Monday, April 4, 2011

How to chroot ntp in Debian

Here are a few simple steps to chroot ntp in Debian. Put the following in the file /usr/local/sbin/chroot-ntp and execute it once, as root (alternatively you can download the script from the bitbucket site here):
#!/bin/bash
# Move ntpd's writable state into a chroot and start it with -i.
# Run once, as root: the script is not idempotent (a second run would
# move the symlinks it created onto the files they point to).
set -e

rootfs=/var/chroot/ntp

/etc/init.d/ntp stop

mkdir -p $rootfs/{etc,var/lib/ntp,var/log}

# ntpd parses ntp.conf before it chroots, so the symlink only keeps a
# single copy of the file; the drift file and the statistics are written
# after the chroot and therefore must live inside it.
mv /etc/ntp.conf $rootfs/etc
ln -s $rootfs/etc/ntp.conf /etc/ntp.conf

if [ -e /var/lib/ntp/ntp.drift ]; then
    mv /var/lib/ntp/ntp.drift $rootfs/var/lib/ntp
fi
ln -s $rootfs/var/lib/ntp/ntp.drift \
    /var/lib/ntp/ntp.drift
chown -R ntp:ntp $rootfs/var/lib/ntp

if [ -d /var/log/ntpstats ]; then
    mv /var/log/ntpstats $rootfs/var/log
else
    mkdir -p $rootfs/var/log/ntpstats
fi
ln -s $rootfs/var/log/ntpstats /var/log/ntpstats
chown -R ntp:ntp $rootfs/var/log/ntpstats

# -i <dir> makes ntpd chroot into <dir> after reading its config and
# opening its sockets; -4 keeps it IPv4 only, matching the commented-out
# -6 restrict lines below. Debian's init script adds the -u ntp:ntp that
# -i requires.
sed -i "s,'-g','-4 -i $rootfs -g'," /etc/default/ntp

# Edit the real file inside the chroot, not /etc/ntp.conf: writing to a
# temp file and mv-ing it over /etc/ntp.conf would replace the symlink
# with a plain file and leave the copy in the chroot unchanged.
sed -i -e "s,^restrict -6,#restrict -6," \
       -e "s,^restrict ::1,#restrict ::1," \
       $rootfs/etc/ntp.conf

/etc/init.d/ntp start
Verify that the options now include the chroot (file /etc/default/ntp):
NTPD_OPTS='-4 -i /var/chroot/ntp -g'
That only shows the configuration changed. To confirm the running daemon is really confined, look at the root directory the kernel reports for the ntpd process under /proc/<pid>/root: it should be /var/chroot/ntp, not /. The drift file and the ntpstats directory are written after the chroot, so if they stop being updated the paths inside the chroot are wrong or not owned by the ntp user.

Debian NTP Server

Let's start by installing a few packages:
apt-get -y install ntp ntpdate
The options passed to the ntp daemon are set in the file /etc/default/ntp. For now we turn off IPv6 with -4:
NTPD_OPTS='-4 -g'
We also restrict the daemon to IPv4 in /etc/ntp.conf by commenting out the IPv6 restrict lines. The flags on the default line are what keep a reachable ntpd harmless: nomodify and noquery refuse remote configuration and ntpq/ntpdc control queries (the queries abused for NTP reflection attacks), nopeer refuses unsolicited peering, notrap disables the trap service and kod answers clients that exceed the rate limit with kiss-of-death packets:
# By default, exchange time with everybody, but don't 
# allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more 
# closely.
restrict 127.0.0.1
#restrict ::1
Restart the ntp daemon so the changes take effect:
/etc/init.d/ntp restart
See which servers it is synchronizing with (the * marks the current system peer):
ntpq -4p
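As an added check that is not part of the original posts, the script below verifies the three things the two ntp posts above change: that NTPD_OPTS in /etc/default/ntp carries a -i chroot directory, that the running ntpd's root directory (as /proc/<pid>/root reports it) is that directory, and that the IPv4 "restrict default" line in ntp.conf still carries the kod/notrap/nomodify/nopeer/noquery flags. The Debian paths, the pidof lookup and the script name check-ntp-chroot are assumptions.

```sh
#!/bin/sh
# Added verification helper for the ntp chroot and restrict settings;
# not the original author's script. Assumes the Debian layout used on
# this page: /etc/default/ntp with NTPD_OPTS='...', /etc/ntp.conf, and
# an ntpd started by the init script (pid found with pidof).

# Print the directory given to ntpd's -i option in a Debian defaults
# file; return 1 if ntpd is not configured to chroot at all.
ntp_chroot_dir() {
    opts=$(sed -n "s/^NTPD_OPTS='\(.*\)'.*$/\1/p" "$1")
    set -- $opts        # split the option string into words
    while [ $# -gt 1 ]; do
        if [ "$1" = "-i" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# /proc/<pid>/root is a symlink to the root directory the process really
# sees, so a chrooted ntpd reports the chroot here instead of /.
proc_root() {
    readlink "/proc/$1/root"
}

# 0 if process $2 runs with root directory $1.
ntpd_is_chrooted() {
    [ "$(proc_root "$2")" = "$1" ]
}

# Check that the IPv4 'restrict default' (or 'restrict -4 default') line
# in ntp.conf $1 carries every flag in the space-separated list $2;
# print each missing flag and return 1. Commented lines and the -6 line
# are ignored on purpose.
restrict_default_has() {
    conf=$1
    pat='^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default[[:space:]]*'
    if ! grep -Eq "$pat" "$conf"; then
        echo "no 'restrict default' line in $conf"
        return 1
    fi
    flags=$(sed -E -n "s/$pat//p" "$conf" | head -n 1)
    rc=0
    for want in $2; do
        case " $flags " in
            *" $want "*) ;;
            *) echo "restrict default lacks '$want'"; rc=1 ;;
        esac
    done
    return $rc
}

# Run all checks against the live system; 0 only if everything holds.
check_ntp_hardening() {
    rc=0
    dir=$(ntp_chroot_dir /etc/default/ntp) ||
        { echo "ntpd is not chrooted (no -i in NTPD_OPTS)"; rc=1; }
    pid=$(pidof ntpd) || { echo "ntpd is not running"; rc=1; }
    if [ -n "$dir" ] && [ -n "$pid" ]; then
        if ntpd_is_chrooted "$dir" "$pid"; then
            echo "ntpd (pid $pid) runs in $dir"
        else
            echo "ntpd root is $(proc_root "$pid"), not $dir"; rc=1
        fi
    fi
    restrict_default_has /etc/ntp.conf "kod notrap nomodify nopeer noquery" || rc=1
    return $rc
}

# Only run the live checks when executed directly under the assumed name,
# not when the file is sourced for its functions.
[ "${0##*/}" = "check-ntp-chroot" ] && check_ntp_hardening
```

Run it as root after the chroot script and after every edit of ntp.conf; a non-zero exit status with the printed reason is the signal that either the daemon is not confined or the default restriction has been loosened.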

Client

Install the ntpdate package:
apt-get -y install ntpdate
You can sync the client with your ntp server by issuing the following command (I assume your local ntp server resolves to ntp.dev.local). ntpdate binds UDP port 123 itself, so it refuses to run while an ntpd is running on the client unless you add -u to use an unprivileged port:
ntpdate -p 2 ntp.dev.local
Consider having a look at the following post (you just need to substitute the ntp server name with yours).

Tuesday, March 15, 2011

Debian Diskless Setup and Configuration

Here we are going to set up a server that serves a diskless Debian over the network to PXE clients. We will be using the following:
  • DHCP server: dh1 (see how to install here)
  • TFTP server: tftp1 (IP: 192.168.10.35)
  • NFS server: nfs1 (IP: 192.168.10.30)
  • PXE image location on NFS server: /srv/diskless/c1

Saturday, March 5, 2011

How to properly "halt" virtual machine in LXC

While running a number of virtual machines in LXC you may need to shut each of them down gracefully when the host reboots. Here is a script (file /usr/local/sbin/lxc-shutdown):
#!/bin/sh
# Ask a container to halt itself over ssh, wait for it to reach STOPPED,
# and only then fall back to lxc-stop, which kills it without a clean
# shutdown of the services inside.

name=$1
timeout=15

if [ -z "$name" ]; then
    echo "usage: $0 <container>" >&2
    exit 1
fi

if lxc-info -n "$name" | grep -qs "STOPPED"
then
    echo "$name not running..."
    exit 0
fi

# Backgrounded: the ssh session dies together with the container, so we
# poll lxc-info instead of waiting for ssh. BatchMode prevents a hang on
# a password prompt if the key is missing; -n detaches ssh from stdin.
ssh -n -o BatchMode=yes "$name" halt &
#if [ -e /usr/bin/lxc-halt ]; then
#    /usr/bin/lxc-halt -n "$name"
#else
#    ssh -n -o BatchMode=yes "$name" halt &
#fi

while [ $timeout -gt 0 ]
do
    timeout=$((timeout-1)); sleep 1
    if lxc-info -n "$name" | grep -qs "STOPPED"
    then
        exit 0
    fi
done

# Still running after the grace period: stop it the hard way.
lxc-stop -n "$name"
lxc-wait -n "$name" -s 'STOPPED'
This approach requires root on the host to have password-less ssh login into each container (see more here). Because that key otherwise gives a full root shell in every container, restrict it in each container's authorized_keys with command="/sbin/halt" together with no-pty, no-port-forwarding and no-agent-forwarding, so that a leaked key can do nothing but halt the container. Now that you have a script that lets you halt a virtual machine gracefully, let's make a few changes to /etc/init.d/lxc (somewhere around line 56):
# ...
    stop)
    log_daemon_msg "Stopping $DESC"
    #action_all "lxc-stop -n"
    # Uncomment below if you need to halt containers
    # in reverse order
    #CONTAINERS=`echo $CONTAINERS | tac -s ' '`
    # action_all appends the container name, so each container gets
    # "lxc-shutdown <name>" (the script above); the full path is used
    # because /usr/local/sbin is not necessarily on the init script's PATH.
    action_all "/usr/local/sbin/lxc-shutdown"
    ;;
# ...
On lxc v0.8+, which ships its own lxc-shutdown, use the following two commands to make that name resolve to this script instead:

update-alternatives --install /usr/bin/lxc-shutdown \
   lxc-shutdown /usr/local/sbin/lxc-shutdown 1
update-alternatives --set lxc-shutdown \
   /usr/local/sbin/lxc-shutdown

update-alternatives only manages symlinks: if the package installed /usr/bin/lxc-shutdown as a regular file it warns that it will not replace the file with a link and leaves it alone. Check afterwards with ls -l that /usr/bin/lxc-shutdown is a link into /etc/alternatives; if it is not, move the packaged file aside with dpkg-divert first.

Friday, March 4, 2011

Exim4 SSL/TLS Configuration

Here we are going to configure exim4 to use SSL/TLS for incoming connections:
  1. First of all let's create an exim4 private key and certificate request (see here how to create a certificate authority). Answer the Common Name prompt with the host name clients connect to (mail.dev.local below). The key is left unencrypted (-nodes) because the daemon has to start unattended, and -days is not needed here: a request carries no validity period, the CA sets it when signing.
    openssl req -newkey rsa:2048 -keyout exim.key -out exim.csr -nodes
    
  2. Now let's sign it with our certificate authority (the validity period comes from the CA's configuration unless you pass -days):
    openssl ca -out exim.crt -infiles exim.csr
    
  3. Here we get two important files: exim.key (the private key) and exim.crt (the x509 certificate). Copy them to /etc/exim4, which is where Debian's configuration looks for them by default.
  4. Secure the certificates: the key must be readable by the Debian-exim group the daemon runs as, and by nobody else:
    chown root:Debian-exim exim.key exim.crt
    chmod g=r,o= exim.key exim.crt
    
  5. Enable the exim4 daemon listener options for ports 25 and 465 (file /etc/default/exim4). Note that -oX only makes exim listen on 465; to speak TLS from the first byte there (SMTPS) rather than STARTTLS as on port 25, the port must also be listed in tls_on_connect_ports, which Debian's configuration takes from the TLS_ON_CONNECT_PORTS macro:
    SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
    
  6. Turn on the SSL/TLS option (new file /etc/exim4/conf.d/main/00_exim4-localmacros):
    MAIN_TLS_ENABLE = true
    
  7. Restart exim4 and have a look at the log file when you send a test message.
    /etc/init.d/exim4 restart
    echo test | mail -s "ssl/tls test" root@dev.local
    
    Here is what you will see in the log file (/var/log/exim4/mainlog) for a message received over SMTP with TLS:
    ... P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 ...
    
    If you cannot see an esmtps entry in the log file, it is most likely because the message was submitted locally: mail hands it to exim through the sendmail interface, not over SMTP, so no TLS is involved. Test from a remote machine instead, or open a STARTTLS session to port 25 with openssl s_client -starttls smtp and a direct TLS session to port 465 with openssl s_client to confirm both ports present the certificate.

Alternative Certificate Location

You can specify any location for the ssl/tls certificate and key (file /etc/exim4/conf.d/main/00_exim4-localmacros):
MAIN_TLS_CERTIFICATE=/etc/ssl/certs/mail.dev.local-cert.pem
MAIN_TLS_PRIVATEKEY=/etc/ssl/private/mail.dev.local-key.pem
This is useful when you host both SMTP and IMAP services on the same host and want them to share one certificate. Note that group Debian-exim must have read access to both files; on Debian, /etc/ssl/private is only traversable by group ssl-cert, so add Debian-exim to that group (adduser Debian-exim ssl-cert) or the daemon cannot open the key even though the file mode allows it.
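As an added check that is not part of the original post, the functions below verify what steps 3 and 4 and the alternative-location note above require of the key and certificate before exim4 is restarted: that the private key matches the certificate (a mismatched pair makes exim fail TLS and fall back to plaintext), that the certificate has not expired, and that the key is not readable by "other". It assumes an RSA key as generated in step 1 and GNU stat; the file names are passed as arguments.

```sh
#!/bin/sh
# Added check for the exim4 TLS files (not the original post's code).
# Assumes an RSA key/certificate pair as produced by the openssl commands
# in steps 1-2 and GNU coreutils stat; paths are given as arguments.

# Compare the RSA modulus of key and certificate; they must be the same
# number for the pair to belong together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if certificate $1 is still valid $2 seconds from now (default: now).
cert_valid_for() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# 0 if "other" has no permission bits on $1, i.e. the octal mode ends
# in 0 (640 as set by chmod g=r,o= passes, 644 does not).
not_world_accessible() {
    mode=$(stat -c '%a' "$1")
    [ $((mode % 10)) -eq 0 ]
}

# Run all three checks on key $1 and certificate $2; print each failure
# and return 1 if any check failed.
exim_tls_files_ok() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "$1 does not match $2"; rc=1; }
    cert_valid_for "$2" 0 || { echo "$2 is expired"; rc=1; }
    not_world_accessible "$1" ||
        { echo "$1 is readable by others; run chmod o= $1"; rc=1; }
    return $rc
}
```

Typical use is exim_tls_files_ok /etc/exim4/exim.key /etc/exim4/exim.crt (or the /etc/ssl paths from the alternative location) in a pre-restart hook; it does not check group ownership, so the chown to root:Debian-exim from step 4 still has to be done by hand.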