Add seed code for ansible-role-ntp

[ta/ansible-role-ntp.git] / 0001-initial.patch

diff --git a/handlers/main.yml b/handlers/main.yml
index d18df56..6b58a86 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,3 +1,14 @@
 ---
+- name: add ntp keys
+  ntp:
+    auth_type: "{{ time.auth_type }}"
+    ntpservers: "{{ ntp_config_server }}"
+    hosts: "{{ hosts }}"
+    filepath: "{{ time.serverkeys_path }}"
+
+- name: create redundant fallback ntp servers
+  fallback_ntp_servers:
+    hosts: "{{ hosts }}"
+
 - name: restart ntp
   service: name={{ ntp_service_name }} state=restarted
diff --git a/library/fallback_ntp_servers.py b/library/fallback_ntp_servers.py
new file mode 100644
index 0000000..7d7907e
--- /dev/null
+++ b/library/fallback_ntp_servers.py
@@ -0,0 +1,73 @@
+#!/bin/python
+# Copyright (C) 2017 Nokia
+# All rights reserved
+
+from ansible.module_utils.basic import AnsibleModule
+import socket
+
+DOCUMENTATION = '''
+module: fallback_ntp_servers
+short_description: adding peers and fallback option
+description: Adding peers and an optional fallback option to the controllers.
+author: nokia.com
+options:
+    option-name: hosts
+    description: a list of controller hostnames
+    type: list
+'''
+
+def get_hostname():
+    return socket.gethostname().split('.')[0]
+
+def get_controllers(hosts):
+    controllers = []
+    for item in hosts:
+        if "controller" in hosts[item]['service_profiles']:
+            controllers.append(item)
+    return controllers
+
+def is_installation_host(hosts):
+    hostname = get_hostname()
+    try:
+        if hosts[hostname]['installation_host']:
+            return True
+    except KeyError:
+        return False
+    return False
+
+def add_peers(hosts):
+    hosts.remove(get_hostname())
+    with open("/etc/ntp.conf") as cnf:
+        content = cnf.readlines()
+    for index, line in enumerate(content):
+        if "server" in line:
+            for peer in hosts:
+                content.insert(index, "peer  %s\n" % peer)
+            break
+    with open("/etc/ntp.conf", "w") as cnf:
+        for line in content:
+            cnf.write(line)
+
+def add_fallback(hosts):
+    if is_installation_host(hosts):
+        with open("/etc/ntp.conf") as cnf:
+            content = cnf.readlines()
+        for index, line in enumerate(content):
+            if "peer" in line:
+                content.insert(index, "fudge  127.127.1.0  stratum  10\n")
+                break
+        with open("/etc/ntp.conf", "w") as cnf:
+            for line in content:
+                cnf.write(line)
+
+def main():
+    module_args = dict(hosts=dict(type='dict', required=True))
+    module = AnsibleModule(argument_spec=module_args)
+    controllers = get_controllers(module.params['hosts'])
+    if get_hostname() in controllers:
+        add_peers(controllers)
+        add_fallback(module.params['hosts'])
+    module.exit_json(msg="configured")
+
+if __name__ == "__main__":
+    main()
diff --git a/library/ntp.py b/library/ntp.py
new file mode 100644
index 0000000..cef833e
--- /dev/null
+++ b/library/ntp.py
@@ -0,0 +1,476 @@
+#!/bin/python
+# Copyright (C) 2018 Nokia
+# All rights reserved
+
+import re
+import os
+from subprocess import check_output, CalledProcessError
+from ansible.module_utils.basic import AnsibleModule
+import socket
+import yaml
+import random
+import string
+import requests
+from urlparse import urlparse
+
+DOCUMENTATION = '''
+module: ntp
+short_description: configuring authentication
+description: Configuring the authentication of NTP servers.
