Bug 56661 - Replace ntp with ntpsec - adjust univention-base-files
Status: VERIFIED FIXED
Product: UCS
Classification: Unclassified
Component: NTP
UCS 5.2
Other Linux
Importance: P5 normal
: UCS 5.2
Assigned To: Marius Meschter
Florian Best
Duplicates: 56543
Depends on:
Blocks: 57147
Reported: 2023-09-26 10:59 CEST by Florian Best
Modified: 2024-03-15 19:01 CET (History)

Description Florian Best univentionstaff 2023-09-26 10:59:11 CEST
In Debian 12, ntp has become a transitional package; its replacement is ntpsec.

univention-base-files provides (now obsolete) config files for ntp.
We should provide equal config files for ntpsec and adjust the dependencies accordingly.

# apt info ntp
Package: ntp
Version: 1:4.2.8p15+dfsg-2~1.2.2+dfsg1-1+deb12u1
Priority: optional
Section: net
Source: ntpsec (1.2.2+dfsg1-1+deb12u1)
Maintainer: Richard Laager <rlaager@debian.org>
Installed-Size: 63.5 kB
Depends: ntpsec
Homepage: https://www.ntpsec.org
Download-Size: 22.0 kB
APT-Manual-Installed: yes
APT-Sources: http://security.debian.org/debian-security bookworm-security/main amd64 Packages
Description: Network Time Protocol daemon/utilities (transitional package)
 This is a dummy transitional package to transition to NTPsec.
 It can be safely removed.



Previous config files:
# apt-file show ntp
ntp: /etc/NetworkManager/dispatcher.d/ntp
ntp: /etc/apparmor.d/tunables/ntpd
ntp: /etc/apparmor.d/usr.sbin.ntpd
ntp: /etc/apparmor/init/network-interface-security/usr.sbin.ntpd
ntp: /etc/cron.daily/ntp
ntp: /etc/default/ntp
ntp: /etc/dhcp/dhclient-exit-hooks.d/ntp
ntp: /etc/init.d/ntp
ntp: /etc/ntp.conf
…

New config files:
# apt-file show ntpsec
ntpsec: /etc/NetworkManager/dispatcher.d/ntpsec
ntpsec: /etc/apparmor.d/tunables/ntpd
ntpsec: /etc/apparmor.d/usr.sbin.ntpd
ntpsec: /etc/apparmor/init/network-interface-security/usr.sbin.ntpd
ntpsec: /etc/cron.d/ntpsec
ntpsec: /etc/default/ntpsec
ntpsec: /etc/dhcp/dhclient-exit-hooks.d/ntpsec
ntpsec: /etc/init.d/ntpsec
ntpsec: /etc/letsencrypt/renewal-hooks/deploy/ntpsec
ntpsec: /etc/ntpsec/ntp.conf
…

Provided UCR templates:
base/univention-base-files/conffiles/etc/default/ntpdate
base/univention-base-files/conffiles/etc/ntp.conf

Config diff:
--- /etc/ntp.conf
+++ /etc/ntpsec/ntp.conf
@@ -1,51 +1,60 @@
-# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

-driftfile /var/lib/ntpsec/ntp.drift
+driftfile /var/lib/ntp/ntp.drift
+
+# Leap seconds definition provided by tzdata
 leapfile /usr/share/zoneinfo/leap-seconds.list

-# To enable Network Time Security support as a server, obtain a certificate
-# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
-# nts cert CERT_FILE
-# nts key KEY_FILE
-# nts enable
-
-# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
-#statsdir /var/log/ntpsec/
-#statistics loopstats peerstats clockstats
-#filegen loopstats file loopstats type day enable
-#filegen peerstats file peerstats type day enable
-#filegen clockstats file clockstats type day enable
-
-# This should be maxclock 7, but the pool entries count towards maxclock.
-tos maxclock 11
-
-# Comment this out if you have a refclock and want it to be able to discipline
-# the clock by itself (e.g. if the system is not connected to the network).
-tos minclock 4 minsane 3
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable

-# Specify one or more NTP servers.

-# Public NTP servers supporting Network Time Security:
-# server time.cloudflare.com nts
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example

 # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 # pick a different set every time it starts up.  Please consider joining the
-# pool: <https://www.pool.ntp.org/join.html>
+# pool: <http://www.pool.ntp.org/join.html>
 pool 0.debian.pool.ntp.org iburst
 pool 1.debian.pool.ntp.org iburst
 pool 2.debian.pool.ntp.org iburst
 pool 3.debian.pool.ntp.org iburst

-# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
-# for details.
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.

 # By default, exchange time with everybody, but don't allow configuration.
-restrict default kod nomodify nopeer noquery limited
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited

 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
-restrict :1
\ No newline at end of file
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
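Review bot: the file header and the hunk body point in opposite directions. `--- /etc/ntp.conf` / `+++ /etc/ntpsec/ntp.conf` labels the ntpsec file as the new side, but the `-` lines carry the ntpsec content (`driftfile /var/lib/ntpsec/ntp.drift`, `tos maxclock 11`, the `nts cert`/`nts enable` comments) and the `+` lines the old ntp content; swap the header or regenerate the diff so it is clear which side is the target for the UCR template. Two details on the ntpsec side also need attention: `-restrict :1` (marked `\ No newline at end of file`) is not the IPv6 loopback address, the ntp side's `restrict ::1` is the correct spelling; and the ntpsec `restrict default kod nomodify nopeer noquery limited` is one line without the `-4`/`-6` split and without `notrap`, so whichever set of flags the template carries should be the one the target daemon documents. Finally, the ntp side enables `statistics`/`filegen` with `#statsdir /var/log/ntpstats/` commented out, while the ntpsec side keeps all of these commented and notes that `/var/log/ntpsec` must exist owned by `ntpsec:ntpsec`; the template's statsdir has to match the directory the package actually creates, otherwise ntpd cannot write its stats files.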
Comment 2 Marius Meschter univentionstaff 2023-10-10 16:02:59 CEST
*** Bug 56543 has been marked as a duplicate of this bug. ***
Comment 3 Florian Best univentionstaff 2023-10-23 18:07:35 CEST
REOPEN: the config file has not been rebased.
systemctl status ntpsec therefore shows these errors:
Okt 17 16:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 17 17:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 17 19:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 17 21:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 17 22:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 18 00:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 18 03:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Comment 4 Marius Meschter univentionstaff 2023-11-07 16:27:30 CET
Replaced all references to ntp, ntp.service and ntpdate with their respective new ntpsec variants. The config file has been moved from /etc/ntp.conf to /etc/ntpsec/ntp.conf. All relevant paths have been updated.
Comment 5 Florian Best univentionstaff 2023-11-08 19:00:54 CET
REOPEN: status says:
ntpd[1780335]: statistics directory /var/log/ntpstats/ does not exist or is unwriteable, error No such file or directory
Comment 6 Florian Best univentionstaff 2023-11-16 22:28:47 CET
A freshly upgraded system reports:

# systemctl status ntpsec
● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-11-16 22:27:11 CET; 2s ago
       Docs: man:ntpd(8)
    Process: 12965 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 12968 (ntpd)
      Tasks: 1 (limit: 3554)
     Memory: 2.7M
     CGroup: /system.slice/ntpsec.service
             └─12968 /usr/sbin/ntpd -p /run/ntpd.pid -g -N -c /run/ntpsec/ntp.conf.dhcp -u ntpsec:ntpsec

Nov 16 22:27:11 master072 ntpd[12968]: IO: Listening on routing socket on fd #25 for interface updates
Nov 16 22:27:11 master072 ntpd[12968]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
Nov 16 22:27:11 master072 ntpd[12968]: INIT: Built with OpenSSL 3.0.9 30 May 2023, 30000090
Nov 16 22:27:11 master072 ntpd[12968]: INIT: Running with OpenSSL 3.0.11 19 Sep 2023, 300000b0
Nov 16 22:27:11 master072 ntpd[12968]: NTSc: Using system default root certificates.
Nov 16 22:27:11 master072 ntpd[12968]: statistics directory /var/log/ntpstats/ does not exist or is unwriteable, error Permission denied
Nov 16 22:27:12 master072 ntpd[12968]: LOG: couldn't unlink /var/log/ntpstats/peerstats: Permission denied
Nov 16 22:27:12 master072 ntpd[12968]: LOG: can't open /var/log/ntpstats/peerstats.20231116: Permission denied
Nov 16 22:27:13 master072 ntpd[12968]: LOG: couldn't unlink /var/log/ntpstats/peerstats: Permission denied
Nov 16 22:27:13 master072 ntpd[12968]: LOG: can't open /var/log/ntpstats/peerstats.20231116: Permission denied
# ls -l /var/log/ntpstats/
insgesamt 24
-rw-r--r-- 2 ntp ntp  952 16. Nov 21:38 loopstats
-rw-r--r-- 2 ntp ntp  952 16. Nov 21:38 loopstats.20231116
-rw-r--r-- 2 ntp ntp 6856 16. Nov 21:38 peerstats
-rw-r--r-- 2 ntp ntp 6856 16. Nov 21:38 peerstats.20231116
# ls -ld /var/log/ntpstats/
drwxr-xr-x 2 ntp ntp 4096 16. Nov 21:28 /var/log/ntpstats/
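The failures in comments 5 and 6 have one root cause: ntpd needs the directories named by `driftfile` and `statsdir` to exist and to be writable by the user it now runs as (`ntpsec:ntpsec`), while the upgraded system still had `/var/log/ntpstats` owned by `ntp:ntp`. The following shell check is an added example, not part of univention-base-files, Debian's ntpsec package or anything the reporter posted: it audits an NTPsec `ntp.conf` for exactly these pitfalls (missing or wrongly owned directories, `statistics` enabled without a `statsdir`) and, from the config diff above, for `restrict default` lines that lost `nomodify`/`noquery` and for `broadcastclient`/`disable auth` left active. All paths, the `write_sample_conf` helper and the sample configuration it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of univention-base-files or Debian's ntpsec package):
# audit an NTPsec ntp.conf for the migration pitfalls seen in this bug.
#   - driftfile/statsdir/logfile directories that do not exist or are not
#     owned by the daemon user (comments 5/6: /var/log/ntpstats missing, then
#     owned by ntp:ntp while ntpd runs as ntpsec:ntpsec)
#   - statistics enabled without a statsdir
#   - "restrict default" lines that lost nomodify/noquery
#   - broadcastclient / "disable auth" left active
# All paths and the sample configuration below are constructed for the demo.

RESTRICT_DEFAULT_RE='^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default'

# audit_ntpsec_conf CONF USER
# Prints one line per finding; the return status is the number of findings.
audit_ntpsec_conf() {
    conf=$1
    user=$2
    findings=0

    # drop comments and blank lines so directives can be matched by keyword
    stripped=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. directories the daemon must be able to write to
    for kw in driftfile statsdir logfile; do
        path=$(printf '%s\n' "$stripped" | awk -v k="$kw" '$1 == k { print $2; exit }')
        [ -n "$path" ] || continue
        case $kw in
            statsdir) dir=${path%/} ;;           # statsdir names the directory itself
            *)        dir=$(dirname "$path") ;;  # driftfile/logfile name a file
        esac
        if [ ! -d "$dir" ]; then
            printf 'MISSING: %s directory %s does not exist\n' "$kw" "$dir"
            findings=$((findings + 1))
        elif [ -z "$(find "$dir" -maxdepth 0 -user "$user" 2>/dev/null)" ]; then
            printf 'OWNER: %s is not owned by %s\n' "$dir" "$user"
            findings=$((findings + 1))
        fi
    done

    # 2. statistics without statsdir: ntpd falls back to a default directory
    #    it typically cannot write (the error quoted in comment 5)
    if printf '%s\n' "$stripped" | grep -q '^[[:space:]]*statistics' &&
       ! printf '%s\n' "$stripped" | grep -q '^[[:space:]]*statsdir'; then
        printf 'STATS: statistics enabled but no statsdir configured\n'
        findings=$((findings + 1))
    fi

    # 3. every "restrict default" line must keep nomodify and noquery
    lines=$(printf '%s\n' "$stripped" | grep -E "$RESTRICT_DEFAULT_RE" || true)
    if [ -z "$lines" ]; then
        printf 'RESTRICT: no "restrict default" line present\n'
        findings=$((findings + 1))
    else
        for flag in nomodify noquery; do
            if printf '%s\n' "$lines" | grep -vqw "$flag"; then
                printf 'RESTRICT: a "restrict default" line lacks %s\n' "$flag"
                findings=$((findings + 1))
            fi
        done
    fi

    # 4. directives that only make sense on a fully trusted network
    for bad in 'disable auth' broadcastclient; do
        if printf '%s\n' "$stripped" | grep -q "^[[:space:]]*$bad"; then
            printf 'TRUST: "%s" is active\n' "$bad"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# write_sample_conf DIR: constructed config mirroring the state in comment 6
# (statistics on, statsdir directory absent). Not a real UCS template.
write_sample_conf() {
    mkdir -p "$1/var/lib/ntpsec"
    cat > "$1/ntp.conf" <<EOF
# constructed sample
driftfile $1/var/lib/ntpsec/ntp.drift
statsdir $1/var/log/ntpsec/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
restrict default kod nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
EOF
}

# stand-alone run: expect one MISSING finding for the statsdir
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir"
audit_ntpsec_conf "$demo_dir/ntp.conf" "$(id -un)" || printf 'findings: %d\n' "$?"
rm -rf "$demo_dir"
```

Run it against the real file with `audit_ntpsec_conf /etc/ntpsec/ntp.conf ntpsec` after sourcing the script; the owner test uses `find -user` rather than parsing `ls` output, so it works for both the ownership mismatch and the missing-directory case quoted in the comments.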
Comment 7 Florian Best univentionstaff 2023-11-16 22:40:21 CET
The configuration file /etc/ntpsec/ntp.conf differs from Debian 12:

@@ -19,26 +9,43 @@
 # nts key KEY_FILE
 # nts enable
 
-# ntpd will use syslog() if logfile is not defined
-#logfile /var/log/ntpsec
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+pool 0.debian.pool.ntp.org iburst
+pool 1.debian.pool.ntp.org iburst
+pool 2.debian.pool.ntp.org iburst
+pool 3.debian.pool.ntp.org iburst
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
 
-statsdir /var/log/ntpsec
-statistics loopstats peerstats clockstats
-filegen loopstats file loopstats type day enable
-filegen peerstats file peerstats type day enable
-filegen clockstats file clockstats type day enable
-
-server ntp.knut.univention.de burst
-ntpsigndsocket /var/lib/samba/ntp_signd
-restrict default mssntp noquery
+# Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
-tinker panic 0
-
-
-### Synchronize with local server, if no other
-### could be reached
-
-server 127.127.1.0
-fudge 127.127.1.0 stratum 5
-
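Review bot: the hunk has no `---`/`+++` header, so it does not say which side is the UCS-generated file and which is Debian's default; from the content, the `-` side carries the UCS-specific directives and the `+` side the stock Debian text, and the diff should state that. The removed lines change behaviour well beyond a rebase onto the new defaults: `ntpsigndsocket /var/lib/samba/ntp_signd` together with `restrict default mssntp noquery` is what lets Samba-joined Windows clients obtain signed time, `server 127.127.1.0` / `fudge 127.127.1.0 stratum 5` is the local-clock fallback the `###` comment describes, and `tinker panic 0` permits the large initial step. If the template is meant to keep any of these, they must reappear on the `+` side; if dropping them is intended, the change should be called out since the bug title only promises a package rename. Two points in favour of the `+` side: `restrict default kod nomodify nopeer noquery limited` is tighter than `restrict default mssntp noquery` and should be the base even where `mssntp` is added back, and `server ntp.knut.univention.de burst` uses `burst` rather than `iburst`, which the Debian pool lines use; `burst` sends a packet burst on every poll, not only at startup, so it should be `iburst` unless the upstream operator has agreed to it.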
Comment 8 Florian Best univentionstaff 2023-11-18 00:15:30 CET
OK: after the upgrade the ntpsec service is running, no errors in the logs
OK: all directories have correct permissions
OK: new installations
OK: changelog entry
Comment 9 Florian Best univentionstaff 2024-03-08 10:33:34 CET
univention-server (17.0.2)
975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC

univention-samba4 (11.0.3)
975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC

univention-management-console-module-diagnostic (8.0.2)
975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC

univention-base-files (11.0.2)
975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC

ucs-test (12.0.5)
975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC