Merge ~barryprice/ntp-charm/+git/ntp-charm:lp1982517 into ntp-charm:master

Proposed by Barry Price
Status: Merged
Approved by: Barry Price
Approved revision: 991cd01c66292c83d9e489c41b8b4ece00a44c70
Merged at revision: 2c0b1be5e54399c13736c9b3000fed222117a38c
Proposed branch: ~barryprice/ntp-charm/+git/ntp-charm:lp1982517
Merge into: ntp-charm:master
Diff against target: 74 lines (+31/-0)
3 files modified
config.yaml (+13/-0)
reactive/ntp.py (+4/-0)
templates/chrony.conf (+14/-0)
Reviewer Review Type Date Requested Status
Haw Loeung +1 Approve
Canonical IS Reviewers Pending
Review via email: mp+427414@code.launchpad.net

Commit message

Addressing LP:1982517 - when using chrony (on bionic and later), allow the operator to specify network ranges from which we will allow or deny NTP traffic accordingly.

🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Haw Loeung (hloeung) wrote :

LGTM

review: Approve (+1)
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 2c0b1be5e54399c13736c9b3000fed222117a38c

Preview Diff

diff --git a/config.yaml b/config.yaml
index 33919f6..08c29a6 100644
--- a/config.yaml
+++ b/config.yaml
@@ -16,6 +16,19 @@ options:
16 description: >16 description: >
17 Space-separated list of NTP servers to use as peers. Under ntpd,17 Space-separated list of NTP servers to use as peers. Under ntpd,
18 peers are allowed to query the local NTP server via ntpq.18 peers are allowed to query the local NTP server via ntpq.
19 restrict_allow:
20 default: ""
21 type: string
22 description: >
23 Space-separated list of CIDR subnets for which we will allow queries
24 via chrony.conf's "allow x.x.x.x/x" directive. Default is a bare
25 "allow" to accept traffic from all networks.
26 restrict_deny:
27 default: ""
28 type: string
29 description: >
30 Space-separated list of subnets for which we will deny queries
31 via chrony.conf's "deny" directive. Default is no "deny" directive.
19 unlimited_clients:32 unlimited_clients:
20 default: ""33 default: ""
21 type: string34 type: string
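Review bot: the two new option descriptions disagree on the expected format: `restrict_allow` says "CIDR subnets" while `restrict_deny` says only "subnets", yet both values are written verbatim into chrony.conf. Suggest the same wording for both, plus an example value in each description (e.g. `10.0.0.0/8 192.168.1.0/24`) so operators know whether bare addresses and prefix lengths are accepted. It would also help to state how the two options interact when a network appears in both lists, since these descriptions are the only documentation an operator will see for the access policy they are configuring.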
diff --git a/reactive/ntp.py b/reactive/ntp.py
index 5bf3482..9403e97 100755
--- a/reactive/ntp.py
+++ b/reactive/ntp.py
@@ -205,6 +205,8 @@ def write_config():
205 peers = hookenv.config('peers')205 peers = hookenv.config('peers')
206 auto_peers = hookenv.config('auto_peers')206 auto_peers = hookenv.config('auto_peers')
207 unlimited_clients = hookenv.config('unlimited_clients')207 unlimited_clients = hookenv.config('unlimited_clients')
208 restrict_allow = hookenv.config('restrict_allow')
209 restrict_deny = hookenv.config('restrict_deny')
208 if os.path.exists("/dev/ptp0") and machine_type == 'vm':210 if os.path.exists("/dev/ptp0") and machine_type == 'vm':
209 use_phc = True211 use_phc = True
210 else:212 else:
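Review bot: `restrict_allow` and `restrict_deny` are read here and later handed straight to the template with no validation, so a typo in a subnet ends up verbatim in the rendered chrony.conf. Suggest validating each token at this point, for example with `ipaddress.ip_network(token, strict=False)` from the standard library, and reporting a clear unit status on a bad value rather than writing out an invalid access-control directive.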
@@ -260,6 +262,8 @@ def write_config():
260 'pools': remote_pools,262 'pools': remote_pools,
261 'servers': remote_sources,263 'servers': remote_sources,
262 'unlimited_clients': unlimited_clients.split(','),264 'unlimited_clients': unlimited_clients.split(','),
265 'restrict_allow': restrict_allow.split(),
266 'restrict_deny': restrict_deny.split(),
263 })267 })
264268
265 # /etc/nagios/nrpe.d doesn't exist, which means nagios has the config269 # /etc/nagios/nrpe.d doesn't exist, which means nagios has the config
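Review bot: the new values are split on whitespace (`restrict_allow.split()`) while the neighbouring `unlimited_clients.split(',')` splits on commas, so an operator who carries the comma-separated habit over from `unlimited_clients` will get a single token such as `10.0.0.0/8,192.168.1.0/24` passed to the template as one allow entry. That does match the "space-separated" wording in config.yaml, but the inconsistency is worth calling out in the option descriptions or normalising here (e.g. `restrict_allow.replace(',', ' ').split()`) so both delimiters behave. On the positive side, `''.split()` yields an empty list, so an unset option correctly falls through to the template's else branch.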
diff --git a/templates/chrony.conf b/templates/chrony.conf
index bbcf765..e17ebc1 100644
--- a/templates/chrony.conf
+++ b/templates/chrony.conf
@@ -37,9 +37,23 @@ dumpdir /var/lib/chrony
37local stratum {{ orphan_stratum }} orphan37local stratum {{ orphan_stratum }} orphan
38{%- endif %}38{%- endif %}
3939
40{%- if restrict_allow %}
41# allow defined networks to use us as an NTP server
42{%- for allow in restrict_allow %}
43allow {{ allow }}
44{%- endfor %}
45{%- else %}
40# allow any host to use us as an NTP server46# allow any host to use us as an NTP server
41# (use juju unexpose to prevent access)47# (use juju unexpose to prevent access)
42allow48allow
49{%- endif %}
50
51{%- if restrict_deny %}
52# restrict defined networks from using us as an NTP server
53{%- for deny in restrict_deny %}
54deny {{ deny }}
55{%- endfor %}
56{%- endif %}
4357
44# PEERS58# PEERS
45{%- for peer in peers %}59{%- for peer in peers %}
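Review bot: the deny block is always rendered after the allow block, so when overlapping networks are listed in both options the effective policy depends on chrony's own precedence rules for allow/deny directives rather than on the order of the charm options; that should be stated in the option descriptions, or at least in a template comment, so the resulting access policy is predictable. Minor: the "(use juju unexpose to prevent access)" hint now appears only in the fallback bare `allow` branch, so the rendered file loses that pointer whenever `restrict_allow` is set; moving the comment above `{%- if restrict_allow %}` keeps it in both cases.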