Hi Roger, I have a similar mental state :)
Yes, I run ports ntpd within a chroot environment.
ntpd can run within a jail, but it lacks the privilege to perform a syscall
to modify time. That is correct behaviour for a restricted environment,
as it protects the other jailed environs. Previously there was also an
mlock call which prevented it running, but that was changed a while ago;
that's an aside unless you're running on old "stuff". ;)
As this is not a security issue, I've removed those interested in that
area from the CC.
There are a few tricks with chroot, but first a disclaimer: I use jails
for everything except ntpd, so there may be a better way.
Trick 1. This is how I want ntpd to run:

    /usr/local/sbin/ntpd -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid

but you can't pass arguments into chroot. So I created a "/start" that
I place my chroot commands into.
Trick 2. Use ldd to see what libs you need to copy into your chroot.
Also remember that you must have ld-elf and /dev/null. So, using ROOTD
as your chroot destination:

    mkdir -p "$ROOTD/libexec" && cp /libexec/ld-elf.so.1 "$ROOTD/libexec"

and set up dev:

    mkdir -p "$ROOTD/dev"
    touch "$ROOTD/dev/null"
    chmod 666 "$ROOTD/dev/null"   # Yes, this is sufficient!
The rest of the files are from the ntpd tarfile. Enjoy ;)
PS: ntpq won't report due to "servname not supported for ai_socktype"...
no solution yet.
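As an added example (not part of the message above, and not ntpd's or FreeBSD's own tooling), here is a POSIX shell script that carries out both tricks in one go: it parses ldd(1) output to find the shared objects a binary loads, copies the daemon, /bin/sh and those objects into the chroot at their original paths, copies the FreeBSD loader from /libexec when present (ldd does not list it), creates /dev/null the same way the message does (a plain mode-666 file), and writes the /start wrapper carrying the ntpd argument line quoted above. The function names, the ROOTD layout and the "build" subcommand are my own assumptions; the daemon path and its arguments are taken from the message.

```shell
#!/bin/sh
# Added example, not from the original message. Builds a minimal chroot
# tree for one daemon. Usage (as root, paths are assumptions):
#   sh build-chroot.sh build /var/chroot/ntpd /usr/local/sbin/ntpd
set -eu

# Print the shared objects a binary needs, one absolute path per line,
# parsed from ldd(1) output read on stdin. Handles the FreeBSD form
# ("libc.so.7 => /lib/libc.so.7 (0x...)") as well as the Linux form,
# where the dynamic loader appears as a bare path without "=>". The
# "binary:" header line and "=> not found" entries are skipped.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// && NF >= 2    { print $1 }'
}

# Copy one absolute path into ROOTD at the same relative location,
# creating parent directories as needed (/lib/libc.so.7 -> $ROOTD/lib/libc.so.7).
install_into_root() {
    rootd=$1; src=$2
    mkdir -p "$rootd$(dirname "$src")"
    cp -p "$src" "$rootd$src"
}

# Trick 2, dev part: the message creates /dev/null as a plain file with
# mode 666 rather than mounting devfs; reproduced here as described.
make_dev_null() {
    rootd=$1
    mkdir -p "$rootd/dev"
    touch "$rootd/dev/null"
    chmod 666 "$rootd/dev/null"
}

# Trick 1: a /start wrapper inside the chroot carries the daemon's
# arguments, so the outer "chroot $ROOTD /start" needs none. The
# argument line is the one from the message; /etc and /var/run are
# resolved relative to the new root once chrooted.
write_start_script() {
    rootd=$1; binary=$2
    cat > "$rootd/start" <<EOF
#!/bin/sh
exec $binary -c /etc/ntp.conf -x -G -g -p /var/run/ntpd.pid
EOF
    chmod 755 "$rootd/start"
}

# Assemble the tree: the daemon and /bin/sh (needed to run /start) with
# everything ldd reports for them, the loader, dev, etc and var/run.
build_chroot() {
    rootd=$1; binary=$2
    for bin in "$binary" /bin/sh; do
        install_into_root "$rootd" "$bin"
        ldd "$bin" | libs_from_ldd | while read -r lib; do
            install_into_root "$rootd" "$lib"
        done
    done
    # FreeBSD's run-time loader lives in /libexec and is not listed by ldd.
    if [ -e /libexec/ld-elf.so.1 ]; then
        install_into_root "$rootd" /libexec/ld-elf.so.1
    fi
    make_dev_null "$rootd"
    mkdir -p "$rootd/etc" "$rootd/var/run"
    cp -p /etc/ntp.conf "$rootd/etc/ntp.conf"
    write_start_script "$rootd" "$binary"
    echo "chroot tree ready under $rootd; start with: chroot $rootd /start"
}

# Only build when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "build" ] && [ "$#" -eq 3 ]; then
    build_chroot "$2" "$3"
fi
```

Re-run ldd against the copied binaries inside the chroot (chroot "$ROOTD" /bin/sh -c 'ldd /usr/local/sbin/ntpd') after building; any "not found" there is a library the parser missed or a loader path that differs on your system.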