-
Notifications
You must be signed in to change notification settings - Fork 884
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add netsec ntp_client support for ntp client configuration (#5631)
In many distributions, ntp is a transitional package that provides a mechansim to install either ntpd or ntpsec. Installing ntp transitional package may cause issues with APT package dependency resolution when APT sources are not updated and latest systemd-timesyncd is out of date because both systemd-timesyncd and ntpsec declare a Provides: time-daemon and conflict with an unresolvable version upgrade path unless the conflicting package also happens to be fully updated. Add #cloud-config 'ntpsec' option for 'ntp_client' in user-data to allow opting into the specific ntpsec client over transitional ntp package on alpine, debian, redhat, sles and ubuntu. Add template config files for rhel, sles, ubuntu, debian and alpine obtain by pulling latest configuration files from lxc container launches of each distribution. Add json schema strict enum of ntp_client type to better document and limit ntp_client values to valid configuration. Update integration tests to prefer ntpsec over ntp
- Loading branch information
1 parent
a6fbcbe
commit 9c66960
Showing
9 changed files
with
414 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # /etc/ntp.conf | ||
| # Sensible default NTPsec configuration file. | ||
| # See ntp.conf(5) man page for help. | ||
| # More examples can be found at https://gitlab.com/NTPsec/ntpsec/-/tree/master/etc/ntp.d | ||
|
|
||
| # If you have no other local chimers to help NTP perform sanity checks | ||
| # then you can use some public chimers from the NTP public pool: | ||
| # http://www.pool.ntp.org/en/ | ||
| # | ||
| # iburst tells it to send the first few requests at 2 second intervals rather | ||
| # than wait for the poll interval, which defaults to 64 seconds. That greatly | ||
| # speeds up the time for ntpd to set the system time and start responding to | ||
| # requests. | ||
| # | ||
| # You can speed up initialization, and spread the load better, by | ||
| # using a country-specific potion of the pool, e.g. something like | ||
| # | ||
| # us.pool.ntp.org | ||
| # | ||
| # If you are not in the USA, then it will probably work to | ||
| # change the 'us' to your two letter country code. | ||
| # | ||
| # Major Internet-using countries with pools include: | ||
| # us de fr uk nl ch ru ca au cn za br | ||
| # | ||
| # If you don't know your country code, find it at | ||
| # | ||
| # https://en.wikipedia.org/wiki/ISO_3166-1 | ||
| # | ||
| # and then try prepending it to ".pool.ntp.org" and pinging that. | ||
| # hostname. If you get a response, you can use it. | ||
| # | ||
| # Alternatively, if you are running Linux your distribution may have | ||
| # a designated pool disparcher, e.g. ubuntu.pool.ntp.org | ||
| # | ||
| {% if pools %}# pools | ||
| {% endif %} | ||
| {% for pool in pools -%} | ||
| pool {{pool}} iburst | ||
| {% endfor %} | ||
| {%- if servers %}# servers | ||
| {% endif %} | ||
| {% for server in servers -%} | ||
| server {{server}} iburst | ||
| {% endfor %} | ||
| {% for peer in peers -%} | ||
| peer {{peer}} | ||
| {% endfor %} | ||
|
|
||
| # The following setting reduces the maximum number of sources to not use more | ||
| # than four servers from the pool.ntp.org pool. If you have specified other | ||
| # servers, you can increase the maxclock number accordingly. | ||
| tos maxclock 5 | ||
|
|
||
| # Exchange time with everybody, but don't allow configuration. | ||
| # This is the right security setup for 99% of deployments. | ||
| restrict default kod limited nomodify noquery | ||
| restrict -6 default kod limited nomodify noquery | ||
|
|
||
| # Local users may interrogate the NTP server more closely. | ||
| restrict 127.0.0.1 | ||
| restrict -6 ::1 | ||
|
|
||
