Migrate from ntp to ntpsec

Debian Bookworm no longer uses NTP, and instead uses NTPsec. Modify our
files to update/replace the NTPsec files instead.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

build_debian.sh

@@ -574,13 +574,12 @@ sudo cp files/dhcp/sethostname6 $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
 sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
 sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
 sudo cp files/dhcp/vrf $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
-if [ -f files/image_config/ntp/ntp ]; then
-    sudo cp ./files/image_config/ntp/ntp $FILESYSTEM_ROOT/etc/init.d/
+if [ -f files/image_config/ntp/ntpsec ]; then
+    sudo cp ./files/image_config/ntp/ntpsec $FILESYSTEM_ROOT/etc/init.d/
 fi
 
 if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then
-    sudo mkdir -p $FILESYSTEM_ROOT/usr/lib/ntp/
-    sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
+    sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
 fi
 
 ## Version file part 1

files/build_templates/sonic_debian_extension.j2

@@ -374,9 +374,10 @@ sudo cp $IMAGE_CONFIGS/ntp/ntp-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_S
 echo "ntp-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
 sudo cp $IMAGE_CONFIGS/ntp/ntp-config.sh $FILESYSTEM_ROOT/usr/bin/
 sudo cp $IMAGE_CONFIGS/ntp/ntp.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
-sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
-sudo cp $IMAGE_CONFIGS/ntp/ntp.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
-echo "ntp.service" | sudo tee -a $GENERATED_SERVICE_FILE
+sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
+sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d
+sudo cp $IMAGE_CONFIGS/ntp/sonic-target.conf $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d/
+echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
 
 # Copy DNS templates
 sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/

files/image_config/ntp/ntp-config.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-ntp_default_file='/etc/default/ntp'
+ntp_default_file='/etc/default/ntpsec'
 ntp_temp_file='/tmp/ntp.orig'
 
 reboot_type='cold'
@@ -23,10 +23,10 @@ function modify_ntp_default
     sed -e "$1" ${ntp_temp_file} >${ntp_default_file}
 }
 
-sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntp.conf
+sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntpsec/ntp.conf
 
 get_database_reboot_type
 echo "Disabling NTP long jump for reboot type ${reboot_type} ..."
-modify_ntp_default "s/NTPD_OPTS='-g'/NTPD_OPTS='-x'/"
+modify_ntp_default "s/NTPD_OPTS=\"-g -N\"/NTPD_OPTS=\"-x -N\"/"
 
 systemctl --no-block restart ntp

files/image_config/ntp/ntp-systemd-wrapper

@@ -4,45 +4,47 @@
 # This is now manually modified for supporting NTP in management VRF.
 # When management VRF is enabled, the NTP application should be started using "ip vrf exec mgmt".
 # Check has been added to verify the management VRF enabled status and use "ip vrf exec mgmt"  when it is enabled.
-# This file will be copied to /usr/lib/ntp/ntp-systemd-wrapper file that gets created during build process.
-
+# This file will be copied to /usr/libexec/ntpsec/ntp-systemd-wrapper file that gets created during build process.
 DAEMON=/usr/sbin/ntpd
-PIDFILE=/var/run/ntpd.pid
+PIDFILE=/run/ntpd.pid
+LOCKFILE=/run/lock/ntpsec-ntpdate
 
-if [ -r /etc/default/ntp ]; then
-        . /etc/default/ntp
+if [ -r /etc/default/ntpsec ]; then
+        . /etc/default/ntpsec
 fi
 
-if [ -e /run/ntp.conf.dhcp ]; then
-        NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp"
+if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then
+        NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp"
+else
+	# List the default -c first, so if the admin has specified -c in
+	# NTPD_OPTS, it is honored.
+	NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS"
 fi
 
-LOCKFILE=/run/lock/ntpdate
-
-RUNASUSER=ntp
-UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true
-if test "$(uname -s)" = "Linux"; then
-        NTPD_OPTS="$NTPD_OPTS -u $UGID"
-fi
+NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"
 
