hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Mon Feb 02, 2009 11:22 pm Post subject: ntp issue ?? ntp.drift.TEMP: Permission denied |
|
|
Hello all
I'm starting to get these in my logs. I just recently updated the kernel, so I think it may be related.
Code: | Feb 2 12:12:27 comp ntpd[11268]: frequency initialized 75.149 PPM from /var/lib/ntp/ntp.drift
Feb 2 12:16:44 comp ntpd[11268]: synchronized to 66.250.45.2, stratum 2
Feb 2 19:16:44 comp ntpd[11268]: kernel time sync status change 0001
Feb 2 20:12:27 comp ntpd[11268]: can't open /var/lib/ntp/ntp.drift.TEMP: Permission denied |
The directory is definitely owned by ntp..
Code: | drwxr-xr-x 2 ntp ntp 120 Feb 2 16:20 .
drwxr-xr-x 20 root root 560 Dec 30 09:04 ..
-rw-r--r-- 1 ntp ntp 7 Feb 1 08:23 ntp.drift
|
Here are my USE flags for ntp
Code: | [ebuild R ] net-misc/ntp-4.2.4_p6 USE="caps ssl -debug -ipv6 -openntpd -parse-clocks (-selinux) -zeroconf" 0 kB |
Here is my kernel version:
Code: | Linux wcec 2.6.27-gentoo-r8 |
I tried to touch ntp.drift.TEMP in the directory and chown it to ntp:ntp, but the error continues.
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Tue Feb 03, 2009 3:44 pm Post subject: Re: ntp issue ?? ntp.drift.TEMP: Permission denied |
|
|
hanj wrote: | Hello all
The directory is definitely owned by ntp..
|
Stupid question, but... are you sure NTP is running as user ntp? |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Feb 03, 2009 4:01 pm Post subject: |
|
|
Yep. The process was owned by ntp. I think this is related to caps. I rebuilt ntp without caps, and things seem to be better, but the process is running as root. There must have been something that changed in the kernel from 2.26 to 2.27?
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
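Added example, not written by any poster in this thread: a Python check for the question raised above about who ntpd actually runs as. It reads the `Uid` and `CapEff` lines of a `/proc/<pid>/status` dump and decides whether that process could create a file such as ntp.drift.TEMP in a directory with a given owner and mode. The function names, the uid 123 for the ntp account and both status samples are constructed for illustration.

```python
import re

# Capability bit numbers from <linux/capability.h>.
CAPS = {"CAP_DAC_OVERRIDE": 1, "CAP_NET_BIND_SERVICE": 10, "CAP_SYS_TIME": 25}

def parse_status(text):
    """Extract effective uid, filesystem uid and held capabilities
    from the text of /proc/<pid>/status."""
    uid = re.search(r"^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("not a /proc/<pid>/status dump")
    _real, eff, _saved, fs = map(int, uid.groups())
    mask = int(cap.group(1), 16)
    held = sorted(name for name, bit in CAPS.items() if (mask >> bit) & 1)
    return {"euid": eff, "fsuid": fs, "caps": held}

def can_create_in(proc, dir_uid, dir_mode, in_dir_group=False):
    """Creating a file needs write+search on the directory, checked
    against the filesystem uid, unless CAP_DAC_OVERRIDE is held."""
    if "CAP_DAC_OVERRIDE" in proc["caps"]:
        return True
    if proc["fsuid"] == dir_uid:
        bits = dir_mode >> 6          # owner permission bits
    elif in_dir_group:
        bits = dir_mode >> 3          # group permission bits
    else:
        bits = dir_mode               # other permission bits
    return (bits & 0o3) == 0o3        # w and x both set

# Constructed samples; uid 123 stands in for the ntp account.
DROPPED = "Name:\tntpd\nUid:\t123\t123\t123\t123\nCapEff:\t0000000002000400\n"
ROOT_FEW_CAPS = "Name:\tntpd\nUid:\t0\t0\t0\t0\nCapEff:\t0000000002000000\n"

if __name__ == "__main__":
    for label, text in (("dropped to ntp", DROPPED),
                        ("uid 0, reduced caps", ROOT_FEW_CAPS)):
        proc = parse_status(text)
        # drwxr-xr-x ntp ntp, as in the directory listing in the first post
        print(label, proc, can_create_in(proc, dir_uid=123, dir_mode=0o755))
```

On a live system the input would be the contents of `/proc/<pid>/status` for the running ntpd; the second sample shows that uid 0 without CAP_DAC_OVERRIDE is refused by a 0755 directory it does not own.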
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Tue Feb 03, 2009 4:16 pm Post subject: |
|
|
Hmmm.... I have never noticed that USE flag, but I see I have -caps (the default?). I upgraded to 2.27 a while ago and have never had a problem. You should probably update the title with [SOLVED]. |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Feb 03, 2009 4:23 pm Post subject: |
|
|
I don't think it's quite solved yet. I want ntp to run as ntp.. not root, which caps does (if I'm not mistaken), so not sure what the issue is related to 2.6.27 kernel and ntp/caps. I've been running ntp with caps for a long, long time.
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Tue Feb 03, 2009 4:37 pm Post subject: |
|
|
Did you enable Default Linux Capabilities in the kernel:
Code: | Security options --->
[*] Enable different security models
[*] Default Linux Capabilities ...
|
as per http://en.gentoo-wiki.com/wiki/NTP? |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Feb 03, 2009 4:52 pm Post subject: |
|
|
I think this is what's changed. Looking at my security options...
Code: | Security options --->
[ ] Enable access key retention support
[*] Enable different security models
[ ] Socket and Networking Security Hooks
[ ] File POSIX Capabilities
(0) Low address space to protect from user allocation |
Default Linux Capabilities is no longer an option.
hanji _________________ Server Admin Blog - Uno-Code.com |
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Tue Feb 03, 2009 5:00 pm Post subject: |
|
|
Oops! My apologies. I didn't look at my config - just at the wiki. Looking at my .config I see a CONFIG_SECURITY_FILE_CAPABILITIES variable. Could that be the same thing? |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Feb 03, 2009 5:10 pm Post subject: |
|
|
pgf wrote: | Oops! My apologies. I didn't look at my config - just at the wiki. Looking at my .config I see a CONFIG_SECURITY_FILE_CAPABILITIES variable. Could that be the same thing? |
I think that is File POSIX Capabilities. Which might address the problem. I don't think it's the same thing as Default Linux Capabilities.
hanji _________________ Server Admin Blog - Uno-Code.com |
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Tue Feb 03, 2009 5:41 pm Post subject: |
|
|
hanj wrote: | I don't think it's the same thing as Default Linux Capabilities.
hanji |
Look at http://www.linuxhq.com/kernel/v2.6/27/security/Kconfig. It looks like it replaced Default Linux Caps with POSIX caps, if I am reading it right. |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Tue Feb 03, 2009 5:58 pm Post subject: |
|
|
Hmmmm.. I'll recompile the kernel and give it a shot. It's a production server, so I won't be able to reboot for a bit.
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Tue Feb 03, 2009 7:08 pm Post subject: |
|
|
hanj wrote: | Hmmmm.. I'll recompile the kernel and give it a shot. It's a production server, so I won't be able to reboot for a bit. |
I am trying to recreate it on one of my test boxes for you. I have emerged ntp with USE=caps and now am waiting for the error. How often did it occur? |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Tue Feb 03, 2009 9:10 pm Post subject: |
|
|
hanj wrote: | Error occurs once an hour. |
I haven't been able to recreate it yet - 90 minutes since restarting ntp and no errors. I will keep watching. |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Wed Feb 04, 2009 4:14 pm Post subject: |
|
|
Ok. I rebooted this morning, and I'm still seeing the errors. Now check this out. Here are some snips from my logs. This is after my reboot, re-emerging ntp with caps and restarting the ntpd server. Pay attention to the times in the logs
Code: | Feb 4 07:59:49 comp ntpd[29269]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Feb 4 07:59:49 comp ntpd[29269]: Listening on interface #1 lo, 127.0.0.1#123 Enabled
Feb 4 07:59:49 comp ntpd[29269]: Listening on interface #2 eth0, 192.168.1.1#123 Enabled
Feb 4 07:59:49 comp ntpd[29269]: Listening on interface #3 eth0:1, 192.168.1.25#123 Enabled
Feb 4 07:59:49 comp ntpd[29269]: Listening on interface #4 eth1, 192.168.0.2#123 Enabled
Feb 4 07:59:49 comp ntpd[29269]: kernel time sync status 0040
Feb 4 07:59:50 comp ntpd[29269]: frequency initialized 76.055 PPM from /var/lib/ntp/ntp.drift
Feb 4 07:59:55 comp ntpdate[29338]: step time server 204.152.189.171 offset -0.002710 sec
Feb 4 08:04:10 comp ntpd[29269]: synchronized to 204.152.189.171, stratum 2
Feb 4 15:04:10 comp ntpd[29269]: kernel time sync status change 0001
Feb 4 15:59:49 comp ntpd[29269]: can't open /var/lib/ntp/ntp.drift.TEMP: Permission denied |
The error seems to be WAY in the future. Running `date` I see..
Code: | date
Wed Feb 4 09:08:21 MST 2009 |
I wonder if there is something else that is hosed giving it the wrong time. Syslog is still showing entries with the correct time?
Here are my contents of ntp.conf
Code: | server pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify nopeer
restrict 127.0.0.1 |
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Wed Feb 04, 2009 5:25 pm Post subject: |
|
|
time zone issues? What do you have for:
/etc/conf.d/clock
/etc/timezone
your $TZ value
I don't see this has anything to do with the permissions problem (although you never know), but it is definitely not right. |
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
|
Posted: Wed Feb 04, 2009 5:32 pm Post subject: |
|
|
/etc/conf.d/clock
Code: | CLOCK="UTC"
CLOCK_OPTS=""
CLOCK_SYSTOHC="no"
SRM="no"
ARC="no" |
I don't have /etc/timezone. Maybe /etc/localtime?
Code: | localtime -> /usr/share/zoneinfo/US/Mountain |
Thanks!
hanji _________________ Server Admin Blog - Uno-Code.com |
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
|
Posted: Wed Feb 04, 2009 5:44 pm Post subject: |
|
|
hanj wrote: |
I don't have /etc/timezone. Maybe /etc/localtime?
Code: | localtime -> /usr/share/zoneinfo/US/Mountain |
|
Hmmm... I have /etc/timezone, which contains "America/Toronto". I have never been completely clear on the difference, but:
Quote: | Additionally, the TIMEZONE variable is no longer in this file. Its contents are instead found in the /etc/timezone file. If it doesn't exist, you will of course have to create it with your timezone. Please review both of these files to ensure their correctness. |
from the Gentoo Baselayout and OpenRC Migration Guide (http://www.gentoo.org/doc/en/openrc-migration.xml?style=printable)
I do have an /etc/localtime as well. |
MMMMM Tux's lil' helper
Joined: 13 Jun 2011 Posts: 141 Location: Berlin
|
Posted: Sun Apr 30, 2017 8:44 am Post subject: |
|
|
Hi,
I have two gentoo boxes, one with and one without this problem.
Difference is that /var/lib/ntp/ntp.drift belongs to root:root on the box with this problem.
Code: | chown ntp:ntp /var/lib/ntp/ntp.drift |
... did not help |