Migrate from ntp to ntpsec

Debian Bookworm no longer uses NTP, and instead uses NTPsec. Modify our
files to update/replace the NTPsec files instead.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
This commit is contained in:
Saikrishna Arcot 2023-10-23 08:44:13 -07:00
parent 8517411792
commit b401c909aa
11 changed files with 150 additions and 206 deletions

View File

@ -574,13 +574,12 @@ sudo cp files/dhcp/sethostname6 $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
sudo cp files/dhcp/vrf $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
if [ -f files/image_config/ntp/ntp ]; then
sudo cp ./files/image_config/ntp/ntp $FILESYSTEM_ROOT/etc/init.d/
if [ -f files/image_config/ntp/ntpsec ]; then
sudo cp ./files/image_config/ntp/ntpsec $FILESYSTEM_ROOT/etc/init.d/
fi
if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then
sudo mkdir -p $FILESYSTEM_ROOT/usr/lib/ntp/
sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
fi
## Version file part 1

View File

@ -374,9 +374,10 @@ sudo cp $IMAGE_CONFIGS/ntp/ntp-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_S
echo "ntp-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
sudo cp $IMAGE_CONFIGS/ntp/ntp-config.sh $FILESYSTEM_ROOT/usr/bin/
sudo cp $IMAGE_CONFIGS/ntp/ntp.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
sudo cp $IMAGE_CONFIGS/ntp/ntp.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
echo "ntp.service" | sudo tee -a $GENERATED_SERVICE_FILE
sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d
sudo cp $IMAGE_CONFIGS/ntp/sonic-target.conf $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d/
echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
# Copy DNS templates
sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/

View File

@ -1,6 +1,6 @@
#!/bin/bash
ntp_default_file='/etc/default/ntp'
ntp_default_file='/etc/default/ntpsec'
ntp_temp_file='/tmp/ntp.orig'
reboot_type='cold'
@ -23,10 +23,10 @@ function modify_ntp_default
sed -e "$1" ${ntp_temp_file} >${ntp_default_file}
}
sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntp.conf
sonic-cfggen -d -t /usr/share/sonic/templates/ntp.conf.j2 >/etc/ntpsec/ntp.conf
get_database_reboot_type
echo "Disabling NTP long jump for reboot type ${reboot_type} ..."
modify_ntp_default "s/NTPD_OPTS='-g'/NTPD_OPTS='-x'/"
modify_ntp_default "s/NTPD_OPTS=\"-g -N\"/NTPD_OPTS=\"-x -N\"/"
systemctl --no-block restart ntp

View File

@ -4,45 +4,47 @@
# This is now manually modified for supporting NTP in management VRF.
# When management VRF is enabled, the NTP application should be started using "ip vrf exec mgmt".
# Check has been added to verify the management VRF enabled status and use "ip vrf exec mgmt" when it is enabled.
# This file will be copied to /usr/lib/ntp/ntp-systemd-wrapper file that gets created during build process.
# This file will be copied to /usr/libexec/ntpsec/ntp-systemd-wrapper file that gets created during build process.
DAEMON=/usr/sbin/ntpd
PIDFILE=/var/run/ntpd.pid
PIDFILE=/run/ntpd.pid
LOCKFILE=/run/lock/ntpsec-ntpdate
if [ -r /etc/default/ntp ]; then
. /etc/default/ntp
if [ -r /etc/default/ntpsec ]; then
. /etc/default/ntpsec
fi
if [ -e /run/ntp.conf.dhcp ]; then
NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp"
if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then
NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp"
else
# List the default -c first, so if the admin has specified -c in
# NTPD_OPTS, it is honored.
NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS"
fi
LOCKFILE=/run/lock/ntpdate
RUNASUSER=ntp
UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true
if test "$(uname -s)" = "Linux"; then
NTPD_OPTS="$NTPD_OPTS -u $UGID"
fi
NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"
# Protect the service startup against concurrent ntpdate ifup hooks
(
flock -w 180 9
# when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
if [ "$vrfEnabled" = "true" ]
then
if [ "$vrfConfigured" = "default" ]
if flock -w 180 9; then
# when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
if [ "$vrfEnabled" = "true" ]
then
log_daemon_msg "Starting NTP server in default-vrf for default set as NTP vrf" "ntpd"
start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
if [ "$vrfConfigured" = "default" ]
then
echo "Starting NTP server in default-vrf for default set as NTP vrf"
exec $DAEMON -p $PIDFILE $NTPD_OPTS
else
echo "Starting NTP server in mgmt-vrf"
exec ip vrf exec mgmt $DAEMON -p $PIDFILE $NTPD_OPTS
fi
else
log_daemon_msg "Starting NTP server in mgmt-vrf" "ntpd"
ip vrf exec mgmt start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
echo "Starting NTP server in default-vrf"
exec $DAEMON -p $PIDFILE $NTPD_OPTS
fi
else
log_daemon_msg "Starting NTP server in default-vrf" "ntpd"
start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
echo "Timeout waiting for $LOCKFILE"
exit 1
fi
) 9>$LOCKFILE

