Message-Id: <201712050922.vB59MEBT009379@repo.freebsd.org>
From: Colin Percival
Date: Tue, 5 Dec 2017 09:22:14 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r326565 - head/release/tools

Author: cperciva
Date: Tue Dec 5 09:22:14 2017
New Revision: 326565
URL: https://svnweb.freebsd.org/changeset/base/326565

Log:
Make EC2 instances use Amazon's NTP service for time synchronization.

Since Amazon provides NTP servers within their network, this should be far superior to using the default NTP pools; and since the service is provided by Amazon there's very little risk in enabling it by default. (If someone is able to compromise Amazon's NTP servers and exploit them to attack EC2 instances, they would almost certainly be able to compromise EC2 instances even without ntpd running...)

MFC after: 1 week
Relnotes: EC2 instances now keep their clocks synchronized using the Amazon Time Sync Service (aka. NTP).

Modified:
head/release/tools/ec2.conf

Modified: head/release/tools/ec2.conf
==============================================================================
--- head/release/tools/ec2.conf Tue Dec 5 09:08:48 2017 (r326564)
+++ head/release/tools/ec2.conf Tue Dec 5 09:22:14 2017 (r326565)
@@ -9,7 +9,7 @@ export VM_EXTRA_PACKAGES="ec2-scripts firstboot-freebsd-update firstboot-pkgs dual-dhclient amazon-ssm-agent" # Set to a list of third-party software to enable in rc.conf(5). -export VM_RC_LIST="ec2_configinit ec2_fetchkey ec2_ephemeralswap ec2_loghostkey firstboot_freebsd_update firstboot_pkgs" +export VM_RC_LIST="ec2_configinit ec2_fetchkey ec2_ephemeralswap ec2_loghostkey firstboot_freebsd_update firstboot_pkgs ntpd" # Build with a 3 GB UFS partition; the growfs rc.d script will expand # the partition to fill the root disk after the EC2 instance is launched. @@ -86,6 +86,11 @@ vm_extra_pre_umount() { sed -i '' -e \ 's/^#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \ ${DESTDIR}/etc/ssh/sshd_config + + # Use the NTP service provided by Amazon + sed -i '' -e 's/^pool/#pool/' \ + -e 's/^#server.*/server 169.254.169.123 iburst/' \ + ${DESTDIR}/etc/ntp.conf # The first time the AMI boots, the installed "first boot" scripts # should be allowed to run:
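Review bot: adding ntpd to VM_RC_LIST only turns the service on in rc.conf(5); the first hunk sets nothing about how ntpd treats a clock that is already wrong when it starts, and ntpd by default refuses to step a clock whose offset exceeds its panic threshold rather than correcting it. Consider also setting ntpd_sync_on_start for the EC2 image, so the first boot after the AMI was built gets stepped to the Amazon source before the time-dependent firstboot scripts in the same list run. The comment above the list still reads "third-party software to enable in rc.conf(5)", while ntpd is a base-system rc.d script; either adjust the comment or note that the list now carries base services too.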
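Review bot: the second expression in the ntp.conf edit, `s/^#server.*/server 169.254.169.123 iburst/`, rewrites every commented-out `#server` line in the installed ntp.conf and does nothing if there is none, so the outcome depends on the comment layout of the stock file: several example lines give duplicate server entries, and no matching line, combined with the first expression commenting out every `pool` line, leaves ntpd with no time source at all. Appending the directive is deterministic: keep `sed -i '' -e 's/^pool/#pool/' ${DESTDIR}/etc/ntp.conf` and follow it with `echo 'server 169.254.169.123 iburst' >> ${DESTDIR}/etc/ntp.conf`. The comment "Use the NTP service provided by Amazon" would also benefit from saying that 169.254.169.123 is a link-local address answered only from inside EC2, and that with a single server ntpd has no quorum to reject a falseticker, which is the trade-off the log message accepts.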
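The ntp.conf rewrite in the second hunk, applied to a constructed sample config so its effect can be checked offline, beside a variant that appends exactly one server line. This is an added example, not code from r326565 or from the FreeBSD release tools; the address 169.254.169.123 and the two sed expressions are taken from the commit, while the sample config, the function names and the hardened variant are assumptions made for the example. The script uses plain `sed -e` with an output file instead of BSD `sed -i ''` so it runs on any POSIX sh.

```shell
#!/bin/sh
# Added example (not part of r326565): apply the commit's two sed expressions
# to a constructed ntp.conf and count what they leave behind, then do the same
# with a variant that appends exactly one server directive.

# Address from the commit; the Amazon Time Sync Service is link-local and only
# answers from inside EC2.
AMAZON_NTP="169.254.169.123"

# Write a constructed ntp.conf (NOT the stock FreeBSD file) with one pool line
# and two commented-out example server lines, the layout that makes the
# commit's "s/^#server.*/.../" expression produce duplicates.
write_sample_conf() {
	cat > "$1" <<'EOF'
# Constructed sample ntp.conf for this example
tos minclock 3 maxclock 6
pool 0.freebsd.pool.ntp.org iburst
#server time.example.com iburst
#server time2.example.com iburst
restrict default limited kod nomodify notrap noquery nopeer
restrict 127.0.0.1
EOF
}

# The transformation exactly as written in the commit: comment out pool lines
# and turn every commented "#server" line into the Amazon server line.
apply_commit_edit() {
	sed -e 's/^pool/#pool/' \
	    -e "s/^#server.*/server $AMAZON_NTP iburst/" "$1" > "$2"
}

# Hardened variant (assumption, not the project's code): disable any active
# pool or server directive, then append one server line regardless of what
# the input contained, so the result does not depend on comment layout.
apply_hardened_edit() {
	sed -e 's/^pool/#pool/' -e 's/^server/#server/' "$1" > "$2"
	printf 'server %s iburst\n' "$AMAZON_NTP" >> "$2"
}

# Number of active (uncommented) "server" directives in a config file.
# grep -c prints 0 but exits 1 on no match, hence "|| true" for set -e.
count_active_servers() {
	grep -c '^server' "$1" || true
}

# Number of active "pool" directives.
count_active_pools() {
	grep -c '^pool' "$1" || true
}

# Stand-alone demo: show both results side by side.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/in.conf"
apply_commit_edit "$demo_dir/in.conf" "$demo_dir/commit.conf"
apply_hardened_edit "$demo_dir/in.conf" "$demo_dir/hardened.conf"
echo "commit edit:   servers=$(count_active_servers "$demo_dir/commit.conf") pools=$(count_active_pools "$demo_dir/commit.conf")"
echo "hardened edit: servers=$(count_active_servers "$demo_dir/hardened.conf") pools=$(count_active_pools "$demo_dir/hardened.conf")"
rm -rf "$demo_dir"
```

On the constructed input the commit's expressions leave two identical `server 169.254.169.123 iburst` lines; on an input with no `#server` line at all they would leave none, which is the case worth guarding against in a release-build script. The appending variant yields exactly one server directive and no active pool either way.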