Re: [chrony-dev] Using Linux Capabilities




On Thu, 9 Nov 2017, Bryan Christianson wrote:


On 9/11/2017, at 11:17 AM, Michael Cashwell <chronyd@xxxxxxxxxxxx> wrote:


It sounds like a “more standard” approach would be:

1: chronyd is started by the OS at boot in local mode (eg: no upstream time sources) and in an inert state where it WILL NOT respond to NTP requests on the LAN because it has not been told that the system time is “good”.

2: At some point after boot up my parent process invokes chronyc (again as non-root) to bless the system time as good and thus enable NTP requests to be answered.

If that’s possible without source code changes that’s fine with me.


Maybe you could just start chronyd but with the listening port (123) blocked in your firewall. When your system clock has been set by the external source and chronyc is reporting it as OK, then open the port to allow external requests.

That of course requires root to change the firewall in which case you might as
well use root to start up chrony.
You could also use sudo to start up chrony from whatever user you are using
once you are sure that your server is delivering.
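
The port-gating idea discussed in this thread, as an added example that is not part of the original messages or of chrony itself: keep UDP/123 closed until `chronyc tracking` reports a synchronised clock, then open it. Treating the "Leap status" field as the "OK" signal, using iptables with the INPUT chain, and the sample tracking text are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate inbound NTP (UDP/123) on chronyd's reported sync state.

# Constructed samples of `chronyc tracking` output, so the logic runs offline.
SAMPLE_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
Leap status     : Not synchronised'
SAMPLE_SYNCED='Reference ID    : 7F7F0101 ()
Stratum         : 10
Leap status     : Normal'

# leap_status: read tracking text on stdin, print the "Leap status" value.
leap_status() {
    sed -n 's/^Leap status[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# clock_ok: succeed only when chronyd reports a synchronised clock.
clock_ok() {
    case "$(leap_status)" in
        Normal|"Insert second"|"Delete second") return 0 ;;
        *) return 1 ;;  # "Not synchronised", empty or unparseable: fail closed
    esac
}

# gate_action: print the firewall decision for the given tracking text.
gate_action() {
    if printf '%s\n' "$1" | clock_ok; then
        echo open
    else
        echo keep-closed
    fi
}

# open_ntp_port: needs root. iptables and the INPUT chain are assumptions;
# -C checks for an existing rule so repeated runs do not add duplicates.
open_ntp_port() {
    iptables -C INPUT -p udp --dport 123 -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -p udp --dport 123 -j ACCEPT
}

# Live use (as root): poll until chronyd reports sync, then open the port.
if [ "${1:-}" = "--live" ]; then
    until [ "$(gate_action "$(chronyc tracking)")" = open ]; do sleep 5; done
    open_ntp_port
fi
```

Without `--live` the script only defines the functions, so the decision logic can be checked against the constructed samples without root or a running chronyd.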