+# Protect the service startup against concurrent ntpdate ifup hooks
 (
-        flock -w 180 9
-        # when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
-        vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
-        vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
-        if [ "$vrfEnabled" = "true" ]
-        then
-                if [ "$vrfConfigured" = "default" ]
+        if flock -w 180 9; then
+                # when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
+                vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
+                vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
+                if [ "$vrfEnabled" = "true" ]
                 then
-                            log_daemon_msg "Starting NTP server in default-vrf for default set as NTP vrf" "ntpd"
-                            start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
+                        if [ "$vrfConfigured" = "default" ]
+                        then
+                                    echo "Starting NTP server in default-vrf for default set as NTP vrf"
+                                    exec $DAEMON -p $PIDFILE $NTPD_OPTS
+                        else
+                                    echo "Starting NTP server in mgmt-vrf"
+                                    exec ip vrf exec mgmt $DAEMON -p $PIDFILE $NTPD_OPTS
+                        fi
                 else
-                            log_daemon_msg "Starting NTP server in mgmt-vrf" "ntpd"
-                            ip vrf exec mgmt start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
+                        echo "Starting NTP server in default-vrf"
+                        exec $DAEMON -p $PIDFILE $NTPD_OPTS
                 fi
         else
-                log_daemon_msg "Starting NTP server in default-vrf" "ntpd"
-                start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
+                echo "Timeout waiting for $LOCKFILE"
+                exit 1
         fi
 ) 9>$LOCKFILE
-

files/image_config/ntp/ntp.conf.j2

@@ -3,43 +3,44 @@
 # file: ansible/roles/acs/templates/ntp.conf.j2
 ###############################################################################
 
-# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
 # To avoid ntpd from panic and exit if the drift between new time and
 # current system time is large.
 tinker panic 0
 
-driftfile /var/lib/ntp/ntp.drift
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
 
-# Enable this if you want statistics to be logged.
-#statsdir /var/log/ntpstats/
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
 
-statistics loopstats peerstats clockstats
-filegen loopstats file loopstats type day enable
-filegen peerstats file peerstats type day enable
-filegen clockstats file clockstats type day enable
+# Specify one or more NTP servers.
 
-
-# You do need to talk to an NTP server or two (or three).
-#server ntp.your-provider.example
-
-# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
-# pick a different set every time it starts up.  Please consider joining the
-# pool: <http://www.pool.ntp.org/join.html>
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
 {% for ntp_server in NTP_SERVER %}
 server {{ ntp_server }} iburst
 {% endfor %}
 
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+
 #listen on source interface if configured, else 
 #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 
 # if we don't have both of them (default is to listen on all ip addresses)
 interface ignore wildcard
-
-# set global variable for configured source interface name
-# set global boolean to indicate if the ip of the configured source interface is configured
-# if the source interface is configured but no ip on that interface, then listen on another
-# interface based on existing logic
 {%- macro check_ip_on_interface(interface_name, table_name) %}
     {%- set ns = namespace(valid_intf = 'false') %}
     {%- if table_name %}
@@ -53,22 +54,22 @@ interface ignore wildcard
 {%- endmacro %}
 
 {% set ns = namespace(source_intf = "") %}
-{% set ns = namespace(source_intf_ip = 'false') %}
-{% if (NTP) and (NTP['global']['src_intf'])  %}
-    {% set ns.source_intf = (NTP['global']['src_intf']) %}
-    {% if ns.source_intf != "" %}
-        {% if ns.source_intf == "eth0" %}
-            {% set ns.source_intf_ip = 'true' %}
-        {% elif ns.source_intf.startswith('Vlan') %}
-            {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
-        {% elif ns.source_intf.startswith('Ethernet') %}
-            {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
-        {% elif ns.source_intf.startswith('PortChannel') %}
-            {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
-        {% elif ns.source_intf.startswith('Loopback') %}
-            {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
-        {% endif %}
-    {% endif %}
+{%- set ns = namespace(source_intf_ip = 'false') %}
+{%- if (NTP) and (NTP['global']['src_intf'])  %}
+    {%- set ns.source_intf = (NTP['global']['src_intf']) %}
+    {%- if ns.source_intf != "" %}
+        {%- if ns.source_intf == "eth0" %}
+            {%- set ns.source_intf_ip = 'true' %}
+        {%- elif ns.source_intf.startswith('Vlan') %}
+            {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
+        {%- elif ns.source_intf.startswith('Ethernet') %}
+            {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
+        {%- elif ns.source_intf.startswith('PortChannel') %}
+            {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
+        {%- elif ns.source_intf.startswith('Loopback') %}
+            {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
+        {%- endif %}
+    {%- endif %}
 {% endif %}
 
 {% if ns.source_intf_ip == 'true' %}
@@ -90,32 +91,17 @@ interface listen eth0
 {% endif %}
 interface listen 127.0.0.1
 
-# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
-# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
-# might also be helpful.
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.
 
