upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-03-18 00:25:50 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/contrib/ntp/scripts/update-leap/update-leap.html
Cy Schubert 767173cec2 MFV r362565: 
Update 4.2.8p14 --> 4.2.8p15

Summary: Systems that use a CMAC algorithm in ntp.keys will not release
a bit of memory on each packet that uses a CMAC keyid, eventually causing
ntpd to run out of memory and fail. The CMAC cleanup from
https://bugs.ntp.org/3447, part of ntp-4.2.8p11, introduced a bug whereby
the CMAC data structure was no longer completely removed.

MFC after:	3 days
Security:	NTP Bug 3661
2020-06-24 01:51:05 +00:00

396 lines
17 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.5, http://www.gnu.org/software/texinfo/ -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>update-leap User&rsquo;s Manual</title>
<meta name="description" content="update-leap User&rsquo;s Manual">
<meta name="keywords" content="update-leap User&rsquo;s Manual">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<link href="#Top" rel="start" title="Top">
<link href="dir.html#Top" rel="up" title="(dir)">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>
</head>
<body lang="en">
<h1 class="settitle" align="center">update-leap User&rsquo;s Manual</h1>
<a name="Top"></a>
<div class="header">
<p>
Previous: <a href="dir.html#Top" accesskey="p" rel="prev">(dir)</a>, Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; </p>
</div>
<h1 class="node-heading">Top</h1>
<p>This document describes the use of the NTP Project&rsquo;s <code>update-leap</code> program.
</p>
<p>This document applies to version 4.2.8p15 of <code>update-leap</code>.
</p>
<a name="SEC_Overview"></a>
<h2 class="shortcontents-heading">Short Table of Contents</h2>
<div class="shortcontents">
<li><a name="stoc-Invoking-update_002dleap" href="#toc-Invoking-update_002dleap">1 Invoking update-leap</a></li>
</div>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; update-leap Description:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Description
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-Invocation" accesskey="2">update-leap Invocation</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Invoking update-leap
</td></tr>
</table>
<hr>
<a name="update_002dleap-Invocation"></a>
<div class="header">
<p>
Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; </p>
</div>
<a name="Invoking-update_002dleap"></a>
<h3 class="section">1 Invoking update-leap</h3>
<a name="index-update_002dleap"></a>
<a name="index-leap_002dseconds-file-manager_002fupdater"></a>
<p><code>update-leap</code>
will validate the file currently on the local system
and if necessary, updates leap-second definition file.
</p>
<p>Ordinarily, the file is found using the &quot;leapfile&quot; directive in
<code>ntp.conf(5)</code>.
However, an alternate location can be specified on the command line.
</p>
<p>If the file does not exist, is not valid, has expired, or is expiring soon,
a new copy will be downloaded. If the new copy validates, it is installed and
NTP is (optionally) restarted.
</p>
<p>If the current file is acceptable, no download or restart occurs.
</p>
<p>-c can also be used to invoke another script to perform administrative
functions, e.g. to copy the file to other local systems.
.PP
This can be run as a cron job. As the file is rarely updated, and leap
seconds are announced at least one month in advance (usually longer), it
need not be run more frequently than about once every three weeks.
.PP
For cron-friendly behavior, define CRONJOB=1 in the crontab.
.PP
This script depends on$REQUIREDCMDS
</p>
<p>This section was generated by <strong>AutoGen</strong>,
using the <code>agtexi-cmd</code> template and the option descriptions for the <code>update-leap</code> program.
</p>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-usage" accesskey="1">update-leap usage</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">update-leap help/usage (<samp>--help</samp>)
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-source_002durl" accesskey="2">update-leap source-url</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">source-url option (-s)
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-ipv4" accesskey="3">update-leap ipv4</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">ipv4 option (-4)
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-destination" accesskey="4">update-leap destination</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">destination option (-d)
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-expiration" accesskey="5">update-leap expiration</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">expiration option (-e)
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-ntp_002dconf_002dfile" accesskey="6">update-leap ntp-conf-file</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">ntp-conf-file option (-f)
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-force_002dupdate" accesskey="7">update-leap force-update</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">force-update option (-F)
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-exit-status" accesskey="8">update-leap exit status</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">exit status
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-Usage" accesskey="9">update-leap Usage</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Usage
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#update_002dleap-Authors">update-leap Authors</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Authors
</td></tr>
</table>
<hr>
<a name="update_002dleap-usage"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-source_002durl" accesskey="n" rel="next">update-leap source-url</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="update_002dleap-help_002fusage-_0028_002d_002dhelp_0029"></a>
<h4 class="subsection">1.1 update-leap help/usage (<samp>--help</samp>)</h4>
<a name="index-update_002dleap-help"></a>
<p>This is the automatically generated usage text for update-leap.
