sonic-buildimage/files/image_config/ntp/ntp.conf.j2

###############################################################################
# Managed by Ansible
# file: ansible/roles/acs/templates/ntp.conf.j2
###############################################################################

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

# To avoid ntpd from panic and exit if the drift between new time and
# current system time is large.
tinker panic 0

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
{% for ntp_server in NTP_SERVER %}
server {{ ntp_server }} iburst
{% endfor %}

#listen on source interface if configured, else 
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 
# if we don't have both of them (default is to listen on all ip addresses)
interface ignore wildcard

# set global variable for configured source interface name
# set global boolean to indicate if the ip of the configured source interface is configured
# if the source interface is configured but no ip on that interface, then listen on another
# interface based on existing logic
{%- macro check_ip_on_interface(interface_name, table_name) %}
    {%- set ns = namespace(valid_intf = 'false') %}
    {%- if table_name %}
        {%- for (name, source_prefix) in table_name|pfx_filter %}
            {%- if source_prefix and name == interface_name %}
                {%- set ns.valid_intf = 'true' %}
            {%- endif %}
        {%- endfor %}
    {%- endif %}
{{ ns.valid_intf }}
{%- endmacro %}

{% set ns = namespace(source_intf = "") %}
{% set ns = namespace(source_intf_ip = 'false') %}
{% if (NTP) and (NTP['global']['src_intf'])  %}
    {% set ns.source_intf = (NTP['global']['src_intf']) %}
    {% if ns.source_intf != "" %}
        {% if ns.source_intf == "eth0" %}
            {% set ns.source_intf_ip = 'true' %}
        {% elif ns.source_intf.startswith('Vlan') %}
            {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
        {% elif ns.source_intf.startswith('Ethernet') %}
            {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
        {% elif ns.source_intf.startswith('PortChannel') %}
            {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
        {% elif ns.source_intf.startswith('Loopback') %}
            {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
        {% endif %}
    {% endif %}
{% endif %}

{% if ns.source_intf_ip == 'true' %}
interface listen {{ns.source_intf}}
{% elif (NTP) and NTP['global']['vrf'] == 'mgmt' %}
interface listen eth0
{% elif MGMT_INTERFACE %}
{% for (mgmt_intf, mgmt_prefix) in MGMT_INTERFACE|pfx_filter %}
interface listen {{ mgmt_prefix | ip }}
{% endfor %}
{% elif LOOPBACK_INTERFACE %}
{% for (name, prefix) in LOOPBACK_INTERFACE|pfx_filter %}
{% if prefix | ipv4 and name == 'Loopback0' %}
interface listen {{ prefix | ip }}
{% endif %}
{% endfor %}
{% else %}
interface listen eth0
{% endif %}
interface listen 127.0.0.1

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
one image implementation (#215) * Single image * Fix review comments * Update syncd service. Add HW mgmt to Mellanox single image. * Add single image template for Broadcom platform. SKU should be provided during configure: make configure PLATFORM=broadcom SKU=Force10-S6000 * Add single image template for Cavium platform. SKU should be provided during configure: make configure PLATFORM=cavium SKU=AS7512 * Add description to sonic_debian_extension.j2 file. 2017-01-29 13:33:33 -06:00			`###############################################################################`
			`# Managed by Ansible`
			`# file: ansible/roles/acs/templates/ntp.conf.j2`
			`###############################################################################`

			`# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help`

[ntp]: Add "tinker panic 0" in ntp.conf to avoid ntpd from panic (#4263) - What I did Add configuration to avoid ntpd from panic and exit if the drift between new time and current system time is large. - How I did it Added "tinker panic 0" in ntp.conf file. - How to verify it [this assumes that there is a valid NTP server IP in config_db/ntp.conf] Change the current system time to a bad time with a large drift from time in ntp server; drift should be greater than 1000s. Reboot the device. Before the fix: 3. upon reboot, ntp-config service comes up fine, ntp service goes to active(exited) state without any error message. This is because the offset between new time (from ntp server) and the current system time is very large, ntpd goes to panic mode and exits. The system continues to show the bad time. After the fix: 3. Upon reboot, ntp-config comes up fine, ntp services comes up from and stays in active (running) state. The system clock gets synced with the ntp server time. 2020-03-21 20:50:12 -05:00			`# To avoid ntpd from panic and exit if the drift between new time and`
			`# current system time is large.`
			`tinker panic 0`

one image implementation (#215) * Single image * Fix review comments * Update syncd service. Add HW mgmt to Mellanox single image. * Add single image template for Broadcom platform. SKU should be provided during configure: make configure PLATFORM=broadcom SKU=Force10-S6000 * Add single image template for Cavium platform. SKU should be provided during configure: make configure PLATFORM=cavium SKU=AS7512 * Add description to sonic_debian_extension.j2 file. 2017-01-29 13:33:33 -06:00			`driftfile /var/lib/ntp/ntp.drift`


