Security changes to chrony causing client to fail
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Undecided | Major Hayden |
Bug Description
It looks like bindaddress is being set by the security playbooks for chrony. When
this happens, chrony doesn't make an attempt to reach out to the ntp servers,
which eventually skews and causes cinder volumes to appear down. A tcpdump will
show communications via 232 to the chrony service over localhost and nothing ntp
related after on the default interface. I think it uses bindaddress for outgoing
connections as well, but documentation is lacking. I did find where you can disable
the server functionality altogether and set up the chronyc->chronyd communications
to be limited to localhost.
https:/
It looks like setting 'port 0' closes the server ports and opens a couple of random
unprivileged ports for the client side to communicate out to ntp servers externally.
#######
# Findings with bindaddress in place
#######
root@infra01:~# grep ^bind /etc/chrony/
bindaddress 127.0.0.1
bindaddress ::1
root@infra01:~# chronyc sources
210 Number of sources = 4
MS Name/IP address Stratum Poll Reach LastRx Last sample
=======
^? 104.156.99.226 2 10 0 73m -813us[ -813us] +/- 75ms
^? ntp.wdc1.
^? pool-173-
^? blue.1e400.net 0 10 0 10y +0ns[ +0ns] +/- 0ns
root@infra01:~# grep chrony /var/log/syslog | tail -n 1
Jan 12 19:51:40 infra01 chronyd[31788]: Could not send to 108.59.2.24:123 : Invalid argument
root@infra01:~# ss -ntpul | grep chron
tcp UNCONN 0 0 127.0.0.1:123 *:* users:(
tcp UNCONN 0 0 127.0.0.1:323 *:* users:(
tcp UNCONN 0 0 ::1:123 :::* users:(
tcp UNCONN 0 0 ::1:323 :::* users:(
#######
# Findings after changing bindaddress to bindcmdaddress and adding 'port 0'
#######
root@infra01:~# awk '/^(port|bind)/' /etc/chrony/
port 0
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
root@infra01:~# chronyc sources
210 Number of sources = 4
MS Name/IP address Stratum Poll Reach LastRx Last sample
=======
^+ host-74-
^* ntp1.wiktel.com 1 8 37 52 -1605us[-1404us] +/- 39ms
^+ zero.gotroot.ca 2 9 37 52 +2298us[+2298us] +/- 25ms
^- ntp1.torix.ca 2 8 37 53 +643us[ +844us] +/- 534ms
root@infra01:~# ss -ntpul | grep chron
tcp UNCONN 0 0 127.0.0.1:323 *:* users:(
tcp UNCONN 0 0 *:50996 *:* users:(
tcp UNCONN 0 0 :::35886 :::* users:(
tcp UNCONN 0 0 ::1:323 :::* users:(
I think the following template is setting the bindaddress entries causing the issue.
https:/
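The following is an added example, not code from the bug report or from the OpenStack-Ansible role. It audits a chrony.conf for the loopback-only `bindaddress` setting the report describes, rewrites it into the `port 0` plus `bindcmdaddress` form the reporter verified, and parses `chronyc sources` output to check whether any source has been reached (Reach column non-zero). The configuration and `chronyc sources` samples are constructed to mirror the report's findings; the server name `0.pool.ntp.org` in the sample config is a placeholder.

```python
"""Audit chrony.conf for a loopback-bound NTP socket and check source reachability.

Added example, not code from the bug report or the OpenStack-Ansible role.
All sample inputs below are constructed to mirror the report's findings.
"""
from typing import List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: what the report found in place (server name is a placeholder).
BROKEN_CONF = """\
server 0.pool.ntp.org iburst
bindaddress 127.0.0.1
bindaddress ::1
"""

# Constructed sample of `chronyc sources` with bindaddress in place: Reach is 0 everywhere.
SOURCES_BROKEN = """\
210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 104.156.99.226                2  10     0    73m   -813us[ -813us] +/-   75ms
^? blue.1e400.net                0  10     0    10y     +0ns[   +0ns] +/-    0ns
"""

# Constructed sample after the change: non-zero Reach and a selected source ('*').
SOURCES_FIXED = """\
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp1.wiktel.com               1   8    37    52  -1605us[-1404us] +/-   39ms
^+ zero.gotroot.ca               2   9    37    52  +2298us[+2298us] +/-   25ms
^- ntp1.torix.ca                 2   8    37    53   +643us[ +844us] +/-  534ms
"""


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Return (directive, argument) pairs; comments and blank lines are dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def audit(text: str) -> List[str]:
    """Flag bindaddress lines that pin chronyd's NTP socket to loopback.

    As the report observes, that leaves chronyd unable to send to upstream
    servers ("Could not send to ...:123 : Invalid argument" in syslog).
    """
    return [f"bindaddress {arg}: NTP socket bound to loopback only; "
            "outgoing queries to upstream servers will fail"
            for directive, arg in parse_conf(text)
            if directive == "bindaddress" and arg in LOOPBACK]


def harden(text: str) -> str:
    """Rewrite loopback bindaddress lines into the form the report verified:
    'port 0' (no NTP server socket) plus 'bindcmdaddress', so only the chronyc
    command socket (port 323) stays restricted to localhost."""
    have_port_zero = any(d == "port" and a == "0" for d, a in parse_conf(text))
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "bindaddress" and parts[1].strip() in LOOPBACK:
            if not have_port_zero:
                out.append("port 0")
                have_port_zero = True
            out.append(f"bindcmdaddress {parts[1].strip()}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def reachable_sources(output: str) -> Tuple[int, int]:
    """Return (total, reachable) from `chronyc sources` output.

    Reach is an octal register of the last eight polls; 0 means no reply at
    all, which is the symptom seen while bindaddress was in place."""
    total = reachable = 0
    for line in output.splitlines():
        fields = line.split()
        # Source rows start with a mode character: ^ server, = peer, # refclock.
        if len(fields) < 5 or fields[0][0] not in "^=#" or not fields[4].isdigit():
            continue
        total += 1
        if int(fields[4], 8) != 0:
            reachable += 1
    return total, reachable


if __name__ == "__main__":
    for finding in audit(BROKEN_CONF):
        print("FINDING:", finding)
    print("Hardened config:\n" + harden(BROKEN_CONF))
    print("Before fix: %d of %d sources reachable" % reachable_sources(SOURCES_BROKEN)[::-1])
    print("After fix:  %d of %d sources reachable" % reachable_sources(SOURCES_FIXED)[::-1])
```

Run it against a real file with `audit(open("/etc/chrony/chrony.conf").read())` and feed `reachable_sources` the output of `chronyc sources`; a host with zero reachable sources after a hardening run is the condition that, per the report, eventually drifts far enough for Cinder volumes to appear down.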
Changed in openstack-ansible:
assignee: Shannon Mitchell (shannon-mitchell) → Major Hayden (rackerhacker)
Thanks for the bug, Shannon! By default, the role configures chronyd to listen for NTP requests only on localhost, but you can disable that feature by setting an Ansible variable:
security_ntp_bind_local_interfaces_only: False
That will ensure that chronyd listens on all interfaces. Does that help?