Merge ~barryprice/ntp-charm/+git/ntp-charm:lp1982517 into ntp-charm:master

Proposed by Barry Price
Status: Merged
Approved by: Barry Price
Approved revision: 991cd01c66292c83d9e489c41b8b4ece00a44c70
Merged at revision: 2c0b1be5e54399c13736c9b3000fed222117a38c
Proposed branch: ~barryprice/ntp-charm/+git/ntp-charm:lp1982517
Merge into: ntp-charm:master
Diff against target: 74 lines (+31/-0)
3 files modified
config.yaml (+13/-0)
reactive/ntp.py (+4/-0)
templates/chrony.conf (+14/-0)
Reviewer Review Type Date Requested Status
Haw Loeung +1 Approve
Canonical IS Reviewers Pending
Review via email: mp+427414@code.launchpad.net

Commit message

Addressing LP:1982517 - when using chrony (on bionic and later), allow the operator to specify network ranges from which we will allow or deny NTP traffic accordingly.

🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Haw Loeung (hloeung) wrote :

LGTM

review: Approve (+1)
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 2c0b1be5e54399c13736c9b3000fed222117a38c

Preview Diff

1diff --git a/config.yaml b/config.yaml
2index 33919f6..08c29a6 100644
3--- a/config.yaml
4+++ b/config.yaml
5@@ -16,6 +16,19 @@ options:
6 description: >
7 Space-separated list of NTP servers to use as peers. Under ntpd,
8 peers are allowed to query the local NTP server via ntpq.
9+ restrict_allow:
10+ default: ""
11+ type: string
12+ description: >
13+ Space-separated list of CIDR subnets for which we will allow queries
14+ via chrony.conf's "allow x.x.x.x/x" directive. Default is a bare
15+ "allow" to accept traffic from all networks.
16+ restrict_deny:
17+ default: ""
18+ type: string
19+ description: >
20+ Space-separated list of subnets for which we will deny queries
21+ via chrony.conf's "deny" directive. Default is no "deny" directive.
22 unlimited_clients:
23 default: ""
24 type: string
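Review bot: the two new descriptions name the same kind of value differently: `restrict_allow` says "CIDR subnets" while `restrict_deny` says only "subnets", although both are split on whitespace and placed verbatim into `allow`/`deny` lines by the template. Use the same wording for both, and since the charm performs no validation on either option, say so here (or list the accepted forms) so an operator knows a malformed entry goes straight into chrony.conf.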
25diff --git a/reactive/ntp.py b/reactive/ntp.py
26index 5bf3482..9403e97 100755
27--- a/reactive/ntp.py
28+++ b/reactive/ntp.py
29@@ -205,6 +205,8 @@ def write_config():
30 peers = hookenv.config('peers')
31 auto_peers = hookenv.config('auto_peers')
32 unlimited_clients = hookenv.config('unlimited_clients')
33+ restrict_allow = hookenv.config('restrict_allow')
34+ restrict_deny = hookenv.config('restrict_deny')
35 if os.path.exists("/dev/ptp0") and machine_type == 'vm':
36 use_phc = True
37 else:
38@@ -260,6 +262,8 @@ def write_config():
39 'pools': remote_pools,
40 'servers': remote_sources,
41 'unlimited_clients': unlimited_clients.split(','),
42+ 'restrict_allow': restrict_allow.split(),
43+ 'restrict_deny': restrict_deny.split(),
44 })
45
46 # /etc/nagios/nrpe.d doesn't exist, which means nagios has the config
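Review bot: `restrict_allow.split()` and `restrict_deny.split()` split on whitespace while the neighbouring `'unlimited_clients': unlimited_clients.split(',')` splits on commas; the config.yaml text does say space-separated, so the code matches its own docs, but three adjacent list-valued options with two different separators is a trap for operators. Consider accepting both (for example `restrict_allow.replace(',', ' ').split()`) or at least calling out the difference in the descriptions. An empty string splits to `[]`, which is what the template's `{%- if restrict_allow %}` test relies on, so the default case is handled; nothing rejects a token that is not an address or prefix, though, so a typo reaches chrony.conf unchanged.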
47diff --git a/templates/chrony.conf b/templates/chrony.conf
48index bbcf765..e17ebc1 100644
49--- a/templates/chrony.conf
50+++ b/templates/chrony.conf
51@@ -37,9 +37,23 @@ dumpdir /var/lib/chrony
52 local stratum {{ orphan_stratum }} orphan
53 {%- endif %}
54
55+{%- if restrict_allow %}
56+# allow defined networks to use us as an NTP server
57+{%- for allow in restrict_allow %}
58+allow {{ allow }}
59+{%- endfor %}
60+{%- else %}
61 # allow any host to use us as an NTP server
62 # (use juju unexpose to prevent access)
63 allow
64+{%- endif %}
65+
66+{%- if restrict_deny %}
67+# restrict defined networks from using us as an NTP server
68+{%- for deny in restrict_deny %}
69+deny {{ deny }}
70+{%- endfor %}
71+{%- endif %}
72
73 # PEERS
74 {%- for peer in peers %}
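Review bot: when `restrict_allow` is empty the `else` branch still emits the bare `allow`, so setting only `restrict_deny` yields "allow everyone, then deny these ranges"; that is a sensible result, but nothing states it, and the config.yaml text for `restrict_deny` should spell out that it never narrows access on its own. The new comment above the `allow` loop also drops the "(use juju unexpose to prevent access)" hint that the allow-all branch keeps; since the allow-list is now the access control, either keep the same hint or note that the list replaces it. The `{%- for %}`/`{%- endfor %}` pairs strip only the preceding newline, so each `allow {{ allow }}` and `deny {{ deny }}` still lands on its own line, consistent with the rest of the template.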
