
puppetlabs-ntp's Introduction

ntp

Table of Contents

  1. Module Description - What the module does and why it is useful
  2. Setup - The basics of getting started with ntp
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. License
  7. Development - Guide for contributing to the module

Module description

The ntp module installs, configures, and manages the NTP service across a range of operating systems and distributions.

Setup

Beginning with ntp

include ntp is enough to get you up and running. To pass in parameters specifying which servers to use:

class { 'ntp':
  servers => [ 'ntp1.corp.com', 'ntp2.corp.com' ],
}

Usage

All parameters for the ntp module are contained within the main ntp class, so for any function of the module, set the options you want. See the common usages below for examples.

Install and enable NTP

include ntp

Change NTP servers

class { 'ntp':
  servers => [ 'ntp1.corp.com', 'ntp2.corp.com' ],
}

Restrict who can connect

class { 'ntp':
  servers  => [ 'ntp1.corp.com', 'ntp2.corp.com' ],
  restrict => ['127.0.0.1'],
}

Install a client that can't be queried

class { 'ntp':
  servers   => ['ntp1.corp.com', 'ntp2.corp.com'],
  restrict  => [
    'default ignore',
    '-6 default ignore',
    '127.0.0.1',
    '-6 ::1',
    'ntp1.corp.com nomodify notrap nopeer noquery',
    'ntp2.corp.com nomodify notrap nopeer noquery'
  ],
}
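
An audit of the restrict lines these settings produce, as an added example that is not part of the module. It assumes each element of the restrict array is rendered as one "restrict <element>" line in ntp.conf and treats an unqualified default entry as IPv4 only; the sample configurations are constructed from the README values above.

```python
# Added example: audit the restrict lines of a rendered ntp.conf.
# Assumption: each element of the module's restrict array becomes one
# "restrict <element>" line. The sample configs below are constructed.

# Flags that stop ntpq/ntpdc style queries ("ignore" drops every packet).
QUERY_BLOCKING = {"ignore", "noquery"}
LOOPBACK = {"127.0.0.1", "::1"}

# Rendering of the "client that can't be queried" settings (constructed).
HARDENED = """\
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
restrict ntp1.corp.com nomodify notrap nopeer noquery
restrict ntp2.corp.com nomodify notrap nopeer noquery
"""

# Rendering of restrict => ['127.0.0.1'] on its own (constructed).
LOOPBACK_ONLY = "restrict 127.0.0.1\n"


def parse_restrict(conf_text):
    """Return (family, address, flags) for every restrict line."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # strip comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "ipv4"  # assumption: unqualified entries count as IPv4 only
        if args[0] in ("-4", "-6"):
            family = "ipv6" if args[0] == "-6" else "ipv4"
            args = args[1:]
        if not args:
            continue
        address, flags = args[0], args[1:]
        if len(flags) >= 2 and flags[0] == "mask":
            flags = flags[2:]  # drop "mask <netmask>", keep the flags
        entries.append((family, address, frozenset(flags)))
    return entries


def audit(conf_text):
    """Return a list of findings; empty means no entry permits queries."""
    entries = parse_restrict(conf_text)
    findings = []
    defaults = {fam: fl for fam, addr, fl in entries if addr == "default"}
    for family in ("ipv4", "ipv6"):
        if family not in defaults:
            findings.append(f"{family}: no 'restrict default' entry")
        elif not defaults[family] & QUERY_BLOCKING:
            findings.append(f"{family}: default entry permits queries")
    for family, address, flags in entries:
        if address == "default" or address in LOOPBACK:
            continue
        if not flags & QUERY_BLOCKING:
            findings.append(f"{address}: host entry permits queries")
    return findings


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("loopback only", LOOPBACK_ONLY)):
        print(name, audit(conf) or "no findings")
```

A restrict list holding only 127.0.0.1 leaves no default entry for either address family, which the audit reports as two findings.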

Listen on specific interfaces

Restricting NTP to a specific interface is especially useful on OpenStack nodes, which may have numerous virtual interfaces.

class { 'ntp':
  servers    => [ 'ntp1.corp.com', 'ntp2.corp.com' ],
  interfaces => ['127.0.0.1', '1.2.3.4'],
}

Opt out of Puppet controlling the service

class { 'ntp':
  servers        => [ 'ntp1.corp.com', 'ntp2.corp.com' ],
  restrict       => ['127.0.0.1'],
  service_manage => false,
}

Configure and run ntp without installing

class { 'ntp':
  package_manage => false,
}

Pass in a custom template

class { 'ntp':
  servers         => [ 'ntp1.corp.com', 'ntp2.corp.com' ],
  restrict        => ['127.0.0.1'],
  service_manage  => false,
  config_epp      => 'different/module/custom.template.epp',
}

Connect to an NTP server with the burst option enabled

class { 'ntp':
  servers => [ 'ntp1.corp.com', 'ntp2.corp.com' ],
  burst   => true,
}

Reference

See REFERENCE.md

Limitations

This module has been tested on all PE-supported platforms. Additionally, it is tested (but not supported) on Solaris 10 and Fedora 20-22.

For an extensive list of supported operating systems, see metadata.json

License

This codebase is licensed under the Apache 2.0 license; however, due to the nature of the codebase, the open source dependencies may also use a combination of AGPL, BSD-2, BSD-3, GPL2.0, LGPL, MIT and MPL licensing.

Development

We are experimenting with a new tool for running acceptance tests. Its name is puppet_litmus, and it replaces beaker as the test runner. To run the acceptance tests, follow the instructions here.

Puppet modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. Please follow our guidelines when contributing changes.

For more information, see our module contribution guide.

Contributors

To see who's already involved, see the list of contributors.


puppetlabs-ntp's Issues

openSUSE broken on recent versions of facter

Describe the Bug

Error: Systemd start for ntp failed!
journalctl log for ntp:
-- No entries --

Error: /Stage[main]/Ntp::Service/Service[ntp]/ensure: change from 'stopped' to 'running' failed: Systemd start for ntp failed!
journalctl log for ntp:
-- No entries --

When running a recent version of facter on opensuse, the ntp service name is not correctly matched because facter is now returning a string with different case so the hiera data file does not get matched. The string used to be "OpenSuSE" (facter 3.14.12) and now it is "openSUSE" (facter 4.4.1)

Expected Behavior

Correct service name of "ntpd" to be found by hiera and service started correctly.

Steps to Reproduce

Steps to reproduce the behavior:

  1. upgrade facter to version 4.4 or so
  2. run puppet on opensuse system

Environment

  • Version Puppet 6.29.0, Facter 4.4.1
  • Platform OpenSuse 15.5

Additional Context

I suppose the easiest solution is just to duplicate the hiera data file to match both cases. Pity we cannot just downcase all the facts as a more elegant solution.

logfile parameter not working on Ubuntu

Describe the Bug

logfile parameter is never working (target file is empty).

Expected Behavior

Logs should be written to the logfile target.

Steps to Reproduce

class { 'ntp':
  servers => ['ntp.ubuntu.com'],
  logfile => '/var/log/ntp.log',
}

Environment

  • Version 9.2.0
  • Platform: Ubuntu 20.04

Additional Context

Manual installation of ntp with logfile /var/log/ntp.log line in the /etc/ntp.conf works. Resulting file:

-rw-r--r--  1 root      root              1710 Sep 26 14:09 ntp.log

However this Puppet module will change the permissions to:

-rw-rw-r--  1 ntp       ntp                 822 Sep 26 14:12 ntp.log

Which somehow does not work:

# /var/log/syslog entry:
Sep 26 14:12:41 vm-focal ntpd[2462]: Cannot open logfile /var/log/ntp.log: Permission denied

I suspect this is related to AppArmor. Even if I cannot find any proof, it seems to work when the latter is uninstalled.

Workaround:

class { 'ntp':
  servers => ['ntp.ubuntu.com'],
  logfile => '/var/log/ntp.log',
  logfile_user => 'root',
}

However, this works with /var/log/ntp.log only. If you try /var/log/ntp/ntp.log, AppArmor will explicitly deny the ntp daemon to access this file:

[  853.899701] audit: type=1400 audit(1664201792.505:73): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntp/ntp.log" pid=3409 comm="ntpd" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0

I'm not sure how this could be properly fixed. There is technically nothing wrong with the module itself; it's related to AppArmor's restrictive/annoying behavior. Here are some ideas:

  • The default logfile_user value should be root (at least for Ubuntu).
  • Don't try to create or set permissions on the logfile, ntp is already able to create it (at least on Ubuntu).
  • Update the documentation of the logfile parameter for Ubuntu users.

More granular settings via "restrict" parameter

Current implementation of the restrict parameter only enables or disables restrictions on the server, but doesn't allow any customization beyond that.

Please consider either adding a parameter, or modifying the restrict parameter so that this module could be used to configure an NTP server for specific hosts or networks.

For example:

class { 'ntp':
  restrict => [
    'default kod nomodify notrap nopeer noquery',
    '192.168.0.0/16'
  ],
}

As it is right now, I need to provide my own template just to gain this functionality, so this module isn't very useful for me to set up NTP servers. This is especially problematic as I want to include the NTP module for all nodes, then customize accordingly with my hiera database.

Add support for client and server

When having different templating for ntp-servers and ntp-clients, the parameter to define a specific template is used in the node-configuration of servers; if the ntp client class is included in a base class, you will get a double declaration of the ntp module for the ntp-server nodes.

If, for example, hiera was used, you could override parameters for ntp servers and avoid double declarations.

Can you please add these lines for AIX support?

Hi,

we've got quite a few AIX servers and would love to use this module.

Could you please add this to params.pp?

'AIX': {
  $config       = '/etc/ntp.conf'
  $keysfile     = '/etc/ntp.keys'
  $driftfile    = '/etc/ntp.drift'
  $package_name = [ 'bos.net.tcp.client' ]
  $service_name = 'xntpd'
  $servers      = [
    '0.debian.pool.ntp.org iburst',
    '1.debian.pool.ntp.org iburst',
    '2.debian.pool.ntp.org iburst',
    '3.debian.pool.ntp.org iburst',
  ]
}

Thanks!

Undefined method flatten for nil:NilClass

Notice: Scope(Class[Ntp]): default kod nomodify notrap nopeer noquery -6 default kod nomodify notrap nopeer noquery 127.0.0.1 ::1
Notice: Scope(Class[Ntp::Config]): default kod nomodify notrap nopeer noquery -6 default kod nomodify notrap nopeer noquery 127.0.0.1 ::1
Error: Failed to parse template ntp/ntp.conf.erb:
  Filepath: /etc/puppet/environments/consuela/modules/ntp/templates/ntp.conf.erb
  Line: 12
  Detail: undefined method `flatten' for nil:NilClass
 on node super-secret-foo

Beware that this might be a future-parser 3.5.0-rc1 related issue.

Add support for Solaris

I may submit a PR later but for now here are the params needed for Solaris 10.

  $driftfile = '/etc/ntp.drift'
  $ntpconfig = '/etc/inet/ntp.conf'
  $ntppkg    = [ ] 
  $ntpsvc    = 'ntp'
  $statsdir  = '/var/ntp/ntpstats/'

TrueClass issue: true is not an Array

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: true is not an Array. It looks to be a TrueClass at /etc/puppet/environments/production/modules/ntp/manifests/init.pp:34

Missing Setup requirements

In the README there is a hyperlink in the overview for the "setup requirements", but it points to nothing and the setup part is missing.

The "Modulefile" lists a dependency with "puppetlabs-stdlib"...

Solaris-11 NTP service name error

On Solaris 11.4 hosts, the following error is received:

Error: /Stage[main]/Ntp::Service/Service[ntp]: Could not evaluate: Failed to get the FMRI of the network/ntp service: The pattern 'network/ntp' matches multiple FMRIs! These are the FMRIs it matches: svc:/network/ntp:default, svc:/network/ntp:monitor

Solaris 11.4 contains two services that match the 'network/ntp' FMRI.

root@myhost:~# svcs network/ntp
STATE STIME FMRI
disabled 2022-09-08T13:44:44 svc:/network/ntp:monitor
online 2022-10-25T10:40:43 svc:/network/ntp:default

The service name is set correctly within data/Solaris-11.yaml; however, the hiera.yaml needs to be corrected so that the Solaris-11.yaml is properly incorporated into hiera data.

Line 16 of hiera.yaml should read:

path: '%{facts.os.name}-%{facts.os.major}.yaml'

Add support for peering

The module is currently lacking the ability to specify peers for running your own ntp server.

Should allow easy relationships

The module should allow the end user to easily specify relationships such as:

node default {

  notify { 'enduser-before': }
  notify { 'enduser-after': }

  class { 'ntp':
    require => Notify['enduser-before'],
    before  => Notify['enduser-after'],
  }

}

Solaris 11 service name matches multiple FMRIs

Describe the Bug

After a recent Solaris update (somewhere between 11.4.38 and 11.4.45) there are now multiple SMF services that match network/ntp.

Error: /Stage[main]/Ntp::Service/Service[ntp]: Could not evaluate: Failed to get the FMRI of the network/ntp service: The pattern 'network/ntp' matches multiple FMRIs! These are the FMRIs it matches: svc:/network/ntp:default, svc:/network/ntp:monitor

Manually specifying the service name in hiera fixes the issue as a workaround:
ntp::service_name: network/ntp:default

Expected Behavior

No errors

Steps to Reproduce

Steps to reproduce the behavior:

  1. Update to Solaris 11.4.45
  2. Run puppet
  3. Error: /Stage[main]/Ntp::Service/Service[ntp]: Could not evaluate: Failed to get the FMRI of the network/ntp service: The pattern 'network/ntp' matches multiple FMRIs! These are the FMRIs it matches: svc:/network/ntp:default, svc:/network/ntp:monitor

Environment

  • NTP module 9.1.0
  • Solaris patch level 11.4.45


Generated ntp.conf has controlkey and requestkey lines with no values

Describe the Bug

When ntp::keys_controlkey and ntp::keys_requestkey are null the generated ntp.conf contains:
requestkey
controlkey

ntpd complains about these lines as syntax errors.

Expected Behavior

Don't output these lines if the variables are null.

Steps to Reproduce

Steps to reproduce the behavior:
Generate a config file with these variables left on the default null from common.yaml in the module.

Environment

  • Version 10.0.0
  • Platform CentOS 7.9

Additional Context

Testing for null with "unless $ntp::keys_controlkey.empty" in the template seems to fix this.

support Debian 12 / Bookworm / ntpsec

Use Case

Debian 12/Bookworm switched their ntp package to ntpsec:
https://salsa.debian.org/debian/ntpsec/-/blob/debian/unstable/debian/NEWS

It is mostly a drop-in replacement, and the package copies configurations to new locations on upgrades so nothing breaks, but you cannot modify the ntpd configuration via this module anymore after upgrade.

With a couple of configuration changes it can be made to work, so probably only a few OS defaults need to be changed:

# default ntp is a transitional package install ntpsec
ntp::package_name: [ntpsec]
ntp::driftfile: /var/lib/ntpsec/ntp.drift
ntp::config: /etc/ntpsec/ntp.conf
ntp::daemon_config: /etc/default/ntpsec

Some other minor things: ntp::statsdir is not created by the package, so it may be good if it is created by the module if set.

Setting ntp::disable_auth: true with ntpsec results in a syntax error warning during startup; other disable flags do seem to work.
(ntpsec also supports enable [auth |stats ...] option)

Mac OSX support

Hi all,

I'm totally new to puppet, so I'm not sure what would be involved. If I knew how, I'd be sending you a pull request. I know just enough about ntp to be dangerous, but not enough to really understand all the deep implications and not nearly enough to know about Precision Time Protocol (PTP) to understand if there ever would be interactions.

Is it possible to add support for Mac OSX? The mac does come with ntpd running, but it would be great to be able to have the same puppet setup for ubuntu also set the hosts, configure more detailed logging and change the sandboxing to allow ntpd to log stats to a directory (aka /usr/share/sandbox/ntpd.sb but via the proper tools, which I don't know).

Especially with the sandboxing, there will need to be some version specific logic as I think sandboxing comes in at 10.6.

Additional useful commands:

ps aux | grep ntp
echo version | ntpq # e.g. ntpq [email protected] Fri May 28 01:21:19 UTC 2010 (1)
ntpq -p -n # Status of the ntp daemon
ntptrace localhost
ntpdc -c sysinfo
ntpdc -c loopinfo

How to restart ntpd on the mac (at least for 10.7):

 sudo launchctl stop org.ntp.ntpd

Here's what I would currently like my setup to be with ntpd:

server 0.us.pool.ntp.org minpoll 12 maxpoll 17
server 1.us.pool.ntp.org minpoll 12 maxpoll 17
server 2.us.pool.ntp.org minpoll 12 maxpoll 17
server 3.us.pool.ntp.org minpoll 12 maxpoll 17
server 0.north-america.pool.ntp.org minpoll 12 maxpoll 17
server 1.north-america.pool.ntp.org minpoll 12 maxpoll 17
server 2.north-america.pool.ntp.org minpoll 12 maxpoll 17
server 127.127.1.0 minpoll 12 maxpoll 17

driftfile /var/db/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# The local UNH time server
server wilmot.unh.edu

# ... and use the local system clock as a reference if all else fails
# NOTE: in a local network, set the local stratum of *one* stable server
# to 10; otherwise your clocks will drift apart if you lose connectivity.
server 127.127.1.0
fudge 127.127.1.0 stratum 13

# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify

Issues when these two lines are at the top of ntp.conf

I apologize in advance for not being able to give you a more technical understanding of the issue.

I was dealing with a problem where I noticed that every time my puppet agent ran, there were "changes applied," even though I didn't make any changes to my manifests, yamls, etc.

I found out what the issue was. The box shipped with these 2 lines at the top of ntp.conf:

#Allowing 10.10.10.10 for time.mycompany.com
restrict 10.10.10.10 mask 255.255.255.255 nomodify

It was confusing your module and it was trying to make changes on every puppet run. I removed the 2 lines and the next puppet run went smoothly with no changes applied.

I recommend you insert these 2 lines at the top of ntp.conf and watch its behavior.

Let me know if you need anything else, thanks!

My common.yaml includes the following:

# NTP
ntp::servers:
  - '0.centos.pool.ntp.org iburst'
  - '1.centos.pool.ntp.org iburst'
  - '2.centos.pool.ntp.org iburst'

'restrict' example gives a warning, doesn't change ntp config, on ntp v2.0.1

I've got this input:

class { '::ntp':
  servers  => [ '0.us.pool.ntp.org', '1.us.pool.ntp.org',
                '2.us.pool.ntp.org', '3.us.pool.ntp.org' ],
  restrict => 'restrict 127.0.0.1',
}

And this output:

root@csv5:/etc/puppet# puppet apply /tmp/ntp_test.pp
Warning: Config file /etc/puppet/hiera.yaml not found, using Hiera defaults
Error: "restrict 127.0.0.1" is not an Array.  It looks to be a String at /etc/puppet/modules/ntp/manifests/init.pp:34 on node csv5.clanspum.net
Error: "restrict 127.0.0.1" is not an Array.  It looks to be a String at /etc/puppet/modules/ntp/manifests/init.pp:34 on node csv5.clanspum.net

For good measure, I tried the exact example from the docs (http://forge.puppetlabs.com/puppetlabs/ntp, under "I'd like to make sure I restrict who can connect as well."):

class { '::ntp':
  servers  => [ 'ntp1.corp.com', 'ntp2.corp.com' ],
  restrict => 'restrict 127.0.0.1',
}

Same warning.

This is Debian 7.1, puppet 3.3.0 from your repo, and version 2.0.1 of the ntp module installed from the forge via librarian-puppet.

Remove legacy fact usage

Describe the Bug

case $::osfamily {
- puppetlabs-ntp still uses legacy facts

Expected Behavior

When running with include_legacy_facts = false, no errors should occur.

Steps to Reproduce

  • Install 7.21.0 agent
  • set include_legacy_facts = false
  • run a manifest that uses this module

Environment

  • Version - 7.21.0
  • Platform - Linux

Additional Context

Gentoo osfamily fact is set to 'Gentoo' not 'Linux'

I'm running a Gentoo Linux system and the module errors out because the osfamily is set to 'Gentoo' so it never falls into the operatingsystem case statement nested within the 'Linux' case.

Let me know if you need any help and/or testing. Thanks!

test

please ignore
