From: Ian Lepore
Date: Thu, 2 Mar 2017 01:23:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r314531 - in stable/11/etc: . rc.d
X-SVN-Group: stable-11

Author: ian
Date: Thu Mar 2 01:23:17 2017
New Revision: 314531
URL: https://svnweb.freebsd.org/changeset/base/314531

Log:
  MFC r311103, r311907:

  Update ntp.conf to use the ntpd pool feature.

  Our previous ntp.conf file configured 3 servers from freebsd.pool.ntp.org
  using 3 separate 'server' config lines. That is now replaced with a single
  'pool' line which causes ntpd to add multiple servers from the pool.

  More than just making the config smaller, the pool feature in ntpd has one
  major advantage over configuring 3 separate servers from a pool: if a
  server that was added using a 'pool' statement provides bad time (initially
  or at some later date), ntpd automatically discards it and configures a new
  different server from the pool without needing to be restarted.

  These changes also add a 'tos' line to control how many pool servers get
  added, a 'restrict source' line that is required to allow ntpd to add new
  peers from the pool, and it deletes a 'restrict 127.127.1.0' line that does
  nothing and should never have been there (127.127.1.0 is not a valid IP
  address, it's a refclock identifier).

  Add "pool" to the keywords that rc.d/ntpdate examines to find a server
  address in ntp.conf.
Modified: stable/11/etc/ntp.conf stable/11/etc/rc.d/ntpdate Directory Properties: stable/11/ (props changed) Modified: stable/11/etc/ntp.conf ============================================================================== --- stable/11/etc/ntp.conf Thu Mar 2 01:18:46 2017 (r314530) +++ stable/11/etc/ntp.conf Thu Mar 2 01:23:17 2017 (r314531) 
@@ -11,28 +11,43 @@ # # -# The following three servers will give you a random set of three -# NTP servers geographically close to you. -# See http://www.pool.ntp.org/ for details. Note, the pool encourages +# Set the target and limit for adding servers configured via pool statements +# or discovered dynamically via mechanisms such as broadcast and manycast. +# Ntpd automatically adds maxclock-1 servers from configured pools, and may +# add as many as maxclock*2 if necessary to ensure that at least minclock +# servers are providing good consistant time. +# +tos minclock 3 maxclock 6 + +# +# The following pool statement will give you a random set of NTP servers +# geographically close to you. A single pool statement adds multiple +# servers from the pool, according to the tos minclock/maxclock targets. +# See http://www.pool.ntp.org/ for details. Note, pool.ntp.org encourages # users with a static IP and good upstream NTP servers to add a server # to the pool. See http://www.pool.ntp.org/join.html if you are interested. # # The option `iburst' is used for faster initial synchronization. # -server 0.freebsd.pool.ntp.org iburst -server 1.freebsd.pool.ntp.org iburst -server 2.freebsd.pool.ntp.org iburst -#server 3.freebsd.pool.ntp.org iburst +pool 0.freebsd.pool.ntp.org iburst # # If you want to pick yourself which country's public NTP server -# you want sync against, comment out the above servers, uncomment -# the next ones and replace CC with the country's abbreviation. -# Make sure that the hostnames resolve to a proper IP address! -# -# server 0.CC.pool.ntp.org iburst -# server 1.CC.pool.ntp.org iburst -# server 2.CC.pool.ntp.org iburst +# you want to sync against, comment out the above pool, uncomment +# the next one, and replace CC with the country's abbreviation. +# Make sure that the hostname resolves to a proper IP address! 
+# +# pool 0.CC.pool.ntp.org iburst + +# +# To configure a specific server, such as an organization-wide local +# server, add lines similar to the following. One or more specific +# servers can be configured in addition to, or instead of, any server +# pools specified above. When both are configured, ntpd first adds all +# the specific servers, then adds servers from the pool until the tos +# minclock/maxclock targets are met. +# +#server time.my-internal.org iburst # # Security: @@ -40,11 +55,17 @@ server 2.freebsd.pool.ntp.org iburst # By default, only allow time queries and block all other requests # from unauthenticated clients. # +# The "restrict source" line allows peers to be mobilized when added by +# ntpd from a pool, but does not enable mobilizing a new peer association +# by other dynamic means (broadcast, manycast, ntpq commands, etc). +# # See http://support.ntp.org/bin/view/Support/AccessRestrictions # for more information. # -restrict default limited kod nomodify notrap nopeer noquery -restrict -6 default limited kod nomodify notrap nopeer noquery +restrict default limited kod nomodify notrap noquery nopeer +restrict -6 default limited kod nomodify notrap noquery nopeer +restrict source limited kod nomodify notrap noquery + # # Alternatively, the following rules would block all unauthorized access. # @@ -65,7 +86,6 @@ restrict -6 default limited kod nomodify # The following settings allow unrestricted access from the localhost restrict 127.0.0.1 restrict -6 ::1 -restrict 127.127.1.0 # # If a server loses sync with all upstream servers, NTP clients Modified: stable/11/etc/rc.d/ntpdate ============================================================================== --- stable/11/etc/rc.d/ntpdate Thu Mar 2 01:18:46 2017 (r314530) +++ stable/11/etc/rc.d/ntpdate Thu Mar 2 01:23:17 2017 (r314531) 
@@ -20,7 +20,7 @@ ntpdate_start() if [ -z "$ntpdate_hosts" -a -f "$ntpdate_config" ]; then ntpdate_hosts=`awk ' /^server[ \t]*127.127/ {next} - /^(server|peer)/ { + /^(server|peer|pool)/ { if ($2 ~/^-/) {print $3} else {print $2}} ' < "$ntpdate_config"`
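Review bot: In the first ntp.conf hunk (@@ -11,28 +11,43 @@), the new tos comment has a typo: "good consistant time" should read "good consistent time". Since this comment is the only in-file explanation of why minclock/maxclock are set to 3/6, it is worth getting the wording right before it is copied into every installed /etc/ntp.conf.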
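Review bot: In the security hunk (@@ -40,11 +55,17 @@), the load-bearing detail is that the new `restrict source limited kod nomodify notrap noquery` line deliberately omits `nopeer`, yet the added comment only says the line "allows peers to be mobilized when added by ntpd from a pool"; a reader who later tightens the restrict lines by copying the default flags will silently break the pool. Suggest the comment state it outright, e.g. "nopeer must not be set on the 'restrict source' line or servers discovered from the pool cannot be mobilized." Separately, swapping `nopeer noquery` to `noquery nopeer` on the two existing default lines is a no-op that makes this diff noisier and will produce merge conflicts for users who have local edits to those lines; leaving them untouched would keep the hunk focused on the functional change.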
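Review bot: In the rc.d/ntpdate hunk, the new pattern `/^(server|peer|pool)/` is anchored only on the left, so it also matches any keyword that merely begins with one of those strings, whereas the 127.127 refclock skip directly above it already uses `[ \t]` to delimit the keyword. Suggest `/^(server|peer|pool)[ \t]/` so that only whole-keyword lines feed `ntpdate_hosts`; the `$2 ~ /^-/` branch that skips a leading `-4`/`-6` flag then applies to pool lines exactly as it does to server lines.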
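As an added example (not code from the FreeBSD commit or the project), a small POSIX sh script that applies the two points of the log above to an ntp.conf: it extracts the first host from server/peer/pool lines the way rc.d/ntpdate does, and it checks that a configured pool is paired with a 'restrict source' line that does not carry nopeer. The sample config files, the host ntp.example.net and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD commit. Two checks over an ntp.conf:
#  ntp_conf_hosts            - first host from each server/peer/pool line, the
#                              way rc.d/ntpdate extracts an address for ntpdate
#                              (skips 127.127.x refclocks, handles a -4/-6 flag)
#  ntp_conf_pool_restrict_ok - when a 'pool' line is present, require a
#                              'restrict source' line without 'nopeer'; with
#                              nopeer ntpd cannot mobilize servers from the pool

ntp_conf_hosts() {
    awk '
        /^server[ \t]+127\.127\./ { next }        # refclock id, not a host
        /^(server|peer|pool)[ \t]/ {
            if ($2 ~ /^-/) { print $3 } else { print $2 }
        }' "$1"
}

ntp_conf_pool_restrict_ok() {
    # 0: no pool configured, or a usable "restrict source" line exists
    # 1: a pool is configured but every "restrict source" line has nopeer
    grep -Eq '^pool[[:blank:]]' "$1" || return 0
    grep -E '^restrict[[:blank:]]+source([[:blank:]]|$)' "$1" | grep -vq nopeer
}

# Constructed sample configs (not taken from the commit).
SAMPLE_NEW=$(mktemp) && SAMPLE_WEAK=$(mktemp)
trap 'rm -f "$SAMPLE_NEW" "$SAMPLE_WEAK"' EXIT
cat >"$SAMPLE_NEW" <<'EOF'
tos minclock 3 maxclock 6
pool 0.freebsd.pool.ntp.org iburst
#server time.my-internal.org iburst
server -4 ntp.example.net iburst
server 127.127.1.0
restrict default limited kod nomodify notrap noquery nopeer
restrict source limited kod nomodify notrap noquery
EOF
# Same file, but "restrict source" mistakenly carries nopeer as well.
sed 's/^\(restrict source .*\)$/\1 nopeer/' "$SAMPLE_NEW" >"$SAMPLE_WEAK"

printf 'hosts: %s\n' "$(ntp_conf_hosts "$SAMPLE_NEW" | tr '\n' ' ')"
for f in "$SAMPLE_NEW" "$SAMPLE_WEAK"; do
    if ntp_conf_pool_restrict_ok "$f"; then echo "$f: pool restrict ok"
    else echo "$f: pool configured but restrict source has nopeer"; fi
done
```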