puppetlabs / puppetlabs-ntp

Puppet module to manage the NTP service
http://forge.puppetlabs.com/puppetlabs/ntp
Apache License 2.0

logfile parameter not working on Ubuntu #651

Open xchotard-talentsoft opened 2 years ago

xchotard-talentsoft commented 2 years ago

Describe the Bug

logfile parameter is never working (target file is empty).

Expected Behavior

Logs should be written to the logfile target.

Steps to Reproduce

class { 'ntp':
  servers => ['ntp.ubuntu.com'],
  logfile => '/var/log/ntp.log',
}

Environment

Additional Context

Manual installation of ntp with a logfile /var/log/ntp.log line in /etc/ntp.conf works. Resulting file:

-rw-r--r--  1 root      root              1710 Sep 26 14:09 ntp.log

However this Puppet module will change the permissions to:

-rw-rw-r--  1 ntp       ntp                 822 Sep 26 14:12 ntp.log

Which somehow does not work:

# /var/log/syslog entry:
Sep 26 14:12:41 vm-focal ntpd[2462]: Cannot open logfile /var/log/ntp.log: Permission denied

I suspect this is related to AppArmor. Even if I cannot find any proof, it seems to work when the latter is uninstalled.

Workaround:

class { 'ntp':
  servers => ['ntp.ubuntu.com'],
  logfile => '/var/log/ntp.log',
  logfile_user => 'root',
}

However, this works with /var/log/ntp.log only. If you try /var/log/ntp/ntp.log, AppArmor will explicitly deny the ntp daemon access to this file:

[  853.899701] audit: type=1400 audit(1664201792.505:73): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntp/ntp.log" pid=3409 comm="ntpd" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0

I'm not sure how this could be properly fixed. There is technically nothing wrong with the module itself; it's related to AppArmor's restrictive/annoying behavior. Here are some ideas:
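As an added triage example (not part of this issue or of the puppetlabs-ntp module), the following Python parses the two kinds of failure quoted above, the ntpd syslog message and the AppArmor type=1400 audit record, from constructed sample lines and reports the path and denied mask, so the ownership case (where the logfile_user workaround applies) can be told apart from the AppArmor case (a path outside the ntpd profile):

```python
import re

# Constructed sample lines, modelled on the two entries quoted in the issue above.
SAMPLE_LINES = [
    "Sep 26 14:12:41 vm-focal ntpd[2462]: Cannot open logfile /var/log/ntp.log: Permission denied",
    '[  853.899701] audit: type=1400 audit(1664201792.505:73): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/ntpd" name="/var/log/ntp/ntp.log" pid=3409 comm="ntpd" '
    'requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0',
    "Sep 26 14:12:41 vm-focal ntpd[2462]: Listen normally on 2 lo 127.0.0.1:123",
]

# ntpd's own message when it cannot open the file named by the logfile directive
NTPD_LOGFILE_RE = re.compile(r"ntpd\[\d+\]: Cannot open logfile (?P<path>\S+): (?P<reason>.+)$")
# AppArmor audit record (type=1400 in dmesg / kern.log); fields after the verdict are key="value"
APPARMOR_RE = re.compile(r'apparmor="(?P<verdict>[A-Z]+)"(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')


def parse_line(line):
    """Return a dict describing a recognised line, or None for anything else."""
    m = APPARMOR_RE.search(line)
    if m:
        f = dict(KV_RE.findall(m.group("rest")))
        return {"kind": "apparmor", "verdict": m.group("verdict"), "profile": f.get("profile"),
                "comm": f.get("comm"), "path": f.get("name"), "denied_mask": f.get("denied_mask")}
    m = NTPD_LOGFILE_RE.search(line)
    if m:
        return {"kind": "ntpd", "path": m.group("path"), "reason": m.group("reason")}
    return None


def logfile_denials(lines):
    """Keep only ntpd logfile failures and AppArmor denials attributed to ntpd."""
    out = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec["kind"] == "ntpd" or (rec["verdict"] == "DENIED" and rec["comm"] == "ntpd"):
            out.append(rec)
    return out


def explain(rec):
    """Map a denial to the two causes discussed in the issue."""
    if rec["kind"] == "apparmor":
        return ("%s: profile %s denies mask %r; file ownership cannot fix this, use a path "
                "the profile allows (e.g. /var/log/ntp.log) or adjust the AppArmor profile"
                % (rec["path"], rec["profile"], rec["denied_mask"]))
    return ("%s: %s; check owner/mode (logfile_user => 'root' workaround) and look for "
            "a matching AppArmor DENIED record in dmesg" % (rec["path"], rec["reason"]))


if __name__ == "__main__":
    for rec in logfile_denials(SAMPLE_LINES):
        print(explain(rec))
```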