freenas does not respond to network NTP requests

ianrm

Dabbler
Joined
Aug 22, 2020
Messages
27
Hi folks,
I have set up my FreeNAS as the network time source, but it never responds. I have edited ntp.conf, stopped ntpd and restarted it.

What else do I need to do to enable the FreeNAS to respond to NTP calls?
Ian
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
ntpd should never be configured to provide timeservice to anyone without a deliberate choice by the admin. As such, the FreeNAS ntp.conf file is not set up to provide timeservice. There have been a number of unfortunate "default configuration incidents" in the past that have led to denial of service attacks and other such badness.

Did you edit your ntp.conf? If so, don't bother. Your FreeNAS host is going to overwrite ntp.conf at every boot. There is no supported method to make what you want happen on an ongoing basis.

In theory you could add an appropriate restrict line (the "restrict default ignore" and "restrict -6 default ignore" are what's preventing service). However, this would only be a temporary change until the next reboot. So, as I said, don't bother.

It is possible, unlikely, but possible, that the developers would be open to making timeservice available on the local network(s). You can file a feature request if you want.

One of my other hats is infrastructure engineering for NTP.ORG. As such, I would point out that there are benefits to dedicated timekeeping hardware, even if it is just a small device like a Raspberry Pi, which you can configure to run NTP, recursion DNS, DHCP, and maybe a few other critical network services if you like.
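For context on the restrict lines mentioned above, here is an added illustrative ntp.conf, not the file FreeNAS generates (which is rewritten at every boot); the pool hostname and the 192.168.1.0/24 network are placeholders. It shows the locked-down default beside a deliberate LAN-only policy with the query-hardening flags that address the amplification incidents referred to.

```conf
# Added illustration, not the file FreeNAS writes (FreeNAS regenerates
# ntp.conf at boot, so this is for an ntpd you manage yourself). The pool
# host and the 192.168.1.0/24 network are placeholders.

# These two lines are what the stock FreeNAS file relies on: every packet
# from an address not matched by a more specific entry is dropped, so the
# host keeps syncing as a client but answers nobody. Keep them as the
# default; everything below is a deliberate exception to it.
restrict default ignore
restrict -6 default ignore

# The host itself, for ntpq -p and friends.
restrict 127.0.0.1
restrict -6 ::1

# Upstream sources. 'restrict source' is the template ntpd applies to each
# address the pool directive resolves, so their replies are accepted but
# they cannot reconfigure or query this host.
pool 0.freebsd.pool.ntp.org iburst
restrict source nomodify notrap nopeer noquery

# Serve time to a directly attached network, one line per subnet. Only the
# mode 3/4 time exchange gets through; the flags refuse what the old open
# servers leaked:
#   limited/kod  rate-limit chatty clients and answer them with kiss-o'-death
#   nomodify     no runtime reconfiguration via ntpq/ntpdc
#   notrap       no mode 6 trap service
#   nopeer       never form an association with an unsolicited peer
#   noquery      no ntpq/ntpdc status queries, whose replies (monlist in
#                particular) dwarf the request and made amplification possible
restrict 192.168.1.0 mask 255.255.255.0 limited kod nomodify notrap nopeer noquery
```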
 

ianrm

Dabbler
Joined
Aug 22, 2020
Messages
27
Hi greco,
thank you for the detailed answer. I built the new NAS because I wanted to use a 10Gb interface, so I thought I might as well add the NTP function, which was available in my older NAS and previous firewall. I had considered the Pi or even a small Linux server; looks like it is the Pi.
There are a number of web pages indicating you can use freenas as a time server, but they didn't work so I came to ask.
Ian
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
You could easily set it up in a jail if you're determined to have the function on that hardware...
 

ianrm

Dabbler
Joined
Aug 22, 2020
Messages
27
Thank you for the information. Jails are not good because they do not use the FreeNAS ntpd function to obtain the NTP results; this is my understanding from searches.
Ian
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
You could easily set it up in a jail if you're determined to have the function on that hardware...

No, you can't, because the NTP in the base system owns the kernel timekeeping functions, and my recollection is that jails are not permitted to slew the time. That doesn't actually seem to be documented in adjtime(2) though.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
No, you can't, because the NTP in the base system owns the kernel timekeeping functions, and my recollection is that jails are not permitted to slew the time. That doesn't actually seem to be documented in adjtime(2) though.

Looks like there's a priv_check() for PRIV_NTP_ADJTIME and PRIV_ADJTIME in relevant functions. Looks like those aren't permitted in prison_priv_check() in sys/kern/kern_jail.c (falls through to default):
Code:
        default:
                /*
                 * In all remaining cases, deny the privilege request.  This
                 * includes almost all network privileges, many system
                 * configuration privileges.
                 */
                return (EPERM);

 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
looks like there's a priv_check() for PRIV_NTP_ADJTIME and PRIV_ADJTIME in relevant functions.

Yeah, that's why I said it. :smile: It's one of several long term issues I've been subversively trying to get addressed.

I already managed to get the network code in ntpd rewritten to allow specific interface binding, which sounds simple, but isn't in practice. The original code assumed that all networks were ethernet and that certain behaviours were acceptable, but if you use more advanced networking like OSPF with a service address on loopback, networking looks like a completely different thing, and it becomes very reasonable to want a policy like "all timeservice only happens on this one IP address, all packets will be originated with this address, no exceptions." Part of my subversiveness was to introduce OSPF into the ntp.org environment and now portions of the network run on OSPF, including the internal clocks. Nice regression prevention, huh.

Recently, Harlan's been talking with Cy Schubert about clamping issues in securemode. In virtualization environments, a virtual machine can get stunned or just be in resource contention, and the clock can get far enough off that ntpd has a tough time catching back up because of some design decisions made in the pre-virtualization era that assumed that a machine would always hold an even keel. That's not true for VMs, and I've seen problems with this for a very long time, maybe only because our network monitoring system has tight parameters for NTP.

I've been an advocate and user of jails basically since phk introduced them, and one of the slightly annoying things about ntpd is that it can't be jailed, although it happily chroots. For my purposes, that's almost the same thing, but Harlan completely drank the "jail" kool-aid I handed him, and has been very enthusiastic about the prospect of jailing services whenever possible.

That's my very long way of saying that it's on my list of things to see if I can get changed for the better. Unfortunately, the jail issue is a bit complicated because you do not want to get into a situation where there are two ntpd's, one in base and one in a jail, trying to slew the clock. Much hilarity would ensue. It isn't clear what a suitable fix is.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Yeah, that's why I said it. :smile: It's one of several long term issues I've been subversively trying to get addressed.

I already managed to get the network code in ntpd rewritten to allow specific interface binding, which sounds simple, but isn't in practice. The original code assumed that all networks were ethernet and that certain behaviours were acceptable, but if you use more advanced networking like OSPF with a service address on loopback, networking looks like a completely different thing, and it becomes very reasonable to want a policy like "all timeservice only happens on this one IP address, all packets will be originated with this address, no exceptions." Part of my subversiveness was to introduce OSPF into the ntp.org environment and now portions of the network run on OSPF, including the internal clocks. Nice regression prevention, huh.

Recently, Harlan's been talking with Cy Schubert about clamping issues in securemode. In virtualization environments, a virtual machine can get stunned or just be in resource contention, and the clock can get far enough off that ntpd has a tough time catching back up because of some design decisions made in the pre-virtualization era that assumed that a machine would always hold an even keel. That's not true for VMs, and I've seen problems with this for a very long time, maybe only because our network monitoring system has tight parameters for NTP.

I've noted the same as well regarding time. Every Windows Domain Controller is a time server, users like to virtualize DCs (and forget to set up an external time source), Kerberos (authentication) is time-sensitive. Headaches ensue.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
No, you can't, because the NTP in the base system owns the kernel timekeeping functions, and my recollection is that jails are not permitted to slew the time. That doesn't actually seem to be documented in adjtime(2) though.

Maybe with the right devfs ruleset and the host pointing to the jail as the timesource, then the jail going out to pool.ntp.org or whatever?

Just an idea. I'm no expert on this topic.

Although this might apply:
Unfortunately, the jail issue is a bit complicated because you do not want to get into a situation where there are two ntpd's, one in base and one in a jail, trying to slew the clock. Much hilarity would ensue. It isn't clear what a suitable fix is.

I also saw a reference to using OpenNTPD instead of ntpd, so maybe that can be configured to just use the system clock without slewing it and serve out NTP to clients? Maybe worth some further research.

The last post in this thread looks promising:
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
Shouldn't it be possible to run ntpd in a jail by simply setting the server to localhost? This is the default fallback anyway.

Code:
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# to provide a time source when this happens, but it should usually
# be configured on just one server on a network. For more details see
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
# The use of Orphan Mode may be preferable.
#
server 127.127.1.0
fudge 127.127.1.0 stratum 10

This way the ntpd would never need to adjust the time (this is done anyway by the FreeNAS ntpd) and the jail's ntpd is just used to share the time to other computers. Seems to work here:
Code:
[root@jail] /etc# ntpq  -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   49   64   37    0.000    0.000   0.000

Of course one could also modify the FreeNAS ntp.conf file with a post-init script via the Tasks menu.
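To check from the client side whether a host answers NTP at all (the original poster's symptom) and what it claims about itself (the stratum and reference the jail's local-clock setup above would advertise), here is an added Python probe; it is not code from this thread or from FreeNAS. The sample reply it parses offline is constructed, with the stratum and refid a client typically sees from a server synced to a local clock fudged to stratum 10 (one stratum higher, refid 127.127.1.0).

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01

def build_request() -> bytes:
    """48-byte NTP packet: LI=0, VN=4, Mode=3 (client); every other field zero."""
    return bytes([(4 << 3) | 3]) + bytes(47)

def parse_response(data: bytes) -> dict:
    """Decode the header fields a client uses to judge a server's answer."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    refid = data[12:16]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    # Stratum 0/1 carry a 4-char ASCII refid (LOCL, GPS, ...); higher strata
    # carry the IPv4 address of the source the server is itself synced to.
    if stratum <= 1:
        refid_str = refid.decode("ascii", "replace").strip("\x00")
    else:
        refid_str = ".".join(str(b) for b in refid)
    return {
        "leap": first >> 6,       # 3 = alarm, server clock not synchronized
        "mode": first & 7,        # 4 = server reply
        "stratum": stratum,       # 0 = kiss-o'-death, 16 = unsynchronized
        "refid": refid_str,
        "transmit_unix": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,
        # 127.127.t.u is ntpd's pseudo-address for a local reference clock
        # driver, so a server showing it is not traceable to any upstream.
        "local_refclock": refid_str.startswith("127.127."),
    }

def probe(host: str, timeout: float = 2.0) -> "dict | None":
    """One request to UDP/123; None means no reply, as with 'restrict default ignore'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, 123))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

def make_sample_reply(stratum: int, refid: bytes, unix_time: float) -> bytes:
    """Constructed server reply for offline testing (not captured traffic)."""
    secs, frac = divmod(unix_time, 1)
    header = bytes([(4 << 3) | 4, stratum, 6, 0xEC])  # LI=0 VN=4 mode=4, poll 6, precision -20
    ts = struct.pack("!II", int(secs) + NTP_EPOCH_OFFSET, int(frac * 2**32))
    return header + bytes(8) + refid + bytes(24) + ts
```

Running `probe("your-nas-address")` against a host still carrying the stock restrict lines returns None; against a jail serving LOCAL(0) it returns a high stratum with `local_refclock` set, which is what a client's ntpq would also reveal.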
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
Shouldn't it be possible to run ntpd in a jail by simply setting the server to localhost? This is the default fallback anyway.

Code:
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# to provide a time source when this happens, but it should usually
# be configured on just one server on a network. For more details see
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
# The use of Orphan Mode may be preferable.
#
server 127.127.1.0
fudge 127.127.1.0 stratum 10

This way the ntpd would never need to adjust the time (this is done anyway by the FreeNAS ntpd) and the jail's ntpd is just used to share the time to other computers. Seems to work here:
Code:
[root@jail] /etc# ntpq  -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   49   64   37    0.000    0.000   0.000

Of course one could also modify the FreeNAS ntp.conf file with a post-init script via the Tasks menu.

Both are bad ideas but I don't have time to pound out a long message here, sorry.

I think all things considered there may be a reasonable argument to let directly attached networks sync time, as noted, this has to do with stuff like AD.

@anodos do you think there would be openness to a GUI config option that would add the list of local networks to the ntp.conf file?
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
Both are bad ideas but I don't have time to pound out a long message here, sorry.

Well, if you find the time, could you elaborate, please?

I understand that running ntp in a jail is not a good idea, even if it's just syncing to itself. So probably summer time <-> winter time switches or leap seconds will cause problems. Or is there something else?

Fixing a config file with post init scripts is also something that should be a last resort and should only be done by people who know what they are doing.

For the average use case I'd suggest providing the NTP service via the DSL router if supported (mine does, but it's not activated by default). It usually does DHCP and DNS anyway, why not use it for NTP?
 

ianrm

Dabbler
Joined
Aug 22, 2020
Messages
27
That solution of using a local router is fine if that is what you are using for your internet security; for those using a firewall, not all firewalls have an NTP function, hence I am trying to build my own.
Also, from memory, MS PDCs etc. do not offer a time service to non-MS devices.
Ian
 

bearhntr

Dabbler
Joined
Sep 11, 2021
Messages
12
Is there someplace in TrueNAS-12.0-U5.1 to see where NTP was successful or to test this? I would like it to use my Domain Controller for syncing time - as it advertises as an NTP server - and my other computers appear to be using it.
 

bearhntr

Dabbler
Joined
Sep 11, 2021
Messages
12
You mean like the classic "ntpq -p"?

I am not sure. I just want a way to see that TrueNAS is getting and syncing time from my domain controller - which gets its time from my pfSense box, which gets its time from 2.pfsense.pool.ntp.org. Instead of everything reaching out to an NTP server - the pfSense is listed in my domain as the 'source' for time (from the outside {Internet}) - and the DC is the source for everything "inside" my network.

Curtis
 
Joined
Jun 2, 2019
Messages
591
not all firewalls have an NTP function, hence I am trying to build my own.

Then consider stepping up your game and switching to open-source, enterprise-class software (https://pfsense.org) for your firewall. It runs on almost any x86 hardware, or you can buy an appliance from Netgate or https://protectli.com.


The other option is to see if your existing router can be re-flashed to open-source firmware from https://openwrt.org or https://dd-wrt.com, both of which can be configured to serve NTP time on your LAN.
 