Univention Bugzilla – Bug 56661
Replace ntp with ntpsec - adjust univention-base-files
Last modified: 2024-03-15 19:01:28 CET
In Debian 12 ntp was changed into a transitional package. The replacement is ntpsec. univention-base-files provides (now obsolete) config files for ntp. We should provide equal config files for ntpsec and adjust the dependencies accordingly.

# apt info ntp
Package: ntp
Version: 1:4.2.8p15+dfsg-2~1.2.2+dfsg1-1+deb12u1
Priority: optional
Section: net
Source: ntpsec (1.2.2+dfsg1-1+deb12u1)
Maintainer: Richard Laager <rlaager@debian.org>
Installed-Size: 63.5 kB
Depends: ntpsec
Homepage: https://www.ntpsec.org
Download-Size: 22.0 kB
APT-Manual-Installed: yes
APT-Sources: http://security.debian.org/debian-security bookworm-security/main amd64 Packages
Description: Network Time Protocol daemon/utilities (transitional package)
 This is a dummy transitional package to transition to NTPsec. It can be safely removed.

Previous config files:
# apt-file show ntp
ntp: /etc/NetworkManager/dispatcher.d/ntp
ntp: /etc/apparmor.d/tunables/ntpd
ntp: /etc/apparmor.d/usr.sbin.ntpd
ntp: /etc/apparmor/init/network-interface-security/usr.sbin.ntpd
ntp: /etc/cron.daily/ntp
ntp: /etc/default/ntp
ntp: /etc/dhcp/dhclient-exit-hooks.d/ntp
ntp: /etc/init.d/ntp
ntp: /etc/ntp.conf
…

New config files:
# apt-file show ntpsec
ntpsec: /etc/NetworkManager/dispatcher.d/ntpsec
ntpsec: /etc/apparmor.d/tunables/ntpd
ntpsec: /etc/apparmor.d/usr.sbin.ntpd
ntpsec: /etc/apparmor/init/network-interface-security/usr.sbin.ntpd
ntpsec: /etc/cron.d/ntpsec
ntpsec: /etc/default/ntpsec
ntpsec: /etc/dhcp/dhclient-exit-hooks.d/ntpsec
ntpsec: /etc/init.d/ntpsec
ntpsec: /etc/letsencrypt/renewal-hooks/deploy/ntpsec
ntpsec: /etc/ntpsec/ntp.conf
…

Provided UCR templates:
base/univention-base-files/conffiles/etc/default/ntpdate
base/univention-base-files/conffiles/etc/ntp.conf

Config diff:
--- /etc/ntp.conf
+++ /etc/ntpsec/ntp.conf
@@ -1,51 +1,60 @@ -# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help +# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help -driftfile /var/lib/ntpsec/ntp.drift +driftfile /var/lib/ntp/ntp.drift + +# Leap seconds definition provided by tzdata leapfile /usr/share/zoneinfo/leap-seconds.list -# To enable Network Time Security support as a server, obtain a certificate -# (e.g. with Let's Encrypt), configure the paths below, and uncomment: -# nts cert CERT_FILE -# nts key KEY_FILE -# nts enable - -# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. -#statsdir /var/log/ntpsec/ -#statistics loopstats peerstats clockstats -#filegen loopstats file loopstats type day enable -#filegen peerstats file peerstats type day enable -#filegen clockstats file clockstats type day enable - -# This should be maxclock 7, but the pool entries count towards maxclock. -tos maxclock 11 - -# Comment this out if you have a refclock and want it to be able to discipline -# the clock by itself (e.g. if the system is not connected to the network). -tos minclock 4 minsane 3 +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable -# Specify one or more NTP servers. -# Public NTP servers supporting Network Time Security: -# server time.cloudflare.com nts +# You do need to talk to an NTP server or two (or three). +#server ntp.your-provider.example # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. 
Please consider joining the -# pool: <https://www.pool.ntp.org/join.html> +# pool: <http://www.pool.ntp.org/join.html> pool 0.debian.pool.ntp.org iburst pool 1.debian.pool.ntp.org iburst pool 2.debian.pool.ntp.org iburst pool 3.debian.pool.ntp.org iburst -# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html -# for details. + +# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for +# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> +# might also be helpful. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. -restrict default kod nomodify nopeer noquery limited +restrict -4 default kod notrap nomodify nopeer noquery limited +restrict -6 default kod notrap nomodify nopeer noquery limited # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 -restrict :1 \ No newline at end of file +restrict ::1 + +# Needed for adding pool entries +restrict source notrap nomodify noquery + +# Clients from this (example!) subnet have unlimited access, but only if +# cryptographically authenticated. +#restrict 192.168.123.0 mask 255.255.255.0 notrust + + +# If you want to provide time to your local subnet, change the next line. +# (Again, the address is an example only.) +#broadcast 192.168.123.255 + +# If you want to listen to time broadcasts on your local subnet, de-comment the +# next lines. Please do this only if you trust everybody on the network! +#disable auth +#broadcastclient
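Review bot: the hunk's sign is inverted relative to its headers: `---` names /etc/ntp.conf and `+++` names /etc/ntpsec/ntp.conf, yet the `-` lines carry the ntpsec content (`-driftfile /var/lib/ntpsec/ntp.drift`, the `nts cert`/`nts key` block, `tos maxclock 11`) and the `+` lines carry the classic ntp content (`+driftfile /var/lib/ntp/ntp.drift`, `+restrict -4 default kod notrap nomodify nopeer noquery limited`). When porting the UCS template, take the `-` side as the target: the drift file must live under /var/lib/ntpsec, the ntpsec default collapses the two `-4`/`-6` restrict lines into one `restrict default kod nomodify nopeer noquery limited` without `notrap`, and since the four `pool` entries are kept, check whether the `restrict source notrap nomodify noquery` line that only the `+` side has is still needed for them. Separately, `-restrict :1` (with "No newline at end of file") is a typo for `::1` whichever file it comes from; the ported template should carry `restrict ::1`.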
*** Bug 56543 has been marked as a duplicate of this bug. ***
REOPEN: the config file has not been rebased. systemctl status ntpsec therefore shows these errors:
Okt 17 16:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 17 17:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 17 19:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 17 21:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 17 22:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 18 00:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Okt 18 03:50:29 master52 ntpd[1276929]: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: No such file or directory
Replaced all references to ntp, ntp.service and ntpdate with their respective new ntpsec variant. The config file has been moved from /etc/ntp.conf to /etc/ntpsec/ntp.conf. All relevant paths have been updated.
REOPEN: status says:
ntpd[1780335]: statistics directory /var/log/ntpstats/ does not exist or is unwriteable, error No such file or directory
A freshly upgraded system reports:
# systemctl status ntpsec
● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-11-16 22:27:11 CET; 2s ago
       Docs: man:ntpd(8)
    Process: 12965 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 12968 (ntpd)
      Tasks: 1 (limit: 3554)
     Memory: 2.7M
     CGroup: /system.slice/ntpsec.service
             └─12968 /usr/sbin/ntpd -p /run/ntpd.pid -g -N -c /run/ntpsec/ntp.conf.dhcp -u ntpsec:ntpsec

Nov 16 22:27:11 master072 ntpd[12968]: IO: Listening on routing socket on fd #25 for interface updates
Nov 16 22:27:11 master072 ntpd[12968]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
Nov 16 22:27:11 master072 ntpd[12968]: INIT: Built with OpenSSL 3.0.9 30 May 2023, 30000090
Nov 16 22:27:11 master072 ntpd[12968]: INIT: Running with OpenSSL 3.0.11 19 Sep 2023, 300000b0
Nov 16 22:27:11 master072 ntpd[12968]: NTSc: Using system default root certificates.
Nov 16 22:27:11 master072 ntpd[12968]: statistics directory /var/log/ntpstats/ does not exist or is unwriteable, error Permission denied
Nov 16 22:27:12 master072 ntpd[12968]: LOG: couldn't unlink /var/log/ntpstats/peerstats: Permission denied
Nov 16 22:27:12 master072 ntpd[12968]: LOG: can't open /var/log/ntpstats/peerstats.20231116: Permission denied
Nov 16 22:27:13 master072 ntpd[12968]: LOG: couldn't unlink /var/log/ntpstats/peerstats: Permission denied
Nov 16 22:27:13 master072 ntpd[12968]: LOG: can't open /var/log/ntpstats/peerstats.20231116: Permission denied

# ls -l /var/log/ntpstats/
insgesamt 24
-rw-r--r-- 2 ntp ntp  952 16. Nov 21:38 loopstats
-rw-r--r-- 2 ntp ntp  952 16. Nov 21:38 loopstats.20231116
-rw-r--r-- 2 ntp ntp 6856 16. Nov 21:38 peerstats
-rw-r--r-- 2 ntp ntp 6856 16. Nov 21:38 peerstats.20231116

# ls -ld /var/log/ntpstats/
drwxr-xr-x 2 ntp ntp 4096 16. Nov 21:28 /var/log/ntpstats/
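An added example, not from the bug report or from UCS code: a small shell check that would have caught both reopen causes reported in this bug (drift file under a directory that does not exist, stats directory owned by the old ntp user instead of the daemon user). The function name check_ntpsec_paths and the config and paths used in the test are constructed.

```shell
#!/bin/sh
# Constructed check, not part of the bug or of UCS: read the driftfile and
# statsdir directives from an ntp.conf and verify that the directories exist
# and are owned by the user ntpd runs as (ntpsec:ntpsec on Debian 12).
# Commented-out directives (e.g. "#statsdir ...") are ignored on purpose.

owner_of() {
    # portable owner lookup: third column of "ls -ld"
    ls -ld "$1" | awk '{print $3}'
}

check_dir() {
    # $1 = label, $2 = directory, $3 = expected owner; prints a finding, returns 1 on failure
    if [ ! -d "$2" ]; then
        echo "$1: directory $2 does not exist"
        return 1
    elif [ "$(owner_of "$2")" != "$3" ]; then
        echo "$1: directory $2 is owned by $(owner_of "$2"), expected $3"
        return 1
    fi
    return 0
}

# check_ntpsec_paths CONF USER -> exit status 0 when every configured path is usable
check_ntpsec_paths() {
    conf="$1"; user="$2"; rc=0
    # ntpd writes <driftfile>-tmp and renames it, so the parent directory must
    # be writable by the daemon user (the "/var/lib/ntp/ntp.drift-tmp" error above).
    drift=$(awk '$1 == "driftfile" {print $2}' "$conf")
    if [ -n "$drift" ]; then
        check_dir driftfile "$(dirname "$drift")" "$user" || rc=1
    fi
    # statsdir must exist and belong to the daemon user before statistics are enabled
    # (the "/var/log/ntpstats/ ... Permission denied" errors above).
    stats=$(awk '$1 == "statsdir" {print $2}' "$conf")
    if [ -n "$stats" ]; then
        check_dir statsdir "$stats" "$user" || rc=1
    fi
    return $rc
}
```

On a real system run it as `check_ntpsec_paths /etc/ntpsec/ntp.conf ntpsec` before enabling statistics in the template.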
The configuration file /etc/ntpsec/ntp.conf differs from Debian 12:
@@ -19,26 +9,43 @@ # nts key KEY_FILE # nts enable -# ntpd will use syslog() if logfile is not defined -#logfile /var/log/ntpsec +# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. +#statsdir /var/log/ntpsec/ +#statistics loopstats peerstats clockstats +#filegen loopstats file loopstats type day enable +#filegen peerstats file peerstats type day enable +#filegen clockstats file clockstats type day enable + +# This should be maxclock 7, but the pool entries count towards maxclock. +tos maxclock 11 + +# Comment this out if you have a refclock and want it to be able to discipline +# the clock by itself (e.g. if the system is not connected to the network). +tos minclock 4 minsane 3 + +# Specify one or more NTP servers. + +# Public NTP servers supporting Network Time Security: +# server time.cloudflare.com nts + +# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will +# pick a different set every time it starts up. Please consider joining the +# pool: <https://www.pool.ntp.org/join.html> +pool 0.debian.pool.ntp.org iburst +pool 1.debian.pool.ntp.org iburst +pool 2.debian.pool.ntp.org iburst +pool 3.debian.pool.ntp.org iburst + +# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html +# for details. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# By default, exchange time with everybody, but don't allow configuration. 
+restrict default kod nomodify nopeer noquery limited -statsdir /var/log/ntpsec -statistics loopstats peerstats clockstats -filegen loopstats file loopstats type day enable -filegen peerstats file peerstats type day enable -filegen clockstats file clockstats type day enable - -server ntp.knut.univention.de burst -ntpsigndsocket /var/lib/samba/ntp_signd -restrict default mssntp noquery +# Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 -tinker panic 0 - - -### Synchronize with local server, if no other -### could be reached - -server 127.127.1.0 -fudge 127.127.1.0 stratum 5 -
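Review bot: the `-` side of this hunk drops three lines that the Debian default on the `+` side never had and that the Samba AD DC role depends on for MS-SNTP signed time: `server ntp.knut.univention.de burst`, `ntpsigndsocket /var/lib/samba/ntp_signd` and `restrict default mssntp noquery`. The ntpsec template must keep rendering the signing socket and the `mssntp` flag (conditionally on the role, as before) rather than adopting the Debian file verbatim; the same applies to `tinker panic 0` and the local-clock fallback `server 127.127.1.0` / `fudge 127.127.1.0 stratum 5`, whose removal should be a deliberate decision, not a side effect of the rebase. Also `statsdir /var/log/ntpsec` becomes `#statsdir /var/log/ntpsec/` with the `statistics`/`filegen` lines commented out; if the template keeps statistics enabled, the directory must exist and be owned by ntpsec:ntpsec, which is exactly the /var/log/ntpstats permission error reported in the comments above.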
OK: after the upgrade the ntpsec service is running, no errors in the logs
OK: all directories have correct permissions
OK: new installations
OK: changelog entry
univention-server (17.0.2) 975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC
univention-samba4 (11.0.3) 975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC
univention-management-console-module-diagnostic (8.0.2) 975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC
univention-base-files (11.0.2) 975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC
ucs-test (12.0.5) 975fe85d4ec5 | Bug #56661: migrate from NTP to NTPSEC