From 3c33359d0c9700a1c80f1a222fe5f43642cd4fde Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 17 Jan 2021 09:44:41 +0100
Subject: ntp: T2185: store configuration in volatile /run area
---
 data/templates/ntp/ntp.conf.tmpl | 39 --------------------------------
 data/templates/ntp/ntpd.conf.tmpl | 39 ++++++++++++++++++++++++++++++++
 data/templates/ntp/override.conf.tmpl | 5 +++-
 smoketest/scripts/cli/test_system_ntp.py | 6 +++--
 src/conf_mode/ntp.py | 11 +++++----
 5 files changed, 54 insertions(+), 46 deletions(-)
 delete mode 100644 data/templates/ntp/ntp.conf.tmpl
 create mode 100644 data/templates/ntp/ntpd.conf.tmpl
diff --git a/data/templates/ntp/ntp.conf.tmpl b/data/templates/ntp/ntp.conf.tmpl
deleted file mode 100644
index 2b56b53c3..000000000
--- a/data/templates/ntp/ntp.conf.tmpl
+++ /dev/null
@@ -1,39 +0,0 @@
-### Autogenerated by ntp.py ###
-
-#
-# Non-configurable defaults
-#
-driftfile /var/lib/ntp/ntp.drift
-# By default, only allow ntpd to query time sources, ignore any incoming requests
-restrict default noquery nopeer notrap nomodify
-# Local users have unrestricted access, allowing reconfiguration via ntpdc
-restrict 127.0.0.1
-restrict -6 ::1
-
-#
-# Configurable section
-#
-{% if server is defined and server is not none %}
-{% for server, config in server.items() %}
-{% set association = 'server' %}
-{% if config.pool is defined %}
-{% set association = 'pool' %}
-{% endif %}
-{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is defined }} {{ 'preempt' if config.preempt is defined }} {{ 'prefer' if config.prefer is defined }}
-{% endfor %}
-{% endif %}
-
-{% if allow_clients is defined and allow_clients.address is defined %}
-# Allowed clients configuration
-{% for address in allow_clients.address %}
-restrict {{ address|address_from_cidr }} mask {{ address|netmask_from_cidr }} nomodify notrap nopeer
-{% endfor %}
-{% endif %}
-
-{% if listen_address %}
-# NTP should listen on configured addresses only
-interface ignore wildcard
-{% for address in listen_address %}
-interface listen {{ address }}
-{% endfor %}
-{% endif %}
diff --git a/data/templates/ntp/ntpd.conf.tmpl b/data/templates/ntp/ntpd.conf.tmpl
new file mode 100644
index 000000000..2b56b53c3
--- /dev/null
+++ b/data/templates/ntp/ntpd.conf.tmpl
@@ -0,0 +1,39 @@
+### Autogenerated by ntp.py ###
+
+#
+# Non-configurable defaults
+#
+driftfile /var/lib/ntp/ntp.drift
+# By default, only allow ntpd to query time sources, ignore any incoming requests
+restrict default noquery nopeer notrap nomodify
+# Local users have unrestricted access, allowing reconfiguration via ntpdc
+restrict 127.0.0.1
+restrict -6 ::1
+
+#
+# Configurable section
+#
+{% if server is defined and server is not none %}
+{% for server, config in server.items() %}
+{% set association = 'server' %}
+{% if config.pool is defined %}
+{% set association = 'pool' %}
+{% endif %}
+{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is defined }} {{ 'preempt' if config.preempt is defined }} {{ 'prefer' if config.prefer is defined }}
+{% endfor %}
+{% endif %}
+
+{% if allow_clients is defined and allow_clients.address is defined %}
+# Allowed clients configuration
+{% for address in allow_clients.address %}
+restrict {{ address|address_from_cidr }} mask {{ address|netmask_from_cidr }} nomodify notrap nopeer
+{% endfor %}
+{% endif %}
+
+{% if listen_address %}
+# NTP should listen on configured addresses only
+interface ignore wildcard
+{% for address in listen_address %}
+interface listen {{ address }}
+{% endfor %}
+{% endif %}
diff --git a/data/templates/ntp/override.conf.tmpl b/data/templates/ntp/override.conf.tmpl
index e0b947686..28eb61b21 100644
--- a/data/templates/ntp/override.conf.tmpl
+++ b/data/templates/ntp/override.conf.tmpl
@@ -1,11 +1,14 @@
 {% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %}
 [Unit]
 StartLimitIntervalSec=0
+ConditionPathExists={{config_file}}
 After=vyos-router.service
 [Service]
 ExecStart=
-ExecStart={{vrf_command}}/usr/lib/ntp/ntp-systemd-wrapper
+ExecStart={{vrf_command}}/usr/sbin/ntpd -g -p {{config_file | replace('.conf', '.pid') }} -c {{config_file}} -u ntp:ntp
+PIDFile=
+PIDFile={{config_file | replace('.conf', '.pid') }}
 Restart=always
 RestartSec=10
diff --git a/smoketest/scripts/cli/test_system_ntp.py b/smoketest/scripts/cli/test_system_ntp.py
index 986c8dfb2..edb6ad94d 100755
--- a/smoketest/scripts/cli/test_system_ntp.py
+++ b/smoketest/scripts/cli/test_system_ntp.py
@@ -26,7 +26,7 @@ from vyos.util import read_file
 from vyos.util import process_named_running
 PROCESS_NAME = 'ntpd'
-NTP_CONF = '/etc/ntp.conf'
+NTP_CONF = '/run/ntpd/ntpd.conf'
 base_path = ['system', 'ntp']
 def get_config_value(key):
@@ -47,6 +47,8 @@ class TestSystemNTP(unittest.TestCase):
 self.session.commit()
 del self.session
+ self.assertFalse(process_named_running(PROCESS_NAME))
+
 def test_ntp_options(self):
 # Test basic NTP support with multiple servers and their options
 servers = ['192.0.2.1', '192.0.2.2']
@@ -76,7 +78,7 @@ class TestSystemNTP(unittest.TestCase):
 self.assertTrue(process_named_running(PROCESS_NAME))
 def test_ntp_clients(self):
- """ Test the allowed-networks statement """
+ # Test the allowed-networks statement
 listen_address = ['127.0.0.1', '::1']
 for listen in listen_address:
 self.session.set(base_path + ['listen-address', listen])
diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py
index b102b3e9e..52070aabc 100755
--- a/src/conf_mode/ntp.py
+++ b/src/conf_mode/ntp.py
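Review bot: In data/templates/ntp/override.conf.tmpl the new `ExecStart` line hard-codes `-g` while the unit keeps `Restart=always`, `RestartSec=10` and `StartLimitIntervalSec=0`, so ntpd's one-time exemption from the panic threshold is granted again on every automatic restart. After any restart a wrong upstream source can therefore step the clock by an arbitrary amount, which affects certificate validity checks and log timestamps. The options passed by the removed `ntp-systemd-wrapper` are not visible in this diff, so this may match the earlier behaviour. Either way a template comment above the line would record the intent, for example `{# -g allows one unrestricted clock step per start; Restart=always re-arms it #}`.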
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -24,7 +24,7 @@ from vyos.template import render
 from vyos import airbag
 airbag.enable()
-config_file = r'/etc/ntp.conf'
+config_file = r'/run/ntpd/ntpd.conf'
 systemd_override = r'/etc/systemd/system/ntp.service.d/override.conf'
 def get_config(config=None):
@@ -33,8 +33,11 @@ def get_config(config=None):
 else:
 conf = Config()
 base = ['system', 'ntp']
+ if not conf.exists(base):
+ return None
 ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+ ntp['config_file'] = config_file
 return ntp
 def verify(ntp):
@@ -42,7 +45,7 @@ def verify(ntp):
 if not ntp:
 return None
- if len(ntp.get('allow_clients', {})) and not (len(ntp.get('server', {})) > 0):
+ if 'allow_clients' in ntp and 'server' not in ntp:
 raise ConfigError('NTP server not configured')
 verify_vrf(ntp)
@@ -53,7 +56,7 @@ def generate(ntp):
 if not ntp:
 return None
- render(config_file, 'ntp/ntp.conf.tmpl', ntp)
+ render(config_file, 'ntp/ntpd.conf.tmpl', ntp)
 render(systemd_override, 'ntp/override.conf.tmpl', ntp)
 return None
--
cgit v1.2.3
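Review bot: The new module-level `config_file = r'/run/ntpd/ntpd.conf'` puts the root-rendered configuration in the same directory as the daemon's PID file (override.conf.tmpl derives it from this path), and nothing in the diff sets the owner or mode of /run/ntpd. ntpd is started with `-u ntp:ntp`; if the directory is created or later chowned so that account can write to it, the unprivileged user can replace the file that ntpd parses on its next start. Keep the directory and file root-owned and not writable by group or others, and state that next to the constant, e.g. `# /run/ntpd: root-owned, must not be writable by the ntp user`. How `render()` creates the parent directory is not visible here.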
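Review bot: In get_config(), `ntp['config_file'] = config_file` writes an internal value into the same dict that holds the CLI-derived keys after `key_mangling=('-', '_')`, so a future `config-file` node under `system ntp` would be overwritten without notice. A comment on that line would mark the key as reserved, e.g. `# internal key for override.conf.tmpl, not a CLI node`. The function also now returns `None` when `system ntp` is absent and a dict otherwise, which deserves a one-line docstring; the function's opening lines are outside the hunk, so an existing docstring cannot be ruled out.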
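Review bot: generate() still returns before the `render()` calls when `ntp` is None, and no hunk in this commit removes `config_file` on deletion, so a previously rendered /run/ntpd/ntpd.conf may outlive `delete system ntp` until reboot and keep satisfying the new `ConditionPathExists`. apply() is not part of the diff; if it does not already do so, the deletion path should unlink the file, e.g. `if os.path.exists(config_file): os.unlink(config_file)`. The tearDown hunk in test_system_ntp.py could pin this with `self.assertFalse(os.path.exists(NTP_CONF))`. Whether `os` is imported in either file is not visible here.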