saltstack-formulas / ntp-formula

Home Page: http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html

License: Other

SaltStack 24.47% Ruby 31.59% JavaScript 21.50% Shell 6.52% Jinja 15.93%

ntp-formula's Introduction

ntp-formula

Formula to set up and configure the ntp client or server.

General notes

See the full SaltStack Formulas installation and usage instructions.

If you are interested in writing or contributing to formulas, please pay attention to the Writing Formula Section.

If you want to use this formula, please pay attention to the FORMULA file and/or git tag, which contains the currently released version. This formula is versioned according to Semantic Versioning.

See Formula Versioning Section for more details.

If you need (non-default) configuration, please pay attention to the pillar.example file and/or Special notes section.

Contributing to this repo

Commit message formatting is significant!!

Please see How to contribute for more details.

Special notes

None

Available states

ntp

Installs the ntp package, and optionally, a basic config.

ntp.server

Installs the ntp server, an optional server config, and starts the ntp server.

ntp.local_server

This formula uses pillar data to determine if the server is an internal NTP server or a local server that syncs to the internal NTP server and will write the ntp.conf file accordingly.

Requires CentOS 5.X or CentOS 6.X.

ntp.ng

This state is a re-implementation of the original NTP formula. As a state, ntp.ng controls both the client and server through pillar parameters. This formula does not require that a configuration file be served directly and instead fully exposes all ntp configuration parameters as set in the pillar.

Note: ntp.ng relies upon some conventions first available in the Helium release.

Testing

Linux testing is done with kitchen-salt.

Requirements

  • Ruby
  • Docker

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where [platform] is the platform name defined in kitchen.yml, e.g. debian-9-2019-2-py3.

bin/kitchen converge

Creates the docker instance and runs the template main state, ready for testing.

bin/kitchen verify

Runs the inspec tests on the actual instance.

bin/kitchen destroy

Removes the docker instance.

bin/kitchen test

Runs all of the stages above in one go: i.e. destroy + converge + verify + destroy.

bin/kitchen login

Gives you SSH access to the instance for manual testing.

ntp-formula's Issues

ntpd isn't started and enabled

Hi all,

I'm new to Salt and GitHub today, but I have a first request.
In the ntp-formula I can't see any functionality that starts ntpd and enables it as a service.

Can you add something like the service section I added below in the init.sls?

{% from "ntp/map.jinja" import ntp with context %}

ntp:
  pkg:
    - installed
    - name: {{ ntp.client }}

{% set ntp_conf_src = salt['pillar.get']('ntp:ntp_conf') -%}

{% if ntp_conf_src %}
ntp_conf:
  file:
    - managed
    - name: {{ ntp.ntp_conf }}
    - template: jinja
    - source: {{ ntp_conf_src }}
    - require:
      - pkg: ntp

  service:
    - name: {{ ntp.service }}
    - running
    - enable: True
    - watch:
      - file: {{ ntp.ntp_conf }}
    - require:
      - pkg: ntp
{% endif %}

ntp.ng conf file issues - NTP DDOS attacks

ntp-formula should configure ntp.conf to mitigate these attacks as default behaviour. However, a quick fix is to adjust the pillar file.

Note that the solution really should have firewall configuration changes as well - but out of scope for this formula.

Here is the ntp.ng pillar.example re-worked to limit the possibility of reflected attacks:

  # An arbitrary key to avoid clashes with the original configuration
  ng:
    # OS-specific data that should, in most cases, be handled by map.jinja.
    # It is an optional key and is only used to override defaults.
    lookup:
      package: ntp
      service: ntpd
      provider: systemd
      ntp_conf: /etc/ntp.conf
    # State-specific options
    settings:
      # If `True`, ntpd will be enabled. Otherwise ntp.conf will be configured
      # but ntpd will not be enabled or started.
      ntpd: True
      # A dictionary of lists, each key corresponds to a conf-file directive in
      # ntp.conf. Eg, the below will compile to:
      #
      #
      #     restrict default ignore
      #     restrict 127.0.0.1
      #     restrict ::1
      #     restrict 0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
      #     restrict 1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
      #
      #     disable monitor
      #
      #     driftfile /var/lib/ntp/ntp.drift
      #
      #     server 0.us.pool.ntp.org
      #     server 1.us.pool.ntp.org
      #
      ntp_conf:
        server:
          - '0.us.pool.ntp.org'
          - '1.us.pool.ntp.org'
        restrict:
          - 'default ignore'
          - '127.0.0.1'
          - '::1'
          - '0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
          - '1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
        driftfile: ['/var/lib/ntp/ntp.drift']
        # !! http://www.team-cymru.org/secure-ntp-template.html
        disable:
          - 'monitor'

Here's a diff of pillar example:

69,70d68
<       #     server 0.us.pool.ntp.org
<       #     server 1.us.pool.ntp.org
71a70
>       #     restrict default ignore
73a73,76
>       #     restrict 0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
>       #     restrict 1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
>       #
>       #     disable monitor
75a79,82
>       #
>       #     server 0.us.pool.ntp.org
>       #     server 1.us.pool.ntp.org
>       #
77,78c84,92
<         server: ['0.us.pool.ntp.org', '1.us.pool.ntp.org']
<         restrict: ['127.0.0.1', '::1']

---
>         server:
>           - '0.us.pool.ntp.org'
>           - '1.us.pool.ntp.org'
>         restrict:
>           - 'default ignore'
>           - '127.0.0.1'
>           - '::1'
>           - '0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
>           - '1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
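
Review bot: the two added restrict entries name pool hostnames ('0.us.pool.ntp.org mask 255.255.255.255 ...'), and together with the new 'default ignore' they only help if each name resolves to the same address that the matching server line ends up using. Pool names rotate between addresses, so the exemption can miss the peer actually in use and its replies then fall under 'default ignore'. Consider fixed server addresses in this example, or state in the comment block that the restrict entries must match the resolved peers.
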
79a94,96
>         # !! http://www.team-cymru.org/secure-ntp-template.html
>         disable:
>           - 'monitor'
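
Review bot: the comment added above 'disable:' is only a URL ('# !! http://www.team-cymru.org/secure-ntp-template.html') and does not say what 'monitor' controls or why it is being disabled. A one-line explanation next to the key would let someone copying this pillar see that removing it undoes part of the reflection hardening, even if the link stops resolving.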

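The hardening from this issue as an added example, which is not part of the original issue or the formula's own code: it renders an ntp_conf pillar dictionary into ntp.conf lines and checks the result for a restrictive 'restrict default' entry and for 'disable monitor'. The function names and the one-line-per-list-item rendering rule are assumptions taken from the pillar comment, not from the formula's template.

```python
# Added example (not the formula's code): render an ntp.ng-style `ntp_conf`
# pillar dict and audit it for the two mitigations from the issue above.

def render_ntp_conf(ntp_conf):
    """Assumed rendering rule: one '<directive> <item>' line per list item."""
    return [f"{key} {item}" for key, items in ntp_conf.items() for item in items]

def audit(lines):
    """Return findings; an empty list means both mitigations are present."""
    default_entries = []
    monitor_disabled = False
    for raw in lines:
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) < 2:
            continue
        if tokens[0] == "restrict":
            # Ignore address-family switches so '-6 default' is also caught.
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_entries.append(set(args[1:]))
        elif tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
    findings = []
    if not default_entries:
        findings.append("no 'restrict default' entry: unlisted hosts are unrestricted")
    elif any(not flags & {"ignore", "noquery"} for flags in default_entries):
        findings.append("'restrict default' lacks ignore/noquery")
    if not monitor_disabled:
        findings.append("'disable monitor' missing: monitoring facility stays enabled")
    return findings

# Pillar values before and after the change, taken from the pillar and diff above.
BEFORE = {
    "server": ["0.us.pool.ntp.org", "1.us.pool.ntp.org"],
    "restrict": ["127.0.0.1", "::1"],
    "driftfile": ["/var/lib/ntp/ntp.drift"],
}
AFTER = {
    "server": ["0.us.pool.ntp.org", "1.us.pool.ntp.org"],
    "restrict": ["default ignore", "127.0.0.1", "::1",
                 "0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery",
                 "1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery"],
    "driftfile": ["/var/lib/ntp/ntp.drift"],
    "disable": ["monitor"],
}

if __name__ == "__main__":
    for name, pillar in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(render_ntp_conf(pillar)) or "ok")
```
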
jinja rendering issues

    Data failed to compile:
----------
    Rendering SLS ntp failed, render error: expected token ',', got ':'; line 12 in template:

I had to strip back init.sls to

ntp:
  pkg:
    - installed

ntpd_conf:
  file.managed:
    - name: /etc/ntp.conf
    - source: salt://ntp/ntp-client.conf
    - require:
      - pkg: ntp

before it would render.

ntp.service fails over missing dependency

This is CentOS release 6.5 (Final), salt 2015.8.8.2 (Beryllium)

salt-call state.sls ntp.server

local:
----------
          ID: ntp
    Function: pkg.installed
      Result: True
     Comment: Package ntp is already installed
     Started: 15:30:51.197693
    Duration: 546.288 ms
     Changes:   
----------
          ID: ntp_running
    Function: service.running
        Name: ntpd
      Result: False
     Comment: The following requisites were not found:
                                 watch:
                                     file: /etc/ntp.conf
     Started: 
    Duration: 
     Changes:   
----------
          ID: ntpd
    Function: service.running
      Result: True
     Comment: The service ntpd is already running
     Started: 15:30:51.747220
    Duration: 119.102 ms
     Changes:   

Summary for local
------------
Succeeded: 2
Failed:    1
------------

Support for systemd-timesyncd

Support for systemd-timesyncd should be implemented for client-only setups where NTP server functionality isn't required:

  • Check whether the latest available systemd version is >=216 [*]
  • Ensure the latest (>=216) version is installed
  • Disable other implementations/services providing NTP client functionality
  • Enable systemd-timesyncd (timedatectl set-ntp 1) [**]

[*] The reason for wanting >=216 is that since this release the whole NTP handling in systemd was streamlined. Before that, individual NTP services could provide drop-in configs which would then be used by systemd. This was quite a mess and error-prone. See also this entry from the NEWS file:

CHANGES WITH 216:

        * timedated no longer reads NTP implementation unit names from
          /usr/lib/systemd/ntp-units.d/*.list. Alternative NTP
          implementations should add a

            Conflicts=systemd-timesyncd.service

          to their unit files to take over and replace systemd's NTP
          default functionality.

[**] Once saltstack/salt#20392 is implemented, the whole timedatectl setup should be done via DBus which provides a proper interface for this instead of fiddling with cmd.run output/results.

[FEATURE] Implement semantic versioning

Is your feature request related to a problem?

This formula still provides ntp and ntp.ng states which is confusing and complicated.

Describe the solution you'd like

The solution to this problem is to deprecate php legacy states and promote php.ng states to php ones, renaming them.
It means:

  • implement semantic versioning as we do in other formulas with all tools to automate work
  • create an initial release with current code
  • create a BREAKING CHANGE version deprecating legacy states and promoting new ones

Describe alternatives you've considered

I don't see any other solutions.

Additional context
