
chrony not listening as a server
Closed, Resolved | Public | BUG

Description

The "deny all" option that is always set currently in the chrony config overrides any allow option set. This forces chrony to never listen to NTP requests.

This can be seen by setting up the NTP server, committing, and running ss -antpul | grep 123. I see nothing listening to port 123.

It looks like "allow all" or "deny all" options trounce any other allow or deny options: https://chrony.tuxfamily.org/doc/3.4/chrony.conf.html#_ntp_server

I was able to fix this temporarily by removing the "deny all" option in the generated config and restarting chrony. After that, clients could use the VyOS router for NTP.

I don't think "deny all" is needed at all, but I already have a PR to put the "deny all" in an else condition so it will only appear in the config if no allowed IPs are added.

Details

Difficulty level
Easy (less than an hour)
Version
1.4-rolling-202301210856
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

This comment was removed by kylem.
kylem updated the task description.
Viacheslav changed the task status from Open to Needs testing. Feb 7 2023, 4:03 PM
Viacheslav assigned this task to kylem.
kylem closed this task as Resolved. Feb 7 2023, 4:16 PM (edited)

I built a 1.4 ISO after my change was merged and deployed it to my home network. Setting a restrictive allow list works as expected; only the allowed IPs/subnets are able to use NTP. Removing all allow IPs prevents chrony/ntp from even listening to port 123. I don't think the "deny all" is needed in the code at all, but it is also not preventing the service from running as expected, so I'll leave it.
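An added example, not part of the task or of the VyOS code base: a small lint for a generated chrony.conf that reports allow directives cancelled by a later "deny all", the ordering problem described in this task and in the chrony documentation linked above. The sample config and the function names are constructed for illustration, and the parser assumes allow/deny arguments are written as IP addresses or CIDR subnets.

```python
import ipaddress

# Constructed sample of a generated config with the reported ordering
# (addresses are documentation ranges, not taken from the task).
SAMPLE_CONF = """\
# constructed example
pool pool.example.org iburst
allow 192.0.2.0/24
allow 2001:db8::/32
deny all
"""

def _networks(arg):
    """Networks a directive covers; no argument means every IPv4 and IPv6 address."""
    if arg is None:
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    try:
        return [ipaddress.ip_network(arg, strict=False)]
    except ValueError:
        return []  # hostname or shorthand subnet: outside this example's scope

def parse_access_rules(text):
    """Yield (line_no, action, has_all, networks) for each allow/deny directive."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0] not in ("allow", "deny"):
            continue  # comments and unrelated directives
        args = words[1:]
        has_all = bool(args) and args[0] == "all"
        if has_all:
            args = args[1:]
        nets = _networks(args[0] if args else None)
        if nets:
            yield line_no, words[0], has_all, nets

def overridden_allows(text):
    """Return (allow_line, deny_line) pairs where a later 'deny all' covers an earlier allow."""
    findings, live_allows = [], []
    for line_no, action, has_all, nets in parse_access_rules(text):
        if action == "allow":
            live_allows.append((line_no, nets))
        elif has_all:
            still_live = []
            for allow_line, allow_nets in live_allows:
                covered = all(any(a.version == d.version and a.subnet_of(d)
                                  for d in nets) for a in allow_nets)
                if covered:
                    findings.append((allow_line, line_no))
                else:
                    still_live.append((allow_line, allow_nets))
            live_allows = still_live
    return findings
```

Running overridden_allows() over the rendered config in a template test or CI step catches this class of regression before an image ships.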