IKIM-Essen / EMCP-config

IaC configuration of the Essen Medical Computing Platform (EMCP)
BSD 2-Clause "Simplified" License

Ensure intended NTP client is used #203

Open mbargull opened 1 week ago

mbargull commented 1 week ago

@johanneskoester reported non-synced times on some nodes.

Taking a look at it, I noticed that we have chrony instead of systemd-timesyncd running. We apparently do have

to make sure systemd-timesyncd is set up. But we also have

which brings in chrony as a "recommended" dependency of freeipa-client.

A couple of things we could do:

  1. Install `freeipa-client` without recommended packages (https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html#parameter-install_recommends) in case it's appropriate.
  2. In ntpclient role do things like `printf '%s hold\n' ntp chrony | dpkg --set-selections` or `printf '\nPackage: %s\nPin: release *\nPin-Priority: -1\n' chrony ntp > /etc/apt/preferences.d/pin-no-chrony-ntp`. AFAICT, the former could be done via https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dpkg_selections_module.html#ansible-collections-ansible-builtin-dpkg-selections-module instead of doing it "manually".

Just going for 1. is of course not sufficient to prevent the observed failure, so 2. (or something equivalent) should be done in any case and 1. is an optional thing we might consider.
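
Added example, not part of the original thread or of the EMCP-config code: the two options above written as Ansible tasks, followed by a check that fails the play when the wrong time-sync daemon is active. Task names, file ownership and mode, and task ordering are assumptions; the pin file path and stanza fields are the ones from the comment, and the unit name `chrony.service` is the one the Debian/Ubuntu package ships.

```yaml
# Added example tasks; names and ordering are assumptions, not EMCP-config code.

# Option 2: a negative pin priority stops apt from ever selecting these packages,
# even when another package lists them as "Recommends".
- name: Pin chrony and ntp so apt never installs them
  ansible.builtin.copy:
    dest: /etc/apt/preferences.d/pin-no-chrony-ntp
    owner: root
    group: root
    mode: "0644"
    content: |
      Package: chrony
      Pin: release *
      Pin-Priority: -1

      Package: ntp
      Pin: release *
      Pin-Priority: -1

# Option 1: skip recommended packages so chrony is not pulled in by freeipa-client.
- name: Install freeipa-client without recommended packages
  ansible.builtin.apt:
    name: freeipa-client
    state: present
    install_recommends: false

# Verification: run after every role that installs packages, so a later role
# replacing the NTP client is caught at deploy time instead of by clock drift.
- name: Collect service state
  ansible.builtin.service_facts:

- name: Fail if systemd-timesyncd is not the active NTP client
  ansible.builtin.assert:
    that:
      - ansible_facts.services.get('systemd-timesyncd.service', {}).get('state') == 'running'
      - ansible_facts.services.get('chrony.service', {}).get('state') != 'running'
    fail_msg: "Unexpected NTP client state: expected systemd-timesyncd running and chrony not running"
```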

enasca commented 1 week ago

My fault, it didn't occur to me that on a fresh host the freeipa installation runs after the ntp role and breaks it. Sorry!

Both suggestions sound reasonable.

mbargull commented 6 days ago

> My fault, it didn't occur to me that on a fresh host the freeipa installation runs after the ntp role and breaks it. Sorry!

No worries!


I tried the hold/pin stuff out in 22.04 and 24.04 containers.

  1. `dpkg --set-selections` doesn't like it if listed packages are not installed (`apt-mark hold` works, though). We could just go with the pinning file to also be a bit more stern about not installing the packages.
  2. For 24.04 we do have a problem though: Recent Debian/Ubuntu freeipa-client packages mark systemd-timesyncd as conflicting, see:

    So, when we'll do a 24.04 upgrade, we'll need to adjust this again. E.g., by switching to chrony -- but I haven't yet looked into which parts need to be adjusted to have that one working.

So, since we might change it to go the other way around and install chrony instead of preventing its installation, I'd say, for now let's only go with the `--no-install-recommends` option and revisit possible pinnings later.

enasca commented 6 days ago

While declaring the timesyncd package conflicting for freeipa-client altogether seems rather ham-fisted, I agree it would be better for us to just switch to chrony.

Thank you Marcel for diving into this!