
NTP/Chrony Daemon Access Options

Open · jamesggraf-m1 opened this issue 8 months ago · 1 comment

What I'd like: We have a regulatory requirement to validate that our servers are synced with time.nist.gov and we need to be able to provide record of that synchronization when requested.

Currently we provide that record by scheduling a job that pings our Amazon Linux 2-based servers using chronyc -h [ HOST_IP ] sources -v and logging the responses daily.

As far as I can tell, Bottlerocket only provides the ability to configure its NTP servers via the settings.ntp.time-servers and no other chrony.conf related directives: https://bottlerocket.dev/en/os/1.26.x/api/settings/ntp/

We would like the configuration option to set the following chrony.conf directives:

allow [ CIDR_BLOCK ]
cmdallow [ CIDR_BLOCK ]
bindcmdaddress [ IP_ADDRESS ]
  • https://chrony-project.org/doc/3.4/chrony.conf.html#allow
  • https://chrony-project.org/doc/3.4/chrony.conf.html#cmdallow
  • https://chrony-project.org/doc/3.4/chrony.conf.html#bindaddress

Any alternatives you've considered: We considered having our Bottlerocket-based nodes spin up a job that runs as admin, since the chronyc command only seems to be able to reach the chronyd daemon if it's running in an admin pod. This doesn't feel ideal. We're open to suggestions, but until we have a solution we'll have to stick with Amazon Linux 2/2023.

jamesggraf-m1 · Apr 14 '25 17:04
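As an added example (not code from this issue, from Bottlerocket or from the chrony project), the script below shows the record-keeping side of the request in POSIX shell: it classifies the state of one expected server from the text of `chronyc -h HOST_IP sources -v`, emits a timestamped audit line that a daily job could append to a log, and prints the three requested chrony.conf directives scoped to a single monitoring network instead of `all`. The node address `10.0.2.15`, the monitoring CIDR `10.0.5.0/24` and both blocks of chronyc output are constructed assumptions, not captured from a real host.

```shell
#!/bin/sh
# Added example for this issue (not Bottlerocket or chrony code).
# Parses `chronyc sources -v` text, records one server's sync state and
# prints a least-privilege chrony.conf fragment. All addresses and the
# sample output below are constructed assumptions.

# Constructed `chronyc sources -v` output: time.nist.gov is the selected
# source ('^*') and a second server is being combined ('^+'). The legend
# lines that -v prints are included so the parser can be seen to skip them.
SAMPLE_SYNCED=$(cat <<'EOF'
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.nist.gov                 1   6   377    23   -102us[ -145us] +/-   11ms
^+ 169.254.169.123               3   6   377    24   +310us[ +310us] +/-   22ms
EOF
)

# Constructed output for a node that cannot reach time.nist.gov ('^?', reach 0).
SAMPLE_UNREACHABLE=$(cat <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? time.nist.gov                 0   6     0     -     +0ns[   +0ns] +/-    0ns
^* 169.254.169.123               3   6   377    19   +120us[ +120us] +/-   20ms
EOF
)

# source_line SERVER SOURCES_TEXT -> the data line for SERVER (field 2), if any.
# Legend lines never have the server name in field 2, so they are skipped.
source_line() {
    printf '%s\n' "$2" | awk -v s="$1" '$2 == s { print; exit }'
}

# sync_state SERVER SOURCES_TEXT -> selected|combined|not-combined|unreachable|unknown|absent
# Exit status is 0 only when SERVER is the currently selected source.
sync_state() {
    line=$(source_line "$1" "$2")
    [ -n "$line" ] || { echo absent; return 1; }
    case "$line" in
        '^*'*) echo selected;     return 0 ;;
        '^+'*) echo combined;     return 2 ;;
        '^-'*) echo not-combined; return 2 ;;
        '^?'*) echo unreachable;  return 2 ;;
        *)     echo unknown;      return 2 ;;
    esac
}

# reach_register SERVER SOURCES_TEXT -> the octal Reach column (377 = last 8 polls answered).
reach_register() {
    source_line "$1" "$2" | awk '{ print $5 }'
}

# audit_line HOST SERVER SOURCES_TEXT -> one log line; always exits 0 so a
# scheduled job keeps recording even on a node that has lost sync.
audit_line() {
    state=$(sync_state "$2" "$3") || true
    printf '%s host=%s server=%s state=%s reach=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$state" "$(reach_register "$2" "$3")"
}

# chrony_fragment MONITOR_CIDR NODE_IP -> the directives requested in the issue,
# limited to one monitoring network and one local address rather than 'all'.
chrony_fragment() {
    cat <<EOF
# Serve NTP only to the monitoring network (omit if nodes should not serve time at all)
allow $1
# Accept chronyc monitoring commands only from the monitoring network
cmdallow $1
# Bind the command socket to this node's private address instead of 0.0.0.0
bindcmdaddress $2
EOF
}

# Demo on the constructed samples.
audit_line 10.0.2.15 time.nist.gov "$SAMPLE_SYNCED"
audit_line 10.0.2.15 time.nist.gov "$SAMPLE_UNREACHABLE"
chrony_fragment 10.0.5.0/24 10.0.2.15
```

In use, the sample text would be replaced by `$(chronyc -h "$HOST_IP" sources -v)` and `audit_line` appended to the daily log; `allow` is only needed if the node should also answer NTP queries from the monitoring network, since `chronyc` itself talks to the command port governed by `cmdallow` and `bindcmdaddress`.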

Thanks for opening this feature request! Sounds like we need to expose some new settings to allow these to be set.

Linking another request for setting a value in chrony.conf here as well. https://github.com/bottlerocket-os/bottlerocket/issues/4407

KCSesh · Apr 20 '25 01:04