Bug 1955859 - ntpd compiled without refclock support
Summary: ntpd compiled without refclock support
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: ntpsec
Version: 34
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-01 02:09 UTC by Maciej Żenczykowski
Modified: 2021-05-03 08:58 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug


Attachments (Terms of Use)

Description Maciej Żenczykowski 2021-05-01 02:09:41 UTC
This is a regression from ntpd in fc33

Installed Packages:
  ntp-refclock.x86_64  0.4-3.fc34
  ntpsec.x86_64        1.2.0-6.fc34
  ntpstat.noarch       0.6-4.fc34

ntpd[1173]: IO: Listening on routing socket on fd #23 for interface updates
ntpd[1173]: INIT: ntpd was compiled without refclock support.
ntpd[1173]: PROTO: 127.127.1.0 unlink local addr 127.0.0.1 -> <null>
ntpd[1173]: INIT: ntpd was compiled without refclock support.
ntpd[1173]: PROTO: 127.127.20.0 unlink local addr 127.0.0.1 -> <null>
ntpd[1173]: CONFIG: Fudge commands not supported: built without refclocks

I've found and installed the 'ntp-refclock' package, but it doesn't seem to help.
I don't see any obviously correct packages to install, searching for pps nmea gps refclock...

Comment 1 Maciej Żenczykowski 2021-05-01 02:13:10 UTC
https://fedoraproject.org/wiki/Changes/NtpReplacement makes no mention of how to make things work.

Comment 2 Maciej Żenczykowski 2021-05-01 08:46:16 UTC
Downgrading to ntp/ntpdate 4.2.8p15-3.fc33 fixes the problem (unsurprisingly),
though along the way it deleted my ntp crypto keys and I had to recover them from backups or regenerate them.

Comment 3 Maciej Żenczykowski 2021-05-03 07:38:42 UTC
Unpacking the source ntpsec tarball finds the following in INSTALL.adoc:

== Optional Features ==

The waf builder accepts `--enable-FEATURE` options to where FEATURE
indicates an optional part of the package.  Do `waf --help` for a list
of options.

refclocks are enabled with `--refclock=<n1,n2,n3..>` or `--refclock=all`
`waf configure --list` will print a list of available refclocks.

---

So adding --refclock=local,nmea to the ntpsec.spec file and rebuilding.
(though perhaps it should just be --refclock=all)

This seems to produce a closer to functional package.

May 02 23:38:24 mini.lan ntpd[29966]: REFCLOCK: refclock_params: kernel PLL (hardpps, RFC 1589) not implemented
May 02 23:38:24 mini.lan ntpd[29966]: REFCLOCK: NMEA(0) set PPSAPI params fails

which can be fixed (worked around?) by flipping 'flag3 1' to 'flag3 0' though that seems suboptimal.
Presumably this is something missing from ntpsec that was present in fc33 ntpd?

---

Note: I also have extra selinux config localntp.te:

module localntp 1.0;

require {
	type clock_device_t;
	type ntpd_t;
	type tty_device_t;
	class lnk_file read;
	class chr_file { open read write ioctl };
}

#============= ntpd_t ==============
allow ntpd_t tty_device_t:lnk_file read;
allow ntpd_t tty_device_t:chr_file { open read write ioctl };
allow ntpd_t clock_device_t:lnk_file read;
allow ntpd_t clock_device_t:chr_file { open read write ioctl };

which I'm not entirely sure if it is still needed or not.

---

Another thing that comes to light is that apparently /usr/bin/ntpkeygen can generate keys which fail to parse.

cd /etc/ntp && ntpkeygen && ln -sf ntp.keys keys && systemctl status restart

May 03 00:02:15 mini.lan ntpd[30661]: AUTH: authreadkeys: reading /etc/ntp/keys
May 03 00:02:15 mini.lan ntpd[30661]: AUTH: CMAC key 8 will be padded 10=>16
May 03 00:02:15 mini.lan ntpd[30661]: AUTH: authreadkeys: added 20 keys

This appears to be related to the presence of #'s in the key:
 8 AES yaFV<<}Z4x#n^k,#

May 03 00:10:14 mini.lan ntpd[30802]: AUTH: authreadkeys: reading /etc/ntp/keys
May 03 00:10:14 mini.lan ntpd[30802]: AUTH: CMAC key 10 will be padded 8=>16
May 03 00:10:14 mini.lan ntpd[30802]: AUTH: authreadkeys: added 20 keys

10 AES Nc{2&pyv#C}=,KqN

May 03 00:11:53 mini.lan ntpd[30857]: AUTH: authreadkeys: reading /etc/ntp/keys
May 03 00:11:53 mini.lan ntpd[30857]: AUTH: authreadkeys: no key for key 9
May 03 00:11:53 mini.lan ntpd[30857]: AUTH: authreadkeys: added 19 keys

 9 AES #CeE{.3qv(,:.e.G

btw. additionally 'man ntpkeygen' has a tiny typo since it lists [-MV] instead of [-V]

Comment 4 Miroslav Lichvar 2021-05-03 08:23:36 UTC
Thanks for the report.

I'll make an update enabling the refclock support. I didn't notice it's disabled by default.
I'll look into the keygen issue.

The hardpps feature requires a special build of the kernel. It didn't work with the old ntpd either.

If you find any selinux issues, please file a bug for the selinux-policy component.


Note You need to log in before you can comment on or make changes to this bug.