From bf7c04d13f3c456c4d7fd29c30e83cfb6d66712a Mon Sep 17 00:00:00 2001 From: "KAVVA, JAGAN MOHAN REDDY (jk330k)" Date: Wed, 10 Feb 2021 16:14:39 -0600 Subject: [PATCH] Add chrony config Chrony is a flexible implementation of the Network Time Protocol (NTP). It is used to synchronize the system clock from different NTP servers. Change-Id: I09486b8cd083074a9f5bfe7023d50ef86a782032 --- .../ephemeral/replacements/networking.yaml | 41 ++++++++++++++++++ manifests/function/ephemeral/secret.yaml | 37 ++++++++++++++++ .../function/k8scontrol/controlplane.yaml | 43 ++++++++++++++++--- .../k8scontrol/replacements/networking.yaml | 36 ++++++++++++++++ .../workers-capm3/kubeadmconfigtemplate.yaml | 36 ++++++++++++++++ .../replacements/networking.yaml | 40 +++++++++++++++++ 6 files changed, 227 insertions(+), 6 deletions(-) diff --git a/manifests/function/ephemeral/replacements/networking.yaml b/manifests/function/ephemeral/replacements/networking.yaml index 13c700ef9..30559b7f4 100644 --- a/manifests/function/ephemeral/replacements/networking.yaml +++ b/manifests/function/ephemeral/replacements/networking.yaml 
@@ -49,3 +49,44 @@ replacements: name: ephemeral-bmc-secret kind: Secret fieldrefs: ["stringData.userData%REPLACEMENT_POD_CIDR%"] +# Replace the k8s controlplane NTP servers +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[0] + target: + objref: + name: ephemeral-bmc-secret + kind: Secret + fieldrefs: ["stringData.userData%REPLACEMENT_NTP_SERVER1%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[1] + target: + objref: + name: ephemeral-bmc-secret + kind: Secret + fieldrefs: ["stringData.userData%REPLACEMENT_NTP_SERVER2%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[2] + target: + objref: + name: ephemeral-bmc-secret + kind: Secret + fieldrefs: ["stringData.userData%REPLACEMENT_NTP_SERVER3%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[3] + target: + objref: + name: ephemeral-bmc-secret + kind: Secret + fieldrefs: ["stringData.userData%REPLACEMENT_NTP_SERVER4%"] diff --git a/manifests/function/ephemeral/secret.yaml b/manifests/function/ephemeral/secret.yaml index 2e6abbcd7..2e71ce448 100644 --- a/manifests/function/ephemeral/secret.yaml +++ b/manifests/function/ephemeral/secret.yaml 
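Review bot: The leading comment `# Replace the k8s controlplane NTP servers` is misleading in this file: the four replacements target `ephemeral-bmc-secret`, i.e. the ephemeral node's user-data, not the control plane; suggest `# Replace the NTP server placeholders in the ephemeral node's chrony.conf`. The entries also hard-code `spec.ntp.servers[0]` through `[3]`, so a catalogue listing fewer than four servers will, depending on how the replacement transformer treats a missing index, either fail the build or leave a literal `REPLACEMENT_NTP_SERVERn` hostname in chrony.conf that chronyd keeps failing to resolve; a comment stating that exactly four catalogue entries are expected would make that contract visible. The same fixed-index pattern is repeated in k8scontrol/replacements/networking.yaml and workers-capm3/replacements/networking.yaml.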
@@ -34,6 +34,43 @@ stringData: - kubeadm init --config /tmp/kubeadm.yaml - mkdir -p /opt/metal3-dev-env/ironic/html/images write_files: + - path: "/etc/chrony/chrony.conf" + permissions: '0644' + owner: root:root + content: | + # This directive specify the location of the file containing ID/key pairs for + # NTP authentication. + keyfile /etc/chrony/chrony.keys + + # This directive specify the file into which chronyd will store the rate + # information. + driftfile /var/lib/chrony/chrony.drift + + # Uncomment the following line to turn logging on. + #log tracking measurements statistics + + # Log files location. + logdir /var/log/chrony + + # Stop bad estimates upsetting machine clock. + maxupdateskew 100.0 + + # This directive enables kernel synchronisation (every 11 minutes) of the + # real-time clock. Note that it can’t be used along with the 'rtcfile' directive. + rtcsync + + # Step the system clock instead of slewing it if the adjustment is larger than + # one second, but only in the first three clock updates. + makestep 1 3 + + server REPLACEMENT_NTP_SERVER1 iburst + server REPLACEMENT_NTP_SERVER2 iburst + server REPLACEMENT_NTP_SERVER3 iburst + server REPLACEMENT_NTP_SERVER4 iburst + + #Enable Chrony to operate as an NTP server for local applications e.g. Prometheus. + allow 127.0.0.0/8 + - path: /etc/systemd/system/docker.service.d/http-proxy.conf permissions: '0644' owner: root:root diff --git a/manifests/function/k8scontrol/controlplane.yaml b/manifests/function/k8scontrol/controlplane.yaml index 705bde3bb..154425f8a 100644 --- a/manifests/function/k8scontrol/controlplane.yaml +++ b/manifests/function/k8scontrol/controlplane.yaml 
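Review bot: The rendered chrony.conf names `keyfile /etc/chrony/chrony.keys`, but nothing in this write_files block provisions that file and none of the `server` lines carry a `key` option, so the directive is dead configuration and all four time sources are used unauthenticated. That is the usual setup for public pools, but the node's certificate and token validity checks depend on this clock, so it is worth stating; suggest replacing the two comment lines above `keyfile` with `# Key file for symmetric NTP authentication; not provisioned by this template, so the servers below are unauthenticated.` Chrony's `nts` server option would be the way to authenticate them if the catalogue sources support it, though whether the image ships chrony 4.0 or later is not visible in this patch. The identical chrony.conf body is written again in controlplane.yaml and workers-capm3/kubeadmconfigtemplate.yaml, so the same note applies there.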
@@ -24,6 +24,40 @@ spec: # any adjustments and settings for docker anymore. However, if for # some reason docker has to be presented in the system, we need to # create http-proxy.conf. + - path: "/etc/chrony/chrony.conf" + content: | + # This directive specify the location of the file containing ID/key pairs for + # NTP authentication. + keyfile /etc/chrony/chrony.keys + + # This directive specify the file into which chronyd will store the rate + # information. + driftfile /var/lib/chrony/chrony.drift + + # Uncomment the following line to turn logging on. + #log tracking measurements statistics + + # Log files location. + logdir /var/log/chrony + + # Stop bad estimates upsetting machine clock. + maxupdateskew 100.0 + + # This directive enables kernel synchronisation (every 11 minutes) of the + # real-time clock. Note that it can’t be used along with the 'rtcfile' directive. + rtcsync + + # Step the system clock instead of slewing it if the adjustment is larger than + # one second, but only in the first three clock updates. + makestep 1 3 + + server REPLACEMENT_NTP_SERVER1 iburst + server REPLACEMENT_NTP_SERVER2 iburst + server REPLACEMENT_NTP_SERVER3 iburst + server REPLACEMENT_NTP_SERVER4 iburst + + #Enable Chrony to operate as an NTP server for local applications e.g. Prometheus. + allow 127.0.0.0/8 # TODO: add download sources to the versions catalogue preKubeadmCommands: # Restart docker to apply any proxy settings @@ -32,6 +66,8 @@ spec: - containerd config default | sed -r -e '/\[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc\]$/a\ SystemdCgroup = true' | tee /etc/containerd/config.toml - systemctl daemon-reload - systemctl restart containerd + - systemctl restart chrony.service + - systemctl is-active --quiet chrony.service && echo "Chrony service was restarted!" initConfiguration: nodeRegistration: name: '{{ ds.meta_data.local_hostname }}' 
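Review bot: The new `files` entry for `/etc/chrony/chrony.conf` sets neither `permissions` nor `owner`, whereas the same file in ephemeral/secret.yaml is written with `permissions: '0644'` and `owner: root:root`; the bootstrap provider presumably defaults to those values, but stating them keeps the three copies consistent and makes the intended mode explicit for a file chronyd reads as root. Suggest adding `permissions: "0644"` and `owner: root:root` under `path` here and in the matching hunk of workers-capm3/kubeadmconfigtemplate.yaml. Keeping one chrony.conf body duplicated verbatim across three manifests also invites drift; a single shared source would be preferable if the catalogue tooling allows it, though that is beyond this change.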
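Review bot: `systemctl is-active --quiet chrony.service && echo "Chrony service was restarted!"` only reports the success case: if chrony failed to come up (for example because the unit is named `chronyd.service` on a non-Debian image) the AND-list silently returns non-zero and the bootstrap proceeds with an unsynchronised clock. Inverting the check so the failure is what gets logged is more useful, e.g. `- systemctl is-active --quiet chrony.service || echo "WARNING: chrony is not running"`, and if a synced clock is meant to be a prerequisite for `kubeadm init`, `chronyc waitsync` before it would actually enforce that, provided the image's chrony supports it. The same pair of lines is added in workers-capm3/kubeadmconfigtemplate.yaml. The enclosing preKubeadmCommands list continues outside the hunk.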
@@ -49,12 +85,7 @@ spec: cgroup-driver: "systemd" container-runtime: remote criSocket: "unix:///run/containerd/containerd.sock" - ntp: - servers: - - 0.pool.ntp.org - - 1.pool.ntp.org - - 2.pool.ntp.org - - 3.pool.ntp.org + users: - name: deployer sshAuthorizedKeys: diff --git a/manifests/function/k8scontrol/replacements/networking.yaml b/manifests/function/k8scontrol/replacements/networking.yaml index 4d9957594..76128410d 100644 --- a/manifests/function/k8scontrol/replacements/networking.yaml +++ b/manifests/function/k8scontrol/replacements/networking.yaml @@ -54,3 +54,39 @@ replacements: objref: kind: KubeadmControlPlane fieldrefs: ["spec.kubeadmConfigSpec.ntp"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[0] + target: + objref: + kind: KubeadmControlPlane + fieldrefs: ["spec.kubeadmConfigSpec.files[*].content%REPLACEMENT_NTP_SERVER1%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[1] + target: + objref: + kind: KubeadmControlPlane + fieldrefs: ["spec.kubeadmConfigSpec.files[*].content%REPLACEMENT_NTP_SERVER2%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[2] + target: + objref: + kind: KubeadmControlPlane + fieldrefs: ["spec.kubeadmConfigSpec.files[*].content%REPLACEMENT_NTP_SERVER3%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[3] + target: + objref: + kind: KubeadmControlPlane + fieldrefs: ["spec.kubeadmConfigSpec.files[*].content%REPLACEMENT_NTP_SERVER4%"] diff --git a/manifests/function/workers-capm3/kubeadmconfigtemplate.yaml b/manifests/function/workers-capm3/kubeadmconfigtemplate.yaml index 5e6b7f878..dea43107f 100644 --- a/manifests/function/workers-capm3/kubeadmconfigtemplate.yaml +++ b/manifests/function/workers-capm3/kubeadmconfigtemplate.yaml 
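Review bot: This hunk removes `ntp.servers` from `spec.kubeadmConfigSpec`, but the existing replacement targeting `spec.kubeadmConfigSpec.ntp` (visible as context in the k8scontrol/replacements/networking.yaml hunk on this same line) is left in place. If that replacement re-creates the `ntp` block, cloud-init's ntp module, which runs later than write_files, will render its own /etc/chrony/chrony.conf and overwrite the file this patch adds; if it instead errors on the missing target, the build fails. Either way the earlier replacement should be dropped in the same change, and the empty `+` line left where the block was removed can go as well. The `spec` mapping continues outside the hunk.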
@@ -26,6 +26,40 @@ spec: # any adjustments and settings for docker anymore. However, if for # some reason docker has to be presented in the system, we need to # create http-proxy.conf. + - path: "/etc/chrony/chrony.conf" + content: | + # This directive specify the location of the file containing ID/key pairs for + # NTP authentication. + keyfile /etc/chrony/chrony.keys + + # This directive specify the file into which chronyd will store the rate + # information. + driftfile /var/lib/chrony/chrony.drift + + # Uncomment the following line to turn logging on. + #log tracking measurements statistics + + # Log files location. + logdir /var/log/chrony + + # Stop bad estimates upsetting machine clock. + maxupdateskew 100.0 + + # This directive enables kernel synchronisation (every 11 minutes) of the + # real-time clock. Note that it can’t be used along with the 'rtcfile' directive. + rtcsync + + # Step the system clock instead of slewing it if the adjustment is larger than + # one second, but only in the first three clock updates. + makestep 1 3 + + server REPLACEMENT_NTP_SERVER1 iburst + server REPLACEMENT_NTP_SERVER2 iburst + server REPLACEMENT_NTP_SERVER3 iburst + server REPLACEMENT_NTP_SERVER4 iburst + + #Enable Chrony to operate as an NTP server for local applications e.g. Prometheus. + allow 127.0.0.0/8 preKubeadmCommands: # Restart docker and containerd to apply any proxy settings - export HOME=/root @@ -33,6 +67,8 @@ spec: - containerd config default | sed -r -e '/\[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc\]$/a\ SystemdCgroup = true' | tee /etc/containerd/config.toml - systemctl daemon-reload - systemctl restart containerd + - systemctl restart chrony.service + - systemctl is-active --quiet chrony.service && echo "Chrony service was restarted!" users: - name: deployer sshAuthorizedKeys: 
diff --git a/manifests/function/workers-capm3/replacements/networking.yaml b/manifests/function/workers-capm3/replacements/networking.yaml index 15a4c7a3d..e2942a450 100644 --- a/manifests/function/workers-capm3/replacements/networking.yaml +++ b/manifests/function/workers-capm3/replacements/networking.yaml @@ -17,3 +17,43 @@ replacements: kind: KubeadmConfigTemplate name: worker-1 fieldrefs: ["spec.template.spec.ntp"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[0] + target: + objref: + kind: KubeadmConfigTemplate + name: worker-1 + fieldrefs: ["spec.template.spec.files[*].content%REPLACEMENT_NTP_SERVER1%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[1] + target: + objref: + kind: KubeadmConfigTemplate + name: worker-1 + fieldrefs: ["spec.template.spec.files[*].content%REPLACEMENT_NTP_SERVER2%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[2] + target: + objref: + kind: KubeadmConfigTemplate + name: worker-1 + fieldrefs: ["spec.template.spec.files[*].content%REPLACEMENT_NTP_SERVER3%"] +- source: + objref: + kind: NetworkCatalogue + name: networking + fieldref: spec.ntp.servers[3] + target: + objref: + kind: KubeadmConfigTemplate + name: worker-1 + fieldrefs: ["spec.template.spec.files[*].content%REPLACEMENT_NTP_SERVER4%"] \ No newline at end of file
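Review bot: The worker replacement targeting `spec.template.spec.ntp` remains as context here, yet the kubeadmconfigtemplate.yaml hunks in this patch do not remove an `ntp:` block from the template, unlike the control-plane change; if the template still carries one outside the visible hunks, cloud-init's ntp module will regenerate /etc/chrony/chrony.conf after write_files and discard the content added by this patch. Worth confirming the template has no `ntp` block and, if so, removing the now-unused `spec.template.spec.ntp` replacement rather than leaving both paths configured. The file also ends without a trailing newline (`\ No newline at end of file`); add one.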