support Debian 12 / Bookworm / ntpsec #699

Open
juliantaylor opened this issue Sep 14, 2023 · 3 comments
juliantaylor commented Sep 14, 2023

Use Case

Debian 12/Bookworm switched their ntp package to ntpsec:
https://salsa.debian.org/debian/ntpsec/-/blob/debian/unstable/debian/NEWS

It is mostly a drop-in replacement, and the package copies configurations to new locations on upgrades so nothing breaks, but you cannot modify the ntpd configuration via this module anymore after upgrade.

With a couple of configuration changes it can be made to work, so probably only a few OS defaults need to be changed:

```yaml
# default ntp is a transitional package, install ntpsec
ntp::package_name: [ntpsec]
ntp::driftfile: /var/lib/ntpsec/ntp.drift
ntp::config: /etc/ntpsec/ntp.conf
ntp::daemon_config: /etc/default/ntpsec
```

Some other minor things: ntp::statsdir is not created by the package, so it may be good if it is created by the module if set.

Setting ntp::disable_auth: true with ntpsec results in a syntax error warning during startup; other disable flags do seem to work.
(ntpsec also supports the enable [auth |stats ...] option)

octomike commented Oct 2, 2023

It does break Debian 12 / bookworm somewhat.

The ntpsec package ships with an apparmor profile and the old driftfile location (copied from ntp.conf) is denied:

```
[313205.924891] audit: type=1400 audit(1696226693.748:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift-tmp" pid=705 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
```

The current state of the module renders ntp unmanaged on new installs and broken on upgraded systems.
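
Added example, not part of the thread or of the module's code: a Python check that parses AppArmor `type=1400` denials like the one quoted above and reports whether a denied path sits in the directory of the `driftfile` configured in ntp.conf. The second log line, the ntp.conf fragment and all function names are constructed for illustration.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample input: the denial quoted in the comment above, plus one
# unrelated audit line (constructed) to show filtering.
SAMPLE_LOG = '''\
[313205.924891] audit: type=1400 audit(1696226693.748:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/drift-tmp" pid=705 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
[313210.000000] audit: type=1400 audit(1696226698.100:54): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=900 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# Constructed ntp.conf fragment carrying the pre-upgrade driftfile location.
SAMPLE_CONF = "driftfile /var/lib/ntp/ntp.drift\nserver 0.debian.pool.ntp.org iburst\n"

AUDIT_RE = re.compile(r"type=1400 audit\((\d+)\.\d+:\d+\):\s*(.*)$")

def parse_denials(log_text, profile="/usr/sbin/ntpd"):
    """Return AppArmor DENIED events for one profile as dicts."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        # shlex strips the double quotes around values such as name="...".
        fields = dict(tok.split("=", 1) for tok in shlex.split(m.group(2)) if "=" in tok)
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue
        fields["time"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        events.append(fields)
    return events

def driftfile_of(conf_text):
    """Return the driftfile path set in ntp.conf text, or None."""
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "driftfile":
            return parts[1]
    return None

def denied_driftfile_dir(log_text, conf_text):
    """True if a denied path is in the same directory as the configured driftfile."""
    drift = driftfile_of(conf_text)
    if drift is None:
        return False
    drift_dir = drift.rsplit("/", 1)[0]
    return any(e.get("name", "").rsplit("/", 1)[0] == drift_dir
               for e in parse_denials(log_text))
```

On a live host the log text would come from the kernel or audit log and the configuration from the ntp.conf that ntpd actually reads; here both are the embedded samples.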

mdklapwijk commented Sep 20, 2024

This at least starts ntpsec using the /etc/ntp.conf:

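```puppet
# Point ntpsec's config path at the /etc/ntp.conf managed by the module
# and refresh the service when the link changes.
File['/etc/ntp.conf']
-> file { '/etc/ntpsec/ntp.conf':
  target  => '/etc/ntp.conf',
  replace => true,
}
~> Service['ntp']
```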