+author: nokia.com
+options:
+    option-name: auth_type
+        description: the authentication type used by the server
+        type: string
+        choices: crypto, symmetric, none
+        default: crypto
+    option-name: hosts
+        description: a list of the controllers, in order to decide if the script is executed on controller or compute host
+        type: list
+    option-name: ntpservers
+        description: a list the NTP servers
+        type: list
+    option-name: filepath
+        description: the url of the required keys
+        type: string
+        default: empty string
+'''
+
+def get_hostname():
+    return socket.gethostname().split('.')[0]
+
+def get_controllers(hosts):
+    controllers = []
+    for item in hosts:
+        if "controller" in hosts[item]['service_profiles']:
+            controllers.append(item)
+    return controllers
+
+crypto_keys_dir = "/etc/ntp/crypto"
+crypto_parameter_file = crypto_keys_dir + "/params"
+symmetric_key_file = "/etc/ntp/keys"
+
+class KeyAuthDisabled(Exception):
+    pass
+
+class SymmetricKeyNotFound(Exception):
+    pass
+
+class NtpCryptoKeyHandler(object):
+    supported_types = {"iff": "ntpkey_iffkey_", "mv": "ntpkey_mvta_", "mvta": "ntpkey_mvta_", "gq": "ntpkey_gqkey_"}
+
+    def del_key(self, server, type):
+        filename = "%s/%s" % (crypto_keys_dir, self._get_filename(type, server))
+        os.remove(filename)
+        with open("/etc/ntp.conf") as cnf:
+            content = cnf.readlines()
+        regex = re.compile("\Aserver\s+%s\s+autokey" % server)
+        for index, line in enumerate(content):
+            if re.match(regex, line) is not None:
+                content.pop(index)
+                content.insert(index, "server %s\n" % server)
+        with open("/etc/ntp.conf", "w") as cnf:
+            for line in content:
+                cnf.write(line)
+
+    def add_key(self, servers):
+        self._remove_symmetric_keys()
+        self._enable_crypto_auth()
+        self._copy_keys(servers)
+        self._remove_old_client_keys(servers)
+        self._create_client_key()
+        self.set_key_permissions()
+
+    def update_client_certificate(self):
+        passwd = self._create_client_password()
+        os.system("cd %s; ntp-keygen -q %s" % (crypto_keys_dir, passwd))
+
+    def _enable_crypto_auth(self):
+        self._create_client_password()
+        with open("/etc/ntp.conf") as cnf:
+            content = cnf.readlines()
+        includefile_is_correct = False
+        keysdir_is_correct = False
+        for index, line in enumerate(content):
+            if line.startswith("crypto"):
+                content.pop(index)
+            elif line.startswith("includefile"):
+                self.replace_line_in_ntpconf(line, content, index, "includefile", crypto_parameter_file)
+                includefile_is_correct = True
+            elif line.startswith("keysdir"):
+                self.replace_line_in_ntpconf(line, content, index, "keysdir", crypto_keys_dir)
+                keysdir_is_correct = True
+        if not includefile_is_correct:
+            content.append("includefile %s\n" % crypto_parameter_file)
+        if not keysdir_is_correct:
+            content.append("keysdir %s\n" % crypto_keys_dir)
+        with open("/etc/ntp.conf", "w") as cnf:
+            for line in content:
+                cnf.write(line)
+
+    def replace_line_in_ntpconf(self, line, filecontent, index, linestarting, lineparameter):
+        if line.split()[1] != lineparameter:
+            filecontent.pop(index)
+            filecontent.insert(index, "%s %s\n" % (linestarting, lineparameter))
+
+    def _create_client_password(self):
+        if not os.path.exists(crypto_parameter_file):
+            os.mknod(crypto_parameter_file)
+        with open(crypto_parameter_file) as param:
+            content = param.readlines()
+        for line in content:
+            match = re.match(re.compile("\Acrypto\s+pw\s+"), line)
+            if match is not None:
+                return line.split(None, 2)[2]
+        randstr = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)])
+        content.append("crypto pw %s\n" % randstr)
+        with open(crypto_parameter_file, "w") as param:
+            for line in content:
+                param.write(line)
+        return randstr
+
+    def _remove_symmetric_keys(self):
+        with open(symmetric_key_file, "w") as obj:
+            obj.truncate()
+
+    def _remove_old_client_keys(self, servers):
+        present_files = os.listdir(crypto_keys_dir)
+        possible_needed_files = [os.path.basename(crypto_parameter_file), os.path.basename(symmetric_key_file)]
