Date: Tue, 07 Apr 2015 09:17:30 -0500
From: dweimer
To: FreeBSD Questions
Subject: NTPD in jail

I understand that a jail can't update the server's time, but I recently migrated a physical FreeBSD machine into a FreeBSD jail. That machine was one of the 3 machines that I ran NTPD on to sync to internet time servers, and pointed my internal machines at. I have configured the host to sync to the internet time servers.
And set up the jail to only have the fake fudge 127.127.1.0 server, figuring that the host ntpd process would keep the server synced and this would allow the internal clients to sync to it without having to change them all to point at the host's IP address instead. I have both processes limited to the correct external IPs to avoid port conflicts; however, the jail's NTPD service periodically fails. The only log entries I see are the "Apr 7 09:01:27 proxy1 ntpd[48446]: local_clock: ntp_loopfilter.c line 709: ntp_adjtime: Operation not permitted" but at some point it's no longer running to answer queries.

I plan to add DNS CNAMEs for NTP1, NTP2, NTP3 to reference the NTP servers from the clients and update the CNAMEs if hosts change in the future. In the short term, to make sure clients don't lose their time sync, does anyone have a workaround that will allow NTPD to run on the jail?

--
Thanks,
Dean E. Weimer
http://www.dweimer.net/