| # Minimal logging - we declare a drift file and that's it. | ||
| driftfile /var/lib/ntp/ntp.drift | ||
|
|
||
| # We don't log any statistics by default, but the directory | ||
| # still needs to exist | ||
| statsdir /var/log/ntpstats/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| ## template:jinja | ||
|
|
||
| # /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help | ||
|
|
||
| driftfile /var/lib/ntpsec/ntp.drift | ||
| leapfile /usr/share/zoneinfo/leap-seconds.list | ||
|
|
||
| # To enable Network Time Security support as a server, obtain a certificate | ||
| # (e.g. with Let's Encrypt), configure the paths below, and uncomment: | ||
| # nts cert CERT_FILE | ||
| # nts key KEY_FILE | ||
| # nts enable | ||
|
|
||
| # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. | ||
| #statsdir /var/log/ntpsec/ | ||
| #statistics loopstats peerstats clockstats | ||
| #filegen loopstats file loopstats type day enable | ||
| #filegen peerstats file peerstats type day enable | ||
| #filegen clockstats file clockstats type day enable | ||
|
|
||
| # This should be maxclock 7, but the pool entries count towards maxclock. | ||
| tos maxclock 11 | ||
|
|
||
| # Comment this out if you have a refclock and want it to be able to discipline | ||
| # the clock by itself (e.g. if the system is not connected to the network). | ||
| tos minclock 4 minsane 3 | ||
|
|
||
| # Specify one or more NTP servers. | ||
|
|
||
| # Public NTP servers supporting Network Time Security: | ||
| # server time.cloudflare.com nts | ||
|
|
||
| # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will | ||
| # pick a different set every time it starts up. Please consider joining the | ||
| # pool: <https://www.pool.ntp.org/join.html> | ||
| {% if pools %}# pools | ||
| {% endif %} | ||
| {% for pool in pools -%} | ||
| pool {{pool}} iburst | ||
| {% endfor %} | ||
| {%- if servers %}# servers | ||
| {% endif %} | ||
| {% for server in servers -%} | ||
| server {{server}} iburst | ||
| {% endfor %} | ||
| {% for peer in peers -%} | ||
| peer {{peer}} | ||
| {% endfor %} | ||
|
|
||
| # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html | ||
| # for details. | ||
| # | ||
| # Note that "restrict" applies to both servers and clients, so a configuration | ||
| # that might be intended to block requests from certain clients could also end | ||
| # up blocking replies from your own upstream servers. | ||
|
|
||
| # By default, exchange time with everybody, but don't allow configuration. | ||
| restrict default kod nomodify nopeer noquery limited | ||
|
|
||
| # Local users may interrogate the ntp server more closely. | ||
| restrict 127.0.0.1 | ||
| restrict ::1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| ## template:jinja | ||
|
|
||
| # For more information about this file, see the ntp.conf(5) man page. | ||
|
|
||
| # Use public servers from the pool.ntp.org project. | ||
| # Please consider joining the pool (https://www.pool.ntp.org/join.html). | ||
| {% if pools %}# pools | ||
| {% endif %} | ||
| {% for pool in pools -%} | ||
| pool {{pool}} iburst | ||
| {% endfor %} | ||
| {%- if servers %}# servers | ||
| {% endif %} | ||
| {% for server in servers -%} | ||
| server {{server}} iburst | ||
| {% endfor %} | ||
| {% for peer in peers -%} | ||
| peer {{peer}} | ||
| {% endfor %} | ||
|
|
||
| # Reduce the maximum number of servers used from the pool. | ||
| tos maxclock 5 | ||
|
|
||
| # Record the frequency of the system clock. | ||
| driftfile /var/lib/ntp/drift | ||
|
|
||
| # Disable configuration and monitoring access by default. | ||
| restrict default nomodify noquery | ||
|
|
||
| # Enable all access for localhost. | ||
| restrict 127.0.0.1 | ||
| restrict ::1 | ||
|
|
||
| # Enable writing of statistics records. | ||
| #statistics clockstats cryptostats loopstats peerstats |
Oops, something went wrong.