Puppet Setup NTP Server

Question: While troubleshooting one of the issue on app servers in Stratos Datacenter DevOps team identified the root cause that the time isn't synchronized properly among all app servers which cause issues sometimes. So team has decided to use a specific time server for all app servers so that they all remain in sync. This task needs to be done using Puppet so as per details mentioned below please compete the task:

Create a puppet programming file news.pp under /etc/puppetlabs/code/environments/production/manifests directory on puppet master node i.e on Jump Server. Within the programming file define a custom class ntpconfig to install and configure ntp server on all app servers.

Also add NTP Server server 3.pool.ntp.org' in default configuration file on all app servers.

Please note that do not try to start/restart/stop ntp service as we already have a scheduled restart for this service tonight and we don't want these changes to be applied right now.

Note: Please perform this task using news.pp only, do not try to create any separate inventory file.

Please Note:-  Perform the below commands based on your question server,  user name & other details that might differ. So please read the task carefully before executing it. All the Best 👍

Solution:  

1. List the existing module and install the NTP module

root@jump_host /# puppet module list /etc/puppetlabs/code/environments/production/modules (no modules installed) /etc/puppetlabs/code/modules (no modules installed) /opt/puppetlabs/puppet/modules (no modules installed) root@jump_host /# root@jump_host /# puppet module install puppetlabs-ntp Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ... Notice: Downloading from https://forgeapi.puppet.com ... Notice: Installing -- do not interrupt ... /etc/puppetlabs/code/environments/production/modules └─┬ puppetlabs-ntp (v9.0.1)   └── puppetlabs-stdlib (v7.1.0) root@jump_host /# root@jump_host /# puppet module list /etc/puppetlabs/code/environments/production/modules ├── puppetlabs-ntp (v9.0.1) └── puppetlabs-stdlib (v7.1.0) /etc/puppetlabs/code/modules (no modules installed) /opt/puppetlabs/puppet/modules (no modules installed) root@jump_host /#

2. Go through the folder mentioned in the task and create puppet files

 

root@jump_host /# cd /etc/puppetlabs/code/environments/production/manifests/ root@jump_host /etc/puppetlabs/code/environments/production/manifests# ll total 0 root@jump_host /etc/puppetlabs/code/environments/production/manifests# vi news.pp root@jump_host /etc/puppetlabs/code/environments/production/manifests# cat news.pp class { 'ntp':   servers => [ 'server 3.pool.ntp.org' ],                                                }       class ntpconfig {   include ntp }     node 'stapp01.stratos.xfusioncorp.com' {   include ntpconfig }   node 'stapp02.stratos.xfusioncorp.com' {   include ntpconfig }   node 'stapp03.stratos.xfusioncorp.com' {   include ntpconfig } root@jump_host /etc/puppetlabs/code/environments/production/manifests#

3. Validate the puppet files by the below command

root@jump_host /etc/puppetlabs/code/environments/production/manifests# puppet parser validate news.pp root@jump_host /etc/puppetlabs/code/environments/production/manifests#

4. Login on all  App server  (stapp01, stapp02, stapp03 ) & switch to root  user 

root@jump_host /# ssh tony@stapp01 The authenticity of host 'stapp01 (172.16.238.10)' can't be established. ECDSA key fingerprint is SHA256:w9cDRojDoclOxdu1W23Ns2HPyANPrDzhk9VfqtTDoJQ. ECDSA key fingerprint is MD5:a8:3b:55:35:c2:5c:56:76:c8:d0:78:13:7a:4d:8b:e1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'stapp01,172.16.238.10' (ECDSA) to the list of known hosts. tony@stapp01's password: [tony@stapp01 ~]$ sudo su - We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:     #1) Respect the privacy of others.     #2) Think before you type.     #3) With great power comes great responsibility. [sudo] password for tony: [root@stapp01 ~]#