View File

@ -3,43 +3,44 @@
# file: ansible/roles/acs/templates/ntp.conf.j2
###############################################################################
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# To avoid ntpd from panic and exit if the drift between new time and
# current system time is large.
tinker panic 0
driftfile /var/lib/ntp/ntp.drift
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
{% for ntp_server in NTP_SERVER %}
server {{ ntp_server }} iburst
{% endfor %}
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
#listen on source interface if configured, else
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
# if we don't have both of them (default is to listen on all ip addresses)
interface ignore wildcard
# set global variable for configured source interface name
# set global boolean to indicate if the ip of the configured source interface is configured
# if the source interface is configured but no ip on that interface, then listen on another
# interface based on existing logic
{%- macro check_ip_on_interface(interface_name, table_name) %}
{%- set ns = namespace(valid_intf = 'false') %}
{%- if table_name %}
@ -53,22 +54,22 @@ interface ignore wildcard
{%- endmacro %}
{% set ns = namespace(source_intf = "") %}
{% set ns = namespace(source_intf_ip = 'false') %}
{% if (NTP) and (NTP['global']['src_intf']) %}
{% set ns.source_intf = (NTP['global']['src_intf']) %}
{% if ns.source_intf != "" %}
{% if ns.source_intf == "eth0" %}
{% set ns.source_intf_ip = 'true' %}
{% elif ns.source_intf.startswith('Vlan') %}
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
{% elif ns.source_intf.startswith('Ethernet') %}
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
{% elif ns.source_intf.startswith('PortChannel') %}
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
{% elif ns.source_intf.startswith('Loopback') %}
{% set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
{% endif %}
{% endif %}
{%- set ns = namespace(source_intf_ip = 'false') %}
{%- if (NTP) and (NTP['global']['src_intf']) %}
{%- set ns.source_intf = (NTP['global']['src_intf']) %}
{%- if ns.source_intf != "" %}
{%- if ns.source_intf == "eth0" %}
{%- set ns.source_intf_ip = 'true' %}
{%- elif ns.source_intf.startswith('Vlan') %}
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, VLAN_INTERFACE) %}
{%- elif ns.source_intf.startswith('Ethernet') %}
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, INTERFACE) %}
{%- elif ns.source_intf.startswith('PortChannel') %}
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, PORTCHANNEL_INTERFACE) %}
{%- elif ns.source_intf.startswith('Loopback') %}
{%- set ns.source_intf_ip = check_ip_on_interface(ns.source_intf, LOOPBACK_INTERFACE) %}
{%- endif %}
{%- endif %}
{% endif %}
{% if ns.source_intf_ip == 'true' %}
@ -90,32 +91,17 @@ interface listen eth0
{% endif %}
interface listen 127.0.0.1
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
restrict default kod nomodify noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

View File

@ -1,18 +0,0 @@
[Unit]
Description=Network Time Service
Documentation=man:ntpd(8)
After=network.target
Conflicts=systemd-timesyncd.service
BindsTo=sonic.target
After=sonic.target
StartLimitIntervalSec=0
[Service]
Type=forking
# Debian uses a shell wrapper to process /etc/default/ntp
# and select DHCP-provided NTP servers if available
ExecStart=/usr/lib/ntp/ntp-systemd-wrapper
PrivateTmp=true
[Install]
WantedBy=multi-user.target