</p>
<p>The text printed is the same whether selected with the <code>help</code> option
(<samp>--help</samp>) or the <code>more-help</code> option (<samp>--more-help</samp>). <code>more-help</code> will print
the usage text by passing it through a pager program.
<code>more-help</code> is disabled on platforms without a working
<code>fork(2)</code> function. The <code>PAGER</code> environment variable is
used to select the program, defaulting to <samp>more</samp>. Both will exit
with a status code of 0.
</p>
<div class="example">
<pre class="example">
Usage: update-leap [options]
Verifies and if necessary, updates leap-second definition file
All arguments are optional: Default (or current value) shown:
-C Absolute path to CA Cert (see SSL/TLS Considerations)
-D Path to a CAdir (see SSL/TLS Considerations)
-e Specify how long (in days) before expiration the file is to be
refreshed. Note that larger values imply more frequent refreshes.
60
-F Force update even if current file is OK and not close to expiring.
-f Absolute path ntp.conf file (default /etc/ntp.conf)
/etc/ntp.conf
-h show help
-i Specify number of minutes between retries
10
-L Absolute path to leapfile on the local system
(overrides value in ntp.conf)
-l Specify the syslog(3) facility for logging
LOG_USER
-q Only report errors (cannot be used with -v)
-r Specify number of attempts to retrieve file
6
-s Send output to syslog(3) - implied if STDOUT has no tty or redirected
-t Send output to terminal - implied if STDOUT attached to terminal
-u Specify the URL of the master copy to download
https://www.ietf.org/timezones/data/leap-seconds.list
-v Verbose - show debug messages (cannot be used with -q)
The following options are not (yet) implemented in the perl version:
-4 Use only IPv4
-6 Use only IPv6
-c Command to restart NTP after installing a new file
&lt;none&gt; - ntpd checks file daily
-p 4|6
Prefer IPv4 or IPv6 (as specified) addresses, but use either
update-leap will validate the file currently on the local system.
Ordinarily, the leapfile is found using the 'leapfile' directive in
/etc/ntp.conf. However, an alternate location can be specified on the
command line with the -L flag.
If the leapfile does not exist, is not valid, has expired, or is
expiring soon, a new copy will be downloaded. If the new copy is
valid, it is installed.
If the current file is acceptable, no download or restart occurs.
This can be run as a cron job. As the file is rarely updated, and
leap seconds are announced at least one month in advance (usually
longer), it need not be run more frequently than about once every
three weeks.
SSL/TLS Considerations
-----------------------
The perl modules can usually locate the CA certificate used to verify
the peer's identity.
On BSDs, the default is typically the file /etc/ssl/certs.pem. On
Linux, the location is typically a path to a CAdir - a directory of
symlinks named according to a hash of the certificates' subject names.
The -C or -D options are available to pass in a location if no CA cert
is found in the default location.
External Dependencies
---------------------
The following perl modules are required:
HTTP::Tiny - version &gt;= 0.056
IO::Socket::SSL - version &gt;= 1.56
NET::SSLeay - version &gt;= 1.49
Version: 1.004
</pre></div>
<hr>
<a name="update_002dleap-source_002durl"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-ipv4" accesskey="n" rel="next">update-leap ipv4</a>, Previous: <a href="#update_002dleap-usage" accesskey="p" rel="prev">update-leap usage</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="source_002durl-option-_0028_002ds_0029"></a>
<h4 class="subsection">1.2 source-url option (-s)</h4>
<a name="index-update_002dleap_002dsource_002durl"></a>
<p>This is the &ldquo;the url of the master copy of the leapseconds file&rdquo; option.
This option takes a string argument.
Specify the URL of the master copy to download
$LEAPSRC
</p><hr>
<a name="update_002dleap-ipv4"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-destination" accesskey="n" rel="next">update-leap destination</a>, Previous: <a href="#update_002dleap-source_002durl" accesskey="p" rel="prev">update-leap source-url</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="ipv4-option-_0028_002d4_0029"></a>
<h4 class="subsection">1.3 ipv4 option (-4)</h4>
<a name="index-update_002dleap_002dipv4"></a>
<p>This is the &ldquo;use only ipv4 addresses for dns name resolution&rdquo; option.
</p>
<p>This option has some usage constraints. It:
</p><ul>
<li> must not appear in combination with any of the following options:
ipv6.
</li></ul>
<p>Force DNS resolution of following host names on the command line
to the IPv4 namespace.
_EndOfDoc_;
;
</p>
<p>flag =
name = ipv6;
flags-cant = ipv4, prefer;
value = 6;
descrip = &quot;Use only IPv6 addresses for DNS name resolution&quot;;
doc = &lt;&lt;- _EndOfDoc_
Force DNS resolution of following host names on the command line
to the IPv6 namespace.