+        for srv in servers:
+            possible_needed_files = possible_needed_files + self._get_all_supported_filenames(srv['server'])
+        for f in possible_needed_files:
+            try:
+                present_files.remove(f)
+            except ValueError:
+                pass
+        for f in present_files:
+            os.remove("%s/%s" % (crypto_keys_dir, f))
+
+    def _create_client_key(self):
+        clientpassword = self._create_client_password()
+        os.system("cd %s; ntp-keygen -H -c RSA-SHA1 -p %s" % (crypto_keys_dir, clientpassword))
+
+    def _copy_keys(self, servers):
+        print "copying keys"
+        for srv in servers:
+            self._remove_old_versions_of_key(str(srv["server"]))
+            filename = self._get_filename(str(srv["key"]["type"]), str(srv["server"]))
+            if not os.path.exists(filename):
+                os.mknod(filename)
+            with open("%s/%s" % (crypto_keys_dir, filename), "w") as keyfile:
+                for key in srv["key"]["keys"]:
+                    keyfile.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\n")
+                    keyfile.write("%s\n" % key)
+                    keyfile.write("-----END ENCRYPTED PRIVATE KEY-----\n")
+
+    def _get_filename(self, type, server):
+        filename = "%s%s" % (NtpCryptoKeyHandler.supported_types[type], server)
+        return filename
+
+    def _get_all_supported_filenames(self, server):
+        filenames = []
+        for type in NtpCryptoKeyHandler.supported_types:
+            filenames.append(self._get_filename(type, server))
+        return filenames
+
+    def _remove_old_versions_of_key(self, server):
+        possible_filenames = self._get_all_supported_filenames(server)
+        for key in possible_filenames:
+            try:
+                os.remove("%s/%s" % (crypto_keys_dir, key))
+            except OSError:
+                pass
+
+    def set_key_permissions(self):
+        dircontent = os.listdir(crypto_keys_dir)
+        for f in dircontent:
+            os.chmod("%s/%s" % (crypto_keys_dir, f), 0600)
+
+
+class NtpSymmetricKeyHandler(object):
+
+    def add_key(self, key, server):
+        keys_file = symmetric_key_file
+        if not self._is_symmetric_key_auth_enabled():
+            self.enable_symmetric_key_auth(keys_file)
+        else:
+            keys_file = self._get_symmetric_key_file()
+        try:
+            key_id = self._get_symmetric_key_id(key, keys_file)
+        except SymmetricKeyNotFound:
+            key_id = self._find_highest_id(keys_file) + 1
+            with open(keys_file, "a") as keys:
+                keys.write("# %s\n" % server)
+                keys.write("%s  M  %s\n" % (key_id, key))
+        self._add_trustedkey(key_id)
+        self._add_controlkey(key_id)
+        self._add_requestkey(key_id)
+
+    def _enable_key_in_ntpconf(self, old, key_id):
+        is_replaced = False
+        key_id = str(key_id)
+        with open("/etc/ntp.conf", "r") as file:
+            buff = file.readlines()
+            for index, line in enumerate(buff):
+                if (line.startswith(old)) and (key_id not in line):
+                    buff[index] = line.rstrip('\n') + "  " + str(key_id) + "\n"
+                    is_replaced = True
+                    break
+                elif (line.startswith(old)) and (key_id in line):
+                    is_replaced = True
+                    break
+        if is_replaced:
+            with open("/etc/ntp.conf", "w") as file:
+                for line in buff:
+                    file.write(line)
+        else:
+            with open("/etc/ntp.conf", "a") as file:
+                file.write("%s  %s\n" % (old, str(key_id)))
+
+    def _add_trustedkey(self, key_id):
+        self._enable_key_in_ntpconf("trustedkey", str(key_id))
+
+    def _add_controlkey(self, key_id):
+        self._enable_key_in_ntpconf("controlkey", str(key_id))
+
+    def _add_requestkey(self, key_id):
+        self._enable_key_in_ntpconf("requestkey", str(key_id))
+
+    def _find_highest_id(self, keys_file):
+        ids = []
+        with open(keys_file) as keys:
+            for o in keys.readlines():
+                id = re.findall("^[0-9]+", o)
+                if len(id) > 0:
+                    ids.append(int(id[0]))
+        ids.sort()
+        if len(ids) != 0:
+            return ids[-1]
+        else:
+            return 0
+
+    def _is_symmetric_key_auth_enabled(self):
+        with open("/etc/ntp.conf") as cnf:
+            for line in cnf.read().split('\n'):
