Add some initial changes for using chrony instead of NTP

Signed-off-by: Saikrishna Arcot <[email protected]>

build_debian.sh

@@ -233,7 +233,6 @@ echo '[INFO] Install docker'
 ## Install apparmor utils since they're missing and apparmor is enabled in the kernel
 ## Otherwise Docker will fail to start
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apparmor
-sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apt-transport-https \
                                                        ca-certificates \
                                                        curl
@@ -426,7 +425,7 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     picocom \
     systemd \
     systemd-sysv \
-    ntp
+    chrony
 
 if [[ $TARGET_BOOTLOADER == grub ]]; then
     if [[ $CONFIGURED_ARCH == amd64 ]]; then

files/build_templates/sonic_debian_extension.j2

@@ -415,18 +415,13 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/flashrom_*.deb
 sudo cp -f $IMAGE_CONFIGS/cron.d/* $FILESYSTEM_ROOT/etc/cron.d/
 
 # Copy NTP configuration files and templates
-sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT \
-    apt-get -y install ntpdate
-sudo rm -f $FILESYSTEM_ROOT/etc/network/if-up.d/ntpsec-ntpdate
-sudo cp $IMAGE_CONFIGS/ntp/ntp-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
-echo "ntp-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
-sudo cp $IMAGE_CONFIGS/ntp/ntp-config.sh $FILESYSTEM_ROOT/usr/bin/
-sudo cp $IMAGE_CONFIGS/ntp/ntp.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
-sudo cp $IMAGE_CONFIGS/ntp/ntp.keys.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
-sudo cp $IMAGE_CONFIGS/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/libexec/ntpsec/
-sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d
-sudo cp $IMAGE_CONFIGS/ntp/sonic-target.conf $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/ntpsec.service.d/
-echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
+sudo cp $IMAGE_CONFIGS/chrony/chrony-config.sh $FILESYSTEM_ROOT/usr/bin/
+sudo cp $IMAGE_CONFIGS/chrony/chrony.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+sudo cp $IMAGE_CONFIGS/chrony/chrony.keys.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+sudo cp $IMAGE_CONFIGS/chrony/chronyd-starter.sh $FILESYSTEM_ROOT/usr/lib/systemd/scripts/
+sudo mkdir $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/chrony.service.d
+sudo cp $IMAGE_CONFIGS/chrony/override.conf $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM/chrony.service.d/
+echo "chrony.service" | sudo tee -a $GENERATED_SERVICE_FILE
 
 # Copy DNS templates
 sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/

files/image_config/chrony/chrony-config.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sonic-cfggen -d -t /usr/share/sonic/templates/chrony.conf.j2 >/etc/chrony/chrony.conf
+sonic-cfggen -d -t /usr/share/sonic/templates/chrony.keys.j2 >/etc/chrony/chrony.keys
+chmod o-r /etc/chrony/chrony.keys

files/image_config/chrony/chrony.conf.j2

@@ -0,0 +1,107 @@
+###############################################################################
+# This file was AUTOMATICALLY GENERATED. DO NOT MODIFY.
+# Controlled by ntp-config.service
+###############################################################################
+
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+{# Getting NTP global configuration -#}
+{% set global = (NTP | d({})).get('global', {}) -%}
+
+{# Adding NTP servers. We need to know if we have some pools, to set proper config -#}
+{% set ns = namespace(is_pools=false) %}
+{% for server in NTP_SERVER if NTP_SERVER[server].admin_state != 'disabled' -%}
+    {% set config = NTP_SERVER[server] -%}
+    {# Server options -#}
+    {% set soptions = '' -%}
+
+    {# Define defaults if not defined -#}
+    {% set association_type = config.association_type | d('server') -%}
+    {% set resolve_as = config.resolve_as | d(server) -%}
+
+    {# Authentication key -#}
+    {% if global.authentication == 'enabled' -%}
+        {% if config.key -%}
+            {% set soptions = soptions ~ ' key ' ~ config.key -%}
+        {% endif -%}
+    {% endif -%}
+
+    {# Aggressive polling -#}
+    {% if config.iburst -%}
+        {% set soptions = soptions ~ ' iburst' -%}
+    {% endif -%}
+
+    {# Protocol version -#}
+    {% if config.version -%}
+        {% set soptions = soptions ~ ' version ' ~ config.version -%}
+    {% endif -%}
+
+    {# Check if there are any pool configured. BTW it doesn't matter what was
+    configured as "resolve_as" for pools. If they were configured with FQDN they
+    must remain like that -#}
+    {% if association_type == 'pool' -%}
+        {% set resolve_as = server -%}
+    {% endif -%}
+
+{{ association_type }} {{ resolve_as }}{{ soptions }}
+
+{% endfor -%}
+
+{# Access control options -#}
+{% set options = '' -%}
+
+{# Disable NTP server functionality. Should stay on when dhcp is enabled -#}
+{# {% if global.server_role == 'disabled' and global.dhcp == 'disabled' -%}
+    {% set options = options ~ ' ignore' -%}
+{% endif -%} #}
+
+# Access control configuration
+# By default, exchange time with everybody, but don't allow configuration.
+# NTPsec doesn't establish peer associations, and so nopeer has no effect, and
+# has been removed from here
+restrict default kod nomodify noquery limited{{ options }}
+
+# Use time sources from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+
+{% if global.authentication == 'enabled' %}
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+{% endif %}
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC

files/image_config/chrony/chrony.keys.j2

@@ -0,0 +1,18 @@
+###############################################################################
+# This file was AUTOMATICALLY GENERATED. DO NOT MODIFY.
+# Controlled by ntp-config.service
+###############################################################################
+
+{# We can connect only to the servers we trust. Determine those servers -#}
+{% set trusted_arr = [] -%}
+{% for server in NTP_SERVER if NTP_SERVER[server].trusted == 'yes' and
+                               NTP_SERVER[server].resolve_as -%}
+    {% set _ = trusted_arr.append(NTP_SERVER[server].resolve_as) -%}
+{% endfor -%}
+
+{# Define authentication keys inventory -#}
+{% set trusted_str = ' ' ~ trusted_arr|join(',') -%}
+{% for keyid in NTP_KEY if NTP_KEY[keyid].type and NTP_KEY[keyid].value %}
+{% set keyval = NTP_KEY[keyid].value | b64decode %}
+{{ keyid }} {{ NTP_KEY[keyid].type | upper }} {{ keyval }}{{trusted_str}}
+{% endfor -%}

files/image_config/chrony/sonic-target.conf

@@ -0,0 +1,3 @@
+[Unit]
+BindsTo=sonic.target
+After=sonic.target