[ntp:questions] "pool" directive and 4.2.8p8

Brian Inglis Brian.Inglis at SystematicSw.ab.ca
Mon Nov 14 18:19:05 UTC 2016

On 2016-11-14 09:04, Kiss Gábor wrote:
> Thanks for your mail.
> I started to write a looong answer ... then I somehow I checked the
> logs.
>>> What did I wrong?
> Oh Jeez!
> Apparmor made me suck again. :-(
> 2016-11-14T16:45:10.717758+01:00 login kernel: [273248.423730]
> type=1400 audit(1479138310.715:659): apparmor="DENIED"
> operation="create" parent=1 profile="/usr/sbin/ntpd" pid=32274
> comm="ntpd" family="unspec" sock_type="dgram" protocol=0
> I wonder what is the forbidden operation that "pool" directive
> requires?
> Strace shows dozens of like this:
> 32274 socket(PF_UNSPEC, SOCK_DGRAM, 0) = -1 EACCES (Permission
> denied)
> Investigation in progress...

Seems like apparmor is only good for blocking protocols,
not selective ports - the following should allow family unspec:
	network udp, # allow access to udp ipv4 and ipv6 addresses
You may also have to open port 123 in that system's network filters.

You should still drop the ntp.conf tos statement, as that may
cause problems handling the leap second at year end, depending
on the releases and options on each of the pool servers.

With releases after 4.2.6 you should add preempt to the end of
the pool statement and add
	restrict source nomodify notrap noquery
to limit what the (anonymous, random) pool servers can do to you,
in case of attacks or forgeries.
See NTP BCP https://tools.ietf.org/html/draft-ietf-ntp-bcp-02
or more recent.

To ensure consistency, it is better to set up all systems with
/etc/leap-seconds.list and add ntp.conf statement:
	leapfile /etc/leap-seconds.list
where that file can be a symlink to e.g /etc/ntp/leap-seconds.list,
/var/db/ntpd/leap-seconds.list, or wherever is consistent with your
admin policy, and that leap-seconds.list is a symlink to the actual
leap file leap-seconds.3676752000 currently, which can usually be downloaded from:
for authentication and security, or:
as backup, which provides a remote symlink to the current file.

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

More information about the questions mailing list