From f5cc5cea9cfd3fac04d5e56ffb6ca446b6f61912 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Jonas=20S=C3=A4mann?=
Date: Fri, 4 Sep 2020 18:36:50 +0200
Subject: [PATCH] Use chrony to lock kvm virtualized vm to host rtc
Chrony uses PHC via VirtIO PTP on KVM to sync the virtial mashines time to the hosts RTC within nanoseconds. Ntpd is still used for anything else not virtualized on kvm.
---
roles/ntp/handlers/main.yml | 3 +++
roles/ntp/tasks/chrony.yml | 34 ++++++++++++++++++++++++++++++
roles/ntp/tasks/main.yml | 21 +++++++++++-------
roles/ntp/tasks/ntp.yml | 11 ++++++++++
roles/ntp/templates/chrony.conf.j2 | 27 ++++++++++++++++++++++++
5 files changed, 88 insertions(+), 8 deletions(-)
create mode 100644 roles/ntp/tasks/chrony.yml
create mode 100644 roles/ntp/tasks/ntp.yml
create mode 100644 roles/ntp/templates/chrony.conf.j2
diff --git a/roles/ntp/handlers/main.yml b/roles/ntp/handlers/main.yml
index b4bf1ca..a9456d0 100644
--- a/roles/ntp/handlers/main.yml
+++ b/roles/ntp/handlers/main.yml
@@ -5,3 +5,6 @@ - name: Restart ntpd service: name=ntpd state=restarted
+
+- name: Restart chrony
+ service: name=chrony state=restarted
diff --git a/roles/ntp/tasks/chrony.yml b/roles/ntp/tasks/chrony.yml
new file mode 100644
index 0000000..f1a715a
--- /dev/null
+++ b/roles/ntp/tasks/chrony.yml
@@ -0,0 +1,34 @@
+---
+# Use chronyd to lock time via PHC to hosts RTC
+
+- name: Install chrony
+ apt:
+ name: chrony
+ state: latest
+ install_recommends: no
+
+- name: Load kmod ptp_kvm at boot time
+ blockinfile:
+ path: /etc/modules-load.d/ptp_kvm.conf
+ create: yes
+ owner: root
+ mode: '0400'
+ block: |
+ # Load VirtIO PTP driver for chrony
+ ptp_kvm
+ register: load_ptp_kvm
+ when:
+ - ansible_virtualization_role == 'guest'
+ - ansible_virtualization_type == 'kvm'
+
+- name: Load kmod ptp_kvm
+ modprobe:
+ name: ptp_kvm
+ state: present
+ when: not (load_ptp_kvm is skipped)
+
+- name: Configure chronyd
+ template:
+ src: chrony.conf.j2
+ dest: /etc/chrony/chrony.conf
+ notify: Restart chrony
diff --git a/roles/ntp/tasks/main.yml b/roles/ntp/tasks/main.yml
index 6913b3d..8b7dea3 100644
--- a/roles/ntp/tasks/main.yml
+++ b/roles/ntp/tasks/main.yml
@@ -1,11 +1,16 @@ ---
+# Select best time source
+# * on kvm sync to hypervisor rtc within nanoseconds accuracy
+# * on anything else use ntpd wich supports only milliseconds accuracy
-- name: Install ntp
- apt: name=ntp
+- name: Setup chrony
+ include_tasks: chrony.yml
+ register: ntp_use_chrony
+ when:
+ - ansible_virtualization_role == 'guest'
+ - ansible_virtualization_type == 'kvm'
-- name: Configure ntp
- template: src=ntp.conf.j2 dest=/etc/ntp.conf
- notify: Restart ntp
-
-- name: Start the ntp service
- service: name=ntp state=started enabled=yes
+- name: Setup ntpd
+ include_tasks: ntp.yml
+ when:
+ - ntp_use_chrony is skipped
diff --git a/roles/ntp/tasks/ntp.yml b/roles/ntp/tasks/ntp.yml
index 0000000..6913b3d
--- /dev/null
+++ b/roles/ntp/tasks/ntp.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Install ntp
+ apt: name=ntp
+
+- name: Configure ntp
+ template: src=ntp.conf.j2 dest=/etc/ntp.conf
+ notify: Restart ntp
+
+- name: Start the ntp service
+ service: name=ntp state=started enabled=yes
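Review bot: chrony.yml never asserts that the chrony service is started and enabled, whereas the ntpd path it replaces (ntp.yml, `Start the ntp service`) does; a guest whose chrony unit was stopped or disabled stays that way, because the `Restart chrony` handler only fires when the template changes, so I would add a service task after `Configure chronyd` (below). In the `Install chrony` task, `state: latest` upgrades the package on every run and turns a convergence run into an unreviewed upgrade; `state: present` keeps upgrades a deliberate step. `install_recommends: no` and `create: yes` are YAML 1.1 truthies and are clearer as `false` / `true`. The `when` on `Load kmod ptp_kvm at boot time` repeats the guest/kvm condition under which main.yml includes this file, so it appears never to be skipped from this role; if its purpose is only to make `load_ptp_kvm` a reliable flag for the template, a comment saying so would spare the next reader that question.
```yaml
# … unchanged: Install chrony, ptp_kvm and Configure chronyd tasks …
- name: Ensure chrony is running and enabled
  service:
    name: chrony
    state: started
    enabled: true
```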
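Review bot: The `Setup ntpd` task's condition depends on `register: ntp_use_chrony` attached to an `include_tasks` task, and I believe an include only reliably yields a registered result when it is skipped; when the include actually runs, whether `ntp_use_chrony` ends up defined varies with the Ansible version, and `ntp_use_chrony is skipped` then errors on an undefined variable instead of quietly skipping. The decision is already fully determined by facts, so the second task should test them directly and drop the register: `when: not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm')`. The header comment has a typo, `wich` → `which`.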
diff --git a/roles/ntp/templates/chrony.conf.j2 b/roles/ntp/templates/chrony.conf.j2
new file mode 100644
index 0000000..f719977
--- /dev/null
+++ b/roles/ntp/templates/chrony.conf.j2
@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+
+{% if not (load_ptp_kvm is skipped) %}
+refclock PHC /dev/ptp0 poll 2
+{% elif ntp_servers is defined %}
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% else %}
+pool 2.debian.pool.ntp.org iburst
+{% endif %}
+
+{% if ntp_peers is defined %}
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+keyfile /etc/chrony/chrony.keys
+driftfile /var/lib/chrony/chrony.drift
+logdir /var/log/chrony
+maxupdateskew 100.0
+rtcsync
+makestep 1 3
+
+# Do not allow chronyc for security reasons
+cmdport 0
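Review bot: The comment above `cmdport 0` promises more than the directive delivers: `cmdport 0` closes chronyd's UDP command port (323) only, and as far as I know chronyc still works for root through chronyd's Unix domain socket, so this reduces network exposure rather than blocking chronyc. I would reword it to `# Disable the UDP command port (323); root can still use chronyc over the Unix socket`. In the PHC branch the rendered config contains no `server`/`pool` at all, so the guest follows the hypervisor clock with nothing to cross-check it and no fallback if `/dev/ptp0` is absent; worth confirming that is intended, and `/dev/ptp0` assumes the KVM clock is the first PHC in the guest, which may not hold when another PTP-capable device exists. The `load_ptp_kvm is skipped` test also assumes this template is only rendered from chrony.yml after that task has run; with `load_ptp_kvm` undefined the `skipped` test should raise instead of falling through to the NTP branches.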