Page MenuHomeVyOS Platform
Create Task
Maniphest T6091

[1.3.3->1.4.0-epa1 Migration] NTP "listen-address" config removed
Closed, WontfixPublicBUG
Actions

Description

On 1.3.3:-

set system ntp listen-address 'xxx.xxx.42.171'
set system ntp listen-address 'xxx.xxx.42.210'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld

and after migration to 1.4.0-epa1:-

set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld

The "listen-address" directives have been removed, when they should have been migrated. They do appear still to be configurable within 1.4.

Details

Difficulty level
Unknown (require assessment)
Version
1.4.0-epa1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

matthewr created this task.Mar 3 2024, 12:04 PM
pasik added a subscriber: pasik.Mar 3 2024, 1:18 PM
Viacheslav triaged this task as Normal priority.Mar 15 2024, 2:23 PM
Viacheslav added a subscriber: Viacheslav.

Most likely won't fix
https://chrony-project.org/doc/3.4/chrony.conf.html

bindaddress 192.168.1.1

Currently, for each of the IPv4 and IPv6 protocols, only one bindaddress directive can be specified. Therefore, it is not useful on computers which should serve NTP on multiple network interfaces.
c-po added a subscriber: c-po.Mar 15 2024, 2:26 PM

The issue is which to choose if there are multiple, thus removing all, chrony will listen on all interfaces.

As this is an upstream package limitation its a wontfix, sorry

c-po closed this task as Wontfix.Mar 15 2024, 2:26 PM
matthewr added a comment.Mar 15 2024, 3:12 PM

Given that Chrony only allows one bind address, versus ntpd which allows multiple, a "wontfix" sounds like the correct answer! :-)

Apachez added a subscriber: Apachez.EditedMar 15 2024, 5:06 PM

Proper would be to throw out chrony and use ntpsec instead which supports proper filtering.

Another fix would be to by default have a default firewall were this filtering is applied if the broken chrony cannot filter this properly itself.

Something like this task: https://vyos.dev/T5509