add chrony

2018-08-17 09:18:55 +08:00 · 2018-08-17 09:18:55 +08:00 · 67ca82d723
parent 91812bba9f
commit 67ca82d723
16 changed files with 278 additions and 8 deletions
--- a/01.prepare.yml
+++ b/01.prepare.yml
@ -1,4 +1,9 @@
-# 在deploy节点生成CA相关证书，以及kubedns.yaml配置文件
+# 集群内时间同步
+- hosts: all
+  roles:
+  - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" }
+
+# 在deploy节点生成CA相关证书
 - hosts: deploy
  roles:
  - deploy
--- a/20.addnode.yml
+++ b/20.addnode.yml
@ -1,5 +1,6 @@
 - hosts: new-node
  roles:
+  - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" } 
  - prepare
  - docker
  - kube-node
--- a/21.addmaster.yml
+++ b/21.addmaster.yml
@ -8,6 +8,7 @@

 - hosts: new-master 
  roles:
+  - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" } 
  - prepare
  - docker
  - kube-master
--- a/90.setup.yml
+++ b/90.setup.yml
@ -1,5 +1,9 @@
+# 集群内时间同步
+- hosts: all
+  roles:
+  - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" }
+
 # 在deploy节点生成CA相关证书，以供整个集群使用
-# 以及初始化kubedns.yaml配置文件
 - hosts: deploy
  roles:
  - deploy
--- a/example/hosts.allinone.example
+++ b/example/hosts.allinone.example
@ -1,6 +1,6 @@
 # 部署节点：运行ansible 脚本的节点
 [deploy]
-192.168.1.1
+192.168.1.1 NTP_ENABLED=no

 # etcd集群请提供如下NODE_NAME，注意etcd集群必须是1,3,5,7...奇数个节点
 [etcd]
--- a/example/hosts.m-masters.example
+++ b/example/hosts.m-masters.example
@ -1,6 +1,6 @@
 # 部署节点：运行这份 ansible 脚本的节点
 [deploy]
-192.168.1.1
+192.168.1.1 NTP_ENABLED=no

 # etcd集群请提供如下NODE_NAME，注意etcd集群必须是1,3,5,7...奇数个节点
 [etcd]
--- a/example/hosts.s-master.example
+++ b/example/hosts.s-master.example
@ -1,6 +1,6 @@
 # 部署节点：运行ansible 脚本的节点
 [deploy]
-192.168.1.1
+192.168.1.1 NTP_ENABLED=no

