Cockpit provides NTP server configuration when systemd-timesyncd is in use. Is it possible to use this NTP service on RHEV?

Yes and no.
AFAIK we currently document the configuration of older ntp implementations - but going forward having the support to configure timesyncd is sufficient.
This will just be an opportunity to converge to a single solution.

So I guess the question is whether we can just close this bug and just support configuring NTP servers in timesyncd.

Well, ain't this bug about being able to specify the NTP servers from Cockpit?
This feature is currently not present, regardless of the underlying NTP implementation.

This feature has been present since cockpit version 0.83. But is not available in the version of systemd on RHEL.

$ rpm -q systemd
systemd-219-19.el7_2.4.x86_64
$ ls /usr/lib/systemd/systemd-timesyncd
ls: cannot access /usr/lib/systemd/systemd-timesyncd: No such file or directory

The RHEL spec file for systemd contains: 

$ grep timesyncd systemd.spec 
Patch0016: 0016-Revert-timedated-manage-systemd-timesyncd-directly-i.patch
--disable-timesyncd

Should we reassign this to RHEL?

This feature has been present since cockpit version 0.83. But is not available in the version of systemd on RHEL.

$ rpm -q systemd
systemd-219-19.el7_2.4.x86_64
$ ls /usr/lib/systemd/systemd-timesyncd
ls: cannot access /usr/lib/systemd/systemd-timesyncd: No such file or directory

The RHEL spec file for systemd contains: 

$ grep timesyncd systemd.spec 
Patch0016: 0016-Revert-timedated-manage-systemd-timesyncd-directly-i.patch
--disable-timesyncd

Should we reassign this to systemd?

Good catch.

Let's ask Lukas on the plan, maybe it lands in 7.3?

Sorry no timesyncd in rhel7. I was told that we will stick to chrony, since it is more feature rich.

Thanks.
To me it then sounds reasonable that Cockpit should gain the functionality to set NTP servers when chrony is used.

One idea is to add a suitable API to timedated.  Systemd would implement it for timesyncd, and timedatex would need to implement it for ntpd and/or chrony.

The main obstacle is that chronyd has no programattic configuration API or file format. The format is hand editable, and it does not appear to have a configuration tool to manipulate the config file.

systemd-timesyncd uses a directory of drop in configuration files, thus removing this barrier.

Does RHEV already have a tool for manipulating chrony's configuration file? Is it general purpose? If both of the above are true, then we should work to include that tool in the chrony package.

We are currently using the old ntp package, and augeas for modifying the default configuration file /etc/ntpd.conf.

There is also an augeas lense for chrony.

A maybe nicer approach would be to enhance chrony to support a drop-in dir as well. And change the default configuration to recognize the drop-in dir.

chrony.conf actually supports "include <glob>" which would allow us to do something like "include /etc/chrony.conf.d/*.conf"

However, there are concerns that a consumer like cockpit, would not see all ntp servers if it is just updating one file.
This could be a security issue, and it does not necessarily mean that adding an ntp server has the desired effect.

Yes, a user configuring NTP should see all servers that are used. For instance, if a local server was unknowingly used together with public *.pool.ntp.org server from the default configuration, it could create a false sense of security (a MITM attacker could outvote the local server by modifying replies from the public servers and control the clock).

It would be also nice to have an option to enable/disable configuration of NTP sources from DHCP (PEERNTP variable in /etc/sysconfig/network).

(In reply to Fabian Deutsch from comment #14)

> However, there are concerns that a consumer like cockpit, would not see all
> ntp servers if it is just updating one file.
> This could be a security issue, and it does not necessarily mean that adding
> an ntp server has the desired effect.

The same is true for timesyncd, actually.

I've filed a blocking bug against chronyd for this work. We could coordinate contribution of that, so it's not just throwing responsibility over the wall ... but hopefully that bug will help us decide how this should be implemented.

