puppetlabs-ntp
support Debian 12 / Bookworm / ntpsec
Use Case
Debian 12/Bookworm switched its ntp package to ntpsec: https://salsa.debian.org/debian/ntpsec/-/blob/debian/unstable/debian/NEWS
It is mostly a drop-in replacement, and the package copies the configuration to the new locations on upgrade, so nothing breaks, but you cannot modify the ntpd configuration via this module anymore after the upgrade.
With a couple of configuration changes it can be made to work, so probably only a few OS defaults need to be changed:
# default ntp is a transitional package install ntpsec
ntp::package_name: [ntpsec]
ntp::driftfile: /var/lib/ntpsec/ntp.drift
ntp::config: /etc/ntpsec/ntp.conf
ntp::daemon_config: /etc/default/ntpsec
Some other minor things: ntp::statsdir is not created by the package, so it may be good if the module creates it when set.
Setting ntp::disable_auth: true with ntpsec results in a syntax-error warning during startup; the other disable flags do seem to work.
(ntpsec also supports an enable [auth | stats ...] option.)
debian package transition code: https://salsa.debian.org/debian/ntpsec/-/blob/debian/1.2.2+dfsg1-1+deb12u1/debian/ntpsec.preinst
It does break Debian 12 / bookworm somewhat.
The ntpsec package ships with an AppArmor profile, and the old driftfile location (copied over from ntp.conf) is denied:
[313205.924891] audit: type=1400 audit(1696226693.748:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift-tmp" pid=705 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
The current state of the module renders ntp unmanaged on new installs and broken on upgraded systems.
This at least starts ntpsec using /etc/ntp.conf:
# Point the file ntpsec reads at the module-managed one (Puppet creates a
# symlink when only target is given) and restart the service when it changes.
File['/etc/ntp.conf']
-> file { '/etc/ntpsec/ntp.conf':
  target  => '/etc/ntp.conf',
  replace => true,
}
~> Service['ntp']
CAT-2100 claims to add support for Debian 12/Bookworm in version v11.0.0, but that is not the case: if you try to configure ntpsec with this module, it has no effect at all. The reason is that this module manages the configuration file for ntp in /etc/ntp.conf, but the ntpsec daemon that is started on Bookworm uses another configuration file, /etc/ntpsec/ntp.conf, which stays unchanged. If you try to configure the daemon command-line options of ntpsec using ntp::daemon_extra_opts, the setting is created in /etc/ntpsec/ntp.conf, which is the wrong place for such a setting because it should be configured in /etc/default/ntpsec. As already said in this issue above, even if you configure ntp::statsdir, the directory is not created and you always get an error at start time that the statistics directory is missing. I could list some more bugs, but I would say that the list here is already a good start ;)
A quick fix for now would be to add a file data/Debian-12.yaml:
ntp::config: /etc/ntpsec/ntp.conf
But there are more versions on the horizon, of course.
Furthermore, ntpsec's documentation states:
NTPsec, unlike legacy versions, can also be configured using an Apache-style directory /etc/ntp.d/ of configuration-file segments. This is intended to make life easier for software configurators, which can write independent segments rather than having to do the kind of edit-in-place on a flat ntp.conf that comes naturally to a human.
So I guess a more comprehensive recode is required to accommodate all scenarios for systems with ntpsec.
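The three mismatches described in the comments above (the module writes /etc/ntp.conf while ntpsec reads /etc/ntpsec/ntp.conf; a driftfile left under the AppArmor-denied /var/lib/ntp; a configured statsdir that nothing creates) can be checked on a host before the service is restarted. The POSIX shell script below is an added example and is not part of puppetlabs-ntp or of this issue. Its default paths /etc/ntp.conf, /etc/ntpsec/ntp.conf and /var/lib/ntpsec are the ones named in the comments; treating any driftfile outside /var/lib/ntpsec as a likely AppArmor denial is an assumption drawn from the single DENIED line quoted above, not from the shipped profile.

```shell
#!/bin/sh
# Added preflight check for a Debian 12 / ntpsec host managed by puppetlabs-ntp.
# Not part of the module or of this issue; the default paths are the ntpsec
# package locations named in the discussion and are assumptions.

# Print the argument of a one-word directive (driftfile, statsdir, ...) from
# an ntp.conf-style file; first match wins, comment lines never match.
ntp_conf_value() {
    conf=$1
    key=$2
    awk -v key="$key" '$1 == key { print $2; exit }' "$conf"
}

# Succeed if path $1 lies below one of the directory prefixes given as $2..$n.
path_under() {
    p=$1
    shift
    for prefix in "$@"; do
        case "$p" in
            "$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# Succeed if the file the daemon reads ($2) is either a symlink resolving to
# the module-managed file ($1) or a byte-identical copy of it.
config_in_sync() {
    module_conf=$1
    daemon_conf=$2
    [ -e "$daemon_conf" ] || return 1
    if [ -L "$daemon_conf" ]; then
        [ "$(readlink -f "$daemon_conf")" = "$(readlink -f "$module_conf")" ] && return 0
    fi
    cmp -s "$module_conf" "$daemon_conf"
}

# Run the checks this issue describes; the return value is the number of findings:
#   1. daemon config is not in sync with the module-managed one
#   2. driftfile outside the ntpsec tree (the old /var/lib/ntp path is AppArmor-denied)
#   3. statsdir configured but missing on disk (ntpd complains at startup)
# Arguments: module conf, daemon conf, allowed driftfile parent (all optional).
check_ntpsec_host() {
    module_conf=${1:-/etc/ntp.conf}
    daemon_conf=${2:-/etc/ntpsec/ntp.conf}
    drift_root=${3:-/var/lib/ntpsec}
    findings=0

    if ! config_in_sync "$module_conf" "$daemon_conf"; then
        echo "FINDING: $daemon_conf is not a link to, or a copy of, $module_conf"
        findings=$((findings + 1))
    fi

    # The remaining checks read what the daemon will actually load.
    [ -r "$daemon_conf" ] || return "$findings"

    drift=$(ntp_conf_value "$daemon_conf" driftfile)
    if [ -n "$drift" ] && ! path_under "$drift" "$drift_root"; then
        echo "FINDING: driftfile $drift is outside $drift_root (expect an AppArmor DENIED)"
        findings=$((findings + 1))
    fi

    stats=$(ntp_conf_value "$daemon_conf" statsdir)
    if [ -n "$stats" ] && [ ! -d "$stats" ]; then
        echo "FINDING: statsdir $stats is configured but does not exist"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Call `check_ntpsec_host` with no arguments on a Bookworm host; the exit status is the number of findings, so it can serve as the `unless` of a Puppet `exec` or as a gate in a pipeline before a fleet-wide restart.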