Changeset - 49af212543b0
Branko Majic (branko) - 2 months ago 2024-02-26 21:47:49
branko@majic.rs
MAR-192: Switch to using NTP pools instead of servers:

- This is the recommended configuration by NTPsec, and also default on
Debian. Previously suggested values for servers have been pool
addresses in any case.
10 files changed with 28 insertions and 25 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
 
@@ -42,6 +42,10 @@ Dropped support for Debian 10 (Buster).
 
    parameter expects a list of IPv4 and IPv6 addresses (or
 
    subnets). Resolvable names can no longer be specified.
 

	
 
  * NTP server configuration is now based on use of pools instead of
 
    servers. Parameter ``ntp_servers`` has been deprecated and
 
    replaced with parameter ``ntp_pools``.
 

	
 
* ``mail_server`` role
 

	
 
  * Parameter ``mail_server_tls_protocols`` has been dropped and
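Review bot: the release note says ``ntp_servers`` "has been deprecated", but nothing in this changeset keeps accepting it: the default in ``roles/common/defaults/main.yml``, the handler ``when:`` condition, both task ``when:`` conditions in ``roles/common/tasks/main.yml`` and the loop in ``ntp.conf.j2`` all switch to ``ntp_pools`` outright. A playbook that still sets ``ntp_servers`` therefore silently stops installing and configuring ntpsec, with no error. Either word this entry as a removal, or add a guard in the role (an ``assert`` that ``ntp_servers`` is undefined, or a fallback that feeds its values into the pool list) so the upgrade fails loudly instead of quietly disabling time synchronisation.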
docs/rolereference.rst
 
@@ -290,7 +290,7 @@ The role implements the following:
 
  available. Script is run via cronjob on daily basis, and any output
 
  will be delivered to local ``root`` user.
 
* Optionally configures time synchronisation using NTP (if
 
  ``ntp_servers`` parameter is set).
 
  ``ntp_pools`` parameter is set).
 

	
 

	
 
Role dependencies
 
@@ -404,13 +404,13 @@ Parameters
 
  connect to the server when in maintenance mode. Subnets can be
 
  specified as well.
 

	
 
**ntp_servers** (list, optional, ``[]``)
 
  List of NTP servers to use for synchronising the time on managed
 
**ntp_pools** (list, optional, ``[]``)
 
  List of NTP pools to use for synchronising the time on managed
 
  machine using NTP. If no time synchronisation should be set-up, set
 
  to empty list. Default is not to configure time synchronisation.
 

	
 
  If setting this parameter, it is recommended to set the list of
 
  servers to list shipped by default Debian configuration::
 
  pools to list shipped by default Debian configuration::
 

	
 
    - "0.debian.pool.ntp.org"
 
    - "1.debian.pool.ntp.org"
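Review bot: the parameter description should say, in one sentence, that each ``pool`` entry expands to several upstream servers, because the template this role deploys keeps ``tos minclock 4 minsane 3`` (visible as context in the ``ntp.conf.j2`` hunk) and ``minsane 3`` requires at least three surviving sources before the clock is disciplined. An operator who lists a single internal pool name that resolves to one address will otherwise get a daemon that never synchronises, and the documentation gives no hint why. Separately, "set-up" used as a verb in "should be set-up" should read "set up".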
docs/usage.rst
 
@@ -603,7 +603,7 @@ Let's take care of this common configuration right away:
 
   .. note::
 
      The ``common`` role comes with ability to set-up time
 
      synchronisation using NTP. This is not done by default. For
 
      details see the role parameter ``ntp_servers``.
 
      details see the role parameter ``ntp_pools``.
 

	
 
   .. note::
 
      The ``ca_certificates`` parameter lets us deploy custom CA
roles/common/defaults/main.yml
 
@@ -30,7 +30,7 @@ pip_check_requirements:
 
  - typing-extensions==4.7.1
 
  - wheel==0.41.3
 
  - zipp==3.15.0
 
ntp_servers: []
 
ntp_pools: []
 
maintenance: false
 
maintenance_allowed_sources: []
 

	
roles/common/handlers/main.yml
 
@@ -32,4 +32,4 @@
 
  service:
 
    name: ntpsec
 
    state: restarted
 
  when: ntp_servers | length > 0
 
  when: ntp_pools | length > 0
roles/common/molecule/default/group_vars/parameters-optional.yml
 
@@ -46,7 +46,7 @@ prompt_colour: cyan
 
prompt_id: test
 
# Purposefully set this to 3 servers to make sure we are
 
# overriding the default configuration.
 
ntp_servers:
 
ntp_pools:
 
  - "0.debian.pool.ntp.org"
 
  - "1.debian.pool.ntp.org"
 
  - "2.debian.pool.ntp.org"
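Review bot: the comment two lines above the key still reads "set this to 3 servers" while the key below it is now ``ntp_pools``; change it to "3 pools" so the intent matches what ``test_ntp_runtime_pool_count`` actually asserts (three ``.POOL.`` lines in ``ntpq -p -n`` output).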
roles/common/molecule/default/tests/test_parameters_optional.py
 
@@ -293,14 +293,14 @@ def test_ntp_server_configuration(host):
 
        configuration = configuration_file.content_string.split("\n")
 
        configuration = [c.strip() for c in configuration if re.match(r'^\s*(|#.*)$', c) is None]
 

	
 
        # Ensure correct servers have been configured in the pool.
 
        servers = [c for c in configuration if c.startswith('server')]
 
        # Ensure correct pools have been configured.
 
        pools = [c for c in configuration if c.startswith('pool')]
 

	
 
        expected_servers = ["server 0.debian.pool.ntp.org iburst",
 
                            "server 1.debian.pool.ntp.org iburst",
 
                            "server 2.debian.pool.ntp.org iburst"]
 
        expected_pools = ["pool 0.debian.pool.ntp.org iburst",
 
                          "pool 1.debian.pool.ntp.org iburst",
 
                          "pool 2.debian.pool.ntp.org iburst"]
 

	
 
        assert sorted(servers) == sorted(expected_servers)
 
        assert sorted(pools) == sorted(expected_pools)
 

	
 
        # Ensure querying of server is disabled for untrusted clients.
 
        restrictions = [c for c in configuration if c.startswith('restrict')]
 
@@ -311,15 +311,14 @@ def test_ntp_server_configuration(host):
 
        assert sorted(restrictions) == sorted(expected_restrictions)
 

	
 

	
 
def test_ntp_query_server_count(host):
 

	
 
    # Two lines for headers, and one line per configured server.
 
    expected_stdout_line_count = 5
 
def test_ntp_runtime_pool_count(host):
 

	
 
    ntpq = host.command("ntpq -p -n")
 

	
 
    assert ntpq.rc == 0
 
    assert len(ntpq.stdout.strip().split("\n")) == expected_stdout_line_count
 

	
 
    # We expect 3 pools, as requested via role parameter.
 
    ntpq_pool_info = [line for line in ntpq.stdout.split("\n") if ".POOL." in line]
 
    assert len(ntpq_pool_info) == 3
 

	
 

	
 
def test_ntp_listening_interfaces(host):
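Review bot: dropping ``expected_stdout_line_count`` leaves this test checking only that three ``.POOL.`` lines exist, and those lines are placeholders ntpd prints for the configured ``pool`` directives, not evidence that any pool name resolved or that any peer was reached; a DNS failure in the test environment still passes. Keep one assertion on outcome, for example that at least one line without ``.POOL.`` (a spawned peer) appears, with a bounded retry since ``ntpq -p -n`` immediately after the handler restart may need a few seconds before peers show up.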
roles/common/tasks/main.yml
 
@@ -481,7 +481,7 @@
 
      - ntpsec
 
      - ntpsec-ntpdate
 
    state: present
 
  when: ntp_servers | length > 0
 
  when: ntp_pools | length > 0
 

	
 
- name: Deploy NTP configuration
 
  template:
 
@@ -490,7 +490,7 @@
 
    owner: root
 
    group: root
 
    mode: 0644
 
  when: ntp_servers | length > 0
 
  when: ntp_pools | length > 0
 
  notify:
 
    - Restart NTP server
 

	
roles/common/templates/ntp.conf.j2
 
@@ -31,8 +31,8 @@ tos minclock 4 minsane 3
 
# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 
# pick a different set every time it starts up.  Please consider joining the
 
# pool: <https://www.pool.ntp.org/join.html>
 
{% for server in ntp_servers %}
 
server {{ server }} iburst
 
{% for server in ntp_pools %}
 
pool {{ server }} iburst
 
{% endfor %}
 

	
 
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
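Review bot: the loop variable in ``{% for server in ntp_pools %}`` is still named ``server`` although it now holds a pool name; rename it (``{% for pool in ntp_pools %}`` and ``pool {{ pool }} iburst``) so the template reads correctly. The surrounding comment about pool.ntp.org mapping to many low-stratum servers now matches the directive being emitted, so it can stay.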
testsite/group_vars/all.yml
 
@@ -84,7 +84,7 @@ prompt_colour: light_purple
 
prompt_id: MAR
 

	
 
# Set-up NTP time synchronisation.
 
ntp_servers:
 
ntp_pools:
 
  - "0.debian.pool.ntp.org"
 
  - "1.debian.pool.ntp.org"
 
  - "2.debian.pool.ntp.org"