+                if line.startswith("keys"):
+                    return True
+        return False
+
+    def _get_symmetric_key_file(self):
+        with open("/etc/ntp.conf") as cnf:
+            for line in cnf.read().split('\n'):
+                if "keys" in line:
+                    return line.split()[1]
+        raise KeyAuthDisabled()
+
+    def _get_symmetric_key_id(self, key, keysfile=symmetric_key_file):
+        with open(keysfile) as keys:
+            for line in keys.read().split('\n'):
+                if key in line:
+                    return line.split()[0]
+        raise SymmetricKeyNotFound()
+
+    def enable_symmetric_key_auth(self, keys_loc=symmetric_key_file):
+        try:
+            self._get_symmetric_key_file()
+        except KeyAuthDisabled:
+            with open("/etc/ntp.conf", "a") as cnf:
+                cnf.write("keys %s\n" % keys_loc)
+
+
+class NtpServerHandler(object):
+
+    def __init__(self, auth_type):
+        if auth_type == "symmetric":
+            self.keyhandler = NtpSymmetricKeyHandler()
+        else:
+            self.keyhandler = NtpCryptoKeyHandler()
+        self.auth_type = auth_type
+
+    def delete_other_keys(self):
+        if os.path.exists(crypto_keys_dir):
+            dircontent = os.listdir(crypto_keys_dir)
+            for f in dircontent:
+                os.remove("%s/%s" % (crypto_keys_dir, f))
+
+    def delete_server(self, server):
+        with open("/etc/ntp.conf") as conf:
+            contents = conf.readlines()
+        for index, line in enumerate(contents):
+            if server in line:
+                contents.pop(index)
+                break
+        with open("/etc/ntp.conf", "w") as conf:
+            for line in contents:
+                conf.write(line)
+        self._restart_ntpd()
+
+    def add_server(self, servers):
+        self.delete_other_keys()
+        for srv in servers:
+            if self.auth_type != "none":
+                if self.auth_type == "symmetric":
+                    self.keyhandler.add_key(srv['key'], srv['server'])
+                else:
+                    self.keyhandler.add_key(servers)
+            self._insert_server_to_config(srv['server'], self.auth_type, srv['key'])
+
+    def _restart_ntpd(self):
+        os.system("systemctl restart ntpd")
+
+    def _insert_server_to_config(self, server, auth_type, key=None):
+        if auth_type == "symmetric":
+            keyfile = self.keyhandler._get_symmetric_key_file()
+            id = self.keyhandler._get_symmetric_key_id(key, keyfile)
+            serverline = "server  " + server + "  key  " + str(id) + '\n'
+        elif auth_type == "crypto":
+            serverline = "server  " + server + "  autokey\n"
+        else:
+            serverline = "server  " + server + '\n'
+        with open("/etc/ntp.conf") as cnf:
+            contents = cnf.readlines()
+        server_was_found = False
+        for index, line in enumerate(contents):
+            if (server in line) and (line.startswith("server")):
+                contents[index] = serverline
+                server_was_found = True
+                break
+        if not server_was_found:
+            index = 0
+            for line in contents:
+                if line.startswith("server"):
+                    break
+                index += 1
+            contents.insert(index, serverline)
+        with open("/etc/ntp.conf", "w") as cnf:
+            for line in contents:
+                cnf.write(line)
+
+    def get_ntp_status(self):
+        try:
+            print check_output(["systemctl", "status", "ntpd"])
+        except CalledProcessError as e:
+            print e.output
+        try:
+            print check_output(["ntpstat", "-u"])
+        except CalledProcessError as e:
+            print e.output
+        try:
+            print check_output(["ntpq", "-c", "as"])
+        except CalledProcessError as e:
+            print e.output
+
+def find_old_crypto_keys(remaining_servers):
+    files = os.listdir(crypto_keys_dir)
+    found_keys = []
+    for f in files:
+        for s in remaining_servers:
+            if 'ntpkey_' in f and s in f:
+                with open("%s/%s" % (crypto_keys_dir, f)) as keyfcnt:
+                    content = keyfcnt.readlines()
+                    regex = re.compile("-----BEGIN ENCRYPTED PRIVATE KEY-----\n|-----END ENCRYPTED PRIVATE KEY-----\n")
+                    keycont = ''.join(content)
+                    raw_keys = re.split(regex, keycont)
+                    raw_keys = filter(None, raw_keys)
+                    if f == 'ntpkey_iffkey_%s' % s:
