From 49af212543b0b18fdd985368fb1bd67524600f48 2024-02-26 21:47:49
From: Branko Majic
Date: 2024-02-26 21:47:49
Subject: [PATCH] MAR-192: Switch to using NTP pools instead of servers:
- This is the recommended configuration by NTPsec, and also default on Debian. Previuosly suggested values for servers have been pool addresses in any case.
---
diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst
index d229b0f173732cbf57b83d5751588b49ee7fec6d..19d3015c7d0c911855736c6123bc09fff3ee971e 100644
--- a/docs/releasenotes.rst
+++ b/docs/releasenotes.rst
@@ -42,6 +42,10 @@ Dropped support for Debian 10 (Buster).
 parameter expects a list of IPv4 and IPv6 addresses (or subnets). Resolvable names can no longer be specified.
+ * NTP server configuration is now based on use of pools instead of
+ servers. Parameter ``ntp_servers`` has been deprecated and
+ replaced with parameter ``ntp_pools``.
+
 * ``mail_server`` role
 * Parameter ``mail_server_tls_protocols`` has been dropped and
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index c48bb85ca642681c6eb7ed424a9cc8c19d41ba0e..c097259fa0f02cb4bf7158eaba635f14b8e6ce46 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -290,7 +290,7 @@ The role implements the following:
 available. Script is run via cronjob on daily basis, and any output will be delivered to local ``root`` user.
 * Optionally configures time synchronisation using NTP (if
- ``ntp_servers`` parameter is set).
+ ``ntp_pools`` parameter is set).
 Role dependencies
@@ -404,13 +404,13 @@ Parameters
 connect to the server when in maintenance mode. Subnets can be specified as well.
-**ntp_servers** (list, optional, ``[]``)
- List of NTP servers to use for synchronising the time on managed
+**ntp_pools** (list, optional, ``[]``)
+ List of NTP pools to use for synchronising the time on managed
 machine using NTP. If no time synchronisation should be set-up, set to empty list. Default is not to configure time synchronisation.
 If setting this parameter, it is recommended to set the list of
- servers to list shipped by default Debian configuration::
+ pools to list shipped by default Debian configuration::
 - "0.debian.pool.ntp.org"
 - "1.debian.pool.ntp.org"
diff --git a/docs/usage.rst b/docs/usage.rst
index ef698d3fdbbf64cbda7d2a69aa54a319cb675220..73b942195261a64b809d9a47bdaae52b86fc76b3 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -603,7 +603,7 @@ Let's take care of this common configuration right away:
 .. note::
 The ``common`` role comes with ability to set-up time synchronisation using NTP. This is not done by default. For
- details see the role parameter ``ntp_servers``.
+ details see the role parameter ``ntp_pools``.
 .. note::
 The ``ca_certificates`` parameter lets us deploy custom CA
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index e2944342593c5fcd1eaf24cc69c6dbd0be8bb450..7890d622e24c360ea729a83581d10334e660e7fb 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -30,7 +30,7 @@ pip_check_requirements:
 - typing-extensions==4.7.1
 - wheel==0.41.3
 - zipp==3.15.0
-ntp_servers: []
+ntp_pools: []
 maintenance: false
 maintenance_allowed_sources: []
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index b32a1d8f973a1be32ea69a488d735ee15899efd8..8edf709573853d99b5c7f6f464e50416e8647c35 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -32,4 +32,4 @@
 service:
 name: ntpsec
 state: restarted
- when: ntp_servers | length > 0
+ when: ntp_pools | length > 0
diff --git a/roles/common/molecule/default/group_vars/parameters-optional.yml b/roles/common/molecule/default/group_vars/parameters-optional.yml
index 67e22d6015ac7970b745fdad9249a0cff9a60f43..d767084c52aad981ed6d21ecf85ef9e0853af68b 100644
--- a/roles/common/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/common/molecule/default/group_vars/parameters-optional.yml
@@ -46,7 +46,7 @@ prompt_colour: cyan
 prompt_id: test
 # Purposefully set this to 3 servers to make sure we are
 # overriding the default configuration.
-ntp_servers:
+ntp_pools:
 - "0.debian.pool.ntp.org"
 - "1.debian.pool.ntp.org"
 - "2.debian.pool.ntp.org"
diff --git a/roles/common/molecule/default/tests/test_parameters_optional.py b/roles/common/molecule/default/tests/test_parameters_optional.py
index cccc20349a036b4f2e31eed2f2abd02e5859bab7..cf1185bd02fc34a715eb2478264f464bf7bf3401 100644
--- a/roles/common/molecule/default/tests/test_parameters_optional.py
+++ b/roles/common/molecule/default/tests/test_parameters_optional.py
@@ -293,14 +293,14 @@ def test_ntp_server_configuration(host):
 configuration = configuration_file.content_string.split("\n")
 configuration = [c.strip() for c in configuration if re.match(r'^\s*(|#.*)$', c) is None]
- # Ensure correct servers have been configured in the pool.
- servers = [c for c in configuration if c.startswith('server')]
+ # Ensure correct pools have been configured.
+ pools = [c for c in configuration if c.startswith('pool')]
- expected_servers = ["server 0.debian.pool.ntp.org iburst",
- "server 1.debian.pool.ntp.org iburst",
- "server 2.debian.pool.ntp.org iburst"]
+ expected_pools = ["pool 0.debian.pool.ntp.org iburst",
+ "pool 1.debian.pool.ntp.org iburst",
+ "pool 2.debian.pool.ntp.org iburst"]
- assert sorted(servers) == sorted(expected_servers)
+ assert sorted(pools) == sorted(expected_pools)
 # Ensure querying of server is disabled for untrusted clients.
 restrictions = [c for c in configuration if c.startswith('restrict')]
@@ -311,15 +311,14 @@ def test_ntp_server_configuration(host):
 assert sorted(restrictions) == sorted(expected_restrictions)
-def test_ntp_query_server_count(host):
-
- # Two lines for headers, and one line per configured server.
- expected_stdout_line_count = 5
+def test_ntp_runtime_pool_count(host):
 ntpq = host.command("ntpq -p -n")
- assert ntpq.rc == 0
- assert len(ntpq.stdout.strip().split("\n")) == expected_stdout_line_count
+
+ # We expect 3 pools, as requested via role parameter.
+ ntpq_pool_info = [line for line in ntpq.stdout.split("\n") if ".POOL." in line]
+ assert len(ntpq_pool_info) == 3
 def test_ntp_listening_interfaces(host):
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 6c00125a9749e19abde4c35e26f74628884b2f40..087d24d721560eba4716dd80d1da9ee140f5477b 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
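Review bot: `test_ntp_runtime_pool_count` drops the `assert ntpq.rc == 0` that `test_ntp_query_server_count` carried, so when `ntpq -p -n` cannot talk to the daemon the test now fails on `assert len(ntpq_pool_info) == 3` against empty output rather than pointing at the failed command; restore `assert ntpq.rc == 0` on the line after `ntpq = host.command("ntpq -p -n")`. The `".POOL." in line` filter also ties the test to the refid column of ntpq's billboard output, which is worth recording next to the count, e.g. `# ntpq reports each configured pool as a pseudo-peer with refid .POOL.`. `test_ntp_listening_interfaces`, whose signature closes the hunk, continues outside it.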
@@ -481,7 +481,7 @@
 - ntpsec
 - ntpsec-ntpdate
 state: present
- when: ntp_servers | length > 0
+ when: ntp_pools | length > 0
 - name: Deploy NTP configuration
 template:
@@ -490,7 +490,7 @@
 owner: root
 group: root
 mode: 0644
- when: ntp_servers | length > 0
+ when: ntp_pools | length > 0
 notify:
 - Restart NTP server
diff --git a/roles/common/templates/ntp.conf.j2 b/roles/common/templates/ntp.conf.j2
index 3eded9122bd39d1b52a312e1cc6d61ca559cb211..f596a8f9df8857519c7c50b366456f51feea137b 100644
--- a/roles/common/templates/ntp.conf.j2
+++ b/roles/common/templates/ntp.conf.j2
@@ -31,8 +31,8 @@ tos minclock 4 minsane 3
 # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
 # pick a different set every time it starts up. Please consider joining the
 # pool:
-{% for server in ntp_servers %}
-server {{ server }} iburst
+{% for server in ntp_pools %}
+pool {{ server }} iburst
 {% endfor %}
 # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml
index d61ee26bdeecf4b23bc3df7b6288c7cc39201873..9014b2e494510d96883c08fb39c48cd5bfc4f619 100644
--- a/testsite/group_vars/all.yml
+++ b/testsite/group_vars/all.yml
@@ -84,7 +84,7 @@ prompt_colour: light_purple
 prompt_id: MAR
 # Set-up NTP time synchronisation.
-ntp_servers:
+ntp_pools:
 - "0.debian.pool.ntp.org"
 - "1.debian.pool.ntp.org"
 - "2.debian.pool.ntp.org"
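Review bot: Switching both `when: ntp_servers | length > 0` conditions to `ntp_pools` (as the defaults/main.yml and handlers/main.yml hunks also do) means an inventory that still sets `ntp_servers` now silently skips the NTP package install and the configuration deploy, leaving the host without time synchronisation, while the release notes call the old parameter deprecated and nothing in the commit detects it. A guard task ahead of the package install would turn that into an explicit playbook failure instead of a quiet no-op. The task whose `state: present` and `when:` lines open the first hunk starts before the hunk.
```yaml
- name: Reject the replaced ntp_servers parameter
  fail:
    msg: "Parameter ntp_servers has been replaced by ntp_pools; rename it in the inventory."
  when: ntp_servers is defined

# … unchanged: NTP package installation and configuration deploy tasks …
```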
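Review bot: The template loop now iterates `ntp_pools` but still binds each item to `server`, so `pool {{ server }} iburst` reads as though a single host were being emitted under a pool directive; renaming the loop variable, `{% for pool in ntp_pools %}` and `pool {{ pool }} iburst`, keeps the directive and the variable in step. The three comment lines above the loop are unchanged context and already describe pool.ntp.org behaviour, so they fit the new directive without edits.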