From 54a781e4f50dab41f9256cfc3b3c45f2f928f9c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Chabrolles?=
Date: Thu, 6 Aug 2020 14:47:56 +0200
Subject: [PATCH] Setup Chrony server on bastion node (#39)

Fixes #38
Signed-off-by: Sebastien Chabrolles
---
 playbooks/roles/ocp-config/README.md | 8 +-
 .../roles/ocp-config/defaults/main/main.yaml | 2 +-
 playbooks/roles/ocp-config/handlers/main.yaml | 5 ++
 playbooks/roles/ocp-config/tasks/chrony.yaml | 85 +++++++++++++++----
 playbooks/roles/ocp-config/tasks/main.yaml | 5 +-
 .../templates/chrony-machineconfig.j2 | 25 ------
 .../roles/ocp-config/templates/chrony.conf.j2 | 7 --
 7 files changed, 83 insertions(+), 54 deletions(-)
 delete mode 100644 playbooks/roles/ocp-config/templates/chrony-machineconfig.j2
 delete mode 100644 playbooks/roles/ocp-config/templates/chrony.conf.j2
diff --git a/playbooks/roles/ocp-config/README.md b/playbooks/roles/ocp-config/README.md
index a37654e7..b0f84c45 100644
--- a/playbooks/roles/ocp-config/README.md
+++ b/playbooks/roles/ocp-config/README.md
@@ -25,8 +25,9 @@ Role Variables | proxy_url | no | "" | Proxy url eg: http://[user:passwd@]server:port (NA when setup_squid_proxy: true)| | no_proxy | no | "" | Comma seperated string of domains/cidr to exclude proxy | | enable_local_registry | no | false | Set to true to enable usage of local registry for restricted network install | -| chronyconfig.enabled | no | flase | Set to true to enable chrony configuration on the coreOS node during install | -| chronyconfig.content | no | "" | List of time servers and options pair (see chronyconfig examples) | +| chronyconfig.enabled | no | true | Set to true to enable chrony configuration on the bastion node during installation. This also configure the bastion as a NTP server for the cluster. | +| chronyconfig.content | no | "" | List of time NTP servers and options pair (see chronyconfig examples). If empty, bastion will try sync with some default ntp server (internet) AND local HW clock (with higher stratum). | +| chronyconfig.allow | no | "" | List of network cidr (X.X.X.X/Y) allowed to sync with bastion configured as NTP server | *chronyconfig variable example * @@ -38,6 +39,9 @@ chronyconfig: options: iburst - server: ntp2.example.com options: iburst + allow: + - 10.1.1.1/24 + - 10.1.2.3/16 ``` Dependencies diff --git a/playbooks/roles/ocp-config/defaults/main/main.yaml b/playbooks/roles/ocp-config/defaults/main/main.yaml index 3c9765c7..5eafd51b 100644 --- a/playbooks/roles/ocp-config/defaults/main/main.yaml +++ b/playbooks/roles/ocp-config/defaults/main/main.yaml @@ -9,4 +9,4 @@ no_proxy: "" enable_local_registry: false chronyconfig: - enabled: false + enabled: true diff --git a/playbooks/roles/ocp-config/handlers/main.yaml b/playbooks/roles/ocp-config/handlers/main.yaml index 801a7fa8..2293384d 100644 --- a/playbooks/roles/ocp-config/handlers/main.yaml +++ b/playbooks/roles/ocp-config/handlers/main.yaml 
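Review bot: Flipping `enabled` to `true` in defaults/main/main.yaml switches the chrony.yaml tasks on for every inventory that never set `chronyconfig`, and that path now installs chronyd on the bastion, opens the `ntp` firewall service and adds `local stratum 10` instead of only emitting manifests as before. Existing users therefore pick up a new daemon and an open firewall port on their next run without changing anything on their side, and with `chronyconfig.allow` left at its empty default the port is open before any client is actually permitted. If the opt-out default is intended, the README row for `chronyconfig.enabled` should state that it now changes the bastion's own configuration by default; otherwise keep `enabled: false` and describe enabling it as an explicit step.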
@@ -9,3 +9,8 @@ service: name: firewalld state: restarted + +- name: restart chrony + service: + name: chronyd + state: restarted diff --git a/playbooks/roles/ocp-config/tasks/chrony.yaml b/playbooks/roles/ocp-config/tasks/chrony.yaml index 90e19c22..b688934d 100644 --- a/playbooks/roles/ocp-config/tasks/chrony.yaml +++ b/playbooks/roles/ocp-config/tasks/chrony.yaml 
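Review bot: The new `restart chrony` handler only fires when one of the chrony.yaml tasks reports a change, and `state: restarted` never enables the unit, so on a bastion where the `Install chrony` task just pulled the package in, chronyd is running after the play but not enabled at boot, and the cluster loses its time source after the first reboot. The minimal fix is `enabled: true` under the handler's `service:` block; the cleaner one is a `service: name: chronyd state: started enabled: true` task right after the install step in chrony.yaml, so the unit is managed even on runs where no config line changes. On images where chronyd ships enabled this is moot, but the role cannot assume that about the bastion host.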
@@ -1,17 +1,72 @@ -- name: Create temporary chrony.conf file - template: - src: chrony.conf.j2 - dest: /tmp/chrony.conf.tmp +- name: Install chrony on bastion + yum: + name: chrony + state: present -- name: slurp contents of temporary chrony.conf file - slurp: - src: /tmp/chrony.conf.tmp - register: chronybase64 +- name: Open NTP port on firewall + firewalld: + service: ntp + permanent: yes + immediate: yes + state: enabled -- name: Generate Chrony machineconfig - template: - src: chrony-machineconfig.j2 - dest: "{{ workdir }}/manifests/99-{{item}}-chrony-configuration.yaml" - loop: - - master - - worker +- name: Configure chrony to synchronize with ntp servers + lineinfile: + path: /etc/chrony.conf + regexp: '^server {{ item.server }} ' + state: present + line: "server {{ item.server }} {{ item.options | default('iburst') }}" + insertafter: 'server ' + backup: yes + loop: "{{ chronyconfig.content }}" + when: + - chronyconfig.content is defined + - chronyconfig.content[0].server is defined + notify: + - restart chrony + +- name: Remove Chrony default pool when ntp server are used + lineinfile: + path: /etc/chrony.conf + regexp: '^pool .*\.rhel\.pool\.ntp\.org' + state: absent + backup: yes + when: + - chronyconfig.content is defined + - chronyconfig.content[0].server is defined + notify: + - restart chrony + +- name: Allow local stratum in chrony.conf on bastion + lineinfile: + path: /etc/chrony.conf + regexp: '^local stratum' + state: present + line: "local stratum 10" + insertafter: '^#local stratum' + backup: yes + notify: + - restart chrony + +- name: Allow Cluster Network in chrony.conf on bastion + lineinfile: + path: /etc/chrony.conf + regexp: '^allow' + state: present + line: "allow {{ item }}" + insertafter: '^#allow' + backup: yes + loop: "{{ chronyconfig.allow }}" + when: + - chronyconfig.allow is defined + - chronyconfig.allow[0] is defined + notify: + - restart chrony + +- name: Copy machineconfig files generated from helpernode + copy: + src: "{{ item 
}}" + dest: "{{ workdir }}/manifests" + remote_src: yes + with_fileglob: + - "../../ocp4-helpernode/machineconfig/*-chrony-configuration.yaml" diff --git a/playbooks/roles/ocp-config/tasks/main.yaml b/playbooks/roles/ocp-config/tasks/main.yaml index 9d882822..67515e3b 100644 --- a/playbooks/roles/ocp-config/tasks/main.yaml +++ b/playbooks/roles/ocp-config/tasks/main.yaml @@ -5,12 +5,10 @@ import_tasks: squid.yaml when: setup_squid_proxy - - name: Extract OCP4 tools import_tasks: extract.yaml when: release_image_override != "" - - name: Skip config if install workdir exist stat: path: "{{ workdir }}" @@ -28,7 +26,6 @@ # - absent - directory - - name: Generate install-config.yaml template: src: ../templates/install-config.yaml.j2 @@ -61,7 +58,7 @@ line: '\1mastersSchedulable: False' backrefs: yes -- name: Create Chrony machineconfig files for coreOS +- name: Setup time synchronisation with Chrony import_tasks: chrony.yaml when: chronyconfig.enabled diff --git a/playbooks/roles/ocp-config/templates/chrony-machineconfig.j2 b/playbooks/roles/ocp-config/templates/chrony-machineconfig.j2 deleted file mode 100644 index 9ca6d1b7..00000000 --- a/playbooks/roles/ocp-config/templates/chrony-machineconfig.j2 +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - labels: - machineconfiguration.openshift.io/role: {{item}} - name: 99-{{item}}-chrony-configuration -spec: - config: - ignition: - config: {} - security: - tls: {} - timeouts: {} - version: 2.2.0 - networkd: {} - passwd: {} - storage: - files: - - contents: - source: data:text/plain;charset=utf-8;base64,{{ chronybase64.content }} - verification: {} - filesystem: root - mode: 420 - path: /etc/chrony.conf - osImageURL: "" diff --git a/playbooks/roles/ocp-config/templates/chrony.conf.j2 b/playbooks/roles/ocp-config/templates/chrony.conf.j2 deleted file mode 100644 index 9d3a3d48..00000000 --- a/playbooks/roles/ocp-config/templates/chrony.conf.j2 +++ /dev/null 
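Review bot: In the `Allow Cluster Network in chrony.conf on bastion` task the `regexp: '^allow'` matches any `allow` line, including the one written by the previous loop iteration, so with the two CIDRs from the README example the second iteration overwrites the first and only the last network ends up permitted to query the bastion. Use a per-item pattern such as `regexp: '^allow {{ item | regex_escape }}$'` so each CIDR gets its own line (the `server` task already keys its regexp per item, though its `{{ item.server }}` is likewise unescaped). Ansible evaluates `loop` before the per-item `when`, so `loop: "{{ chronyconfig.content }}"` and `loop: "{{ chronyconfig.allow }}"` fail rather than skip when the key is missing or set to the documented `""` default; `loop: "{{ chronyconfig.content | default([]) }}"` (and the same for `allow`) makes the `is defined` guards effective. The `Open NTP port on firewall` task runs unconditionally, so a bastion with no `allow` entries still exposes the NTP service in the default zone; a `when: chronyconfig.allow | default([]) | length > 0` keeps the port closed until the bastion is actually meant to serve clients. The final copy task combines `with_fileglob`, which expands on the controller, with `remote_src: yes`, which reads on the target, so it only works when the bastion is the controller — presumably the case here, but worth a one-line comment above the task.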
@@ -1,7 +0,0 @@ -{% for item in chronyconfig.content %} -server {{ item.server }} {{ item.options }} -{% endfor %} -driftfile /var/lib/chrony/drift -makestep 1.0 3 -rtcsync -logdir /var/log/chrony