			`# Enable this if you want statistics to be logged.`
			`#statsdir /var/log/ntpstats/`

			`statistics loopstats peerstats clockstats`
			`filegen loopstats file loopstats type day enable`
			`filegen peerstats file peerstats type day enable`
			`filegen clockstats file clockstats type day enable`


			`# You do need to talk to an NTP server or two (or three).`
			`#server ntp.your-provider.example`

			`# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will`
			`# pick a different set every time it starts up. Please consider joining the`
			`# pool: <http://www.pool.ntp.org/join.html>`
[configdb] Migrate minigraph configurations to DB (#942) Modify minigraph parser output format so it fit DB schema Modify configuration templates to fit new schema Systemd services dependencies are modified so database starts before any configuration consumer 2017-09-12 16:13:27 -05:00			`{% for ntp_server in NTP_SERVER %}`
one image implementation (#215) * Single image * Fix review comments * Update syncd service. Add HW mgmt to Mellanox single image. * Add single image template for Broadcom platform. SKU should be provided during configure: make configure PLATFORM=broadcom SKU=Force10-S6000 * Add single image template for Cavium platform. SKU should be provided during configure: make configure PLATFORM=cavium SKU=AS7512 * Add description to sonic_debian_extension.j2 file. 2017-01-29 13:33:33 -06:00			`server {{ ntp_server }} iburst`
			`{% endfor %}`

