support Debian 12 / Bookworm / ntpsec #699

Open
juliantaylor opened this issue Sep 14, 2023 · 4 comments
juliantaylor commented Sep 14, 2023

Use Case

Debian 12/Bookworm switched their ntp package to ntpsec:
https://salsa.debian.org/debian/ntpsec/-/blob/debian/unstable/debian/NEWS

It is mostly a drop-in replacement, and the package copies configurations to new locations on upgrades so nothing breaks, but you cannot modify the ntpd configuration via this module anymore after the upgrade.

With a couple of configuration changes it can be made to work, so probably only a few OS defaults need to be changed:

```yaml
# default ntp is a transitional package, install ntpsec
ntp::package_name: [ntpsec]
ntp::driftfile: /var/lib/ntpsec/ntp.drift
ntp::config: /etc/ntpsec/ntp.conf
ntp::daemon_config: /etc/default/ntpsec
```

Some other minor things: ntp::statsdir is not created by the package, so it may be good if it is created by the module if set.

Setting ntp::disable_auth: true with ntpsec results in a syntax error warning during startup; other disable flags do seem to work.
(ntpsec also supports the enable [auth | stats ...] option)

octomike commented Oct 2, 2023

It does break Debian 12 / bookworm somewhat.

The ntpsec package ships with an apparmor profile and the old driftfile location (copied from ntp.conf) is denied:

```
[313205.924891] audit: type=1400 audit(1696226693.748:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift-tmp" pid=705 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
```

The current state of the module renders ntp unmanaged on new installs and broken on upgraded systems.
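
A way to spot this condition on upgraded hosts, as an added example that is not part of the original comment or the module: it parses kernel audit lines and reports AppArmor denials where the ntpd profile blocked access under the old state directory. The directory constants come from the paths quoted in this thread; the function names and the second sample line are constructed for illustration.

```python
import re

# Constructed sample: the first line is the denial quoted in this issue,
# the second is a made-up unrelated denial for contrast.
SAMPLE_LOG = '''\
[313205.924891] audit: type=1400 audit(1696226693.748:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift-tmp" pid=705 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
[313300.000001] audit: type=1400 audit(1696226800.000:54): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=900 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# Assumption: state directories as quoted in this thread (old ntp package
# versus ntpsec on Debian 12). The trailing slash keeps the legacy prefix
# from matching /var/lib/ntpsec/.
LEGACY_DIR = "/var/lib/ntp/"
NTPSEC_DIR = "/var/lib/ntpsec/"

# key=value or key="quoted value" pairs as they appear in audit records
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_fields(line):
    """Return the key=value fields of one kernel audit line as a dict."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def legacy_path_denials(log_text, profile="/usr/sbin/ntpd"):
    """Find AppArmor denials where ntpd touched the pre-ntpsec state dir."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_audit_fields(line)
        if fields.get("apparmor") != "DENIED":
            continue
        if fields.get("profile") != profile:
            continue
        name = fields.get("name", "")
        if name.startswith(LEGACY_DIR):
            findings.append({
                "path": name,
                "operation": fields.get("operation"),
                "denied_mask": fields.get("denied_mask"),
                "expected_dir": NTPSEC_DIR,
            })
    return findings


if __name__ == "__main__":
    for hit in legacy_path_denials(SAMPLE_LOG):
        print(f'{hit["operation"]} denied on {hit["path"]}; '
              f'profile expects state under {hit["expected_dir"]}')
```
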

mdklapwijk commented Sep 20, 2024

This at least starts ntpsec using the /etc/ntp.conf:

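```puppet
# Make the path ntpsec reads a link to the file the module manages,
# and restart the service when the link changes.
File['/etc/ntp.conf']
-> file { '/etc/ntpsec/ntp.conf':
  target  => '/etc/ntp.conf',
  replace => true,
}
~> Service['ntp']
```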

perlybird commented Dec 19, 2024

CAT-2100 claims to add support for Debian 12/Bookworm in version v11.0.0, but that is not the case: if you try to configure ntpsec with this module, it has no effect at all.
The reason is that this module manages the configuration file for ntp in /etc/ntp.conf, but the ntpsec daemon which is started in Bookworm uses another configuration file, /etc/ntpsec/ntp.conf, which stays unchanged.
If you try to configure the daemon command line options of ntpsec using ntp::daemon_extra_opts, the setting is created in /etc/ntpsec/ntp.conf, which is the wrong place for such a setting because it should be configured in /etc/default/ntpsec.
As already said in this issue above, even if you configure ntp::statsdir, the directory is not created and you always get an error at start time that the statistics directory is missing.
I could list some more bugs, but I would say that the list here is already a good start ;)
