Discussion:
[OpenIndiana-discuss] NTP not starting in Zones
Till Wegmüller
2018-09-12 20:59:36 UTC
Hello fellow Community

Since some time I get the following error inside all my zones from ntp.

------
[ Sep 11 06:54:40 Enabled. ]
[ Sep 11 06:54:41 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 06:54:41 svc.startd could not set context for method: ]
setppriv: Not owner
[ Sep 11 06:54:41 Method "start" exited with status 96. ]
[ Sep 11 07:08:18 Leaving maintenance because disable requested. ]
[ Sep 11 07:08:18 Disabled. ]
[ Sep 11 15:58:33 Enabled. ]
[ Sep 11 15:58:33 Executing start method ("/lib/svc/method/ntp start"). ]
[ Sep 11 15:58:33 svc.startd could not set context for method: ]
setppriv: Not owner
[ Sep 11 15:58:33 Method "start" exited with status 96. ]
------

Does anybody know what ntp or rather smf is complaining about?
Is ntp not supposed to be installed inside zones? If so wouldn't it make
sense to configure ntp as variant global?

Would love to hear what you know about this.
Greetings
Till
ken mays via openindiana-discuss
2018-09-12 21:08:27 UTC
Check owner status (non-root)...~K
Till Wegmüller
2018-09-12 21:15:40 UTC
Hi

No, unfortunately not.
SMF Manifest has:
----
<exec_method
    type='method'
    name='start'
    exec='/lib/svc/method/ntp %m'
    timeout_seconds='600'>
    <method_context>
        <method_credential
            user='root'
            group='root'
            privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_lock_memory,sys_time'
        />
    </method_context>
</exec_method>
----

and
~# ls -alh /lib/svc/method/ntp
-r-xr-xr-x 1 root bin 3.26K Feb 22 2018 /lib/svc/method/ntp

~# ls -alh /usr/lib/inet/ntpd
-r-xr-xr-x 1 root bin 1.20M Sep 9 22:53 /usr/lib/inet/ntpd

Unfortunately not. Or do I need to check on another spot?

-Till
Jerry Kemp
2018-09-12 21:26:22 UTC
Maybe I'm doing it wrong, but I typically only set time/run NTP in the Global zone, and my observations are that NTP in
the Global zone will take care of the GZ, HW time and everything else.

As such, I do not run NTP, or do anything else to set time, aside from configuring the TZ (time zone) in local zones.

This has generally served me well since the Solaris 10 betas. I wouldn't expect a local zone to be able to access the HW clock.

Am I doing this wrong?

Jerry
Alexander Pyhalov via openindiana-discuss
2018-09-13 08:10:42 UTC
Hello.
What is a point of running ntp in zone?
NTP running in GZ will care about system time.

Best regards,
Alexander Pyhalov,
programmer, Telecommunications Infrastructure Department,
Information and Communication Infrastructure Directorate, SFedU
Jonathan Adams
2018-09-13 08:53:57 UTC
I got ntp working inside a zone, by granting a privilege in the master (in
zonecfg) and modifying the svc script in the client to not reject it ...
but it was many years ago.

the reason I did it, in that case was that the parent zone didn't have
access to the internet, but the child zone did.

I'm trying to find the server that did this, but I think it got rebuilt in
the end.

Jon
Jonathan Adams
2018-09-13 08:56:31 UTC
https://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/z.admin.ov-18/index.html

seems to imply that the privilege is just "sys_time"
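
One way to check the privilege question raised above, as an added example that is not part of any post in this thread: it compares the `privileges=` value from the quoted manifest with the privileges available in a zone. The zone privilege list is a constructed sample, `missing_privs` is a hypothetical helper name, and `myzone` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): list privileges requested by an SMF
# method_credential that are not available in the current zone.

# privileges= value from the manifest quoted in this thread.
NTP_PRIVS='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_lock_memory,sys_time'

# Constructed sample standing in for `ppriv -l zone` output in a zone that
# has not been granted sys_time (illustrative, not captured from a system).
SAMPLE_ZONE_PRIVS='file_chown
file_link_any
net_privaddr
proc_exec
proc_fork
proc_info
proc_lock_memory
proc_session'

# missing_privs SPEC ZONE_PRIVS
# Prints, space-separated, every privilege named in SPEC that does not appear
# in ZONE_PRIVS (names separated by newlines, spaces or commas).
# Simplification: removals (!name) and set names (basic, all, zone, none)
# are skipped, since they do not name a single privilege to be granted.
missing_privs() {
    spec=$1
    zone_privs=$2
    missing=
    old_ifs=$IFS
    IFS=,
    set -f                      # no globbing while splitting SPEC on commas
    for p in $spec; do
        case $p in
            ''|'!'*|basic|all|zone|none) continue ;;
        esac
        if ! printf '%s\n' "$zone_privs" | tr ', ' '\n\n' | grep -qx -- "$p"; then
            missing="${missing:+$missing }$p"
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$missing"
}

# Inside a real zone, replace the sample with live data:
#   missing_privs "$NTP_PRIVS" "$(ppriv -l zone)"
# If sys_time is reported, it can be granted from the global zone with
#   zonecfg -z myzone set limitpriv=default,sys_time
# which takes effect the next time the zone boots.
missing_privs "$NTP_PRIVS" "$SAMPLE_ZONE_PRIVS"
```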
Bob Friesenhahn
2018-09-13 17:21:32 UTC
Post by Alexander Pyhalov via openindiana-discuss
Hello.
What is a point of running ntp in zone?
NTP running in GZ will care about system time.
The main reason is usually security. Running network daemons inside
of zones helps avoid problems if there is a security issue with the
daemon.

I run named and ntp in the global zone since I worry that the host
could have some dependencies on these protocols which impacts clean
booting.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Jonathan Adams
2018-09-13 18:07:49 UTC
strange, I prefer to run all my daemons in a zone as it keeps them separate
from the core operating system, and reduces the access to resources.

it's easy for a global zone to access the resources of the child, it's hard
for the child to access the global zone.
Bob Friesenhahn
2018-09-13 18:18:40 UTC
Post by Jonathan Adams
strange, I prefer to run all my daemons in a zone as it keeps them separate
from the core operating system, and reduces the access to resources.
it's easy for a global zone to access the resources of the child, it's hard
for the child to access the global zone.
The host (global zone) is booted prior to the zone and so it can not
use the services of the zone until the zone is booted. If the DNS
server is running in the zone then some other means needs to be used
for hostname/IP resolution while it is down. The zone is typically
down while booting and during system updates.

I don't see how this could be considered "strange".

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Jonathan Adams
2018-09-13 20:39:31 UTC
you have a good point about the order of services ... I'm just saying it
was strange that you considered it "safer" to run the daemons in the global
zone, as I'm kinda paranoid about that sort of thing myself.

Jon
Brian Wilson
2018-09-17 17:24:36 UTC
Post by Jonathan Adams
strange, I prefer to run all my daemons in a zone as it keeps them separate
from the core operating system, and reduces the access to resources.
it's easy for a global zone to access the resources of the child, it's hard
for the child to access the global zone.
Unless you give the child zone the privileges it needs to do so - like
sys_time. Though I don't know that that one's a big deal.
I would take the opposite approach - lock down logins to the global zone
and run privileged 'global' services like NTP, monitoring, backups and/or
NFS there, and then keep the child/local zones as thin as possible so that
the processes running in the zone that faced the Internet were minimal.