Puppet Class: ntpd

Defined in:
manifests/init.pp

Summary

Set up ntpd in either standalone or server mode

Overview

Parameters:

  • ntpd_options (String[1]) (defaults to: '-g')

    Options for the ntp daemon, put into `/etc/sysconfig/ntpd`

  • servers (Ntpd::Servers) (defaults to: simplib::lookup('simp_options::ntp::servers', { 'default_value' => simplib::lookup('simp_options::ntpd::servers', { 'default_value' => {} }) }))

    An array of servers or a Hash of server/option pairs providing details for the NTP servers that this system should synchronize with

    • Example

      ```
      servers => {
        'time.local.net' => ['iburst','minpoll 4', 'prefer'],
        # This one will just use $default_options
        'time.other.net' => []
      }
      ```

  • stratum (Integer[0]) (defaults to: 2)

    The stratum for this system

    • This only comes into play if no external servers are defined and the stratum has to be fudged

  • logconfig (Array[String[1]]) (defaults to: ['=syncall','+clockall'])

    A list of options for refining the system log output

  • broadcastdelay (Numeric) (defaults to: 0.004)

    Default calibration delay

  • default_options (Array[String[1]]) (defaults to: ['minpoll 4','maxpoll 4','iburst'])

    The default options that will be added to all servers

    • Set to an empty array to disable

  • default_restrict (Array[Ntpd::Restrict]) (defaults to: ['kod', 'nomodify', 'notrap', 'nopeer', 'noquery'])

    The default IPv4 `restrict` options

  • default_restrict6 (Array[Ntpd::Restrict]) (defaults to: $default_restrict)

    The default IPv6 `restrict` options

  • admin_hosts (Array[Simplib::IP::V4]) (defaults to: ['127.0.0.1'])

    Hosts that are allowed unrestricted access via IPv4

  • admin_hosts6 (Array[Simplib::IP::V6]) (defaults to: ['::1'])

    Hosts that are allowed unrestricted access via IPv6

  • discard (Optional[Ntpd::Discard]) (defaults to: undef)

    An optional Hash that can be used to set the average, minimum and monitor options for `discard`

  • disable_monitor (Boolean) (defaults to: true)

    Disable the monitoring facility to prevent amplification attacks using the `ntpdc monlist` command when the default restrict set does not include the `noquery` flag

    • See CVE-2013-5211 for details

  • manage_ntpdate (Boolean) (defaults to: true)

    Manage ntpdate settings

  • trusted_nets (Optional[Simplib::Netlist]) (defaults to: undef)

    Setting this to an Array of networks/hostnames that you trust for communication will enable a default `ntpd::allow` entry so that remote systems can query this system for time.

  • default_restrict_rules (Optional[Array[Ntpd::Restrict]]) (defaults to: undef)

    Set to an Array of `restrict` rules of your choosing

    • Has no effect if `$trusted_nets` is not set

  • firewall (Boolean) (defaults to: simplib::lookup('simp_options::firewall', { 'default_value' => false}))

    Enable management of the firewall in relation to inbound communication

    • Has no effect if `$trusted_nets` is not set

  • ntpdate_servers (Ntpd::Servers) (defaults to: $servers)

    NTP servers that are used in the ntpdate script at startup

  • ntpdate_sync_hwclock (Boolean) (defaults to: true)

    Set to `true` to sync the hardware clock after a successful ntpdate. Set in `/etc/sysconfig/ntpdate`

  • ntpdate_retry (Integer[0]) (defaults to: 2)

    Number of retries before giving up. Set in `/etc/sysconfig/ntpdate`

  • ntpdate_options (String[1]) (defaults to: '-p 2')

    Options for ntpdate. Set in `/etc/sysconfig/ntpdate`

  • use_local_clock (Boolean) (defaults to: true)

    Set the server and fudge list to the local clock in ntp.conf

  • auditd (Boolean) (defaults to: simplib::lookup('simp_options::auditd', { 'default_value' => false}))

    Enable auditd monitoring of the ntp configuration files

    • This probably isn’t needed in most cases since Puppet controls these files, but some systems require it

  • package_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    `ensure` parameter for the `ntp` package

  • extra_content (Optional[String[1]]) (defaults to: undef)

    An unvalidated String that will be appended to the configuration file

  • config_content (Optional[String[1]]) (defaults to: undef)

    The entire content of the configuration file. ALL OTHER ntpd CONFIGURATION OPTIONS WILL BE IGNORED.

    • NOTE: Calls to `ntpd::allow` will still add `restrict` lines to the configuration.
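Two worked declarations of this class, added here as an example and not taken from the simp/ntpd module's own documentation. The `profile::*` class names, hostnames and networks are placeholders; only one of the two profiles would be included on a given node, since `ntpd` can be declared once per catalog. The first profile is the standalone (client) mode the summary mentions, the second is server mode: `trusted_nets` switches on the default `ntpd::allow` entry, and the `restrict` parameters keep the query surface that CVE-2013-5211 relied on closed.

```puppet
# Standalone mode: synchronize from upstream servers, answer nobody.
# Placeholder hostnames; not part of the simp/ntpd module.
class profile::time_client {
  class { 'ntpd':
    # Hash form of Ntpd::Servers. Per-server options are listed explicitly;
    # an empty Array means "use $default_options" (minpoll 4, maxpoll 4, iburst).
    servers => {
      'time1.example.internal' => ['iburst', 'minpoll 4', 'prefer'],
      'time2.example.internal' => [],
    },
    # No trusted_nets: no ntpd::allow entry is created, so the only restrict
    # lines are the defaults plus the admin_hosts entries (127.0.0.1 / ::1).
    trusted_nets    => undef,
    # The defaults already carry noquery; disable_monitor is kept on as a
    # second layer in case a later override removes it.
    disable_monitor => true,
    # Keep the local clock entry so the daemon keeps serving time to itself
    # if every upstream becomes unreachable.
    use_local_clock => true,
  }
}

# Server mode: the same class, but remote systems on the listed networks may
# query this host for time. Placeholder networks; not part of the module.
class profile::time_server {
  class { 'ntpd':
    servers => {
      'time1.example.internal' => ['iburst', 'minpoll 4', 'prefer'],
      'time2.example.internal' => [],
    },
    # Conservative baseline for everyone not covered by a more specific rule.
    default_restrict       => ['kod', 'nomodify', 'notrap', 'nopeer', 'noquery'],
    default_restrict6      => ['kod', 'nomodify', 'notrap', 'nopeer', 'noquery'],
    disable_monitor        => true,
    # Only these networks get the default ntpd::allow entry.
    trusted_nets           => ['10.0.0.0/8', '192.168.10.0/24'],
    # Rules applied to trusted_nets by that entry: they may query time but
    # still cannot modify the daemon, peer with it or set traps. noquery is
    # deliberately omitted here, otherwise they could not ask for time.
    default_restrict_rules => ['kod', 'nomodify', 'notrap', 'nopeer'],
    # Open the inbound firewall for trusted_nets as well (no effect without
    # trusted_nets, per the parameter documentation).
    firewall               => true,
    # Stratum advertised only if no external server can be used.
    stratum                => 2,
    # Record writes/attribute changes to /etc/ntp.conf and /etc/ntp/keys.
    auditd                 => true,
  }
}
```

Both profiles rely on the class's own file resources for ownership and mode of `/etc/ntp.conf` and `/etc/ntp/keys`; the only things a site normally varies are the server list, the trusted networks and whether the firewall and auditd integrations are enabled.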

See Also:

  • ntp
  • ntp.conf(5)

Author:



# File 'manifests/init.pp', line 116

class ntpd (
  String[1]                       $ntpd_options           = '-g',
  Ntpd::Servers                   $servers                = simplib::lookup('simp_options::ntp::servers', { 'default_value' => simplib::lookup('simp_options::ntpd::servers', { 'default_value' => {} }) }),
  Integer[0]                      $stratum                = 2,
  Array[String[1]]                $logconfig              = ['=syncall','+clockall'],
  Numeric                         $broadcastdelay         = 0.004,
  Array[String[1]]                $default_options        = ['minpoll 4','maxpoll 4','iburst'],
  Array[Ntpd::Restrict]           $default_restrict       = ['kod', 'nomodify', 'notrap', 'nopeer', 'noquery'],
  Array[Ntpd::Restrict]           $default_restrict6      = $default_restrict,
  Array[Simplib::IP::V4]          $admin_hosts            = ['127.0.0.1'],
  Array[Simplib::IP::V6]          $admin_hosts6           = ['::1'],
  Optional[Ntpd::Discard]         $discard                = undef,
  Boolean                         $disable_monitor        = true,
  Boolean                         $manage_ntpdate         = true,
  Optional[Simplib::Netlist]      $trusted_nets           = undef,
  Optional[Array[Ntpd::Restrict]] $default_restrict_rules = undef,
  Boolean                         $firewall               = simplib::lookup('simp_options::firewall', { 'default_value' => false}),
  Ntpd::Servers                   $ntpdate_servers        = $servers,
  Boolean                         $ntpdate_sync_hwclock   = true,
  Integer[0]                      $ntpdate_retry          = 2,
  String[1]                       $ntpdate_options        = '-p 2',
  Boolean                         $use_local_clock        = true,
  Boolean                         $auditd                 = simplib::lookup('simp_options::auditd', { 'default_value' => false}),
  String                          $package_ensure         = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
  Optional[String[1]]             $extra_content          = undef,
  Optional[String[1]]             $config_content         = undef
) {

  simplib::module_metadata::assert($module_name)

  if $manage_ntpdate {
    include 'ntpd::ntpdate'
  }

  concat { '/etc/ntp.conf':
    owner          => 'root',
    group          => 'ntp',
    mode           => '0600',
    ensure_newline => true,
    warn           => true,
    require        => Package['ntp'],
    notify         => Service['ntpd']
  }

  concat::fragment { 'main_ntp_configuration':
    target  => '/etc/ntp.conf',
    content => template("${module_name}/ntp.conf.erb"),
    order   => 0,
  }

  file { '/etc/ntp':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
    notify => Service['ntpd']
  }

  file { '/etc/ntp/keys':
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "\n",
    notify  => Service['ntpd']
  }

  file { '/var/lib/ntp':
    ensure => 'directory',
    owner  => 'ntp',
    group  => 'ntp',
    mode   => '0750',
    notify => Service['ntpd']
  }

  file { '/etc/sysconfig/ntpd':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => "OPTIONS=\"${ntpd_options}\"\n",
    notify  => Service['ntpd']
  }

  group { 'ntp':
    ensure    => 'present',
    allowdupe => false,
    gid       => 38,
    before    => Service['ntpd']
  }

  user { 'ntp':
    ensure     => 'present',
    allowdupe  => false,
    gid        => 'ntp',
    home       => '/etc/ntp',
    membership => 'inclusive',
    shell      => '/sbin/nologin',
    uid        => 38,
    before     => Service['ntpd']
  }

  package { 'ntp':
    ensure => $package_ensure,
    before => User['ntp']
  }

  service { 'ntpd':
    ensure     => running,
    enable     => true,
    hasrestart => true,
    hasstatus  => true,
    require    => Package['ntp']
  }

  if $trusted_nets {
    ntpd::allow { "simp_default_${module_name}_allow":
      rules        => $default_restrict_rules,
      trusted_nets => $trusted_nets,
      firewall     => $firewall
    }
  }

  if $auditd {
    simplib::assert_optional_dependency($module_name, 'simp/auditd')

    include 'auditd'

    $_audit_rule = @(EOF)
      -w /etc/ntp.conf -p wa -k CFG_ntp
      -w /etc/ntp/keys -p wa -k CFG_ntp
      | EOF
    # Add the audit rules
    auditd::rule { 'ntp':
      content => $_audit_rule,
      require => [
        Concat['/etc/ntp.conf'],
        File['/etc/ntp/keys']
      ]
    }
  }
}