Bug 1406445

Summary: chronyd fails to start if hostnames are not resolvable in allow directive
Product: Red Hat Enterprise Linux 7 Reporter: Stefan Meyer <smeyer>
Component: chronyAssignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA QA Contact: Karel Volný <kvolny>
Severity: low Docs Contact:
Priority: medium    
Version: 7.3CC: egolov, jprokes, kvolny, mlichvar
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: chrony-3.1-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 16:20:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1387223    
Bug Blocks:    

Description Stefan Meyer 2016-12-20 14:35:11 UTC 
Description of problem:
When the allow directive is used in /etc/chrony.conf and the name 
of the server is not resolvable by dns, the service fails to start.

This was first seen when the network did not come up fast enough 
and dns was not yet available.

While starting from version 1.25, chronyd will keep trying to resolve 
the names specified by the server, pool, and peer directives in an 
increasing interval until it succeeds, this is not the case for the
allow directive.

Version-Release number of selected component (if applicable):
- Red Hat Enterprise Linux 7.3
- chrony 2.1.1

How reproducible:
Whenever a hostname cannot get resolved by dns or /etc/hosts

Steps to Reproduce:
1. edit /etc/chrony.conf
2. add "allow thisserverdoesnotexist.example.com"
3. restart chronyd with "systemctl restart chronyd"
4. The restart fails 

Actual results:
The service fails with "Could not parse allow directive at line XX in file /etc/chrony.conf"

Expected results:
- The service should not fail.
- The allow directive should behave like the server, pool, and peer directives.

Additional info:
Comment 2 Miroslav Lichvar 2017-01-04 12:15:34 UTC 
Resolving of hosts specified the allow/deny directive is intentionally required to work on start. Maybe it should be mentioned in the man page.

While theoretically the allow/deny directives could be delayed for name resolving, I'm not sure if it makes much sense. If the address of the NTP client is expected to change over time (i.e. it needs to be specified as a hostname), the client would be allowed access only until the next change of its address and chronyd would need to be restarted. In such case it would be better to periodically run a script and use the allow/deny commands of chronyc.

Also, it's not clear to what should it do if the name resolves to multiple addresses. What if it's used in a deny command blacklisting a client and there is an allow directive for a subnet in which the client is? The client would be allowed access until the resolving succeeds.

It seems the original reason for this bug report is that the allow directive was thought to be needed for NTP sources (like ntpd requires with the restrict directive), but that's not actually necessary.
Comment 3 Evgeni Golov 2017-01-05 09:40:07 UTC 
(In reply to Miroslav Lichvar from comment #2)
> Resolving of hosts specified the allow/deny directive is intentionally
> required to work on start. Maybe it should be mentioned in the man page.

This should also mention that chrony has to be started strictly *after* the network has been brough up, as otherwise DNS resolution might not work.

> While theoretically the allow/deny directives could be delayed for name
> resolving, I'm not sure if it makes much sense. If the address of the NTP
> client is expected to change over time (i.e. it needs to be specified as a
> hostname), the client would be allowed access only until the next change of
> its address and chronyd would need to be restarted. In such case it would be
> better to periodically run a script and use the allow/deny commands of
> chronyc.

But doesn't this render the hostname version of allow/deny useless? If my hostname ←→ IP mapping never changes, I can also just enter the IP address in chrony.conf and forget about all the DNS resolution pain.

> It seems the original reason for this bug report is that the allow directive
> was thought to be needed for NTP sources (like ntpd requires with the
> restrict directive), but that's not actually necessary.

It's not needed, true. But the main point of the BZ was: chrony fails to start if it is started before I have a working network but want to use allow/deny with names.
Comment 4 Miroslav Lichvar 2017-01-05 10:07:31 UTC 
(In reply to Evgeni Golov from comment #3)
> This should also mention that chrony has to be started strictly *after* the
> network has been brough up, as otherwise DNS resolution might not work.

Right.

Generally, we want to start chronyd early in the boot process, so it can restore the frequency of the clock from the driftfile, set the clock from the RTC (with the -s option), or set the clock from a reference clock (e.g. GPS), even if the network is not up.

There are other interesting problems with name resolving. If chronyd waited for working DNS, it might lock with DNSSEC it it's waiting for chronyd to set the clock.

> But doesn't this render the hostname version of allow/deny useless? If my
> hostname ←→ IP mapping never changes, I can also just enter the IP address
> in chrony.conf and forget about all the DNS resolution pain.

I agree the hostname form of the directive is not very useful. I don't remember any other reports about this. If it was implemented again, it would probably make sense to not support hostnames at all. Now, I think it needs to be preserved for compatibility.
Comment 5 Miroslav Lichvar 2017-01-06 13:12:51 UTC 
(In reply to Evgeni Golov from comment #3)
> (In reply to Miroslav Lichvar from comment #2)
> > Resolving of hosts specified the allow/deny directive is intentionally
> > required to work on start. Maybe it should be mentioned in the man page.
> 
> This should also mention that chrony has to be started strictly *after* the
> network has been brough up, as otherwise DNS resolution might not work.

This is now upstream:

http://chrony.tuxfamily.org/doc/devel/chrony.conf.html#allow
Comment 6 Miroslav Lichvar 2017-01-25 16:36:31 UTC 
The improved documentation will be included in chrony rebase (bug #1387223).
Comment 8 Karel Volný 2017-03-13 12:18:00 UTC 
the abovementioned page has this relevant part:

"The directive allows a hostname to be specified instead of an IP address, but the name must be resolvable when chronyd is started (i.e. chronyd needs to be started when the network is already up and DNS is working)."

just to be sure, do I get it right that nothing changed in the startup process (as described in the bug reproducer), the whole 'fix' is just docs change as suggested in #c6?
Comment 9 Miroslav Lichvar 2017-03-13 12:36:57 UTC 
(In reply to Karel Volný from comment #8)
> just to be sure, do I get it right that nothing changed in the startup
> process (as described in the bug reproducer), the whole 'fix' is just docs
> change as suggested in #c6?

Yes, this is just a documentation improvement. The default ordering of the chronyd service doesn't change.
Comment 11 errata-xmlrpc 2017-08-01 16:20:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1908