Migrate from ntp to ntpsec
Debian Bookworm no longer uses NTP and instead uses NTPsec. Modify our files to update or replace the NTPsec files instead. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
This commit is contained in:
parent
8517411792
commit
b401c909aa
@ -574,13 +574,12 @@ sudo cp files/dhcp/sethostname6 $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
|
||||
sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
|
||||
sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
|
||||
sudo cp files/dhcp/vrf $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
|
||||
if [ -f files/image_config/ntp/ntp ]; then
|
||||
sudo cp ./files/image_config/ntp/ntp $FILESYSTEM_ROOT/etc/init.d/
|
||||
if [ -f files/image_config/ntp/ntpsec ]; then
|
||||
sudo cp ./files/image_config/ntp/ntpsec $FILESYSTEM_ROOT/etc/init.d/
|
||||
fi
|
||||
|
||||
if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then
|
||||
sudo mkdir -p $FILESYSTEM_ROOT/usr/lib/ntp/
|
||||
sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
|
||||
sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
|
||||
fi
|
||||
|
||||
## Version file part 1
|
||||
|
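Review bot: The copy of `ntp-systemd-wrapper` into `$FILESYSTEM_ROOT/usr/libexec/ntpsec/` has no `mkdir -p` for its destination, whereas the `/usr/lib/ntp/` path it replaces was created one line earlier with `sudo mkdir -p`. If the ntpsec package is already unpacked into the rootfs at this point the directory exists; if not, `cp` fails on the missing directory, so restoring `sudo mkdir -p $FILESYSTEM_ROOT/usr/libexec/ntpsec/` before the copy keeps the step order-independent. The same copy without a `mkdir -p` appears again in the sonic_debian_extension.j2 hunk below.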
@ -374,9 +374,10 @@ sudo cp $IMAGE_CONFIGS/ntp/ntp-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_S
|
||||
echo "ntp-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
|
||||
sudo cp $IMAGE_CONFIGS/ntp/ntp-config.sh $FILESYSTEM_ROOT/usr/bin/
|
||||
sudo cp $IMAGE_CONFIGS/ntp/ntp.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
|
||||
sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
|
||||
sudo cp $IMAGE_CONFIGS/ntp/ntp.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
|
||||
echo "ntp.service" | sudo tee -a $GENERATED_SERVICE_FILE
|
||||
sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
|
||||
sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d
|
||||
sudo cp $IMAGE_CONFIGS/ntp/sonic-target.conf $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d/
|
||||
echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
|
||||
|
||||
# Copy DNS templates
|
||||
sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
|
||||
|
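Review bot: `sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d` is run without `-p`, so it aborts the template whenever that drop-in directory already exists, for example when the package ships its own drop-in or the step is re-run on a partially built rootfs. `sudo mkdir -p $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d` is the safe form and matches the `mkdir -p` used elsewhere in these build scripts.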
@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
ntp_default_file='/etc/default/ntp'
|
||||
ntp_default_file='/etc/default/ntpsec'
|
||||
ntp_temp_file='/tmp/ntp.orig'
|
||||
|
||||
reboot_type='cold'
|
||||
@ -23,10 +23,10 @@ function modify_ntp_default
|
||||
sed -e "$1" ${ntp_temp_file} >${ntp_default_file}
|
||||
}
|
||||
|
||||
sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntp.conf
|
||||
sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntpsec/ntp.conf
|
||||
|
||||
get_database_reboot_type
|
||||
echo "Disabling NTP long jump for reboot type ${reboot_type} ..."
|
||||
modify_ntp_default "s/NTPD_OPTS='-g'/NTPD_OPTS='-x'/"
|
||||
modify_ntp_default "s/NTPD_OPTS=\"-g -N\"/NTPD_OPTS=\"-x -N\"/"
|
||||
|
||||
systemctl --no-block restart ntp
|
||||
|
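Review bot: `systemctl --no-block restart ntp` on the last line of the hunk still names the `ntp` unit although the image now installs and enables `ntpsec.service`; that only resolves if an `Alias=ntp.service` link for the unit happens to exist, so name the unit directly: `systemctl --no-block restart ntpsec`. The new `modify_ntp_default` call also depends on `/etc/default/ntpsec` containing exactly `NTPD_OPTS="-g -N"`; if the packaged default file spells the options differently the `sed` silently changes nothing, so a post-check such as `grep -q -- '-x' "${ntp_default_file}" || echo "warning: NTPD_OPTS not updated in ${ntp_default_file}" >&2` would make that visible. `modify_ntp_default` begins outside the hunk.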
@ -4,45 +4,47 @@
|
||||
# This is now manually modified for supporting NTP in management VRF.
|
||||
# When management VRF is enabled, the NTP application should be started using "ip vrf exec mgmt".
|
||||
# Check has been added to verify the management VRF enabled status and use "ip vrf exec mgmt" when it is enabled.
|
||||
# This file will be copied to /usr/lib/ntp/ntp-systemd-wrapper file that gets created during build process.
|
||||
|
||||
# This file will be copied to /usr/libexec/ntpsec/ntp-systemd-wrapper file that gets created during build process.
|
||||
DAEMON=/usr/sbin/ntpd
|
||||
PIDFILE=/var/run/ntpd.pid
|
||||
PIDFILE=/run/ntpd.pid
|
||||
LOCKFILE=/run/lock/ntpsec-ntpdate
|
||||
|
||||
if [ -r /etc/default/ntp ]; then
|
||||
. /etc/default/ntp
|
||||
if [ -r /etc/default/ntpsec ]; then
|
||||
. /etc/default/ntpsec
|
||||
fi
|
||||
|
||||
if [ -e /run/ntp.conf.dhcp ]; then
|
||||
NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp"
|
||||
if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then
|
||||
NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp"
|
||||
else
|
||||
# List the default -c first, so if the admin has specified -c in
|
||||
# NTPD_OPTS, it is honored.
|
||||
NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS"
|
||||
fi
|
||||
|
||||
LOCKFILE=/run/lock/ntpdate
|
||||
|
||||
RUNASUSER=ntp
|
||||
UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true
|
||||
if test "$(uname -s)" = "Linux"; then
|
||||
NTPD_OPTS="$NTPD_OPTS -u $UGID"
|
||||
fi
|
||||
NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"
|
||||
|
||||
# Protect the service startup against concurrent ntpdate ifup hooks
|
||||
(
|
||||
flock -w 180 9
|
||||
# when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
|
||||
vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
|
||||
vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
|
||||
if [ "$vrfEnabled" = "true" ]
|
||||
then
|
||||
if [ "$vrfConfigured" = "default" ]
|
||||
if flock -w 180 9; then
|
||||
# when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
|
||||
vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
|
||||
vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
|
||||
if [ "$vrfEnabled" = "true" ]
|
||||
then
|
||||
log_daemon_msg "Starting NTP server in default-vrf for default set as NTP vrf" "ntpd"
|
||||
start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
|
||||
if [ "$vrfConfigured" = "default" ]
|
||||
then
|
||||
echo "Starting NTP server in default-vrf for default set as NTP vrf"
|
||||
exec $DAEMON -p $PIDFILE $NTPD_OPTS
|
||||
else
|
||||
echo "Starting NTP server in mgmt-vrf"
|
||||
exec ip vrf exec mgmt $DAEMON -p $PIDFILE $NTPD_OPTS
|
||||
fi
|
||||
else
|
||||
log_daemon_msg "Starting NTP server in mgmt-vrf" "ntpd"
|
||||
ip vrf exec mgmt start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
|
||||
echo "Starting NTP server in default-vrf"
|
||||
exec $DAEMON -p $PIDFILE $NTPD_OPTS
|
||||
fi
|
||||
else
|
||||
log_daemon_msg "Starting NTP server in default-vrf" "ntpd"
|
||||
start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
|
||||
echo "Timeout waiting for $LOCKFILE"
|
||||
exit 1
|
||||
fi
|
||||
) 9>$LOCKFILE
|
||||
|
||||
|
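Review bot: The new start block runs the identical `exec $DAEMON -p $PIDFILE $NTPD_OPTS` in two branches (the "default set as NTP vrf" case and the plain default-vrf case), differing only in the message, so the nested `if` can be flattened to a single mgmt-vrf guard followed by one exec, as in the excerpt below (the longer default-vrf message folds into the plain one). Separately, because ntpd is started with `exec` inside the `( … ) 9>$LOCKFILE` subshell, descriptor 9 and its `flock` are presumably inherited by ntpd for its whole lifetime unless ntpd closes inherited descriptors on startup; worth confirming, since a later `flock -w 180` on `/run/lock/ntpsec-ntpdate` would otherwise wait out the full timeout. The subshell is closed at the end of the hunk.
```sh
    if flock -w 180 9; then
        # when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
        vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
        vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
        if [ "$vrfEnabled" = "true" ] && [ "$vrfConfigured" != "default" ]; then
            echo "Starting NTP server in mgmt-vrf"
            exec ip vrf exec mgmt $DAEMON -p $PIDFILE $NTPD_OPTS
        fi
        echo "Starting NTP server in default-vrf"
        exec $DAEMON -p $PIDFILE $NTPD_OPTS
    else
        # … unchanged: timeout message and exit 1 …
```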
@ -3,43 +3,44 @@
|
||||
# file: ansible/roles/acs/templates/ntp.conf.j2
|
||||
###############################################################################
|
||||
|
||||
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
||||
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
||||
|
||||
# To avoid ntpd from panic and exit if the drift between new time and
|
||||
# current system time is large.
|
||||
tinker panic 0
|
||||
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
driftfile /var/lib/ntpsec/ntp.drift
|
||||
leapfile /usr/share/zoneinfo/leap-seconds.list
|
||||
|
||||
# To enable Network Time Security support as a server, obtain a certificate
|
||||
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
|
||||
# nts cert CERT_FILE
|
||||
# nts key KEY_FILE
|
||||
# nts enable
|
||||
|
||||
# Enable this if you want statistics to be logged.
|
||||
#statsdir /var/log/ntpstats/
|
||||
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
|
||||
#statsdir /var/log/ntpsec/
|
||||
#statistics loopstats peerstats clockstats
|
||||
#filegen loopstats file loopstats type day enable
|
||||
#filegen peerstats file peerstats type day enable
|
||||
#filegen clockstats file clockstats type day enable
|
||||
|
||||
statistics loopstats peerstats clockstats
|
||||
filegen loopstats file loopstats type day enable
|
||||
filegen peerstats file peerstats type day enable
|
||||
filegen clockstats file clockstats type day enable
|
||||
# Specify one or more NTP servers.
|
||||
|
||||
|
||||
# You do need to talk to an NTP server or two (or three).
|
||||
#server ntp.your-provider.example
|
||||
|
||||
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
|
||||
# pick a different set every time it starts up. Please consider joining the
|
||||
# pool: <http://www.pool.ntp.org/join.html>
|
||||
# Public NTP servers supporting Network Time Security:
|
||||
# server time.cloudflare.com nts
|
||||
{% for ntp_server in NTP_SERVER %}
|
||||
server {{ ntp_server }} iburst
|
||||
{% endfor %}
|
||||
|
||||
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
|
||||
# pick a different set every time it starts up. Please consider joining the
|
||||
# pool: <https://www.pool.ntp.org/join.html>
|
||||
|
||||
#listen on source interface if configured, else
|
||||
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
|
||||
# if we don't have both of them (default is to listen on all ip addresses)
|
||||
interface ignore wildcard
|
||||
|
||||
# set global variable for configured source interface name
|
||||
# set global boolean to indicate if the ip of the configured source interface is configured
|
||||
# if the source interface is configured but no ip on that interface, then listen on another
|
||||
# interface based on existing logic
|
||||
{%- macro check_ip_on_interface(interface_name, table_name) %}
|
||||
{%- set ns = namespace(valid_intf = 'false') %}
|
||||
{%- if table_name %}
|
||||
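Review bot: The `statistics loopstats peerstats clockstats` and three `filegen` lines appear to move from active to commented out in this hunk (the hunk counts and print order suggest the active lines are the removed side), so the image would stop writing peer and loop statistics that are useful when auditing which time sources a switch actually followed. If that is intended, say so in the commit message; otherwise keep them active together with `statsdir /var/log/ntpsec/` and create the directory the new comment calls for, owned by ntpsec:ntpsec. The added `leapfile /usr/share/zoneinfo/leap-seconds.list` ties leap handling to the tzdata package being present in the image, which is fine if that package is always installed. The `check_ip_on_interface` macro continues past the hunk.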
@ -53,22 +54,22 @@ interface ignore wildcard
|
||||
{%- endmacro %}
|
||||
|
||||
{% set ns = namespace(source_intf = "") %}
|
||||
{% set ns = namespace(source_intf_ip = 'false') %}
|
||||
{% if (NTP) and (NTP['global']['src_intf']) %}
|
||||
{% set ns.source_intf = (NTP['global']['src_intf']) %}
|
||||
{% if ns.source_intf != "" %}
|
||||
{% if ns.source_intf == "eth0" %}
|
||||
{% set ns.source_intf_ip = 'true' %}
|
||||
{% elif ns.source_intf.startswith('Vlan') %}
|
||||
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
|
||||
{% elif ns.source_intf.startswith('Ethernet') %}
|
||||
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
|
||||
{% elif ns.source_intf.startswith('PortChannel') %}
|
||||
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
|
||||
{% elif ns.source_intf.startswith('Loopback') %}
|
||||
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{%- set ns = namespace(source_intf_ip = 'false') %}
|
||||
{%- if (NTP) and (NTP['global']['src_intf']) %}
|
||||
{%- set ns.source_intf = (NTP['global']['src_intf']) %}
|
||||
{%- if ns.source_intf != "" %}
|
||||
{%- if ns.source_intf == "eth0" %}
|
||||
{%- set ns.source_intf_ip = 'true' %}
|
||||
{%- elif ns.source_intf.startswith('Vlan') %}
|
||||
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
|
||||
{%- elif ns.source_intf.startswith('Ethernet') %}
|
||||
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
|
||||
{%- elif ns.source_intf.startswith('PortChannel') %}
|
||||
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
|
||||
{%- elif ns.source_intf.startswith('Loopback') %}
|
||||
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
|
||||
{%- endif %}
|
||||
{%- endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if ns.source_intf_ip == 'true' %}
|
||||
@ -90,32 +91,17 @@ interface listen eth0
|
||||
{% endif %}
|
||||
interface listen 127.0.0.1
|
||||
|
||||
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
|
||||
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
|
||||
# might also be helpful.
|
||||
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
|
||||
# for details.
|
||||
#
|
||||
# Note that "restrict" applies to both servers and clients, so a configuration
|
||||
# that might be intended to block requests from certain clients could also end
|
||||
# up blocking replies from your own upstream servers.
|
||||
|
||||
# By default, exchange time with everybody, but don't allow configuration.
|
||||
restrict -4 default kod notrap nomodify nopeer noquery
|
||||
restrict -6 default kod notrap nomodify nopeer noquery
|
||||
# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
|
||||
restrict default kod nomodify noquery limited
|
||||
|
||||
# Local users may interrogate the ntp server more closely.
|
||||
restrict 127.0.0.1
|
||||
restrict ::1
|
||||
|
||||
# Clients from this (example!) subnet have unlimited access, but only if
|
||||
# cryptographically authenticated.
|
||||
#restrict 192.168.123.0 mask 255.255.255.0 notrust
|
||||
|
||||
|
||||
# If you want to provide time to your local subnet, change the next line.
|
||||
# (Again, the address is an example only.)
|
||||
#broadcast 192.168.123.255
|
||||
|
||||
# If you want to listen to time broadcasts on your local subnet, de-comment the
|
||||
# next lines. Please do this only if you trust everybody on the network!
|
||||
#disable auth
|
||||
#broadcastclient
|
||||
|
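Review bot: The new `restrict default kod nomodify noquery limited` line drops `notrap` as well as `nopeer`, but the comment above it explains only `nopeer`; if `notrap` is likewise a no-op in NTPsec, extend the comment to say so, e.g. `# NTPsec has neither peer associations nor the mode-6 trap service, so nopeer and notrap are omitted`. `limited` is also new: together with `kod` it makes ntpd send kiss-o'-death replies to clients that exceed the default `discard` rate, which is a behaviour change for clients that poll aggressively and deserves a one-line comment of its own.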
@ -1,18 +0,0 @@
|
||||
[Unit]
|
||||
Description=Network Time Service
|
||||
Documentation=man:ntpd(8)
|
||||
After=network.target
|
||||
Conflicts=systemd-timesyncd.service
|
||||
BindsTo=sonic.target
|
||||
After=sonic.target
|
||||
StartLimitIntervalSec=0
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
# Debian uses a shell wrapper to process /etc/default/ntp
|
||||
# and select DHCP-provided NTP servers if available
|
||||
ExecStart=/usr/lib/ntp/ntp-systemd-wrapper
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -4,15 +4,20 @@
|
||||
# This is now manually modified for supporting NTP in management VRF.
|
||||
# When management VRF is enabled, the NTP application should be started using "cgexec -g l3mdev:mgmt".
|
||||
# Check has been added to verify the management VRF enabled status and use cgexec when it is enabled.
|
||||
# This file will be copied on top of the etc/init.d/ntp file that gets created during build process.
|
||||
# This file will be copied on top of the etc/init.d/ntpsec file that gets created during build process.
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: ntp
|
||||
# Provides: ntpsec
|
||||
# Required-Start: $network $remote_fs $syslog
|
||||
# Required-Stop: $network $remote_fs $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop:
|
||||
# Default-Stop:
|
||||
# Short-Description: Start NTP daemon
|
||||
# Description: NTP, the Network Time Protocol, is used to keep computer
|
||||
# clocks accurate by synchronizing them over the Internet or
|
||||
# a local network, or by following an accurate hardware
|
||||
# receiver that interprets GPS, DCF-77, or similar time
|
||||
# signals.
|
||||
### END INIT INFO
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
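Review bot: The header lines `# When management VRF is enabled, the NTP application should be started using "cgexec -g l3mdev:mgmt".` and `# Check has been added to verify the management VRF enabled status and use cgexec when it is enabled.` are kept as they were, while the companion ntp-systemd-wrapper in this commit describes and uses `ip vrf exec mgmt`. If this init script's start branch (outside the hunk) also uses `ip vrf exec`, update the two lines to match, e.g. `# ... should be started using "ip vrf exec mgmt".`, so the LSB header does not describe a mechanism the script no longer uses.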
@ -20,34 +25,29 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
DAEMON=/usr/sbin/ntpd
|
||||
PIDFILE=/var/run/ntpd.pid
|
||||
PIDFILE=/run/ntpd.pid
|
||||
|
||||
test -x $DAEMON || exit 5
|
||||
|
||||
if [ -r /etc/default/ntp ]; then
|
||||
. /etc/default/ntp
|
||||
if [ -r /etc/default/ntpsec ]; then
|
||||
. /etc/default/ntpsec
|
||||
fi
|
||||
|
||||
if [ -e /run/ntp.conf.dhcp ]; then
|
||||
NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp"
|
||||
if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then
|
||||
NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp"
|
||||
else
|
||||
# List the default -c first, so if the admin has specified -c in
|
||||
# NTPD_OPTS, it is honored.
|
||||
NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS"
|
||||
fi
|
||||
|
||||
NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"
|
||||
|
||||
LOCKFILE=/run/lock/ntpdate
|
||||
|
||||
RUNASUSER=ntp
|
||||
UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true
|
||||
if test "$(uname -s)" = "Linux"; then
|
||||
NTPD_OPTS="$NTPD_OPTS -u $UGID"
|
||||
fi
|
||||
LOCKFILE=/run/lock/ntpsec-ntpdate
|
||||
|
||||
case $1 in
|
||||
start)
|
||||
log_daemon_msg "Starting NTP server" "ntpd"
|
||||
if [ -z "$UGID" ]; then
|
||||
log_failure_msg "user \"$RUNASUSER\" does not exist"
|
||||
exit 1
|
||||
fi
|
||||
(
|
||||
flock -w 180 9
|
||||
|
||||
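Review bot: With `NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"` hard-coded, the script appears to drop the `UGID`/`RUNASUSER` guard in `start)` (the hunk counts suggest those lines are on the removed side), which gave a clear `log_failure_msg` when the account was missing; now ntpd is left to fail on its own. Keeping a cheap guard preserves that diagnostic: `getent passwd ntpsec >/dev/null || { log_failure_msg "user \"ntpsec\" does not exist"; exit 1; }` placed just after `log_daemon_msg "Starting NTP server" "ntpd"`. The `case` statement and the `start)` subshell continue beyond the hunk.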
@ -70,16 +70,16 @@ case $1 in
|
||||
fi
|
||||
) 9>$LOCKFILE
|
||||
log_end_msg $?
|
||||
;;
|
||||
;;
|
||||
stop)
|
||||
log_daemon_msg "Stopping NTP server" "ntpd"
|
||||
start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --retry=TERM/30/KILL/5 --exec $DAEMON
|
||||
log_end_msg $?
|
||||
rm -f $PIDFILE
|
||||
;;
|
||||
;;
|
||||
restart|force-reload)
|
||||
$0 stop && sleep 2 && $0 start
|
||||
;;
|
||||
;;
|
||||
try-restart)
|
||||
if $0 status >/dev/null; then
|
||||
$0 restart
|
3
files/image_config/ntp/sonic-target.conf
Normal file
3
files/image_config/ntp/sonic-target.conf
Normal file
@ -0,0 +1,3 @@
|
||||
[Unit]
|
||||
BindsTo=sonic.target
|
||||
After=sonic.target
|
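Review bot: The drop-in restores only the `BindsTo=sonic.target` and `After=sonic.target` lines from the deleted `ntp.service`, which also carried `StartLimitIntervalSec=0`, `Conflicts=systemd-timesyncd.service` and `PrivateTmp=true`. If the packaged `ntpsec.service` does not set `StartLimitIntervalSec=0`, the repeated restarts issued by ntp-config.sh during boot and reboot handling could trip systemd's start-rate limit, so consider adding `StartLimitIntervalSec=0` under `[Unit]` here; the other two settings are worth checking against the packaged unit before relying on them.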
1
slave.mk
1
slave.mk
@ -1332,7 +1332,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
||||
$(SONIC_DEVICE_DATA) \
|
||||
$(IFUPDOWN2) \
|
||||
$(KDUMP_TOOLS) \
|
||||
$(NTP) \
|
||||
$(LIBPAM_RADIUS) \
|
||||
$(LIBNSS_RADIUS) \
|
||||
$(LIBPAM_TACPLUS) \
|
||||
|
@ -3,70 +3,56 @@
|
||||
# file: ansible/roles/acs/templates/ntp.conf.j2
|
||||
###############################################################################
|
||||
|
||||
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
||||
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
||||
|
||||
# To avoid ntpd from panic and exit if the drift between new time and
|
||||
# current system time is large.
|
||||
tinker panic 0
|
||||
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
driftfile /var/lib/ntpsec/ntp.drift
|
||||
leapfile /usr/share/zoneinfo/leap-seconds.list
|
||||
|
||||
# To enable Network Time Security support as a server, obtain a certificate
|
||||
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
|
||||
# nts cert CERT_FILE
|
||||
# nts key KEY_FILE
|
||||
# nts enable
|
||||
|
||||
# Enable this if you want statistics to be logged.
|
||||
#statsdir /var/log/ntpstats/
|
||||
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
|
||||
#statsdir /var/log/ntpsec/
|
||||
#statistics loopstats peerstats clockstats
|
||||
#filegen loopstats file loopstats type day enable
|
||||
#filegen peerstats file peerstats type day enable
|
||||
#filegen clockstats file clockstats type day enable
|
||||
|
||||
statistics loopstats peerstats clockstats
|
||||
filegen loopstats file loopstats type day enable
|
||||
filegen peerstats file peerstats type day enable
|
||||
filegen clockstats file clockstats type day enable
|
||||
# Specify one or more NTP servers.
|
||||
|
||||
|
||||
# You do need to talk to an NTP server or two (or three).
|
||||
#server ntp.your-provider.example
|
||||
# Public NTP servers supporting Network Time Security:
|
||||
# server time.cloudflare.com nts
|
||||
|
||||
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
|
||||
# pick a different set every time it starts up. Please consider joining the
|
||||
# pool: <http://www.pool.ntp.org/join.html>
|
||||
# pool: <https://www.pool.ntp.org/join.html>
|
||||
|
||||
#listen on source interface if configured, else
|
||||
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
|
||||
# if we don't have both of them (default is to listen on all ip addresses)
|
||||
interface ignore wildcard
|
||||
|
||||
# set global variable for configured source interface name
|
||||
# set global boolean to indicate if the ip of the configured source interface is configured
|
||||
# if the source interface is configured but no ip on that interface, then listen on another
|
||||
# interface based on existing logic
|
||||
|
||||
interface listen Ethernet0
|
||||
interface listen 127.0.0.1
|
||||
|
||||
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
|
||||
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
|
||||
# might also be helpful.
|
||||
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
|
||||
# for details.
|
||||
#
|
||||
# Note that "restrict" applies to both servers and clients, so a configuration
|
||||
# that might be intended to block requests from certain clients could also end
|
||||
# up blocking replies from your own upstream servers.
|
||||
|
||||
# By default, exchange time with everybody, but don't allow configuration.
|
||||
restrict -4 default kod notrap nomodify nopeer noquery
|
||||
restrict -6 default kod notrap nomodify nopeer noquery
|
||||
# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
|
||||
restrict default kod nomodify noquery limited
|
||||
|
||||
# Local users may interrogate the ntp server more closely.
|
||||
restrict 127.0.0.1
|
||||
restrict ::1
|
||||
|
||||
# Clients from this (example!) subnet have unlimited access, but only if
|
||||
# cryptographically authenticated.
|
||||
#restrict 192.168.123.0 mask 255.255.255.0 notrust
|
||||
|
||||
|
||||
# If you want to provide time to your local subnet, change the next line.
|
||||
# (Again, the address is an example only.)
|
||||
#broadcast 192.168.123.255
|
||||
|
||||
# If you want to listen to time broadcasts on your local subnet, de-comment the
|
||||
# next lines. Please do this only if you trust everybody on the network!
|
||||
#disable auth
|
||||
#broadcastclient
|
||||
|
@ -3,70 +3,56 @@
|
||||
# file: ansible/roles/acs/templates/ntp.conf.j2
|
||||
###############################################################################
|
||||
|
||||
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
||||
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
|
||||
|
||||
# To avoid ntpd from panic and exit if the drift between new time and
|
||||
# current system time is large.
|
||||
tinker panic 0
|
||||
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
driftfile /var/lib/ntpsec/ntp.drift
|
||||
leapfile /usr/share/zoneinfo/leap-seconds.list
|
||||
|
||||
# To enable Network Time Security support as a server, obtain a certificate
|
||||
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
|
||||
# nts cert CERT_FILE
|
||||
# nts key KEY_FILE
|
||||
# nts enable
|
||||
|
||||
# Enable this if you want statistics to be logged.
|
||||
#statsdir /var/log/ntpstats/
|
||||
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
|
||||
#statsdir /var/log/ntpsec/
|
||||
#statistics loopstats peerstats clockstats
|
||||
#filegen loopstats file loopstats type day enable
|
||||
#filegen peerstats file peerstats type day enable
|
||||
#filegen clockstats file clockstats type day enable
|
||||
|
||||
statistics loopstats peerstats clockstats
|
||||
filegen loopstats file loopstats type day enable
|
||||
filegen peerstats file peerstats type day enable
|
||||
filegen clockstats file clockstats type day enable
|
||||
# Specify one or more NTP servers.
|
||||
|
||||
|
||||
# You do need to talk to an NTP server or two (or three).
|
||||
#server ntp.your-provider.example
|
||||
# Public NTP servers supporting Network Time Security:
|
||||
# server time.cloudflare.com nts
|
||||
|
||||
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
|
||||
# pick a different set every time it starts up. Please consider joining the
|
||||
# pool: <http://www.pool.ntp.org/join.html>
|
||||
# pool: <https://www.pool.ntp.org/join.html>
|
||||
|
||||
#listen on source interface if configured, else
|
||||
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
|
||||
# if we don't have both of them (default is to listen on all ip addresses)
|
||||
interface ignore wildcard
|
||||
|
||||
# set global variable for configured source interface name
|
||||
# set global boolean to indicate if the ip of the configured source interface is configured
|
||||
# if the source interface is configured but no ip on that interface, then listen on another
|
||||
# interface based on existing logic
|
||||
|
||||
interface listen Ethernet0
|
||||
interface listen 127.0.0.1
|
||||
|
||||
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
|
||||
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
|
||||
# might also be helpful.
|
||||
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
|
||||
# for details.
|
||||
#
|
||||
# Note that "restrict" applies to both servers and clients, so a configuration
|
||||
# that might be intended to block requests from certain clients could also end
|
||||
# up blocking replies from your own upstream servers.
|
||||
|
||||
# By default, exchange time with everybody, but don't allow configuration.
|
||||
restrict -4 default kod notrap nomodify nopeer noquery
|
||||
restrict -6 default kod notrap nomodify nopeer noquery
|
||||
# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
|
||||
restrict default kod nomodify noquery limited
|
||||
|
||||
# Local users may interrogate the ntp server more closely.
|
||||
restrict 127.0.0.1
|
||||
restrict ::1
|
||||
|
||||
# Clients from this (example!) subnet have unlimited access, but only if
|
||||
# cryptographically authenticated.
|
||||
#restrict 192.168.123.0 mask 255.255.255.0 notrust
|
||||
|
||||
|
||||
# If you want to provide time to your local subnet, change the next line.
|
||||
# (Again, the address is an example only.)
|
||||
#broadcast 192.168.123.255
|
||||
|
||||
# If you want to listen to time broadcasts on your local subnet, de-comment the
|
||||
# next lines. Please do this only if you trust everybody on the network!
|
||||
#disable auth
|
||||
#broadcastclient
|
||||
|