Index: RELNOTES =================================================================== --- RELNOTES +++ RELNOTES @@ -10,6 +10,10 @@ Changes to this file should not be MFCed. +rNNNNNN: + ntpd is no longer by default locked in memory. rlimit memlock 32 + or rlimit memlock 0 can be used to restore this behaviour. + r351522: Add kernel-side support for in-kernel Transport Layer Security (KTLS). KTLS permits using sendfile(2) over sockets using Index: UPDATING =================================================================== --- UPDATING +++ UPDATING @@ -26,6 +26,15 @@ disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20190912: + ntpd no longer by default locks its pages in memory, allowing them + to be paged out by the kernel. For stratum 1 or 2 NTP servers, + rlimit memlock can be used to lock ntpd into memory, restoring + previous behaviour. For example, rlimit memlock 32 to lock up to + 32 MB of ntpd address space in memory or (if ASLR is disabled or + ASLR stack gap is 0) rlimit memlock 0 to lock all that ntpd asks + for into memory. + 20190823: Several of ping6's options have been renamed for better consistency with ping. If you use any of -ARWXaghmrtwx, you must update your Index: usr.sbin/ntp/config.h =================================================================== --- usr.sbin/ntp/config.h +++ usr.sbin/ntp/config.h @@ -287,7 +287,7 @@ #define DEFAULT_HZ 100 /* Default number of megabytes for RLIMIT_MEMLOCK */ -#define DFLT_RLIMIT_MEMLOCK 32 +#define DFLT_RLIMIT_MEMLOCK -1 /* Default number of 4k pages for RLIMIT_STACK */ #define DFLT_RLIMIT_STACK 50 Index: usr.sbin/ntp/ntpd/ntp.conf =================================================================== --- usr.sbin/ntp/ntpd/ntp.conf +++ usr.sbin/ntp/ntpd/ntp.conf 
@@ -102,3 +102,11 @@ # Use either leapfile in /etc/ntp or periodically updated leapfile in /var/db. #leapfile "/etc/ntp/leap-seconds" leapfile "/var/db/ntpd.leap-seconds.list" + +# Specify the number of megabytes of memory that should be allocated and +# locked. -1 (default) means "do not lock the process into memory". +# 0 means "lock whatever memory the process wants into memory". Any other +# number means to lock up to that number of megabytes into memory. +# 0 may result in a segfault when ASLR with stack gap randomization +# is enabled. +#rlimit memlock 32
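Review bot: In the RELNOTES hunk, "rlimit memlock 32 or rlimit memlock 0 can be used to restore this behaviour" presents both values as equivalent, but only 32 matches the old DFLT_RLIMIT_MEMLOCK shown in the config.h hunk. The ntp.conf comment in this same patch warns that 0 may segfault when ASLR with stack gap randomization is enabled. Suggest naming 32 as the value that restores the previous default and either dropping 0 here or carrying the ASLR caveat along with it. The rNNNNNN placeholder also needs the real revision number before commit.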
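Review bot: The 20190912 UPDATING entry never says where "rlimit memlock" is set, so an operator of a stratum 1 or 2 server reading only this file has to guess. The ntp.conf hunk shows the directive belongs in ntp.conf, so suggest wording such as "add rlimit memlock 32 to ntp.conf". The text beginning "For example, rlimit memlock 32 to lock up to" is also a sentence fragment and would read better as "For example, use rlimit memlock 32 to lock up to 32 MB ...".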
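Review bot: In the usr.sbin/ntp/config.h hunk, the unchanged comment "Default number of megabytes for RLIMIT_MEMLOCK" no longer describes the new value, since -1 is not a size in megabytes but a sentinel meaning "do not lock", according to the ntp.conf comment added in this patch. Suggest extending the comment above DFLT_RLIMIT_MEMLOCK to document that -1 disables locking and 0 locks whatever the process asks for, so the special values are explained next to the define as well as in the sample configuration.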
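Review bot: In the usr.sbin/ntp/ntpd/ntp.conf hunk, the segfault warning for 0 sits two sentences after the line that introduces 0, so someone skimming the comment can pick 0 as the "lock everything" option and miss the ASLR stack gap caveat. Suggest moving the warning directly after the line "0 means ..." and noting that the commented-out example "#rlimit memlock 32" corresponds to the previous built-in default, which is visible in the config.h hunk.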