Overview
I already have a configured and working chrony on my management server. Now I would like to make sure that this management server is the one and only time source for all hosts in my lab, and that the timezone on the servers is set correctly.
As the hosts are quite old and sometimes lose their BIOS information completely, I added some steps to make sure the time is set correctly no matter how far the server time and the real time differ.
configuring timezone, ntp, and hwclock
You will not find too many variables or too much fancy voodoo inside this playbook, to keep things simple.
In the playbook you will also find some changes to the local firewall of the management server. This needed to be done so that the clients can reach the master time server.
Please note the following grouping:
- manager – only the management host (not part of any datacenter; it has the IP address 172.16.20.1)
- servers – all servers in my datacenter(s), except the management host
# cat /etc/ansible/ntp_playbook.yml
# ntp playbook - first attempt
- hosts: manager
  tasks:
    - name: allow ntp through firewall
      shell: firewall-cmd --add-service=ntp --permanent
    - name: firewall reload
      shell: firewall-cmd --reload
    - name: Make sure Chrony is started up
      service: name=chronyd state=running enabled=yes
      tags: chrony

- hosts: servers
  tasks:
    - name: set timezone
      shell: timedatectl set-timezone Europe/Berlin
    - name: Install NTP
      yum: name=ntp state=installed
      tags: ntp
    - name: Copy over the NTP configuration
      template: src=./templates/ntp.conf dest=/etc/ntp.conf
      notify:
        - restart ntpd
      tags: ntp
    - name: Make sure NTP is stopped
      service: name=ntpd state=stopped enabled=yes
      tags: ntp
    - name: Sync time initially
      shell: ntpdate 172.16.20.1
      tags: ntp
    - name: Make sure NTP is started up
      service: name=ntpd state=running enabled=yes
      tags: ntp
    - name: Sync hwclock
      shell: hwclock -w
      tags: ntp
  handlers:
    - name: restart ntpd
      service: name=ntpd state=restarted
For this to work we need the source ntp.conf file (here is a version without any comments):
# cat /etc/ansible/templates/ntp.conf
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 172.16.20.1 iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
And the command to run this playbook:
# ansible-playbook /etc/ansible/ntp_playbook.yml
Conclusion
All servers now run in the same timezone, and they have their NTP server configured correctly and activated. The hardware clock was adjusted as well, so that boot messages are recorded with reasonable timestamps.
There is a ‘firewalld:’ module (since Ansible 1.4) that will let you handle the firewalld in an idempotent manner. https://docs.ansible.com/ansible/latest/modules/firewalld_module.html
It does not look like you’re using the dynamic options of the template: module. I think the copy: module would do much the same thing? In other words, is the ntp.conf file the same on all the member machines?
I’m about to roll this out in a lab environment, where one machine has connection to external time source, and the others inside the lab go to that one to sync. So it’s almost the same as what you have. I’m trying to keep it idempotent so I can run the playbook any time I add a new host, and it will only change those that need it.
Hi Scott,
thanks for your comments. You are absolutely right about the firewalld module. It is better to use a dedicated Ansible module instead of issuing shell commands, so if the firewalld module does what you need, go for it.
I don't have anything dynamic in this ntp.conf, so again the copy module would have done the job. Maybe you even find reasons (like being faster or utilizing fewer CPU cycles, etc.) to use the copy module. I personally prefer to stay with the template module, as I do not need to change code when introducing something dynamic into my conf files.
The use case you mentioned is exactly the same. Using the firewall module is for sure an improvement. If you want to have it idempotent in a way that you do not see “changed” when there is no reason to change anything, things might get more complex.
Maybe you find some other modules, write your own or utilize an existing role, to approach some issues…
If you stick to the idea/need of ntpdate, you would need to create something like:
- name: check state of ntpd
  register: ....
- block:
    - name: stop ntpd
    - name: ntpdate
    - name: start ntpd
  when: state of ntpd is 'stopped' or 'failed'
- name: check hwclock
  register:
- name: sync hwclock
  when: hwclock out of sync
Again you run into some issues, as the check tasks will always run with the output “changed”; you might want to alter this with a “changed_when:” clause.
I’d be happy to see your version of the script.
Markus
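The following is an added example, not from the original post or the comments: an idempotent rework of the playbook from the post along the lines Markus sketches above (firewalld module instead of shell, a read-only ntpd check with changed_when, and ntpdate only when ntpd is not running). It assumes the same host groups, the same time source 172.16.20.1 and the same template path as the post.

```yaml
# Added example, not from the original post: an idempotent rework of the
# playbook above. Assumes the same host groups, the same time source
# 172.16.20.1 and the same template path as the post.
- hosts: manager
  tasks:
    - name: allow ntp through the firewall (module instead of shell)
      firewalld:
        service: ntp
        permanent: yes
        immediate: yes
        state: enabled
    - name: make sure chrony is running and enabled
      service: { name: chronyd, state: started, enabled: yes }

- hosts: servers
  tasks:
    - name: set the timezone (reports changed only when it differs)
      timezone: { name: Europe/Berlin }
    - name: install ntp
      yum: { name: ntp, state: present }
    - name: deploy ntp.conf
      template:
        src: ./templates/ntp.conf
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: '0644'
      notify: restart ntpd
    - name: check whether ntpd is running
      command: systemctl is-active ntpd
      register: ntpd_state
      changed_when: false          # a read-only check never reports "changed"
      failed_when: false           # "inactive"/"failed" exit non-zero; that is data, not an error
    - name: initial sync, only when ntpd does not hold port 123 yet
      block:
        - name: step the clock once from the management server
          command: ntpdate 172.16.20.1
        - name: write the stepped time to the hardware clock
          command: hwclock -w
      when: ntpd_state.stdout != 'active'
    - name: make sure ntpd is running and enabled
      service: { name: ntpd, state: started, enabled: yes }
  handlers:
    - name: restart ntpd
      service: { name: ntpd, state: restarted }
```

On a second run against an already configured host every task reports ok, because the only stepping tasks are skipped while ntpd is active and the remaining modules compare state before acting.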
With the exception of the notes I made, and the fact that I made it a role, my list of tasks is very similar to yours. Exceptions: I have RHEL 6 and 7 in my environment, so the packages and configs are different, and I’ve written conditionals where there are differences. Very low-fi and hard coded. But until RHEL 7 is out of my environment, I can reuse the role simply.
Thank you for the insights.