
h1. Running an NTP server on SmartOS


h2. Background Information

I recently migrated my gateway to run on top of SmartOS (OpenBSD in a KVM zone). I used to feed it my serial GPS to get a better fix, but that does not work with KVM.

So at first I simply removed the GPS. That did not work well either: I noticed a lot of drift, mostly because the KVM guest clock does not update the actual hardware clock.

My solution was to run ntpd inside a base zone. I had to give the zone some extra privileges, and I also had to disable ntp in the global zone. In the end I even got my GPS to work, although not as well as on OpenBSD.

h2. Disabling NTP in the global zone

To disable ntp in the global zone I added a custom SMF service. SmartOS imports manifests from /opt/custom/smf when the global zone boots, and /opt/custom is one of the few locations that persist across reboots of the ramdisk-based global zone, so the disable sticks. You'll see some commented lines to get my GPS to work too; if you also want to use a GPS in the zone, uncomment those lines.


{code:language=xml|title=/opt/custom/smf/time-helper.xml|linenumbers=true|theme=Midnight}
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='acheron:time-helper'>
  <service name='acheron/time-helper' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    <dependency name='filesystem' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>

    <!-- optional dependency on the global zone's ntp service: it only orders
         time-helper after ntp (if ntp is enabled at all), which is the service
         the start method disables -->
    <dependency name='ntp' grouping='optional_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/ntp' />
    </dependency>

    <!-- transient service: the start method runs once and exits -->
    <exec_method type='method' name='start' exec='/opt/custom/bin/time-helper' timeout_seconds='0' />
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='0' />

    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>

    <stability value='Unstable' />
  </service>
</service_bundle>
{code}
{code:language=bash|title=/opt/custom/bin/time-helper|linenumbers=true|theme=Midnight}
#!/usr/bin/sh

. /lib/svc/share/smf_include.sh

## alias my gps device to /dev/gps0 to make ntpd happy
#/usr/bin/ln -sf /dev/cua/0 /dev/gps0
## disable global zone ntp
/usr/sbin/svcadm disable svc:/network/ntp:default

exit $SMF_EXIT_OK
{code}

h2. Creating The Zone

{code:language=javascript|linenumbers=true|theme=Midnight}
{
"brand": "joyent",
"image_uuid": "c02a2044-c1bd-11e4-bd8c-dfc1db8b0182",
"hostname": "ntp.acheron.be",
"alias": "ntp",
"autoboot": false,
"nowait": false,
"limit_priv": "default,+sys_time,+proc_priocntl,+proc_clock_highres",
"cpu_shares": 100,
"cpu_cap": 100,
"max_physical_memory": 128,
"quota": 2,
"delegate_dataset": true,
"zfs_io_priority": 100,
"zfs_root_compression": "lz4",
"nics": [
{
"nic_tag": "trunk",
"mtu": 1500,
"vlan_id": 30,
"mac": "00:15:00:xx:xx:xx",
"ip": "172.16.xx.2",
"netmask": "255.255.255.0",
"allow_ip_spoofing": true
}
]
}
{code}

The *limit_priv* line is important: it raises the zone's privilege ceiling above the default set so that ntpd can use high-resolution timers (proc_clock_highres), raise its own scheduling priority (proc_priocntl) and set the system clock (sys_time). limit_priv only bounds what a process in the zone may hold; the privileges ntpd actually runs with come from the method_credential in the SMF manifest further down, and a privilege requested there but missing from limit_priv makes the start method fail before ntpd even starts. Keep in mind that the clock is shared by the whole host, so a zone holding sys_time can set the time for the global zone and every other zone on the machine. Also note *allow_ip_spoofing: true*, which turns off the NIC's IP anti-spoof filter; an NTP server only needs to answer from its own address, so unless the zone has another reason for it, leave that at the default false.
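Because a start method silently fails when the method_credential asks for a privilege the zone cannot hand out, it is worth checking the two files against each other before booting the zone. The script below is an added example written for this page, not code from the original post or from SmartOS/illumos: it reads limit_priv from the vmadm JSON, collects every privileges= attribute from the SMF manifest, expands both specs the way illumos does (bare name or +name adds, !name or -name removes, basic and default expand to sets) and reports what limit_priv lacks. The expansion of 'basic' is the illumos basic set; ZONE_DEFAULT is only a partial list of the zone default set and is an assumption for the offline demo, and the sample JSON and manifest are constructed from the page's own values, trimmed to what the check reads.

```python
"""Check that an SMF method_credential's privileges fit inside a zone's
limit_priv.  Added example for this page; not code from the original post
or from SmartOS/illumos.  ZONE_DEFAULT is an ASSUMPTION (partial list);
on a real zone use the 'L:' line of `ppriv -S $$` run inside the zone."""
import json
import xml.etree.ElementTree as ET

# illumos basic privilege set: what every process starts with
BASIC = {
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session",
}

# ASSUMPTION: partial expansion of the zone "default" set, listing only the
# members that matter for the ntp manifest on this page.
ZONE_DEFAULT = BASIC | {
    "net_privaddr", "proc_lock_memory", "proc_setid", "proc_owner",
    "file_dac_read", "file_dac_write", "sys_mount", "sys_resource",
}

KEYWORDS = {"basic": BASIC, "default": ZONE_DEFAULT}

# The method_credential privileges from the ntp manifest on this page.
NTP_METHOD_PRIVS = ("basic,!file_link_any,!proc_info,!proc_session,"
                    "net_privaddr,proc_lock_memory,sys_time")


def expand_priv_spec(spec):
    """Expand 'default,+sys_time,+proc_priocntl' or 'basic,!proc_info,sys_time'
    into a set.  Bare name / '+name' adds, '!name' / '-name' removes, and the
    keywords basic/default expand through KEYWORDS.  Order matters, as it
    does for priv_str_to_set(3C)."""
    privs = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] in "!-":
            name = tok[1:]
            privs -= KEYWORDS.get(name, {name})
        else:
            name = tok.lstrip("+")
            privs |= KEYWORDS.get(name, {name})
    return privs


def missing_privs(limit_priv, method_privs):
    """Privileges the method_credential asks for that limit_priv cannot
    supply.  Empty set: svc.startd can run the method.  Non-empty: the
    start method fails and ntpd never starts."""
    return expand_priv_spec(method_privs) - expand_priv_spec(limit_priv)


def limit_priv_from_vmadm(json_text):
    """limit_priv from a vmadm zone definition; vmadm's default is 'default'."""
    return json.loads(json_text).get("limit_priv", "default")


def method_privs_from_manifest(xml_text):
    """Every distinct privileges= string on a method_credential element."""
    root = ET.fromstring(xml_text)
    return sorted({mc.get("privileges", "basic")
                   for mc in root.iter("method_credential")})


def audit(json_text, xml_text):
    """Map each method_credential privilege spec to what limit_priv lacks."""
    limit = limit_priv_from_vmadm(json_text)
    return {spec: sorted(missing_privs(limit, spec))
            for spec in method_privs_from_manifest(xml_text)}


# Constructed inputs mirroring the page's zone JSON and ntp manifest,
# trimmed to the parts this check reads.
SAMPLE_VMADM = ('{"alias": "ntp", "brand": "joyent", '
                '"limit_priv": "default,+sys_time,+proc_priocntl,+proc_clock_highres"}')
SAMPLE_VMADM_DEFAULT = '{"alias": "ntp", "brand": "joyent"}'
SAMPLE_MANIFEST = f"""<service_bundle type='manifest' name='export'>
  <service name='network/ntp' type='service' version='0'>
    <exec_method name='start' type='method' exec='/srv/ntpd/smf/svc-ntp %m' timeout_seconds='600'>
      <method_context>
        <method_credential user='root' group='root' privileges='{NTP_METHOD_PRIVS}'/>
      </method_context>
    </exec_method>
  </service>
</service_bundle>"""

if __name__ == "__main__":
    for label, js in (("page's JSON", SAMPLE_VMADM), ("plain default", SAMPLE_VMADM_DEFAULT)):
        for spec, gap in audit(js, SAMPLE_MANIFEST).items():
            print("%s: missing from limit_priv: %s" % (label, gap or "nothing"))
```

Run it against your real files with `audit(open("ntp.json").read(), open("ntp.xml").read())`; with the page's limit_priv the result is empty, and with a plain "default" zone it reports sys_time, which is exactly the failure you would otherwise only see in the SMF log.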

If you want to use a GPS device you have to hand the serial device to the zone; there is no way to do this through vmadm, so it has to be done with zonecfg. Device entries are created when the zone boots, so reboot the zone after adding them. Be aware that this gives the zone direct access to the serial hardware, which is a deliberate widening of the zone boundary.

Run zonecfg -z UUID (the zone's uuid from vmadm list) and add the following:

{code:language=bash|linenumbers=true|theme=Midnight}
add device
set match=/dev/cua/0
end
add device
set match=/dev/gps0
end
exit
{code}

h2. Configuring NTPD


{code:language=bash|title=/etc/inet/ntp.conf|linenumbers=true|theme=Midnight}
## general
driftfile /var/ntp/ntp.drift
logfile /var/log/ntp.log

## security
# default restrictions
restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery

# allow localhost to manage ntpd
restrict 127.0.0.1
restrict -6 ::1


# allow servers to reply to our queries
restrict source nomodify noquery notrap

## time sources
# local gps direct, NMEA driver (mode bits: 1 = RMC, 2 = GGA; mode 0 = all sentences)
#server 127.127.20.0 mode 2 minpoll 4 maxpoll 4 prefer
#fudge 127.127.20.0 time2 0.7 refid GPS

# gpsd shared memory
#server 127.127.28.0 minpoll 4 maxpoll 4
#fudge 127.127.28.0 time1 -0.245 refid GPS stratum 15
#server 127.127.28.1 minpoll 4 maxpoll 4 prefer
#fudge 127.127.28.1 refid PPS

# remote time servers
pool 0.europe.pool.ntp.org burst iburst minpoll 4 maxpoll 4
{code}

When using a GPS device, uncomment either the 'local gps direct' lines (ntpd reads the NMEA sentences from /dev/gps0 itself) or the 'gpsd shared memory' lines (gpsd owns the device and hands time to ntpd through the SHM refclock), not both. The 'restrict default' lines mean anyone can get time from this server, but nobody outside localhost can run ntpq/ntpdc queries against it, reconfigure it or become a peer; 'limited kod' answers clients that exceed the rate limit with a Kiss-o'-Death packet instead of serving every request. One caveat on the pool line: 'burst' together with a 16-second poll interval sends far more traffic to the public pool servers than the pool operators ask for, so against pool.ntp.org use 'iburst' alone with the default poll interval, and keep 'burst' and 'minpoll 4' for upstream servers you run yourself.
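The restrict policy above can be verified from a host other than the server itself (from localhost everything is allowed) with the probe below, an added example that is not part of the original post and not a tool from the ntp distribution. It builds a plain mode 3 client request (RFC 5905 layout) and a mode 6 READVAR request (the packet ntpq sends for 'rv', using ntpd's control header layout), sends each over UDP and classifies the answer. With the restrict lines above you should see time served for the first and no reply at all for the second, since ntpd drops restricted mode 6 packets silently; a stratum 0 answer with an ASCII refid such as RATE is a Kiss-o'-Death. The function names are mine, and the reply built by make_sample_reply is constructed for the offline test, not a capture.

```python
"""Probe an NTP server's restrict policy from the outside.  Added example
for this page; not code from the original post or from ntp itself.
Mode 3/4 layout from RFC 5905; mode 6 header as in ntpd's ntp_control.h."""
import socket
import struct
import time

NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER, MODE_CONTROL = 3, 4, 6
CTL_OP_READVAR = 2             # opcode behind ntpq's "rv" / "readvar"


def build_client_request():
    """48-byte NTP v4 client packet: LI=0, VN=4, mode=3, all fields zero
    except the transmit timestamp (bytes 40-47)."""
    now = time.time() + NTP_UNIX_OFFSET
    tx_sec = int(now)
    tx_frac = int((now - tx_sec) * (1 << 32))
    return struct.pack("!BBBb11I", (4 << 3) | MODE_CLIENT, 0, 0, 0,
                       *([0] * 9), tx_sec, tx_frac)


def build_readvar_request(sequence=1, assoc_id=0):
    """12-byte mode 6 control header: LI/VN/mode, R|E|M|opcode, sequence,
    status, association id, offset, count.  READVAR carries no payload."""
    return struct.pack("!BBHHHHH", (4 << 3) | MODE_CONTROL,
                       CTL_OP_READVAR, sequence, 0, assoc_id, 0, 0)


def parse_server_reply(data):
    """Return (mode, stratum, refid, tx_unix_time) from a mode 4 reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    mode, stratum = data[0] & 0x07, data[1]
    refid = data[12:16]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return mode, stratum, refid, tx_sec - NTP_UNIX_OFFSET + tx_frac / (1 << 32)


def classify(reply):
    """Summarise what a reply (None for a timeout) means for the policy."""
    if reply is None:
        return "no reply"
    mode = reply[0] & 0x07
    if mode == MODE_SERVER:
        _, stratum, refid, _ = parse_server_reply(reply)
        if stratum == 0:                       # Kiss-o'-Death: refid is ASCII
            return "kiss-o'-death %s" % refid.decode("ascii", "replace")
        return "time served (stratum %d)" % stratum
    if mode == MODE_CONTROL:                   # noquery was NOT enforced
        return "control error response" if reply[1] & 0x40 else "control data returned"
    return "unexpected mode %d" % mode


def exchange(host, packet, port=123, timeout=2.0):
    """Send one UDP datagram and return the reply bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            return s.recv(1024)
        except socket.timeout:
            return None


def probe(host):
    """With the restrict lines on this page: 'time served' for the client
    request and 'no reply' for the READVAR query."""
    return {"client": classify(exchange(host, build_client_request())),
            "readvar": classify(exchange(host, build_readvar_request()))}


def make_sample_reply(stratum, refid, tx_unix):
    """Constructed mode 4 reply for offline testing (not a real capture)."""
    ntp = tx_unix + NTP_UNIX_OFFSET
    sec = int(ntp)
    frac = int(round((ntp - sec) * (1 << 32)))
    return struct.pack("!BBBbII4s8I", (4 << 3) | MODE_SERVER, stratum, 6, -20,
                       0, 0, refid, 0, 0, 0, 0, 0, 0, sec, frac)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python3 ntp_probe.py ntp.example.org` from a client host; if the second line reports "control data returned", the noquery restriction is not in effect for that client's address.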

The last step is getting ntpd to run inside the zone. For that I adapted the global zone's ntp SMF manifest and its method script and installed them under /srv/ntpd/smf in the zone. Note the sys_time privilege in the method_credential; that is why the zone needs it in limit_priv. Import the manifest with svccfg import /srv/ntpd/smf/ntp.xml; the default instance is marked enabled, so ntpd starts on import.

{code:language=xml|title=/srv/ntpd/smf/ntp.xml|linenumbers=true|theme=Midnight}
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='network/ntp' type='service' version='0'>
    <single_instance/>
    <dependency name='network' grouping='require_any' restart_on='error' type='service'>
      <service_fmri value='svc:/network/service'/>
    </dependency>
    <dependency name='routing' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/routing-setup'/>
    </dependency>
    <!-- sys_time below must also be in the zone's limit_priv (see the vmadm JSON
         above); otherwise svc.startd cannot grant it and the method fails -->
    <exec_method name='start' type='method' exec='/srv/ntpd/smf/svc-ntp %m' timeout_seconds='600'>
      <method_context>
        <method_credential user='root' group='root' privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_lock_memory,sys_time'/>
      </method_context>
    </exec_method>
    <exec_method name='restart' type='method' exec='/srv/ntpd/smf/svc-ntp %m' timeout_seconds='1800'>
      <method_context>
        <method_credential user='root' group='root' privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_lock_memory,sys_time'/>
      </method_context>
    </exec_method>
    <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
    <property_group name='general' type='framework'>
      <propval name='action_authorization' type='astring' value='solaris.smf.manage.ntp'/>
      <propval name='value_authorization' type='astring' value='solaris.smf.value.ntp'/>
    </property_group>
    <instance name='default' enabled='true'>
      <property_group name='config' type='application'>
        <propval name='always_allow_large_step' type='boolean' value='true'/>
        <propval name='debuglevel' type='integer' value='0'/>
        <propval name='logfile' type='astring' value='/var/ntp/ntp.log'/>
        <propval name='mdnsregister' type='boolean' value='false'/>
        <propval name='no_auth_required' type='boolean' value='false'/>
        <propval name='slew_always' type='boolean' value='false'/>
        <propval name='value_authorization' type='astring' value='solaris.smf.value.ntp'/>
        <propval name='verbose_logging' type='boolean' value='false'/>
        <propval name='wait_for_sync' type='boolean' value='false'/>
      </property_group>
    </instance>
    <stability value='Unstable'/>
    <template>
      <common_name>
        <loctext xml:lang='C'>Network Time Protocol (NTP) Version 4</loctext>
      </common_name>
      <documentation>
        <manpage title='ntpd' section='1M'/>
        <manpage title='ntp.conf' section='4'/>
        <manpage title='ntpq' section='1M'/>
      </documentation>
    </template>
  </service>
</service_bundle>
{code}

{code:language=bash|title=/srv/ntpd/smf/svc-ntp|linenumbers=true|theme=Midnight}
#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2013 Joyent, Inc. All rights reserved.
#

# Standard prolog
#
. /lib/svc/share/smf_include.sh

NTPD_OPTIONS="-N"

if [ -z "$SMF_FMRI" ]; then
    echo "SMF framework variables are not initialized."
    exit $SMF_EXIT_ERR
fi

#
# Is NTP configured?
#
if [ ! -f /etc/inet/ntp.conf ]; then
    echo "Error: Configuration file '/etc/inet/ntp.conf' not found." \
        " See ntpd(1M)."
    exit $SMF_EXIT_ERR_CONFIG
fi

# Disable globbing to prevent privilege escalations by users authorized
# to set property values for the NTP service.
set -f

#
# Build the command line flags
#
shift $#
set -- -p /var/run/ntp.pid
# We allow a step larger than the panic value of 17 minutes only
# once when ntpd starts up. If always_allow_large_step is true,
# then we allow this each time ntpd starts. Otherwise, we allow
# it only the very first time ntpd starts after a boot. We
# check that by making ntpd write its pid to a file in /var/run
# (a tmpfs, so the file is gone after a reboot).

val=`svcprop -c -p config/always_allow_large_step $SMF_FMRI`
if [ "$val" = "true" ] || [ ! -f /var/run/ntp.pid ]; then
    NTPD_OPTIONS="${NTPD_OPTIONS} -g"
fi

# Auth was off by default in xntpd, now the default is on. Better have a way
# to turn it off again. Also check for the obsolete "authentication" keyword.
val=`svcprop -c -p config/no_auth_required $SMF_FMRI`
if [ ! "$val" = "true" ]; then
    val=`/usr/bin/nawk '/^[ \t]*#/{next}
        /^[ \t]*authentication[ \t]+no/ {
            printf("true")
            next } ' /etc/inet/ntp.conf`
fi
[ "$val" = "true" ] && set -- "$@" --authnoreq

# Set up logging if requested.
logfile=`svcprop -c -p config/logfile $SMF_FMRI`
val=`svcprop -c -p config/verbose_logging $SMF_FMRI`
[ "$val" = "true" ] && [ -n "$logfile" ] && set -- "$@" -l "$logfile"

# Register with mDNS.
val=`svcprop -c -p config/mdnsregister $SMF_FMRI`
mdns=`svcprop -c -p general/enabled svc:/network/dns/multicast:default`
[ "$val" = "true" ] && [ "$mdns" = "true" ] && set -- "$@" -m

# We used to support the slewalways keyword, but that was a Sun thing
# and not in V4. Look for "slewalways yes" and set the new slew option.
val=`svcprop -c -p config/slew_always $SMF_FMRI`
if [ ! "$val" = "true" ]; then
    val=`/usr/bin/nawk '/^[ \t]*#/{next}
        /^[ \t]*slewalways[ \t]+yes/ {
            printf("true")
            next } ' /etc/inet/ntp.conf`
fi
[ "$val" = "true" ] && set -- "$@" --slew

# Set up debugging; treat a missing property as level 0.
deb=`svcprop -c -p config/debuglevel $SMF_FMRI`
[ -z "$deb" ] && deb=0

# Start the daemon. If debugging is requested, put it in the background,
# since it won't do it on its own.
if [ "$deb" -gt 0 ]; then
    /usr/sbin/ntpd ${NTPD_OPTIONS} "$@" --set-debug-level=$deb >/var/ntp/ntp.debug &
else
    /usr/sbin/ntpd ${NTPD_OPTIONS} "$@"
fi

# Now, wait for the first sync, if requested.
val=`svcprop -c -p config/wait_for_sync $SMF_FMRI`
[ "$val" = "true" ] && /usr/sbin/ntp-wait

exit $SMF_EXIT_OK
{code}