majic-ansible-roles Changeset

Changeset - 5bc6b7fb4cb5

Parent rev.

Child rev.

[Not reviewed]

0 4 1

Branko Majic (branko) - 7 years ago 2017-11-19 18:45:32
branko@majic.rs

MAR-127: Implemented time synchronisation set-up in common role:

- Added new parameter ntp_servers for defining list of servers to use.
- Deploy ntp and ntpdate packages and relevant configuration files.
- Updated tests, fixing expected restriction lines in ntp
configuration, and adding an additional test to make sure the ntp
daemon has reread its configuration.

5 files changed with 93 insertions and 2 deletions:

roles/common/defaults/main.yml

roles/common/handlers/main.yml

roles/common/tasks/main.yml

roles/common/templates/ntp.conf.j2

roles/common/tests/test_parameters_optional.py

0 comments (0 inline, 0 general)

roles/common/defaults/main.yml

➞

Show inline comments

 ---
 enable_backup: False
 common_packages: []
 os_users: []
 os_groups: []
 ca_certificates: {}
 incoming_connection_limit: 3/second
 incoming_connection_limit_burst: 9
 prompt_colour: none
 prompt_id: null
 extra_backup_patterns:
   - "/root"
   - "/home"
 pip_check_requirements:
   - click==6.7
   - first==2.0.1
   - pip-tools==1.9.0
   - six==1.10.0
 ntp_servers: []
 # Internal use only.
 prompt_colour_mapping:
   black: "0;30"
   red: "0;31"
   green: "0;32"
   brown: "0;33"
   blue: "0;34"
   purple: "0;35"
   cyan: "0;36"
   light_gray: "0;37"
   dark_gray: "1;30"
   light_red: "1;31"
   light_green: "1;32"
   yellow: "1;33"
   light_blue: "1;34"
   light_purple: "1;35"
   light_cyan: "1;36"
   white: "1;37"
   none: "0"

roles/common/handlers/main.yml

➞

Show inline comments

 ---
 - name: Update PAM configuration
   command: "/usr/sbin/pam-auth-update --package"
   tags:
     # [ANSIBLE0012] Commands should not change things if nothing needs doing
     #   This task is invoked only if user is very specific about requiring to
     #   run the handlers manually as a way to bring the system to consistency
     #   after interrupted runs.
     - skip_ansible_lint
 - name: Restart SSH
   service:
     name: ssh
     state: restarted
 - name: Update CA certificate cache
   command: "/usr/sbin/update-ca-certificates --fresh"
   tags:
     # [ANSIBLE0012] Commands should not change things if nothing needs doing
     #   This task is invoked only if user is very specific about requiring to
     #   run the handlers manually as a way to bring the system to consistency
     #   after interrupted runs.
     - skip_ansible_lint
 - name: Restart ferm
   service:
     name: ferm
     state: restarted
 # @TODO: Replace this with use of systemd module once Ansible is upgraded to
 # version 2.2+.
 - name: Reload systemd
   command: "systemctl daemon-reload"
   tags:
     # [ANSIBLE0012] Commands should not change things if nothing needs doing
     #   This task is invoked only if user is very specific about requiring to
     #   run the handlers manually as a way to bring the system to consistency
     #   after interrupted runs.
     - skip_ansible_lint
 - name: Restart NTP server
   service:
     name: ntp
     state: restarted

roles/common/tasks/main.yml

➞

Show inline comments

@@ @@ -344,53 +344,72 @@ @@
   template:
     src: "pipreqcheck_requirements.txt.j2"
     dest: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
     owner: root
     group: pipreqcheck
     mode: 0640
 - name: Install latest pip in pip-tools virtual environment
   pip:
     name:
       - "pip>=9.0.0,<10.0.0"
     virtualenv: "~pipreqcheck/virtualenv"
   become: yes
   become_user: "pipreqcheck"
 - name: Install pip-tools if not present
   pip:
     name: pip-tools
     state: present
     virtualenv: "~pipreqcheck/virtualenv"
   become: yes
   become_user: "pipreqcheck"
 - name: Synchronise pip-tools virtual environment via deployed requirements file
   shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
   args:
     executable: /bin/bash
   become: yes
   become_user: "pipreqcheck"
   register: pipreqcheck_pip_sync
   changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"
 - name: Deploy script for checking available upgrades
   copy:
     src: "pip_check_requirements_upgrades.sh"
     dest: "/usr/local/bin/pip_check_requirements_upgrades.sh"
     owner: root
     group: root
     mode: 0755
 - name: Deploy crontab entry for checking pip requirements
   copy:
     src: "cron_check_pip_requirements"
     dest: "/etc/cron.d/check_pip_requirements"
     owner: root
     group: root
     mode: 0644
 - name: Install NTP packages
   apt:
     name:
       - ntp
       - ntpdate
     state: installed
   when: ntp_servers
 - name: Deploy NTP configuration
   template:
     src: "ntp.conf.j2"
     dest: "/etc/ntp.conf"
     owner: root
     group: root
     mode: 0644
   when: ntp_servers
   notify:
     - Restart NTP server
 - name: Explicitly run all handlers
   include: ../handlers/main.yml
   when: "handlers | default(False) | bool() == True"
   tags:
     - handlers

