From 72ee7dac7c2471efec145d04158e801379b5fa3a Mon Sep 17 00:00:00 2001
From: Jeffrey Zhang <zhang.lei.fly@gmail.com>
Date: Sun, 18 Jun 2017 20:59:28 +0800
Subject: [PATCH] Support multi local chrony servers

In the old implementation, if there is no external NTP server, only one
local chrony server is supported. If multiple chrony servers are configured,
the chrony clients cannot sync with them.

In the new implementation
* use VIP to connect chrony-server, which ensure multi local chrony
  servers are supported.
* chrony servers depend on VIP. So chrony-server group should be
  the same with haproxy group.
* prevent chrony client sync from itself.
* Change owner to chrony:kolla for chrony log folder
* fix keysfile path
* use chrony user for centos and ubuntu image
* fix permission issue for /var/lib/chrony folder

Closes-Bug: #1705200
Change-Id: I6e85fda9824b5ddc7a96895425c5932a3566c27e
---
 ansible/inventory/all-in-one                  |  2 +-
 ansible/inventory/multinode                   |  2 +-
 ansible/roles/chrony/templates/chrony.conf.j2 | 20 ++++++++++++-------
 ansible/roles/chrony/templates/chrony.json.j2 | 12 +++++++++++
 ...epends-on-keepalived-27c60fbd1471cc29.yaml |  6 ++++++
 5 files changed, 33 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/move-chrony-server-group-depends-on-keepalived-27c60fbd1471cc29.yaml

diff --git a/ansible/inventory/all-in-one b/ansible/inventory/all-in-one
index 04f8b01313..fb157242cd 100644
--- a/ansible/inventory/all-in-one
+++ b/ansible/inventory/all-in-one
@@ -21,7 +21,7 @@ localhost       ansible_connection=local
 # You can explicitly specify which hosts run each project by updating the
 # groups in the sections below. Common services are grouped together.
 [chrony-server:children]
-control
+haproxy
 
 [chrony:children]
 network
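Review bot: The `[chrony-server:children]` entry now carries an undocumented coupling: chrony.conf.j2 in this patch binds chronyd to `kolla_internal_vip_address`, so this group only works when it is identical to the haproxy group that holds the VIP, but nothing in the inventory says so. A one-line comment above the group would spare operators a silent misconfiguration, e.g. `# chrony-server must contain the same hosts as haproxy: chronyd binds to the internal VIP`. The same applies to the multinode inventory hunk below.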
diff --git a/ansible/inventory/multinode b/ansible/inventory/multinode
index 66ff970d6a..4cd55e27c2 100644
--- a/ansible/inventory/multinode
+++ b/ansible/inventory/multinode
@@ -41,7 +41,7 @@ monitoring
 # You can explicitly specify which hosts run each project by updating the
 # groups in the sections below. Common services are grouped together.
 [chrony-server:children]
-control
+haproxy
 
 [chrony:children]
 control
diff --git a/ansible/roles/chrony/templates/chrony.conf.j2 b/ansible/roles/chrony/templates/chrony.conf.j2
index ece9a40190..592d65958e 100644
--- a/ansible/roles/chrony/templates/chrony.conf.j2
+++ b/ansible/roles/chrony/templates/chrony.conf.j2
@@ -1,13 +1,16 @@
-{% for host in groups['chrony-server'] %}
-{% if inventory_hostname != host %}
-server {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }} iburst
-{% endif %}
-{% endfor %}
+{% set keyfile = '/etc/chrony.keys' if kolla_base_distro in ['centos', 'oraclelinux', 'redhat'] else '/etc/chrony/chrony.keys' %}
+
+server {{ kolla_internal_vip_address }} iburst
+{# NOTE(jeffrey4l): external_ntp_servers may be None here #}
+{% if external_ntp_servers %}
 {% for ntp_server in external_ntp_servers %}
 server {{ ntp_server }} iburst
 {% endfor %}
+{% endif %}
 
-keyfile /etc/chrony/chrony.keys
+user chrony
+
+keyfile {{ keyfile }}
 
 commandkey 1
 
@@ -26,13 +29,16 @@ dumpdir /var/lib/chrony
 
 {% if inventory_hostname in groups['chrony-server'] %}
 allow all
+# prevent chrony sync from self
+deny {{ kolla_internal_vip_address }}
+deny {{ api_interface_address }}
 local stratum 10
 {% else %}
 port 0
 deny all
 {% endif %}
 
-bindaddress {{ api_interface_address }}
+bindaddress {{ kolla_internal_vip_address }}
 
 logchange 0.5
 
diff --git a/ansible/roles/chrony/templates/chrony.json.j2 b/ansible/roles/chrony/templates/chrony.json.j2
index 03f3ee9c7a..9322451f33 100644
--- a/ansible/roles/chrony/templates/chrony.json.j2
+++ b/ansible/roles/chrony/templates/chrony.json.j2
@@ -7,5 +7,17 @@
             "owner": "chrony",
             "perm": "0600"
         }
+    ],
+    "permissions": [
+        {
+            "path": "/var/log/kolla/chrony",
+            "owner": "chrony:kolla",
+            "recurse": true
+        },
+        {
+            "path": "/var/lib/chrony",
+            "owner": "chrony:chrony",
+            "recurse": true
+        }
     ]
 }
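Review bot: The two new `permissions` entries set only `owner`; unlike the keys-file entry above with `"perm": "0600"`, they leave the mode of `/var/log/kolla/chrony` and `/var/lib/chrony` as whatever the image or volume already has. If the permissions handler accepts a `perm` key as the config entries do, adding an explicit mode such as `"perm": "0750"` would make the ownership fix for the drift/dump directory complete rather than partial; if the mode is deliberately untouched, the release note should say so. The enclosing JSON object opens before this hunk.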
diff --git a/releasenotes/notes/move-chrony-server-group-depends-on-keepalived-27c60fbd1471cc29.yaml b/releasenotes/notes/move-chrony-server-group-depends-on-keepalived-27c60fbd1471cc29.yaml
new file mode 100644
index 0000000000..4edde34b17
--- /dev/null
+++ b/releasenotes/notes/move-chrony-server-group-depends-on-keepalived-27c60fbd1471cc29.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    chrony server high available is implemented. And it depends on VIP now.
+    chrony-server group is moved to network node in default and must be the
+    same with haproxy group.