Add new parameter 'security_ntp_bind_local_interfaces_only'

With the parameter 'security_ntp_bind_local_interfaces_only' it is possible to configure if chronyd should listen on all available network interfaces for NTP requests. Change-Id: I7e56d60df7c7214e753d1ca86aceed05849addef
2016-05-19 13:51:40 +02:00 · 2016-05-19 13:51:40 +02:00 · 3114703ebb
commit 3114703ebb
parent 8a3a83acaa
4 changed files with 23 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -138,6 +138,8 @@ security_allowed_ntp_subnets:
  - 10/8
  - 192.168/16
  - 172.16/12
+# Listen for NTP requests only on local interfaces.
+security_ntp_bind_local_interfaces_only: yes

 ## Core dumps
 # V-38675 requires disabling core dumps for all users unless absolutely
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -218,9 +218,14 @@ openstack-ansible-security role.

 The default settings will work for most environments, but some deployers may
 prefer to use NTP servers which are geographically closer to their servers.
-Also, the default configuration allows `RFC1918`_ addresses to reach the NTP
-server running on each host. That could be reduced to ``127.0.0.1/32`` for
-greater security.
+
+The role configures the chrony daemon to listen only on localhost. To allow
+chrony to listen on all addresses (the upstream default for chrony),
+set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``.
+
+The default configuration allows `RFC1918`_ addresses to reach the NTP server
+running on each host. That could be changed by using the
+``security_allowed_ntp_subnets`` parameter.

 .. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces

--- a/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
+++ b/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - A new configuration parameter ``security_ntp_bind_local_interfaces`` was
+    added to the security role to restrict the network interface to which
+    chronyd will listen for NTP requests.
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@ -91,3 +91,11 @@ logchange 0.5
 # chrony postinst based on what it found in /etc/default/rcS.  You may
 # change it if necessary.
 rtconutc
+
+{% if security_ntp_bind_local_interfaces_only | bool %}
+# Listen for NTP requests only on local interfaces.
+bindaddress 127.0.0.1
+{% if not security_disable_ipv6 | bool %}
+bindaddress ::1
+{% endif %}
+{% endif %}