cloud-config user-data: ntp to provide ntp_client: ntpsec support #5631
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
documentation
blackboxsw
added a commit
to blackboxsw/cloud-init
that referenced
this pull request
Aug 21, 2024
…onical#5631) In many distributions, ntp is a transitional package that provides a mechansim to install either ntpd or ntpsec. Installing ntp transitional package may cause issues with APT package dependency resolution when APT sources are not updated and latest systemd-timesyncd is out of date because both systemd-timesyncd and ntpsec declare a Provides: time-daemon and conflict with an unresolvable version upgrade path unless the conflicting package also happens to be fully updated. Add #cloud-config 'ntpsec' option for 'ntp_client' in user-data to allow opting into the specific ntpsec client over transitional ntp package on alpine, debian, redhat, sles and ubuntu. Add template config files for rhel, sles, ubuntu, debian and alpine obtain by pulling latest configuration files from lxc container launches of each distribution. Add json schema strict enum of ntp_client type to better document and limit ntp_client values to valid configuration. Update integration tests to prefer ntpsec over ntp
blackboxsw
force-pushed
the
ntp-provide-ntpsec-client-option
branch
from
fd75c51
to
09bd0ce
Compare
blackboxsw
added a commit
to blackboxsw/cloud-init
that referenced
this pull request
Aug 22, 2024
- Avoid subp call to ifconfig -a as side-effect of __init__ in cloudinit.distros.networking.BSDNetworking by declaring a cached @Property 'ifs' that is only called when needed to avoid mocking - Drop CiTestCase and FilesystemMockingTestCase uses in favor of pytest, fixtures and tmpdir/caplog use - pytest parametrize a couple of tests based on ntp_client input params to avoid nested for loops in unittests
blackboxsw
force-pushed
the
ntp-provide-ntpsec-client-option
branch
from
09bd0ce
to
95c0b51
Compare
blackboxsw
added a commit
to blackboxsw/cloud-init
that referenced
this pull request
Aug 22, 2024
…onical#5631) In many distributions, ntp is a transitional package that provides a mechansim to install either ntpd or ntpsec. Installing ntp transitional package may cause issues with APT package dependency resolution when APT sources are not updated and latest systemd-timesyncd is out of date because both systemd-timesyncd and ntpsec declare a Provides: time-daemon and conflict with an unresolvable version upgrade path unless the conflicting package also happens to be fully updated. Add #cloud-config 'ntpsec' option for 'ntp_client' in user-data to allow opting into the specific ntpsec client over transitional ntp package on alpine, debian, redhat, sles and ubuntu. Add template config files for rhel, sles, ubuntu, debian and alpine obtain by pulling latest configuration files from lxc container launches of each distribution. Add json schema strict enum of ntp_client type to better document and limit ntp_client values to valid configuration. Update integration tests to prefer ntpsec over ntp
blackboxsw
added a commit
to blackboxsw/cloud-init
that referenced
this pull request
Aug 23, 2024
- Avoid subp call to ifconfig -a as side-effect of __init__ in cloudinit.distros.networking.BSDNetworking by declaring a cached @Property 'ifs' that is only called when needed to avoid mocking - Drop CiTestCase and FilesystemMockingTestCase uses in favor of pytest, fixtures and tmpdir/caplog use - pytest parametrize a couple of tests based on ntp_client input params to avoid nested for loops in unittests
blackboxsw
added a commit
to blackboxsw/cloud-init
that referenced
this pull request
Aug 23, 2024
…onical#5631) In many distributions, ntp is a transitional package that provides a mechansim to install either ntpd or ntpsec. Installing ntp transitional package may cause issues with APT package dependency resolution when APT sources are not updated and latest systemd-timesyncd is out of date because both systemd-timesyncd and ntpsec declare a Provides: time-daemon and conflict with an unresolvable version upgrade path unless the conflicting package also happens to be fully updated. Add #cloud-config 'ntpsec' option for 'ntp_client' in user-data to allow opting into the specific ntpsec client over transitional ntp package on alpine, debian, redhat, sles and ubuntu. Add template config files for rhel, sles, ubuntu, debian and alpine obtain by pulling latest configuration files from lxc container launches of each distribution. Add json schema strict enum of ntp_client type to better document and limit ntp_client values to valid configuration. Update integration tests to prefer ntpsec over ntp
blackboxsw
force-pushed
the
ntp-provide-ntpsec-client-option
branch
