
NTP daemon won't synchronize with "restrict default ignore"
Closed, Resolved; Public; BUG

Description

Upon service startup, the NTPd will refuse to accept time from its time sources (servers) if configured with "restrict default ignore". Users cannot alter this default by CLI. As shown below, this is hardcoded in the config generator script:

/usr/libexec/vyos/conf_mode/ntp.py: 
 34 #
 35 # Non-configurable defaults
 36 #
 37 driftfile /var/lib/ntp/ntp.drift
 38 # By default, only allow ntpd to query time sources, ignore any incoming requests
 39 restrict default ignore
 40 # Local users have unrestricted access, allowing reconfiguration via ntpdc
 41 restrict 127.0.0.1
 42 restrict -6 ::1

By configuring "restrict default noquery nopeer notrap nomodify", NTPd will start just fine and be available for downstream time sync within a few seconds.

To fix this, I propose to either alter line 39 in /usr/libexec/vyos/conf_mode/ntp.py from "restrict default ignore" to "restrict default noquery nopeer notrap nomodify" (works, tested) or allow this value to be user-configurable.

Best greetings!
Al

PS: VyOS version information:

Version:          VyOS 1.2.0-rolling+201808072059
Built by:         alainlamar
Built on:         Tue 07 Aug 2018 20:59 UTC
Build ID:         a8991cc6-24a5-4b63-ba9f-20d394c9743c

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  PC Engines
Hardware model:   apu2
Hardware S/N:     Unknown
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.2.0-rolling+201808072059
Why the issue appeared?
Issues in third-party code
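
An offline check for the condition reported in this task, as an added example that is not part of the original report or of VyOS: it parses ntp.conf text and lists the configured time sources whose packets would be dropped by an `ignore` restriction. The function names are hypothetical, the sample config is constructed from the lines quoted above, a bare `default` is assumed to cover IPv4 and IPv6, and hostname sources are judged by the default entry only. It also goes one step beyond the report by honouring a more specific per-address `restrict` line.

```python
import ipaddress

def parse(conf):
    """Return (servers, rules) from ntp.conf text; rules are (network, flags)."""
    servers, rules = [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        args = [t for t in tok[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        if tok[0] in ("server", "pool"):
            servers.append(args[0])
        elif tok[0] == "restrict":
            if args[0] == "default":
                # Assumption: a bare "default" covers both address families.
                nets = ["::/0"] if "-6" in tok else ["0.0.0.0/0"] if "-4" in tok else ["0.0.0.0/0", "::/0"]
                flags = args[1:]
            elif len(args) > 2 and args[1] == "mask":
                nets, flags = [f"{args[0]}/{args[2]}"], args[3:]
            else:
                nets, flags = [args[0]], args[1:]
            for n in nets:
                try:
                    rules.append((ipaddress.ip_network(n, strict=False), set(flags)))
                except ValueError:
                    pass  # hostname in a restrict line: cannot be matched offline
    return servers, rules

def blocked_servers(conf):
    """List time sources whose most specific restrict entry carries 'ignore'."""
    servers, rules = parse(conf)
    default_ignore = any(n.prefixlen == 0 and "ignore" in f for n, f in rules)
    blocked = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            # Hostname source: not resolved here, so only the default entry is considered.
            if default_ignore:
                blocked.append(s)
            continue
        hits = [(n, f) for n, f in rules if n.version == addr.version and addr in n]
        if hits and "ignore" in max(hits, key=lambda h: h[0].prefixlen)[1]:
            blocked.append(s)
    return blocked

# Constructed sample: the hardcoded defaults quoted above plus two of the reporter's servers.
BROKEN = ("driftfile /var/lib/ntp/ntp.drift\nrestrict default ignore\nrestrict 127.0.0.1\n"
          "restrict -6 ::1\nserver 0.de.pool.ntp.org\nserver 192.168.0.100 prefer\n")
FIXED = BROKEN.replace("restrict default ignore", "restrict default noquery nopeer notrap nomodify")

if __name__ == "__main__":
    print("blocked (broken):", blocked_servers(BROKEN), "| blocked (fixed):", blocked_servers(FIXED))
```
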
c-po added a subscriber: c-po. Sep 5 2018, 8:06 PM

Does downstreaming work when you configure set system ntp allow-clients address?

In "broken" mode, no, as clients will refuse to sync to an unsynchronized server. That's how I stumbled across this in the first place.
In "fixed" mode, once NTPd is synced again, clients will fetch time from VyOS. On my testbed, I have this (now working) config:

vyos@vyos# show system ntp 
 allow-clients {
     address 192.168.44.0/24
     address 192.168.45.0/24
     address 192.168.30.0/24
     address 192.168.20.0/24
 }
 listen-address 192.168.20.254
 listen-address 192.168.30.254
 listen-address 192.168.44.254
 listen-address 192.168.45.254
 listen-address 127.0.0.1
 listen-address 172.31.255.1
 server 0.debian.pool.ntp.org {
 }
 server 0.de.pool.ntp.org {
 }
 server 1.debian.pool.ntp.org {
 }
 server 1.de.pool.ntp.org {
 }
 server 2.debian.pool.ntp.org {
 }
 server 2.de.pool.ntp.org {
 }
 server 3.debian.pool.ntp.org {
 }
 server 3.de.pool.ntp.org {
 }
 server 192.168.0.100 {
     prefer
 }
 server ntp.ubuntu.com {
 }
[edit]
vyos@vyos#
c-po added a comment. Sep 5 2018, 8:22 PM

I guess then it was "broken" all the time

Thanks for fixing! Took me half a day today to figure this out :)

c-po claimed this task. Sep 6 2018, 3:51 AM
c-po closed this task as Resolved.
c-po edited projects, added VyOS 1.2.x (VyOS 1.2.0-rc1); removed VyOS 1.2.x.
c-po changed Why the issue appeared? from Will be filled on close to Issues in third-party code.
c-po removed a subscriber: c-po.