1406445 – chronyd fails to start if hostnames are not resolvable in allow directive

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1406445 - chronyd fails to start if hostnames are not resolvable in allow directive

Summary: chronyd fails to start if hostnames are not resolvable in allow directive

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	chrony
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Lichvar
QA Contact:	Karel Volný
Docs Contact:
URL:
Whiteboard:
Depends On:	1387223
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-20 14:35 UTC by Stefan Meyer
Modified:	2020-09-10 10:03 UTC (History)
CC List:	4 users (show)
Fixed In Version:	chrony-3.1-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 16:20:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1908	0	normal	SHIPPED_LIVE	chrony bug fix and enhancement update	2017-08-01 17:54:45 UTC

Description Stefan Meyer 2016-12-20 14:35:11 UTC

Description of problem:
When the allow directive is used in /etc/chrony.conf and the name 
of the server is not resolvable by dns, the service fails to start.

This was first seen when the network did not come up fast enough 
and dns was not yet available.

While starting from version 1.25, chronyd will keep trying to resolve 
the names specified by the server, pool, and peer directives in an 
increasing interval until it succeeds, this is not the case for the
allow directive.

Version-Release number of selected component (if applicable):
- Red Hat Enterprise Linux 7.3
- chrony 2.1.1

How reproducible:
Whenever a hostname cannot get resolved by dns or /etc/hosts

Steps to Reproduce:
1. edit /etc/chrony.conf
2. add "allow thisserverdoesnotexist.example.com"
3. restart chronyd with "systemctl restart chronyd"
4. The restart fails 

Actual results:
The service fails with "Could not parse allow directive at line XX in file /etc/chrony.conf"

Expected results:
- The service should not fail.
- The allow directive should behave like the server, pool, and peer directives.

Additional info:

Comment 2 Miroslav Lichvar 2017-01-04 12:15:34 UTC

Resolving of hosts specified the allow/deny directive is intentionally required to work on start. Maybe it should be mentioned in the man page.

While theoretically the allow/deny directives could be delayed for name resolving, I'm not sure if it makes much sense. If the address of the NTP client is expected to change over time (i.e. it needs to be specified as a hostname), the client would be allowed access only until the next change of its address and chronyd would need to be restarted. In such case it would be better to periodically run a script and use the allow/deny commands of chronyc.

Also, it's not clear to what should it do if the name resolves to multiple addresses. What if it's used in a deny command blacklisting a client and there is an allow directive for a subnet in which the client is? The client would be allowed access until the resolving succeeds.

It seems the original reason for this bug report is that the allow directive was thought to be needed for NTP sources (like ntpd requires with the restrict directive), but that's not actually necessary.

Comment 3 Evgeni Golov 2017-01-05 09:40:07 UTC

(In reply to Miroslav Lichvar from comment #2)
> Resolving of hosts specified the allow/deny directive is intentionally
> required to work on start. Maybe it should be mentioned in the man page.

This should also mention that chrony has to be started strictly *after* the network has been brough up, as otherwise DNS resolution might not work.

> While theoretically the allow/deny directives could be delayed for name
> resolving, I'm not sure if it makes much sense. If the address of the NTP
> client is expected to change over time (i.e. it needs to be specified as a
> hostname), the client would be allowed access only until the next change of
> its address and chronyd would need to be restarted. In such case it would be
> better to periodically run a script and use the allow/deny commands of
> chronyc.

But doesn't this render the hostname version of allow/deny useless? If my hostname ←→ IP mapping never changes, I can also just enter the IP address in chrony.conf and forget about all the DNS resolution pain.

> It seems the original reason for this bug report is that the allow directive
> was thought to be needed for NTP sources (like ntpd requires with the
> restrict directive), but that's not actually necessary.

It's not needed, true. But the main point of the BZ was: chrony fails to start if it is started before I have a working network but want to use allow/deny with names.

Comment 4 Miroslav Lichvar 2017-01-05 10:07:31 UTC

(In reply to Evgeni Golov from comment #3)
> This should also mention that chrony has to be started strictly *after* the
> network has been brough up, as otherwise DNS resolution might not work.

Right.

Generally, we want to start chronyd early in the boot process, so it can restore the frequency of the clock from the driftfile, set the clock from the RTC (with the -s option), or set the clock from a reference clock (e.g. GPS), even if the network is not up.

There are other interesting problems with name resolving. If chronyd waited for working DNS, it might lock with DNSSEC it it's waiting for chronyd to set the clock.

> But doesn't this render the hostname version of allow/deny useless? If my
> hostname ←→ IP mapping never changes, I can also just enter the IP address
> in chrony.conf and forget about all the DNS resolution pain.

I agree the hostname form of the directive is not very useful. I don't remember any other reports about this. If it was implemented again, it would probably make sense to not support hostnames at all. Now, I think it needs to be preserved for compatibility.

Comment 5 Miroslav Lichvar 2017-01-06 13:12:51 UTC

(In reply to Evgeni Golov from comment #3)
> (In reply to Miroslav Lichvar from comment #2)
> > Resolving of hosts specified the allow/deny directive is intentionally
> > required to work on start. Maybe it should be mentioned in the man page.
> 
> This should also mention that chrony has to be started strictly *after* the
> network has been brough up, as otherwise DNS resolution might not work.

This is now upstream:

http://chrony.tuxfamily.org/doc/devel/chrony.conf.html#allow

Comment 6 Miroslav Lichvar 2017-01-25 16:36:31 UTC

The improved documentation will be included in chrony rebase (bug #1387223).

Comment 8 Karel Volný 2017-03-13 12:18:00 UTC

the abovementioned page has this relevant part:

"The directive allows a hostname to be specified instead of an IP address, but the name must be resolvable when chronyd is started (i.e. chronyd needs to be started when the network is already up and DNS is working)."

just to be sure, do I get it right that nothing changed in the startup process (as described in the bug reproducer), the whole 'fix' is just docs change as suggested in #c6?

Comment 9 Miroslav Lichvar 2017-03-13 12:36:57 UTC

(In reply to Karel Volný from comment #8)
> just to be sure, do I get it right that nothing changed in the startup
> process (as described in the bug reproducer), the whole 'fix' is just docs
> change as suggested in #c6?

Yes, this is just a documentation improvement. The default ordering of the chronyd service doesn't change.

Comment 11 errata-xmlrpc 2017-08-01 16:20:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1908

Note You need to log in before you can comment on or make changes to this bug.