Monday, April 4, 2011

How to chroot ntp in Debian

Here are a few simple steps to chroot ntp in Debian. Put the following into the file /usr/local/sbin/chroot-ntp and execute it (alternatively you can download the script from the bitbucket site here):
#!/bin/bash
# Move ntpd's configuration and writable state under a chroot and start
# ntpd with -i so it confines itself there after start-up.

/etc/init.d/ntp stop

rootfs=/var/chroot/ntp
mkdir -p $rootfs/{etc,var/lib/ntp,var/log}

# Comment out the IPv6 restrict lines first, while /etc/ntp.conf is still
# the real file. Editing it after the move would replace the symlink created
# below with a plain copy and leave the file inside the chroot untouched.
sed -i -e "s,restrict -6,#restrict -6," \
       -e "s,restrict ::1,#restrict ::1," /etc/ntp.conf

# ntpd parses ntp.conf before it chroots, so the symlink keeps /etc/ntp.conf
# readable from the host while the real file lives inside the chroot.
mv /etc/ntp.conf $rootfs/etc
ln -s $rootfs/etc/ntp.conf /etc/ntp.conf

# The drift file is written after chroot(2), i.e. under $rootfs; the symlink
# outside the chroot lets tools on the host still find it.
if [ -e /var/lib/ntp/ntp.drift ]; then
    mv /var/lib/ntp/ntp.drift $rootfs/var/lib/ntp
fi
ln -s $rootfs/var/lib/ntp/ntp.drift \
    /var/lib/ntp/ntp.drift
chown -R ntp:ntp $rootfs/var/lib/ntp

# Same treatment for the statistics directory.
mv /var/log/ntpstats $rootfs/var/log
ln -s $rootfs/var/log/ntpstats /var/log/ntpstats
chown -R ntp:ntp $rootfs/var/log/ntpstats

# -4: IPv4 only, -i: chroot directory, -g: allow the large initial step.
# In-place edit instead of a predictable, world-writable /tmp/x name.
sed -i "s,'-g','-4 -i $rootfs -g'," /etc/default/ntp

/etc/init.d/ntp start
Verify that ntpd is started with the chroot option (file /etc/default/ntp):
NTPD_OPTS='-4 -i /var/chroot/ntp -g'
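Checking NTPD_OPTS alone only shows what the init script will pass; it does not show that the running daemon is actually confined. The following script, an added example that is not part of the original post, checks all four results the chroot-ntp script should leave behind: the -i option in NTPD_OPTS, the root of the running ntpd as seen through /proc/<pid>/root, the IPv4-only restrict lines in ntp.conf, and the drift-file symlink into the chroot. The function names and the ROOTFS override are my own assumptions; run it as root, since /proc/<pid>/root of a root-owned process is not readable otherwise.

```shell
#!/bin/bash
# Verify the state chroot-ntp should leave behind (added example; function
# names and the ROOTFS override are assumptions, not from the original post).
rootfs=${ROOTFS:-/var/chroot/ntp}

# 1. Does NTPD_OPTS in the defaults file ($1) carry "-i <rootfs>" ($2)?
#    The file is sourced the same way the init script reads it.
opts_use_chroot() {
    local opts
    opts=$(. "$1" && printf '%s' "$NTPD_OPTS")
    case " $opts " in
        *" -i $2 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# 2. Is the daemon really confined? Once ntpd has called chroot(2),
#    /proc/<pid>/root ($1) resolves to the chroot directory ($2).
process_root_is() {
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# 3. Does ntp.conf ($1) keep the IPv4 default restriction and leave the
#    IPv6 restrict lines commented out, as set up above?
conf_restricts_ipv4_only() {
    grep -q '^restrict -4 default .*nomodify.*noquery' "$1" &&
    ! grep -q '^restrict -6' "$1" &&
    ! grep -q '^restrict ::1' "$1"
}

# 4. Is the host-side drift path ($1) a symlink into the chroot ($2)?
drift_symlink_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2/var/lib/ntp/ntp.drift" ]
}

verify_ntp_chroot() {
    local pid rc=0
    pid=$(pidof ntpd 2>/dev/null || pgrep -x ntpd 2>/dev/null || true)
    pid=${pid%% *}   # first pid only, in case several are reported
    opts_use_chroot /etc/default/ntp "$rootfs" && echo "OK  NTPD_OPTS has -i $rootfs" || { echo "BAD NTPD_OPTS"; rc=1; }
    [ -n "$pid" ] && process_root_is "/proc/$pid/root" "$rootfs" \
        && echo "OK  ntpd root is $rootfs" || { echo "BAD ntpd not chrooted"; rc=1; }
    conf_restricts_ipv4_only /etc/ntp.conf && echo "OK  restrict lines" || { echo "BAD restrict lines"; rc=1; }
    drift_symlink_ok /var/lib/ntp/ntp.drift "$rootfs" && echo "OK  drift symlink" || { echo "BAD drift symlink"; rc=1; }
    return $rc
}

# Run the report only on a host that actually has the Debian ntp package.
if [ -r /etc/default/ntp ]; then verify_ntp_chroot; fi
```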

Debian NTP Server

Let's start by installing a few packages:
apt-get -y install ntp ntpdate
The options passed to the ntp daemon are set in the file /etc/default/ntp. For now we want to turn off IPv6:
NTPD_OPTS='-4 -g'
We also restrict the ntp daemon to IPv4 only (file /etc/ntp.conf):
# By default, exchange time with everybody, but don't
# allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more
# closely.
restrict 127.0.0.1
#restrict ::1
Restart the ntp daemon so the changes take effect:
/etc/init.d/ntp restart
Check which servers it uses for synchronization:
ntpq -4p

Client

Install ntpdate package:
apt-get -y install ntpdate
You can sync the client with your ntp server by issuing the following command (I assume your local ntp server resolves to ntp.dev.local):
ntpdate -p 2 ntp.dev.local
Consider having a look at the following post (you just need to substitute your own ntp server name).