Whoops, that should be
ntpdate_hosts, not servers.
On 7 June 2016 at 12:09, krad <kraduk at gmail.com> wrote:
> something as simple as this thrown in /etc/periodic/daily/ would probably
> do it.
>
> #!/bin/sh
> ip=`dig pool.ntp.org +short | head -1`
> cp /etc/hosts /etc/hosts.old &&
> sed -e "s/.*ntp-server/$ip ntp-server/" /etc/hosts.old > /etc/hosts
>
> with these lines in rc.conf
> ntpdate_enable=yes
> ntpdate_servers="ntp-server"
>
> On 7 June 2016 at 11:43, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
>
>> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
>>
>> > Like I said you could configure ntpdate as well as ntpd, but give it a
>> > known good IP. It will only run once at boot, and ntpd will start after,
>> > so that can use the nice pool names.
>> >
>> > A slightly better way may be to give ntpdate a server hostname like
>> > ntp-server and populate the hosts file with one of the IPs from
>> > pool.ntp.org. You could then have a periodic script to check and update the
>> > IP in the hosts file every day, so it works over a reboot. The IP would
>> > obviously have to have an initial seed value, but you could work this out
>> > programmatically at system configuration time with tools like Ansible.
>>
>> Why not do it with the standard scripts from the base system?
>> Enforcing DNSSEC must prevent this from working on all systems that
>> lack CMOS time.
>>
>> I am not an expert in sh scripting for this automation.
>>
>> > On 7 June 2016 at 09:47, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
>> >
>> > > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
>> > >
>> > > > Well there is a deadlock situation there so you have to relax one of the
>> > > > conditions, for one time at least.
>> > > >
>> > > > Your best bet is to do a manual ntpdate against a fixed IP of known
>> > > > goodness. If you have a lot of machines you need to do this on, use Ansible
>> > > > or similar to do the heavy lifting for you. Ansible is best in my opinion
>> > > > if you don't have anything set up as it's quick to get going. It does require
>> > > > python on the target machines so you would need to install that first.
>> > > > Something like the following should get it working (as you don't have DNS on
>> > > > the target machine, package fetches won't work, so I would tunnel a squid
>> > > > proxy and let that handle all the internet stuff).
>> > > >
>> > > > add something like the following to your ssh_config
>> > > >
>> > > > Host *
>> > > >     RemoteForward 31280 squid_server:3128
>> > > >
>> > > > then run some stuff like this (after installing ansible on your
>> > > > desktop/bastion host)
>> > > >
>> > > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i <host_list_file> -kS --ask-su-pass
>> > > >
>> > > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file> -kS --ask-su-pass
>> > > >
>> > > > ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS --ask-su-pass -i <host_list_file>
>> > > >
>> > > > from here on you should be able to start unbound and then ntpd eg
>> > > >
>> > > > ansible -m service -a "name=local_unbound state=restarted" -kS --ask-su-pass -i <host_list_file>
>> > > > ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i <host_list_file>
>> > > >
>> > > > Alternatively you could just relax your dnssec rules on first boot to give
>> > > > ntp a chance. Probably much easier 8)
>> > >
>> > > How do I do that? I don't touch dnssec rules and don't know unbound.
>> > > Maybe this is possible by startup scripts?
>> > > Also, some platforms lack CMOS time, RPi, for example.
>> > >
>> > > > Also make sure you are using the '-g' flag on ntpd
>> > >
>> > > Yes, I added `ntpd_sync_on_start=yes` to rc.conf.
>> > > I suggest doing it by a checkbox in bsdinstall.
>> > >
>> > > > On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
>> > > >
>> > > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
>> > > > >
>> > > > > > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
>> > > > > >
>> > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
>> > > > > > >
>> > > > > > >> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
>> > > > > > >>
>> > > > > > >> > Default install with local_unbound and ntpd can't be functional with
>> > > > > > >> > incorrect date/time in BIOS:
>> > > > > > >> >
>> > > > > > >> > Unbound requires correct time for the DNSSEC check and refuses queries
>> > > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
>> > > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
>> > > > > > >> >
>> > > > > > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
>> > > > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
>> > > > > > >> > resolve (see above, about DNSKEY).
>> > > > > > >>
>> > > > > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
>> > > > > > >> a regular install as far as I can see. Certainly I don't have any
>> > > > > > >
>> > > > > > > I don't know the reason for enforcing DNSSEC in a regular install.
>> > > > > > > I just select `local_unbound` at setup time and enter `127.0.0.1` as
>> > > > > > > nameserver address.
>> > > > > >
>> > > > > > That's not enough to configure unbound as a fully recursive DNS
>> > > > > > server.
>> > > > >
>> > > > > What am I missing?
>> > > > > Need to fix unbound setup scripts? bsdinstall scripts?
>> > > > > As I see, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
>> > > > > configure unbound as a fully recursive DNS server.
>> > > > >
>> > > > > > If your system gets its address through DHCP, it is probably
>> > > > > > getting DNS server addresses as well, and would work fine *without*
>> > > > > > your configuring any of the DNS state.
>> > > > >
>> > > > > I have a static address and don't get a DNS server address.
>> > > > >
>> > > > > > >> problem on any of my systems, and I've never configured an anchor on the
>> > > > > > >> internal systems.
>> > > > > > >>
>> > > > > > >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
>> > > > > > >>
>> > > > > > >> Ouch; that's a terrible idea, for several different reasons.
>> > > > > > >
>> > > > > > > What else?
>> > > > > >
>> > > > > > All the normal reasons that hard-coding IP addresses is a bad idea; they
>> > > > > > can change, you're encouraging a lot of people to use the same ones, etc.
>> > > > >
>> > > > > And how to resolve this issue:
>> > > > >
>> > > > > - default install with unbound as recursive DNS server (by default
>> > > > >   enforcing DNSSEC)
>> > > > > - ntp time synchronisation
>> > > > > - stale CMOS time (2008 year)
>> > > > > _______________________________________________
>> > > > > freebsd-stable at freebsd.org mailing list
>> > > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> > > > > To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>> > > > >
>> > >
>>
>
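A more defensive version of the periodic hosts-refresh idea quoted above, added here as an example (it is not krad's script and not part of the FreeBSD base system). It assumes dig is available, as in the original, and that /etc/hosts already carries a seed line for the ntp-server alias; unlike the one-liner, it refuses to touch the file when the lookup fails or returns something that is not an IPv4 address, so a DNSSEC failure at the moment the job runs cannot blank the entry ntpdate relies on at the next boot.

```shell
#!/bin/sh
# Added example, not from the thread: safer periodic refresh of the
# "ntp-server" alias in /etc/hosts. The previous (seed) address survives
# whenever the lookup fails, so ntpdate still has a target at boot.

HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}   # overridable for testing
NTP_ALIAS=ntp-server
POOL_NAME=pool.ntp.org

# is_ipv4 ADDR: accept only a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# lookup_pool_ip NAME: first A record from dig (assumed installed);
# prints nothing when resolution fails, e.g. while DNSSEC validation is broken.
lookup_pool_ip() {
    dig "$1" A +short 2>/dev/null | sed -n '/^[0-9][0-9.]*$/{p;q;}'
}

# update_hosts FILE ADDR NAME: replace (or append) the NAME line in FILE via
# a temporary file and rename; returns 1 and leaves FILE untouched when ADDR
# is not a valid IPv4 address.
update_hosts() {
    file=$1 addr=$2 name=$3
    is_ipv4 "$addr" || return 1
    tmp="$file.tmp.$$"
    grep -v "[[:space:]]$name\$" "$file" > "$tmp" || :   # drop old alias line
    printf '%s\t%s\n' "$addr" "$name" >> "$tmp"
    mv "$tmp" "$file"
}

main() {
    ip=$(lookup_pool_ip "$POOL_NAME")
    update_hosts "$HOSTS_FILE" "$ip" "$NTP_ALIAS" ||
        echo "$0: no usable address for $POOL_NAME, keeping seed entry" >&2
}

# Only refresh when invoked with --run, so the functions can be sourced
# (for instance by a test) without touching the real hosts file.
if [ "${1:-}" = "--run" ]; then main; fi
```

Install a one-line wrapper in /etc/periodic/daily/ that calls this script with --run; after a reboot with a stale clock ntpdate finds the last good address in /etc/hosts, and ntpd with -g takes over once the clock is sane.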