From: David Galloway
Date: Tue, 23 Jan 2018 16:44:32 +0000 (-0500)
Subject: nameserver: Add support to run NTP server
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=e373babbac22ae84b2263a944b49c22d357411be;p=ceph-cm-ansible.git
nameserver: Add support to run NTP server
Signed-off-by: David Galloway
---
diff --git a/roles/nameserver/README.rst b/roles/nameserver/README.rst
index 3314daac..10aae919 100644
--- a/roles/nameserver/README.rst
+++ b/roles/nameserver/README.rst
@@ -88,6 +88,17 @@ Most variables are defined in ``roles/nameserver/defaults/main.yml`` and values |``ddns_keys: {}`` |A dictionary defining each Dynamic DNS zone's authorized key. See **Dynamic DNS** below. Defined in an encrypted file in | | |the secrets repo | +--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ +|``nameserver_as_ntp_server: false`` |Set to ``true`` in Ansible inventory host or group variables if you want the nameserver to act as an NTP server as well. | +| | | +| |**NOTE:** You must also define ``ntp_permitted_lans``. See below. | ++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ +|:: |A list of LANs that are permitted to query the NTP server running on the host. | +| | | +| ntp_permitted_lans: | | +| - 192.168.0.0/24 |Must be in CIDR format as shown. | +| - 172.20.20.0/20 | | +| | | ++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ **named_domains: []**
diff --git a/roles/nameserver/defaults/main.yml b/roles/nameserver/defaults/main.yml
index c4dc0a5f..88b7eb30 100644
--- a/roles/nameserver/defaults/main.yml
+++ b/roles/nameserver/defaults/main.yml
@@ -25,3 +25,6 @@ named_conf_soa_retry: 3600 named_conf_soa_expire: 604800 ddns_keys: {}
+
+# Default to false. Override in group or host vars
+nameserver_as_ntp_server: false
diff --git a/roles/nameserver/tasks/main.yml b/roles/nameserver/tasks/main.yml
index c35dd0c8..5c0a2db1 100644
--- a/roles/nameserver/tasks/main.yml
+++ b/roles/nameserver/tasks/main.yml
@@ -10,6 +10,17 @@ tags: - packages +# Configure firewalld +- import_tasks: firewall.yml + tags: + - firewall + +# Configure host as NTP server if desired +- import_tasks: ntp_server.yml + when: nameserver_as_ntp_server == true + tags: + - ntp-server + - name: Enable and start ntpd service: name: ntpd
@@ -27,11 +38,6 @@ tags: - always -# Configure firewalld -- import_tasks: firewall.yml - tags: - - firewall - # Configure BIND - import_tasks: config.yml tags:
diff --git a/roles/nameserver/tasks/ntp_server.yml b/roles/nameserver/tasks/ntp_server.yml
new file mode 100644
index 00000000..9e34d53c
--- /dev/null
+++ b/roles/nameserver/tasks/ntp_server.yml
@@ -0,0 +1,28 @@
+---
+- name: Install NTP package
+ yum:
+ name: ntp
+ state: latest
+
+- name: Make sure chrony is not installed
+ yum:
+ name: chrony
+ state: absent
+
+- name: Write NTP config file
+ template:
+ src: ntp.conf.j2
+ dest: /etc/ntp.conf
+
+- name: Start and enable NTP service
+ service:
+ name: ntpd
+ state: started
+ enabled: yes
+
+- name: Allow NTP traffic through firewalld
+ firewalld:
+ service: ntp
+ permanent: true
+ immediate: true
+ state: enabled
diff --git a/roles/nameserver/templates/ntp.conf.j2 b/roles/nameserver/templates/ntp.conf.j2
new file mode 100644
index 00000000..83a882fc
--- /dev/null
+++ b/roles/nameserver/templates/ntp.conf.j2
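Review bot: `ntp_permitted_lans` gets no default in this hunk even though the new `ntp.conf.j2` iterates over it unconditionally, so a host that sets `nameserver_as_ntp_server: true` without also defining the list fails at template-render time with an undefined-variable error instead of a clear message. Add `ntp_permitted_lans: []` next to the new variable, with a comment such as `# LANs (CIDR) allowed to query ntpd; empty means no external queries are permitted`, so the safe state is also the default state. The README hunk tells the operator to define it, but the defaults file is what the role actually enforces.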
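Review bot: `when: nameserver_as_ntp_server == true` only matches a native boolean; a value supplied as `-e nameserver_as_ntp_server=true` or from an INI inventory arrives as the string `"true"`, the comparison is false, and the NTP tasks are silently skipped with no indication why. Use `when: nameserver_as_ntp_server | bool`, which handles both forms and is the idiom Ansible lint expects. This applies to the first hunk of `tasks/main.yml`; the second hunk is the matching removal of the old firewall import and needs nothing further.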
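Review bot: The `Write NTP config file` task has no `notify`, and the following `service` task only asserts `state: started`, so on a later run a changed `/etc/ntp.conf` (for example a new entry in `ntp_permitted_lans`) is written to disk while ntpd keeps running with the old restrict lines until something else restarts it. Add `notify: restart ntpd` to the template task and a matching handler in the role's handlers file, which is not visible in this diff, so check whether one already exists. Two smaller points: `state: latest` on the ntp package upgrades it on every run and makes the play non-idempotent, so `state: present` is the right choice for a configuration role; and `enabled: yes` is the only YAML 1.1 truthy value in the new file while the other booleans are written `true`, so write `enabled: true`.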
@@ -0,0 +1,35 @@
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# Allow these networks to query this NTP server
+{% for lan in ntp_permitted_lans %}
+restrict {{ lan | ipaddr('network') }} mask {{ ntp_lan | ipaddr('netmask') }} nomodify notrap
+{% endfor %}
+
+# Get time from these public hosts
+server 0.centos.pool.ntp.org iburst
+server 1.centos.pool.ntp.org iburst
+server 2.centos.pool.ntp.org iburst
+server 3.centos.pool.ntp.org iburst
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Enable writing of statistics records.
+statistics clockstats cryptostats loopstats peerstats sysstats rawstats
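Review bot: The per-LAN restrict line references `ntp_lan`, but the loop variable is `lan`, so `{{ ntp_lan | ipaddr('netmask') }}` is undefined and the template fails to render as soon as `ntp_permitted_lans` is non-empty, which is exactly the case this feature exists for. The line should read `restrict {{ lan | ipaddr('network') }} mask {{ lan | ipaddr('netmask') }} nomodify notrap`. Consider adding `nopeer` to that line as well, so a permitted LAN can query time but cannot form a peer association with the server; the `restrict default` lines above already carry it, and the LAN line is the only place the server relaxes them. The `ipaddr` filter also depends on the `netaddr` Python package on the control node, which nothing in this diff declares; a comment at the top of the template noting that requirement would save the next person a confusing failure.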