Migrate from ntp to ntpsec

Debian Bookworm no longer ships the classic `ntp` package and provides NTPsec instead. Update our build scripts, templates and overrides to install and replace the NTPsec files.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
Saikrishna Arcot 2023-10-23 08:44:13 -07:00 committed by Ying Xie
parent 3a23c8962d
commit 34a1ac1a0f
11 changed files with 150 additions and 206 deletions


@ -574,13 +574,12 @@ sudo cp files/dhcp/sethostname6 $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/ sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/ sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
sudo cp files/dhcp/vrf $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/ sudo cp files/dhcp/vrf $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
if [ -f files/image_config/ntp/ntp ]; then if [ -f files/image_config/ntp/ntpsec ]; then
sudo cp ./files/image_config/ntp/ntp $FILESYSTEM_ROOT/etc/init.d/ sudo cp ./files/image_config/ntp/ntpsec $FILESYSTEM_ROOT/etc/init.d/
fi fi
if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then
sudo mkdir -p $FILESYSTEM_ROOT/usr/lib/ntp/ sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
fi fi
## Version file part 1 ## Version file part 1
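Review bot: The copy of `ntp-systemd-wrapper` into `$FILESYSTEM_ROOT/usr/libexec/ntpsec/` no longer creates the destination directory (the old branch had `sudo mkdir -p $FILESYSTEM_ROOT/usr/lib/ntp/`), so it now depends on the ntpsec package having been installed into the rootfs before this point; if that ordering is not guaranteed the `cp` fails or, without `set -e`, is silently skipped and systemd later has no ExecStart binary. Because this file is executed by systemd, it is also worth pinning its mode rather than inheriting whatever the source tree has: `sudo install -D -m 0755 ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/ntp-systemd-wrapper`. The same applies to the `/etc/init.d/ntpsec` copy above it.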


@ -374,9 +374,10 @@ sudo cp $IMAGE_CONFIGS/ntp/ntp-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_S
echo "ntp-config.service" | sudo tee -a $GENERATED_SERVICE_FILE echo "ntp-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
sudo cp $IMAGE_CONFIGS/ntp/ntp-config.sh $FILESYSTEM_ROOT/usr/bin/ sudo cp $IMAGE_CONFIGS/ntp/ntp-config.sh $FILESYSTEM_ROOT/usr/bin/
sudo cp $IMAGE_CONFIGS/ntp/ntp.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ sudo cp $IMAGE_CONFIGS/ntp/ntp.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/ sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
sudo cp $IMAGE_CONFIGS/ntp/ntp.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d
echo "ntp.service" | sudo tee -a $GENERATED_SERVICE_FILE sudo cp $IMAGE_CONFIGS/ntp/sonic-target.conf $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d/
echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
# Copy DNS templates # Copy DNS templates
sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
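Review bot: `sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d` has no `-p`, so it aborts the build (or, without `set -e`, leaves a misleading error) if the directory already exists, e.g. on a rebuilt rootfs or if the ntpsec package ever ships its own drop-in there; use `sudo mkdir -p $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d`. Note also that the wrapper is now copied into `/usr/libexec/ntpsec/` both here and in the build_debian.sh hunk; if both paths are hit in one build the second copy is redundant, so one of them could be dropped.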


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
ntp_default_file='/etc/default/ntp' ntp_default_file='/etc/default/ntpsec'
ntp_temp_file='/tmp/ntp.orig' ntp_temp_file='/tmp/ntp.orig'
reboot_type='cold' reboot_type='cold'
@ -23,10 +23,10 @@ function modify_ntp_default
sed -e "$1" ${ntp_temp_file} >${ntp_default_file} sed -e "$1" ${ntp_temp_file} >${ntp_default_file}
} }
sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntp.conf sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntpsec/ntp.conf
get_database_reboot_type get_database_reboot_type
echo "Disabling NTP long jump for reboot type ${reboot_type} ..." echo "Disabling NTP long jump for reboot type ${reboot_type} ..."
modify_ntp_default "s/NTPD_OPTS='-g'/NTPD_OPTS='-x'/" modify_ntp_default "s/NTPD_OPTS=\"-g -N\"/NTPD_OPTS=\"-x -N\"/"
systemctl --no-block restart ntp systemctl --no-block restart ntp
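Review bot: The final `systemctl --no-block restart ntp` still names the old unit, while this commit deletes `ntp.service` and registers `ntpsec.service` in the generated service list; change it to `systemctl --no-block restart ntpsec`. Debian's ntpsec unit does declare an `Alias=ntp.service`, but alias symlinks only exist once the unit has been enabled, so relying on it is fragile when units are managed by the SONiC generator. The `modify_ntp_default` function whose body this hunk edits starts outside the hunk, so the new `-x -N` substitution could not be checked against the rest of it here.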


@ -4,29 +4,28 @@
# This is now manually modified for supporting NTP in management VRF. # This is now manually modified for supporting NTP in management VRF.
# When management VRF is enabled, the NTP application should be started using "ip vrf exec mgmt". # When management VRF is enabled, the NTP application should be started using "ip vrf exec mgmt".
# Check has been added to verify the management VRF enabled status and use "ip vrf exec mgmt" when it is enabled. # Check has been added to verify the management VRF enabled status and use "ip vrf exec mgmt" when it is enabled.
# This file will be copied to /usr/lib/ntp/ntp-systemd-wrapper file that gets created during build process. # This file will be copied to /usr/libexec/ntpsec/ntp-systemd-wrapper file that gets created during build process.
DAEMON=/usr/sbin/ntpd DAEMON=/usr/sbin/ntpd
PIDFILE=/var/run/ntpd.pid PIDFILE=/run/ntpd.pid
LOCKFILE=/run/lock/ntpsec-ntpdate
if [ -r /etc/default/ntp ]; then if [ -r /etc/default/ntpsec ]; then
. /etc/default/ntp . /etc/default/ntpsec
fi fi
if [ -e /run/ntp.conf.dhcp ]; then if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then
NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp" NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp"
else
# List the default -c first, so if the admin has specified -c in
# NTPD_OPTS, it is honored.
NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS"
fi fi
LOCKFILE=/run/lock/ntpdate NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"
RUNASUSER=ntp
UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true
if test "$(uname -s)" = "Linux"; then
NTPD_OPTS="$NTPD_OPTS -u $UGID"
fi
# Protect the service startup against concurrent ntpdate ifup hooks
( (
flock -w 180 9 if flock -w 180 9; then
# when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise # when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null) vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null) vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
@ -34,15 +33,18 @@ fi
then then
if [ "$vrfConfigured" = "default" ] if [ "$vrfConfigured" = "default" ]
then then
log_daemon_msg "Starting NTP server in default-vrf for default set as NTP vrf" "ntpd" echo "Starting NTP server in default-vrf for default set as NTP vrf"
start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS exec $DAEMON -p $PIDFILE $NTPD_OPTS
else else
log_daemon_msg "Starting NTP server in mgmt-vrf" "ntpd" echo "Starting NTP server in mgmt-vrf"
ip vrf exec mgmt start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS exec ip vrf exec mgmt $DAEMON -p $PIDFILE $NTPD_OPTS
fi fi
else else
log_daemon_msg "Starting NTP server in default-vrf" "ntpd" echo "Starting NTP server in default-vrf"
start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS exec $DAEMON -p $PIDFILE $NTPD_OPTS
fi
else
echo "Timeout waiting for $LOCKFILE"
exit 1
fi fi
) 9>$LOCKFILE ) 9>$LOCKFILE
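Review bot: The new branch starting at `if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]` makes a DHCP-derived file the only `-c` config, so the upstream list that ntp-config.sh renders from CONFIG_DB into `/etc/ntpsec/ntp.conf` can be superseded by whatever server a DHCP server on the management network advertises, assuming the ntpsec dhclient exit hook that writes that file is present on the image. If DHCP-supplied time sources are not meant to be trusted on a switch, set `IGNORE_DHCP=yes` in `/etc/default/ntpsec` (ntp-config.sh already edits that file) or remove the DHCP branch from this SONiC-owned wrapper; otherwise a comment recording that DHCP override is intentional would help the next reader. The appended `-u ntpsec:ntpsec` is applied in all three `exec` paths, which is correct.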


@ -3,43 +3,44 @@
# file: ansible/roles/acs/templates/ntp.conf.j2 # file: ansible/roles/acs/templates/ntp.conf.j2
############################################################################### ###############################################################################
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# To avoid ntpd from panic and exit if the drift between new time and # To avoid ntpd from panic and exit if the drift between new time and
# current system time is large. # current system time is large.
tinker panic 0 tinker panic 0
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# Enable this if you want statistics to be logged. # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpstats/ #statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
statistics loopstats peerstats clockstats # Specify one or more NTP servers.
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Public NTP servers supporting Network Time Security:
# You do need to talk to an NTP server or two (or three). # server time.cloudflare.com nts
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
{% for ntp_server in NTP_SERVER %} {% for ntp_server in NTP_SERVER %}
server {{ ntp_server }} iburst server {{ ntp_server }} iburst
{% endfor %} {% endfor %}
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
#listen on source interface if configured, else #listen on source interface if configured, else
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
# if we don't have both of them (default is to listen on all ip addresses) # if we don't have both of them (default is to listen on all ip addresses)
interface ignore wildcard interface ignore wildcard
# set global variable for configured source interface name
# set global boolean to indicate if the ip of the configured source interface is configured
# if the source interface is configured but no ip on that interface, then listen on another
# interface based on existing logic
{%- macro check_ip_on_interface(interface_name, table_name) %} {%- macro check_ip_on_interface(interface_name, table_name) %}
{%- set ns = namespace(valid_intf = 'false') %} {%- set ns = namespace(valid_intf = 'false') %}
{%- if table_name %} {%- if table_name %}
@ -53,22 +54,22 @@ interface ignore wildcard
{%- endmacro %} {%- endmacro %}
{% set ns = namespace(source_intf = "") %} {% set ns = namespace(source_intf = "") %}
{% set ns = namespace(source_intf_ip = 'false') %} {%- set ns = namespace(source_intf_ip = 'false') %}
{% if (NTP) and (NTP['global']['src_intf']) %} {%- if (NTP) and (NTP['global']['src_intf']) %}
{% set ns.source_intf = (NTP['global']['src_intf']) %} {%- set ns.source_intf = (NTP['global']['src_intf']) %}
{% if ns.source_intf != "" %} {%- if ns.source_intf != "" %}
{% if ns.source_intf == "eth0" %} {%- if ns.source_intf == "eth0" %}
{% set ns.source_intf_ip = 'true' %} {%- set ns.source_intf_ip = 'true' %}
{% elif ns.source_intf.startswith('Vlan') %} {%- elif ns.source_intf.startswith('Vlan') %}
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %} {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
{% elif ns.source_intf.startswith('Ethernet') %} {%- elif ns.source_intf.startswith('Ethernet') %}
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %} {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
{% elif ns.source_intf.startswith('PortChannel') %} {%- elif ns.source_intf.startswith('PortChannel') %}
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %} {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
{% elif ns.source_intf.startswith('Loopback') %} {%- elif ns.source_intf.startswith('Loopback') %}
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %} {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
{% endif %} {%- endif %}
{% endif %} {%- endif %}
{% endif %} {% endif %}
{% if ns.source_intf_ip == 'true' %} {% if ns.source_intf_ip == 'true' %}
@ -90,32 +91,17 @@ interface listen eth0
{% endif %} {% endif %}
interface listen 127.0.0.1 interface listen 127.0.0.1
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> # for details.
# might also be helpful.
# #
# Note that "restrict" applies to both servers and clients, so a configuration # Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end # that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers. # up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration. # By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery # NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
restrict -6 default kod notrap nomodify nopeer noquery restrict default kod nomodify noquery limited
# Local users may interrogate the ntp server more closely. # Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 restrict 127.0.0.1
restrict ::1 restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
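Review bot: The comment above `restrict default kod nomodify noquery limited` explains why `nopeer` was dropped but not why `notrap` was, even though both disappear relative to the old `restrict -4/-6` lines; add `# notrap was also dropped: NTPsec does not implement the mode 6 trap facility it controlled` (confirm against the ntp.conf(5) shipped with the image's ntpsec). Separately, every upstream is still rendered as `server {{ ntp_server }} iburst` with no `nts` or `key` option while the new boilerplate only mentions NTS in comments; if CONFIG_DB carries per-server authentication this loop is where to template it, and if not, a one-line comment stating that upstreams are deliberately unauthenticated makes that a recorded decision rather than an omission.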


@ -1,18 +0,0 @@
[Unit]
Description=Network Time Service
Documentation=man:ntpd(8)
After=network.target
Conflicts=systemd-timesyncd.service
BindsTo=sonic.target
After=sonic.target
StartLimitIntervalSec=0
[Service]
Type=forking
# Debian uses a shell wrapper to process /etc/default/ntp
# and select DHCP-provided NTP servers if available
ExecStart=/usr/lib/ntp/ntp-systemd-wrapper
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -4,15 +4,20 @@
# This is now manually modified for supporting NTP in management VRF. # This is now manually modified for supporting NTP in management VRF.
# When management VRF is enabled, the NTP application should be started using "cgexec -g l3mdev:mgmt". # When management VRF is enabled, the NTP application should be started using "cgexec -g l3mdev:mgmt".
# Check has been added to verify the management VRF enabled status and use cgexec when it is enabled. # Check has been added to verify the management VRF enabled status and use cgexec when it is enabled.
# This file will be copied on top of the etc/init.d/ntp file that gets created during build process. # This file will be copied on top of the etc/init.d/ntpsec file that gets created during build process.
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: ntp # Provides: ntpsec
# Required-Start: $network $remote_fs $syslog # Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog # Required-Stop: $network $remote_fs $syslog
# Default-Start: 2 3 4 5 # Default-Start: 2 3 4 5
# Default-Stop: # Default-Stop:
# Short-Description: Start NTP daemon # Short-Description: Start NTP daemon
# Description: NTP, the Network Time Protocol, is used to keep computer
# clocks accurate by synchronizing them over the Internet or
# a local network, or by following an accurate hardware
# receiver that interprets GPS, DCF-77, or similar time
# signals.
### END INIT INFO ### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin PATH=/sbin:/bin:/usr/sbin:/usr/bin
@ -20,34 +25,29 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
. /lib/lsb/init-functions . /lib/lsb/init-functions
DAEMON=/usr/sbin/ntpd DAEMON=/usr/sbin/ntpd
PIDFILE=/var/run/ntpd.pid PIDFILE=/run/ntpd.pid
test -x $DAEMON || exit 5 test -x $DAEMON || exit 5
if [ -r /etc/default/ntp ]; then if [ -r /etc/default/ntpsec ]; then
. /etc/default/ntp . /etc/default/ntpsec
fi fi
if [ -e /run/ntp.conf.dhcp ]; then if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then
NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp" NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp"
else
# List the default -c first, so if the admin has specified -c in
# NTPD_OPTS, it is honored.
NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS"
fi fi
NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"
LOCKFILE=/run/lock/ntpdate LOCKFILE=/run/lock/ntpsec-ntpdate
RUNASUSER=ntp
UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true
if test "$(uname -s)" = "Linux"; then
NTPD_OPTS="$NTPD_OPTS -u $UGID"
fi
case $1 in case $1 in
start) start)
log_daemon_msg "Starting NTP server" "ntpd" log_daemon_msg "Starting NTP server" "ntpd"
if [ -z "$UGID" ]; then
log_failure_msg "user \"$RUNASUSER\" does not exist"
exit 1
fi
( (
flock -w 180 9 flock -w 180 9
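Review bot: `flock -w 180 9` in the `start)` branch is still unchecked, so after a 180 s timeout the script proceeds to start ntpd anyway, whereas the ntp-systemd-wrapper in this same commit was changed to `if flock -w 180 9; then ... else echo "Timeout waiting for $LOCKFILE"; exit 1; fi`. Make the init script consistent: `flock -w 180 9 || { log_failure_msg "Timeout waiting for $LOCKFILE"; exit 1; }`. The `start)` body continues past the end of this hunk, so the start-stop-daemon invocation that consumes the new `-u ntpsec:ntpsec` option could not be reviewed here.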


@ -0,0 +1,3 @@
[Unit]
BindsTo=sonic.target
After=sonic.target
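Review bot: This drop-in restores only `BindsTo=sonic.target` and `After=sonic.target` from the deleted `ntp.service`; that unit also carried `Conflicts=systemd-timesyncd.service` and `PrivateTmp=true`, which are now relied upon from Debian's stock `ntpsec.service`. Verify that the bookworm unit provides both (I believe it does, but it is not visible here), and if either is missing add it to this file so timesyncd cannot run alongside ntpd and the daemon keeps a private /tmp. A header comment such as `# SONiC: tie ntpsec.service to sonic.target; all other settings come from the Debian unit` would document the intent.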


@ -1337,7 +1337,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
$(SONIC_DEVICE_DATA) \ $(SONIC_DEVICE_DATA) \
$(IFUPDOWN2) \ $(IFUPDOWN2) \
$(KDUMP_TOOLS) \ $(KDUMP_TOOLS) \
$(NTP) \
$(LIBPAM_RADIUS) \ $(LIBPAM_RADIUS) \
$(LIBNSS_RADIUS) \ $(LIBNSS_RADIUS) \
$(LIBPAM_TACPLUS) \ $(LIBPAM_TACPLUS) \


@ -3,70 +3,56 @@
# file: ansible/roles/acs/templates/ntp.conf.j2 # file: ansible/roles/acs/templates/ntp.conf.j2
############################################################################### ###############################################################################
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# To avoid ntpd from panic and exit if the drift between new time and # To avoid ntpd from panic and exit if the drift between new time and
# current system time is large. # current system time is large.
tinker panic 0 tinker panic 0
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# Enable this if you want statistics to be logged. # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpstats/ #statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
statistics loopstats peerstats clockstats # Specify one or more NTP servers.
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Public NTP servers supporting Network Time Security:
# You do need to talk to an NTP server or two (or three). # server time.cloudflare.com nts
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the # pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html> # pool: <https://www.pool.ntp.org/join.html>
#listen on source interface if configured, else #listen on source interface if configured, else
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
# if we don't have both of them (default is to listen on all ip addresses) # if we don't have both of them (default is to listen on all ip addresses)
interface ignore wildcard interface ignore wildcard
# set global variable for configured source interface name
# set global boolean to indicate if the ip of the configured source interface is configured
# if the source interface is configured but no ip on that interface, then listen on another
# interface based on existing logic
interface listen Ethernet0 interface listen Ethernet0
interface listen 127.0.0.1 interface listen 127.0.0.1
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> # for details.
# might also be helpful.
# #
# Note that "restrict" applies to both servers and clients, so a configuration # Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end # that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers. # up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration. # By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery # NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
restrict -6 default kod notrap nomodify nopeer noquery restrict default kod nomodify noquery limited
# Local users may interrogate the ntp server more closely. # Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 restrict 127.0.0.1
restrict ::1 restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient


@ -3,70 +3,56 @@
# file: ansible/roles/acs/templates/ntp.conf.j2 # file: ansible/roles/acs/templates/ntp.conf.j2
############################################################################### ###############################################################################
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# To avoid ntpd from panic and exit if the drift between new time and # To avoid ntpd from panic and exit if the drift between new time and
# current system time is large. # current system time is large.
tinker panic 0 tinker panic 0
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# Enable this if you want statistics to be logged. # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpstats/ #statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
statistics loopstats peerstats clockstats # Specify one or more NTP servers.
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Public NTP servers supporting Network Time Security:
# You do need to talk to an NTP server or two (or three). # server time.cloudflare.com nts
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the # pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html> # pool: <https://www.pool.ntp.org/join.html>
#listen on source interface if configured, else #listen on source interface if configured, else
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
# if we don't have both of them (default is to listen on all ip addresses) # if we don't have both of them (default is to listen on all ip addresses)
interface ignore wildcard interface ignore wildcard
# set global variable for configured source interface name
# set global boolean to indicate if the ip of the configured source interface is configured
# if the source interface is configured but no ip on that interface, then listen on another
# interface based on existing logic
interface listen Ethernet0 interface listen Ethernet0
interface listen 127.0.0.1 interface listen 127.0.0.1
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> # for details.
# might also be helpful.
# #
# Note that "restrict" applies to both servers and clients, so a configuration # Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end # that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers. # up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration. # By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery # NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
restrict -6 default kod notrap nomodify nopeer noquery restrict default kod nomodify noquery limited
# Local users may interrogate the ntp server more closely. # Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 restrict 127.0.0.1
restrict ::1 restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient