scl/kubespray
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add-managed-ntp-support (#9027)

Browse Source
This commit is contained in:
Kay Yan
2022-06-29 04:15:34 +08:00
committed by GitHub
parent d0a2ba37e8
commit 4b03f6c20f
11 changed files with 246 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -111,6 +111,7 @@ vagrant up
- [Adding/replacing a node](docs/nodes.md) - [Adding/replacing a node](docs/nodes.md)
- [Upgrades basics](docs/upgrades.md) - [Upgrades basics](docs/upgrades.md)
- [Air-Gap installation](docs/offline-environment.md) - [Air-Gap installation](docs/offline-environment.md)
- [NTP](docs/ntp.md)
- [Hardening](docs/hardening.md) - [Hardening](docs/hardening.md)
- [Roadmap](docs/roadmap.md) - [Roadmap](docs/roadmap.md)

1
docs/_sidebar.md
View File

@ -50,6 +50,7 @@
* [DNS Stack](docs/dns-stack.md) * [DNS Stack](docs/dns-stack.md)
* [Kubernetes reliability](docs/kubernetes-reliability.md) * [Kubernetes reliability](docs/kubernetes-reliability.md)
* [Local Registry](docs/kubernetes-apps/registry.md) * [Local Registry](docs/kubernetes-apps/registry.md)
* [NTP](docs/ntp.md)
* External Storage Provisioners * External Storage Provisioners
* [RBD Provisioner](docs/kubernetes-apps/rbd_provisioner.md) * [RBD Provisioner](docs/kubernetes-apps/rbd_provisioner.md)
* [CEPHFS Provisioner](docs/kubernetes-apps/cephfs_provisioner.md) * [CEPHFS Provisioner](docs/kubernetes-apps/cephfs_provisioner.md)

41
docs/ntp.md Normal file
View File

@ -0,0 +1,41 @@
# NTP synchronization
The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems. Time synchronization is important to Kubernetes and Etcd.
## Enable the NTP
To start the ntpd(or chrony) service and enable it at system boot. There are related specific variables:
```ShellSession
ntp_enabled: true
```
The NTP service would be enabled and sync time automatically.
## Custimize the NTP configure file
In the Air-Gap environment, the node cannot access the NTP server by internet. So the node can use the customized ntp server by configuring ntp file.
```ShellSession
ntp_enabled: true
ntp_manage_config: true
ntp_servers:
- "0.your-ntp-server.org iburst"
- "1.your-ntp-server.org iburst"
- "2.your-ntp-server.org iburst"
- "3.your-ntp-server.org iburst"
```
## Advanced Configure
Enable `tinker panic` is useful when running NTP in a VM environment to avoiding clock drift on VMs. It only takes effect when ntp_manage_config is true.
```ShellSession
ntp_tinker_panic: true
```
Force sync time immediately by NTP after the ntp installed, which is useful in newly installed system.
```ShellSession
ntp_force_sync_immediately: true
```

10
inventory/sample/group_vars/all/all.yml
View File

@ -120,3 +120,13 @@ kube_webhook_token_auth_url_skip_tls_verify: false
# kube_webhook_token_auth_url: https://... # kube_webhook_token_auth_url: https://...
## base64-encoded string of the webhook's CA certificate ## base64-encoded string of the webhook's CA certificate
# kube_webhook_token_auth_ca_data: "LS0t..." # kube_webhook_token_auth_ca_data: "LS0t..."
## NTP Settings
# Start the ntpd or chrony service and enable it at system boot.
ntp_enabled: false
ntp_manage_config: false
ntp_servers:
- "0.pool.ntp.org iburst"
- "1.pool.ntp.org iburst"
- "2.pool.ntp.org iburst"
- "3.pool.ntp.org iburst"

37
roles/kubernetes/preinstall/defaults/main.yml
View File

@ -62,3 +62,40 @@ pkg_install_retries: 4
# Check if access_ip responds to ping. Set false if your firewall blocks ICMP. # Check if access_ip responds to ping. Set false if your firewall blocks ICMP.
ping_access_ip: true ping_access_ip: true
## NTP Settings
# Start the ntpd or chrony service and enable it at system boot.
ntp_enabled: false
# The package to install which provides NTP functionality.
# The default is ntp for most platforms, or chrony on RHEL/CentOS 7 and later.
# The ntp_package can be one of ['ntp','chrony']
ntp_package: >-
{% if ansible_os_family == "RedHat" -%}
chrony
{%- else -%}
ntp
{%- endif -%}
# Manage the NTP configuration file.
ntp_manage_config: false
# Specify the NTP servers
# Only takes effect when ntp_manage_config is true.
ntp_servers:
- "0.pool.ntp.org iburst"
- "1.pool.ntp.org iburst"
- "2.pool.ntp.org iburst"
- "3.pool.ntp.org iburst"
# Restrict NTP access to these hosts.
# Only takes effect when ntp_manage_config is true.
ntp_restrict:
- "127.0.0.1"
- "::1"
# The NTP driftfile path
# Only takes effect when ntp_manage_config is true.
ntp_driftfile: /var/lib/ntp/ntp.drift
# Enable tinker panic is useful when running NTP in a VM environment.
# Only takes effect when ntp_manage_config is true.
ntp_tinker_panic: false
# Force sync time immediately after the ntp installed, which is useful in in newly installed system.
ntp_force_sync_immediately: false