from
95c0b51
to
931357f
Compare
- Avoid subp call to ifconfig -a as side-effect of __init__ in cloudinit.distros.networking.BSDNetworking by declaring a cached @Property 'ifs' that is only called when needed to avoid mocking - Drop CiTestCase and FilesystemMockingTestCase uses in favor of pytest, fixtures and tmpdir/caplog use - pytest parametrize a couple of tests based on ntp_client input params to avoid nested for loops in unittests
…onical#5631) In many distributions, ntp is a transitional package that provides a mechansim to install either ntpd or ntpsec. Installing ntp transitional package may cause issues with APT package dependency resolution when APT sources are not updated and latest systemd-timesyncd is out of date because both systemd-timesyncd and ntpsec declare a Provides: time-daemon and conflict with an unresolvable version upgrade path unless the conflicting package also happens to be fully updated. Add #cloud-config 'ntpsec' option for 'ntp_client' in user-data to allow opting into the specific ntpsec client over transitional ntp package on alpine, debian, redhat, sles and ubuntu. Add template config files for rhel, sles, ubuntu, debian and alpine obtain by pulling latest configuration files from lxc container launches of each distribution. Add json schema strict enum of ntp_client type to better document and limit ntp_client values to valid configuration. Update integration tests to prefer ntpsec over ntp
blackboxsw
force-pushed
the
ntp-provide-ntpsec-client-option
branch
from
931357f
to
9c66960
Compare
There was a problem hiding this comment.
Having this file doesn't make sense as Busybox's ntpd is limited and does not support NTPSEC.
ntpsec and openntpd are packages for Alpine but cloud-init doesn't currently support them (or ntpd-rs either, which I might consider adding support for in the future).
aciba90
reviewed
Sep 3, 2024
There was a problem hiding this comment.
General approach looks good, thanks @blackboxsw.
I left an inline question about an integration tests. In addition to that, could you please resolve the merge conflict?
| pytest.skip("/etc/ntp.conf.dist does not exist") | ||
| dist_file = class_client.read_from_file("/etc/ntp.conf.dist") | ||
| if class_client.execute( | ||
| "test -e /etc/ntpsec/ntp.conf.dpkg-dist" |
There was a problem hiding this comment.
Shouldn't we operate over /etc/ntpsec/ntp.conf.dist?
Suggested change
| "test -e /etc/ntpsec/ntp.conf.dpkg-dist" | |
| "test -e /etc/ntpsec/ntp.conf.dist" |
/etc/ntpsec/ntp.conf.dist is the file cloud-init renames if /etc/ntpsec/ntp.conf is present and /etc/ntpsec/ntp.conf.dpkg-dist is the one apt / dpkg creates on installation / upgrade paths.
| pytest.skip("/etc/ntpsec/ntp.conf.dpkg-dist does not exist") | ||
| dist_file = class_client.read_from_file( | ||
| "/etc/ntpsec/ntp.conf.dpkg-dist" | ||
| ) | ||
| assert 0 == len(dist_file.strip().splitlines()) |
There was a problem hiding this comment.
This assertion fails, the file has content. Is this due to my previous comment?
It feels like somewhere while the test instance is being customized or the last boot, ntpsec gets reinstalled with /etc/ntpsec/ntp.conf present and modified and then etc/ntpsec/ntp.conf.dpkg-dist gets created as a backup by dpkg.
Is this a testing error or what is the intention with this test?
|
Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close. If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon. (If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.) |
github-actions
bot
added
the
stale-pr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Due to the ntp being a transitional package in may install ntpd or ntpsec on different distributions, it may be preferred
to specify ntpsec as the preferred ntp_client in general to strictly define the client that an admin wishes to install/enable. Provide a mechanism to directly prefer a specific
ntp_client: ntpsecinstead of the ntp transitional package.Also, in Ubuntu, daily integration tests against development Ubuntu series will occasionally hit issues with APT dependency resolution when trying to provide user-data declaring a preference for ntp transitional package when systemd-timesyncd packages in Ubuntu cloud images are out of date with latest published packages in the -updates pocket. APT is unable to resolve a stale systemd-timesyncd package as it
Provides: time-daemonwhich conflicts withntpsecwhich alsoProvides: time-daemon.Proposed Commit Message
see individual commits
ntp_client: ntpsecsupport to #cloud-configAdditional Context
Intermittent yet repeated ntp error on ubuntu devel releases
https://jenkins.canonical.com/server-team/view/cloud-init/job/cloud-init-integration-oracular-lxd_container/48/
Test Steps
Merge type