 # By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
+restrict default kod nomodify noquery limited
 
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
-
-# Clients from this (example!) subnet have unlimited access, but only if
-# cryptographically authenticated.
-#restrict 192.168.123.0 mask 255.255.255.0 notrust
-
-
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-#broadcast 192.168.123.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient

files/image_config/ntp/ntp.service

@@ -1,18 +0,0 @@
-[Unit]
-Description=Network Time Service
-Documentation=man:ntpd(8)
-After=network.target
-Conflicts=systemd-timesyncd.service
-BindsTo=sonic.target
-After=sonic.target
-StartLimitIntervalSec=0
-
-[Service]
-Type=forking
-# Debian uses a shell wrapper to process /etc/default/ntp
-# and select DHCP-provided NTP servers if available
-ExecStart=/usr/lib/ntp/ntp-systemd-wrapper
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target

files/image_config/ntp/ntpsec

@@ -4,15 +4,20 @@
 # This is now manually modified for supporting NTP in management VRF.
 # When management VRF is enabled, the NTP application should be started using "cgexec -g l3mdev:mgmt". 
 # Check has been added to verify the management VRF enabled status and use cgexec when it is enabled.
-# This file will be copied on top of the etc/init.d/ntp file that gets created during build process.
+# This file will be copied on top of the etc/init.d/ntpsec file that gets created during build process.
 
 ### BEGIN INIT INFO
-# Provides:        ntp
+# Provides:        ntpsec
 # Required-Start:  $network $remote_fs $syslog
 # Required-Stop:   $network $remote_fs $syslog
 # Default-Start:   2 3 4 5
-# Default-Stop: 
+# Default-Stop:
 # Short-Description: Start NTP daemon
+# Description:       NTP, the Network Time Protocol, is used to keep computer
+#                    clocks accurate by synchronizing them over the Internet or
+#                    a local network, or by following an accurate hardware
+#                    receiver that interprets GPS, DCF-77, or similar time
+#                    signals.
 ### END INIT INFO
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
@@ -20,34 +25,29 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
 . /lib/lsb/init-functions
 
 DAEMON=/usr/sbin/ntpd
-PIDFILE=/var/run/ntpd.pid
+PIDFILE=/run/ntpd.pid
 
 test -x $DAEMON || exit 5
 
-if [ -r /etc/default/ntp ]; then
-	. /etc/default/ntp
+if [ -r /etc/default/ntpsec ]; then
+	. /etc/default/ntpsec
 fi
 
-if [ -e /run/ntp.conf.dhcp ]; then
-	NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp"
+if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then
+	NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp"
+else
+	# List the default -c first, so if the admin has specified -c in
+	# NTPD_OPTS, it is honored.
+	NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS"
 fi
 
+NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"
 
-LOCKFILE=/run/lock/ntpdate
-
-RUNASUSER=ntp
-UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true
-if test "$(uname -s)" = "Linux"; then
-        NTPD_OPTS="$NTPD_OPTS -u $UGID"
-fi
+LOCKFILE=/run/lock/ntpsec-ntpdate
 
 case $1 in
 	start)
 		log_daemon_msg "Starting NTP server" "ntpd"
-		if [ -z "$UGID" ]; then
-			log_failure_msg "user \"$RUNASUSER\" does not exist"
-			exit 1
-		fi
 		(
 			flock -w 180 9
 
