From 67ca82d723bdd5bddf1ca8f6749f7fed1d5b9fc7 Mon Sep 17 00:00:00 2001 From: gjmzj Date: Fri, 17 Aug 2018 09:18:55 +0800 Subject: [PATCH] add chrony --- 01.prepare.yml | 7 ++- 20.addnode.yml | 1 + 21.addmaster.yml | 1 + 90.setup.yml | 6 ++- example/hosts.allinone.example | 2 +- example/hosts.m-masters.example | 2 +- example/hosts.s-master.example | 2 +- roles/chrony/chrony.yml | 3 ++ roles/chrony/defaults/main.yml | 7 +++ roles/chrony/tasks/main.yml | 43 +++++++++++++++ roles/chrony/templates/client-centos.conf.j2 | 44 +++++++++++++++ roles/chrony/templates/client-ubuntu.conf.j2 | 56 +++++++++++++++++++ roles/chrony/templates/server-centos.conf.j2 | 49 +++++++++++++++++ roles/chrony/templates/server-ubuntu.conf.j2 | 57 ++++++++++++++++++++ roles/lb/defaults/main.yml | 4 +- tools/init_vars.yml | 2 + 16 files changed, 278 insertions(+), 8 deletions(-) create mode 100644 roles/chrony/chrony.yml create mode 100644 roles/chrony/defaults/main.yml create mode 100644 roles/chrony/tasks/main.yml create mode 100644 roles/chrony/templates/client-centos.conf.j2 create mode 100644 roles/chrony/templates/client-ubuntu.conf.j2 create mode 100644 roles/chrony/templates/server-centos.conf.j2 create mode 100644 roles/chrony/templates/server-ubuntu.conf.j2 diff --git a/01.prepare.yml b/01.prepare.yml index 26fef8b..0663f71 100644 --- a/01.prepare.yml +++ b/01.prepare.yml @@ -1,4 +1,9 @@ -# 在deploy节点生成CA相关证书,以及kubedns.yaml配置文件 +# 集群内时间同步 +- hosts: all + roles: + - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" } + +# 在deploy节点生成CA相关证书 - hosts: deploy roles: - deploy diff --git a/20.addnode.yml b/20.addnode.yml index ac7d80a..27e1eaf 100644 --- a/20.addnode.yml +++ b/20.addnode.yml @@ -1,5 +1,6 @@ - hosts: new-node roles: + - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" } - prepare - docker - kube-node diff --git a/21.addmaster.yml b/21.addmaster.yml index 4cb7e4c..7983bd4 100644 --- a/21.addmaster.yml +++ b/21.addmaster.yml 
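Review bot: The gate `when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'"` added to the `hosts: all` play in 01.prepare.yml errors out on any inventory written before this commit, because Ansible reports a missing `NTP_ENABLED` on the deploy host as a failed conditional rather than evaluating it to false, so existing users get a hard failure instead of the role being skipped. A default keeps old inventories working: `when: "hostvars[groups.deploy[0]]['NTP_ENABLED']|default('no') == 'yes'"`. The same expression is copied verbatim into 20.addnode.yml, 21.addmaster.yml, 90.setup.yml and roles/chrony/chrony.yml; one definition (a group var or a `ntp_enabled` fact set once) would be easier to keep consistent than five copies.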
@@ -8,6 +8,7 @@ - hosts: new-master roles: + - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" } - prepare - docker - kube-master diff --git a/90.setup.yml b/90.setup.yml index 0b4362c..81befa0 100644 --- a/90.setup.yml +++ b/90.setup.yml @@ -1,5 +1,9 @@ +# 集群内时间同步 +- hosts: all + roles: + - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" } + # 在deploy节点生成CA相关证书,以供整个集群使用 -# 以及初始化kubedns.yaml配置文件 - hosts: deploy roles: - deploy diff --git a/example/hosts.allinone.example b/example/hosts.allinone.example index d31894a..b439d64 100644 --- a/example/hosts.allinone.example +++ b/example/hosts.allinone.example @@ -1,6 +1,6 @@ # 部署节点:运行ansible 脚本的节点 [deploy] -192.168.1.1 +192.168.1.1 NTP_ENABLED=no # etcd集群请提供如下NODE_NAME,注意etcd集群必须是1,3,5,7...奇数个节点 [etcd] diff --git a/example/hosts.m-masters.example b/example/hosts.m-masters.example index d838613..c24ee19 100644 --- a/example/hosts.m-masters.example +++ b/example/hosts.m-masters.example @@ -1,6 +1,6 @@ # 部署节点:运行这份 ansible 脚本的节点 [deploy] -192.168.1.1 +192.168.1.1 NTP_ENABLED=no # etcd集群请提供如下NODE_NAME,注意etcd集群必须是1,3,5,7...奇数个节点 [etcd] diff --git a/example/hosts.s-master.example b/example/hosts.s-master.example index 173601b..f661f7e 100644 --- a/example/hosts.s-master.example +++ b/example/hosts.s-master.example @@ -1,6 +1,6 @@ # 部署节点:运行ansible 脚本的节点 [deploy] -192.168.1.1 +192.168.1.1 NTP_ENABLED=no # etcd集群请提供如下NODE_NAME,请注意etcd集群必须是1,3,5,7...奇数个节点 [etcd] diff --git a/roles/chrony/chrony.yml b/roles/chrony/chrony.yml new file mode 100644 index 0000000..ea2d3c1 --- /dev/null +++ b/roles/chrony/chrony.yml @@ -0,0 +1,3 @@ +- hosts: all + roles: + - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes'" } diff --git a/roles/chrony/defaults/main.yml b/roles/chrony/defaults/main.yml new file mode 100644 index 0000000..8a6089e --- /dev/null +++ b/roles/chrony/defaults/main.yml 
@@ -0,0 +1,7 @@
+# 设置时间源服务器
+ntp_server: "ntp1.aliyun.com"
+
+# 设置允许内部时间同步的网络段,比如"10.0.0.0/8",默认全部允许
+local_network: "0.0.0.0/0"
+
+
diff --git a/roles/chrony/tasks/main.yml b/roles/chrony/tasks/main.yml
new file mode 100644
index 0000000..b4308e7
--- /dev/null
+++ b/roles/chrony/tasks/main.yml
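Review bot: `local_network: "0.0.0.0/0"` as the shipped default means the `allow {{ local_network }}` line in the server templates (roles/chrony/templates/server-centos.conf.j2 and server-ubuntu.conf.j2) lets the deploy node answer NTP for any source address, and because those templates also set `local stratum 10` it answers even while unsynchronised; on a deploy host with a reachable public interface that is an unauthenticated UDP/123 responder exposed to the internet. The comment already suggests the intended scope is the cluster's own range, so a safer default is to require the operator to set it, e.g. `local_network: ""` with the comment stating it must cover all node IPs, or at least to document that 0.0.0.0/0 is only acceptable behind a firewall that blocks inbound UDP/123 from outside the cluster. The file also ends with two blank added lines that yamllint will flag.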
@@ -0,0 +1,43 @@
+- name: apt更新缓存刷新
+ apt: update_cache=yes cache_valid_time=72000
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+
+- name: 安装 chrony
+ package: name=chrony state=latest
+
+- block:
+ - name: 配置 chrony server
+ template: src=server-centos.conf.j2 dest=/etc/chrony.conf
+ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+
+ - name: 配置 chrony server
+ template: src=server-ubuntu.conf.j2 dest=/etc/chrony/chrony.conf
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+
+ - name: 启动 chrony server
+ service: name=chronyd state=restarted enabled=yes
+ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+
+ - name: 启动 chrony server
+ service: name=chrony state=restarted enabled=yes
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+ when: 'inventory_hostname == groups.deploy[0]'
+
+- block:
+ - name: 配置 chrony client
+ template: src=client-centos.conf.j2 dest=/etc/chrony.conf
+ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+
+ - name: 配置 chrony client
+ template: src=client-ubuntu.conf.j2 dest=/etc/chrony/chrony.conf
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+
+ - name: 启动 chrony client
+ service: name=chronyd state=restarted enabled=yes
+ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+
+ - name: 启动 chrony client
+ service: name=chrony state=restarted enabled=yes
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 16
+ when: 'inventory_hostname != groups.deploy[0]'
+
diff --git a/roles/chrony/templates/client-centos.conf.j2 b/roles/chrony/templates/client-centos.conf.j2
new file mode 100644
index 0000000..2c8f1f0
--- /dev/null
+++ b/roles/chrony/templates/client-centos.conf.j2
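Review bot: `package: name=chrony state=latest` and the four `service: ... state=restarted enabled=yes` tasks run unconditionally, so every run of 01.prepare.yml or 90.setup.yml upgrades chrony and restarts the daemon on every node even when neither the package nor the rendered config changed; that is not idempotent and needlessly interrupts time sync (and the deploy node's role as time source for all clients) on an otherwise untouched cluster. Use `package: name=chrony state=present`, `service: ... state=started enabled=yes`, and have the template tasks `notify` a handler that restarts chronyd, so a restart happens only when the config actually changed. The distro test is also repeated eight times across the two blocks; one `when` per OS-specific task file pulled in with `include_tasks` would keep the conditions in one place. The task indentation is lost in the collapsed patch text, so I could not confirm that the block-level `when:` lines sit at the same level as `block:` rather than inside the last task.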
@@ -0,0 +1,44 @@
+# Use public servers from the pool.ntp.org project.
+server {{ groups.deploy[0] }} iburst
+
+# Ignor source level
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+allow {{ local_network }}
+
+#
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
+
+#
+logchange 1
diff --git a/roles/chrony/templates/client-ubuntu.conf.j2 b/roles/chrony/templates/client-ubuntu.conf.j2
new file mode 100644
index 0000000..142a746
--- /dev/null
+++ b/roles/chrony/templates/client-ubuntu.conf.j2
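Review bot: The client template keeps `allow {{ local_network }}`, so every master and worker node also accepts NTP requests from the whole `local_network` (0.0.0.0/0 by default) although only the deploy node is meant to serve time; chronyd denies client access when no `allow` directive is present (and recent versions do not even open the server port without one), so dropping that line from both client templates (this file and roles/chrony/templates/client-ubuntu.conf.j2) removes a reachable UDP/123 service from every node at no cost. The heading `# Use public servers from the pool.ntp.org project.` is stale here because the only source is `server {{ groups.deploy[0] }} iburst`; `# Sync only from the cluster's deploy node.` describes what the file does. client-ubuntu.conf.j2 writes the same source as `pool {{ groups.deploy[0] }} iburst`; a single host is a `server`, as in this file, and the two templates should agree.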
@@ -0,0 +1,56 @@
+# Use public servers from the pool.ntp.org project.
+pool {{ groups.deploy[0] }} iburst
+
+# Look here for the admin password needed for chronyc. The initial
+# password is generated by a random process at install time. You may
+# change it if you wish.
+keyfile /etc/chrony/chrony.keys
+
+# This directive sets the key ID used for authenticating user commands via the
+# 'chronyc' program at run time.
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+#log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+#dumponexit
+
+# Specify directory for dumping measurements.
+dumpdir /var/lib/chrony
+
+# This directive lets 'chronyd' to serve time even if unsynchronised to any
+# NTP server.
+#local stratum 10
+
+# This directive designates subnets (or nodes) from which NTP clients are allowed
+# to access to 'chronyd'.
+allow {{ local_network }}
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+logchange 1
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+
+hwclockfile /etc/adjtime
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+
+rtcsync
diff --git a/roles/chrony/templates/server-centos.conf.j2 b/roles/chrony/templates/server-centos.conf.j2
new file mode 100644
index 0000000..261edc3
--- /dev/null
+++ b/roles/chrony/templates/server-centos.conf.j2
@@ -0,0 +1,49 @@
+# Use public servers from the pool.ntp.org project.
+server {{ ntp_server }} iburst
+server 0.centos.pool.ntp.org iburst
+server 1.centos.pool.ntp.org iburst
+server 2.centos.pool.ntp.org iburst
+server 3.centos.pool.ntp.org iburst
+
+# Ignor source level
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+allow {{ local_network }}
+
+#
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+# Serve time even if not synchronized to a time source.
+local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
+
+#
+noclientlog
+logchange 1
diff --git a/roles/chrony/templates/server-ubuntu.conf.j2 b/roles/chrony/templates/server-ubuntu.conf.j2
new file mode 100644
index 0000000..41fd4da
--- /dev/null
+++ b/roles/chrony/templates/server-ubuntu.conf.j2
@@ -0,0 +1,57 @@
+# Use public servers from the pool.ntp.org project.
+pool {{ ntp_server }} iburst
+pool 2.debian.pool.ntp.org iburst
+
+# Look here for the admin password needed for chronyc. The initial
+# password is generated by a random process at install time. You may
+# change it if you wish.
+keyfile /etc/chrony/chrony.keys
+
+# This directive sets the key ID used for authenticating user commands via the
+# 'chronyc' program at run time.
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+#log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+#dumponexit
+
+# Specify directory for dumping measurements.
+dumpdir /var/lib/chrony
+
+# This directive lets 'chronyd' to serve time even if unsynchronised to any
+# NTP server.
+local stratum 10
+
+# This directive designates subnets (or nodes) from which NTP clients are allowed
+# to access to 'chronyd'.
+allow {{ local_network }}
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+logchange 1
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+
+hwclockfile /etc/adjtime
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+
+rtcsync
diff --git a/roles/lb/defaults/main.yml b/roles/lb/defaults/main.yml
index 69b9986..9862ee1 100644
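Review bot: The Ubuntu server template writes the operator's single upstream as `pool {{ ntp_server }} iburst` while the CentOS template (roles/chrony/templates/server-centos.conf.j2) writes `server {{ ntp_server }} iburst`; `pool` is meant for a DNS name that resolves to several rotating servers, so for the single host given by `ntp_server` the line should be `server {{ ntp_server }} iburst` in both files. The two templates also disagree on fallback sources (four `centos.pool.ntp.org` entries versus one `2.debian.pool.ntp.org`), which is surprising for nodes that are supposed to form one cluster; a short comment above the fallback lines stating that they are only reached when `ntp_server` is unreachable would at least make the intent explicit.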
--- a/roles/lb/defaults/main.yml +++ b/roles/lb/defaults/main.yml @@ -1,7 +1,5 @@ # 区分多个instance的VRRP组播,同网段不能重复,取值在0-255之间 -# 可以直接指定数字,如ROUTER_ID: 111 -# 取100~200间的随机数 -#ROUTER_ID: "{{ 200 | random(100, 1) }}" +# 因项目已设置vrrp报文单播模式,所以这个ROUTER_ID 即便同网段里面有重复也没关系 ROUTER_ID: 111 # haproxy负载均衡算法,常见如下: diff --git a/tools/init_vars.yml b/tools/init_vars.yml index 1b1267a..f405890 100644 --- a/tools/init_vars.yml +++ b/tools/init_vars.yml @@ -7,6 +7,7 @@ file: name={{ base_dir }}/roles/{{ item }}/vars state=directory with_items: - calico + - chrony - cilium - cluster-addon - cluster-restore @@ -25,6 +26,7 @@ force: "yes" with_items: - calico + - chrony - cilium - cluster-addon - cluster-restore