geerlingguy / ansible-role-ntp

Ansible Role - NTP
https://galaxy.ansible.com/geerlingguy/ntp/
MIT License
319 stars 243 forks

ntp_restrict is not used for chrony #129

Closed antoinetran closed 8 months ago

antoinetran commented 1 year ago

Current behavior:

sudo ss -lpapn|grep chro
u_dgr UNCONN 0 0 /run/chrony/chronyd.sock 81878   * 0         users:(("chronyd",pid=10088,fd=7))
u_dgr ESTAB  0 0 * 81862                          * 12498     users:(("chronyd",pid=10088,fd=3))
udp   UNCONN 0 0 127.0.0.1:323                    0.0.0.0:*   users:(("chronyd",pid=10088,fd=5))
udp   UNCONN 0 0 [::1]:323                        [::]:*      users:(("chronyd",pid=10088,fd=6))

Expected behavior:

sudo ss -lpapn|grep chro
u_dgr UNCONN 0 0 /run/chrony/chronyd.sock 81392   * 0         users:(("chronyd",pid=10059,fd=8))
u_dgr ESTAB  0 0 * 81375                          * 12498     users:(("chronyd",pid=10059,fd=3))
udp   UNCONN 0 0 0.0.0.0:123                      0.0.0.0:*   users:(("chronyd",pid=10059,fd=7))
udp   UNCONN 0 0 127.0.0.1:323                    0.0.0.0:*   users:(("chronyd",pid=10059,fd=5))
udp   UNCONN 0 0 [::1]:323                        [::]:*      users:(("chronyd",pid=10059,fd=6))

UDP port 123 is present as listening.

Why? Because the template chrony.conf.j2 does not generate a restriction. E.g. a correct restriction:

allow 10.0.0.0/8

which will enable UDP listening.

github-actions[bot] commented 10 months ago

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

github-actions[bot] commented 8 months ago

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

antoinetran commented 8 months ago

This seems like it is not fixed yet in the template code.

antoinetran commented 8 months ago

/reopen ?

antoinetran commented 8 months ago

ping @geerlingguy

geerlingguy commented 8 months ago

@antoinetran - It looks like that'd be this line: https://github.com/geerlingguy/ansible-role-ntp/blob/master/templates/chrony.conf.j2#L28

For now you could add a lineinfile task to make sure that line is set correctly. Otherwise this template could be updated with that option being allowed to be configured perhaps.

antoinetran commented 8 months ago

Exactly. Using lineinfile will modify the file outside this module, which will break idempotence.

In fact, this template should be configured with the same template as ntp.conf (https://github.com/geerlingguy/ansible-role-ntp/blob/master/templates/ntp.conf.j2#L38C32-L41C13). Something like:

{% for item in ntp_restrict %}
allow {{ item }}
{% endfor %}
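As an added example that is not part of the thread or of the role's code: the shell script below models the behaviour the two `ss` listings above illustrate. It renders the `allow` lines the proposed template loop would emit from a list of networks (a stand-in for `ntp_restrict`), decides from a chrony.conf text whether chronyd will open its NTP server port at all, and checks `ss -lpan`-style output for a UDP socket bound to port 123. The rule it encodes comes from chrony.conf(5): the NTP port is opened only when an `allow` directive, an NTP `peer` or `broadcast` is configured, and `port 0` disables server mode regardless. The config text and `ss` lines are constructed sample data, trimmed from the listings in this issue.

```shell
#!/bin/sh
# Added example (not from geerlingguy/ansible-role-ntp): model chrony's
# server-port behaviour and check it against `ss` output. All inputs below
# are constructed samples.

# Render the 'allow' lines the template loop in the comment above would emit,
# from a whitespace-separated list of networks (stand-in for ntp_restrict).
render_allow_lines() {
    for net in $1; do
        printf 'allow %s\n' "$net"
    done
}

# Return 0 when the chrony.conf text passed as $1 enables server mode.
# chrony.conf(5): the NTP port is opened only when an 'allow' directive,
# an NTP 'peer' or 'broadcast' is configured; 'port 0' disables it outright.
chrony_server_enabled() {
    # drop blank lines and comment lines (chrony accepts #, %, ; and !),
    # then strip leading whitespace so directives start the line
    body=$(printf '%s\n' "$1" | grep -Ev '^[[:space:]]*([#%;!]|$)' | sed 's/^[[:space:]]*//')
    if printf '%s\n' "$body" | grep -Eq '^port[[:space:]]+0([[:space:]]|$)'; then
        return 1
    fi
    printf '%s\n' "$body" | grep -Eq '^(allow|peer|broadcast)([[:space:]]|$)'
}

# Return 0 when `ss -lpan`-style output passed as $1
# (columns: Netid State Recv-Q Send-Q Local Peer Process)
# contains a UDP socket bound to port 123 on any address.
ntp_port_bound() {
    printf '%s\n' "$1" | awk '$1 == "udp" && $5 ~ /:123$/ { found = 1 } END { exit !found }'
}

# Constructed sample ss output: client-only chronyd (only the command port 323).
SS_CLIENT_ONLY='u_dgr UNCONN 0 0 /run/chrony/chronyd.sock 81878 * 0 users:(("chronyd",pid=10088,fd=7))
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=10088,fd=5))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=10088,fd=6))'

# Constructed sample ss output: chronyd serving NTP on 0.0.0.0:123.
SS_SERVING='udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("chronyd",pid=10059,fd=7))
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=10059,fd=5))'

# Constructed base config with no access rules: chronyd stays a client.
CONF_CLIENT='server 0.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3'

# Same config with the rendered allow lines appended: server port expected.
CONF_SERVER="$CONF_CLIENT
$(render_allow_lines '10.0.0.0/8 192.168.0.0/16')"

main() {
    if chrony_server_enabled "$CONF_CLIENT"; then
        echo "CONF_CLIENT: access rules present, expect udp/123 bound"
    else
        echo "CONF_CLIENT: no allow/peer/broadcast, expect only command port 323"
    fi
    if chrony_server_enabled "$CONF_SERVER"; then
        echo "CONF_SERVER: access rules present, expect udp/123 bound"
    else
        echo "CONF_SERVER: no allow/peer/broadcast, expect only command port 323"
    fi
    if ntp_port_bound "$SS_CLIENT_ONLY"; then
        echo "client-only ss output: udp/123 bound"
    else
        echo "client-only ss output: udp/123 not bound"
    fi
    if ntp_port_bound "$SS_SERVING"; then
        echo "serving ss output: udp/123 bound"
    else
        echo "serving ss output: udp/123 not bound"
    fi
}

main "$@"
```

Two caveats for anyone wiring this into the role: the default chrony.conf the template produces, with no `allow` line, is the more restrictive posture (chronyd answers nobody), so adding `allow` entries is what turns the host into a reachable NTP server and should be a deliberate choice. Also, ntpd `restrict` lines carry ntpd-specific flags, while chrony's `allow` takes only an address or subnet, so a shared `ntp_restrict` list can be reused for both templates only if its entries are plain networks.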