voxpupuli / puppet-chrony

Puppet module for Chrony with Systemd

Home Page: https://forge.puppet.com/puppet/chrony

License: Apache License 2.0

Ruby 55.74% Puppet 44.26%
hacktoberfest archlinux-puppet-module centos-puppet-module debian-puppet-module gentoo-puppet-module linux-puppet-module puppet redhat-puppet-module sles-puppet-module ubuntu-puppet-module

puppet-chrony's People

Contributors

4n7, aboe76, alexjfisher, bastelfreak, bensallen, bluewind, chrekh, dhoppe, duritong, ekohl, ghoneycutt, h-haaks, heidistein, igalic, jcpunk, jhoblitt, jhunt-steds, kenyon, nbarrientos, ofalk, olifre, othalla, przemas75, root-expert, sebastianrakel, smortex, stevekay, traylenator, unixsurfer, zilchms

puppet-chrony's Issues

update metadata to remove puppet-stdlib dependency

I can submit a simple PR to update the version in metadata.json, but I think the more proper fix would be to remove the dependency on stdlib altogether. Unless I missed it, I don't see any stdlib functions or types that the module uses.

Consolidate templates

I've noticed that the chrony.conf.redhat.erb and chrony.conf.debian.erb are the exact same file and chrony.conf.archlinux.erb is missing several options.

I think it would make sense to have just a single template (epp whilst we're at it).

Make a new release

When are you planning to make a new release? It will be very convenient for me if you emit a new release after merging #113 and #112.

chrony being restarted every time the module runs

Just wondering if a service restart should be happening with every puppet run?

[root@server:~]# puppet agent --test
Notice: Local environment: 'production' doesn't match server specified node environment 'sit', switching agent to 'sit'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for server
Info: Applying configuration version '1512517385'
Notice: /Stage[main]/Service_common/Service[chronyd.service]/ensure: ensure changed 'running' to 'stopped'
Notice: /Stage[main]/Chrony::Service/Service[chrony]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Chrony::Service/Service[chrony]: Unscheduling refresh on Service[chrony]
Notice: Applied catalog in 7.94 seconds
[root@server:~]# puppet agent --test
Notice: Local environment: 'production' doesn't match server specified node environment 'sit', switching agent to 'sit'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for server
Info: Applying configuration version '1512517470'
Notice: /Stage[main]/Service_common/Service[chronyd.service]/ensure: ensure changed 'running' to 'stopped'
Notice: /Stage[main]/Chrony::Service/Service[chrony]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Chrony::Service/Service[chrony]: Unscheduling refresh on Service[chrony]
Notice: Applied catalog in 7.76 seconds
[root@server:~]#

[root@server:~]# grep chrony /var/log/messages | grep puppet | head ; echo ...; grep chrony /var/log/messages | grep puppet | tail
Dec  3 03:35:38 server puppet-agent[12296]: (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
Dec  3 03:35:39 server puppet-agent[12296]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
Dec  3 04:05:38 server puppet-agent[12540]: (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
Dec  3 04:05:39 server puppet-agent[12540]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
Dec  3 04:35:38 server puppet-agent[12767]: (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
Dec  3 04:35:39 server puppet-agent[12767]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
Dec  3 05:05:38 server puppet-agent[13011]: (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
Dec  3 05:05:39 server puppet-agent[13011]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
Dec  3 05:35:38 server puppet-agent[13238]: (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
Dec  3 05:35:39 server puppet-agent[13238]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
...
Dec  6 09:22:09 server puppet-agent[19627]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
Dec  6 09:22:09 server puppet-agent[19627]: (/Stage[main]/Chrony::Service/Service[chrony]) Unscheduling refresh on Service[chrony]
Dec  6 09:27:58 server puppet-agent[19834]: (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
Dec  6 09:28:01 server puppet-agent[19834]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
Dec  6 09:28:01 server puppet-agent[19834]: (/Stage[main]/Chrony::Service/Service[chrony]) Unscheduling refresh on Service[chrony]
Dec  6 09:35:38 server puppet-agent[20075]: (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
Dec  6 09:35:41 server puppet-agent[20075]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
Dec  6 09:36:04 server puppet-agent[20279]: (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
Dec  6 09:36:07 server puppet-agent[20279]: (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
Dec  6 09:36:07 server puppet-agent[20279]: (/Stage[main]/Chrony::Service/Service[chrony]) Unscheduling refresh on Service[chrony]
[root@server:~]#
[root@server:~]# grep chrony /var/log/messages | grep puppet | cut -d' ' -f 7- | sort | uniq -c
   160 (/Stage[main]/Chrony::Service/Service[chrony]/ensure) ensure changed 'stopped' to 'running'
   160 (/Stage[main]/Service_common/Service[chronyd.service]/ensure) ensure changed 'running' to 'stopped'
[root@server:~]#

I'm using the following config:

    package { 'ntp':
      ensure => 'purged',
    }

    class { '::chrony':
      package_ensure     => 'latest',
      service_enable     => true,
      service_ensure     => 'running',
      chrony_password    => 'unset',
      config_keys_manage => false,
      servers            => [
        'time1.server',
        'time2.server',
        'time3.server',
        'time4.server',
        'time5.server',
        'time6.server',
        'time8.server',
        'time9.server',
        'time10.server',
      ],
    }

The module should support Amazon Linux 2

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: Any
  • Ruby: Any
  • Distribution: Amazon Linux 2
  • Module version: Any

Feature Request

Amazon Linux 2 is based on RHEL 7. The module performs well without modification so the only update required should be the addition of Amazon Linux 2 to the metadata.json.

"operatingsystem_support": [
  {
    "operatingsystem": "Amazon",
    "operatingsystemrelease": [
      "2"
    ]
  }
]

Add CentOS 9 to CI workflow?

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet:
  • Ruby:
  • Distribution: CentOS
  • Module version:

How to reproduce (e.g Puppet code you use)

Consider adding CentOS 8+9 to CI workflow. Currently covers CentOS 7 only.

What are you seeing

image

What behaviour did you expect instead

Output log

Any additional information you'd like to impart

Allow refclock configuration parameter

Since Linux 4.11, the ptp_kvm kernel module is available, allowing use of the KVM infrastructure as a PTP clock.
The following line is required in chrony.conf:
refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
It could be used in a more generic way to add GPS and other hardware reference clocks too.

Since there's no generic option to add arbitrary data to chrony.conf, patching puppet-chrony code is required.

See also article: https://opensource.com/article/17/6/timekeeping-linux-vms

avoid changing configuration when adding optional parameters

Currently, with each new managed parameter, configuration file gets new 'hanging' comments and empty lines, for example:

# Hardware reference clock drivers


# https://chrony.tuxfamily.org/doc/3.4/chrony.conf.html#leapsecmode

# https://chrony.tuxfamily.org/doc/3.4/chrony.conf.html#maxslewrate

# https://chrony.tuxfamily.org/doc/3.4/chrony.conf.html#smoothtime

Conditionals in the template should encompass optional comments and not add empty lines, which cause an unnecessary global service restart.
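The effect described in this issue, as an added example that is not the module's own template: two constructed ERB templates render the same unset `leapsecmode` parameter, one with the comment outside the conditional and one with it inside. The template text, `render`, `content_changed?` and `BASELINE` are hypothetical names; only the directive, the comment URL and `time1.server` come from the page.

```ruby
require 'erb'

# Constructed templates (not the module's own). Trim mode '-' lets a tag that
# ends in "-%>" swallow the newline after it, so control lines emit nothing.

# "Before": the comment and its blank line sit outside the conditional.
HANGING_TEMPLATE = <<~'ERB_SRC'
  server <%= server %> iburst

  # https://chrony.tuxfamily.org/doc/3.4/chrony.conf.html#leapsecmode
  <% if leapsecmode -%>
  leapsecmode <%= leapsecmode %>
  <% end -%>
ERB_SRC

# "After": blank line, comment and directive are all inside the conditional.
GUARDED_TEMPLATE = <<~'ERB_SRC'
  server <%= server %> iburst
  <% if leapsecmode -%>

  # https://chrony.tuxfamily.org/doc/3.4/chrony.conf.html#leapsecmode
  leapsecmode <%= leapsecmode %>
  <% end -%>
ERB_SRC

# Render a template with the given parameters; nil means "parameter not set".
def render(template, server:, leapsecmode: nil)
  ERB.new(template, trim_mode: '-')
     .result_with_hash(server: server, leapsecmode: leapsecmode)
end

# The file as it looked before the template learned about leapsecmode.
BASELINE = "server time1.server iburst\n"

# True when a node that never set the new parameter would still get a
# different file, and therefore a notify on the chrony service.
def content_changed?(template)
  render(template, server: 'time1.server') != BASELINE
end

if $PROGRAM_NAME == __FILE__
  puts "hanging template changes the file: #{content_changed?(HANGING_TEMPLATE)}"
  puts "guarded template changes the file: #{content_changed?(GUARDED_TEMPLATE)}"
end
```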

Incompatible with future parser

I had to apply the following:

diff --git forge_modules/chrony/manifests/config.pp forge_modules/chrony/manifests/config.pp
index 9a750aa..1d8fe63 100644
--- forge_modules/chrony/manifests/config.pp
+++ forge_modules/chrony/manifests/config.pp
@@ -3,7 +3,7 @@ class chrony::config inherits chrony {
ensure => file,
owner => 0,
group => 0,

  • mode => 0644,
  • mode => '0644',
    content => template($config_template),
    notify => Service['chrony'],
    }
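Review bot: on the `mode` line, the quoted `'0644'` is the form to keep, and the module's other file resources should be checked for the same bare octal, because the warning quoted below applies to any non-string value of the file mode property. The `owner => 0` and `group => 0` context lines are numeric ids rather than modes, so that warning does not cover them and they need no change here.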

to avoid:

Warning: Non-string values for the file mode property are deprecated. It must be a string, either a symbolic mode like 'o+w,a+r' or an octal representation like '0644' or '755'.
(at /usr/share/ruby/vendor_ruby/puppet/type/file/mode.rb:69:in `block (2 levels) in module:Puppet')

puppet-chrony should support configurable leap second handling

Newer versions of chrony have added the "slew" leap second handling mode, which I suspect is becoming pretty popular (since it handles them smoothly, rather than doing the step-back-in-time that it otherwise does)

A kind of typical leap second config for this looks like this in the chrony config:

leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001 leaponly

Those default values are probably reasonable for many people, though making the values configurable should be easy. Do note that maxslewrate is a global value, but that the smoothtime values, if there is a 'leaponly' suffix, are specific to leap-second handling, so should probably be named appropriately.

Thanks!

How to further customize the servers list

Hi,
First, thanks for the module. Secondly, I was trying to achieve a bit more granular config generation. I am trying to get one of the servers with the "prefer" option so that chrony prefers that server over other servers. I am not Ruby-literate and the configuration does its job as promised... however, can you please guide me on how I can do that tweak as well?
One way was trying to apply the file from the puppet source in a file resource declaration, however if I can get it through your module it will be a perfect neat way...
(The desired status on a centos7 environment eventually would like to look like this:
server 172.16.1.1 iburst prefer
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
)
Thank you for your time and efforts

No changelog available

We're currently using 0.1.2 of this module, and we'd like to update it to a newer version.
The lack of a changelog makes this process more complex than needed.

Can you add a Changelog to this project? If possible with the historic data

A number of config options are missing

When attempting to manage chrony I noticed there are many valid config options that are missing. Namely,

  • allow
  • logchange
  • minsamples
  • minsources

My suspicion is that there are others. I'd like to make a PR to address at least these items though I think it's worth looking into adding a parameter such as chrony::config_extras or something similar where a user could pass key/value pairs directly into the resulting chrony.yaml

PR to follow adding class params for the 4 mentioned above.

RFE - Support for DNS Service record configuration

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 3.7
  • Ruby:
  • Distribution: RHEL 7 & 8
  • Module version: v2.0.0

How to reproduce (e.g Puppet code you use)

There is no support for the dynamic configuration of chrony.

What are you seeing

A missing parameter and corresponding functionality

What behaviour did you expect instead

The possibility to specify a list of DNS Service records containing the NTP service records.

Output log

None, as the functionality is missing.

Any additional information you'd like to impart

The code I created outside of the module to support the required functionality:

  # Support for dynamic configuration is not supported by the module (yet), so we configure it here.
  $dnssrv_records.each | String $srv_record | {
    exec { "chronyc-enable-${srv_record}":
      command => "/usr/libexec/chrony-helper enable-dnssrv ${srv_record}",
      unless  => "/bin/test -f /etc/systemd/system/timers.target.wants/chrony-dnssrv@${srv_record}.timer",
    }
  }

This does the trick, but should be in the module.
The current test for the existence of the timer file should be replaced by matching the output of /usr/lib/chrony-helper list-dnssrv when this is in the module, allowing the removal of dynamic entries when they are no longer in the list.

ntpdsigndsocket option missing

This is more of a feature request.

The parameter ntpsigndsocket is not available. This option is typically used in samba environments and would be helpful to add to the configuration.

Similar functionality has been added to NTP:
ntpsigndsocket
Data type: Optional[Stdlib::Absolutepath]

Sets NTP to sign packets using the socket in the ntpsigndsocket path. Requires NTP to be configured to sign sockets. Value: Path to the socket directory; for example, for Samba: usr/local/samba/var/lib/ntp_signd/. Default value: undef.

Cannot configure refclocks

  • Module version: 2.6.0 (source for this does not appear to have changed in main)

How to reproduce (e.g Puppet code you use)

This should be reproducible with the example in the init.pp file as well for refclock

class { 'chrony':
  refclock => { 'sock' => ['/run/chrony.ttyAMA0.sock refid GPS precision 1e-1', '/run/chrony.pps0.sock refid PPS precision 1e-7'] }
}

What are you seeing

refclocks expects an array value, got a struct

What behaviour did you expect instead

a properly formed chrony.conf with two hardware refclocks configured


When updating init.pp to be a hash to accept the above line, it then concatenates both hardware clocks into a single line, which is an error in the chrony config. This should be two lines. The template needs another layer of looping to generate this.

With some luck I will be able to provide a PR for this later this week/next week.

Support 'pools'

Can support for configuring 'pools' be added?

Putting a pool in the server list only adds one server, whereas we'd quite like chrony to add multiple servers from the pool automatically.

chrony service is not restarted if it crashes on ubuntu 16.04

When chrony crashes systemd will still exit with a 0 when the process is exited so puppet never detects it.

systemctl will show exited

systemctl status chrony
โ— chrony.service - LSB: Controls chronyd NTP time daemon
   Loaded: loaded (/etc/init.d/chrony; bad; vendor preset: enabled)
   Active: active (exited) since Fri 2019-05-31 20:09:57 UTC; 52s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 19298 ExecStop=/etc/init.d/chrony stop (code=exited, status=0/SUCCESS)
  Process: 19307 ExecStart=/etc/init.d/chrony start (code=exited, status=0/SUCCESS)

you can recreate this with kill -11 <chrony_pid>

I worked around it with

  service { 'chrony':
    ensure    => 'running',
    name      => 'chrony',
    hasstatus => false,
    status    => 'systemctl status chrony | grep "active (running)"',
    start     => 'systemctl restart chrony',
    require   => Class['chrony'],
  }

Manage /etc/sysconfig/chronyd file

I've been doing a lot of STIG and CIS compliance and they both check for the "OPTIONS=-u chrony" in /etc/sysconfig/chronyd file.

I realize (at least on newer RHEL and variants) that the chrony daemon does run as the chrony user, but the vendors don't check for the process owner, and trying to convince them to change the ruleset to pass the rule/audit is extremely difficult.

I recommend that the /etc/sysconfig/chronyd be managed as it's easier to manage this file (in order to pass CIS/STIG tests) than it is to convince the vendors to change their rules. In addition, the file is part of the Red Hat RPM package and probably should be managed anyway.

Migration to Vox Pupuli

  • @aboe76 to migrate github repository to voxpupuli
  • Update metadata.json #71
  • Plumbing PR and travis secret generation voxpupuli/plumbing#231
  • modulesync_config PR
  • Modulesync
  • Perform label sync
  • Update Readme acknowledging migration to Vox #71
  • Create release summary ticket #70
  • Fix badges #71
  • Move existing Changelog to HISTORY.MD and setup for github-changelog-generator
  • Perform first release
  • Deprecate old module (via JIRA ticket or API call by @aboe76)

prefer option for server

Hi,
is it possible to add "prefer" option for the specific server?
Can't find any available option for this.
Thank you in advance!

Add tags for each version

Hello,

this module looks like it does what it advertises. Could you please add tags for each release so we can have a local mirror of your repository and use a specific version of your module?
Using commits as anchor for r10k works most of the time, but sometimes things are being re-based causing commits to vanish.

Thanks
Andreas

Missing a tag for v0.3.2

Puppet Forge and CHANGELOG.md list release v0.3.2 but it isn't tagged in git. Could you please tag the release so we can anchor in our submodules. Thanks!

Please allow using pool instead of just server

Hi,

FYI, I've packaged your puppet module, which is now available in Debian:
https://packages.debian.org/search?keywords=puppet-module-aboe-chrony

I'm happy with your module, and I use it in production (together with a lot of other modules, I'm using it to set up OpenStack). Though, in /etc/chrony/chrony.conf, it's normally possible to do:

pool pool.example.com iburst

instead of:

server pool.example.com iburst

though this puppet module doesn't allow it. Could you please add the feature? It'd be great to just have a flag to be able to select that.

Cheers,

Thomas

Additional parameters needed: deny, enable_lock_all, mailonchange

Please add parameters to this module:

  1. deny (array) - similar to allow -- complementary option
  2. enable_lock_all => if true, set "lock_all" to keep chronyd from swapping to disk
  3. mailonchange => we have had issues with our internal ntp servers drifting and VM hang/restarts
    getting a notice when a host suffers an exceptional sync diff is handy.

Are we creating an invalid keyfile?

I just noticed that chrony.conf(5) states the following about the keyfile

Each line consists of an ID, name of an authentication hash function (optional), and a
password. The ID can be any unsigned integer in the range 1 through 2^32-1. The default
hash function is MD5, which is always supported.

But we are creating a keyfile with ID=0 default. Is that a problem?
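A check of keyfile lines against the rule quoted from chrony.conf(5) in this issue, as an added example that is not part of the module. `check_keyfile`, `KeyLine` and the sample keys are constructed for illustration, and treating `#` as a comment marker is an assumption; passwords are parsed but never stored or printed.

```ruby
# Upper bound of the key ID range quoted from chrony.conf(5): 1 through 2^32-1.
MAX_KEY_ID = 2**32 - 1

# Result for one keyfile line. The password itself is deliberately not kept.
KeyLine = Struct.new(:lineno, :id, :hash_name, :errors)

# Parse keyfile text made of "ID [hash] password" lines and report violations.
def check_keyfile(text)
  results = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    # Assumption: blank lines and lines starting with '#' carry no key.
    next if line.empty? || line.start_with?('#')

    id_field, *rest = line.split(/\s+/)
    errors = []
    id = nil
    if id_field.match?(/\A\d+\z/)
      id = id_field.to_i
      errors << "key ID #{id} is outside 1..#{MAX_KEY_ID}" unless id.between?(1, MAX_KEY_ID)
    else
      errors << "key ID #{id_field.inspect} is not an unsigned integer"
    end

    # The hash function name is optional; MD5 is the documented default.
    hash_name =
      case rest.length
      when 1 then 'MD5'
      when 2 then rest.first.upcase
      else
        errors << 'expected "ID [hash] password"'
        nil
      end

    results << KeyLine.new(lineno, id, hash_name, errors)
  end
  results
end

# Constructed sample input; none of these keys come from the module or the page.
SAMPLE_KEYFILE = <<~KEYS
  # constructed sample keyfile
  0 xyzzy
  1 SHA1 tulip
  42 tulip
  4294967296 MD5 tulip
  abc tulip
KEYS

if $PROGRAM_NAME == __FILE__
  check_keyfile(SAMPLE_KEYFILE).each do |key|
    status = key.errors.empty? ? 'ok' : key.errors.join('; ')
    puts "line #{key.lineno}: #{status}"
  end
end
```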

Document "port" setting

By default, port is set to 0 (good idea!).
However, the examples still show a simple server configuration only specifying queryhosts. Without setting port to something different from 0, server mode will still not work.
A hint on this in the readme (or maybe even a warn if queryhosts is specified but port=0) would be very helpful.
