Bug 1828434
| Summary: | Better integration of per-platform defaults | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Colin Walters <walters> |
| Component: | chrony | Assignee: | Miroslav Lichvar <mlichvar> |
| Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.3 | CC: | jlebon, lucab, miabbott |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-21 13:53:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Colin Walters
2020-04-27 17:22:30 UTC
It looks like chrony supports include directives: https://git.tuxfamily.org/chrony/chrony.git/tree/doc/chrony.conf.adoc?id=ad8fb64276bfaf94feedb7e5ae61bba2f741308e#n2143. Is it possible to have the example there (`include @SYSCONFDIR@/chrony.d/*.conf`) included by default in `/etc/chrony.conf`? (Or is there a reason why this is avoided?)

The reason why the default chrony.conf doesn't use the include directive is that there wasn't a good use case so far, and it makes debugging more difficult (if you don't have access to all the files).

The default chrony.conf uses pool.ntp.org servers. If there is a trusted local time source like the PTP clock, the pool.ntp.org servers should be disabled. But that cannot be done by adding files to /etc/chrony.conf.d. A file needs to be removed or modified.

> But that cannot be done by adding files to /etc/chrony.conf.d. A file needs to be removed or modified.

OK, so what you're saying here is that the Azure recommendations at https://docs.microsoft.com/en-us/azure/virtual-machines/linux/time-sync are insufficient, because we want to *only* use the PHC by removing the `pool` line?

> A file needs to be removed or modified.

The original ticket was a request to support dropins, which are a logical superset of include directories. Specifically, they cover this exact case without removing or modifying any vendor file. The "same filename overriding" logic makes it possible to surgically blank out/supersede a vendor default (in /usr) from a user customization fragment (in /etc). It would be nice for chrony to support that.

(In reply to Colin Walters from comment #3)
> OK so what you're saying here is that the Azure recommendations at
> https://docs.microsoft.com/en-us/azure/virtual-machines/linux/time-sync
> are insufficient, because we want to *only* use the PHC by removing
> the `pool` line?

They list "Host-only using VMICTimeSync." as one of the three ways to synchronize the clock. If security is a concern, I think that should be preferred over using (unauthenticated) external NTP servers. If NTP servers need to be used, ideally they should be local to the datacenter.

(In reply to Luca BRUNO from comment #4)
> The original ticket was a request to support dropins, which are a logical
> superset of include-directories.
> Specifically, they cover this exact case without removing or modifying any
> vendor file.
> The "same filename overriding" logic allows to surgically blank out/supersede
> a vendor default (in /usr) from a user customization fragment (in /etc).

OK, that makes sense. We would need to split the default configuration file into multiple files, where one would have the pool.ntp.org servers. This needs some thought. However, it would be a major change in the packaging. I don't think it can be done in a minor RHEL update.

FWIW, there is a chrony-helper script included in the chrony package. It can modify the sources in /etc/chrony.conf, e.g.

`echo "refclock PHC /dev/ptp0 poll 2" | /usr/libexec/chrony-helper set-static-sources`

FWIW, the latest upstream code now supports a "confdirs" directive, which allows configuration fragments to be disabled or replaced by adding files to other directories (e.g. /etc/chrony.d, /var/run/chrony.d). I'm not sure whether or how the packaged configuration should adopt that yet.

Some thoughts on DHCP-provided NTP servers: currently a record of the DHCP-provided NTP servers added to chrony is kept in `/run/chrony-helper/added_servers`, written by chrony-helper. One way to disable all DHCP-provided servers through host config is that chrony-helper could be adjusted to write the servers to a config snippet `/run/chrony.d/10-dhcp-servers`, and then have chronyd re-read config snippets. That way, writing an empty file to `/etc/chrony.d/10-dhcp-servers` would disable DHCP-provided NTP servers. The empty host config file could be added as part of the generator https://github.com/coreos/fedora-coreos-config/blob/a8fb8e2caac6b981296c34e206dfc4157b56d486/overlay.d/20platform-chrony/usr/lib/systemd/system-generators/coreos-platform-chrony or in an overlay. To override the addition of the empty file (i.e. deleting it), https://github.com/coreos/ignition/issues/739 would probably be required, in FCOS/RHCOS at least.

This should work considering interface-specific NTP servers from DHCP are currently stored persistently on disk, at first somewhere like `/var/lib/dhclient/chrony.servers.${interface}`, and then read into a common (non-interface-specific) location `/run/chrony-helper/added_servers` before being added to chronyd.

FWIW, chronyd doesn't currently support reloading of config files. It would need to be restarted, but we want to avoid unnecessary restarts to avoid losing NTP measurements and to avoid a limited makestep triggering again. There is also an issue that some directives can't work after dropping the root privileges (e.g. opening an RTC or reference clock). So, we would probably need a new directive to read NTP sources from files, which could be reloaded with a "reload" command from chronyc.

The upstream code now has a "sourcedirs" directive to read NTP sources from files, which can be reloaded with the "chronyc reload sources" command. However, I don't see how we could migrate to such a configuration in a minor RHEL release.
On systems that have a non-default chrony.conf, we could add the sourcedirs directive to the file in a scriptlet, but that would break as soon as it was replaced by the user or regenerated by a configuration tool (e.g. the timesync ansible role). This looks like a major change in packaging that needs to wait for the next major release.

As explained in the previous comment, I don't see a way to enable this feature in RHEL8 without breaking compatibility with existing tools. I'm closing the bug.
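As an added illustration (not code from the bug or from chrony itself) of the same-filename override the thread discusses, the POSIX shell script below models the "first directory wins" precedence of chrony's confdirs directive over constructed directories, with an empty /etc/chrony.d fragment masking a generated /run/chrony.d fragment as proposed above for DHCP-provided servers. The root directory, fragment names and server address are constructed, and /usr/lib/chrony.d standing in for the vendor-default location is an assumption.

```shell
#!/bin/sh
# Model of chrony's confdirs precedence (example, not chrony's own code):
# directories are searched in the order given, the first directory that
# contains a given file name wins, and chrony only reads fragments with
# a .conf suffix. An empty winning file therefore disables the fragment.

# Print "NAME STATUS PATH" for every effective fragment, sorted by name
# (fragments are included in lexicographical order of their file names).
# $@ = directories in precedence order, e.g. /etc/chrony.d /run/chrony.d
effective_fragments() {
    seen=" "
    for dir in "$@"; do
        for path in "$dir"/*.conf; do
            [ -f "$path" ] || continue
            name=${path##*/}
            case "$seen" in *" $name "*) continue ;; esac   # masked earlier
            seen="$seen$name "
            if [ -s "$path" ]; then
                printf '%s active %s\n' "$name" "$path"
            else
                printf '%s masked %s\n' "$name" "$path"
            fi
        done
    done | sort
}

# Constructed layout under $1: a vendor pool fragment, a DHCP-generated
# server fragment, and an empty host override that disables the latter.
build_demo() {
    mkdir -p "$1/etc/chrony.d" "$1/run/chrony.d" "$1/usr/lib/chrony.d"
    printf 'pool pool.ntp.org iburst\n' > "$1/usr/lib/chrony.d/20-pool.conf"
    printf 'server 192.0.2.1 iburst\n' > "$1/run/chrony.d/10-dhcp-servers.conf"
    : > "$1/etc/chrony.d/10-dhcp-servers.conf"   # empty: masks the DHCP fragment
}

# Report the status (active, masked or absent) of fragment name $2 under root $1.
fragment_status() {
    effective_fragments "$1/etc/chrony.d" "$1/run/chrony.d" "$1/usr/lib/chrony.d" |
        awk -v n="$2" '$1 == n { print $2; f = 1 } END { if (!f) print "absent" }'
}

# Stand-alone demonstration on a throwaway root directory.
demo_root=$(mktemp -d)
build_demo "$demo_root"
effective_fragments "$demo_root/etc/chrony.d" "$demo_root/run/chrony.d" "$demo_root/usr/lib/chrony.d"
rm -rf "$demo_root"
```

The demonstration lists 10-dhcp-servers.conf as masked (taken from the empty /etc copy) and 20-pool.conf as active; the /run copy of the DHCP fragment never reaches the effective set.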