ntp: T3008: migrate from ntpd to chrony

* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony

4 files changed, 63 insertions, 51 deletions

diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2
new file mode 100644
index 000000000..b3bfc8c0c
--- /dev/null
+++ b/data/templates/chrony/chrony.conf.j2
@@ -0,0 +1,58 @@
+### Autogenerated by ntp.py ###
+
+# This would step the system clock if the adjustment is larger than 0.1 seconds,
+# but only in the first three clock updates.
+makestep 1.0 3
+
+# The rtcsync directive enables a mode where the system time is periodically
+# copied to the RTC and chronyd does not try to track its drift. This directive
+# cannot be used with the rtcfile directive. On Linux, the RTC copy is performed
+# by the kernel every 11 minutes.
+rtcsync
+
+# This directive specifies the maximum amount of memory that chronyd is allowed
+# to allocate for logging of client accesses and the state that chronyd as an
+# NTP server needs to support the interleaved mode for its clients.
+clientloglimit 1048576
+
+driftfile /run/chrony/drift
+dumpdir /run/chrony
+pidfile {{ config_file | replace('.conf', '.pid') }}
+
+# Determine when will the next leap second occur and what is the current offset
+leapsectz right/UTC
+
+user {{ user }}
+
+# NTP servers to reach out to
+{% if server is vyos_defined %}
+{%     for server, config in server.items() %}
+{%         set association = 'server' %}
+{%         if config.pool is vyos_defined %}
+{%             set association = 'pool' %}
+{%         endif %}
+{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }}
+{%     endfor %}
+{% endif %}
+
+# Allowed clients configuration
+{% if allow_client.address is vyos_defined %}
+{%     for address in allow_client.address %}
+allow {{ address }}
+{%     endfor %}
+{% endif %}
+deny all
+
+{% if listen_address is vyos_defined or interface is vyos_defined %}
+# NTP should listen on configured addresses only
+{%     if listen_address is vyos_defined %}
+{%         for address in listen_address %}
+bindaddress {{ address }}
+{%         endfor %}
+{%     endif %}
+{%     if interface is vyos_defined %}
+{%         for ifname in interface %}
+binddevice {{ ifname }}
+{%         endfor %}
+{%     endif %}
+{% endif %}
diff --git a/data/templates/ntp/override.conf.j2 b/data/templates/chrony/override.conf.j2
index 6fed9d7d2..9eaea7608 100644
--- a/data/templates/ntp/override.conf.j2
+++ b/data/templates/chrony/override.conf.j2
@@ -5,10 +5,13 @@ ConditionPathExists={{ config_file }}
 After=vyos-router.service
 
 [Service]
+EnvironmentFile=
 ExecStart=
-ExecStart={{ vrf_command }}/usr/sbin/ntpd -g -p {{ config_file | replace('.conf', '.pid') }} -c {{ config_file }} -u ntp:ntp
+ExecStart={{ vrf_command }}/usr/sbin/chronyd -F 1 -f {{ config_file }}
 PIDFile=
 PIDFile={{ config_file | replace('.conf', '.pid') }}
 Restart=always
 RestartSec=10
+# Required for VRF support
+ProtectControlGroups=No
 
diff --git a/data/templates/ntp/ntpd.conf.j2 b/data/templates/ntp/ntpd.conf.j2
deleted file mode 100644
index 8921826fa..000000000
--- a/data/templates/ntp/ntpd.conf.j2
+++ /dev/null
@@ -1,49 +0,0 @@
-### Autogenerated by ntp.py ###
-
-#
-# Non-configurable defaults
-#
-driftfile /var/lib/ntp/ntp.drift
-# By default, only allow ntpd to query time sources, ignore any incoming requests
-restrict default noquery nopeer notrap nomodify
-# Allow pool associations
-restrict source nomodify notrap noquery
-# Local users have unrestricted access, allowing reconfiguration via ntpdc
-restrict 127.0.0.1
-restrict -6 ::1
-
-#
-# Configurable section
-#
-{% if server is vyos_defined %}
-{%     for server, config in server.items() %}
-{%         set association = 'server' %}
-{%         if config.pool is vyos_defined %}
-{%             set association = 'pool' %}
-{%         endif %}
-{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is vyos_defined }} {{ 'preempt' if config.preempt is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }}
-{%     endfor %}
-{% endif %}
-
-{% if allow_clients.address is vyos_defined %}
-# Allowed clients configuration
-restrict default ignore
-{%     for address in allow_clients.address %}
-restrict {{ address | address_from_cidr }} mask {{ address | netmask_from_cidr }} nomodify notrap nopeer
-{%     endfor %}
-{% endif %}
-
-{% if listen_address is vyos_defined or interface is vyos_defined %}
-# NTP should listen on configured addresses only
-interface ignore wildcard
-{%     if listen_address is vyos_defined %}
-{%         for address in listen_address %}
-interface listen {{ address }}
-{%         endfor %}
-{%     endif %}
-{%     if interface is vyos_defined %}
-{%         for ifname in interface %}
-interface listen {{ ifname }}
-{%         endfor %}
-{%     endif %}
-{% endif %}
diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2
index 36571ce98..c9f402281 100644
--- a/data/templates/telegraf/telegraf.j2
+++ b/data/templates/telegraf/telegraf.j2
@@ -102,7 +102,7 @@
   dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"]
 [[inputs.ethtool]]
   interface_include = {{ interfaces_ethernet }}
-[[inputs.ntpq]]
+[[inputs.chrony]]
   dns_lookup = true
 [[inputs.internal]]
 [[inputs.nstat]]