Opened 5 years ago

Closed 5 years ago

#1168 closed Feature Wish (wontfix)

OpenVPN AMIs in AWS should use AWS NTP server by default

Reported by: jcottrill@… Owned by: jamesyonan
Priority: minor Milestone:
Component: Access Server Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: AWS AMI NTP


Currently, /etc/ntp.conf on the OpenVPN 2.6.1 AMIs for AWS is configured like this:

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See for
# more information.
pool iburst
pool iburst
pool iburst
pool iburst

# Use Ubuntu's ntp server as a fallback.

This requires opening an outbound security group for NTP (which is not necessarily an issue, but is an extra bit of configuration to mess with). AWS provides an NTP service for use in their cloud (see: AWS Docs), and it can be configured like this:

server prefer iburst

This server requires no security group rule modifications.

Change History (1)

comment:1 Changed 5 years ago by novaflash

Resolution: wontfix
Status: newclosed

Just reviewing and closing old tickets that were left open in the community site, although these were already copied into our internal tracking system and handled there.

Every change we make to the base image of Ubuntu means maintenance for us and a deviation from established standards. Most everyone will have outbound access enabled and never run into this issue, and will instead enforce firewall rules on incoming connections. I feel that if you want to really tighten everything down, then that's fine, but the consequences of that are your own to solve. There may be other programs that also do outgoing connections and will also need adjustments if you tighten things down. We don't want to take on the burden of doing that maintenance, for a situation that is uncommon.

Also, it looks like lately the package 'ntp' isn't the recommended anymore, and that 'chrony', which seems to come with Ubuntu 18.04 LTS these days, is the recommended NTP client package.

At this moment, and unless something major comes along to change our point of view on this, we will not implement this item, sorry.

Note: See TracTickets for help on using tickets.