_EndOfDoc_;
;
</p>
<p>flag =
name = prefer;
flags-cant = ipv4, ipv6;
value = p;
arg-type = keyword;
keyword = 4, 6;
descrip = &rsquo;Prefer IPv4 or IPv6 (as specified) addresses, but use either&rsquo;;
doc = &lt;&lt;- _EndOfDoc_
Prefer IPv4 or IPv6 (as specified) addresses, but use either.
</p><hr>
<a name="update_002dleap-destination"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-expiration" accesskey="n" rel="next">update-leap expiration</a>, Previous: <a href="#update_002dleap-ipv4" accesskey="p" rel="prev">update-leap ipv4</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="destination-option-_0028_002dd_0029"></a>
<h4 class="subsection">1.4 destination option (-d)</h4>
<a name="index-update_002dleap_002ddestination"></a>
<p>This is the &ldquo;filename on the local system&rdquo; option.
This option takes a string argument <samp>float</samp>.
The name to use to store the leapfile on the local system.
$LEAPFILE
</p><hr>
<a name="update_002dleap-expiration"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-ntp_002dconf_002dfile" accesskey="n" rel="next">update-leap ntp-conf-file</a>, Previous: <a href="#update_002dleap-destination" accesskey="p" rel="prev">update-leap destination</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="expiration-option-_0028_002de_0029"></a>
<h4 class="subsection">1.5 expiration option (-e)</h4>
<a name="index-update_002dleap_002dexpiration"></a>
<p>This is the &ldquo;refresh the leapfile this long before it expires&rdquo; option.
This option takes a string argument.
Specify how long before expiration the file is to be refreshed
Units are required, e.g. &quot;-e 60 days&quot; Note that larger values
imply more frequent refreshes.
&quot;$PREFETCH&quot;
</p><hr>
<a name="update_002dleap-ntp_002dconf_002dfile"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-force_002dupdate" accesskey="n" rel="next">update-leap force-update</a>, Previous: <a href="#update_002dleap-expiration" accesskey="p" rel="prev">update-leap expiration</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="ntp_002dconf_002dfile-option-_0028_002df_0029"></a>
<h4 class="subsection">1.6 ntp-conf-file option (-f)</h4>
<a name="index-update_002dleap_002dntp_002dconf_002dfile"></a>
<p>This is the &ldquo;location of the ntp.conf file&rdquo; option.
This option takes a string argument.
Specify location of ntp.conf (used to make sure leapfile directive is
present and to default leapfile)
/etc/ntp.conf
</p><hr>
<a name="update_002dleap-force_002dupdate"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-exit-status" accesskey="n" rel="next">update-leap exit status</a>, Previous: <a href="#update_002dleap-ntp_002dconf_002dfile" accesskey="p" rel="prev">update-leap ntp-conf-file</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="force_002dupdate-option-_0028_002dF_0029"></a>
<h4 class="subsection">1.7 force-update option (-F)</h4>
<a name="index-update_002dleap_002dforce_002dupdate"></a>
<p>This is the &ldquo;force update of the leapfile&rdquo; option.
Force update even if current file is OK and not close to expiring.
</p><hr>
<a name="update_002dleap-exit-status"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-Usage" accesskey="n" rel="next">update-leap Usage</a>, Previous: <a href="#update_002dleap-force_002dupdate" accesskey="p" rel="prev">update-leap force-update</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="update_002dleap-exit-status-1"></a>
<h4 class="subsection">1.8 update-leap exit status</h4>
<p>One of the following exit values will be returned:
</p><dl compact="compact">
<dt>&lsquo;<samp>0 (EXIT_SUCCESS)</samp>&rsquo;</dt>
<dd><p>Successful program execution.
</p></dd>
<dt>&lsquo;<samp>1 (EXIT_FAILURE)</samp>&rsquo;</dt>
<dd><p>The operation failed or the command syntax was not valid.
</p></dd>
</dl>
<hr>
<a name="update_002dleap-Usage"></a>
<div class="header">
<p>
Next: <a href="#update_002dleap-Authors" accesskey="n" rel="next">update-leap Authors</a>, Previous: <a href="#update_002dleap-exit-status" accesskey="p" rel="prev">update-leap exit status</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="update_002dleap-Usage-1"></a>
<h4 class="subsection">1.9 update-leap Usage</h4>
<hr>
<a name="update_002dleap-Authors"></a>
<div class="header">
<p>
Previous: <a href="#update_002dleap-Usage" accesskey="p" rel="prev">update-leap Usage</a>, Up: <a href="#update_002dleap-Invocation" accesskey="u" rel="up">update-leap Invocation</a> &nbsp; </p>
</div>
<a name="update_002dleap-Authors-1"></a>
<h4 class="subsection">1.10 update-leap Authors</h4>
<hr>
</body>
</html>
Reference in a new issue View git blame Copy permalink