View File

@ -4,15 +4,20 @@
# This is now manually modified for supporting NTP in management VRF.
# When management VRF is enabled, the NTP application should be started using "cgexec -g l3mdev:mgmt".
# Check has been added to verify the management VRF enabled status and use cgexec when it is enabled.
# This file will be copied on top of the etc/init.d/ntp file that gets created during build process.
# This file will be copied on top of the etc/init.d/ntpsec file that gets created during build process.
### BEGIN INIT INFO
# Provides: ntp
# Provides: ntpsec
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: Start NTP daemon
# Description: NTP, the Network Time Protocol, is used to keep computer
# clocks accurate by synchronizing them over the Internet or
# a local network, or by following an accurate hardware
# receiver that interprets GPS, DCF-77, or similar time
# signals.
### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin
@ -20,34 +25,29 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
. /lib/lsb/init-functions
DAEMON=/usr/sbin/ntpd
PIDFILE=/var/run/ntpd.pid
PIDFILE=/run/ntpd.pid
test -x $DAEMON || exit 5
if [ -r /etc/default/ntp ]; then
. /etc/default/ntp
if [ -r /etc/default/ntpsec ]; then
. /etc/default/ntpsec
fi
if [ -e /run/ntp.conf.dhcp ]; then
NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp"
if [ "$IGNORE_DHCP" != "yes" ] && [ -e /run/ntpsec/ntp.conf.dhcp ]; then
NTPD_OPTS="$NTPD_OPTS -c /run/ntpsec/ntp.conf.dhcp"
else
# List the default -c first, so if the admin has specified -c in
# NTPD_OPTS, it is honored.
NTPD_OPTS="-c /etc/ntpsec/ntp.conf $NTPD_OPTS"
fi
NTPD_OPTS="$NTPD_OPTS -u ntpsec:ntpsec"
LOCKFILE=/run/lock/ntpdate
RUNASUSER=ntp
UGID=$(getent passwd $RUNASUSER | cut -f 3,4 -d:) || true
if test "$(uname -s)" = "Linux"; then
NTPD_OPTS="$NTPD_OPTS -u $UGID"
fi
LOCKFILE=/run/lock/ntpsec-ntpdate
case $1 in
start)
log_daemon_msg "Starting NTP server" "ntpd"
if [ -z "$UGID" ]; then
log_failure_msg "user \"$RUNASUSER\" does not exist"
exit 1
fi
(
flock -w 180 9
@ -70,16 +70,16 @@ case $1 in
fi
) 9>$LOCKFILE
log_end_msg $?
;;
;;
stop)
log_daemon_msg "Stopping NTP server" "ntpd"
start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --retry=TERM/30/KILL/5 --exec $DAEMON
log_end_msg $?
rm -f $PIDFILE
;;
;;
restart|force-reload)
$0 stop && sleep 2 && $0 start
;;
;;
try-restart)
if $0 status >/dev/null; then
$0 restart

View File

@ -0,0 +1,3 @@
[Unit]
BindsTo=sonic.target
After=sonic.target

View File

@ -1332,7 +1332,6 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
$(SONIC_DEVICE_DATA) \
$(IFUPDOWN2) \
$(KDUMP_TOOLS) \
$(NTP) \
$(LIBPAM_RADIUS) \
$(LIBNSS_RADIUS) \
$(LIBPAM_TACPLUS) \

View File

@ -3,70 +3,56 @@
# file: ansible/roles/acs/templates/ntp.conf.j2
###############################################################################
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# To avoid ntpd from panic and exit if the drift between new time and
# current system time is large.
tinker panic 0
driftfile /var/lib/ntp/ntp.drift
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
# pool: <https://www.pool.ntp.org/join.html>
#listen on source interface if configured, else
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
# if we don't have both of them (default is to listen on all ip addresses)
interface ignore wildcard
# set global variable for configured source interface name
# set global boolean to indicate if the ip of the configured source interface is configured
# if the source interface is configured but no ip on that interface, then listen on another
# interface based on existing logic
interface listen Ethernet0
interface listen 127.0.0.1
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
restrict default kod nomodify noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

View File

@ -3,70 +3,56 @@
# file: ansible/roles/acs/templates/ntp.conf.j2
###############################################################################
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# To avoid ntpd from panic and exit if the drift between new time and
# current system time is large.
tinker panic 0
driftfile /var/lib/ntp/ntp.drift
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
# pool: <https://www.pool.ntp.org/join.html>
#listen on source interface if configured, else
#only listen on MGMT_INTERFACE, LOOPBACK_INTERFACE ip when MGMT_INTERFACE is not defined, or eth0
# if we don't have both of them (default is to listen on all ip addresses)
interface ignore wildcard
# set global variable for configured source interface name
# set global boolean to indicate if the ip of the configured source interface is configured
# if the source interface is configured but no ip on that interface, then listen on another
# interface based on existing logic
interface listen Ethernet0
interface listen 127.0.0.1
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# NTPsec doesn't establish peer associations, and so nopeer has no effect, and has been removed from here
restrict default kod nomodify noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient