Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-ntpd', '6.7.0'
Learn more about managing modules with a Puppetfile
pupmod-simp-ntpd
Description
Set up ntpd in either standalone or server mode.
Setup
What ntpd affects
Manages the following:
- ntp package
- ntp user/group
- ntpd service
- These files and directories:
  - /etc/ntp.conf
  - /etc/ntp/
  - /etc/ntp/keys
  - /etc/sysconfig/ntpd
  - /var/lib/ntp
Usage
class { 'ntpd': }
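A fuller declaration than the minimal one above, added here as an example and not taken from the module's own documentation: an internal time server that restricts queries by default and opens service only to named networks. The host names, networks and the `lab_clients` title are constructed placeholders, and `firewall => true` assumes the optional simp-iptables module mentioned in the changelog is installed.

```puppet
# Added example: internal time server built only from parameters documented
# on this page. Host names and networks are constructed placeholders.
class { 'ntpd':
  # Upstream sources. An empty option list falls back to $default_options.
  servers                => {
    'time1.example.test' => ['iburst', 'minpoll 4', 'prefer'],
    'time2.example.test' => [],
  },

  # Keep the monitoring facility off (the module default). This is the
  # safeguard for restrict lines that do not carry 'noquery'.
  disable_monitor        => true,

  # Restrictive posture for any source not matched by a narrower rule.
  default_restrict       => ['kod', 'nomodify', 'notrap', 'nopeer', 'noquery'],
  default_restrict6      => ['kod', 'nomodify', 'notrap', 'nopeer', 'noquery'],

  # Only loopback gets unrestricted access (these are the defaults).
  admin_hosts            => ['127.0.0.1'],
  admin_hosts6           => ['::1'],

  # Setting trusted_nets enables the default ntpd::allow entry; without it
  # default_restrict_rules and firewall have no effect.
  trusted_nets           => ['10.20.0.0/16'],
  default_restrict_rules => ['nomodify', 'notrap', 'nopeer', 'noquery'],
  firewall               => true,

  # extra_content and config_content stay unset: the first is unvalidated
  # and the second causes all other ntpd options to be ignored.
}

# A second client range, declared separately with its own restrict rules.
ntpd::allow { 'lab_clients':
  trusted_nets => ['192.0.2.0/24'],
  rules        => ['nomodify', 'notrap', 'nopeer', 'noquery'],
  firewall     => true,
}
```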
Reference
See the Reference Documentation for full details
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise
Linux and compatible distributions, such as CentOS. Please see the
metadata.json file for the most up-to-date list of
supported operating systems, Puppet versions, and module dependencies.
Development
Please read our Contribution Guide.
If you find any issues, they can be submitted to our JIRA.
Reference
Table of Contents
Classes
- ntpd: Set up ntpd in either standalone or server mode
- ntpd::ntpdate: Manage the setup of ntpdate
Defined types
- ntpd::allow: Allow access to this server from a particular address or netmask
Data types
- Ntpd::Discard: ntp discard options
- Ntpd::Restrict: ntp restrict options
- Ntpd::Servers: ntp servers can be an array of servers or a hash where the keys are servers and the values are an array of options
Classes
ntpd
Set up ntpd in either standalone or server mode
- See also
- ntp.conf(5)
Parameters
The following parameters are available in the ntpd class:
ntpd_options
servers
stratum
logconfig
broadcastdelay
default_options
default_restrict
default_restrict6
admin_hosts
admin_hosts6
discard
disable_monitor
manage_ntpdate
trusted_nets
default_restrict_rules
firewall
ntpdate_servers
ntpdate_sync_hwclock
ntpdate_retry
ntpdate_options
use_local_clock
auditd
package_ensure
extra_content
config_content
ntpd_options
Data type: String[1]
Options for the ntp daemon, put into /etc/sysconfig/ntpd
Default value: '-g'
servers
Data type: Ntpd::Servers
An array of servers or a Hash of server/option pairs providing details for the NTP servers that this system should synchronize with
- Example:
servers => {
  'time.local.net' => ['iburst','minpoll 4', 'prefer'],
  # This one will just use $default_options
  'time.other.net' => []
}
Default value: simplib::lookup('simp_options::ntp::servers', { 'default_value' => simplib::lookup('simp_options::ntpd::servers', { 'default_value' => {} }) })
stratum
Data type: Integer[0]
The stratum for this system
- This only comes into play if no external servers are defined and the stratum has to be fudged
Default value: 2
logconfig
Data type: Array[String[1]]
A list of options for refining the system log output
Default value: ['=syncall','+clockall']
broadcastdelay
Data type: Numeric
Default calibration delay
Default value: 0.004
default_options
Data type: Array[String[1]]
The default options that will be added to all servers
- Set to an empty array to disable
Default value: ['minpoll 4','maxpoll 4','iburst']
default_restrict
Data type: Array[Ntpd::Restrict]
The default IPv4 restrict options
Default value: ['kod', 'nomodify', 'notrap', 'nopeer', 'noquery']
default_restrict6
Data type: Array[Ntpd::Restrict]
The default IPv6 restrict options
Default value: $default_restrict
admin_hosts
Data type: Array[Simplib::IP::V4]
Hosts that are allowed unrestricted access via IPv4
Default value: ['127.0.0.1']
admin_hosts6
Data type: Array[Simplib::IP::V6]
Hosts that are allowed unrestricted access via IPv6
Default value: ['::1']
discard
Data type: Optional[Ntpd::Discard]
An optional hash that can be used to set the average, minimum and
monitor options for discard
Default value: undef
disable_monitor
Data type: Boolean
Disable the monitoring facility to prevent amplification attacks using the
ntpdc monlist command when default restrict does not include the noquery flag
- See CVE-2013-5211 for details
Default value: true
manage_ntpdate
Data type: Boolean
Manage ntpdate settings
Default value: true
trusted_nets
Data type: Optional[Simplib::Netlist]
Setting this to an Array of networks/hostnames that you trust for
communication will enable a default ntpd::allow entry so that remote
systems can query this system for time.
Default value: undef
default_restrict_rules
Data type: Optional[Array[Ntpd::Restrict]]
Set to an Array of restrict rules of your choosing
- Has no effect if $trusted_nets is not set
Default value: undef
firewall
Data type: Boolean
Enable management of the firewall in relation to inbound communication
- Has no effect if $trusted_nets is not set
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false})
ntpdate_servers
Data type: Ntpd::Servers
NTP servers that are used in the ntpdate script at startup
Default value: $servers
ntpdate_sync_hwclock
Data type: Boolean
Set to true to sync hw clock after successful ntpdate. Set in /etc/sysconfig/ntpdate
Default value: true
ntpdate_retry
Data type: Integer[0]
Number of retries before giving up. Set in /etc/sysconfig/ntpdate
Default value: 2
ntpdate_options
Data type: String[1]
Options for ntpdate. Set in /etc/sysconfig/ntpdate
Default value: '-p 2'
use_local_clock
Data type: Boolean
Set the local clock in the server and fudge lists
Default value: true
auditd
Data type: Boolean
Enable auditd monitoring of the ntp configuration files
- This probably isn't needed in most cases since Puppet controls these files, but some systems require it
Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false})
package_ensure
Data type: String
ensure parameter for the ntp package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
extra_content
Data type: Optional[String[1]]
An unvalidated String that will be appended to the configuration file
Default value: undef
config_content
Data type: Optional[String[1]]
The entire content of the configuration file. ALL OTHER ntpd CONFIGURATION OPTIONS WILL BE IGNORED.
- NOTE: Calls to ntpd::allow will still add restrict lines to the configuration.
Default value: undef
ntpd::ntpdate
Manage the setup of ntpdate
Defined types
ntpd::allow
Allow access to this server from a particular address or netmask
Parameters
The following parameters are available in the ntpd::allow defined type:
rules
Data type: Optional[Variant[ String[1],Array[Ntpd::Restrict] ]]
A standard ntpd.conf restrict rule (notrust, etc...)
Default value: undef
trusted_nets
Data type: Simplib::Netlist
Networks and Hosts to allow
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1'] })
firewall
Data type: Boolean
If enabled, allow connections from trusted_nets
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false})
Data types
Ntpd::Discard
ntp discard options
Alias of
Struct[{
Optional[average] => Integer[0],
Optional[minimum] => Integer[0],
Optional[monitor] => Integer[1]
}]
Ntpd::Restrict
ntp restrict options
Alias of
Enum['flake', 'ignore', 'kod', 'limited', 'lowpriotrap', 'mssntp', 'nomodify', 'non-ntpport', 'nopeer', 'noquery', 'noserve', 'notrap', 'notrust', 'ntpport', 'version']
Ntpd::Servers
ntp servers can be an array of servers or a hash where the keys are servers and the values are an array of options
Alias of
Variant[Array[String], Hash[String, Array[String]]]
- Mon Nov 29 2021 Kendall Moore kendall@sicura.us - 6.7.0
- Allow for disabling of local time source for server and fudge lists
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.6.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Wed Feb 24 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.2
- Fix an issue where ntp::allow::rules was not being honored
- Tue Feb 02 2021 Liz Nemsick lnemsick.simp@gmail.com - 6.5.2
- Add simp_options::ntp::servers to the default lookup list for ntpd::servers.
- Mon Jan 11 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.5.2
- Removed EL6 support
- Thu Dec 19 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.1-0
- Move simp-auditd and simp-iptables to optional dependencies
- Updated REFERENCE.md
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.5.1-0
- Add support for puppetlabs-concat 6.x
- Fri Jul 05 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.5.0-0
- Add v2 compliance_markup data
- Add support for puppetlabs-stdlib 6
- Mon Jun 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.0-0
- Drop Puppet 4 support
- Add ability for users to enable a default server capability directly from Hiera
- Fix minor typos in some templates
- Add REFERENCE.md
- Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.1-0
- Use simplib::nets2ddq in lieu of deprecated Puppet 3 nets2ddq
- Wed Mar 06 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0-0
- Validated Puppet 6 support
- Ensure that users can change the default 'restrict' parameters
- Allow users to add arbitrary extra content to the ntpd.conf
- Allow users to define the entire ntpd.conf content
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.0-0
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated a URL in the README.md
- Wed Nov 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0
- Update badges in README.md
- Mon Sep 24 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0
- Removed nodeset symlink
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0
- Update Hiera 4 to Hiera 5
- Mon Aug 27 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0
- Fixed bug in which ntpd::ntpd_options was not applied to ntpd::servers when ntpd::servers is an array.
- Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.1-0
- Add support for Puppet 5 and OEL
- Fri Jun 15 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1-0
- Update version range of auditd dependency in metadata.json
- Removed unneeded fixtures
- Thu Mar 08 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.0-0
- Manage ntpdate via ntpd::ntpdate
  - Manage /etc/ntp/step-tickers
  - Manage /etc/sysconfig/ntpdate
    - New params ntpdate_sync_hwclock, ntpdate_retry, and ntpdate_options should cover all options from RedHat
    - SYNC_HWCLOCK=yes is now set here instead of /etc/sysconfig/ntp
- Add $package_ensure parameter to control the ntp package version
- Move some multiline strings into variables (style recommendation)
- The module now only requires one puppet run to apply completely
- Added essential-level acceptance test
- Fri Feb 09 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0
- Update upperbound on puppetlabs/concat version to < 5.0.0
- Wed Nov 22 2017 Steven Pritchard steven.pritchard@onyxpoint.com - 6.1.0-0
- Documentation updates
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.3-0
- Update concat version in metadata.json
- Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.2-0
- Update puppet dependency in metadata.json
- Tue Mar 28 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.1-0
- ntpd::servers now pulls from simp_options as expected
- Fri Dec 16 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 6.0.0-0
- Update Global Catalysts
- Strongly type parameters
- Remove trailing spaces
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0
- update requirement versions
- Mon Nov 21 2016 SIMP-Team https://groups.google.com/forum/#!forum/simp - 5.0.0-0
- Updated module for compliance markup API v1.0.0 compatibility.
- Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Updated iptables dependency version
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-10
- Added compliance function support
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-9
- migration to simplib and simpcat (lib/ only)
- Mon Jul 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Updated the default restrict options to be more restrictive.
- Ref: https://access.redhat.com/articles/1305723
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6
- Changed puppet-server requirement to puppet
- Wed Dec 17 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5
- NTP allow files should use DDQ format for restrict entries.
- Tue Oct 07 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4
- Removed /etc/ntp/ntpservers and added the logic into the main ntp configuration file.
- Removed /etc/ntp/step-tickers management
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-3
- Removed MD5 file checksums for FIPS compliance.
- Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Added support for 'disable_monitor' to fix CVE-2013-5211.
- Thu Jun 12 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-2
- Ntp servers can now be passed in as an array of server names or a hash of server => 'option' pairs.
- Sat Apr 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Restructured the entire ntpd module.
- Added spec tests.
- Sat Feb 15 2014 Kendall Moore kmoore@keywcorp.com 4.1.0-0
- Converted all string booleans to native booleans.
- Tue Jan 28 2014 Kendall Moore kmoore@keywcorp.com 4.0.0-5
- Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com 4.0.0-4
- Updated all erb templates to properly scope variables.
- Thu Jun 07 2012 Maintenance 4.0.0-3
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 4.0.0-2
- Improved test stubs.
- Mon Dec 26 2011 Maintenance 4.0.0-1
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
- Mon Nov 07 2011 Maintenance 4.0.0-0
- Fixed call to rsyslog restart for RHEL6.
- Tue Aug 23 2011 Maintenance - 2.0.0-2
- Updated to set $address = nil by default in ntpd::server::allow.
- Thu May 12 2011 Maintenance - 2.0.0-1
- Updated ntp configuration to properly set /etc/ntp/ntpservers as well as the ability to set server options.
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Updated to use concat_build and concat_fragment types.
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Fri Dec 10 2010 Maintenance - 1-3
- Ensure that the local stratus is set to 20 instead of 10.
- Added a 'networks' option to ntpd::server::allow that can take an array of DDQ entries to set the various servers.
- Added the ability to configure a standalone NTP server and properly spoof the stratum advertised. See the ntpd::stock space for example functional usage.
- Tue Oct 26 2010 Maintenance - 1-2
- Converting all spec files to check for directories prior to copy.
- Wed Jun 30 2010 Maintenance 1.0-1
- Fixed a problem in ntp.allow.erb where the 'mask' value was not being set properly.
- Fri May 21 2010 Maintenance 1.0-0
- Code refactor and doc update.
- Tue Nov 24 2009 Maintenance 0.1-10
- ntpd::server now allows an array of client networks.
Dependencies
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/simplib (>= 3.8.0 < 5.0.0)
pupmod-simp-ntpd - A Puppet Module for managing NTPD
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law.
The US Government retains the right to pursue copyright protections outside of the United States.
The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.