@@ -70,16 +70,16 @@ case $1 in
 			fi
 		) 9>$LOCKFILE
 		log_end_msg $?
-  		;;
+		;;
 	stop)
 		log_daemon_msg "Stopping NTP server" "ntpd"
 		start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --retry=TERM/30/KILL/5 --exec $DAEMON
 		log_end_msg $?
 		rm -f $PIDFILE
-  		;;
+		;;
 	restart|force-reload)
 		$0 stop && sleep 2 && $0 start
-  		;;
+		;;
 	try-restart)
 		if $0 status >/dev/null; then
 			$0 restart

files/image_config/ntp/sonic-target.conf

@@ -0,0 +1,3 @@
+[Unit]
+BindsTo=sonic.target
+After=sonic.target

slave.mk

@@ -1337,7 +1337,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
                 $(SONIC_DEVICE_DATA) \
                 $(IFUPDOWN2) \
                 $(KDUMP_TOOLS) \
-                $(NTP) \
                 $(LIBPAM_RADIUS) \
                 $(LIBNSS_RADIUS) \
                 $(LIBPAM_TACPLUS) \

src/sonic-config-engine/tests/sample_output/py2/ntp.conf

@@ -3,70 +3,56 @@
 # file: ansible/roles/acs/templates/ntp.conf.j2
 ###############################################################################
 
-# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
 # To avoid ntpd from panic and exit if the drift between new time and
 # current system time is large.
 tinker panic 0
 
-driftfile /var/lib/ntp/ntp.drift
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
 
-# Enable this if you want statistics to be logged.
-#statsdir /var/log/ntpstats/
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
 
-statistics loopstats peerstats clockstats
-filegen loopstats file loopstats type day enable
-filegen peerstats file peerstats type day enable
-filegen clockstats file clockstats type day enable
+# Specify one or more NTP servers.
 
-
-# You do need to talk to an NTP server or two (or three).
-#server ntp.your-provider.example
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
 
 # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 # pick a different set every time it starts up.  Please consider joining the
-# pool: <http://www.pool.ntp.org/join.html>
+# pool: <https://www.pool.ntp.org/join.html>
 
 #listen on source interface if configured, else 
 #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 
 # if we don't have both of them (default is to listen on all ip addresses)
 interface ignore wildcard
 
-# set global variable for configured source interface name
-# set global boolean to indicate if the ip of the configured source interface is configured
-# if the source interface is configured but no ip on that interface, then listen on another
-# interface based on existing logic
-                                        
 interface listen Ethernet0
 interface listen 127.0.0.1
 
-# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
-# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
-# might also be helpful.
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.
 
 # By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
+restrict default kod nomodify noquery limited
 
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
-
-# Clients from this (example!) subnet have unlimited access, but only if
-# cryptographically authenticated.
-#restrict 192.168.123.0 mask 255.255.255.0 notrust
-
-
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-#broadcast 192.168.123.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient

src/sonic-config-engine/tests/sample_output/py3/ntp.conf

@@ -3,70 +3,56 @@
 # file: ansible/roles/acs/templates/ntp.conf.j2
 ###############################################################################
 
-# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
 # To avoid ntpd from panic and exit if the drift between new time and
 # current system time is large.
 tinker panic 0
 
-driftfile /var/lib/ntp/ntp.drift
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
 
-# Enable this if you want statistics to be logged.
-#statsdir /var/log/ntpstats/
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
 
-statistics loopstats peerstats clockstats
-filegen loopstats file loopstats type day enable
-filegen peerstats file peerstats type day enable
-filegen clockstats file clockstats type day enable
+# Specify one or more NTP servers.
 
-
-# You do need to talk to an NTP server or two (or three).
-#server ntp.your-provider.example
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
 
 # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 # pick a different set every time it starts up.  Please consider joining the
-# pool: <http://www.pool.ntp.org/join.html>
+# pool: <https://www.pool.ntp.org/join.html>
 
 #listen on source interface if configured, else 
 #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 
 # if we don't have both of them (default is to listen on all ip addresses)
 interface ignore wildcard
 
-# set global variable for configured source interface name
-# set global boolean to indicate if the ip of the configured source interface is configured
-# if the source interface is configured but no ip on that interface, then listen on another
-# interface based on existing logic
-                                        
 interface listen Ethernet0
 interface listen 127.0.0.1
 
-# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
-# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
-# might also be helpful.
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.
 
 # By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
+restrict default kod nomodify noquery limited
 
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
-
-# Clients from this (example!) subnet have unlimited access, but only if
-# cryptographically authenticated.
-#restrict 192.168.123.0 mask 255.255.255.0 notrust
-
-
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-#broadcast 192.168.123.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient