[opensuse-factory] ntp problems
The capability module is loaded, ntpd is still running though /var/log/ntp.log says it's exited. I also removed the drift file and there is a new one = 0.000, yet the time has drifted. 10.1/10.2Alpha4 both affected. I've tried the latest from factory of a few days ago, no joy, it's now 01:46, but system time says 01:19.

# rcntp restart
Shutting down network time protocol daemon (NTPD) done
Try to get initial date and time via NTP from 0.pool.ntp.org 1.pool.ntdoneg 2.pool.ntp.org
Starting network time protocol daemon (NTPD) done
barrabas:~ # tail -20 /var/log/ntp
1 Oct 15:29:45 ntpd[3687]: synchronized to 128.118.25.3, stratum 2
5 Oct 11:57:22 ntpd[3687]: ntpd exiting on signal 15
5 Oct 11:59:01 ntpd[5058]: cap_set_proc() failed to drop root privileges: Operation not permitted
5 Oct 12:36:00 ntpd[5501]: cap_set_proc() failed to drop root privileges: Operation not permitted
5 Oct 12:43:47 ntpd[5290]: cap_set_proc() failed to drop root privileges: Operation not permitted
6 Oct 21:02:10 ntpd[2726]: cap_set_proc() failed to drop root privileges: Operation not permitted
6 Oct 21:06:08 ntpd[2734]: synchronized to LOCAL(0), stratum 10
6 Oct 21:06:08 ntpd[2734]: kernel time sync enabled 0001
8 Oct 10:10:48 ntpd[31987]: cap_set_proc() failed to drop root privileges: Operation not permitted
8 Oct 10:11:04 ntpd[32021]: cap_set_proc() failed to drop root privileges: Operation not permitted
8 Oct 19:43:51 ntpd[32212]: cap_set_proc() failed to drop root privileges: Operation not permitted
9 Oct 22:25:44 ntpd[5536]: cap_set_proc() failed to drop root privileges: Operation not permitted
9 Oct 22:31:16 ntpd[5603]: cap_set_proc() failed to drop root privileges: Operation not permitted
9 Oct 23:09:07 ntpd[7780]: cap_set_proc() failed to drop root privileges: Operation not permitted
10 Oct 08:35:53 ntpd[16359]: cap_set_proc() failed to drop root privileges: Operation not permitted
11 Oct 00:08:50 ntpd[23043]: cap_set_proc() failed to drop root privileges: Operation not permitted
11 Oct 16:20:07 ntpd[5519]: cap_set_proc() failed to drop root privileges: Operation not permitted
11 Oct 16:46:55 ntpd[5521]: ntpd exiting on signal 15
11 Oct 20:40:37 ntpd[5595]: ntpd exiting on signal 15
11 Oct 21:43:18 ntpd[8993]: ntpd exiting on signal 15
barrabas:~ # ps fax|grep ntp
9140 ? Ss 0:00 /usr/sbin/ntpd -p /var/lib/ntp/var/run/ntp/ntpd.pid -u ntp -i /var/lib/ntp
barrabas:~ # lsmod|grep capa
capability 5000 0
commoncap 7680 1 capability
# rpm -qi xntp
Name : xntp Relocations: (not relocatable)
Version : 4.2.2p2 Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
Release : 4 Build Date: Sat Sep 2 19:28:18 2006
Install Date: Sat Sep 30 14:41:13 2006 Build Host: nelson.suse.de
Group : Productivity/Networking/Other Source RPM: xntp-4.2.2p2-4.src.rpm
Size : 1301006 License: X11/MIT
Signature : DSA/SHA1, Sat Sep 2 19:32:43 2006, Key ID a84edae89c800aca
Packager : http://bugs.opensuse.org
URL : http://www.ntp.org/
Summary : Network Time Protocol daemon (version 4)
Distribution: openSUSE 10.2 (i586)

Any ideas?
Regards
Sid.
--
Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot
Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Specialist, Cricket Coach
Microsoft Windows Free Zone - Linux used for all Computing Tasks
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
Sid Boyce wrote:
done
barrabas:~ # tail -20 /var/log/ntp
1 Oct 15:29:45 ntpd[3687]: synchronized to 128.118.25.3, stratum 2
5 Oct 11:57:22 ntpd[3687]: ntpd exiting on signal 15
5 Oct 11:59:01 ntpd[5058]: cap_set_proc() failed to drop root privileges: Operation not permitted
Check your /var/log/audit/audit.log - this looks like apparmor may be getting in the way. You may be able to update the profile by running 'aa-genprof <ntpd-binary>'

/Per Jessen, Zürich
Per Jessen wrote:
Sid Boyce wrote:
done
barrabas:~ # tail -20 /var/log/ntp
1 Oct 15:29:45 ntpd[3687]: synchronized to 128.118.25.3, stratum 2
5 Oct 11:57:22 ntpd[3687]: ntpd exiting on signal 15
5 Oct 11:59:01 ntpd[5058]: cap_set_proc() failed to drop root privileges: Operation not permitted
Check your /var/log/audit/audit.log - this looks like apparmor may be getting in the way.
You may be able to update the profile by running 'aa-genprof <ntpd-binary>'
/Per Jessen, Zürich
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)

OK, I'm running a vanilla kernel without apparmor, selinux enabled and the apparmor panel says apparmor is disabled, so it's puzzling. At one stage I did look around for apparmor patches, but none could be found.
Regards
Sid.
Sid Boyce wrote:
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)
OK, I'm running a vanilla kernel without apparmor, selinux enabled and the apparmor panel says apparmor is disabled, so it's puzzling. At one stage I did look around for apparmor patches, but none could be found. Regards Sid.
Try 'rcapparmor kill' to kill apparmor, or put apparmor in learning mode, 'complain [application]'.

-Chad
Chad Groneman wrote:
Sid Boyce wrote:
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)
OK, I'm running a vanilla kernel without apparmor, selinux enabled and the apparmor panel says apparmor is disabled, so it's puzzling. At one stage I did look around for apparmor patches, but none could be found. Regards Sid.
Try 'rcapparmor kill' to kill apparmor, or put apparmor in learning mode, 'complain [application]'.
-Chad
# rcapparmor kill
FATAL: Module apparmor not found.
Unloading AppArmor modules failed

Same result as when earlier I tried "/etc/init.d/boot.apparmor stop". I've also done "chkconfig boot.apparmor off". I've not seen any more reports in audit.log since earlier in the day, but soon after "rcntp restart", the time goes drifting off.

At 00:07 ----
# rcntp restart
Shutting down network time protocol daemon (NTPD) done
Try to get initial date and time via NTP from 0.pool.ntp.org 1.pool.ntdoneg 2.pool.ntp.org
Starting network time protocol daemon (NTPD) done

At 00:09 localtime has drifted 12 seconds lower.
Regards
Sid.
On 2006-10-13 00:09:53 +0100, Sid Boyce wrote:
# rcapparmor kill
FATAL: Module apparmor not found.
Unloading AppArmor modules failed
Same result as when earlier I tried "/etc/init.d/boot.apparmor stop". I've also done "chkconfig boot.apparmor off". I've not seen any more reports in audit.log since earlier in the day, but soon after "rcntp restart", the time goes drifting off.
At 00:07 ----
# rcntp restart
Shutting down network time protocol daemon (NTPD) done
Try to get initial date and time via NTP from 0.pool.ntp.org 1.pool.ntdoneg 2.pool.ntp.org
Starting network time protocol daemon (NTPD) done
you don't run the suse kernel??

darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Sid Boyce wrote:
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)
OK, I'm running a vanilla kernel without apparmor, selinux enabled and the apparmor panel says apparmor is disabled, so it's puzzling. At one stage I did look around for apparmor patches, but none could be found.
Well, it seems to me that apparmor is still getting in your way - although the messages you quoted are not the ones related to NTP not being able to drop root privileges.

For starters I would try what Chad Groneman suggested - "complain <ntp-binary>". Then you'll see "PERMITTING" messages in the audit.log and your NTP should work.

/Per Jessen, Zürich
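Whether the quoted rejects belong to the ntpd instances that failed cap_set_proc() can be checked by matching PIDs across the two logs. The script below is an added example, not part of any poster's message; the sample lines are copied from this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# AppArmor audit record in the older format quoted in this thread.
AA_RE = re.compile(
    r"type=APPARMOR msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): "
    r"(?P<verdict>REJECTING|PERMITTING) (?P<mode>\S+) access to (?P<path>\S+) "
    r"\((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active \S+\)"
)
# ntpd log line: "5 Oct 11:59:01 ntpd[5058]: message"
NTP_RE = re.compile(r"(?P<stamp>\d+ \w{3} [\d:]{8}) ntpd\[(?P<pid>\d+)\]: (?P<msg>.*)")

# Sample input: lines copied from the messages in this thread.
AUDIT_SAMPLE = """\
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)
"""
NTP_SAMPLE = """\
1 Oct 15:29:45 ntpd[3687]: synchronized to 128.118.25.3, stratum 2
5 Oct 11:57:22 ntpd[3687]: ntpd exiting on signal 15
5 Oct 11:59:01 ntpd[5058]: cap_set_proc() failed to drop root privileges: Operation not permitted
5 Oct 12:36:00 ntpd[5501]: cap_set_proc() failed to drop root privileges: Operation not permitted
6 Oct 21:02:10 ntpd[2726]: cap_set_proc() failed to drop root privileges: Operation not permitted
"""

def parse_audit(text):
    """Return one dict per AppArmor record, with the epoch rendered as UTC."""
    events = []
    for line in text.splitlines():
        m = AA_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["utc"] = datetime.fromtimestamp(int(ev["epoch"]), tz=timezone.utc).isoformat()
            events.append(ev)
    return events

def parse_ntp(text):
    """Return one dict (stamp, pid, msg) per ntpd log line."""
    return [m.groupdict() for m in map(NTP_RE.search, text.splitlines()) if m]

def triage(audit_text, ntp_text, comm="ntpd"):
    """Map each PID that logged a cap_set_proc() failure to the AppArmor events
    recorded for that same PID; also return all events for `comm`, keyed by PID."""
    by_pid = defaultdict(list)
    for ev in parse_audit(audit_text):
        if ev["comm"] == comm:
            by_pid[ev["pid"]].append(ev)
    failed = {}
    for rec in parse_ntp(ntp_text):
        if "cap_set_proc() failed" in rec["msg"]:
            failed[rec["pid"]] = by_pid.get(rec["pid"], [])
    return failed, dict(by_pid)

if __name__ == "__main__":
    failed, by_pid = triage(AUDIT_SAMPLE, NTP_SAMPLE)
    for pid, evs in failed.items():
        print(f"ntpd[{pid}] cap_set_proc failure: {len(evs)} AppArmor event(s) for this PID")
    for pid, evs in by_pid.items():
        for ev in evs:
            print(f"ntpd[{pid}] {ev['utc']} {ev['verdict']} {ev['mode']} {ev['path']}")
```

On the lines posted in the thread, the only ntpd reject carries PID 3687, the instance that logged a successful synchronization, and none of the PIDs that logged a cap_set_proc() failure has an AppArmor record.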
Sid Boyce wrote:
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)
OK, I'm running a vanilla kernel without apparmor, selinux enabled and the apparmor panel says apparmor is disabled, so it's puzzling. At one stage I did look around for apparmor patches, but none could be found.
Hi Sid,

It may be nothing, but you wrote that you have selinux ENabled. Same behaviour when you disable it?

Hans
--
pgp-id: 926EBB12
pgp-fingerprint: BE97 1CBF FAC4 236C 4A73 F76E EDFC D032 926E BB12
Registered linux user: 75761 (http://counter.li.org)
Hans Witvliet wrote:
Sid Boyce wrote:
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)
OK, I'm running a vanilla kernel without apparmor, selinux enabled and the apparmor panel says apparmor is disabled, so it's puzzling. At one stage I did look around for apparmor patches, but none could be found.
Hi Sid,
It may be nothing, but you wrote that you have selinux ENabled. Same behaviour when you disable it?
Hans
At the moment it is not configured, but from .config

CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19

I can build a kernel with it disabled to see if it's a problem. Before 10.1-GM there was never a problem and there is no problem with SUSE kernels. Grub menu.list does not have "selinux=".
Regards
Sid.
Sid Boyce wrote:
Hans Witvliet wrote:
Sid Boyce wrote:
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)
OK, I'm running a vanilla kernel without apparmor, selinux enabled and the apparmor panel says apparmor is disabled, so it's puzzling. At one stage I did look around for apparmor patches, but none could be found.
Hi Sid,
It may be nothing, but you wrote that you have selinux ENabled. Same behaviour when you disable it?
Hans
At the moment it is not configured, but from .config
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19
I can build a kernel with it disabled to see if it's a problem. Before 10.1-GM there was never a problem and there is no problem with SUSE kernels. Grub menu.list does not have "selinux=". Regards Sid.
Strange, I just checked the Athlon 64x2 box with 10.1 installed, kernel 2.6.18-git20-smp, no selinux compiled in and ntp keeps the time rock solid. Athlon64 laptop with 2.6.19-rc1-git4 currently but that also went through 2.6.18/2.6.18-git series, this Athlon XP3200+ (32-bit) at 2.6.19-rc2 (no selinux) which also went through the 2.6.18/2.6.18-git series, both experiencing significant clock drift. The 64x2 box has reference in audit.log to postfix apparmor rejects, but no ntp reject errors. xntp-4.20a-70.4 on the 10.1 x86_64 boxes and xntp-4.2.2p2-4 (upgraded) on the 10.2Alpha4 32-bit box.
Regards
Sid.
Per Jessen wrote:
Sid Boyce wrote:
type=APPARMOR msg=audit(1159712726.582:6): REJECTING r access to /proc/net/if_inet6 (ntpd(3687) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
type=APPARMOR msg=audit(1159713575.608:7): REJECTING m access to /etc/ld.so.cache (netstat(4724) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159755718.633:8): REJECTING m access to /etc/ld.so.cache (netstat(801) profile /bin/netstat active /bin/netstat)
type=APPARMOR msg=audit(1159802849.507:9): REJECTING m access to /etc/ld.so.cache (netstat(6917) profile /bin/netstat active /bin/netstat)
OK, I'm running a vanilla kernel without apparmor, selinux enabled and the apparmor panel says apparmor is disabled, so it's puzzling. At one stage I did look around for apparmor patches, but none could be found.
Well, it seems to me that apparmor is still getting in your way - although the messages you quoted are not the ones related to NTP not being able to drop root privileges.
For starters I would try what Chad Groneman suggested - "complain <ntp-binary>". Then you'll see "PERMITTING" messages in the audit.log and your NTP should work.
Since I did "/etc/init.d/boot.apparmor stop" and I now have it disabled at boot time I haven't had any messages in audit.log, however, the problem is still there. "rcntp start" or restart will cause the time to be set, thereafter, it drifts badly until a further restart or reboot. Tried running ntp non-chroot, no change. On another 10.2Alpha4 box running SUSE kernel 2.6.18-rc5-git6-2-default, there isn't a problem, so there seems to be a different behaviour with vanilla kernels.
Regards
Sid.
participants (5)
- Chad Groneman
- Hans Witvliet
- Marcus Rueckert
- Per Jessen
- Sid Boyce