[ntp]: Source interface support for NTP (#6033) Added source interface support for NTP. Also made NTP start on Mgmt-VRF by default when configured. - How I did it 1) Updated hostcfg to listen to global config NTP and NTP_SERVER tables and restart ntp when ever the configuration changes. NTP table includes source interface configuration. 2) The ntp script updated to by default start on Mgmt-VFT when configured. Signed-off-by: Prabhu Sreenivasan <prabhu.sreenivasan@broadcom> 2020-12-21 07:34:13 -06:00			`#listen on source interface if configured, else`
[ntp]: Use loopback address when we don't have MGMT interface (#3566) Added configuration to use Loopback ip if a switch doesn't have MGMT_PORT. 2019-10-07 09:49:25 -05:00			`#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0`
			`# if we don't have both of them (default is to listen on all ip addresses)`
one image implementation (#215) * Single image * Fix review comments * Update syncd service. Add HW mgmt to Mellanox single image. * Add single image template for Broadcom platform. SKU should be provided during configure: make configure PLATFORM=broadcom SKU=Force10-S6000 * Add single image template for Cavium platform. SKU should be provided during configure: make configure PLATFORM=cavium SKU=AS7512 * Add description to sonic_debian_extension.j2 file. 2017-01-29 13:33:33 -06:00			`interface ignore wildcard`
[ntp]: Source interface support for NTP (#6033) Added source interface support for NTP. Also made NTP start on Mgmt-VRF by default when configured. - How I did it 1) Updated hostcfg to listen to global config NTP and NTP_SERVER tables and restart ntp when ever the configuration changes. NTP table includes source interface configuration. 2) The ntp script updated to by default start on Mgmt-VFT when configured. Signed-off-by: Prabhu Sreenivasan <prabhu.sreenivasan@broadcom> 2020-12-21 07:34:13 -06:00
			`# set global variable for configured source interface name`
			`# set global boolean to indicate if the ip of the configured source interface is configured`
			`# if the source interface is configured but no ip on that interface, then listen on another`
			`# interface based on existing logic`
			`{%- macro check_ip_on_interface(interface_name, table_name) %}`
[ntp] Fix ntp.conf template to allow setting of source port in CONFIG_DB (#7586) Why I did it Currently, there is a bug in the ntp.conf jinja2 template where it will ignore the src_intf directive in CONFIG_DB if there are multiple IP addresses associated with an interface. This code change fixes that bug and allows the template to select the correct source interface for NTP. How I did it I did this by modifying the macro in ntp.conf.j2 which determines if there is an ip address associated with an interface to set a state variable when it detects a valid interface entry in CONFIG_DB instead of outputting "true" directly (which could result in multiple "trues" outputted for interfaces with multiple valid IP addresses). How to verify it Add two ipv4 addresses to an interface in SONiC Add the following configuration to config_db.json { "NTP": { "global": { "src_intf": "Ethernet1" } } } Replace Ethernet1 with the interface name of the one you assigned the IP addresses to. Run sudo config reload -y Open /etc/ntp.conf and verify that the following line exists ... interface listen Ethernet1 ... The interface specified should be the one set in the previous steps. Description for the changelog [ntp] Fix ntp.conf template to allow setting of source port in CONFIG_DB 2021-05-23 15:40:43 -05:00			`{%- set ns = namespace(valid_intf = 'false') %}`
[ntp]: Source interface support for NTP (#6033) Added source interface support for NTP. Also made NTP start on Mgmt-VRF by default when configured. - How I did it 1) Updated hostcfg to listen to global config NTP and NTP_SERVER tables and restart ntp when ever the configuration changes. NTP table includes source interface configuration. 2) The ntp script updated to by default start on Mgmt-VFT when configured. Signed-off-by: Prabhu Sreenivasan <prabhu.sreenivasan@broadcom> 2020-12-21 07:34:13 -06:00			`{%- if table_name %}`
			`{%- for (name, source_prefix) in table_name\|pfx_filter %}`
			`{%- if source_prefix and name == interface_name %}`
[ntp] Fix ntp.conf template to allow setting of source port in CONFIG_DB (#7586) Why I did it Currently, there is a bug in the ntp.conf jinja2 template where it will ignore the src_intf directive in CONFIG_DB if there are multiple IP addresses associated with an interface. This code change fixes that bug and allows the template to select the correct source interface for NTP. How I did it I did this by modifying the macro in ntp.conf.j2 which determines if there is an ip address associated with an interface to set a state variable when it detects a valid interface entry in CONFIG_DB instead of outputting "true" directly (which could result in multiple "trues" outputted for interfaces with multiple valid IP addresses). How to verify it Add two ipv4 addresses to an interface in SONiC Add the following configuration to config_db.json { "NTP": { "global": { "src_intf": "Ethernet1" } } } Replace Ethernet1 with the interface name of the one you assigned the IP addresses to. Run sudo config reload -y Open /etc/ntp.conf and verify that the following line exists ... interface listen Ethernet1 ... The interface specified should be the one set in the previous steps. Description for the changelog [ntp] Fix ntp.conf template to allow setting of source port in CONFIG_DB 2021-05-23 15:40:43 -05:00			`{%- set ns.valid_intf = 'true' %}`
[ntp]: Source interface support for NTP (#6033) Added source interface support for NTP. Also made NTP start on Mgmt-VRF by default when configured. - How I did it 1) Updated hostcfg to listen to global config NTP and NTP_SERVER tables and restart ntp when ever the configuration changes. NTP table includes source interface configuration. 2) The ntp script updated to by default start on Mgmt-VFT when configured. Signed-off-by: Prabhu Sreenivasan <prabhu.sreenivasan@broadcom> 2020-12-21 07:34:13 -06:00			`{%- endif %}`
			`{%- endfor %}`
			`{%- endif %}`
[ntp] Fix ntp.conf template to allow setting of source port in CONFIG_DB (#7586) Why I did it Currently, there is a bug in the ntp.conf jinja2 template where it will ignore the src_intf directive in CONFIG_DB if there are multiple IP addresses associated with an interface. This code change fixes that bug and allows the template to select the correct source interface for NTP. How I did it I did this by modifying the macro in ntp.conf.j2 which determines if there is an ip address associated with an interface to set a state variable when it detects a valid interface entry in CONFIG_DB instead of outputting "true" directly (which could result in multiple "trues" outputted for interfaces with multiple valid IP addresses). How to verify it Add two ipv4 addresses to an interface in SONiC Add the following configuration to config_db.json { "NTP": { "global": { "src_intf": "Ethernet1" } } } Replace Ethernet1 with the interface name of the one you assigned the IP addresses to. Run sudo config reload -y Open /etc/ntp.conf and verify that the following line exists ... interface listen Ethernet1 ... The interface specified should be the one set in the previous steps. Description for the changelog [ntp] Fix ntp.conf template to allow setting of source port in CONFIG_DB 2021-05-23 15:40:43 -05:00			`{{ ns.valid_intf }}`
[ntp]: Source interface support for NTP (#6033) Added source interface support for NTP. Also made NTP start on Mgmt-VRF by default when configured. - How I did it 1) Updated hostcfg to listen to global config NTP and NTP_SERVER tables and restart ntp when ever the configuration changes. NTP table includes source interface configuration. 2) The ntp script updated to by default start on Mgmt-VFT when configured. Signed-off-by: Prabhu Sreenivasan <prabhu.sreenivasan@broadcom> 2020-12-21 07:34:13 -06:00			`{%- endmacro %}`

