OpenVPN AMIs in AWS should use AWS NTP server by default

[jcottrill@…]

Currently, /etc/ntp.conf on the OpenVPN 2.6.1 AMIs for AWS is configured like this:

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst

# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com

This requires opening an outbound security group for NTP (which is not necessarily an issue, but is an extra bit of configuration to mess with). AWS provides an NTP service for use in their cloud (see: ​AWS Docs), and it can be configured like this:

server 169.254.169.123 prefer iburst

This server requires no security group rule modifications.

[novaflash]

Just reviewing and closing old tickets that were left open in the community site, although these were already copied into our internal tracking system and handled there.

Every change we make to the base image of Ubuntu means maintenance for us and a deviation from established standards. Most everyone will have outbound access enabled and never run into this issue, and will instead enforce firewall rules on incoming connections. I feel that if you want to really tighten everything down, then that's fine, but the consequences of that are your own to solve. There may be other programs that also do outgoing connections and will also need adjustments if you tighten things down. We don't want to take on the burden of doing that maintenance, for a situation that is uncommon.

Also, it looks like lately the package 'ntp' isn't the recommended anymore, and that 'chrony', which seems to come with Ubuntu 18.04 LTS these days, is the recommended NTP client package.

At this moment, and unless something major comes along to change our point of view on this, we will not implement this item, sorry.