Chapter 27. Configuring time synchronization by using the timesync RHEL system role
With the timesync RHEL system role, you can manage time synchronization on multiple target machines on RHEL using Red Hat Ansible Automation Platform.
27.1. The timesync RHEL system role
You can manage time synchronization on multiple target machines using the timesync RHEL system role.
The timesync role installs and configures an NTP or PTP implementation to operate as an NTP client or PTP replica in order to synchronize the system clock with NTP servers or grandmasters in PTP domains.
Note that using the timesync role also facilitates migrating to chrony, because you can use the same playbook on all versions of Red Hat Enterprise Linux starting with RHEL 6, regardless of whether the system uses ntp or chrony to implement the NTP protocol.
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.timesync/README.md file
- /usr/share/doc/rhel-system-roles/timesync/ directory
27.2. Variables of the timesync system role
You can pass the following variable to the timesync role:
- timesync_ntp_servers:
Role variable settings | Description |
---|---|
hostname: host.example.com | Hostname or address of the server |
minpoll: number | Minimum polling interval. Default: 6 |
maxpoll: number | Maximum polling interval. Default: 10 |
iburst: yes | Flag enabling fast initial synchronization. Default: no |
pool: yes | Flag indicating that each resolved address of the hostname is a separate NTP server. Default: no |
nts: yes | Flag to enable Network Time Security (NTS). Default: no. Supported only with chrony >= 4.0. |
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.timesync/README.md file
- /usr/share/doc/rhel-system-roles/timesync/ directory
27.3. Applying the timesync system role for a single pool of servers
The following example shows how to apply the timesync role in a situation with just one pool of servers.
The timesync role replaces the configuration of the given or detected provider service on the managed host. Previous settings are lost, even if they are not specified in the role variables. The only preserved setting is the choice of provider if the timesync_ntp_provider variable is not defined.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
- The account you use to connect to the managed nodes has sudo permissions on them.
Procedure
Create a playbook file, for example ~/playbook.yml, with the following content:
```yaml
---
- name: Manage time synchronization
  hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.timesync
  vars:
    timesync_ntp_servers:
      - hostname: 2.rhel.pool.ntp.org
        pool: yes
        iburst: yes
```
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.timesync/README.md file
- /usr/share/doc/rhel-system-roles/timesync/ directory
27.4. Applying the timesync system role on client servers
You can use the timesync role to enable Network Time Security (NTS) on NTP clients. Network Time Security (NTS) is an authentication mechanism specified for Network Time Protocol (NTP). It verifies that NTP packets exchanged between the server and client are not altered.
The timesync role replaces the configuration of the given or detected provider service on the managed host. Previous settings are lost even if they are not specified in the role variables. The only preserved setting is the choice of provider if the timesync_ntp_provider variable is not defined.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
- The account you use to connect to the managed nodes has sudo permissions on them.
- The chrony NTP provider version is 4.0 or later.
Procedure
Create a playbook file, for example ~/playbook.yml, with the following content:
```yaml
---
- name: Enable Network Time Security on NTP clients
  hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.timesync
  vars:
    timesync_ntp_servers:
      - hostname: ptbtime1.ptb.de
        iburst: yes
        nts: yes
```
ptbtime1.ptb.de is an example of a public server. You may want to use a different public server or your own server.
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Verification
Perform a test on the client machine:
```
# chronyc -N authdata
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=====================================================================
ptbtime1.ptb.de              NTS     1   15  256  157    0    0    8  100
```
- Check that the number of reported cookies is larger than zero.
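The verification step above can be scripted so that it fails loudly across many managed nodes. The following is an added example, not part of the original documentation: the function names `sample_authdata` and `nts_failures` are hypothetical, the sample rows other than ptbtime1.ptb.de are constructed, and the check goes slightly beyond the page by also requiring the Mode column to read NTS.

```shell
#!/bin/sh
# Constructed sample of `chronyc -N authdata` output (not captured from a host).
sample_authdata() {
cat <<'EOF'
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=====================================================================
ptbtime1.ptb.de              NTS     1   15  256  157    0    0    8  100
nts-stalled.example.com      NTS     0    0    0    -    3    0    0    0
plain-ntp.example.com          -     0    0    0    -    0    0    0    0
EOF
}

# Reads authdata output on stdin and prints one line per source that is not
# in NTS mode or holds no NTS cookies. Exit status is 1 if anything is
# printed, including when no source rows could be parsed at all (for
# example, chronyd is not running and chronyc printed only an error).
nts_failures() {
    awk '
        /^=+$/ { body = 1; next }    # data rows start after the separator
        !body || NF < 10 { next }    # skip header, blank and short lines
        {
            name = $1; mode = $2; cook = $9
            if (mode != "NTS") {
                print name ": mode " mode ", not NTS"; bad = 1
            } else if (cook + 0 <= 0) {
                print name ": NTS but no cookies"; bad = 1
            } else {
                ok++
            }
        }
        END {
            if (!bad && ok == 0) { print "no sources parsed"; bad = 1 }
            exit bad + 0
        }
    '
}

# Stand-alone demonstration on the constructed sample. On a managed node,
# feed real output instead:  chronyc -N authdata | nts_failures
sample_authdata | nts_failures || true
```

A source that stays in NTS mode with zero cookies has not completed NTS key establishment, so its time is not being authenticated even though the playbook applied cleanly.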
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.timesync/README.md file
- /usr/share/doc/rhel-system-roles/timesync/ directory