From b401c909aad51c86549dddcdc63815f221a866ce Mon Sep 17 00:00:00 2001 From: Saikrishna Arcot Date: Mon, 23 Oct 2023 08:44:13 -0700 Subject: [PATCH] Migrate from ntp to ntpsec Debian Bookworm no longer uses NTP, and instead uses NTPsec. Modify our files to update/replace the NTPsec files instead. Signed-off-by: Saikrishna Arcot --- build_debian.sh | 7 +- .../build_templates/sonic_debian_extension.j2 | 7 +- files/image_config/ntp/ntp-config.sh | 6 +- files/image_config/ntp/ntp-systemd-wrapper | 58 +++++------ files/image_config/ntp/ntp.conf.j2 | 96 ++++++++----------- files/image_config/ntp/ntp.service | 18 ---- files/image_config/ntp/{ntp => ntpsec} | 44 ++++----- files/image_config/ntp/sonic-target.conf | 3 + slave.mk | 1 - .../tests/sample_output/py2/ntp.conf | 58 +++++------ .../tests/sample_output/py3/ntp.conf | 58 +++++------ 11 files changed, 150 insertions(+), 206 deletions(-) delete mode 100644 files/image_config/ntp/ntp.service rename files/image_config/ntp/{ntp => ntpsec} (71%) create mode 100644 files/image_config/ntp/sonic-target.conf diff --git a/build_debian.sh b/build_debian.sh index 055daba9e6..0a66f73389 100755 --- a/build_debian.sh +++ b/build_debian.sh 
@@ -574,13 +574,12 @@ sudo cp files/dhcp/sethostname6 $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/ sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/ sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/ sudo cp files/dhcp/vrf $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/ -if [ -f files/image_config/ntp/ntp ]; then - sudo cp ./files/image_config/ntp/ntp $FILESYSTEM_ROOT/etc/init.d/ +if [ -f files/image_config/ntp/ntpsec ]; then + sudo cp ./files/image_config/ntp/ntpsec $FILESYSTEM_ROOT/etc/init.d/ fi if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then - sudo mkdir -p $FILESYSTEM_ROOT/usr/lib/ntp/ - sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/ + sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/ fi ## Version file part 1 diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index 848911433c..915e4698cb 100644 --- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 
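Review bot: The `sudo mkdir -p` that preceded the wrapper copy was dropped, so `sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/` now depends on the ntpsec package having already created that directory in the rootfs at this point of the build, which is not visible here. Keeping `sudo mkdir -p $FILESYSTEM_ROOT/usr/libexec/ntpsec/` in front of the cp costs nothing and removes the ordering dependency. The same copy is also performed in sonic_debian_extension.j2 in this patch, so one of the two is redundant; a comment at whichever is kept (`# overrides the wrapper shipped by the ntpsec package with the mgmt-VRF aware one`) would explain why a packaged file is being replaced.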
@@ -374,9 +374,10 @@ sudo cp $IMAGE_CONFIGS/ntp/ntp-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_S echo "ntp-config.service" | sudo tee -a $GENERATED_SERVICE_FILE sudo cp $IMAGE_CONFIGS/ntp/ntp-config.sh $FILESYSTEM_ROOT/usr/bin/ sudo cp $IMAGE_CONFIGS/ntp/ntp.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ -sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/ -sudo cp $IMAGE_CONFIGS/ntp/ntp.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM -echo "ntp.service" | sudo tee -a $GENERATED_SERVICE_FILE +sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/ +sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d +sudo cp $IMAGE_CONFIGS/ntp/sonic-target.conf $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d/ +echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE # Copy DNS templates sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ diff --git a/files/image_config/ntp/ntp-config.sh b/files/image_config/ntp/ntp-config.sh index ace9ad1c8a..cda88dbf99 100755 --- a/files/image_config/ntp/ntp-config.sh +++ b/files/image_config/ntp/ntp-config.sh @@ -1,6 +1,6 @@ #!/bin/bash -ntp_default_file='/etc/default/ntp' +ntp_default_file='/etc/default/ntpsec' ntp_temp_file='/tmp/ntp.orig' reboot_type='cold' @@ -23,10 +23,10 @@ function modify_ntp_default sed -e "$1" ${ntp_temp_file} >${ntp_default_file} } -sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntp.conf +sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntpsec/ntp.conf get_database_reboot_type echo "Disabling NTP long jump for reboot type ${reboot_type} ..." -modify_ntp_default "s/NTPD_OPTS='-g'/NTPD_OPTS='-x'/" +modify_ntp_default "s/NTPD_OPTS=\"-g -N\"/NTPD_OPTS=\"-x -N\"/" systemctl --no-block restart ntp diff --git a/files/image_config/ntp/ntp-systemd-wrapper b/files/image_config/ntp/ntp-systemd-wrapper index 1e646f3936..87e8f8601b 100644 --- a/files/image_config/ntp/ntp-systemd-wrapper 
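Review bot: `sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d` has no `-p`, so it fails if the directory already exists, for instance if the ntpsec package ships its own drop-in there or the step is re-run, and the line removed from build_debian.sh in this same patch did use `mkdir -p`. Change it to `sudo mkdir -p $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d`. A short comment on the next line (`# drop-in that binds the packaged ntpsec.service to sonic.target`) would also tell a reader why a vendor drop-in rather than a full unit is installed now that ntp.service is deleted.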
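Review bot: The last context line of the second hunk still runs `systemctl --no-block restart ntp` while the unit this patch installs and enables is `ntpsec.service`; unless the packaged unit provides an `ntp.service` alias (not visible here), the restart targets a nonexistent unit and neither the freshly rendered /etc/ntpsec/ntp.conf nor the `-x` option is ever picked up. Change it to `systemctl --no-block restart ntpsec`. The substitution `s/NTPD_OPTS=\"-g -N\"/NTPD_OPTS=\"-x -N\"/` is also a silent no-op if the packaged /etc/default/ntpsec uses different quoting or options, so a `grep -q 'NTPD_OPTS="-x -N"' "${ntp_default_file}"` check with a log line on mismatch would surface that at boot instead of as unexplained clock steps after a warm reboot. modify_ntp_default starts before this hunk.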
+++ b/files/image_config/ntp/ntp-systemd-wrapper 
@@ -4,45 +4,47 @@ # This is now manually modified for supporting NTP in management VRF. # When management VRF is enabled, the NTP application should be started using "ip vrf exec mgmt". # Check has been added to verify the management VRF enabled status and use "ip vrf exec mgmt" when it is enabled. -# This file will be copied to /usr/lib/ntp/ntp-systemd-wrapper file that gets created during build process. - +# This file will be copied to /usr/libexec/ntpsec/ntp-systemd-wrapper file that gets created during build process. DAEMON=/usr/sbin/ntpd -PIDFILE=/var/run/ntpd.pid +PIDFILE=/run/ntpd.pid +LOCKFILE=/run/lock/ntpsec-ntpdate -if [ -r /etc/default/ntp ]; then - . /etc/default/ntp +if [ -r /etc/default/ntpsec ]; then + . /etc/default/ntpsec fi -if [ -e /run/ntp.conf.dhcp ]; then - NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp" +if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then + NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp" +else + # List the default -c first, so if the admin has specified -c in + # NTPD_OPTS, it is honored. 
+ NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS" fi -LOCKFILE=/run/lock/ntpdate - -RUNASUSER=ntp -UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true -if test "$(uname -s)" = "Linux"; then - NTPD_OPTS="$NTPD_OPTS -u $UGID" -fi +NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec" +# Protect the service startup against concurrent ntpdate ifup hooks ( - flock -w 180 9 - # when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise - vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null) - vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null) - if [ "$vrfEnabled" = "true" ] - then - if [ "$vrfConfigured" = "default" ] + if flock -w 180 9; then + # when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise + vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null) + vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null) + if [ "$vrfEnabled" = "true" ] then - log_daemon_msg "Starting NTP server in default-vrf for default set as NTP vrf" "ntpd" - start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS + if [ "$vrfConfigured" = "default" ] + then + echo "Starting NTP server in default-vrf for default set as NTP vrf" + exec $DAEMON -p $PIDFILE $NTPD_OPTS + else + echo "Starting NTP server in mgmt-vrf" + exec ip vrf exec mgmt $DAEMON -p $PIDFILE $NTPD_OPTS + fi else - log_daemon_msg "Starting NTP server in mgmt-vrf" "ntpd" - ip vrf exec mgmt start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS + echo "Starting NTP server in default-vrf" + exec $DAEMON -p $PIDFILE $NTPD_OPTS fi else - log_daemon_msg "Starting NTP server in default-vrf" "ntpd" - start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE 
$NTPD_OPTS + echo "Timeout waiting for $LOCKFILE" + exit 1 fi ) 9>$LOCKFILE - diff --git a/files/image_config/ntp/ntp.conf.j2 b/files/image_config/ntp/ntp.conf.j2 index 280b46a426..c0c19db3b1 100644 --- a/files/image_config/ntp/ntp.conf.j2 +++ b/files/image_config/ntp/ntp.conf.j2 
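Review bot: In the DHCP branch only `-c /run/ntpsec/ntp.conf.dhcp` is passed, so whenever that file exists ntpd runs with the DHCP-derived configuration instead of the sonic-cfggen-rendered /etc/ntpsec/ntp.conf, including its `restrict`, `interface` and server settings; the same precedence is duplicated in the init-script hunk of this patch. Whether anything on SONiC writes /run/ntpsec/ntp.conf.dhcp is not visible here, but the wrapper should state what it expects, e.g. `# A DHCP-provided config replaces (does not extend) the rendered /etc/ntpsec/ntp.conf; set IGNORE_DHCP=yes in /etc/default/ntpsec to keep CONFIG_DB settings authoritative.` The new `IGNORE_DHCP` variable is read from the sourced /etc/default/ntpsec and is otherwise undocumented in this file. The header comment could also note that `exec` inside the `( ... ) 9>$LOCKFILE` subshell leaves fd 9 open in ntpd, so the ntpdate lock stays held for the daemon's lifetime, which looks intentional but is not obvious.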
@@ -3,43 +3,44 @@ # file: ansible/roles/acs/templates/ntp.conf.j2 ############################################################################### -# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help +# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # To avoid ntpd from panic and exit if the drift between new time and # current system time is large. tinker panic 0 -driftfile /var/lib/ntp/ntp.drift +driftfile /var/lib/ntpsec/ntp.drift +leapfile /usr/share/zoneinfo/leap-seconds.list +# To enable Network Time Security support as a server, obtain a certificate +# (e.g. with Let's Encrypt), configure the paths below, and uncomment: +# nts cert CERT_FILE +# nts key KEY_FILE +# nts enable -# Enable this if you want statistics to be logged. -#statsdir /var/log/ntpstats/ +# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. +#statsdir /var/log/ntpsec/ +#statistics loopstats peerstats clockstats +#filegen loopstats file loopstats type day enable +#filegen peerstats file peerstats type day enable +#filegen clockstats file clockstats type day enable -statistics loopstats peerstats clockstats -filegen loopstats file loopstats type day enable -filegen peerstats file peerstats type day enable -filegen clockstats file clockstats type day enable +# Specify one or more NTP servers. - -# You do need to talk to an NTP server or two (or three). -#server ntp.your-provider.example - -# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will -# pick a different set every time it starts up. Please consider joining the -# pool: +# Public NTP servers supporting Network Time Security: +# server time.cloudflare.com nts {% for ntp_server in NTP_SERVER %} server {{ ntp_server }} iburst {% endfor %} +# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will +# pick a different set every time it starts up. 
Please consider joining the +# pool: + #listen on source interface if configured, else #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 # if we don't have both of them (default is to listen on all ip addresses) interface ignore wildcard - -# set global variable for configured source interface name -# set global boolean to indicate if the ip of the configured source interface is configured -# if the source interface is configured but no ip on that interface, then listen on another -# interface based on existing logic {%- macro check_ip_on_interface(interface_name, table_name) %} {%- set ns = namespace(valid_intf = 'false') %} {%- if table_name %} 
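Review bot: The four-line `# set global variable for configured source interface name ...` comment that explained the `ns.source_intf` / `ns.source_intf_ip` logic is removed with no replacement, so the macro and namespace block that follow are now undocumented in the template; keeping it as a Jinja comment (`{# set global variable for configured source interface name ... #}`) documents the template without rendering into /etc/ntpsec/ntp.conf, which appears to be why it was dropped. The relocated `# pool.ntp.org maps to about 1000 low-stratum NTP servers ... Please consider joining the pool:` paragraph now ends with a colon and introduces nothing, since the server loop it used to precede is above it and no `pool` line follows; either drop it or move it back above the loop. `leapfile /usr/share/zoneinfo/leap-seconds.list` is new and unconditional; a one-line comment naming the package expected to provide that file would help whoever sees the warning ntpd logs when it is absent.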
@@ -53,22 +54,22 @@ interface ignore wildcard {%- endmacro %} {% set ns = namespace(source_intf = "") %} -{% set ns = namespace(source_intf_ip = 'false') %} -{% if (NTP) and (NTP['global']['src_intf']) %} - {% set ns.source_intf = (NTP['global']['src_intf']) %} - {% if ns.source_intf != "" %} - {% if ns.source_intf == "eth0" %} - {% set ns.source_intf_ip = 'true' %} - {% elif ns.source_intf.startswith('Vlan') %} - {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %} - {% elif ns.source_intf.startswith('Ethernet') %} - {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %} - {% elif ns.source_intf.startswith('PortChannel') %} - {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %} - {% elif ns.source_intf.startswith('Loopback') %} - {% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %} - {% endif %} - {% endif %} +{%- set ns = namespace(source_intf_ip = 'false') %} +{%- if (NTP) and (NTP['global']['src_intf']) %} + {%- set ns.source_intf = (NTP['global']['src_intf']) %} + {%- if ns.source_intf != "" %} + {%- if ns.source_intf == "eth0" %} + {%- set ns.source_intf_ip = 'true' %} + {%- elif ns.source_intf.startswith('Vlan') %} + {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %} + {%- elif ns.source_intf.startswith('Ethernet') %} + {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %} + {%- elif ns.source_intf.startswith('PortChannel') %} + {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %} + {%- elif ns.source_intf.startswith('Loopback') %} + {%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %} + {%- endif %} + {%- endif %} {% endif %} {% if ns.source_intf_ip == 'true' %} 
@@ -90,32 +91,17 @@ interface listen eth0 {% endif %} interface listen 127.0.0.1 -# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for -# details. The web page -# might also be helpful. +# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html +# for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. -restrict -4 default kod notrap nomodify nopeer noquery -restrict -6 default kod notrap nomodify nopeer noquery +# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here +restrict default kod nomodify noquery limited # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 - -# Clients from this (example!) subnet have unlimited access, but only if -# cryptographically authenticated. -#restrict 192.168.123.0 mask 255.255.255.0 notrust - - -# If you want to provide time to your local subnet, change the next line. -# (Again, the address is an example only.) -#broadcast 192.168.123.255 - -# If you want to listen to time broadcasts on your local subnet, de-comment the -# next lines. Please do this only if you trust everybody on the network! -#disable auth -#broadcastclient diff --git a/files/image_config/ntp/ntp.service b/files/image_config/ntp/ntp.service deleted file mode 100644 index 32a55dea89..0000000000 --- a/files/image_config/ntp/ntp.service +++ /dev/null 
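Review bot: The comment above the new `restrict default kod nomodify noquery limited` line explains the dropped `nopeer` but not the dropped `notrap`, which both old `restrict -4/-6` lines carried; if it was removed because NTPsec no longer implements the mode-6 trap facility, say so in the same comment (`# notrap is likewise obsolete: NTPsec has no mode-6 trap service`), otherwise restore it, since `limited`/`kod` only rate-limit and do not replace it. Collapsing the `-4` and `-6` lines into one `restrict default` relies on it covering both address families, which is what NTPsec is expected to do, so a word in the comment (`# restrict default applies to both IPv4 and IPv6`) would make that explicit. The py2/py3 sample outputs in this patch repeat the same text and are generated from this template, so they need no separate edit.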
@@ -1,18 +0,0 @@ -[Unit] -Description=Network Time Service -Documentation=man:ntpd(8) -After=network.target -Conflicts=systemd-timesyncd.service -BindsTo=sonic.target -After=sonic.target -StartLimitIntervalSec=0 - -[Service] -Type=forking -# Debian uses a shell wrapper to process /etc/default/ntp -# and select DHCP-provided NTP servers if available -ExecStart=/usr/lib/ntp/ntp-systemd-wrapper -PrivateTmp=true - -[Install] -WantedBy=multi-user.target diff --git a/files/image_config/ntp/ntp b/files/image_config/ntp/ntpsec similarity index 71% rename from files/image_config/ntp/ntp rename to files/image_config/ntp/ntpsec index f0ca500fb8..2056a0e125 100755 --- a/files/image_config/ntp/ntp +++ b/files/image_config/ntp/ntpsec @@ -4,15 +4,20 @@ # This is now manually modified for supporting NTP in management VRF. # When management VRF is enabled, the NTP application should be started using "cgexec -g l3mdev:mgmt". # Check has been added to verify the management VRF enabled status and use cgexec when it is enabled. -# This file will be copied on top of the etc/init.d/ntp file that gets created during build process. +# This file will be copied on top of the etc/init.d/ntpsec file that gets created during build process. ### BEGIN INIT INFO -# Provides: ntp +# Provides: ntpsec # Required-Start: $network $remote_fs $syslog # Required-Stop: $network $remote_fs $syslog # Default-Start: 2 3 4 5 -# Default-Stop: +# Default-Stop: # Short-Description: Start NTP daemon +# Description: NTP, the Network Time Protocol, is used to keep computer +# clocks accurate by synchronizing them over the Internet or +# a local network, or by following an accurate hardware +# receiver that interprets GPS, DCF-77, or similar time +# signals. ### END INIT INFO PATH=/sbin:/bin:/usr/sbin:/usr/bin 
@@ -20,34 +25,29 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin . /lib/lsb/init-functions DAEMON=/usr/sbin/ntpd -PIDFILE=/var/run/ntpd.pid +PIDFILE=/run/ntpd.pid test -x $DAEMON || exit 5 -if [ -r /etc/default/ntp ]; then - . /etc/default/ntp +if [ -r /etc/default/ntpsec ]; then + . /etc/default/ntpsec fi -if [ -e /run/ntp.conf.dhcp ]; then - NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp" +if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then + NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp" +else + # List the default -c first, so if the admin has specified -c in + # NTPD_OPTS, it is honored. + NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS" fi +NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec" -LOCKFILE=/run/lock/ntpdate - -RUNASUSER=ntp -UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true -if test "$(uname -s)" = "Linux"; then - NTPD_OPTS="$NTPD_OPTS -u $UGID" -fi +LOCKFILE=/run/lock/ntpsec-ntpdate case $1 in start) log_daemon_msg "Starting NTP server" "ntpd" - if [ -z "$UGID" ]; then - log_failure_msg "user \"$RUNASUSER\" does not exist" - exit 1 - fi ( flock -w 180 9 @@ -70,16 +70,16 @@ case $1 in fi ) 9>$LOCKFILE log_end_msg $? - ;; + ;; stop) log_daemon_msg "Stopping NTP server" "ntpd" start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --retry=TERM/30/KILL/5 --exec $DAEMON log_end_msg $? rm -f $PIDFILE - ;; + ;; restart|force-reload) $0 stop && sleep 2 && $0 start - ;; + ;; try-restart) if $0 status >/dev/null; then $0 restart diff --git a/files/image_config/ntp/sonic-target.conf b/files/image_config/ntp/sonic-target.conf new file mode 100644 index 0000000000..83dd118fe5 --- /dev/null +++ b/files/image_config/ntp/sonic-target.conf @@ -0,0 +1,3 @@ +[Unit] +BindsTo=sonic.target +After=sonic.target diff --git a/slave.mk b/slave.mk index c9b8baf7a9..e0a44689d8 100644 --- a/slave.mk +++ b/slave.mk 
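Review bot: The `start)` arm loses the `if [ -z "$UGID" ]` guard that refused to start when the service account was missing, but the hard-coded `-u ntpsec:ntpsec` still requires that account; with the guard gone, a missing user is reported only in ntpd's own log rather than through `log_failure_msg`. Re-add an explicit check at the top of the start arm, e.g. `getent passwd ntpsec >/dev/null || { log_failure_msg "user \"ntpsec\" does not exist"; exit 1; }`. The `IGNORE_DHCP`/`-c`/`-u` block here duplicates the one in ntp-systemd-wrapper word for word; a `# keep in sync with /usr/libexec/ntpsec/ntp-systemd-wrapper` comment in both files would prevent them drifting. The `case $1 in` statement continues past the end of this hunk.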
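Review bot: The new drop-in carries over only `BindsTo=sonic.target` and `After=sonic.target` from the deleted ntp.service; that unit also set `StartLimitIntervalSec=0`, `Conflicts=systemd-timesyncd.service` and `PrivateTmp=true`, which now have to come from the packaged ntpsec.service, and whether the Debian unit sets them is not visible here. If unlimited restarts are still wanted on a switch whose time source may take a long time to become reachable, add `StartLimitIntervalSec=0` under `[Unit]` in this drop-in. It is also worth confirming that any sandboxing the packaged unit applies still permits the `ip vrf exec mgmt` path the wrapper takes when the management VRF is enabled, since the deleted unit applied none beyond PrivateTmp.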
@@ -1332,7 +1332,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \ $(SONIC_DEVICE_DATA) \ $(IFUPDOWN2) \ $(KDUMP_TOOLS) \ - $(NTP) \ $(LIBPAM_RADIUS) \ $(LIBNSS_RADIUS) \ $(LIBPAM_TACPLUS) \ diff --git a/src/sonic-config-engine/tests/sample_output/py2/ntp.conf b/src/sonic-config-engine/tests/sample_output/py2/ntp.conf index bc98019e88..fc2228e269 100644 --- a/src/sonic-config-engine/tests/sample_output/py2/ntp.conf +++ b/src/sonic-config-engine/tests/sample_output/py2/ntp.conf 
@@ -3,70 +3,56 @@ # file: ansible/roles/acs/templates/ntp.conf.j2 ############################################################################### -# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help +# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # To avoid ntpd from panic and exit if the drift between new time and # current system time is large. tinker panic 0 -driftfile /var/lib/ntp/ntp.drift +driftfile /var/lib/ntpsec/ntp.drift +leapfile /usr/share/zoneinfo/leap-seconds.list +# To enable Network Time Security support as a server, obtain a certificate +# (e.g. with Let's Encrypt), configure the paths below, and uncomment: +# nts cert CERT_FILE +# nts key KEY_FILE +# nts enable -# Enable this if you want statistics to be logged. -#statsdir /var/log/ntpstats/ +# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. +#statsdir /var/log/ntpsec/ +#statistics loopstats peerstats clockstats +#filegen loopstats file loopstats type day enable +#filegen peerstats file peerstats type day enable +#filegen clockstats file clockstats type day enable -statistics loopstats peerstats clockstats -filegen loopstats file loopstats type day enable -filegen peerstats file peerstats type day enable -filegen clockstats file clockstats type day enable +# Specify one or more NTP servers. - -# You do need to talk to an NTP server or two (or three). -#server ntp.your-provider.example +# Public NTP servers supporting Network Time Security: +# server time.cloudflare.com nts # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. 
Please consider joining the -# pool: +# pool: #listen on source interface if configured, else #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 # if we don't have both of them (default is to listen on all ip addresses) interface ignore wildcard -# set global variable for configured source interface name -# set global boolean to indicate if the ip of the configured source interface is configured -# if the source interface is configured but no ip on that interface, then listen on another -# interface based on existing logic - interface listen Ethernet0 interface listen 127.0.0.1 -# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for -# details. The web page -# might also be helpful. +# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html +# for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. -restrict -4 default kod notrap nomodify nopeer noquery -restrict -6 default kod notrap nomodify nopeer noquery +# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here +restrict default kod nomodify noquery limited # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 - -# Clients from this (example!) subnet have unlimited access, but only if -# cryptographically authenticated. -#restrict 192.168.123.0 mask 255.255.255.0 notrust - - -# If you want to provide time to your local subnet, change the next line. -# (Again, the address is an example only.) -#broadcast 192.168.123.255 - -# If you want to listen to time broadcasts on your local subnet, de-comment the -# next lines. Please do this only if you trust everybody on the network! 
-#disable auth -#broadcastclient diff --git a/src/sonic-config-engine/tests/sample_output/py3/ntp.conf b/src/sonic-config-engine/tests/sample_output/py3/ntp.conf index bc98019e88..fc2228e269 100644 --- a/src/sonic-config-engine/tests/sample_output/py3/ntp.conf +++ b/src/sonic-config-engine/tests/sample_output/py3/ntp.conf 
@@ -3,70 +3,56 @@ # file: ansible/roles/acs/templates/ntp.conf.j2 ############################################################################### -# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help +# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help # To avoid ntpd from panic and exit if the drift between new time and # current system time is large. tinker panic 0 -driftfile /var/lib/ntp/ntp.drift +driftfile /var/lib/ntpsec/ntp.drift +leapfile /usr/share/zoneinfo/leap-seconds.list +# To enable Network Time Security support as a server, obtain a certificate +# (e.g. with Let's Encrypt), configure the paths below, and uncomment: +# nts cert CERT_FILE +# nts key KEY_FILE +# nts enable -# Enable this if you want statistics to be logged. -#statsdir /var/log/ntpstats/ +# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. +#statsdir /var/log/ntpsec/ +#statistics loopstats peerstats clockstats +#filegen loopstats file loopstats type day enable +#filegen peerstats file peerstats type day enable +#filegen clockstats file clockstats type day enable -statistics loopstats peerstats clockstats -filegen loopstats file loopstats type day enable -filegen peerstats file peerstats type day enable -filegen clockstats file clockstats type day enable +# Specify one or more NTP servers. - -# You do need to talk to an NTP server or two (or three). -#server ntp.your-provider.example +# Public NTP servers supporting Network Time Security: +# server time.cloudflare.com nts # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. 
Please consider joining the -# pool: +# pool: #listen on source interface if configured, else #only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0 # if we don't have both of them (default is to listen on all ip addresses) interface ignore wildcard -# set global variable for configured source interface name -# set global boolean to indicate if the ip of the configured source interface is configured -# if the source interface is configured but no ip on that interface, then listen on another -# interface based on existing logic - interface listen Ethernet0 interface listen 127.0.0.1 -# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for -# details. The web page -# might also be helpful. +# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html +# for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. -restrict -4 default kod notrap nomodify nopeer noquery -restrict -6 default kod notrap nomodify nopeer noquery +# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here +restrict default kod nomodify noquery limited # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 - -# Clients from this (example!) subnet have unlimited access, but only if -# cryptographically authenticated. -#restrict 192.168.123.0 mask 255.255.255.0 notrust - - -# If you want to provide time to your local subnet, change the next line. -# (Again, the address is an example only.) -#broadcast 192.168.123.255 - -# If you want to listen to time broadcasts on your local subnet, de-comment the -# next lines. Please do this only if you trust everybody on the network! 
-#disable auth -#broadcastclient