diff --git a/Batali b/Batali
index 62c91ba..f3e322f 100644
--- a/Batali
+++ b/Batali
@@ -36,4 +36,5 @@ Batali.define do
 cookbook 'ark', '~> 3.0.0'
 cookbook 'logrotate', '~> 2.1.0'
 cookbook 'openssl', '~> 7.0.1'
+ cookbook 'ntp'
 end
diff --git a/batali.manifest b/batali.manifest
index ccda933..9ca1a93 100644
--- a/batali.manifest
+++ b/batali.manifest
@@ -1019,6 +1019,18 @@
 "url": "https://supermarket.chef.io:443/api/v1/cookbooks/logrotate/versions/2.1.0/download",
 "version": "2.1.0"
 }
+ },
+ {
+ "name": "ntp",
+ "dependencies": [
+
+ ],
+ "version": "3.4.0",
+ "source": {
+ "type": "Batali::Source::Site",
+ "url": "https://supermarket.chef.io:443/api/v1/cookbooks/ntp/versions/3.4.0/download",
+ "version": "3.4.0"
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/cookbooks/ntp/CHANGELOG.md b/cookbooks/ntp/CHANGELOG.md
new file mode 100644
index 0000000..290eb68
--- /dev/null
+++ b/cookbooks/ntp/CHANGELOG.md
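Review bot: The new `cookbook 'ntp'` line carries no version constraint, while every neighbouring entry in this `Batali.define` block is pinned with a pessimistic constraint (`'~> 3.0.0'`, `'~> 2.1.0'`, `'~> 7.0.1'`). The manifest in the same commit resolves it to 3.4.0 today, but a later resolve can pull any newer release from the supermarket, including a new major version with breaking changes or a different transitive dependency set, with no visible change to this file. Pin it to match the siblings and the resolved version: `cookbook 'ntp', '~> 3.4.0'`.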
@@ -0,0 +1,274 @@ +# ntp Cookbook CHANGELOG + +This file is used to list changes made in each version of the ntp cookbook. + +## 3.4.0 (2017-05-06) + +- Ensure metadata compatibility with older Chef 12 releases +- Testing updates for Chef 13 +- Test with Delivery local mode instead of a Rakefile +- Use a SPDX standard license string +- Remove xcp as a platform in the metadata +- Added requestkey attribute + +## 3.3.1 (2016-12-21) + +- Fix resource cloning warning in recipe[default] + +## 3.3.0 (2016-12-16) + +- Add Mac OS X client config support + +## 3.2.1 (2016-11-23) + +- Update leap seconds file to version 3676924800 + +## 3.2.0 (2016-09-28) + +- Remove support for Arch +- Remove legacy apparmor config that wasn't used +- Don't install ntpdate (and uninstall it) on Ubuntu 16.04+ +- Expand specs and avoid deprecation warnings + +## 3.1.0 (2016-09-16) + +- Require Chef 12.1 not 12.0 +- Remove the dependency on the Windows cookbook + +## 3.0.0 (2016-09-07) + +- Require Chef 12+ + +## 2.0.3 (2016-08-31) + +- Remove minitest tests from the undo recipe + +## 2.0.2 (2016-08-30) + +- Replace node.set with node.normal to avoid deprecation notices + +## 2.0.1 (2016-08-29) + +- Update the leap seconds file +- Remove node name from configs +- Switch to cookstyle and use the Rakefile directly for testing in Travis CI +- Update platforms we test on +- Fix failing Chefspecs and avoid deprecation warnings during spec runs + +## v2.0.0 (2016-05-18) + +- Remove the undo recipe. This functionality is better suited for a custom cookbook that matches the needs of individual organizations +- Removed the installation of the visual studio 2008 runtime that was only necessary for Windows 2003. +- Fixed the forced clock syncing on FreeBSD hosts + +## v1.11.1 (2016-05-12) + +- Ownership of this cookbook has been transferred back to Chef Software. 
+ +## v1.11.0 (2016-03-29) + +- When force setting the clock run ntp as the ntp user to ensure we don't set file ownership to root +- Added optional support for orphan mode +- Require windows cookbook 1.38.0 to resolve several issues with the older cookbook versions +- Add support for using keys + +## v1.10.1 (2016-02-04) + +- Update the Readme to include openSUSE and Arch Linux +- Guard the timeout set in the service to prevent failures on old chef releases + +## v1.10.0 (2016-02-04) + +- Fixed compatibility with FreeBSD hosts by skipping the sync with the hardware clock and using the proper path to the "true" command +- Fixed compatibility with Windows by extending the service start timeout, introducing retries, and excluding Windows from the hardware sync logic +- Changed the default array of packages to install from ntp and ntpdate to just ntp. ntpdate is used on Debian and modern RHEL/Fedora hosts only. This gives us out of the box support for Arch and Suse +- Ensure that Fedora systems also install ntpdate +- Updated test dependencies to the latest +- Updated test documentation to point to the official Chef testing documentation +- Expanded the Test Kitchen config with better support for FreeBSD/Fedora and new Windows boxes + +## v1.9.2 (2016-02-04) + +- **PR [#121]** - Remove nomodify config from loopback + +## v1.9.1 (2016-01-07) + +- **PR [#132]** - Update ntp.leapseconds + +## v1.9.0 (2015-12-16) + +- **PR [#111]** - Fix duplication of localhost listen directive in template +- **PR [#127]** - Set `var_owner` on FreeBSD to root instead of default ntp +- **PR [#117]** - Document node['ntp']['ignore'] +- **PR [#118]** - Add attributes to support pld-linux +- **PR [#120]** - Fix links to Github PRs in the Changelog +- **PR [#124]** - Additional fix for apparmor issue gmiranda23#103 +- Depend on windows cookbook instead of suggesting. 
Suggests doesn't actually do anything +- Fix / expand apparmor specs to pass and test the auto apparmor config logic +- Enable Travis CI and update the travis.yml file to run full integration tests with Kitchen Docker so we test all PRs on Ubuntu 12.04/14.04 and CentOS 6.7 / 7.1 +- Reformat all markdown files +- Update all references to Opscode to be Chef Software. +- Update copyright dates and contact e-mails +- Expanded platforms in the Test Kitchen config +- Added new supermarket issues_url and source_url metadata +- Update the Berkfile API url and removed version pins on the testing cookbooks +- Remove yum from the Berksfile as it isn't actually used +- Use the standard Chef testing Rakefile +- Remove the attribute documentation from the metadata as it is quickly out of sync +- Resolve rubocop warnings and include the standard Chef rubocop.yml file +- Update development deps in the Gemfile to the latest releases +- Remove the outdated contributing.md doc from the Opscode days + +## v1.8.6 (2015-05-14) + +- **PR [#102](102)** - Update leapseconds file to 3660249600 (through C49) +- Gemfile parity with ChefDK 0.5.1 +- .kitchen.yml platform updates to current bento boxes + +## v1.8.4 (2015-04-17) + +- **PR [#101]** - add logfile attribute + +## v1.8.2 (2015-04-15) + +- **PR [#100]** - Sort peers & servers for consistency + +## v1.8.0 (2015-04-13) + +- Chefspec 4.0 updates +- Rubocop updates +- **PR [#85]** - Update leapseconds for June 2015 leapsecond +- **PR [#70]** - Allow setting tinker options in attributes +- **PR [#84]** - Add attributes for tinker option customization +- **PR [#88]** - Attribute sets noquery for localhost lines +- **PR [#89]** - ntp.leapseconds notifies ntp service with delayed restart +- **PR [#91]** - Allow ntp.conf update to restart immediate +- **PR [#95]** - Add preferred ntp server support +- **PR [#96]** - Add restrict default attribute +- **PR [#72]** - Move high stratum real CMOs to an attribute +- **PR [#98]** - Bump test-kitchen 
gem version +- **PR [#99]** - Lazy attribute for leapfile_enabled + +## v1.7.0 (2014-12-10) + +- Added CentOS 7 support for test-kitchen +- **PR [#37]** - Check that apparmor exists before enabling service +- **PR [#45]** - Statistics logging switch (not available for Windows) +- **PR [#57]** - Move include statement on helper outside 'windows?' check +- **PR [#71]** - Ability to listen more than one interface +- **PR [#73]** - Fix appamor configuration for Ubuntu +- **PR [#74]** - Remove is_server from example +- **PR [#75]** - Add more settings for server and peer declarations +- **PR [#83]** - Fix apparmor spec tests + +## v1.6.8 (2014-12-04) + +- **PR [#81]** - Update to berkshelf3 + +## v1.6.6 (2014-12-02) + +- **PR [#76]** - Overhauled Testing +- **PR [#68]** - Updated Leapseconds +- **PR [#51]** - Berksfile source deprecation + +## v1.6.5 (2014-09-25) + +- Ensure that ntp version is captured + +## v1.6.4 (2014-07-02) + +- Leapseconds File Expired, update to 3626380800 +- **[COOK-3887](https://tickets.opscode.com/browse/COOK-3887)** - Trivial changes to achieve Gentoo support +- **[COOK-1876](https://tickets.opscode.com/browse/COOK-1876)** - ntp leapfile assumes ntpd >= 4.2.6 syntax + +## v1.6.2 (2014-03-19) + +- [COOK-4162] - change "No NTP servers specified" message to :debug + +## v1.6.0 (2014-02-21) + +### Improvement + +- **[COOK-4346](https://tickets.opscode.com/browse/COOK-4346)** - Solaris 11 support for ntp +- **[COOK-4339](https://tickets.opscode.com/browse/COOK-4339)** - Disable Monitoring by Default +- **[COOK-3604](https://tickets.opscode.com/browse/COOK-3604)** - Enable listening on specific interfaces + +### Bug + +- **[COOK-4106](https://tickets.opscode.com/browse/COOK-4106)** - Check for default content in ntp.conf +- **[COOK-4087](https://tickets.opscode.com/browse/COOK-4087)** - quote option in readme +- **[COOK-3797](https://tickets.opscode.com/browse/COOK-3797)** - Cookbook fails to upload due to 1.9.x syntax +- 
**[COOK-3023](https://tickets.opscode.com/browse/COOK-3023)** - NTP leapseconds file denied by Ubuntu apparmor profile + +## v1.5.4 (2013-12-29) + +[COOK-4007]- update to 3612902400 + +## v1.5.2 + +### Bug + +- **[COOK-3797](https://tickets.opscode.com/browse/COOK-3797)** - Add /spec to Chefignore + +## v1.5.0 + +### Improvement + +- **[COOK-3651](https://tickets.opscode.com/browse/COOK-3651)** - Refactor and clean up +- **[COOK-3630](https://tickets.opscode.com/browse/COOK-3630)** - Switch NTP cookbook linting from Tailor to Rubocop +- **[COOK-3273](https://tickets.opscode.com/browse/COOK-3273)** - Add tests + +### New Feature + +- **[COOK-3636](https://tickets.opscode.com/browse/COOK-3636)** - Allow ntp cookbook to update clock to ntp servers + +### Bug + +- **[COOK-3410](https://tickets.opscode.com/browse/COOK-3410)** - Remove redundant ntpdate/disable recipes +- **[COOK-1170](https://tickets.opscode.com/browse/COOK-1170)** - Allow redefining NTP servers in a role + +## v1.4.0 + +### Improvement + +- **[COOK-3365](https://tickets.opscode.com/browse/COOK-3365)** - Update ntp leapseconds file to version 3597177600 +- **[COOK-1674](https://tickets.opscode.com/browse/COOK-1674)** - Add Windows support + +## v1.3.2 + +- [COOK-2024] - update leapfile for IERS Bulletin C + +## v1.3.0 + +- [COOK-1404] - add leapfile for handling leap seconds + +## v1.2.0 + +- [COOK-1184] - Add recipe to disable NTP completely +- [COOK-1298] - Refactor into a reference cookbook for testing + +## v1.1.8 + +- [COOK-1158] - RHEL family >= 6 has ntpdate package + +## v1.1.6 + +- Related to changes in COOK-1124, fix group for freebsd and else + +## v1.1.4 + +- [COOK-1124] - parameterised driftfile and statsdir to be configurable by platform + +## v1.1.2 + +- [COOK-952] - freebsd support +- [COOK-949] - check for any virtual system not just vmware + +## v1.1.0 + +- Fixes COOK-376 (use LAN peers, iburst option, LAN restriction attribute) + +## v1.0.1 + +- Support scientific linux +- Use service 
name attribute in resource (fixes EL derivatives) diff --git a/cookbooks/ntp/CONTRIBUTING.md b/cookbooks/ntp/CONTRIBUTING.md new file mode 100644 index 0000000..ef2f2b8 --- /dev/null +++ b/cookbooks/ntp/CONTRIBUTING.md @@ -0,0 +1,2 @@ +Please refer to +https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD diff --git a/cookbooks/ntp/MAINTAINERS.md b/cookbooks/ntp/MAINTAINERS.md new file mode 100644 index 0000000..645ed14 --- /dev/null +++ b/cookbooks/ntp/MAINTAINERS.md @@ -0,0 +1,15 @@ + + +# Maintainers + +This file lists how this cookbook project is maintained. When making changes to the system, this file tells you who needs to review your patch - you need a review from an existing maintainer for the cookbook to provide a :+1: on your pull request. Additionally, you need to not receive a veto from a Lieutenant or the Project Lead. + +Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD) for details on the process and how to become a maintainer or the project lead. + +# Project Maintainer +* [Tim Smith](https://github.com/tas50) + +# Maintainers +* [Jennifer Davis](https://github.com/sigje) +* [Tim Smith](https://github.com/tas50) +* [Thom May](https://github.com/thommay) diff --git a/cookbooks/ntp/README.md b/cookbooks/ntp/README.md new file mode 100644 index 0000000..af671cb --- /dev/null +++ b/cookbooks/ntp/README.md 
@@ -0,0 +1,305 @@ +# NTP Cookbook + +[![Build Status](https://travis-ci.org/chef-cookbooks/ntp.svg?branch=master)](http://travis-ci.org/chef-cookbooks/ntp) [![Cookbook Version](https://img.shields.io/cookbook/v/ntp.svg)](https://supermarket.chef.io/cookbooks/ntp) + +Installs and configures ntp. On Windows systems it uses the Meinberg port of the standard NTPd client to Windows. + +## Requirements + +### Platforms + +- Debian-family Linux Distributions +- RedHat-family Linux Distributions +- Fedora +- Gentoo Linux +- openSUSE +- FreeBSD +- Windows 2008 R2+ +- Mac OS X 10.11+ + +### Chef + +- Chef 12.1+ + +### Cookbooks + +- none + +## Attributes + +### Recommended tunables + +- `ntp['servers']` - (applies to NTP Servers and Clients) + + - Array, should be a list of upstream NTP servers that will be considered authoritative by the local NTP daemon. The local NTP daemon will act as a client, adjusting local time to match time data retrieved from the upstream NTP servers. + + The NTP protocol works best with at least 4 servers. The ntp daemon will disregard any server after the 10th listed, but will continue monitoring all listed servers. For more information, see [Upstream Server Time Quantity](http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3.) at [support.ntp.org](http://support.ntp.org). + +- `ntp['peers']` - (applies to NTP Servers ONLY) + + - Array, should be a list of local NTP peers. For more information, see [Designing Your NTP Network](http://support.ntp.org/bin/view/Support/DesigningYourNTPNetwork) at [support.ntp.org](http://support.ntp.org). + +- `ntp['restrictions']` - (applies to NTP Servers only) + + - Array, should be a list of restrict lines to define access to NTP clients on your LAN. + +- `ntp['sync_clock']` (applies to NTP Servers and Clients) + + - Boolean. Defaults to false. Forces the ntp daemon to be halted, an ntp -q command to be issued, and the ntp daemon to be restarted again on every Chef-client run. 
Will have no effect if drift is over 1000 seconds. + +- `ntp['sync_hw_clock']` (applies to NTP Servers and Clients) + + - Boolean. Defaults to false. On *nix-based systems, forces the 'hwclock --systohc' command to be issued on every Chef-client run. This will sync the hardware clock to the system clock. + - Not available on Windows. + +- `ntp['restrict_default']` + + - String. Defaults to 'kod notrap nomodify nopeer noquery'. Set to 'ignore' to [further lock down access](http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.2.). + +- `ntp["listen_network"]` / `ntp["listen"]` + + - String, optional attribute. Default is for NTP to listen on all addresses. + - `ntp["listen_network"]` should be set to 'primary' to listen on the node's primary IP address as determined by ohai, or set to a CIDR (eg: '192.168.4.0/24') to listen on the last node address on that CIDR. + - `ntp["listen"]` can be set to a specific address (eg: '192.168.4.10') instead of `ntp["listen_network"]` to force listening on a specific address. + - If both `ntp["listen"]` and `ntp["listen_network"]` are set then `ntp["listen"]` will always win. + +- `ntp["ignore"]` + + - Array, interface names to ignore from listening. Can be used to disable listening wildcard interfaces (eg: ['wildcard', '::1']), can be combined with `ntp["listen"]` + +- `ntp["statistics"]` + + - Boolean. Default to true. Enable/disable statistics data logging into `ntp['statsdir']`. + - Not available on Windows. + +- `ntp['conf_restart_immediate']` + + - Boolean. Defaults to false. Restarts NTP service immediately after a config update if true. Otherwise it is a delayed restart. + +- `ntp['peer']['disable_tinker_panic_on_virtualization_guest']` (applies to virtualized hosts only) + + - Boolean. Defaults to true. Sets tinker panic to 0\. NTP default it 1000\. (See p. 
23 for explanation on disabling panic) (Note: this overrides `ntp['tinker']['panic']` attribute) + +- `ntp['peer']['use_iburst']` (applies to NTP Servers ONLY) + + - Boolean. Defaults to true. Enables iburst in peer declaration. + +- `ntp['peer']['use_burst']` (applies to NTP Servers ONLY) + + - Boolean. Defaults to false. Enables burst in peer declaration. + +- `ntp['peer']['minpoll']` (applies to NTP Servers ONLY) + + - Boolean. Defaults to 6 (ntp default). Specify the minimum poll intervals for NTP messages, in seconds to the power of two. + +- `ntp['peer']['maxpoll']` (applies to NTP Servers ONLY) + + - Boolean. Defaults to 10 (ntp default). Specify the maximum poll intervals for NTP messages, in seconds to the power of two. + +- `ntp['server']['prefer']` (applies to NTP Servers and Clients) + + - String. Defaults to emtpy string. The server from `ntp['servers']` to prefer getting the time from. + +- `ntp['server']['use_iburst']` (applies to NTP Servers and Clients) + + - Boolean. Defaults to true. Enables iburst in server declaration. + +- `ntp['server']['use_burst']` (applies to NTP Servers and Clients) + + - Boolean. Defaults to false. Enables burst in server declaration. + +- `ntp['server']['minpoll']` (applies to NTP Servers and Clients) + + - Boolean. Defaults to 6 (ntp default). Specify the minimum poll intervals for NTP messages, in seconds to the power of two. + +- `ntp['server']['maxpoll']` (applies to NTP Servers and Clients) + + - Boolean. Defaults to 10 (ntp default). Specify the maximum poll intervals for NTP messages, in seconds to the power of two. + +- `ntp['tinker']['allan']` + + - Number. Defaults to 1500 (ntp default). Spedifies the Allan intercept, which is a parameter of the PLL/FLL clock discipline algorithm, in seconds. + +- `ntp['tinker']['dispersion']` + + - Number. Defaults to 15 (ntp default). Specifies the dispersion increase rate in parts-per-million (PPM). + +- `ntp['tinker']['panic']` + + - Number. Defaults to 1000 (ntp default). 
Spedifies the panic threshold in seconds. If set to zero, the panic sanity check is disabled and a clock offset of any value will be accepted. + +- `ntp['tinker']['step']` + + - Number. Defaults to 0.128 (ntp default). Spedifies the step threshold in seconds. If set to zero, step adjustments will never occur. Note: The kernel time discipline is disabled if the step threshold is set to zero or greater than 0.5 s. + +- `ntp['tinker']['stepout']` + + - Number. Defaults to 900 (ntp default). Specifies the stepout threshold in seconds. If set to zero, popcorn spikes will not be suppressed. + +- `ntp['localhost']['noquery']` (applies to NTP Servers and Clients) + + - Boolean. Defaults to false. Set to true if using ntp < 4.2.8 or any unpatched ntp version to mitigate CVE-2014-9293 / CVE-2014-9294 / CVE-2014-9295 + +- `ntp['orphan']['enabled']` + + - Boolean, enables orphan mode if set to true + +- `ntp['orphan']['stratum']` + + - Number. Defaults to 5, recommended value for stratum is 2 more than the worst-case externally-reachable source of time + +### Automatically Set Attributes + +These attributes are set based on platform / system information provided by Ohai + +- `ntp['packages']` + + - Array, the packages to install + - Default, ntp for everything, ntpdate depending on platform. Not applicable for + - Windows nodes + +- `ntp['service']` + + - String, the service to act on + - Default, ntp, NTP, or ntpd, depending on platform + +- `ntp['varlibdir']` + + - String, the path to /var/lib files such as the driftfile. + - Default, platform-specific location. Not applicable for Windows nodes + +- `ntp['driftfile']` + + - String, the path to the frequency file. + - Default, platform-specific location. + +- `ntp['conffile']` + + - String, the path to the ntp configuration file. + - Default, platform-specific location. + +- `ntp['statsdir']` + + - String, the directory path for files created by the statistics facility. + - Default, platform-specific location. 
Not applicable for Windows nodes + +- `ntp['conf_owner'] and ntp['conf_group']` + + - String, the owner and group of the sysconf directory files, such as /etc/ntp.conf. + - Default, platform-specific root:root or root:wheel. + +- `ntp['var_owner'] and ntp['var_group']` + + - String, the owner and group of the /var/lib directory files, such as /var/lib/ntp. + - Default, platform-specific ntp:ntp or root:wheel. Not applicable for Windows nodes + +- `ntp['leapfile']` + + - String, the path to the ntp leapfile. + - Default, /etc/ntp.leapseconds. + +- `ntp['package_url']` + + - String, the URL to the the Meinberg NTPd client installation package. + - Default, Meinberg site download URL + - Windows platform only + +- `ntp['vs_runtime_url']` + + - String, the URL to the the Visual Studio C++ 2008 runtime libraries that are required for the Meinberg NTP client. + - Default, Microsoft site download URL + - Windows platform only + +- `ntp['vs_runtime_productname']` + + - String, the installation name of the Visual Studio C++ Runtimes file. + - Default, "Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022" + - Windows platform only + +- `ntp['sync_hw_clock']` + + - Boolean, determines if the ntpdate command is issued to sync the hardware clock + - Default, false + - Not applicable for Windows nodes + +- `ntp['apparmor_enabled']` + + - Boolean, enables configuration of apparmor if set to true + - Defaults to false and will make no provisions for apparmor. + - If a platform has apparmor enabled (currently Ubuntu) default will become true. + +- `ntp['use_cmos']` + + - Boolean, uses a high stratum undisciplined clock for machines with real CMOS clock. + - Defaults to true unless a platform appears to be virtualized according to Ohai. + +## Usage + +### default recipe + +Set up the ntp attributes in a role. 
For example in a base.rb role applied to all nodes: + +```ruby +name 'base' +description 'Role applied to all systems' +default_attributes( + 'ntp' => { + 'servers' => ['time0.int.example.org', 'time1.int.example.org'] + } +) +``` + +Then in an ntpserver.rb role that is applied to NTP servers (e.g., time.int.example.org): + +```ruby +name 'ntp_server' +description 'Role applied to the system that should be an NTP server.' +default_attributes( + 'ntp' => { + 'servers' => ['0.pool.ntp.org', '1.pool.ntp.org'], + 'peers' => ['time0.int.example.org', 'time1.int.example.org'], + 'restrictions' => ['10.0.0.0 mask 255.0.0.0 nomodify notrap'] + } +) +``` + +The timeX.int.example.org used in these roles should be the names or IP addresses of internal NTP servers. Then simply add ntp, or `ntp::default` to your run_list to apply the ntp daemon's configuration. + +### windows_client recipe + +Windows only. Apply on a Windows host to install the Meinberg NTPd client. + +### mac_os_x_client recipe + +Mac OS X only. Apply on a Mac OS X host to configure NTP. + +## License & Authors + +- Author:: Joshua Timberman ([joshua@chef.io](mailto:joshua@chef.io)) +- Contributor:: Eric G. Wolfe ([wolfe21@marshall.edu](mailto:wolfe21@marshall.edu)) +- Contributor:: Fletcher Nichol ([fletcher@nichol.ca](mailto:fletcher@nichol.ca)) +- Contributor:: Tim Smith ([tsmith@chef.io](mailto:tsmith@chef.io)) +- Contributor:: Charles Johnson ([charles@chef.io](mailto:charles@chef.io)) +- Contributor:: Brad Knowles ([bknowles@momentumsi.com](mailto:bknowles@momentumsi.com)) + +```text +Copyright 2009-2016, Chef Software, Inc. +Copyright 2012, Eric G. Wolfe +Copyright 2012, Fletcher Nichol +Copyright 2012, Webtrends, Inc. +Copyright 2013, Limelight Networks, Inc. +Copyright 2013, Brad Knowles +Copyright 2013, Brad Beam + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. 
+You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +``` diff --git a/cookbooks/ntp/attributes/default.rb b/cookbooks/ntp/attributes/default.rb new file mode 100644 index 0000000..671a974 --- /dev/null +++ b/cookbooks/ntp/attributes/default.rb 
@@ -0,0 +1,130 @@
+#
+# Cookbook:: ntp
+# Attributes:: default
+#
+# Author:: Joshua Timberman ()
+# Author:: Tim Smith ()
+# Author:: Charles Johnson ()
+#
+# Copyright:: 2009-2017, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# default attributes for all platforms
+default['ntp']['servers'] = [] # The default recipe sets a list of common NTP servers (COOK-1170)
+default['ntp']['peers'] = []
+default['ntp']['restrictions'] = []
+default['ntp']['tinker'] = { 'panic' => 0 }
+
+# set `restrict default` for IPv4 and IPv6
+default['ntp']['restrict_default'] = 'kod notrap nomodify nopeer noquery'
+
+# internal attributes
+default['ntp']['packages'] = %w(ntp)
+default['ntp']['service'] = 'ntpd'
+default['ntp']['varlibdir'] = '/var/lib/ntp'
+default['ntp']['driftfile'] = "#{node['ntp']['varlibdir']}/ntp.drift"
+default['ntp']['logfile'] = nil
+default['ntp']['conffile'] = '/etc/ntp.conf'
+default['ntp']['statsdir'] = '/var/log/ntpstats/'
+default['ntp']['conf_owner'] = 'root'
+default['ntp']['conf_group'] = 'root'
+default['ntp']['var_owner'] = 'ntp'
+default['ntp']['var_group'] = 'ntp'
+default['ntp']['leapfile'] = '/etc/ntp.leapseconds'
+default['ntp']['sync_clock'] = false
+default['ntp']['sync_hw_clock'] = false
+default['ntp']['listen'] = nil
+default['ntp']['listen_network'] = nil
+default['ntp']['ignore'] = nil
+default['ntp']['apparmor_enabled'] = false
+default['ntp']['monitor'] = false
+default['ntp']['statistics'] = true
+default['ntp']['conf_restart_immediate'] = false
+default['ntp']['keys'] = nil
+default['ntp']['trustedkey'] = nil
+default['ntp']['requestkey'] = nil
+
+# See http://www.vmware.com/vmtn/resources/238 p. 23 for explanation
+default['ntp']['disable_tinker_panic_on_virtualization_guest'] = true
+
+default['ntp']['peer']['key'] = nil
+default['ntp']['peer']['use_iburst'] = true
+default['ntp']['peer']['use_burst'] = false
+default['ntp']['peer']['minpoll'] = 6
+default['ntp']['peer']['maxpoll'] = 10
+
+default['ntp']['server']['prefer'] = ''
+default['ntp']['server']['use_iburst'] = true
+default['ntp']['server']['use_burst'] = false
+default['ntp']['server']['minpoll'] = 6
+default['ntp']['server']['maxpoll'] = 10
+
+default['ntp']['tinker']['allan'] = 1500
+default['ntp']['tinker']['dispersion'] = 15
+default['ntp']['tinker']['panic'] = 1000
+default['ntp']['tinker']['step'] = 0.128
+default['ntp']['tinker']['stepout'] = 900
+
+default['ntp']['orphan']['enabled'] = false
+default['ntp']['orphan']['stratum'] = 5 # ntp recommends 2 more than the worst-case externally-reachable source of time
+
+# Set to true if using ntp < 4.2.8 or any unpatched ntp version to mitigate CVE-2014-9293 / CVE-2014-9294 / CVE-2014-9295
+default['ntp']['localhost']['noquery'] = false
+
+# overrides on a platform-by-platform basis
+case node['platform_family']
+when 'debian'
+ default['ntp']['service'] = 'ntp'
+ default['ntp']['apparmor_enabled'] = true if File.exist? '/etc/init.d/apparmor'
+when 'rhel', 'fedora'
+ default['ntp']['packages'] = %w(ntp ntpdate) if node['platform_version'].to_i >= 7
+when 'windows'
+ default['ntp']['service'] = 'NTP'
+ default['ntp']['driftfile'] = 'C:\\NTP\\ntp.drift'
+ default['ntp']['conffile'] = 'C:\\NTP\\etc\\ntp.conf'
+ default['ntp']['conf_owner'] = 'Administrators'
+ default['ntp']['conf_group'] = 'Administrators'
+ default['ntp']['package_url'] = 'https://www.meinbergglobal.com/download/ntp/windows/ntp-4.2.8p5-win32-setup.exe'
+ default['ntp']['statistics'] = false
+when 'freebsd'
+ default['ntp']['varlibdir'] = '/var/db'
+ default['ntp']['driftfile'] = "#{node['ntp']['varlibdir']}/ntpd.drift"
+ default['ntp']['statsdir'] = "#{node['ntp']['varlibdir']}/ntpstats"
+ default['ntp']['conf_group'] = 'wheel'
+ default['ntp']['var_owner'] = 'root'
+ default['ntp']['var_group'] = 'wheel'
+when 'gentoo'
+ default['ntp']['leapfile'] = "#{node['ntp']['varlibdir']}/ntp.leapseconds"
+when 'solaris2'
+ default['ntp']['service'] = 'ntp'
+ default['ntp']['varlibdir'] = '/var/ntp'
+ default['ntp']['conffile'] = '/etc/inet/ntp.conf'
+ default['ntp']['statsdir'] = "#{node['ntp']['varlibdir']}/ntpstats/"
+ default['ntp']['conf_owner'] = 'root'
+ default['ntp']['conf_group'] = 'root'
+ default['ntp']['var_owner'] = 'root'
+ default['ntp']['var_group'] = 'sys'
+ default['ntp']['leapfile'] = '/etc/inet/ntp.leap'
+when 'pld'
+ default['ntp']['packages'] = %w(ntpd)
+ default['ntp']['conffile'] = '/etc/ntp/ntp.conf'
+ default['ntp']['leapfile'] = '/etc/ntp/ntp.leapseconds'
+ default['ntp']['driftfile'] = "#{node['ntp']['varlibdir']}/drift"
+ default['ntp']['var_owner'] = 'root'
+end
+
+unless node['platform'] == 'windows'
+ default['ntp']['use_cmos'] = !node['virtualization'] || node['virtualization']['role'] != 'guest' ? true : false
+end
diff --git a/cookbooks/ntp/files/default/ntp.ini b/cookbooks/ntp/files/default/ntp.ini
new file mode 100644
index 0000000..11498b4
--- /dev/null
+++ b/cookbooks/ntp/files/default/ntp.ini
@@ -0,0 +1,23 @@
+[Installer]
+InstallDir=C:\NTP
+UpgradeMode=Reinstall
+Logfile=C:\NTP\install.log
+Silent=yes
+
+[Components]
+InstallDocs=yes
+InstallTools=yes
+InstallOpenSSL=yes
+CreateStartMenuEntries=yes
+
+[Service]
+ModifyFirewall=yes
+ServiceAccount=@SYSTEM
+DisableOthers=yes
+AllowBigInitialTimestep=yes
+EnableMMTimer=yes
+AutoStart=yes
+StartAfterInstallation=yes
+
+[Configuration]
+UseConfigFile=C:\NTP\ntp.conf
diff --git a/cookbooks/ntp/files/default/ntp.leapseconds b/cookbooks/ntp/files/default/ntp.leapseconds
new file mode 100644
index 0000000..22fa785
--- /dev/null
+++ b/cookbooks/ntp/files/default/ntp.leapseconds
@@ -0,0 +1,250 @@ +# +# In the following text, the symbol '#' introduces +# a comment, which continues from that symbol until +# the end of the line. A plain comment line has a +# whitespace character following the comment indicator. +# There are also special comment lines defined below. +# A special comment will always have a non-whitespace +# character in column 2. +# +# A blank line should be ignored. +# +# The following table shows the corrections that must +# be applied to compute International Atomic Time (TAI) +# from the Coordinated Universal Time (UTC) values that +# are transmitted by almost all time services. +# +# The first column shows an epoch as a number of seconds +# since 1 January 1900, 00:00:00 (1900.0 is also used to +# indicate the same epoch.) Both of these time stamp formats +# ignore the complexities of the time scales that were +# used before the current definition of UTC at the start +# of 1972. (See note 3 below.) +# The second column shows the number of seconds that +# must be added to UTC to compute TAI for any timestamp +# at or after that epoch. The value on each line is +# valid from the indicated initial instant until the +# epoch given on the next one or indefinitely into the +# future if there is no next line. +# (The comment on each line shows the representation of +# the corresponding initial epoch in the usual +# day-month-year format. The epoch always begins at +# 00:00:00 UTC on the indicated day. See Note 5 below.) +# +# Important notes: +# +# 1. Coordinated Universal Time (UTC) is often referred to +# as Greenwich Mean Time (GMT). The GMT time scale is no +# longer used, and the use of GMT to designate UTC is +# discouraged. +# +# 2. The UTC time scale is realized by many national +# laboratories and timing centers. Each laboratory +# identifies its realization with its name: Thus +# UTC(NIST), UTC(USNO), etc. 
The differences among +# these different realizations are typically on the +# order of a few nanoseconds (i.e., 0.000 000 00x s) +# and can be ignored for many purposes. These differences +# are tabulated in Circular T, which is published monthly +# by the International Bureau of Weights and Measures +# (BIPM). See www.bipm.org for more information. +# +# 3. The current definition of the relationship between UTC +# and TAI dates from 1 January 1972. A number of different +# time scales were in use before that epoch, and it can be +# quite difficult to compute precise timestamps and time +# intervals in those "prehistoric" days. For more information, +# consult: +# +# The Explanatory Supplement to the Astronomical +# Ephemeris. +# or +# Terry Quinn, "The BIPM and the Accurate Measurement +# of Time," Proc. of the IEEE, Vol. 79, pp. 894-905, +# July, 1991. +# +# 4. The decision to insert a leap second into UTC is currently +# the responsibility of the International Earth Rotation and +# Reference Systems Service. (The name was changed from the +# International Earth Rotation Service, but the acronym IERS +# is still used.) +# +# Leap seconds are announced by the IERS in its Bulletin C. +# +# See www.iers.org for more details. +# +# Every national laboratory and timing center uses the +# data from the BIPM and the IERS to construct UTC(lab), +# their local realization of UTC. +# +# Although the definition also includes the possibility +# of dropping seconds ("negative" leap seconds), this has +# never been done and is unlikely to be necessary in the +# foreseeable future. +# +# 5. If your system keeps time as the number of seconds since +# some epoch (e.g., NTP timestamps), then the algorithm for +# assigning a UTC time stamp to an event that happens during a positive +# leap second is not well defined. The official name of that leap +# second is 23:59:60, but there is no way of representing that time +# in these systems. 
+# Many systems of this type effectively stop the system clock for +# one second during the leap second and use a time that is equivalent +# to 23:59:59 UTC twice. For these systems, the corresponding TAI +# timestamp would be obtained by advancing to the next entry in the +# following table when the time equivalent to 23:59:59 UTC +# is used for the second time. Thus the leap second which +# occurred on 30 June 1972 at 23:59:59 UTC would have TAI +# timestamps computed as follows: +# +# ... +# 30 June 1972 23:59:59 (2287785599, first time): TAI= UTC + 10 seconds +# 30 June 1972 23:59:60 (2287785599,second time): TAI= UTC + 11 seconds +# 1 July 1972 00:00:00 (2287785600) TAI= UTC + 11 seconds +# ... +# +# If your system realizes the leap second by repeating 00:00:00 UTC twice +# (this is possible but not usual), then the advance to the next entry +# in the table must occur the second time that a time equivalent to +# 00:00:00 UTC is used. Thus, using the same example as above: +# +# ... +# 30 June 1972 23:59:59 (2287785599): TAI= UTC + 10 seconds +# 30 June 1972 23:59:60 (2287785600, first time): TAI= UTC + 10 seconds +# 1 July 1972 00:00:00 (2287785600,second time): TAI= UTC + 11 seconds +# ... +# +# in both cases the use of timestamps based on TAI produces a smooth +# time scale with no discontinuity in the time interval. However, +# although the long-term behavior of the time scale is correct in both +# methods, the second method is technically not correct because it adds +# the extra second to the wrong day. +# +# This complexity would not be needed for negative leap seconds (if they +# are ever used). The UTC time would skip 23:59:59 and advance from +# 23:59:58 to 00:00:00 in that case. The TAI offset would decrease by +# 1 second at the same instant. This is a much easier situation to deal +# with, since the difficulty of unambiguously representing the epoch +# during the leap second does not arise. 
+# +# Some systems implement leap seconds by amortizing the leap second +# over the last few minutes of the day. The frequency of the local +# clock is decreased (or increased) to realize the positive (or +# negative) leap second. This method removes the time step described +# above. Although the long-term behavior of the time scale is correct +# in this case, this method introduces an error during the adjustment +# period both in time and in frequency with respect to the official +# definition of UTC. +# +# Questions or comments to: +# Judah Levine +# Time and Frequency Division +# NIST +# Boulder, Colorado +# Judah.Levine@nist.gov +# +# Last Update of leap second values: 8 July 2016 +# +# The following line shows this last update date in NTP timestamp +# format. This is the date on which the most recent change to +# the leap second data was added to the file. This line can +# be identified by the unique pair of characters in the first two +# columns as shown below. +# +#$ 3676924800 +# +# The NTP timestamps are in units of seconds since the NTP epoch, +# which is 1 January 1900, 00:00:00. The Modified Julian Day number +# corresponding to the NTP time stamp, X, can be computed as +# +# X/86400 + 15020 +# +# where the first term converts seconds to days and the second +# term adds the MJD corresponding to the time origin defined above. +# The integer portion of the result is the integer MJD for that +# day, and any remainder is the time of day, expressed as the +# fraction of the day since 0 hours UTC. The conversion from day +# fraction to seconds or to hours, minutes, and seconds may involve +# rounding or truncation, depending on the method used in the +# computation. +# +# The data in this file will be updated periodically as new leap +# seconds are announced. In addition to being entered on the line +# above, the update time (in NTP format) will be added to the basic +# file name leap-seconds to form the name leap-seconds.. 
+# In addition, the generic name leap-seconds.list will always point to +# the most recent version of the file. +# +# This update procedure will be performed only when a new leap second +# is announced. +# +# The following entry specifies the expiration date of the data +# in this file in units of seconds since the origin at the instant +# 1 January 1900, 00:00:00. This expiration date will be changed +# at least twice per year whether or not a new leap second is +# announced. These semi-annual changes will be made no later +# than 1 June and 1 December of each year to indicate what +# action (if any) is to be taken on 30 June and 31 December, +# respectively. (These are the customary effective dates for new +# leap seconds.) This expiration date will be identified by a +# unique pair of characters in columns 1 and 2 as shown below. +# In the unlikely event that a leap second is announced with an +# effective date other than 30 June or 31 December, then this +# file will be edited to include that leap second as soon as it is +# announced or at least one month before the effective date +# (whichever is later). +# If an announcement by the IERS specifies that no leap second is +# scheduled, then only the expiration date of the file will +# be advanced to show that the information in the file is still +# current -- the update time stamp, the data and the name of the file +# will not change. 
+# +# Updated through IERS Bulletin C52 +# File expires on: 28 June 2017 +# +#@ 3707596800 +# +2272060800 10 # 1 Jan 1972 +2287785600 11 # 1 Jul 1972 +2303683200 12 # 1 Jan 1973 +2335219200 13 # 1 Jan 1974 +2366755200 14 # 1 Jan 1975 +2398291200 15 # 1 Jan 1976 +2429913600 16 # 1 Jan 1977 +2461449600 17 # 1 Jan 1978 +2492985600 18 # 1 Jan 1979 +2524521600 19 # 1 Jan 1980 +2571782400 20 # 1 Jul 1981 +2603318400 21 # 1 Jul 1982 +2634854400 22 # 1 Jul 1983 +2698012800 23 # 1 Jul 1985 +2776982400 24 # 1 Jan 1988 +2840140800 25 # 1 Jan 1990 +2871676800 26 # 1 Jan 1991 +2918937600 27 # 1 Jul 1992 +2950473600 28 # 1 Jul 1993 +2982009600 29 # 1 Jul 1994 +3029443200 30 # 1 Jan 1996 +3076704000 31 # 1 Jul 1997 +3124137600 32 # 1 Jan 1999 +3345062400 33 # 1 Jan 2006 +3439756800 34 # 1 Jan 2009 +3550089600 35 # 1 Jul 2012 +3644697600 36 # 1 Jul 2015 +3692217600 37 # 1 Jan 2017 +# +# the following special comment contains the +# hash value of the data in this file computed +# use the secure hash algorithm as specified +# by FIPS 180-1. See the files in ~/pub/sha for +# the details of how this hash value is +# computed. Note that the hash computation +# ignores comments and whitespace characters +# in data lines. It includes the NTP values +# of both the last modification time and the +# expiration time of the file, but not the +# white space on those lines. +# the hash line is also ignored in the +# computation. +# +#h dacf2c42 2c4765d6 3c797af8 2cf630eb 699c8c67 diff --git a/cookbooks/ntp/files/default/usr.sbin.ntpd.apparmor b/cookbooks/ntp/files/default/usr.sbin.ntpd.apparmor new file mode 100644 index 0000000..7dfbeb0 --- /dev/null +++ b/cookbooks/ntp/files/default/usr.sbin.ntpd.apparmor 
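Review bot: The vendored leap-seconds table carries a fixed expiry, `#@ 3707596800` (`File expires on: 28 June 2017`), and nothing in the cookbook refreshes it: `cookbook_file node['ntp']['leapfile']` in recipes/default.rb installs this exact copy on every node, so the table goes stale as soon as the cookbook pin outlives that date. Past expiry ntpd is expected to log the file as expired and stop relying on it, which makes shipping it of diminishing value; either refresh the file whenever the cookbook version is bumped or document that nodes rely on upstream servers for leap announcements. The embedded `#h` line is a SHA-1 over the data lines and detects corruption of a refreshed copy but is not an authenticity control, so a refresh should come from the IERS/IANA source over a verified channel.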
@@ -0,0 +1,88 @@
+# vim:syntax=apparmor
+#
+# Maintained by Chef
+#
+# Updated for Ubuntu by: Jamie Strandboge
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+#include
+/usr/sbin/ntpd {
+ #include
+ #include
+ #include
+
+ capability ipc_lock,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+ capability sys_time,
+ capability sys_nice,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ @{PROC}/net/if_inet6 r,
+ @{PROC}/*/net/if_inet6 r,
+ @{NTPD_DEVICE} rw,
+
+ /{,s}bin/ r,
+ /usr/{,s}bin/ r,
+ /usr/local/{,s}bin/ r,
+ /usr/sbin/ntpd rmix,
+
+ /opt/chef/embedded/bin/ r,
+
+ /etc/ntp.conf r,
+ /etc/ntp.conf.dhcp r,
+ /etc/ntpd.conf r,
+ /etc/ntpd.conf.tmp r,
+ /var/lib/ntp/ntp.conf.dhcp r,
+
+ /etc/ntp.leapseconds r,
+
+ /etc/ntp.keys r,
+ /etc/ntp/** r,
+
+ /etc/ntp.drift rwl,
+ /etc/ntp.drift.TEMP rwl,
+ /etc/ntp/drift* rwl,
+ /var/lib/ntp/*drift rw,
+ /var/lib/ntp/*drift.TEMP rw,
+
+ /var/log/ntp w,
+ /var/log/ntp.log w,
+ /var/log/ntpd w,
+ /var/log/ntpstats/clockstats* rwl,
+ /var/log/ntpstats/loopstats* rwl,
+ /var/log/ntpstats/peerstats* rwl,
+ /var/log/ntpstats/rawstats* rwl,
+ /var/log/ntpstats/sysstats* rwl,
+
+ /{,var/}run/ntpd.pid w,
+
+ # samba4 ntp signing socket
+ /{,var/}run/samba/ntp_signd/socket rw,
+
+ # For use with clocks that report via shared memory (e.g. gpsd),
+ # you may need to give ntpd access to all of shared memory, though
+ # this can be considered dangerous. See https://launchpad.net/bugs/722815
+ # for details. To enable, add this to local/usr.sbin.ntpd:
+ # capability ipc_owner,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/cookbooks/ntp/libraries/ntp_helper.rb b/cookbooks/ntp/libraries/ntp_helper.rb
new file mode 100644
index 0000000..8560994
--- /dev/null
+++ b/cookbooks/ntp/libraries/ntp_helper.rb
@@ -0,0 +1,49 @@
+#
+# Author:: Julian C. Dunn ()
+# Cookbook:: ntp
+# Library:: helper
+#
+# Copyright:: 2014-2017, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/mixin/shell_out'
+
+module Opscode
+ module Ntp
+ # Helper methods for ntp
+ module Helper
+ include Chef::Mixin::ShellOut
+
+ def ntpd_supports_native_leapfiles
+ ntpd_version = determine_ntpd_version
+ if ntpd_version
+ ntpd_version =~ /ntpd.*(\d+\.\d+\.\d+)/
+ # Abuse of Gem::Requirement, but it works
+ Gem::Requirement.new('>= 4.2.6').satisfied_by?(Gem::Version.new(Regexp.last_match(1)))
+ else
+ false
+ end
+ end
+
+ private
+
+ def determine_ntpd_version
+ cmd = shell_out!('ntpd --version 2>&1')
+ cmd.stdout.strip
+ rescue Errno::ENOENT, Mixlib::ShellOut::ShellCommandFailed
+ nil
+ end
+ end
+ end
+end
diff --git a/cookbooks/ntp/metadata.json b/cookbooks/ntp/metadata.json
new file mode 100644
index 0000000..8791de2
--- /dev/null
+++ b/cookbooks/ntp/metadata.json
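Review bot: In `ntpd_supports_native_leapfiles` the `Gem::Version.new(Regexp.last_match(1))` line is reached without checking that the preceding `=~` matched; when `ntpd --version` prints something without three dotted components, `Regexp.last_match(1)` is nil and the outcome depends on the installed RubyGems (an ArgumentError that aborts the run, or a silent "0" that reports no native leap-file support). Capture the match explicitly: `match = ntpd_version.match(/ntpd.*(\d+\.\d+\.\d+)/)` / `return false unless match` / `Gem::Requirement.new('>= 4.2.6').satisfied_by?(Gem::Version.new(match[1]))`. The regex also deliberately drops the patch level that real builds carry (the Windows package on this page is `4.2.8p5`), which is fine for a `>= 4.2.6` test but deserves a one-line comment so the next reader does not "fix" it.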
@@ -0,0 +1 @@ +{"name":"ntp","version":"3.4.0","description":"Installs and configures ntp as a client or server","long_description":"# NTP Cookbook\n\n[![Build Status](https://travis-ci.org/chef-cookbooks/ntp.svg?branch=master)](http://travis-ci.org/chef-cookbooks/ntp) [![Cookbook Version](https://img.shields.io/cookbook/v/ntp.svg)](https://supermarket.chef.io/cookbooks/ntp)\n\nInstalls and configures ntp. On Windows systems it uses the Meinberg port of the standard NTPd client to Windows.\n\n## Requirements\n\n### Platforms\n\n- Debian-family Linux Distributions\n- RedHat-family Linux Distributions\n- Fedora\n- Gentoo Linux\n- openSUSE\n- FreeBSD\n- Windows 2008 R2+\n- Mac OS X 10.11+\n\n### Chef\n\n- Chef 12.1+\n\n### Cookbooks\n\n- none\n\n## Attributes\n\n### Recommended tunables\n\n- `ntp['servers']` - (applies to NTP Servers and Clients)\n\n - Array, should be a list of upstream NTP servers that will be considered authoritative by the local NTP daemon. The local NTP daemon will act as a client, adjusting local time to match time data retrieved from the upstream NTP servers.\n\n The NTP protocol works best with at least 4 servers. The ntp daemon will disregard any server after the 10th listed, but will continue monitoring all listed servers. For more information, see [Upstream Server Time Quantity](http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3.) at [support.ntp.org](http://support.ntp.org).\n\n- `ntp['peers']` - (applies to NTP Servers ONLY)\n\n - Array, should be a list of local NTP peers. For more information, see [Designing Your NTP Network](http://support.ntp.org/bin/view/Support/DesigningYourNTPNetwork) at [support.ntp.org](http://support.ntp.org).\n\n- `ntp['restrictions']` - (applies to NTP Servers only)\n\n - Array, should be a list of restrict lines to define access to NTP clients on your LAN.\n\n- `ntp['sync_clock']` (applies to NTP Servers and Clients)\n\n - Boolean. Defaults to false. 
Forces the ntp daemon to be halted, an ntp -q command to be issued, and the ntp daemon to be restarted again on every Chef-client run. Will have no effect if drift is over 1000 seconds.\n\n- `ntp['sync_hw_clock']` (applies to NTP Servers and Clients)\n\n - Boolean. Defaults to false. On *nix-based systems, forces the 'hwclock --systohc' command to be issued on every Chef-client run. This will sync the hardware clock to the system clock.\n - Not available on Windows.\n\n- `ntp['restrict_default']`\n\n - String. Defaults to 'kod notrap nomodify nopeer noquery'. Set to 'ignore' to [further lock down access](http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.2.).\n\n- `ntp[\"listen_network\"]` / `ntp[\"listen\"]`\n\n - String, optional attribute. Default is for NTP to listen on all addresses.\n - `ntp[\"listen_network\"]` should be set to 'primary' to listen on the node's primary IP address as determined by ohai, or set to a CIDR (eg: '192.168.4.0/24') to listen on the last node address on that CIDR.\n - `ntp[\"listen\"]` can be set to a specific address (eg: '192.168.4.10') instead of `ntp[\"listen_network\"]` to force listening on a specific address.\n - If both `ntp[\"listen\"]` and `ntp[\"listen_network\"]` are set then `ntp[\"listen\"]` will always win.\n\n- `ntp[\"ignore\"]`\n\n - Array, interface names to ignore from listening. Can be used to disable listening wildcard interfaces (eg: ['wildcard', '::1']), can be combined with `ntp[\"listen\"]`\n\n- `ntp[\"statistics\"]`\n\n - Boolean. Default to true. Enable/disable statistics data logging into `ntp['statsdir']`.\n - Not available on Windows.\n\n- `ntp['conf_restart_immediate']`\n\n - Boolean. Defaults to false. Restarts NTP service immediately after a config update if true. Otherwise it is a delayed restart.\n\n- `ntp['peer']['disable_tinker_panic_on_virtualization_guest']` (applies to virtualized hosts only)\n\n - Boolean. Defaults to true. Sets tinker panic to 0\\. 
NTP default it 1000\\. (See p. 23 for explanation on disabling panic) (Note: this overrides `ntp['tinker']['panic']` attribute)\n\n- `ntp['peer']['use_iburst']` (applies to NTP Servers ONLY)\n\n - Boolean. Defaults to true. Enables iburst in peer declaration.\n\n- `ntp['peer']['use_burst']` (applies to NTP Servers ONLY)\n\n - Boolean. Defaults to false. Enables burst in peer declaration.\n\n- `ntp['peer']['minpoll']` (applies to NTP Servers ONLY)\n\n - Boolean. Defaults to 6 (ntp default). Specify the minimum poll intervals for NTP messages, in seconds to the power of two.\n\n- `ntp['peer']['maxpoll']` (applies to NTP Servers ONLY)\n\n - Boolean. Defaults to 10 (ntp default). Specify the maximum poll intervals for NTP messages, in seconds to the power of two.\n\n- `ntp['server']['prefer']` (applies to NTP Servers and Clients)\n\n - String. Defaults to emtpy string. The server from `ntp['servers']` to prefer getting the time from.\n\n- `ntp['server']['use_iburst']` (applies to NTP Servers and Clients)\n\n - Boolean. Defaults to true. Enables iburst in server declaration.\n\n- `ntp['server']['use_burst']` (applies to NTP Servers and Clients)\n\n - Boolean. Defaults to false. Enables burst in server declaration.\n\n- `ntp['server']['minpoll']` (applies to NTP Servers and Clients)\n\n - Boolean. Defaults to 6 (ntp default). Specify the minimum poll intervals for NTP messages, in seconds to the power of two.\n\n- `ntp['server']['maxpoll']` (applies to NTP Servers and Clients)\n\n - Boolean. Defaults to 10 (ntp default). Specify the maximum poll intervals for NTP messages, in seconds to the power of two.\n\n- `ntp['tinker']['allan']`\n\n - Number. Defaults to 1500 (ntp default). Spedifies the Allan intercept, which is a parameter of the PLL/FLL clock discipline algorithm, in seconds.\n\n- `ntp['tinker']['dispersion']`\n\n - Number. Defaults to 15 (ntp default). Specifies the dispersion increase rate in parts-per-million (PPM).\n\n- `ntp['tinker']['panic']`\n\n - Number. 
Defaults to 1000 (ntp default). Spedifies the panic threshold in seconds. If set to zero, the panic sanity check is disabled and a clock offset of any value will be accepted.\n\n- `ntp['tinker']['step']`\n\n - Number. Defaults to 0.128 (ntp default). Spedifies the step threshold in seconds. If set to zero, step adjustments will never occur. Note: The kernel time discipline is disabled if the step threshold is set to zero or greater than 0.5 s.\n\n- `ntp['tinker']['stepout']`\n\n - Number. Defaults to 900 (ntp default). Specifies the stepout threshold in seconds. If set to zero, popcorn spikes will not be suppressed.\n\n- `ntp['localhost']['noquery']` (applies to NTP Servers and Clients)\n\n - Boolean. Defaults to false. Set to true if using ntp < 4.2.8 or any unpatched ntp version to mitigate CVE-2014-9293 / CVE-2014-9294 / CVE-2014-9295\n\n- `ntp['orphan']['enabled']`\n\n - Boolean, enables orphan mode if set to true\n\n- `ntp['orphan']['stratum']`\n\n - Number. Defaults to 5, recommended value for stratum is 2 more than the worst-case externally-reachable source of time\n\n### Automatically Set Attributes\n\nThese attributes are set based on platform / system information provided by Ohai\n\n- `ntp['packages']`\n\n - Array, the packages to install\n - Default, ntp for everything, ntpdate depending on platform. Not applicable for\n - Windows nodes\n\n- `ntp['service']`\n\n - String, the service to act on\n - Default, ntp, NTP, or ntpd, depending on platform\n\n- `ntp['varlibdir']`\n\n - String, the path to /var/lib files such as the driftfile.\n - Default, platform-specific location. 
Not applicable for Windows nodes\n\n- `ntp['driftfile']`\n\n - String, the path to the frequency file.\n - Default, platform-specific location.\n\n- `ntp['conffile']`\n\n - String, the path to the ntp configuration file.\n - Default, platform-specific location.\n\n- `ntp['statsdir']`\n\n - String, the directory path for files created by the statistics facility.\n - Default, platform-specific location. Not applicable for Windows nodes\n\n- `ntp['conf_owner'] and ntp['conf_group']`\n\n - String, the owner and group of the sysconf directory files, such as /etc/ntp.conf.\n - Default, platform-specific root:root or root:wheel.\n\n- `ntp['var_owner'] and ntp['var_group']`\n\n - String, the owner and group of the /var/lib directory files, such as /var/lib/ntp.\n - Default, platform-specific ntp:ntp or root:wheel. Not applicable for Windows nodes\n\n- `ntp['leapfile']`\n\n - String, the path to the ntp leapfile.\n - Default, /etc/ntp.leapseconds.\n\n- `ntp['package_url']`\n\n - String, the URL to the the Meinberg NTPd client installation package.\n - Default, Meinberg site download URL\n - Windows platform only\n\n- `ntp['vs_runtime_url']`\n\n - String, the URL to the the Visual Studio C++ 2008 runtime libraries that are required for the Meinberg NTP client.\n - Default, Microsoft site download URL\n - Windows platform only\n\n- `ntp['vs_runtime_productname']`\n\n - String, the installation name of the Visual Studio C++ Runtimes file.\n - Default, \"Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022\"\n - Windows platform only\n\n- `ntp['sync_hw_clock']`\n\n - Boolean, determines if the ntpdate command is issued to sync the hardware clock\n - Default, false\n - Not applicable for Windows nodes\n\n- `ntp['apparmor_enabled']`\n\n - Boolean, enables configuration of apparmor if set to true\n - Defaults to false and will make no provisions for apparmor.\n - If a platform has apparmor enabled (currently Ubuntu) default will become true.\n\n- `ntp['use_cmos']`\n\n - 
Boolean, uses a high stratum undisciplined clock for machines with real CMOS clock.\n - Defaults to true unless a platform appears to be virtualized according to Ohai.\n\n## Usage\n\n### default recipe\n\nSet up the ntp attributes in a role. For example in a base.rb role applied to all nodes:\n\n```ruby\nname 'base'\ndescription 'Role applied to all systems'\ndefault_attributes(\n 'ntp' => {\n 'servers' => ['time0.int.example.org', 'time1.int.example.org']\n }\n)\n```\n\nThen in an ntpserver.rb role that is applied to NTP servers (e.g., time.int.example.org):\n\n```ruby\nname 'ntp_server'\ndescription 'Role applied to the system that should be an NTP server.'\ndefault_attributes(\n 'ntp' => {\n 'servers' => ['0.pool.ntp.org', '1.pool.ntp.org'],\n 'peers' => ['time0.int.example.org', 'time1.int.example.org'],\n 'restrictions' => ['10.0.0.0 mask 255.0.0.0 nomodify notrap']\n }\n)\n```\n\nThe timeX.int.example.org used in these roles should be the names or IP addresses of internal NTP servers. Then simply add ntp, or `ntp::default` to your run_list to apply the ntp daemon's configuration.\n\n### windows_client recipe\n\nWindows only. Apply on a Windows host to install the Meinberg NTPd client.\n\n### mac_os_x_client recipe\n\nMac OS X only. Apply on a Mac OS X host to configure NTP.\n\n## License & Authors\n\n- Author:: Joshua Timberman ([joshua@chef.io](mailto:joshua@chef.io))\n- Contributor:: Eric G. Wolfe ([wolfe21@marshall.edu](mailto:wolfe21@marshall.edu))\n- Contributor:: Fletcher Nichol ([fletcher@nichol.ca](mailto:fletcher@nichol.ca))\n- Contributor:: Tim Smith ([tsmith@chef.io](mailto:tsmith@chef.io))\n- Contributor:: Charles Johnson ([charles@chef.io](mailto:charles@chef.io))\n- Contributor:: Brad Knowles ([bknowles@momentumsi.com](mailto:bknowles@momentumsi.com))\n\n```text\nCopyright 2009-2016, Chef Software, Inc.\nCopyright 2012, Eric G. 
Wolfe\nCopyright 2012, Fletcher Nichol\nCopyright 2012, Webtrends, Inc.\nCopyright 2013, Limelight Networks, Inc.\nCopyright 2013, Brad Knowles\nCopyright 2013, Brad Beam\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"amazon":">= 0.0.0","centos":">= 0.0.0","debian":">= 0.0.0","fedora":">= 0.0.0","freebsd":">= 0.0.0","gentoo":">= 0.0.0","redhat":">= 0.0.0","scientific":">= 0.0.0","solaris2":">= 0.0.0","oracle":">= 0.0.0","ubuntu":">= 0.0.0","windows":">= 0.0.0","mac_os_x":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{"ntp":"Installs and configures ntp either as a server or client"},"source_url":"https://github.com/chef-cookbooks/ntp","issues_url":"https://github.com/chef-cookbooks/ntp/issues","chef_version":[[">= 12.1"]],"ohai_version":[]} \ No newline at end of file diff --git a/cookbooks/ntp/recipes/apparmor.rb b/cookbooks/ntp/recipes/apparmor.rb new file mode 100644 index 0000000..e5b19db --- /dev/null +++ b/cookbooks/ntp/recipes/apparmor.rb 
@@ -0,0 +1,30 @@
+#
+# Cookbook:: ntp
+# Recipe:: apparmor
+# Author:: Scott Lampert ()
+#
+# Copyright:: 2013-2017, Scott Lampert
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+service 'apparmor' do
+ action :nothing
+end
+
+cookbook_file '/etc/apparmor.d/usr.sbin.ntpd' do
+ source 'usr.sbin.ntpd.apparmor'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ notifies :restart, 'service[apparmor]'
+end
diff --git a/cookbooks/ntp/recipes/default.rb b/cookbooks/ntp/recipes/default.rb
new file mode 100644
index 0000000..7b61f75
--- /dev/null
+++ b/cookbooks/ntp/recipes/default.rb
@@ -0,0 +1,129 @@
+#
+# Cookbook:: ntp
+# Recipe:: default
+# Author:: Joshua Timberman ()
+# Author:: Tim Smith ()
+#
+# Copyright:: 2009-2017, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+::Chef::Resource.send(:include, Opscode::Ntp::Helper)
+
+case node['platform_family']
+when 'windows'
+ include_recipe 'ntp::windows_client'
+when 'mac_os_x'
+ include_recipe 'ntp::mac_os_x_client'
+ # On OS X we only support simple client config and nothing more
+ return 0
+else
+
+ node['ntp']['packages'].each do |ntppkg|
+ package ntppkg
+ end
+
+ package 'Remove ntpdate' do
+ package_name 'ntpdate'
+ action :remove
+ only_if { node['platform_family'] == 'debian' && node['platform_version'].to_i >= 16 }
+ end
+
+ [node['ntp']['varlibdir'], node['ntp']['statsdir']].each do |ntpdir|
+ directory ntpdir do
+ owner node['ntp']['var_owner']
+ group node['ntp']['var_group']
+ mode '0755'
+ end
+ end
+
+ cookbook_file node['ntp']['leapfile'] do
+ owner node['ntp']['conf_owner']
+ group node['ntp']['conf_group']
+ mode '0644'
+ source 'ntp.leapseconds'
+ notifies :restart, "service[#{node['ntp']['service']}]"
+ end
+
+ include_recipe 'ntp::apparmor' if node['ntp']['apparmor_enabled']
+end
+
+if node['ntp']['servers'].empty?
+ node.default['ntp']['servers'] = [
+ '0.pool.ntp.org',
+ '1.pool.ntp.org',
+ '2.pool.ntp.org',
+ '3.pool.ntp.org',
+ ]
+ Chef::Log.debug 'No NTP servers specified, using default ntp.org server pools'
+end
+
+if node['ntp']['listen'].nil? && !node['ntp']['listen_network'].nil?
+ if node['ntp']['listen_network'] == 'primary'
+ node.normal['ntp']['listen'] = node['ipaddress']
+ else
+ require 'ipaddr'
+ net = IPAddr.new(node['ntp']['listen_network'])
+
+ node['network']['interfaces'].each do |_iface, addrs|
+ addrs['addresses'].each do |ip, params|
+ addr = IPAddr.new(ip) if params['family'].eql?('inet') || params['family'].eql?('inet6')
+ node.normal['ntp']['listen'] = addr if net.include?(addr)
+ end
+ end
+ end
+end
+
+node.default['ntp']['tinker']['panic'] = 0 if node['virtualization'] &&
+ node['virtualization']['role'] == 'guest' &&
+ node['ntp']['disable_tinker_panic_on_virtualization_guest']
+
+template node['ntp']['conffile'] do
+ source 'ntp.conf.erb'
+ owner node['ntp']['conf_owner']
+ group node['ntp']['conf_group']
+ mode '0644'
+ notifies :restart, "service[#{node['ntp']['service']}]" unless node['ntp']['conf_restart_immediate']
+ notifies :restart, "service[#{node['ntp']['service']}]", :immediately if node['ntp']['conf_restart_immediate']
+ variables(
+ lazy { { ntpd_supports_native_leapfiles: ntpd_supports_native_leapfiles } }
+ )
+end
+
+if node['ntp']['sync_clock'] && !platform_family?('windows')
+ execute "Stop #{node['ntp']['service']} in preparation for ntpdate" do
+ command node['platform_family'] == 'freebsd' ? '/usr/bin/true' : '/bin/true'
+ action :run
+ notifies :stop, "service[#{node['ntp']['service']}]", :immediately
+ end
+
+ execute 'Force sync system clock with ntp server' do
+ command node['platform_family'] == 'freebsd' ? 'ntpd -q' : "ntpd -q -u #{node['ntp']['var_owner']}"
+ action :run
+ notifies :start, "service[#{node['ntp']['service']}]"
+ end
+end
+
+execute 'Force sync hardware clock with system clock' do
+ command 'hwclock --systohc'
+ action :run
+ only_if { node['ntp']['sync_hw_clock'] && !(platform_family?('windows') || platform_family?('freebsd')) }
+end
+
+service node['ntp']['service'] do
+ supports status: true, restart: true
+ action [:enable, :start]
+ timeout 120 if platform_family?('windows')
+ retries 3
+ retry_delay 5
+end
diff --git a/cookbooks/ntp/recipes/mac_os_x_client.rb b/cookbooks/ntp/recipes/mac_os_x_client.rb
new file mode 100644
index 0000000..a08dc05
--- /dev/null
+++ b/cookbooks/ntp/recipes/mac_os_x_client.rb
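Review bot: The two `node.normal['ntp']['listen'] = …` assignments in the `listen_network` branch write to the normal attribute level, which in server mode is saved with the node object at the end of the run; on every later run `node['ntp']['listen'].nil?` is false and the whole block is skipped, so a changed `listen_network` or a changed interface address is never reflected in the bind address written to `node['ntp']['conffile']`. Computing the address into a local and handing it to the template's `variables` (or assigning at `node.default`) keeps this per-run, which matters for a setting that decides which interfaces the daemon listens on. A comment on the `if node['ntp']['listen'].nil?` line saying that the value is persisted by design would at least make the current behaviour explicit. Separately, `::Chef::Resource.send(:include, Opscode::Ntp::Helper)` mixes the helper into every resource class; it is only consumed by the `lazy { … ntpd_supports_native_leapfiles … }` block of the template, so including it on `Chef::Resource::Template` alone would narrow the footprint.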
@@ -0,0 +1,32 @@
+#
+# Cookbook:: ntp
+# Recipe:: mac_os_x_client
+# Author:: Antek S. Baranski ()
+#
+# Copyright:: 2016-2017, Roblox, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Do not continue if trying to run the Mac OS X recipe on non-OS X platform
+return 'The ntp::mac_os_x_client recipe only supports Mac OS X' unless platform_family?('mac_os_x')
+
+# Mac OS X 10.11+ does not allow for many NTP settings
+execute 'systemsetup -setnetworktimeserver' do
+ command "systemsetup -setnetworktimeserver #{node['ntp']['servers'][0]}"
+ not_if "systemsetup -getnetworktimeserver | grep -F #{node['ntp']['servers'][0]}"
+end
+
+execute 'systemsetup -setusingnetworktime' do
+ command 'systemsetup -setusingnetworktime on'
+ not_if 'systemsetup -getusingnetworktime | grep On'
+end
diff --git a/cookbooks/ntp/recipes/windows_client.rb b/cookbooks/ntp/recipes/windows_client.rb
new file mode 100644
index 0000000..98a7213
--- /dev/null
+++ b/cookbooks/ntp/recipes/windows_client.rb
@@ -0,0 +1,45 @@
+#
+# Cookbook:: ntp
+# Recipe:: windows_client
+# Author:: Tim Smith ()
+#
+# Copyright:: 2012-2017, Webtrends, Inc
+# Copyright:: 2013-2017, Limelight Networks, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Do not continue if trying to run the Windows recipe on non-Windows platform
+return 'The ntp::windows_client recipe only supports Windows' unless platform_family?('windows')
+
+directory 'C:/NTP/etc' do
+ inherits true
+ action :create
+ recursive true
+end
+
+cookbook_file 'C:/NTP/ntp.ini' do
+ source 'ntp.ini'
+ inherits true
+ action :create
+end
+
+unless File.exist?('C:/NTP/bin/ntpd.exe')
+ remote_file "#{Chef::Config[:file_cache_path]}/ntpd.exe" do
+ source node['ntp']['package_url']
+ end
+
+ execute 'ntpd_install' do
+ command "#{Chef::Config[:file_cache_path]}\\ntpd.exe /USEFILE=C:\\NTP\\ntp.ini"
+ returns [0, 2]
+ end
+end
diff --git a/cookbooks/ntp/templates/default/ntp.conf.erb b/cookbooks/ntp/templates/default/ntp.conf.erb
new file mode 100644
index 0000000..23b6d2b
--- /dev/null
+++ b/cookbooks/ntp/templates/default/ntp.conf.erb
@@ -0,0 +1,102 @@
+# Auto-generated by Chef.
+# Local modifications will be overwritten.
+#
+<%# Windows OHAI does not support determining if a host is a guest %>
+<% unless node['platform'] == 'windows' -%>
+<%-%>tinker <%= node['ntp']['tinker'].flatten.join(' ') %>
+<%-%>statsdir <%= node['ntp']['statsdir'] %>
+<% if @ntpd_supports_native_leapfiles -%>
+<%-%>leapfile <%= node['ntp']['leapfile'] %>
+<% end -%>
+<% end -%>
+driftfile <%= node['ntp']['driftfile'] %>
+<% if node['ntp']['logfile'] -%>
+<%-%>logfile <%= node['ntp']['logfile'] %>
+<% end -%>
+
+<%# Enable logs only if statistics option is defined %>
+<% if node['ntp']['statistics'] -%>
+<%-%>statistics loopstats peerstats clockstats
+<%-%>filegen loopstats file loopstats type day enable
+<%-%>filegen peerstats file peerstats type day enable
+<%-%>filegen clockstats file clockstats type day enable
+<% end -%>
+
+<%# If the ignore attribute is set on the node, then apply it %>
+<% unless node['ntp']['ignore'].nil? -%>
+<% Array(node['ntp']['ignore']).each do |ignore| -%>
+interface ignore <%= ignore %>
+<% end -%>
+<% end -%>
+
+<%# If the listen attribute is set on the node, then apply it %>
+<% unless node['ntp']['listen'].nil? -%>
+<% Array(node['ntp']['listen']).each do |listen| -%>
+interface listen <%= listen %>
+<% end -%>
+<%# The service must always listen on localhost %>
+<% unless Array(node['ntp']['listen']).include? '127.0.0.1' -%>
+interface listen 127.0.0.1
+<% end -%>
+<% end -%>
+
+<% if node['ntp']['monitor'] -%>
+enable monitor
+<% else -%>
+disable monitor
+<% end -%>
+
+<%# If ntp.peers is not empty %>
+<% unless node['ntp']['peers'].empty? -%>
+<% node['ntp']['peers'].sort.each do |ntppeer| -%>
+<%# Don't peer with ourself %>
+<% if node['ipaddress'] != ntppeer && node['fqdn'] != ntppeer -%>
+<% -%>peer <%= ntppeer %><% if key = node['ntp']['peer']['key'] -%> key <%= key %><% end -%><% if node['ntp']['peer']['use_iburst'] -%> iburst<% end -%><% if node['ntp']['peer']['use_burst'] -%> burst<% end -%> minpoll <%= node['ntp']['peer']['minpoll'] %> maxpoll <%= node['ntp']['peer']['maxpoll'] %>
+<% -%>restrict <%= ntppeer %> nomodify
+<% end -%>
+<% end -%>
+<% end -%>
+
+<%# Whether this is a client or server, we want upstream servers. %>
+<%# We should guard the servers array against deep merge. %>
+<%# This should keep authoritative local servers from being included twice. %>
+<% ( node['ntp']['servers'] - node['ntp']['peers'] ).sort.each do |ntpserver| -%>
+<%# Loop through defined servers, but don't try to upstream ourself %>
+<% if node['ipaddress'] != ntpserver and node['fqdn'] != ntpserver -%>
+<% -%>server <%= ntpserver %><% if node['ntp']['server']['use_iburst'] -%> iburst<% end -%><% if node['ntp']['server']['use_burst'] -%> burst<% end -%> minpoll <%= node['ntp']['server']['minpoll'] %> maxpoll <%= node['ntp']['server']['maxpoll'] %><% if node['ntp']['server']['prefer'] == ntpserver -%> prefer<% end -%>
+<% -%>restrict <%= ntpserver %> nomodify notrap noquery
+<% end -%>
+<% end -%>
+
+restrict default <%= node['ntp']['restrict_default'] %>
+restrict 127.0.0.1<%if node['ntp']['localhost']['noquery'] -%> noquery<% end -%>
+restrict -6 default <%= node['ntp']['restrict_default'] %>
+restrict -6 ::1<%if node['ntp']['localhost']['noquery'] -%> noquery<% end -%>
+
+<%# If this is a server with additional LAN restriction lines, put them here %>
+<% unless node['ntp']['restrictions'].empty? -%>
+<% node['ntp']['restrictions'].each do |restriction| -%>
+<% -%>restrict <%= restriction %>
+<% end -%>
+<% end -%>
+
+<%# It is best practice to use a high stratum undisciplined clock, if you have a real CMOS clock %>
+<%# Except cases where you have a low stratum server, or a virtualized system without a real CMOS clock %>
+<% if node['ntp']['use_cmos'] -%>
+<% -%>server 127.127.1.0 # local clock
+<% -%>fudge 127.127.1.0 stratum 10
+<% end -%>
+
+<% if node['ntp']['orphan']['enabled'] -%>
+tos orphan <%= node['ntp']['orphan']['stratum'] %>
+<% end -%>
+
+<% if node['ntp']['keys'] -%>
+keys <%= node['ntp']['keys'] %>
+<% end -%>
+<% if node['ntp']['trustedkey'] -%>
+trustedkey <%= node['ntp']['trustedkey'] %>
+<% end -%>
+<% if node['ntp']['requestkey'] -%>
+requestkey <%= node['ntp']['requestkey'] %>
+<% end -%>