6
roles/kubernetes/preinstall/handlers/main.yml
View File

@ -120,3 +120,9 @@
service: service:
name: systemd-resolved name: systemd-resolved
state: restarted state: restarted
- name: Preinstall | restart ntp
service:
name: "{{ ntp_service_name }}"
state: restarted
when: ntp_enabled

65
roles/kubernetes/preinstall/tasks/0081-ntp-configurations.yml Normal file
View File

@ -0,0 +1,65 @@
---
- name: Ensure NTP package
package:
name:
- "{{ ntp_package }}"
state: present
- name: Disable systemd-timesyncd
service:
name: systemd-timesyncd.service
enabled: false
state: stopped
failed_when: false
- name: Set fact NTP settings
set_fact:
ntp_config_file: >-
{% if ntp_package == "ntp" -%}
/etc/ntp.conf
{%- elif ansible_os_family in ['RedHat', 'Suse'] -%}
/etc/chrony.conf
{%- else -%}
/etc/chrony/chrony.conf
{%- endif -%}
ntp_service_name: >-
{% if ntp_package == "chrony" -%}
chronyd
{%- elif ansible_os_family == 'RedHat' -%}
ntpd
{%- else -%}
ntp
{%- endif %}
- name: Generate NTP configuration file.
template:
src: "{{ ntp_config_file | basename }}.j2"
dest: "{{ ntp_config_file }}"
mode: 0644
notify: Preinstall | restart ntp
when:
- ntp_manage_config
- name: Stop the NTP Deamon For Sync Immediately # `ntpd -gq`,`chronyd -q` requires the ntp daemon stop
service:
name: "{{ ntp_service_name }}"
state: stopped
when:
- ntp_force_sync_immediately
- name: Force Sync NTP Immediately
command: >-
timeout -k 60s 60s
{% if ntp_package == "ntp" -%}
ntpd -gq
{%- else -%}
chronyd -q
{%- endif -%}
when:
- ntp_force_sync_immediately
- name: Ensure NTP service is started and enabled
service:
name: "{{ ntp_service_name }}"
state: started
enabled: true

7
roles/kubernetes/preinstall/tasks/main.yml
View File

@ -66,6 +66,13 @@
tags: tags:
- bootstrap-os - bootstrap-os
- import_tasks: 0081-ntp-configurations.yml
when:
- not dns_late
- ntp_enabled
tags:
- bootstrap-os
- import_tasks: 0090-etchosts.yml - import_tasks: 0090-etchosts.yml
when: when:
- not dns_late - not dns_late

27
roles/kubernetes/preinstall/templates/chrony.conf.j2 Normal file
View File

@ -0,0 +1,27 @@
# {{ ansible_managed }}
# Specify one or more NTP servers.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
{% for server in ntp_servers %}
server {{ server }}
{% endfor %}
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
{% if ntp_tinker_panic is sameas true %}
# Force time sync if the drift exceeds the threshold specified
# Usefull for VMs that can be paused and much later resumed.
makestep 1.0 -1
{% else %}
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
{% endif %}
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Specify directory for log files.
logdir /var/log/chrony

45
roles/kubernetes/preinstall/templates/ntp.conf.j2 Normal file
View File

@ -0,0 +1,45 @@
# {{ ansible_managed }}
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile {{ ntp_driftfile }}
{% if ntp_tinker_panic is sameas true %}
# Always reset the clock, even if the new time is more than 1000s away
# from the current system time. Usefull for VMs that can be paused
# and much later resumed.
tinker panic 0
{% endif %}
# Specify one or more NTP servers.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
{% for item in ntp_servers %}
pool {{ item }}
{% endfor %}
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
{% for item in ntp_restrict %}
restrict {{ item }}
{% endfor %}
# Needed for adding pool entries
restrict source notrap nomodify noquery
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

6
tests/files/packet_almalinux8-calico.yml
View File

@ -9,3 +9,9 @@ metrics_server_enabled: true
dashboard_namespace: "kube-dashboard" dashboard_namespace: "kube-dashboard"
dashboard_enabled: true dashboard_enabled: true
loadbalancer_apiserver_type: haproxy loadbalancer_apiserver_type: haproxy
# NTP mangement
ntp_enabled: true
ntp_manage_config: true
ntp_tinker_panic: true
ntp_force_sync_immediately: true