roles/common/templates/ntp.conf.j2

➞

Show inline comments

@@ new file 100644 @@
 # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 driftfile /var/lib/ntp/ntp.drift
 # Enable this if you want statistics to be logged.
 #statsdir /var/log/ntpstats/
 statistics loopstats peerstats clockstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
 # You do need to talk to an NTP server or two (or three).
 #server ntp.your-provider.example
 # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 # pick a different set every time it starts up.  Please consider joining the
 # pool: <http://www.pool.ntp.org/join.html>
 {% for server in ntp_servers %}
 server {{ server }} iburst
 {% endfor %}
 # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
+#
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.
 # By default, exchange time with everybody, but don't allow configuration.
 restrict -4 default kod notrap nomodify nopeer noquery
 restrict -6 default kod notrap nomodify nopeer noquery
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
 # Clients from this (example!) subnet have unlimited access, but only if
 # cryptographically authenticated.
 #restrict 192.168.123.0 mask 255.255.255.0 notrust
 # If you want to provide time to your local subnet, change the next line.
 # (Again, the address is an example only.)
 #broadcast 192.168.123.255
 # If you want to listen to time broadcasts on your local subnet, de-comment the
 # next lines.  Please do this only if you trust everybody on the network!
 #disable auth
 #broadcastclient

roles/common/tests/test_parameters_optional.py

➞

Show inline comments

@@ @@ -275,60 +275,73 @@ def test_backup_configuration(File, Sudo): @@
         common = File('/etc/duply/main/patterns/common')
         assert common.is_file
         assert "/var/log" in common.content.split("\n")
         assert "/etc/shadow" in common.content.split("\n")
         assert "/var/mail" in common.content.split("\n")
         assert "/var/spool/cron" in common.content.split("\n")
         common_extra = File('/etc/duply/main/patterns/common_extra')
         assert common_extra.is_file
         assert "/home/user1" in common_extra.content.split("\n")
         assert "/home/user2" in common_extra.content.split("\n")
 def test_ntp_software_installed(Package):
     """
     Tests if NTP packages are installed.
     """
     assert Package('ntp').is_installed
     assert Package('ntpdate').is_installed
 def test_ntp_server_configuration(File, Sudo):
     """
     Tests if NTP server has been correctly configured.
     """
     with Sudo():
         # Read the configuration file.
         configuration = File("/etc/ntp.conf").content.split("\n")
         # Extract only the relevant sections of files (exculde empty
         # lines and comments).
         configuration = [c.strip() for c in configuration if re.match('^\s*(|#.*)$', c) is None]
         # Ensure correct servers have been configured in the pool.
         servers = [c for c in configuration if c.startswith('server')]
         expected_servers = ["server 0.debian.pool.ntp.org iburst",
                             "server 1.debian.pool.ntp.org iburst",
                             "server 2.debian.pool.ntp.org iburst"]
         assert sorted(servers) == sorted(expected_servers)
         # Ensure querying of server is disable for untrusted clients.
         restrictions = [c for c in configuration if c.startswith('restrict')]
         expected_restrictions = ["restrict -4 default kod notrap nomodify nopeer noquery notrust",
                                  "restrict -6 default kod notrap nomodify nopeer noquery notrust"]
         expected_restrictions = ["restrict -4 default kod notrap nomodify nopeer noquery",
                                  "restrict -6 default kod notrap nomodify nopeer noquery",
                                  "restrict 127.0.0.1",
                                  "restrict ::1"]
         assert sorted(restrictions) == sorted(expected_restrictions)
 def test_ntp_query_server_count(Command):
     # Two lines for headers, and one line per configured server.
     expected_stdout_line_count = 5
     ntpq = Command("ntpq -p -n")
     assert ntpq.rc == 0
     assert len(ntpq.stdout.split("\n")) == expected_stdout_line_count
 def test_ntp_listening_interfaces(Socket):
     """
     Tests if NTP server is listening on correct ports.
     """
     assert Socket('udp://:::123').is_listening

0 comments (0 inline, 0 general)