GNU bug report logs - #37318
OpenNTPD generated config is convoluted


Package: guix;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Fri, 6 Sep 2019 03:11:02 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#37318; Package guix. (Fri, 06 Sep 2019 03:11:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 06 Sep 2019 03:11:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: bug-guix <bug-guix <at> gnu.org>
Subject: OpenNTPD generated config is convoluted
Date: Tue, 03 Sep 2019 13:33:42 +0900
For the following documented openntpd-service-type definition:

--8<---------------cut here---------------start------------->8---
(service openntpd-service-type
         (openntpd-configuration
          (listen-on '("127.0.0.1" "::1"))
          (sensor '("udcf0 correction 70000"))
          (constraint-from '("www.gnu.org"))
          (constraints-from '("https://www.google.com/"))
          (allow-large-adjustment? #t)))
--8<---------------cut here---------------end--------------->8---

The following configuration file is generated:

--8<---------------cut here---------------start------------->8---
listen on 127.0.0.1
 listen on ::1
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
sensor udcf0 correction 70000
constraints from "https://www.google.com/"
server 0.guix.pool.ntp.org
 server 1.guix.pool.ntp.org
 server 2.guix.pool.ntp.org
 server 3.guix.pool.ntp.org
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
constraint from www.gnu.org
--8<---------------cut here---------------end--------------->8---

Notice the repeated "constraints from" directives.




Information forwarded to bug-guix <at> gnu.org:
bug#37318; Package guix. (Fri, 06 Sep 2019 03:24:01 GMT) Full text and rfc822 format available.

Message #8 received at 37318 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 37318 <at> debbugs.gnu.org
Subject: Re: OpenNTPD generated config is convoluted
Date: Tue, 03 Sep 2019 13:47:06 +0900
I also can't seem to make it sync, see my test below.

Tests:

# Set the date to somewhere in the past
sudo date -s 'Tue Sep  3 12:00:00 JST 2019'

# Set the hwclock to the same wrong date
sudo hwclock --systohc

Then I launched (open)ntpd manually in verbose mode:

sudo /gnu/store/j4abi03pc4b0gfs2mlbzyd6g9bjqphyc-openntpd-6.2p3/sbin/ntpd -f /gnu/store/v2cqcxliivrcn1rlz78p6mg21k7pxyrx-ntpd.conf -d -s -v
adjtimex returns frequency of 27.512100ppm
listening on 127.0.0.1 
listening on ::1 
ntp engine ready
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2001:470:142:3::a received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
constraint: failed to load constraint ca
constraint: failed to load constraint ca
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
constraint: failed to load constraint ca
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
constraint: failed to load constraint ca
no constraint reply from 209.51.188.148 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no reply received in time, skipping initial time setting
constraint: failed to load constraint ca
constraint: failed to load constraint ca
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s


cat /gnu/store/v2cqcxliivrcn1rlz78p6mg21k7pxyrx-ntpd.conf
listen on 127.0.0.1
 listen on ::1
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
sensor udcf0 correction 70000
constraints from "https://www.google.com/"
server 0.guix.pool.ntp.org
 server 1.guix.pool.ntp.org
 server 2.guix.pool.ntp.org
 server 3.guix.pool.ntp.org
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
constraint from www.gnu.org

Many tens of minutes later my date is still stuck in the past (despite
using the "-s" flag, which is supposed to set the time immediately
rather than slowly at startup).

Am I missing something?

Maxim




Information forwarded to bug-guix <at> gnu.org:
bug#37318; Package guix. (Fri, 06 Sep 2019 09:35:01 GMT) Full text and rfc822 format available.

Message #11 received at 37318 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 37318 <at> debbugs.gnu.org
Subject: Re: OpenNTPD generated config is convoluted
Date: Fri, 06 Sep 2019 18:34:34 +0900
The problem of OpenNTPD not syncing was caused by the use of constraint
directives; ntpd would print the message (when run in debug mode with
the -v option):

--8<---------------cut here---------------start------------->8---
constraint: failed to load constraint ca
--8<---------------cut here---------------end--------------->8---

Some investigation follows.

In the sources, the block printing this message is:

#ifdef HAVE_LIBTLS
	/* Init TLS and load CA certs before chroot() */
	if (tls_init() == -1)
		fatalx("tls_init");
	if ((conf->ca = tls_load_file(CONSTRAINT_CA,
	    &conf->ca_len, NULL)) == NULL)
		fatalx("failed to load constraint ca");
#endif

Furthermore, CONSTRAINT_CA is set at configuration time like:

AC_ARG_WITH([cacert],
	AS_HELP_STRING([--with-cacert=path],
		       [CA certificate location for HTTPS constraint validation]),
	CONSTRAINT_CA="$withval",
	CONSTRAINT_CA="/etc/ssl/cert.pem"
)

The configure flag --with-cacert is not used in our openntpd package, so
it must be configured to use the certificate authority at
/etc/ssl/cert.pem.


Let's verify this:

sudo ltrace -f -e open /gnu/store/j4abi03pc4b0gfs2mlbzyd6g9bjqphyc-openntpd-6.2p3/sbin/ntpd -f ~/openntpd.conf -d -s -v
[...]
[pid 20164] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20164] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 172.217.31.132 received in time, next query 900s
[pid 20165] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20165] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s

Indeed, it's reading that file, which doesn't exist.
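
The two problems in this report (repeated directives in the generated file, and constraint directives that need a CA bundle ntpd cannot open) can be checked before ntpd is started. The script below is an added example, not code from this thread, Guix or OpenNTPD; the function names are hypothetical, the CA path defaults to the /etc/ssl/cert.pem configure default quoted above, and the sample input is the generated file from the first message.

```sh
# Added example (hypothetical function names): lint a generated ntpd.conf.
# Print "<count>x <directive>" for every directive that occurs more than once.
ntpd_conf_duplicates() {
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
         $0 == "" || /^#/ { next }
         { if (++seen[$0] == 1) order[++n] = $0 }
         END { for (i = 1; i <= n; i++)
                   if (seen[order[i]] > 1) print seen[order[i]] "x " order[i] }' "$1"
}
# Report whether the CA bundle that constraint directives need is usable.
# $2 defaults to /etc/ssl/cert.pem, the configure default quoted in the report.
# Only the PEM marker is checked, not the validity of the certificates.
ntpd_ca_status() {
    ca=${2:-/etc/ssl/cert.pem}
    if ! grep -Eq '^[[:space:]]*constraints?[[:space:]]+from[[:space:]]' "$1"; then
        echo "ok: no constraint directives"; return 0
    fi
    if [ ! -r "$ca" ]; then
        echo "fail: $ca missing or unreadable"; return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "fail: $ca contains no PEM certificate"; return 1
    fi
    echo "ok: $ca"
}

# The generated file from the report, reproduced as sample input.
sample_ntpd_conf() {
    cat <<'EOF'
listen on 127.0.0.1
 listen on ::1
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
sensor udcf0 correction 70000
constraints from "https://www.google.com/"
server 0.guix.pool.ntp.org
 server 1.guix.pool.ntp.org
 server 2.guix.pool.ntp.org
 server 3.guix.pool.ntp.org
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
constraint from www.gnu.org
EOF
}
conf=$(mktemp) && sample_ntpd_conf > "$conf"
ntpd_conf_duplicates "$conf"
ntpd_ca_status "$conf" "$conf.no-such-ca" || true
rm -f "$conf"
```

A non-zero status from ntpd_ca_status on a configuration that uses constraints corresponds to the "failed to load constraint ca" condition traced above.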




Information forwarded to bug-guix <at> gnu.org:
bug#37318; Package guix. (Sat, 07 Sep 2019 04:22:01 GMT) Full text and rfc822 format available.

Message #14 received at 37318 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 37318 <at> debbugs.gnu.org
Subject: [PATCH] OpenNTPD generated config is convoluted
Date: Sat, 07 Sep 2019 13:21:27 +0900
Hello,

The attached patches fix this issue as well as the openntpd package not
being able to load the CA cert used to authenticate constraint servers.

It depends on the NTP patches posted here: bugs.gnu.org/37295.

[0001-gnu-openntpd-Fix-error-CA-errors-when-using-constrai.patch (text/x-patch, attachment)]
[0002-services-openntpd-Remove-useless-let.patch (text/x-patch, attachment)]
[0003-services-openntpd-Add-test-for-issue-3731.patch (text/x-patch, attachment)]
[0004-services-openntpd-Fix-the-config-generation-code.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#37318; Package guix. (Sun, 08 Sep 2019 08:08:02 GMT) Full text and rfc822 format available.

Message #17 received at 37318 <at> debbugs.gnu.org (full text, mbox):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 37318 <at> debbugs.gnu.org
Subject: Re: bug#37318: [PATCH] OpenNTPD generated config is convoluted
Date: Sun, 8 Sep 2019 11:07:46 +0300
On Sat, Sep 07, 2019 at 01:21:27PM +0900, Maxim Cournoyer wrote:
> Hello,
> 
> The attached patches fix this issue as well as the openntpd package not
> being able to load the CA cert used to authenticate constraint servers.
> 
> It depends on the NTP patches posted here: bugs.gnu.org/37295.
> 

This set also looks good to me. Make sure you don't forget any copyright
lines for yourself.


-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]

Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Tue, 10 Sep 2019 04:05:01 GMT) Full text and rfc822 format available.

Notification sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
bug acknowledged by developer. (Tue, 10 Sep 2019 04:05:02 GMT) Full text and rfc822 format available.

Message #22 received at 37318-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: 37318-done <at> debbugs.gnu.org
Subject: Re: bug#37318: [PATCH] OpenNTPD generated config is convoluted
Date: Tue, 10 Sep 2019 13:04:21 +0900
Hello,

Efraim Flashner <efraim <at> flashner.co.il> writes:

> On Sat, Sep 07, 2019 at 01:21:27PM +0900, Maxim Cournoyer wrote:
>> Hello,
>> 
>> The attached patches fix this issue as well as the openntpd package not
>> being able to load the CA cert used to authenticate constraint servers.
>> 
>> It depends on the NTP patches posted here: bugs.gnu.org/37295.
>> 
>
> This set also looks good to me. Make sure you don't forget any copyright
> lines for yourself.

I thought I had answered already, but it seems my reply wasn't sent.

Fixed in commit cccdfae388d61f2263a085a4ddac8cb2919d01531.  Thanks for
the review!

Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 08 Oct 2019 11:24:05 GMT) Full text and rfc822 format available.

This bug report was last modified 4 years and 201 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.