50367fbe35
This change converts our firewall deployment practice to use the tripleo-ansible firewall role. This change creates a new "firewall_rules" object which is queried using YAQL from the "FirewallRules" resource. A new parameter has been added allowing users to input additional firewall rules as needed. The new parameter is `ExtraFirewallRules` and will be merged on top of the YAQL interface. Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b Signed-off-by: Kevin Carter <kecarter@redhat.com>
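heat_template_version: rocky

description: >
  Chrony time service deployment using ansible. This YAML file
  creates the interface between the HOT template
  and the ansible role that actually installs
  and configures chronyd.

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # NOTE(security): the default points at the public pool over plain UDP;
  # nothing in this template configures NTP authentication, so time comes
  # from untrusted Internet hosts unless this is overridden. System time is
  # a security dependency (certificate validity windows, Kerberos/token
  # expiry, log correlation) - production deployments should set this to
  # trusted internal or upstream sources.
  NtpServer:
    default: ['0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org', '3.pool.ntp.org']
    description: NTP servers list. Defaulted to a set of pool.ntp.org servers
                 in order to have a sane default for Pacemaker deployments when
                 not configuring this parameter by default.
    type: comma_delimited_list
  NtpPool:
    default: []
    description: NTP pool list. Defaults to [], so only NtpServer is used by
                 default.
    type: comma_delimited_list
  ChronyGlobalServerOptions:
    default: ''
    description: Default server options for the configured NTP servers in
                 chrony.conf. If this is specified, NtpIburstEnable, MaxPoll,
                 and MinPoll are ignored.
    type: string
  ChronyGlobalPoolOptions:
    default: ''
    description: Default pool options for the configured NTP pools in
                 chrony.conf. If this is specified, NtpIburstEnable, MaxPoll,
                 and MinPoll are ignored.
    type: string
  NtpIburstEnable:
    default: true
    description: Specifies whether to enable the iburst option for every NTP
                 peer. If iburst is enabled, when the ntp server is unreachable
                 ntp will send a burst of eight packets instead of one. This
                 is designed to speed up the initial synchronization.
    type: boolean
  MaxPoll:
    description: Specify maximum poll interval of upstream servers for NTP
                 messages, in seconds to the power of two.
                 The maximum poll interval defaults to 10 (1,024 s).
                 Allowed values are 4 to 17.
    type: number
    default: 10
    constraints:
      - range: { min: 4, max: 17 }
  MinPoll:
    description: Specify minimum poll interval of upstream servers for NTP
                 messages, in seconds to the power of two.
                 The minimum poll interval defaults to 6 (64 s).
                 Allowed values are 4 to 17.
    type: number
    default: 6
    constraints:
      - range: { min: 4, max: 17 }
  EnablePackageInstall:
    # A real boolean, matching the declared type (the previous 'false'
    # string relied on Heat coercing it).
    default: false
    description: Set to true to enable package installation at deploy time
    type: boolean
  # NOTE(security): this is the application-level ACL that decides whether
  # chronyd answers client requests at all. Keep the default 'deny all'
  # unless this role must serve time, and then allow only the specific
  # client networks (e.g. 'allow 192.0.2.0/24') rather than 'allow all'.
  ChronyAclRules:
    default: ['deny all']
    description: Access Control List of NTP clients. By default no clients
                 are permitted.
    type: comma_delimited_list

conditions:
  chrony_global_server_settings_is_empty: {equals: [{get_param: ChronyGlobalServerOptions}, '']}
  chrony_global_pool_settings_is_empty: {equals: [{get_param: ChronyGlobalPoolOptions}, '']}
  ntp_iburst: {equals: [{get_param: NtpIburstEnable}, true]}

outputs:
  role_data:
    description: Role chrony using composable timesync services.
    value:
      service_name: chrony
      # NOTE(security): this opens UDP/123 inbound with no source restriction
      # on every host carrying this service. Outbound client queries do not
      # need it (replies are matched by connection tracking); it exists so the
      # node can serve time to others. With the default ChronyAclRules
      # ('deny all') chronyd refuses such clients, so the chrony ACL - not the
      # firewall - is what actually gates access. Review both together before
      # relaxing either one.
      firewall_rules:
        '105 ntp':
          dport: 123
          proto: udp
      host_prep_tasks:
        - name: Populate service facts (chrony)
          # Explicit empty args: this module takes none, and the facts are
          # needed by the ntpd check below.
          service_facts: {}
        # ntpd and chronyd cannot both own UDP/123; only act when the legacy
        # unit is actually present on the host.
        - name: Disable NTP before configuring Chrony
          service:
            name: ntpd
            state: stopped
            enabled: no
          when: "'ntpd.service' in ansible_facts.services"
        - name: Install, Configure and Run Chrony
          include_role:
            name: chrony
        # Handlers notified by the role (restart chronyd) must run before
        # we ask chronyc to step the clock.
        - name: Ensure chrony has been restarted
          meta: flush_handlers
        # Forces an immediate clock step at deploy time so the rest of the
        # deployment (TLS, Keystone tokens, Pacemaker) sees sane time. This is
        # a query to the daemon with no persistent change on the host, hence
        # changed_when: false so the task is idempotent in reporting.
        - name: Ensure system is NTP time synced
          command: chronyc makestep
          changed_when: false
      ansible_group_vars:
        chrony_role_action: all
        chrony_ntp_servers: {get_param: NtpServer}
        chrony_ntp_pools: {get_param: NtpPool}
        # Per-server options: either the caller-supplied string verbatim, or
        # one built from the iburst/minpoll/maxpoll parameters.
        chrony_global_server_settings:
          if:
            - chrony_global_server_settings_is_empty
            - str_replace:
                template: IBURST minpoll MINPOLL maxpoll MAXPOLL
                params:
                  IBURST:
                    if:
                      - ntp_iburst
                      - iburst
                      - ''
                  MINPOLL: { get_param: MinPoll }
                  MAXPOLL: { get_param: MaxPoll }
            - {get_param: ChronyGlobalServerOptions}
        # Per-pool options, built the same way as the server options.
        chrony_global_pool_settings:
          if:
            - chrony_global_pool_settings_is_empty
            - str_replace:
                template: IBURST minpoll MINPOLL maxpoll MAXPOLL
                params:
                  IBURST:
                    if:
                      - ntp_iburst
                      - iburst
                      - ''
                  MINPOLL: { get_param: MinPoll }
                  MAXPOLL: { get_param: MaxPoll }
            - {get_param: ChronyGlobalPoolOptions}
        chrony_manage_package: {get_param: EnablePackageInstall}
        chrony_acl_rules: {get_param: ChronyAclRules}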