 # etcd集群请提供如下NODE_NAME，请注意etcd集群必须是1,3,5,7...奇数个节点
 [etcd]
--- a/roles/chrony/chrony.yml
+++ b/roles/chrony/chrony.yml
@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+  - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" }
--- a/roles/chrony/defaults/main.yml
+++ b/roles/chrony/defaults/main.yml
@ -0,0 +1,7 @@
+# 设置时间源服务器
+ntp_server: "ntp1.aliyun.com"
+
+# 设置允许内部时间同步的网络段，比如"10.0.0.0/8"，默认全部允许
+local_network: "0.0.0.0/0"
+
+
--- a/roles/chrony/tasks/main.yml
+++ b/roles/chrony/tasks/main.yml
@ -0,0 +1,43 @@
+- name: apt更新缓存刷新
+  apt: update_cache=yes cache_valid_time=72000
+  when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+
+- name: 安装 chrony
+  package: name=chrony state=latest
+
+- block:
+  - name: 配置 chrony server 
+    template: src=server-centos.conf.j2 dest=/etc/chrony.conf
+    when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+
+  - name: 配置 chrony server
+    template: src=server-ubuntu.conf.j2 dest=/etc/chrony/chrony.conf
+    when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+
+  - name: 启动 chrony server
+    service: name=chronyd state=restarted enabled=yes
+    when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  
+  - name: 启动 chrony server
+    service: name=chrony state=restarted enabled=yes
+    when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16 
+  when: 'inventory_hostname == groups.deploy[0]'
+
+- block:
+  - name: 配置 chrony client
+    template: src=client-centos.conf.j2 dest=/etc/chrony.conf
+    when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+
+  - name: 配置 chrony client
+    template: src=client-ubuntu.conf.j2 dest=/etc/chrony/chrony.conf
+    when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+
+  - name: 启动 chrony client 
+    service: name=chronyd state=restarted enabled=yes
+    when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+
+  - name: 启动 chrony client
+    service: name=chrony state=restarted enabled=yes
+    when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+  when: 'inventory_hostname != groups.deploy[0]'
+
--- a/roles/chrony/templates/client-centos.conf.j2
+++ b/roles/chrony/templates/client-centos.conf.j2
@ -0,0 +1,44 @@
+# Use public servers from the pool.ntp.org project.
+server {{ groups.deploy[0] }} iburst
+
+# Ignor source level
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+allow {{ local_network }}
+
+# 
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
+
+#
+logchange 1
--- a/roles/chrony/templates/client-ubuntu.conf.j2
+++ b/roles/chrony/templates/client-ubuntu.conf.j2
@ -0,0 +1,56 @@
+# Use public servers from the pool.ntp.org project. 
+pool {{ groups.deploy[0] }} iburst
+
+# Look here for the admin password needed for chronyc.  The initial
+# password is generated by a random process at install time.  You may
+# change it if you wish.
+keyfile /etc/chrony/chrony.keys
+
+# This directive sets the key ID used for authenticating user commands via the
+# 'chronyc' program at run time.
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+#log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+#dumponexit
+
+# Specify directory for dumping measurements.
+dumpdir /var/lib/chrony
+
+# This directive lets 'chronyd' to serve time even if unsynchronised to any
+# NTP server.
+#local stratum 10
+
+# This directive designates subnets (or nodes) from which NTP clients are allowed
+# to access to 'chronyd'.
+allow {{ local_network }}
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+logchange 1
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+
+hwclockfile /etc/adjtime
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+
+rtcsync
--- a/roles/chrony/templates/server-centos.conf.j2
+++ b/roles/chrony/templates/server-centos.conf.j2
@ -0,0 +1,49 @@
+# Use public servers from the pool.ntp.org project.
+server {{ ntp_server }} iburst
+server 0.centos.pool.ntp.org iburst
+server 1.centos.pool.ntp.org iburst
+server 2.centos.pool.ntp.org iburst
+server 3.centos.pool.ntp.org iburst
+
+# Ignor source level
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+allow {{ local_network }}
+
+# 
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+# Serve time even if not synchronized to a time source.
+local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
+
+#
+noclientlog
+logchange 1
--- a/roles/chrony/templates/server-ubuntu.conf.j2
+++ b/roles/chrony/templates/server-ubuntu.conf.j2
@ -0,0 +1,57 @@
+# Use public servers from the pool.ntp.org project. 
+pool {{ ntp_server }} iburst
+pool 2.debian.pool.ntp.org iburst
+
+# Look here for the admin password needed for chronyc.  The initial
+# password is generated by a random process at install time.  You may
+# change it if you wish.
+keyfile /etc/chrony/chrony.keys
+
+# This directive sets the key ID used for authenticating user commands via the
+# 'chronyc' program at run time.
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+#log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+#dumponexit
+
+# Specify directory for dumping measurements.
+dumpdir /var/lib/chrony
+
+# This directive lets 'chronyd' to serve time even if unsynchronised to any
+# NTP server.
+local stratum 10
+
+# This directive designates subnets (or nodes) from which NTP clients are allowed
+# to access to 'chronyd'.
+allow {{ local_network }}
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+logchange 1
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+
+hwclockfile /etc/adjtime
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+
+rtcsync
--- a/roles/lb/defaults/main.yml
+++ b/roles/lb/defaults/main.yml
@ -1,7 +1,5 @@
 # 区分多个instance的VRRP组播，同网段不能重复，取值在0-255之间
-# 可以直接指定数字，如ROUTER_ID: 111 
-# 取100~200间的随机数
-#ROUTER_ID: "{{ 200 | random(100, 1) }}"
+# 因项目已设置vrrp报文单播模式，所以这个ROUTER_ID 即便同网段里面有重复也没关系
 ROUTER_ID: 111

 # haproxy负载均衡算法，常见如下：
--- a/tools/init_vars.yml
+++ b/tools/init_vars.yml
@ -7,6 +7,7 @@
    file: name={{ base_dir }}/roles/{{ item }}/vars state=directory
    with_items:
    - calico
+    - chrony
    - cilium
    - cluster-addon
    - cluster-restore
@ -25,6 +26,7 @@
      force: "yes"
    with_items:
    - calico
+    - chrony
    - cilium
    - cluster-addon
    - cluster-restore