5. Run Puppet agent to pull the configuration from puppet server 

[root@stapp01 ~]# puppet resource service ntpd service { 'ntpd':   ensure   => 'stopped',   enable   => 'false',   provider => 'systemd', } [root@stapp01 ~]# [root@stapp01 ~]# puppet agent -tv Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Notice: /File[/opt/puppetlabs/puppet/cache/lib/facter]/ensure: created Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/functions/parsehocon.rb]/ensure: defined ]/ensure: created Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/file_line/ruby.rb]/ensure: defined content as '{md5}370afd0f0bf25ad4724239d3938673f1' Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/type]/ensure: created Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/type/anchor.rb]/ensure: defined content as '{md5}d19f9394153302da140961a5c24ca7f0' Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/type/file_line.rb]/ensure: defined content as '{md5}69161b0bff6e25c4d42b47ee376afe2d' Info: Retrieving locales Notice: /File[/opt/puppetlabs/puppet/cache/locales/ja]/ensure: created Notice: /File[/opt/puppetlabs/puppet/cache/locales/ja/puppetlabs-ntp.po]/ensure: defined content as '{md5}7265ff57e178feb7a65835f7cf271e2c' Info: Loading facts Info: Caching catalog for stapp01.stratos.xfusioncorp.com Info: Applying configuration version '1626415526' Notice: /Stage[main]/Ntp::Install/Package[ntp]/ensure: created Notice: /Stage[main]/Ntp::Config/File[/etc/ntp.conf]/content: --- /etc/ntp.conf       2019-11-27 16:47:41.000000000 +0000 +++ /tmp/puppet-file20210716-197-y7af87 2021-07-16 06:05:50.348000000 +0000 @@ -1,58 +1,30 @@ -# For more information about this file, see the man pages -# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). +# ntp.conf: Managed by puppet. +# +# Enable next tinker options: +# panic - keep ntpd from panicking in the event of a large clock skew +# when a VM guest is suspended and resumed; +# stepout - allow ntpd change offset faster +tinker panic 0 +disable monitor   -driftfile /var/lib/ntp/drift +statsdir /var/log/ntpstats    # Permit time synchronization with our time source, but do not  # permit the source to query or modify the service on this system. -restrict default nomodify notrap nopeer noquery - -# Permit all access over the loopback interface.  This could -# be tightened as well, but to do so would effect some of -# the administrative functions. -restrict 127.0.0.1 -restrict ::1 - -# Hosts on local network are less restricted. -#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap - -# Use public servers from the pool.ntp.org project. -# Please consider joining the pool (http://www.pool.ntp.org/join.html). -server 0.centos.pool.ntp.org iburst -server 1.centos.pool.ntp.org iburst -server 2.centos.pool.ntp.org iburst -server 3.centos.pool.ntp.org iburst - -#broadcast 192.168.1.255 autokey       # broadcast server -#broadcastclient                       # broadcast client -#broadcast 224.0.1.1 autokey           # multicast server -#multicastclient 224.0.1.1             # multicast client -#manycastserver 239.255.254.254                # manycast server -#manycastclient 239.255.254.254 autokey # manycast client - -# Enable public key cryptography. -#crypto - -includefile /etc/ntp/crypto/pw +restrict default kod nomodify notrap nopeer noquery +restrict -6 default kod nomodify notrap nopeer noquery +restrict 127.0.0.1 +restrict -6 ::1 + +# Set up servers for ntpd with next options: +# server - IP address or DNS name of upstream NTP server +# burst - send a burst of eight packets instead of the usual one. +# iburst - allow send sync packages faster if upstream unavailable +# prefer - select preferrable server +# minpoll - set minimal update frequency +# maxpoll - set maximal update frequency +# noselect - do not sync with this server +server server 3.pool.ntp.org   -# Key file containing the keys and key identifiers used when operating -# with symmetric key cryptography. -keys /etc/ntp/keys - -# Specify the key identifiers which are trusted. -#trustedkey 4 8 42 - -# Specify the key identifier to use with the ntpdc utility. -#requestkey 8 - -# Specify the key identifier to use with the ntpq utility. -#controlkey 8 - -# Enable writing of statistics records. -#statistics clockstats cryptostats loopstats peerstats - -# Disable the monitoring facility to prevent amplification attacks using ntpdc -# monlist command when default restrict does not include the noquery flag. See -# CVE-2013-5211 for more details. -# Note: Monitoring will not be disabled with the limited restriction flag. -disable monitor +# Driftfile. +driftfile /var/lib/ntp/drift   Info: Computing checksum on file /etc/ntp.conf Info: /Stage[main]/Ntp::Config/File[/etc/ntp.conf]: Filebucketed /etc/ntp.conf to puppet with sum dc9e5754ad2bb6f6c32b954c04431d0a Notice: /Stage[main]/Ntp::Config/File[/etc/ntp.conf]/content: content changed '{md5}dc9e5754ad2bb6f6c32b954c04431d0a' to '{md5}fef82a8e50c12ca40b54011f89a37732' Notice: /Stage[main]/Ntp::Config/File[/etc/ntp/step-tickers]/content: --- /etc/ntp/step-tickers       2019-11-27 16:47:41.000000000 +0000 +++ /tmp/puppet-file20210716-197-106nhao        2021-07-16 06:05:50.412000000 +0000 @@ -1,3 +1,3 @@  # List of NTP servers used by the ntpdate service.   -0.centos.pool.ntp.org +server 3.pool.ntp.org   Info: Computing checksum on file /etc/ntp/step-tickers Info: /Stage[main]/Ntp::Config/File[/etc/ntp/step-tickers]: Filebucketed /etc/ntp/step-tickers to puppet with sum 9b77b3b3eb41daf0b9abb8ed01c5499b Notice: /Stage[main]/Ntp::Config/File[/etc/ntp/step-tickers]/content: content changed '{md5}9b77b3b3eb41daf0b9abb8ed01c5499b' to '{md5}57d25e120b0c1104a46d794513175cdd' Info: Class[Ntp::Config]: Scheduling refresh of Class[Ntp::Service] Info: Class[Ntp::Service]: Scheduling refresh of Service[ntp] Notice: /Stage[main]/Ntp::Service/Service[ntp]/ensure: ensure changed 'stopped' to 'running' Info: /Stage[main]/Ntp::Service/Service[ntp]: Unscheduling refresh on Service[ntp] Notice: Applied catalog in 23.14 seconds [root@stapp01 ~]# [root@stapp01 ~]#

6. Validate the task by resource service

[root@stapp01 ~]# puppet resource service ntpd service { 'ntpd':   ensure   => 'running',   enable   => 'true',   provider => 'systemd', } [root@stapp01 ~]#

Please Note:- I have shown only for stapp01. 

You have to do this in all app server stapp01,stapp02, stapp03. 

7.  Click on Finish & Confirm to complete the task successfully

Happy Learning!!!!

Apart from this if you need more clarity,  I have made a  tutorial video on this, 

please go through and share your comments. Like and share the knowledge