2017-12-14 09:58 UTC

ID: 0012208
Project: CentOS-7
Category: dhcp
View Status: public
Last Update: 2017-12-06 22:26
Reporter: jtingiris
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Linux atl-devcnc01 3.10.0-327.36
OS: CentOS Linux
OS Version: release 7.2.1511
Product Version: 7.2.1511
Target Version:
Fixed in Version:
Summary: 0012208: When option ntp-servers sends a DNS name with multiple A records, dhclient/ntp.sh incorrectly appends addresses to ntp.conf
Description: e.g.

dhcpd uses;

option ntp-servers pool.ntp.org;
option time-servers pool.ntp.org;

dhclient receives the option & ultimately ntp.sh adds them to /etc/ntp.conf as

server 108.61.73.244
208.75.88.4
63.211.239.58
96.126.122.39 # added by /sbin/dhclient-scrip

ntpd complains; syntax is invalid

Steps To Reproduce: send dhcp option ntp-servers and/or time-servers with a DNS name that has been configured with multiple A records to a CentOS 7 dhclient (via NetworkManager)
Tags: No tags attached.
abrt_hash:
URL:
Attached Files:

Notes

~0028854

N3WWN (reporter)

jtingiris,

I have attempted to replicate this issue, but have been unsuccessful.

I'm using CentOS 7.2.1511 on the client with the following packages:

NetworkManager-1.0.6-29.el7_2
ntp-4.2.6p5-25.el7.centos.1
dhclient-4.2.5-42.el7.centos

I'm also using CentOS 7.2.1511 on the server with dhcp-4.2.5-47.el7.centos.

The /etc/dhcp/dhcpd.conf configuration is:

subnet 192.168.125.0 netmask 255.255.255.0 {
  range 192.168.125.100 192.168.125.101;
  option ntp-servers pool.ntp.org;
  option time-servers pool.ntp.org;
}


This configuration results in the following 4 lines being appended to /etc/ntp.conf when the DHCP-configured interface is brought up:

server 148.167.132.200 # added by /sbin/dhclient-script
server 198.58.110.84 # added by /sbin/dhclient-script
server 204.2.134.163 # added by /sbin/dhclient-script
server 96.126.100.203 # added by /sbin/dhclient-script

Can you provide any additional information that could be used to replicate this bug?

One item that may be helpful is knowing what DNS server is resolving pool.ntp.org for the client. It is possible that the DNS server is sending back a response that is not able to be parsed as expected. If the DNS server is on your network, please provide the specifics to replicate the DNS (package, version, configuration, etc).

Thanks!

-Rich Alloway (RogueWave)

~0028855

jtingiris (reporter)

The clients and servers are using CentOS Linux release 7.2.1511 (Core)

An affected client is typically installed with:

ntp-4.2.6p5-22.el7.centos.2.x86_64
NetworkManager-1.0.6-31.el7_2.x86_64

Both the master dhcpd & primary named servers are running on the same machine, currently using:

dhcp-4.2.5-42.el7.centos.x86_64
bind-9.9.4-29.el7_2.4.x86_64

My /etc/dhcp/dhcpd.conf is big and uses includes. The most obvious difference I see is that I've put the ntp-servers & time-servers option in the global context. Here's a simplified version of the bits I think are apropos.

--example dhcpd.conf--
authoritative;

default-lease-time 43200;
max-lease-time 86400;
min-lease-time 43200;
#one-lease-per-client true;

option domain-name "private.domain.com";

option ntp-servers pool.ntp.org;
option time-servers pool.ntp.org;

option ip-forwarding false;
option mask-supplier false;

# RFC3442 routes: overrides routers option
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

# microsoft routes: overrides routers option
option ms-classless-static-routes code 249 = array of unsigned integer 8;

include "/etc/dhcp/key.rndc.conf";

omapi-key key.rndc;
omapi-port 7911;

zone 10.in-addr.arpa {
    primary 10.8.1.10;
    key key.rndc;
}

zone private.domain.com {
    primary 10.8.1.10;
    key key.rndc;
}

ddns-updates true;
ddns-update-style interim;
ddns-ttl 900;
update-conflict-detection false;
update-static-leases true;
update-optimization false;
use-host-decl-names true;

option space PXE;
option PXE.mtftp-ip code 1 = ip-address;
option PXE.mtftp-cport code 2 = unsigned integer 16;
option PXE.mtftp-sport code 3 = unsigned integer 16;
option PXE.mtftp-tmout code 4 = unsigned integer 8;
option PXE.mtftp-delay code 5 = unsigned integer 8;

option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;

option architecture-type code 93 = unsigned integer 16; # RFC4578

class "pxe_boot" {
    match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";

    next-server 10.8.1.11;

    if option architecture-type = 00:07 {
        filename "/pxe/uefi/shim.efi";
    } else {
        filename "/pxe/pxelinux/pxelinux.0";
    }
}

shared-network private_atl {

    subnet 10.8.1.0 netmask 255.255.255.0 {
        ddns-domainname "private.domain.com";
        option domain-name "private.domain.com";
        option domain-search "private.domain.com", "domain.com", "mux.domain.com", "nad.domain.com", "vpc.domain.com";
        #option routers 10.8.1.30;
        option domain-name-servers 10.8.1.11, 10.8.1.12;
        option subnet-mask 255.255.255.0;

        # default gateway (MASK, NETWORK, GATEWAY) (overrides option routers)
        option rfc3442-classless-static-routes 8, 10, 10,8,1,30, 22, 10, 111, 4, 10, 8, 1, 57, 22, 10, 111, 0, 10, 8, 1, 52;
        option ms-classless-static-routes 8, 10, 10,8,1,30, 22, 10, 111, 4, 10, 8, 1, 57, 22, 10, 111, 0, 10, 8, 1, 52;
        option rfc3442-classless-static-routes 22, 10, 111, 0, 10, 8, 1, 52;
        option ms-classless-static-routes 22, 10, 111, 4, 10, 8, 1, 57;

        # 5 : 1-5 : static : btl/static/network/appliance

        # 1 : 9 : static : btl/static/ccc

        # 3 : 6-8 : dynamic : btl/pool/bootp/pxe
        pool {
            #failover peer "failover_private_atl";
            range 10.8.1.6 10.8.1.8;
            next-server 10.8.1.11;
            allow members of "pxe_boot";
        }

        # 50 : 10-59 : dynamic : btl/fixed/ddns
        # use dhcpd.fixed configs

        # 50 : 60-109 : dynamic : btl/pool/ddns
        pool {
            #failover peer "failover_private_atl";
            range 10.8.1.60 10.8.1.109;
            allow unknown-clients;
            allow known-clients;
            deny members of "pxe_boot";
        }

        # 50 : 110-159 : dynamic : client/fixed/ddns
        # use dhcpd.fixed configs

        # 50 : 160-209 : dynamic : client/pool/ddns
        pool {
            #failover peer "failover_private_atl";
            range 10.8.1.160 10.8.1.209;
            allow unknown-clients;
            allow known-clients;
            deny members of "pxe_boot";
        }

        # 5 : 250-254 : static : btl/static/network/appliance
    }

# end shared-network private_atl
}
--example dhcpd.conf--



My named.conf is even bigger. Here are what I think are the relevant parts.

--cut named.conf--
ACLs

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };

    also-notify {10.8.1.11;};

    filter-aaaa-on-v4 yes;

    directory "/var/named/";
    dump-file "/var/log/ddns/cache_dump.db";
    statistics-file "/var/log/ddns/named_stats.txt";
    memstatistics-file "/var/log/ddns/named_mem_stats.txt";

    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    bindkeys-file "key/key.iscdlv.conf";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

view "private-view" {
    match-clients { private-acl; };
    allow-recursion { private-acl; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    zone "." IN {
        type hint;
        file "zone/root-servers.net/named.zone";
    };
}
--cut named.conf--

The DNS server that's resolving pool.ntp.org for the client has a public IP (no NAT) and a private IP. Again, dhcpd & named are on the same machine. No matter the named view, clients using the public and/or private get the same response with regard to how NetworkManager modifies their ntp.conf. May have something to do with the additional options.

Another thing worth considering is that I'm also sending many other dhcpd options (i.e. rfc3442, etc.)

Thanks for your time. If I get some then I'll set up a pair of configs that can reproduce it reliably. It's just easier/quicker to fix dhclient/ntp.sh to ensure it iterates properly.

~0030713

N3WWN (reporter)

Hi jtingiris!

Thanks for providing the additional info so quickly!

I'm very sorry for the delay in getting back to this... it fell off my radar and I only just saw your response.

I've spent the day trying to replicate your situation as closely as possible based on the information that you've posted, and I am still unable to replicate the problem.

The clients and servers are using CentOS Linux release 7.2.1511 (Core).

Client packages:

ntp-4.2.6p5-22.el7.centos.2.x86_64
NetworkManager-1.0.6-31.el7_2.x86_64

Both the master dhcpd & primary named servers are running on the same machine, with packages:

dhcp-4.2.5-42.el7.centos.x86_64
bind-9.9.4-29.el7_2.4.x86_64

I changed the subnet for the scope, but otherwise, I'm using your configs as posted.

After restarting the network (systemctl restart network) or bouncing the interfaces (ifdown enp0s8; ifup enp0s8), the ntp.conf file is updated, but still has one entry per line with the proper syntax:

[root@OLC-1204-ntp-client ~]# tail /etc/ntp.conf

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
server 107.161.30.25 # added by /sbin/dhclient-script
server 40.85.153.82 # added by /sbin/dhclient-script
server 45.79.187.10 # added by /sbin/dhclient-script
server 69.89.207.199 # added by /sbin/dhclient-script
[root@OLC-1204-ntp-client ~]#

What does your ntp.sh look like before and after you modify it?

Here is mine:

[root@OLC-1204-ntp-client ~]# ls -al /etc/dhcp/dhclient.d/ntp.sh
-rwxr-xr-x. 1 root root 2227 Nov 19 2015 /etc/dhcp/dhclient.d/ntp.sh
[root@OLC-1204-ntp-client ~]#

[root@OLC-1204-ntp-client ~]# cat /etc/dhcp/dhclient.d/ntp.sh | grep -v ^#

CONF=/etc/ntp.conf
SAVECONF=${SAVEDIR}/${CONF##*/}.predhclient.${interface}

ntp_replace_conf() {
        echo "$1" | diff -q ${CONF} - > /dev/null 2>&1
        if [ $? -eq 1 ]; then
            echo "$1" > ${CONF}
            restorecon ${CONF} >/dev/null 2>&1
            systemctl try-restart ntpd.service > /dev/null 2>&1 ||
                service ntpd condrestart > /dev/null 2>&1
        fi
}

ntp_config() {
    if [ ! "${PEERNTP}" = "no" ] && [ -n "${new_ntp_servers}" ] &&
        [ -e ${CONF} ] && [ -d ${SAVEDIR} ]; then
        local conf=$(grep -v '^server .* # added by /sbin/dhclient-script$' < ${CONF})
        local unique_servers=$(comm -23 \
            <(for s in ${new_ntp_servers}; do echo $s; done | sort -u) \
            <(echo "$conf" | awk '$1=="peer"||$1=="server"{print $2}' | sort -u))

        conf=$(echo "$conf"
            for s in ${unique_servers}; do
                echo "server ${s} ${NTPSERVERARGS} # added by /sbin/dhclient-script"
            done)

        [ -f ${SAVECONF} ] || touch ${SAVECONF}
        ntp_replace_conf "$conf"
    fi
}

ntp_restore() {
    if [ -e ${CONF} ] && [ -f ${SAVECONF} ]; then
        local conf=$(grep -v '^server .* # added by /sbin/dhclient-script$' < ${CONF})

        ntp_replace_conf "$conf"
        rm -f ${SAVECONF}
    fi
}
[root@OLC-1204-ntp-client ~]#

Thanks!

-Rich Alloway (Rogue Wave)
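The disagreement in this ticket is whether ntp.sh emits one "server" line per address when new_ntp_servers carries several addresses. The following script is an added example, not the CentOS ntp.sh and not code from either participant: it replays the strip/dedup/append logic of ntp_config() against a scratch ntp.conf (temp files replace bash process substitution so it runs in POSIX sh), then lints the result for the symptom described in the report, that is, tagged lines that do not begin with "server" and bare addresses on their own line. The baseline file, the five-address server list (with one duplicate and one address already present as a stale tagged entry) and the deliberately malformed file are constructed inputs.

```shell
#!/bin/sh
# Added example: replay of the ntp_config() append logic plus a lint for
# malformed dhclient-added lines. Not the distribution's ntp.sh.
# Assumptions: a writable temp dir; addresses below are constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/ntp.conf"
TAG='# added by /sbin/dhclient-script'

# Constructed baseline: one static server and one stale dhclient-added entry.
cat > "$CONF" <<'EOF'
driftfile /var/lib/ntp/drift
server 192.0.2.10 iburst
server 198.51.100.7 # added by /sbin/dhclient-script
disable monitor
EOF

# Mirror of ntp_config(): drop earlier dhclient lines, then append only the
# addresses not already configured as peer/server, one "server" line each.
# $1 = ntp.conf path, $2 = whitespace-separated list (the new_ntp_servers value)
append_ntp_servers() {
    append_conf=$(grep -v "^server .* $TAG\$" < "$1")
    printf '%s\n' $2 | sort -u > "$WORK/new"
    printf '%s\n' "$append_conf" \
        | awk '$1=="peer"||$1=="server"{print $2}' | sort -u > "$WORK/have"
    append_unique=$(comm -23 "$WORK/new" "$WORK/have")
    {
        printf '%s\n' "$append_conf"
        for s in $append_unique; do
            printf 'server %s %s\n' "$s" "$TAG"
        done
    } > "$1"
}

# Lint: a line carrying the dhclient tag must be a "server" directive, and no
# line may start with a bare address. Prints offenders; exit 1 if any found.
lint_ntp_conf() {
    awk -v tag="$TAG" '
        index($0, tag) && $1 != "server" { bad++; print "tagged line without server keyword, line " NR ": " $0 }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { bad++; print "bare address, line " NR ": " $0 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Number of server lines that dhclient-script would own on the next run.
count_dhclient_servers() {
    grep -c "^server .* $TAG\$" "$1"
}

# Constructed input: what a multi-A-record ntp-servers option might resolve to,
# including a duplicate and the address already present as a stale entry.
SAMPLE_SERVERS='203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.1 198.51.100.7'
append_ntp_servers "$CONF" "$SAMPLE_SERVERS"
echo "--- rewritten ntp.conf ---"
cat "$CONF"
lint_ntp_conf "$CONF" && echo "lint: ok"

# Constructed file in the shape the report quotes, to show the lint catches it.
BAD="$WORK/ntp.conf.bad"
cat > "$BAD" <<'EOF'
server 203.0.113.1
203.0.113.2
203.0.113.3 # added by /sbin/dhclient-script
EOF
echo "--- lint of malformed file ---"
lint_ntp_conf "$BAD" || echo "lint: malformed lines found"
```

Running it shows four well-formed "server ... # added by /sbin/dhclient-script" lines appended (the duplicate collapsed, the stale entry replaced rather than doubled), which matches what N3WWN observed; the lint of the second file reports the bare-address lines, which is the state jtingiris described. Running the lint against a real /etc/ntp.conf after an interface comes up is a quick way to tell the two outcomes apart on an affected host.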

Issue History

Date Modified | Username | Field | Change
2016-11-11 17:03 jtingiris New Issue
2017-03-14 20:21 N3WWN Note Added: 0028854
2017-03-14 23:49 jtingiris Note Added: 0028855
2017-12-06 22:26 N3WWN Note Added: 0030713