Merge "Add new parameter 'security_ntp_bind_local_interfaces_only'"

defaults/main.yml

@@ -138,6 +138,8 @@ security_allowed_ntp_subnets:
   - 10/8
   - 192.168/16
   - 172.16/12
+# Listen for NTP requests only on local interfaces.
+security_ntp_bind_local_interfaces_only: yes
 
 ## Core dumps
 # V-38675 requires disabling core dumps for all users unless absolutely

doc/source/configuration.rst

@@ -228,9 +228,14 @@ openstack-ansible-security role.
 
 The default settings will work for most environments, but some deployers may
 prefer to use NTP servers which are geographically closer to their servers.
-Also, the default configuration allows `RFC1918`_ addresses to reach the NTP
+
-server running on each host. That could be reduced to ``127.0.0.1/32`` for
+The role configures the chrony daemon to listen only on localhost. To allow
-greater security.
+chrony to listen on all addresses (the upstream default for chrony),
+set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``.
+
+The default configuration allows `RFC1918`_ addresses to reach the NTP server
+running on each host. That could be changed by using the
+``security_allowed_ntp_subnets`` parameter.
 
 .. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
 

releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - A new configuration parameter ``security_ntp_bind_local_interfaces`` was
+    added to the security role to restrict the network interface to which
+    chronyd will listen for NTP requests.

templates/chrony.conf.j2

@@ -93,3 +93,11 @@ logchange 0.5
 # chrony postinst based on what it found in /etc/default/rcS.  You may
 # change it if necessary.
 rtconutc
+
+{% if security_ntp_bind_local_interfaces_only | bool %}
+# Listen for NTP requests only on local interfaces.
+bindaddress 127.0.0.1
+{% if not security_disable_ipv6 | bool %}
+bindaddress ::1
+{% endif %}
+{% endif %}