OpenNTP won't start



  • There is an issue with ntpd starting, it started with this change I believe: https://github.com/bsdperimeter/pfsense/commit/d46c3acd20608169bc577c81806064499db3f946

    verbosity doesn't seem to be an option for OpenNTP, but there is an option for a logfile, -l

    
    ntpd - NTP daemon program - Ver. 4.2.4p5
    USAGE:  ntpd [ - <flag>[<val>] | --<name>[{=| }<val>] ]...
      Flg Arg Option-Name    Description
       -4 no  ipv4           Force IPv4 DNS name resolution
       -6 no  ipv6           Force IPv6 DNS name resolution
       -a no  authreq        Require crypto authentication
       -A no  authnoreq      Do not require crypto authentication
       -b no  bcastsync      Allow us to sync to broadcast servers
       -c Str configfile     configuration file name
       -f Str driftfile      frequency drift file name
       -g no  panicgate      Allow the first adjustment to be Big
       -i Str jaildir        Jail directory
       -I Str interface      Listen on interface
       -k Str keyfile        path to symmetric keys
       -l Str logfile        path to the log file
       -L no  novirtualips   Do not listen to virtual IPs
       -n no  nofork         Do not fork
       -N no  nice           Run at high priority
       -p Str pidfile        path to the PID file
       -P Num priority       Process priority
       -q no  quit           Set the time and quit
       -r Str propagationdelay Broadcast/propagation delay
       -U Num updateinterval interval in seconds between scans for new or dropped interfaces
       -s Str statsdir       Statistics file location
       -t Str trustedkey     Trusted key number
       -u Str user           Run as userid (or userid:groupid)
       -v Str var            make ARG an ntp variable (RW)
       -V Str dvar           make ARG an ntp variable (RW|DEF)
       -x no  slew           Slew up to 600 seconds
       -v opt version        Output version information and exit
       -? no  help           Display usage information and exit
       -! no  more-help      Extended usage information passed thru pager
    
    Options are specified by doubled hyphens and their name
    or by a single hyphen and the flag character.
    

    error on startup:
    Starting OpenNTP time client…ntpd: illegal option --v
    usage: ntpd [-dSs] [-f file]


  • Rebel Alliance Developer Netgate

    Did you actually do a binary update, or just a gitsync? Mine does not complain about that option.


  • Rebel Alliance Global Moderator

    As mentioned before around here, pfsense has both openntp and true ntpd – why I have no freaking idea, that makes little sense to me.  Pick one ;)  openntp is the wrong choice.

    But hey simple pkg_add -r and I have the current version and for everything else you need so you can log and can query it with ntpq or ntpdc, etc..

    you listed out the options for ntpd, but then when you ran it was openntp

    ls -la /usr/local/sbin/ntpd
    -r-xr-xr-x  1 root  wheel  43984 Mar 21 07:57 /usr/local/sbin/ntpd

    ls -la /usr/sbin/ntpd
    -r-xr-xr-x  1 root  wheel  347760 Mar 21 07:55 /usr/sbin/ntpd

    the one in usr/sbin is
    /usr/sbin/ntpd --version
    ntpd - NTP daemon program - Ver. 4.2.4p5

    one in /usr/local/sbin is that other pos ;)


  • Rebel Alliance Developer Netgate

    We'd love to use the stock FreeBSD ntpd but it does not support selective binding that we need. You can filter it in various ways but it doesn't change the fact that it will always bind to every IP. OpenNTPd, when told to only listen on certain IPs, only binds to those and no others.

    OpenNTPd does log correctly on current snapshots.


  • Rebel Alliance Global Moderator

    What does it matter if it binds to all IPs?  Not going to be open from WAN until you allow the firewall rule.  It's not going to answer queries until configured to do so, etc.

    I agree it's not an optimal thing – you really should be able to bind to the IPs you want/need.  But to me the many other features outweigh that small flaw.

    "OpenNTPd does log correctly on current snapshots."

    What does it log??  I just started it up vs the ntpd -- now I am blind to checking if it's sync'd or not because I can not query it.  I see it started in the system log.. But not seeing any entries in openntp tab in the logs section.

    4:13 php: /status_services.php: OpenNTPD is starting up.

    I am on the latest snap I do believe

    2.1-DEVELOPMENT (i386)
    built on Wed Apr 18 18:25:03 EDT 2012
    FreeBSD 8.3-RELEASE

    You are on the latest version.

    What does it log?


  • Rebel Alliance Developer Netgate

    Because to make the NTP service properly accessible in many cases, especially over VPNs, it's required.

    The way NTP works (and most UDP services) the reply is sourced from the bound interface closest to the client. So, say you have LAN and DMZ. If you request the time from the LAN interface from a DMZ client, it responds from the DMZ interface, even when the request was made to the LAN, so the reply is ignored. If the daemon is only bound to the LAN IP, that's where the reply comes from.

    Now imagine you're querying the service on a CARP VIP, the reply comes from the interface, not the CARP VIP… kind of annoying, at least it did last I tried it.
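
    The reply-source behaviour described in the post above can be reproduced on one machine. This is an added example, not code from the thread or from pfSense; it assumes a Linux host, where every 127.0.0.0/8 address is local, and uses 127.0.0.2 as a constructed stand-in for the "other interface" address the client queries.

```python
import socket

CLIENT_IP = "127.0.0.1"    # constructed: the client's own address
QUERIED_IP = "127.0.0.2"   # constructed: the server address the client asks

def reply_source(server_bind, query_addr, connected=False):
    """Send one UDP query and return the source IP of the accepted reply.

    Returns None when the client never accepts a reply. A connected UDP
    socket only accepts datagrams from the exact peer it queried, which is
    how a reply from the "wrong" address ends up ignored.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind((server_bind, 0))            # ephemeral port
        port = srv.getsockname()[1]
        cli.bind((CLIENT_IP, 0))
        srv.settimeout(1)
        cli.settimeout(1)
        if connected:
            cli.connect((query_addr, port))   # kernel filters on peer address
            cli.send(b"time?")
        else:
            cli.sendto(b"time?", (query_addr, port))
        _, peer = srv.recvfrom(64)
        # Bound to the wildcard, the server does not choose the source here:
        # the kernel picks it from the route back to the client.
        srv.sendto(b"reply", peer)
        try:
            _, src = cli.recvfrom(64)
        except (socket.timeout, ConnectionError):
            return None
        return src[0]

if __name__ == "__main__":
    for bind in ("0.0.0.0", QUERIED_IP):
        seen = reply_source(bind, QUERIED_IP)
        strict = reply_source(bind, QUERIED_IP, connected=True)
        print(f"bound to {bind}: reply from {seen}, connected client got {strict}")
```

    Bound to the wildcard address, the reply leaves from 127.0.0.1 even though 127.0.0.2 was queried, and the connected client drops it; bound only to 127.0.0.2, the reply comes from the address that was asked.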



  • @jimp:

    OpenNTPd does log correctly on current snapshots.

    I'm running 2.1-DEVELOPMENT (i386) built on Tue Apr 17 16:58:04 EDT 2012 FreeBSD 8.3-RELEASE and my ntpd log is empty.

    I expected to see at least a startup message.

    My snapshot not current enough?


  • Rebel Alliance Global Moderator

    K - how about since you have both versions installed we get something in the gui that allows for which one you want to run!  That would be the best of both worlds and make everyone happy I think?

    Not sure why the hell I would not just query the DMZ interface for NTP for boxes in my DMZ?  As to VPN, again could not just query the correct IP ;)  Since as you stated it's going to be listening on every one?  Since you can not just bind it to specific.

    Same thing goes with your CARP VIP example..  Again, it's listening on all IPs, is it not??  Then query the one you want a reply from – why would you ever query the interface that is not closest to you??  I could see the thing with the VIP being hey that's the logical one, etc.

    Not sure I would ever be doing queries to an NTP over a VPN connection in the first place?  Run one local to that network, and sync it to a good source, etc.

    Again the features of the full ntpd so far outweigh the selective binding - the openntp client other than selective binding blows chunks compared to the normal ntpd.

    It would be fantastic to allow for simple choice of which one you want to run - that is for sure.


  • Rebel Alliance Developer Netgate

    Those were just examples, but in the case of the CARP VIP, you are querying the one 'closest' to you. It still responds from the "wrong" IP on the same interface, iirc. It's been a while since I tested that, may need to try it again.

    As for the GUI switch, patches accepted. Let me know when you're done coding it up. :-)

    @wallabybob:

    I'm running 2.1-DEVELOPMENT (i386) built on Tue Apr 17 16:58:04 EDT 2012 FreeBSD 8.3-RELEASE and my ntpd log is empty.

    I expected to see at least a startup message.

    My snapshot not current enough?

    I thought it may have been fixed by then, but now I'm not seeing logs in mine again. It was logging fine on the 17th after I made some changes to the syslog config format, but now it doesn't seem to be. It was at least logging time adjustments every few minutes.

    Apr 17 09:03:50 	ntpd[41857]: adjusting local clock by 0.002309s
    Apr 17 09:07:30 	ntpd[41857]: adjusting local clock by 0.000968s
    Apr 17 09:08:38 	ntpd[41857]: adjusting clock frequency by 12.622102 to 0.462800ppm
    Apr 17 09:13:05 	ntpd[41857]: adjusting local clock by 0.003031s
    Apr 17 09:16:47 	ntpd[41857]: adjusting local clock by 0.003045s
    Apr 17 09:19:28 	ntpd[41857]: adjusting local clock by 0.000410s
    


  • updated the binaries and it's working again… no logging still... but at least it works :-)



  • I recently upgraded to 2.1-DEVELOPMENT (i386)
    built on Sat Apr 28 05:27:55 EDT 2012
    FreeBSD 8.3-RELEASE
    and ntpd logging is still not working (Status -> System Logs, OpenNTPD tab displays an empty log).


  • Rebel Alliance Developer Netgate

    NTP logging should be fixed now, it's happy in the current snapshot since I fixed it yesterday.



  • @jimp:

    NTP logging should be fixed now, it's happy in the current snapshot since I fixed it yesterday.

    Thanks.



  • thank you! I think this is the first time I've seen OpenNTPD logging functioning.    :)