(In reply to Stef Walter from comment #17)
> I've filed a blocking bug against chronyd for this work. We could coordinate
> contribution of that, so it's not just throwing responsibility over the wall
> ... but hopefully that bug will help us decide how this should be
> implemented.

I think it would be awesome to get systemd involved, too, and to expose the API via timedated.  Then clients (like Cockpit) could be completely ignorant of which implementation of the NTP protocol is used.

This missed 7.3 -> 7.6; can we have a target milestone for this? 7.6.z? 7.7?

Is anyone still interested in this?

RHV is still interested.

not included in 7.7, retrying with 8.1 for RHV 4.4

*** Bug 1667970 has been marked as a duplicate of this bug. ***

*** Bug 1842797 has been marked as a duplicate of this bug. ***

A customer requested for this feature in RHEL 8 since system-config-date is no longer available.
There are no other options for defining NTP servers manually via a graphical interface.

(In reply to Sam Wachira from comment #26)
> A customer requested for this feature in RHEL 8 since system-config-date is
> no longer available.
> There are no other options for defining NTP servers manually via a graphical
> interface.

I will look at the source of system-config-date and see if we can copy what it does.

(In reply to Marius Vollmer from comment #27)
> (In reply to Sam Wachira from comment #26)
> > A customer requested for this feature in RHEL 8 since system-config-date is
> > no longer available.
> > There are no other options for defining NTP servers manually via a graphical
> > interface.
> 
> I will look at the source of system-config-date and see if we can copy what
> it does.

system-config-date will modify /etc/ntp.conf or /etc/chrony.conf in place and synchronize the "server" lines with what the user has specified.  It ignores "pool" lines and pretty much everything else.  I think Cockpit can do the same, maybe restricted to /etc/chrony.conf.

In this mode, Cockpit probably shouldn't make a distinction between "Automatically using NTP" and "Automatically using specific NTP servers" since there is no separate set of default NTP servers.

It would be good if it could display all server, peer and pool lines to avoid issues with unexpected NTP servers being used. 
There is a /usr/libexec/chrony-helper script which can list and set the static sources in chrony.conf, which might be a better example than the old system-config-date code. If your tool supported setting any option on the server/peer/pool line, that would be a nice feature.

Please note that there is a possibility that the servers in the default configuration will be moved to a separate file and it could be overridden with a different file. This probably won't happen in RHEL8, but just a thing to keep in mind if you are writing new code.

*** Bug 1825200 has been marked as a duplicate of this bug. ***

Any progress with this request?

Any progress with this request?

This is finally fixed in RHEL 9, where chronyd is properly integrated into the timedatectl D-Bus interface. So cockpit can talk to it.

Oops, sorry.. the "set custom NTP server" now works in RHEL 9 cockpit because systemd-timesyncd is now available -- it is not in RHEL 8. I am not sure if that is deliberate, or still needs to be re-dropped. (and thus custom servers are written into /etc/systemd/timesyncd.conf.d/50-cockpit.conf).

Also, timedatex now does not exist any more, it is using systemd's own timedated.

So indeed there is no change wrt. to timedated's D-Bus API not being able to steer chrony. Setting back to NEW.

chrony.conf now supports the "sourcedir" directive, so let's just use that to read our own /etc/chrony-cockpit-sources/custom.sources file.  Then everything is nicely parallel to the existing code for systemd-timesynd, where we use /etc/systemd/timesyncd.conf.d/50-cockpit.conf.

https://github.com/cockpit-project/cockpit/pull/17992

It's not nicely parallel. Merely adding "sourcedir" does not really help, as cockpit would *still* have to parse the entire config and all of its source dirs to find the custom NTP servers. That's even harder than just directly looking for "server" instances. It may help if chrony would define (in its chrony.conf) a standard /etc/chrony/servers/ directory where admins, ansible, cockpit etc. could drop files, then that would be easier to parse.

New try in https://github.com/cockpit-project/cockpit/pull/18298

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cockpit bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7081