From: Frank Brehm
Date: Tue, 22 Mar 2016 20:59:36 +0000 (+0100)
Subject: Adding state for chrony package
X-Git-Url: https://git.uhu-banane.de/?a=commitdiff_plain;h=6494935aa7d8e8c534a2e33b67d0885de1062c1f;p=salt%2Fstates.git
Adding state for chrony package
---
diff --git a/basic/chrony.sls b/basic/chrony.sls
new file mode 100644
index 0000000..26d90cd
--- /dev/null
+++ b/basic/chrony.sls
@@ -0,0 +1,99 @@
+
+chrony:
+ pkg:
+ - installed
+ service:
+ - running
+ - enable: True
+ - watch:
+ - pkg: chrony
+ - file: /etc/chrony/chrony.conf
+ - file: /etc/chrony/chrony.keys
+
+/etc/chrony:
+ file.directory:
+ - user: root
+ - group: root
+ - dir_mode: 755
+ - require:
+ - pkg: chrony
+
+/etc/chrony/chrony.keys:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 640
+ - replace: False
+ - source: salt://basic/files/chrony.keys
+ - template: jinja
+ - backup: minion
+ - require:
+ - pkg: chrony
+ - file: /etc/chrony
+
+/var/lib/chrony:
+ file.directory:
+ - user: root
+ - group: root
+ - dir_mode: 755
+ - require:
+ - pkg: chrony
+
+/var/log/chrony:
+ file.directory:
+ - user: root
+ - group: root
+ - dir_mode: 755
+ - require:
+ - pkg: chrony
+
+/etc/chrony/chrony.conf:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 644
+ - source: salt://basic/files/chrony.conf
+ - template: jinja
+ - backup: minion
+ - require:
+ - pkg: chrony
+ - file: /etc/chrony
+ - file: /etc/chrony/chrony.keys
+ - file: /var/lib/chrony
+ - file: /var/log/chrony
+
+chrony-logswitch-script-parent:
+ file.directory:
+ - name: /usr/local/bin
+ - user: root
+ - group: staff
+ - dir_mode: 2775
+
+chrony-logswitch-script:
+ file.managed:
+ - name: /usr/local/bin/rotate-chrony
+ - source: salt://basic/files/rotate-chrony
+ - user: root
+ - group: staff
+ - mode: 755
+ - template: jinja
+ - backup: minion
+ - require:
+ - pkg: chrony
+ - file: chrony-logswitch-script-parent
+ - file: /etc/chrony/chrony.keys
+
+/etc/logrotate.d/chrony:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 755
+ - source: salt://basic/files/chrony.logrotate
+ - template: jinja
+ - backup: minion
+ - onlyif:
+ - test -d /etc/logrotate.d
+ - require:
+ - pkg: chrony
+ - file: chrony-logswitch-script
+
diff --git a/basic/files/chrony.conf b/basic/files/chrony.conf
new file mode 100644
index 0000000..edbcf16
--- /dev/null
+++ b/basic/files/chrony.conf
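Review bot: `/etc/logrotate.d/chrony` is managed with `- mode: 755`, but a logrotate fragment is data read by logrotate and never executed, so the execute bits serve no purpose and break the pattern set by `/etc/chrony/chrony.conf` in the same file (`- mode: 644`); I would change it to `- mode: 644`. The key file is correctly kept at `640` root:root with `replace: False`, so the generated key is not rewritten on later runs, but because its source is a `template: jinja` that draws a new random value on every render, that is not obvious from the state alone. A one-line comment above `/etc/chrony/chrony.keys` would make the intent explicit, e.g. `# replace: False — the key is generated once at creation and never regenerated by a later highstate`.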
@@ -0,0 +1,104 @@
+# This the default chrony.conf file for the Debian chrony package. After
+# editing this file use the command 'invoke-rc.d chrony restart' to make
+# your changes take effect. John Hasler 1998-2008
+
+# See www.pool.ntp.org for an explanation of these servers. Please
+# consider joining the project if possible. If you can't or don't want to
+# use these servers I suggest that you try your ISP's nameservers. We mark
+# the servers 'offline' so that chronyd won't try to connect when the link
+# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
+# commands to switch it on when a dialup link comes up and off when it goes
+# down. Code in /etc/init.d/chrony attempts to determine whether or not
+# the link is up at boot time and set the online status accordingly. If
+# you have an always-on connection such as cable omit the 'offline'
+# directive and chronyd will default to online.
+#
+# Note that if Chrony tries to go "online" and dns lookup of the servers
+# fails they will be discarded. Thus under some circumstances it is
+# better to use IP numbers than host names.
+
+server 0.debian.pool.ntp.org auto_offline iburst minpoll 8
+server 1.debian.pool.ntp.org auto_offline iburst minpoll 8
+server 2.debian.pool.ntp.org auto_offline iburst minpoll 8
+server 3.debian.pool.ntp.org auto_offline iburst minpoll 8
+
+# Look here for the admin password needed for chronyc. The initial
+# password is generated by a random process at install time. You may
+# change it if you wish.
+
+keyfile /etc/chrony/chrony.keys
+
+# Set runtime command key. Note that if you change the key (not the
+# password) to anything other than 1 you will need to edit
+# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
+# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+
+log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+
+dumponexit
+
+# Specify directory for dumping measurements.
+
+dumpdir /var/lib/chrony
+
+# Let computer be a server when it is unsynchronised.
+
+local stratum 10
+
+# GRIDSCALE - Disable server functionality and only bind on localhost
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+port 0
+
+# GRIDSCALE - Allow stepping the clock. Normally, it’s recommended to allow the step only in
+# the first few updates, but in some cases (a virtual machine which can be suspended and resumed
+# with incorrect time) it may be necessary to allow the step at any clock update.
+makestep 1 -1
+
+# Allow computers on the unrouted nets to use the server.
+
+allow 10/8
+allow 192.168/16
+allow 172.16/12
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+
+logchange 0.5
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells chrony to regulate the real-time clock and tells it
+# Where to store related data. It may not work on some newer motherboards
+# that use the HPET real-time clock. It requires enhanced real-time
+# support in the kernel. I've commented it out because with certain
+# combinations of motherboard and kernel it is reported to cause lockups.
+
+# rtcfile /var/lib/chrony/chrony.rtc
+
+# If the last line of this file reads 'rtconutc' chrony will assume that
+# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
+# chrony will assume local time. The line (if any) was written by the
+# chrony postinst based on what it found in /etc/default/rcS. You may
+# change it if necessary.
+rtconutc
diff --git a/basic/files/chrony.keys b/basic/files/chrony.keys
new file mode 100644
index 0000000..ac952c8
--- /dev/null
+++ b/basic/files/chrony.keys
@@ -0,0 +1,2 @@
+{%- set key_str = salt['random.get_str'](8) -%}
+1 {{ key_str }}
diff --git a/basic/files/chrony.logrotate b/basic/files/chrony.logrotate
new file mode 100644
index 0000000..5b3758e
--- /dev/null
+++ b/basic/files/chrony.logrotate
@@ -0,0 +1,15 @@
+/var/log/chrony/*.log {
+ weekly
+ rotate 7
+ missingok
+ notifempty
+ compress
+ delaycompress
+ dateext
+ size 4M
+ sharedscripts
+ create 644
+ postrotate
+ /usr/local/bin/rotate-chrony
+ endscript
+}
diff --git a/basic/files/rotate-chrony b/basic/files/rotate-chrony
new file mode 100755
index 0000000..734971b
--- /dev/null
+++ b/basic/files/rotate-chrony
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+set -u
+
+if [[ ! -f /etc/chrony/chrony.keys ]] ; then
+ exit 0
+fi
+
+PASSWORD=$( cat /etc/chrony/chrony.keys | awk '$1 ~ /^1$/ {print $2; exit}' )
+#echo "Password: '${PASSWORD}'"
+
+cat <<- EOF | /usr/bin/chronyc | sed '/^200 OK$/d'
+ password $PASSWORD
+ cyclelogs
+ EOF
+
+# vim: ts=4 et
diff --git a/basic/pkgs.sls b/basic/pkgs.sls
index e23446b..23ec8f6 100644
--- a/basic/pkgs.sls
+++ b/basic/pkgs.sls
@@ -11,7 +11,6 @@ common-pkgs:
 - binutils
 - bzip2
 - ca-certificates
- - chrony
 - colordiff
 - console-data
 - console-setup
diff --git a/top.sls b/top.sls
index 31c27f7..c459544 100644
--- a/top.sls
+++ b/top.sls
@@ -8,6 +8,7 @@ base:
 - debian.sysvinit
 - basic.logrotate
 - basic.pkgs
+ - basic.chrony
 - basic.rsyslog
 - basic.shells
 - basic.skel
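Review bot: `port 0` under the GRIDSCALE comment turns off NTP serving entirely, yet the file keeps `allow 10/8`, `allow 192.168/16`, `allow 172.16/12` and the "Let computer be a server when it is unsynchronised" comment above `local stratum 10`; as written those directives are inert and tell the next reader that this host serves time to the RFC 1918 ranges when it does not. Either drop the `allow` lines or annotate them, e.g. `# NOTE: inert while 'port 0' is set - chronyd is client-only on this host`. Separately, `makestep 1 -1` lets chronyd step the system clock by any amount at every update, and the only sources are unauthenticated pool servers, so a wrong or misbehaving upstream can move the clock arbitrarily at any time (certificate validity windows, Kerberos tickets, log ordering); unless a host genuinely needs the suspend/resume case the comment describes, the commonly used `makestep 1 3` confines stepping to the first three updates after start.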
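Review bot: `salt['random.get_str'](8)` produces an 8-character command key, and this key is the only thing that authenticates privileged `chronyc` commands such as `cyclelogs`, so it should be longer; `salt['random.get_str'](32)` costs nothing here because the consumer is a script rather than a person (check the plain-text key length the installed chrony version accepts before raising it). The template draws a fresh value on every render, so the key is only stable because the managing state sets `replace: False`; a header comment would make that dependency visible, e.g. `{#- rendered on every run, but chrony.sls uses replace: False, so an existing key file is never overwritten -#}`.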
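Review bot: `exit 0` when `/etc/chrony/chrony.keys` is absent makes a failure look like success to logrotate: by the time `postrotate` runs the log files have already been renamed, and without `cyclelogs` chronyd keeps writing to the rotated inodes, so the silent skip defeats the rotation; `echo "chrony.keys missing, cannot cycle chrony logs" >&2; exit 1` would surface it in logrotate's output. The `cat … | /usr/bin/chronyc | sed …` pipeline reports only `sed`'s status, so `set -e` never sees a chronyc run that cannot reach the daemon or has its password rejected (on versions where chronyc returns non-zero for those); add `set -o pipefail` next to `set -e` and `set -u`. The commented `#echo "Password: '${PASSWORD}'"` is a debug line that, if ever re-enabled, prints the command key into logrotate's output and cron mail; I would delete it rather than leave it one keystroke away. The `cat … | awk` can simply be `awk '$1 ~ /^1$/ {print $2; exit}' /etc/chrony/chrony.keys`.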