From a8ee800f1b2122d45dbe05c7822f3eb25bd3a648 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Kuba?= Date: Wed, 7 Feb 2024 20:48:44 +0100 Subject: [PATCH 1/2] use RHEL conf for chrony MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Tomáš Kuba --- templates/chrony.conf.j2 | 107 ++++++++++----------------------------- 1 file changed, 27 insertions(+), 80 deletions(-) diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2 index e0c31130..6f316785 100644 --- a/templates/chrony.conf.j2 +++ b/templates/chrony.conf.j2 
@@ -1,95 +1,42 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! - -# This the default chrony.conf file for the Debian chrony package. After -# editing this file use the command 'invoke-rc.d chrony restart' to make -# your changes take effect. John Hasler 1998-2008 - -# See www.pool.ntp.org for an explanation of these servers. Please -# consider joining the project if possible. If you can't or don't want to -# use these servers I suggest that you try your ISP's nameservers. We mark -# the servers 'offline' so that chronyd won't try to connect when the link -# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc -# commands to switch it on when a dialup link comes up and off when it goes -# down. Code in /etc/init.d/chrony attempts to determine whether or not -# the link is up at boot time and set the online status accordingly. If -# you have an always-on connection such as cable omit the 'offline' -# directive and chronyd will default to online. -# -# Note that if Chrony tries to go "online" and dns lookup of the servers -# fails they will be discarded. Thus under some circumstances it is -# better to use IP numbers than host names. +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +# Use public servers from the pool.ntp.org project. +# Please consider joining the pool (http://www.pool.ntp.org/join.html). {% for server in rhel8cis_time_synchronization_servers -%} server {{ server }} {{ rhel8cis_chrony_server_options }} {% endfor %} -# Look here for the admin password needed for chronyc. The initial -# password is generated by a random process at install time. You may -# change it if you wish. - -keyfile /etc/chrony/chrony.keys - -# Set runtime command key. Note that if you change the key (not the -# password) to anything other than 1 you will need to edit -# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony -# and /etc/cron.weekly/chrony as these scripts use it to get the password. 
- -commandkey 1 - -# I moved the driftfile to /var/lib/chrony to comply with the Debian -# filesystem standard. - -driftfile /var/lib/chrony/chrony.drift - -# Comment this line out to turn off logging. - -log tracking measurements statistics -logdir /var/log/chrony - -# Stop bad estimates upsetting machine clock. - -maxupdateskew 100.0 - -# Dump measurements when daemon exits. - -dumponexit +# Record the rate at which the system clock gains/losses time. +driftfile /var/lib/chrony/drift -# Specify directory for dumping measurements. +# Allow the system clock to be stepped in the first three updates +# if its offset is larger than 1 second. +makestep 1.0 3 -dumpdir /var/lib/chrony +# Enable kernel synchronization of the real-time clock (RTC). +rtcsync -# Let computer be a server when it is unsynchronised. +# Enable hardware timestamping on all interfaces that support it. +#hwtimestamp * -local stratum 10 +# Increase the minimum number of selectable sources required to adjust +# the system clock. +#minsources 2 -# Allow computers on the unrouted nets to use the server. +# Allow NTP client access from local network. +#allow 192.168.0.0/16 -#allow 10/8 -#allow 192.168/16 -#allow 172.16/12 +# Serve time even if not synchronized to a time source. +#local stratum 10 -# This directive forces `chronyd' to send a message to syslog if it -# makes a system clock adjustment larger than a threshold value in seconds. +# Specify file containing keys for NTP authentication. +keyfile /etc/chrony.keys -logchange 0.5 +# Get TAI-UTC offset and leap seconds from the system tz database. +leapsectz right/UTC -# This directive defines an email address to which mail should be sent -# if chronyd applies a correction exceeding a particular threshold to the -# system clock. - -# mailonchange root@localhost 0.5 - -# This directive tells chrony to regulate the real-time clock and tells it -# Where to store related data. 
It may not work on some newer motherboards -# that use the HPET real-time clock. It requires enhanced real-time -# support in the kernel. I've commented it out because with certain -# combinations of motherboard and kernel it is reported to cause lockups. - -# rtcfile /var/lib/chrony/chrony.rtc +# Specify directory for log files. +logdir /var/log/chrony -# If the last line of this file reads 'rtconutc' chrony will assume that -# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent -# chrony will assume local time. The line (if any) was written by the -# chrony postinst based on what it found in /etc/default/rcS. You may -# change it if necessary. -rtconutc +# Select which information is logged. +#log measurements statistics tracking From 05231b3116ecdfda8f802b38f4c4d73b579af4f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Kuba?= Date: Thu, 15 Feb 2024 20:03:45 +0100 Subject: [PATCH 2/2] use ansible_managed variable in chrony.conf MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Tomáš Kuba --- templates/chrony.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2 index 6f316785..12581798 100644 --- a/templates/chrony.conf.j2 +++ b/templates/chrony.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +{{ ansible_managed | comment }} # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html).
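Review bot: The new file turns chrony logging off: the old config had `log tracking measurements statistics` active, while the new one ends with the commented `#log measurements statistics tracking`, so the tracking and measurement history previously written under /var/log/chrony stops being recorded and the retained `logdir /var/log/chrony` line has nothing to log. The hunk also drops `logchange 0.5` without a replacement, which reported clock adjustments above 0.5 s to syslog (chrony's default threshold is 1 s), and `maxupdateskew 100.0`; both were useful signals for spotting time-shift events on a hardened host. If the loss of that audit trail is not intended, re-enable it with `log measurements statistics tracking` or drive the `log` and `logchange` directives from role variables so hosts that need the history can keep it. The `server` loop renders nothing when `rhel8cis_time_synchronization_servers` is empty, leaving chronyd with no sources; that is presumably asserted elsewhere in the role, but worth confirming.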
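Review bot: `{{ ansible_managed | comment }}` is only idempotent when the controller's `ansible_managed` string carries no timestamp; if ansible.cfg uses a form like `Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}`, the header differs on every run, the template task reports changed each time and any handler that restarts chronyd fires on every play, which also makes drift detection on /etc/chrony.conf meaningless. Worth documenting in the role's README or defaults that a timestamp-free `ansible_managed` is expected, or stating the header text in the role itself rather than relying on the controller's configuration.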