			`{% set ns = namespace(source_intf = "") %}`
			`{% set ns = namespace(source_intf_ip = 'false') %}`
			`{% if (NTP) and (NTP['global']['src_intf']) %}`
			`{% set ns.source_intf = (NTP['global']['src_intf']) %}`
			`{% if ns.source_intf != "" %}`
			`{% if ns.source_intf == "eth0" %}`
			`{% set ns.source_intf_ip = 'true' %}`
			`{% elif ns.source_intf.startswith('Vlan') %}`
			`{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}`
			`{% elif ns.source_intf.startswith('Ethernet') %}`
			`{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}`
			`{% elif ns.source_intf.startswith('PortChannel') %}`
			`{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}`
			`{% elif ns.source_intf.startswith('Loopback') %}`
			`{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}`
			`{% endif %}`
			`{% endif %}`
			`{% endif %}`

			`{% if ns.source_intf_ip == 'true' %}`
			`interface listen {{ns.source_intf}}`
			`{% elif (NTP) and NTP['global']['vrf'] == 'mgmt' %}`
			`interface listen eth0`
			`{% elif MGMT_INTERFACE %}`
Generate interface table to have an entry designated to default VRF. (#2848) * Generate default VRF table for router interfaces * Updated jinja2 template to have prefix filter 2019-06-10 16:02:55 -05:00			`{% for (mgmt_intf, mgmt_prefix) in MGMT_INTERFACE\|pfx_filter %}`
[configdb] Migrate minigraph configurations to DB (#942) Modify minigraph parser output format so it fit DB schema Modify configuration templates to fit new schema Systemd services dependencies are modified so database starts before any configuration consumer 2017-09-12 16:13:27 -05:00			`interface listen {{ mgmt_prefix \| ip }}`
			`{% endfor %}`
[ntp]: Use loopback address when we don't have MGMT interface (#3566) Added configuration to use Loopback ip if a switch doesn't have MGMT_PORT. 2019-10-07 09:49:25 -05:00			`{% elif LOOPBACK_INTERFACE %}`
			`{% for (name, prefix) in LOOPBACK_INTERFACE\|pfx_filter %}`
			`{% if prefix \| ipv4 and name == 'Loopback0' %}`
			`interface listen {{ prefix \| ip }}`
			`{% endif %}`
			`{% endfor %}`
[ntp]: Fix NTP sync while using DHCP (#1035) 2017-10-13 19:08:35 -05:00			`{% else %}`
			`interface listen eth0`
			`{% endif %}`
one image implementation (#215) * Single image * Fix review comments * Update syncd service. Add HW mgmt to Mellanox single image. * Add single image template for Broadcom platform. SKU should be provided during configure: make configure PLATFORM=broadcom SKU=Force10-S6000 * Add single image template for Cavium platform. SKU should be provided during configure: make configure PLATFORM=cavium SKU=AS7512 * Add description to sonic_debian_extension.j2 file. 2017-01-29 13:33:33 -06:00			`interface listen 127.0.0.1`

			`# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for`
			`# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>`
			`# might also be helpful.`
			`#`
			`# Note that "restrict" applies to both servers and clients, so a configuration`
			`# that might be intended to block requests from certain clients could also end`
			`# up blocking replies from your own upstream servers.`

			`# By default, exchange time with everybody, but don't allow configuration.`
			`restrict -4 default kod notrap nomodify nopeer noquery`
			`restrict -6 default kod notrap nomodify nopeer noquery`

			`# Local users may interrogate the ntp server more closely.`
			`restrict 127.0.0.1`
			`restrict ::1`

			`# Clients from this (example!) subnet have unlimited access, but only if`
			`# cryptographically authenticated.`
			`#restrict 192.168.123.0 mask 255.255.255.0 notrust`


			`# If you want to provide time to your local subnet, change the next line.`
			`# (Again, the address is an example only.)`
			`#broadcast 192.168.123.255`

			`# If you want to listen to time broadcasts on your local subnet, de-comment the`
			`# next lines. Please do this only if you trust everybody on the network!`
			`#disable auth`
			`#broadcastclient`