Chrony: erinevus redaktsioonide vahel

 
(ei näidata sama kasutaja 2 vahepealset redaktsiooni)
27. rida: 27. rida:
 
</pre>
 
</pre>
   
  +
seccomp leiab oma syscallid üles bfp-classic filtrite abil (neid ei esita 'bpftool prog show')
kus
 
   
 
<pre>
 
<pre>
55. rida: 55. rida:
 
</pre>
 
</pre>
   
või getpcaps abil
+
või getpcaps abil (ep - effective, permitted)
   
 
<pre>
 
<pre>
 
root@pve-svc-02:~# getpcaps 1436092
 
root@pve-svc-02:~# getpcaps 1436092
 
1436092: cap_net_bind_service,cap_sys_time=ep
 
1436092: cap_net_bind_service,cap_sys_time=ep
  +
</pre>
  +
  +
või /proc/PID/status abil
  +
  +
<pre>
  +
root@pve-svc-02:~# cat /proc/1436092/status | grep ^Cap
  +
CapInh: 0000000000000000
  +
CapPrm: 0000000002000400
  +
CapEff: 0000000002000400
  +
CapBnd: 000001c08380fddf
  +
CapAmb: 0000000000000000
  +
  +
root@pve-svc-02:~# capsh --decode=0000000002000400
  +
0x0000000002000400=cap_net_bind_service,cap_sys_time
  +
</pre>
  +
 
kus
  +
  +
* CapInh: Inheritable (can be passed to children).
  +
* CapPrm: Permitted (the maximum "credit limit" of authority).
  +
* CapEff: Effective (the authority currently being used).
  +
* CapBnd: Bounding (the hard ceiling that cannot be exceeded).
  +
* CapAmb: Ambient (applies to unprivileged non-setuid binaries).
  +
  +
ning
  +
  +
<pre>
  +
 
</pre>
 
</pre>
   

Viimane redaktsioon: 4. mai 2026, kell 02:23

Sissejuhatus

TODO

Tööpõhimõte

TODO

Misc - chrony protsess

chronyd protsessi info

root@pve-svc-02:~# pgrep chronyd
1436092
1436093
root@pve-svc-02:~# lsns -p 1436093
        NS TYPE   NPROCS     PID USER    COMMAND
4026531833 net       481       1 root    /sbin/init
4026531834 time      481       1 root    /sbin/init
4026531835 cgroup    481       1 root    /sbin/init
4026531836 pid       481       1 root    /sbin/init
4026531837 user      481       1 root    /sbin/init
4026531839 ipc       481       1 root    /sbin/init
4026533035 mnt         2 1436092 _chrony ├─/usr/sbin/chronyd -F 1
4026533036 uts         2 1436092 _chrony └─/usr/sbin/chronyd -F 1

seccomp leiab oma syscallid üles bpf-classic (cBPF) filtrite abil (neid ei esita 'bpftool prog show')

root@pve-svc-02:~# cat /proc/1436092/status | grep -i seccomp
Seccomp:	2
Seccomp_filters:	23

root@pve-svc-02:~# nsenter -m -t 1436092 findmnt | grep inacc | sed -r 's/tmpfs\s+.*//'
│ └─/dev/kmsg                                                    tmpfs[/systemd/inaccessible/chr]
│ ├─/run/credentials                                             tmpfs[/systemd/inaccessible/dir]
│ ├─/run/user                                                    tmpfs[/systemd/inaccessible/dir]
├─/root                                                          tmpfs[/systemd/inaccessible/dir]
├─/home                                                          tmpfs[/systemd/inaccessible/dir]
├─/usr/lib/modules                                               tmpfs[/systemd/inaccessible/dir]

ning capabilities

root@pve-svc-02:~# pscap -p 1436092
ppid  pid   uid         command             capabilities
1     1436092 _chrony     chronyd             net_bind_service, sys_time +

root@pve-svc-02:~# pscap -p 1436093
ppid  pid   uid         command             capabilities
1436092 1436093 _chrony     chronyd             net_bind_service, sys_time +

või getpcaps abil (ep - effective, permitted)

root@pve-svc-02:~# getpcaps 1436092
1436092: cap_net_bind_service,cap_sys_time=ep

või /proc/PID/status abil

root@pve-svc-02:~# cat /proc/1436092/status | grep ^Cap
CapInh:	0000000000000000
CapPrm:	0000000002000400
CapEff:	0000000002000400
CapBnd:	000001c08380fddf
CapAmb:	0000000000000000

root@pve-svc-02:~# capsh --decode=0000000002000400
0x0000000002000400=cap_net_bind_service,cap_sys_time

kus

  • CapInh: Inheritable (can be passed on to child programs the process executes).
  • CapPrm: Permitted (the maximum "credit limit" of authority).
  • CapEff: Effective (the authority currently being used).
  • CapBnd: Bounding (the hard ceiling that cannot be exceeded).
  • CapAmb: Ambient (kept when executing unprivileged, non-setuid binaries).

ning


ning systemd vastavad seadistused

root@pve-svc-02:~# systemctl show chrony | egrep "^Prot|^Priv|^Capab" | egrep "restore$|yes$"
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_setgid cap_setuid cap_setpcap cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_nice cap_sys_resource cap_sys_time cap_setfcap cap_perfmon cap_bpf cap_checkpoint_restore
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectControlGroupsEx=yes
ProtectHome=yes
ProtectHostname=yes

Misc - chrony teenus

Seadistus

root@pve-svc-02:~# egrep "pool|server" /etc/chrony/chrony.conf
# pool 2.debian.pool.ntp.org iburst

root@pve-svc-02:~# cat /etc/chrony/sources.d/local-ntp-server.sources
server 10.192.0.53 iburst

sources info

root@pve-svc-02:~# chronyc sources -v -n

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.192.0.53                   4   9   377   413   -135us[ -216us] +/- 3171us

tracking info

root@pve-svc-02:~# chronyc tracking
Reference ID    : 0AC00035 (10.192.0.53)
Stratum         : 5
Ref time (UTC)  : Sun May 03 17:25:18 2026
System time     : 0.000016197 seconds slow of NTP time
Last offset     : -0.000080330 seconds
RMS offset      : 0.000049475 seconds
Frequency       : 0.712 ppm fast
Residual freq   : -0.006 ppm
Skew            : 0.085 ppm
Root delay      : 0.006004042 seconds
Root dispersion : 0.000445185 seconds
Update interval : 517.6 seconds
Leap status     : Normal

Kasulikud lisamaterjalid

  • TODO