Page MenuHomeVyOS Platform
Create Task
Maniphest T831

NTP daemon won't synchronize with "restrict default ignore"
Closed, ResolvedPublicBUG
Actions

Description

Upon service startup, the NTPd will refuse to accept time from its time sources (servers) if configured with "restrict default ignore". Users cannot alter this default by CLI. As shown below, this is hardcoded in the config generator script:

/usr/libexec/vyos/conf_mode/ntp.py: 
 34 #
 35 # Non-configurable defaults
 36 #
 37 driftfile /var/lib/ntp/ntp.drift
 38 # By default, only allow ntpd to query time sources, ignore any incoming requests
 39 restrict default ignore
 40 # Local users have unrestricted access, allowing reconfiguration via ntpdc
 41 restrict 127.0.0.1
 42 restrict -6 ::1

By configuring "restrict default noquery nopeer notrap nomodify", NTPd will start just fine and be available for downstream time sync within a few seconds.

To fix this, I propose to either alter line 39 in /usr/libexec/vyos/conf_mode/ntp.py from "restrict default ignore" to "restrict default noquery nopeer notrap nomodify" (works, tested) or allow this value to be user-configurable.

Best greetings!
Al

PS: VyOS version information:

Version:          VyOS 1.2.0-rolling+201808072059
Built by:         alainlamar
Built on:         Tue 07 Aug 2018 20:59 UTC
Build ID:         a8991cc6-24a5-4b63-ba9f-20d394c9743c

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  PC Engines
Hardware model:   apu2
Hardware S/N:     Unknown
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.2.0-rolling+201808072059
Why the issue appeared?
Issues in third-party code

Event Timeline

alainlamar created this task.Sep 5 2018, 7:45 PM
c-po added a subscriber: c-po.Sep 5 2018, 8:06 PM

Does downstreaming work when you configure set system ntp allow-clients address?

alainlamar added a comment.Sep 5 2018, 8:17 PM

In "broken" mode, no, as clients will refuse to sync to an unsynchrinized server. That's how I stumbled across this in first place.
In "fixed" mode, once NTPd is synced again, clients will fetch time from VyOS. On my testbed, I have this (now working) config:

vyos@vyos# show system ntp 
 allow-clients {
     address 192.168.44.0/24
     address 192.168.45.0/24
     address 192.168.30.0/24
     address 192.168.20.0/24
 }
 listen-address 192.168.20.254
 listen-address 192.168.30.254
 listen-address 192.168.44.254
 listen-address 192.168.45.254
 listen-address 127.0.0.1
 listen-address 172.31.255.1
 server 0.debian.pool.ntp.org {
 }
 server 0.de.pool.ntp.org {
 }
 server 1.debian.pool.ntp.org {
 }
 server 1.de.pool.ntp.org {
 }
 server 2.debian.pool.ntp.org {
 }
 server 2.de.pool.ntp.org {
 }
 server 3.debian.pool.ntp.org {
 }
 server 3.de.pool.ntp.org {
 }
 server 192.168.0.100 {
     prefer
 }
 server ntp.ubuntu.com {
 }
[edit]
vyos@vyos#
c-po added a comment.Sep 5 2018, 8:22 PM

I guess then it was "broken" all the time

alainlamar added a comment.Sep 5 2018, 8:26 PM

Thanks for fixing! Took me half a day today to figure this out :)

c-po closed this task as Resolved.Sep 6 2018, 3:51 AM
c-po claimed this task.
c-po edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.
c-po changed Why the issue appeared? from Will be filled on close to Issues in third-party code.
c-po removed a subscriber: c-po.
syncer added a project: VyOS-1.2.0-GA.Oct 15 2018, 10:42 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.Oct 15 2018, 10:42 PM