PSARC 2015/278 NTP allow_step_at_boot
authorBrian Utterback <brian.utterback@oracle.com>
Mon, 15 Jun 2015 17:59:44 -0700
changeset 4486 8a12763ec19a
parent 4485 ccd96394d501
child 4490 5a5296580120
PSARC 2015/278 NTP allow_step_at_boot 18408859 NTP Management profile should have auths to edit /etc/inet/ntp.conf 20664660 NTP should have a restart_fmri tag on ntpd in the ntp.p5m file 20683411 ntpd and multiple default route constantly resets state and never sets sys.peer 20874200 NTP should use -preserve_argvalues=complete 21020160 html help files in ntp for RBAC profiles and authorizations must go 21020795 Add "RO" to res1 field of auth_attr.d files in ntp 21155469 NTP should update time at boot and shutdown
components/ntp/Makefile
components/ntp/Solaris/RtNTPMngmnt.html
components/ntp/Solaris/SmfNTPStates.html
components/ntp/Solaris/SmfValueNTP.html
components/ntp/Solaris/auth_attr
components/ntp/Solaris/ntp.sh
components/ntp/Solaris/ntp.xml
components/ntp/Solaris/prof_attr
components/ntp/manpages/ntpd.1m
components/ntp/ntp.p5m
components/ntp/patches/40-norefresh.patch
--- a/components/ntp/Makefile	Mon Jun 15 23:00:30 2015 -0700
+++ b/components/ntp/Makefile	Mon Jun 15 17:59:44 2015 -0700
@@ -51,6 +51,8 @@
 include $(WS_MAKE_RULES)/ips.mk
 
 CFLAGS +=	$(studio_C99_ENABLE) -D_XOPEN_SOURCE=600 -D__EXTENSIONS__
+CFLAGS.i386 =	-preserve_argvalues=complete
+CFLAGS +=	$(CFLAGS.$(MACH))
 
 CONFIGURE_ENV +=	CFLAGS="$(CFLAGS)"
 CONFIGURE_OPTIONS +=	--bindir=/usr/sbin
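Review bot: The new `CFLAGS.i386 = -preserve_argvalues=complete` line is applied to every i386 build with no comment and no compiler condition. As far as I know this is a Studio cc option, so a build of this component with another compiler would presumably reject it. A one-line comment would record the intent and the constraint, e.g. `# Studio cc, x86 only: keep register-passed arguments on the stack so core files show them (20874200)`. Using `=` rather than `+=` also replaces any `CFLAGS.i386` that the shared makefiles included above may already define; confirm none does.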
--- a/components/ntp/Solaris/RtNTPMngmnt.html	Mon Jun 15 23:00:30 2015 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-<HTML>
-<!--
-    CDDL HEADER START
-
-    The contents of this file are subject to the terms of the
-    Common Development and Distribution License (the "License").
-    You may not use this file except in compliance with the License.
-
-    You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-    or http://www.opensolaris.org/os/licensing.
-    See the License for the specific language governing permissions
-    and limitations under the License.
-
-    When distributing Covered Code, include this CDDL HEADER in each
-    file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-    If applicable, add the following below this CDDL HEADER, with the
-    fields enclosed by brackets "[]" replaced with your own identifying
-    information: Portions Copyright [yyyy] [name of copyright owner]
-
-    CDDL HEADER END
-
-    Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
--->
-<HEAD>
-	<TITLE> </TITLE>
-	 
-	
-</HEAD>
-<BODY>
-When NTP Management is in the Rights Included column, it grants the right to manage the NTP SMF service.
-<p>
-If NTP Management is grayed, then you are not entitled to Add or Remove this right.
-<p>
-</BODY>
-</HTML>
--- a/components/ntp/Solaris/SmfNTPStates.html	Mon Jun 15 23:00:30 2015 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,36 +0,0 @@
-<HTML>
-<!--
-    CDDL HEADER START
-
-    The contents of this file are subject to the terms of the
-    Common Development and Distribution License (the "License").
-    You may not use this file except in compliance with the License.
-
-    You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-    or http://www.opensolaris.org/os/licensing.
-    See the License for the specific language governing permissions
-    and limitations under the License.
-
-    When distributing Covered Code, include this CDDL HEADER in each
-    file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-    If applicable, add the following below this CDDL HEADER, with the
-    fields enclosed by brackets "[]" replaced with your own identifying
-    information: Portions Copyright [yyyy] [name of copyright owner]
-
-    CDDL HEADER END
-
-    Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
--->
-<!--
-   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
--->
-<BODY>
-When Manage NTP Service States is in the Authorizations Include
-column, it grants the authorization to enable, disable, or restart the
-ndmpd daemon.
-<p>
-If Manage NTP Service States is grayed, then you are not entitled to
-Add or Remove this authorization.
-<BR>&nbsp;
-</BODY>
-</HTML>
--- a/components/ntp/Solaris/SmfValueNTP.html	Mon Jun 15 23:00:30 2015 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-<HTML>
-<!--
-    CDDL HEADER START
-
-    The contents of this file are subject to the terms of the
-    Common Development and Distribution License (the "License").
-    You may not use this file except in compliance with the License.
-
-    You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-    or http://www.opensolaris.org/os/licensing.
-    See the License for the specific language governing permissions
-    and limitations under the License.
-
-    When distributing Covered Code, include this CDDL HEADER in each
-    file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-    If applicable, add the following below this CDDL HEADER, with the
-    fields enclosed by brackets "[]" replaced with your own identifying
-    information: Portions Copyright [yyyy] [name of copyright owner]
-
-    CDDL HEADER END
-
-    Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
--->
-<!--
-   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
--->
-<BODY>
-When <em>Value NTP Properties</em> is in the Authorizations Included
-column, it grants the authorization to change NTP service property values.
-<P> 
-If <em>Value NTP Properties</em> is grayed, then you are not entitled to
-Add or Remove this authorization.
-<BR>&nbsp;
-</BODY>
-</HTML>
--- a/components/ntp/Solaris/auth_attr	Mon Jun 15 23:00:30 2015 -0700
+++ b/components/ntp/Solaris/auth_attr	Mon Jun 15 17:59:44 2015 -0700
@@ -1,2 +1,2 @@
-solaris.smf.manage.ntp:::Manage NTP service states::help=SmfNTPStates.html
-solaris.smf.value.ntp:::Change NTP value properties::help=SmfValueNTP.html
+solaris.smf.manage.ntp:RO::Manage NTP service states::
+solaris.smf.value.ntp:RO::Change NTP value properties::
--- a/components/ntp/Solaris/ntp.sh	Mon Jun 15 23:00:30 2015 -0700
+++ b/components/ntp/Solaris/ntp.sh	Mon Jun 15 17:59:44 2015 -0700
@@ -21,7 +21,7 @@
 #
 
 #
-# Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 # Standard prolog
@@ -52,7 +52,7 @@
 shift $#
 set -- -p /var/run/ntp.pid
 # We allow a step larger than the panic value of 17 minutes only 
-# once when ntpd starts up. If always_all_large_step is true, 
+# once when ntpd starts up. If always_allow_large_step is true, 
 # then we allow this each time ntpd starts. Otherwise, we allow
 # it only the very first time ntpd starts after a boot. We 
 # check that by making ntpd write its pid to a file in /var/run.
@@ -86,18 +86,31 @@
 
 # We used to support the slewalways keyword, but that was a Sun thing
 # and not in V4. Look for "slewalways yes" and set the new slew option.
-val=`svcprop -c -p config/slew_always $SMF_FMRI`
-if [ ! "$val" = "true" ]; then
-	val=`/usr/bin/nawk '/^[ \t]*#/{next}
+slew_always=`svcprop -c -p config/slew_always $SMF_FMRI`
+if [ ! "$slew_always" = "true" ]; then
+	slew_always=`/usr/bin/nawk '/^[ \t]*#/{next}
 	    /^[ \t]*slewalways[ \t]+yes/ {
         	printf("true", $2)
         	next } ' /etc/inet/ntp.conf`
 fi
-[ "$val" = "true" ] && set -- "[email protected]" --slew
+[ "$slew_always" = "true" ] && set -- "[email protected]" --slew
 
 # Set up debugging.
 deb=`svcprop -c -p config/debuglevel $SMF_FMRI`
 
+# If slew_always is set to true, then the large offset after a reboot
+# might take a very long time to correct the clock. Optionally allow
+# a step once after a reboot if slew_always is set when allow_step_at_boot
+# is also set. Unfortunately ntpd in ntpdate mode is a little too 
+# chatty, so direct the log to /dev/null. And since the offset might be
+# more than 17 minutes, allow larger steps with the "-g".
+#
+val=`svcprop -c -p config/allow_step_at_boot $SMF_FMRI`
+if [ "$val" = "true" ] && [ "$slew_always" = "true" ] && \
+    [ ! -f /var/run/ntp.pid ]; then
+	/usr/lib/inet/ntpd -q -l /dev/null -g
+fi
+
 # Start the daemon. If debugging is requested, put it in the background, 
 # since it won't do it on it's own.
 if [ "$deb" -gt 0 ]; then
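Review bot: The added one-shot call `/usr/lib/inet/ntpd -q -l /dev/null -g` discards both its log and its exit status, so a large boot-time step, or a failure to get one, leaves no record for whoever later has to explain a clock jump. Because `-g` lifts the panic limit, the size of that step is bounded only by what the configured servers report, which makes the discarded log the only evidence if a source was wrong or spoofed. At minimum record the outcome, e.g. `/usr/lib/inet/ntpd -q -l /dev/null -g || echo "ntp: boot-time step did not complete" >&2`. The call also has no visible timeout, so with unreachable servers the start method presumably blocks until ntpd gives up or the SMF method timeout fires. The rest of the method script, including the `if` opened on the last line, lies outside this hunk.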
--- a/components/ntp/Solaris/ntp.xml	Mon Jun 15 23:00:30 2015 -0700
+++ b/components/ntp/Solaris/ntp.xml	Mon Jun 15 17:59:44 2015 -0700
@@ -20,7 +20,7 @@
 
  CDDL HEADER END
 
- Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
 
  NOTE:  This service manifest is not editable; its contents will
  be overwritten by package or patch operations, including
@@ -35,7 +35,7 @@
 	type='service'
 	version='1'>
 	<single_instance />
-	<dependency 
+	<dependency
 		name='network'
 		grouping='require_any'
 		restart_on='error'
@@ -112,53 +112,58 @@
 	<instance name="default" enabled="false">
 		<property_group name='config' type='application' >
 			<!-- default property settings for ntpd(1M). -->
-		
+
 			<propval
 			    name='wait_for_sync'
 			    type='boolean'
 			    value='false' />
-		
+
 			<propval
 			    name='no_auth_required'
 			    type='boolean'
 			    value='false' />
-		
+
 			<propval
 			    name='verbose_logging'
 			    type='boolean'
 			    value='false' />
-	
+
 			<propval
 			    name='slew_always'
 			    type='boolean'
 			    value='false' />
-	
+
+			<propval
+			    name='allow_step_at_boot'
+			    type='boolean'
+			    value='true' />
+
 			<propval
 			    name='always_allow_large_step'
 			    type='boolean'
 			    value='true' />
-	
+
 			<propval
 			    name='logfile'
 			    type='astring'
 			    value='/var/ntp/ntp.log' />
-		
+
 			<propval
 			    name='debuglevel'
 			    type='integer'
 			    value='0' />
-	
+
 			<propval
 			    name='mdnsregister'
 			    type='boolean'
 			    value='false' />
-	
+
 			<!-- to change properties -->
 			<propval
 			    name='value_authorization'
 			    type='astring'
 			    value='solaris.smf.value.ntp' />
-		
+
 		</property_group>
 	</instance>
 	<stability value='Unstable' />
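Review bot: The new `allow_step_at_boot` propval defaults to `true` with no comment, so a site that set `slew_always` specifically to keep the clock from stepping gets a one-time step at the next boot after upgrade without having changed anything. In ntp.sh the property is only consulted when `slew_always` is true and /var/run/ntp.pid is absent; say so beside the propval, e.g. `<!-- only used when slew_always is true: permits one step on the first start after boot -->`. Hosts that correlate logs or order transactions by wall-clock time may want this called out in the upgrade notes as well.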
--- a/components/ntp/Solaris/prof_attr	Mon Jun 15 23:00:30 2015 -0700
+++ b/components/ntp/Solaris/prof_attr	Mon Jun 15 17:59:44 2015 -0700
@@ -1,1 +1,1 @@
-NTP Management:RO::Manage the NTP service:auths=solaris.smf.manage.ntp,solaris.smf.value.ntp
+NTP Management:RO::Manage the NTP service:auths=solaris.smf.manage.ntp,solaris.smf.value.ntp,solaris.admin.edit/etc/inet/ntp.conf
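Review bot: Adding `solaris.admin.edit/etc/inet/ntp.conf` widens the NTP Management profile from service state and property control to control over the host's time sources and access restrictions. The description field still reads only "Manage the NTP service". ntp.conf also names files that ntpd reads and writes under its own privileges, so anyone already holding this profile gains more than the old description implied. Consider updating the description, e.g. `Manage the NTP service and edit its configuration`, and noting the change for sites that have delegated the profile so they can re-check who holds it.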
--- a/components/ntp/manpages/ntpd.1m	Mon Jun 15 23:00:30 2015 -0700
+++ b/components/ntp/manpages/ntpd.1m	Mon Jun 15 17:59:44 2015 -0700
@@ -18,7 +18,7 @@
 .\"
 .\" CDDL HEADER END
 .\"
-.\" Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
+.\" Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
 .\"
 .TH "ntpd" "1M" "" "" "System Administration Commands"
 .SH NAME
@@ -283,6 +283,13 @@
 does not prevent all stepping, but increases the threshold above which stepping is used. It also disables the use
 of the kernel \fBNTP\fP facility, which is incompatible with long slew times. The default is false.
 .TP
+.BR config/allow_step_at_boot
+A boolean which when true, allows ntpd to step the clock once at boot, even if slew_always is true. Normally
+when slew_always is true ntpd will not step the clock except for very large offsets. Since the intial offset
+when the system is booted could be large and no applications will be running yet, this option allows one step
+as soon as the offset is determined. If slew_always is false or if the \fBNTP\fP service is being restarted, then
+this option has no effect. The default is true.
+.TP
 .BR config/wait_for_sync
 A boolean which when true, causes the \fBNTP\fP service to delay coming completely on-line until after the first 
 time the system clock is synchronized. This can potetially delay the system start up by a significant amount. The
--- a/components/ntp/ntp.p5m	Mon Jun 15 23:00:30 2015 -0700
+++ b/components/ntp/ntp.p5m	Mon Jun 15 17:59:44 2015 -0700
@@ -42,12 +42,8 @@
 file Solaris/prof_attr path=etc/security/prof_attr.d/ntp
 file Solaris/ntp.xml path=lib/svc/manifest/network/ntp.xml
 file Solaris/ntp.sh path=lib/svc/method/ntp
-file Solaris/RtNTPMngmnt.html path=usr/lib/help/auths/locale/C/RtNTPMngmnt.html
-file Solaris/SmfNTPStates.html \
-    path=usr/lib/help/auths/locale/C/SmfNTPStates.html
-file Solaris/SmfValueNTP.html path=usr/lib/help/auths/locale/C/SmfValueNTP.html
 file path=usr/lib/inet/ntp-wait
-file path=usr/lib/inet/ntpd
+file path=usr/lib/inet/ntpd restart_fmri=svc:/network/ntp:default
 file path=usr/sbin/ntp-keygen
 file path=usr/sbin/ntpdate
 file path=usr/sbin/ntpdc
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ntp/patches/40-norefresh.patch	Mon Jun 15 17:59:44 2015 -0700
@@ -0,0 +1,22 @@
+Don't change interfaces unless there is something wrong with the old one.
+This is NTP bug [2043] and this patch should be removed after upgrading to
+a version of NTP with a fix for that bug.
+
+--- ntpd/ntp_peer.c
++++ ntpd/ntp_peer.c
[email protected]@ -718,9 +718,13 @@
+ 	/*
+ 	 * this is called when the interface list has changed
+ 	 * give all peers a chance to find a better interface
++	 * but only if either they don't have an address already
++	 * or if the one they have hasn't worked for a while.
+ 	 */
+-	for (p = peer_list; p != NULL; p = p->p_link)
+-		peer_refresh_interface(p);
++	for (p = peer_list; p != NULL; p = p->p_link) {
++		if (!(p->dstadr && (p->reach & 0x3)))
++			peer_refresh_interface(p);
++	}
+ }
+ 
+
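Review bot: The mask in `if (!(p->dstadr && (p->reach & 0x3)))` is unexplained. Presumably `reach` is the peer's reachability shift register and `0x3` means "answered one of the last two polls", which is what the new comment calls "hasn't worked for a while". State that next to the test, e.g. `/* low two reach bits: a reply in either of the last two polls */`. It is also worth confirming that removing an interface always clears `p->dstadr` elsewhere, since a peer that still looks reachable now keeps whatever address it had. The enclosing function starts outside the hunk.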