author | Alex Harpin <development@landsofshadow.co.uk> | 2015-02-26 22:50:05 +0000 |
committer | Alex Harpin <development@landsofshadow.co.uk> | 2015-02-26 22:50:05 +0000 |
commit | b9e07101d6347c0359fc68eac62e049acdfdbb78 (patch) | |
tree | 1829823bf808c85df9d3eae49d910f5f55ff3196 | |
parent | 2bea0c31e1469bc5ac1b20fdb16598b6e0d11699 (diff) | |
vyatta-cfg-system: redesign the layout and updating of ntp
When NTP is configured on the system, it not only acts as a client
for the configured servers, but also as a server. Although the server
is only available as a time source, it still represents a service that
the user hasn't specifically enabled.
This commit sets the default configuration of NTP to disallow all
external access, so the system acts purely as a client by default, and
also introduces the ability to configure which addresses / subnets are
allowed to both query and use it as a time source. If the servers
configured are specified as host names, these are resolved to IP
addresses before being added to ntp.conf, with the same process carried
out after name server changes.
syntax 'set system ntp client address'
Bug #94 http://bugzilla.vyos.net/show_bug.cgi?id=94
-rwxr-xr-x | scripts/system/vyatta_update_ntp.pl | 75 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_resolv.pl | 7 | ||||
-rwxr-xr-x | scripts/vyatta-system-nameservers | 1 | ||||
-rw-r--r-- | sysconf/ntp.conf | 22 | ||||
-rw-r--r-- | templates/system/ntp/client/address/node.def | 6 | ||||
-rw-r--r-- | templates/system/ntp/client/node.def | 1 | ||||
-rw-r--r-- | templates/system/ntp/node.def | 4 |
7 files changed, 88 insertions, 28 deletions
diff --git a/scripts/system/vyatta_update_ntp.pl b/scripts/system/vyatta_update_ntp.pl
index a162f858..118cfc18 100755
--- a/scripts/system/vyatta_update_ntp.pl
+++ b/scripts/system/vyatta_update_ntp.pl
@@ -21,27 +21,78 @@ use strict;
 use lib "/opt/vyatta/share/perl5";
 use Vyatta::Config;
+use NetAddr::IP;
 die "$0 expects no arguments\n" if (@ARGV);
-# Weed existing servers from config
-print grep {! /^server/ } <STDIN>;
+sub ntp_format {
+ my ($cidr) = @_;
+ my $ip = NetAddr::IP->new($cidr);
+ die "$cidr: not a valid IP address" unless $ip;
-my $cfg = new Vyatta::Config;
-$cfg->setLevel("system ntp");
-
-foreach my $server ($cfg->listNodes("server")) {
- print "server $server iburst";
- for my $property (qw(dynamic noselect preempt prefer)) {
- print " $property" if ($cfg->exists("server $server $property"));
+ my $address = $ip->addr();
+ my $mask = $ip->mask();
+
+ if ($mask eq '255.255.255.255') {
+ if ($ip->version() == 6) {
+ return "-6 $address";
+ } else {
+ return "$address";
+ }
+ } else {
+ if ($ip->version() == 6) {
+ return "-6 $address mask $mask";
+ } else {
+ return "$address mask $mask";
+ }
 }
- print "\n";
 }
-exit 0;
+my @ntp;
+if (-e '/etc/ntp.conf') {
+ open (my $file, '<', '/etc/ntp.conf')
+ or die("$0: Error! Unable to open '/etc/ntp.conf' for input: $!\n");
+ @ntp = <$file>;
+ close ($file);
+}
+open (my $output, '>', '/etc/ntp.conf')
+ or die("$0: Error! Unable to open '/etc/ntp.conf' for output: $!\n");
+
+my $cfg = new Vyatta::Config;
+$cfg->setLevel("system ntp");
+foreach my $line (@ntp) {
+ if ($line =~ /^# VyOS CLI configuration options/) {
+ print $output $line;
+ print $output "\n";
+ last;
+ } else {
+ print $output $line;
+ }
+}
+if ($cfg->exists("server")) {
+ print $output "# Servers\n\n";
+ foreach my $server ($cfg->listNodes("server")) {
+ my $server_addr = ntp_format($server);
+ print $output "server $server_addr iburst";
+ for my $property (qw(dynamic noselect preempt prefer)) {
+ print $output " $property" if ($cfg->exists("server $server $property"));
+ }
+ print $output "\nrestrict $server_addr nomodify notrap nopeer noquery\n";
+ }
+ print $output "\n";
+}
+if ($cfg->exists("client")) {
+ print $output "# Clients\n\n";
+ my @clients = $cfg->returnValues("client address");
+ foreach my $client (@clients) {
+ my $address = ntp_format($client);
+ print $output "restrict $address nomodify notrap nopeer\n";
+ }
+ print $output "\n";
+}
-
+exit 0;
diff --git a/scripts/system/vyatta_update_resolv.pl b/scripts/system/vyatta_update_resolv.pl
index 0dfa4bec..5de1f789 100755
--- a/scripts/system/vyatta_update_resolv.pl
+++ b/scripts/system/vyatta_update_resolv.pl
@@ -227,8 +227,11 @@ if (($dhclient_script == 1) || ($config_mode == 1)) {
 }
 if ($restart_ntp == 1) {
 # this corresponds to what is done in name-server/node.def as a fix for bug 1300
- my $cmd_ntp_restart = "if [ -f /etc/ntp.conf ] && grep -q '^server' /etc/ntp.conf; then /usr/sbin/invoke-rc.d ntp restart >&/dev/null; fi &";
- system($cmd_ntp_restart);
+ if ($vc->exists("system ntp server") || $vc->existsOrig("system ntp server")) {
+ system("sudo /opt/vyatta/sbin/vyatta_update_ntp.pl");
+ my $cmd_ntp_restart = "if [ -f /etc/ntp.conf ] && grep -q '^server' /etc/ntp.conf; then /usr/sbin/invoke-rc.d ntp restart >&/dev/null; fi &";
+ system($cmd_ntp_restart);
+ }
 }
 }
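Review bot: The live `/etc/ntp.conf` is opened with `'>'` (truncated) before any address has been validated, so when `ntp_format` dies on a later entry — an invalid address, or a server name that does not resolve, since `NetAddr::IP->new` is what resolves names here — the file is left cut short, and because the next run re-reads its static section from that same file, the `restrict default ignore` lines above the marker can be lost for good and ntpd ends up answering everyone. Resolve and format every server and client address up front, write to a temporary file, and `rename` it over `/etc/ntp.conf` only after a checked `close`, as sketched below. Separately, `ntp_format` recognises a host address only by `$mask eq '255.255.255.255'`, which never matches an IPv6 host (its mask is all `ffff`), so an IPv6 server would be emitted as `server -6 <addr> mask ffff:… iburst`; `if ($ip->masklen() == $ip->bits())` covers both families. For client subnets `$ip->addr()` keeps whatever host bits the user typed, so `$ip->network()->addr()` is probably what the `restrict … mask` line should carry — worth confirming against ntpd's handling.
```perl
# … unchanged: ntp_format, reading of the existing /etc/ntp.conf into @ntp …
my $cfg = new Vyatta::Config;
$cfg->setLevel("system ntp");

# Resolve and validate every address before the live file is touched, so a
# bad entry aborts the commit instead of leaving a truncated ntp.conf.
my %server_addr = map { $_ => ntp_format($_) } $cfg->listNodes("server");
my @client_addr = map { ntp_format($_) } $cfg->returnValues("client address");

my $tmp = '/etc/ntp.conf.tmp';   # temporary name, adjust as preferred
open (my $output, '>', $tmp)
    or die("$0: Error! Unable to open '$tmp' for output: $!\n");
# … unchanged: copy of the static section up to the marker, then the
#    "# Servers" / "# Clients" sections using $server_addr{$server} and @client_addr …
close ($output) or die("$0: Error! Unable to write '$tmp': $!\n");
rename($tmp, '/etc/ntp.conf')
    or die("$0: Error! Unable to replace '/etc/ntp.conf': $!\n");
```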
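Review bot: The exit status of `system("sudo /opt/vyatta/sbin/vyatta_update_ntp.pl")` is not checked, so when the update script dies (it exits non-zero on an address it cannot format) ntpd is still restarted on whatever is left in `/etc/ntp.conf`; at minimum `system("sudo /opt/vyatta/sbin/vyatta_update_ntp.pl") == 0 or warn "$0: ntp update failed: $?\n";`, or skip the restart when it fails. The same unchecked call is added in `restart_ntp` of scripts/vyatta-system-nameservers and in the `end:` block of templates/system/ntp/node.def, where `sudo /opt/vyatta/sbin/vyatta_update_ntp.pl || exit 1` would stop the commit instead of continuing with a broken file. The enclosing `if ($restart_ntp == 1)` block and its parent start outside this hunk.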
diff --git a/scripts/vyatta-system-nameservers b/scripts/vyatta-system-nameservers
index 7b66cf77..99019fd1 100755
--- a/scripts/vyatta-system-nameservers
+++ b/scripts/vyatta-system-nameservers
@@ -39,6 +39,7 @@ restart_dnsmasq () {
 restart_ntp () {
 # restart ntp if ntp is configured
 if [ -f /etc/ntp.conf ] && grep -q "^server" /etc/ntp.conf; then
+ sudo /opt/vyatta/sbin/vyatta_update_ntp.pl
 /usr/sbin/invoke-rc.d ntp restart >&/dev/null
 fi
 }
diff --git a/sysconf/ntp.conf b/sysconf/ntp.conf
index 248cdc2d..855d5097 100644
--- a/sysconf/ntp.conf
+++ b/sysconf/ntp.conf
@@ -4,21 +4,21 @@
 # configuration subsystem. Please do not manually edit it.
 #
 # The first section of this file consists of static parameters
-# that can not be changed via the Vyatta configuration subsystem.
+# (that can not be changed via the VyOS CLI) and default values
+# that prevent ntpd being queried (client only mode).
 #
 driftfile /var/lib/ntp/ntp.drift
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+# By default, only allow ntpd to query time sources, ignore any
+# incoming requests.
-# Local users may interrogate the ntp server more closely.
-restrict 127.0.0.1
-restrict ::1
+restrict default ignore
+restrict -6 default ignore
-#
-# The remainder of this file is for parameters that are set up via
-# the Vyatta configuration subsystem.
-#
+# Local users have unrestricted access, allowing reconfiguration
+# via ntpdc
+restrict 127.0.0.1
+restrict -6 ::1
+# VyOS CLI configuration options
diff --git a/templates/system/ntp/client/address/node.def b/templates/system/ntp/client/address/node.def
new file mode 100644
index 00000000..a48a2b5a
--- /dev/null
+++ b/templates/system/ntp/client/address/node.def
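Review bot: The comment above `restrict default ignore` says only incoming requests are ignored, but as far as I recall ntpd's restrict list, `ignore` drops every packet from an unlisted address, replies from the configured time sources included — which is exactly why the generated section has to emit a `restrict <server> … noquery` line per server. That coupling deserves a comment in the file so the next editor does not remove the per-server lines, e.g. `# 'ignore' also drops replies from time sources; the CLI-generated section below must add a restrict line for every configured server.` The extra `restrict -6 default ignore` looks redundant, since an unqualified `default` applies to both families, but it is harmless.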
@@ -0,0 +1,6 @@
+multi:
+type: ipv4net,ipv6net
+help: IP address
+
+val_help: ipv4net; IP address and prefix length
+val_help: ipv6net; IPv6 address and prefix length
diff --git a/templates/system/ntp/client/node.def b/templates/system/ntp/client/node.def
new file mode 100644
index 00000000..dd849f8f
--- /dev/null
+++ b/templates/system/ntp/client/node.def
@@ -0,0 +1 @@
+help: Network Time Protocol (NTP) client
diff --git a/templates/system/ntp/node.def b/templates/system/ntp/node.def
index 7a4ddad7..38e67e05 100644
--- a/templates/system/ntp/node.def
+++ b/templates/system/ntp/node.def
@@ -2,8 +2,7 @@ priority: 400
 help: Network Time Protocol (NTP) configuration
 end:
- /opt/vyatta/sbin/vyatta_update_ntp.pl </etc/ntp.conf >/tmp/ntp.conf
- sudo cp -b /tmp/ntp.conf /etc/ntp.conf
+ sudo /opt/vyatta/sbin/vyatta_update_ntp.pl
 if grep -q '^server' /etc/ntp.conf
 then
 if pgrep -f -u ntp /usr/sbin/ntpd > /dev/null
@@ -15,4 +14,3 @@ end:
 else
 sudo /usr/sbin/invoke-rc.d ntp stop
 fi
- rm -f /tmp/ntp.conf |
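Review bot: `help: IP address` in templates/system/ntp/client/address/node.def understates what the node accepts: the type is `ipv4net,ipv6net` and the `val_help` lines already say "address and prefix length", so the completion help should match, e.g. `help: IP address or network allowed to query this NTP server`.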