From 8b875ad228294c8954bca1b647b401e1cb29b4b7 Mon Sep 17 00:00:00 2001
From: Marcin Dulinski
Date: Wed, 22 Nov 2023 09:17:15 +0000
Subject: [PATCH] Fixed chrony configuration options
Signed-off-by: Marcin Dulinski
---
 defaults/main.yml | 3 +++
 templates/etc/chrony.conf.j2 | 22 ++++++++++++----------
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 0bc0137..ff21216 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -449,6 +449,9 @@ rhel9cis_time_synchronization_servers:
 - 2.pool.ntp.org
 - 3.pool.ntp.org
 rhel9cis_chrony_server_options: "minpoll 8"
+rhel9cis_chrony_server_rtcsync: false
+rhel9cis_chrony_server_makestep: "1.0 3"
+rhel9cis_chrony_server_minsources: 2
 ### 2.2 Special Purposes
 ##### Service configuration booleans set true to keep service
diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2
index 54c1b6c..a1837a9 100644
--- a/templates/etc/chrony.conf.j2
+++ b/templates/etc/chrony.conf.j2
@@ -1,4 +1,4 @@
-## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+## {{ ansible_managed }}
 # This the default chrony.conf file for the Debian chrony package. After
 # editing this file use the command 'invoke-rc.d chrony restart' to make
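Review bot: In defaults/main.yml the three new variables are added without any comment, and `rhel9cis_chrony_server_rtcsync: false` makes the template render `#rtcsync`, so the hardware clock is not kept in step with the system clock unless the operator opts in. As far as I know the stock RHEL chrony.conf ships with `rtcsync` enabled, so a default of `true` would be the less surprising choice; a host whose RTC has drifted boots with wrong timestamps until the first sync, which affects log correlation and certificate or Kerberos validity checks. Whichever default is kept, I would put one line above each variable: `# true renders 'rtcsync' (kernel copies system time to the RTC); false leaves it commented out`, `# Arguments for 'makestep': step threshold in seconds, then number of updates it applies to`, `# Minimum number of selectable sources before chronyd adjusts the clock`.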
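Review bot: In the first hunk of templates/etc/chrony.conf.j2, `## {{ ansible_managed }}` comments out only the first line of the value. If `ansible_managed` is configured as a multi-line string, the remaining lines are written to chrony.conf as bare text, which chronyd would presumably reject as unknown directives and leave the host without time synchronisation. The `comment` filter prefixes every line, so I would write the header as `{{ ansible_managed | comment }}`.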
@@ -27,19 +27,21 @@ server {{ server }} {{ rhel9cis_chrony_server_options }}
 # password is generated by a random process at install time. You may
 # change it if you wish.
-keyfile /etc/chrony/chrony.keys
+keyfile /etc/chrony.keys
-# Set runtime command key. Note that if you change the key (not the
-# password) to anything other than 1 you will need to edit
-# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
-# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
-commandkey 1
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep {{ rhel9cis_chrony_server_makestep }}
-# I moved the driftfile to /var/lib/chrony to comply with the Debian
-# filesystem standard.
+# Enable kernel synchronization of the real-time clock (RTC).
+{% if not rhel9cis_chrony_server_rtcsync %}#{% endif %}rtcsync
-driftfile /var/lib/chrony/chrony.drift
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+minsources {{ rhel9cis_chrony_server_minsources }}
 # Comment this line out to turn off logging.
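Review bot: `minsources {{ rhel9cis_chrony_server_minsources }}` is emitted without regard to how many `server` lines the loop named in the hunk header (outside this hunk) produces. With the new default of 2, a site that overrides `rhel9cis_time_synchronization_servers` with a single internal server gets a chronyd that has a source but never adjusts the clock, which surfaces later as skewed log timestamps and failed time-bound checks rather than as a failed play. Requiring two selectable sources is a sound hardening default, so I would keep it and fail early instead, with an `ansible.builtin.assert` in the role's tasks (not part of this patch) on `rhel9cis_time_synchronization_servers | length >= rhel9cis_chrony_server_minsources | int`. Both `makestep` and `minsources` are also written unconditionally, so an empty override renders a directive with no argument; a guard such as `{% if rhel9cis_chrony_server_makestep %}` around the line would avoid that. Small wording fix in the new driftfile comment: `gains/loses time`.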