+                        type = 'iff'
+                    elif f == 'ntpkey_gqkey_%s' % s:
+                        type = 'gq'
+                    elif f == 'ntpkey_mvta_%s' % s:
+                        type = 'mv'
+                    else:
+                        raise Exception("Something is wrong with the filename %s/%s" % (crypto_keys_dir, f))
+                    found_keys.append({'server': s, 'key': {'type': type, 'keys': raw_keys}})
+    return found_keys
+
+
+
+def find_old_symmetric_keys(remaining_servers):
+    keyfile = NtpSymmetricKeyHandler()._get_symmetric_key_file()
+    retlist = []
+    with open(keyfile) as kf:
+        content = kf.readlines()
+    for srv in remaining_servers:
+        if "# %s" % srv in content:
+            try:
+                index = content.index("# %s" % srv)
+                key = content[index + 1].split()[2]
+                retlist.append({"server": srv, "key": key})
+            except ValueError:
+                pass
+    return retlist
+
+
+def get_ntp_servers(url, ntpservers, auth_type):
+    file_reachable = True
+    servers = []
+    if url.startswith("file://"):
+        path = url.lstrip("file://")
+        try:
+            with open(path) as f:
+                f_content = f.read()
+        except IOError:
+            file_reachable = False
+    else:
+        try:
+            r = requests.get(url)
+            if r.status_code != 200:
+                raise requests.exceptions.ConnectionError()
+            f_content = r.content
+        except requests.exceptions.ConnectionError:
+            file_reachable = False
+    if file_reachable:
+        yaml_content = yaml.load(f_content)
+        for item in yaml_content:
+            srv = item.keys()[0]
+            if srv in ntpservers:
+                element = {"server": srv, "key": item[srv]}
+                servers.append(element)
+    found_servers = [item['server'] for item in servers]
+    if len(found_servers) != len(ntpservers):
+        remaining_servers = [item for item in ntpservers if item not in found_servers]
+        if auth_type == "crypto":
+            leftover_servers = find_old_crypto_keys(remaining_servers)
+        elif auth_type == "symmetric":
+            leftover_servers = find_old_symmetric_keys(remaining_servers)
+        else:
+            raise Exception("Unknown authentication type for NTP!")
+        servers = servers + leftover_servers
+        if len(servers) != len(ntpservers):
+            raise Exception("Something must be messed up in your config. The NTP servers provided by your key file and by your configuration doesn't match!")
+    return servers
+
+
+def remove(url):
+    o = urlparse(url)
+    if o.scheme == "file":
+        os.remove(o.path)
+
+
+
+def main():
+    module_args = dict(auth_type=dict(type='str', required=True),
+                       hosts=dict(type='dict', required=True),
+                       ntpservers=dict(type='list', required=True),
+                       filepath=dict(type='str', required=True))
+    module = AnsibleModule(argument_spec=module_args)
+    controllers = get_controllers(module.params['hosts'])
+    hostname = get_hostname()
+    if hostname not in controllers:
+        remove(module.params['filepath'])
+        module.exit_json(msg="nothing to do; the script is not executed on a controller host")
+        return 0
+    if module.params['auth_type'] == "symmetric" or module.params['auth_type'] == "crypto":
+        servers = get_ntp_servers(module.params['filepath'], module.params['ntpservers'], module.params['auth_type'])
+        handler = NtpServerHandler(module.params['auth_type'])
+        handler.add_server(servers)
+    elif module.params['auth_type'] == "none":
+        pass
+    else:
+        raise Exception("Invalid authentication type: %s" % module.params['auth_type'])
+    remove(module.params['filepath'].rstrip("file://"))
+    module.exit_json(msg="all done")
+
+if __name__ == "__main__":
+    main()
+
diff --git a/tasks/main.yml b/tasks/main.yml
index 5c80a4a..cc4f4b6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- shell: file=/etc/sysconfig/ntpdate; sed -i 's/SYNC_HWCLOCK=no/SYNC_HWCLOCK=yes/g' ${file};grep "SYNC_HWCLOCK=yes" ${file} || echo "SYNC_HWCLOCK=yes" >> ${file}
+
 - name: Add the OS specific variables
   include_vars: '{{ ansible_os_family }}.yml'
   tags: [ 'configuration', 'package', 'service', 'ntp' ]
@@ -16,9 +18,20 @@
 - name: Copy the ntp.conf template file
   template: src=ntp.conf.j2 dest=/etc/ntp.conf
   notify:
+  - add ntp keys
+  - create redundant fallback ntp servers
   - restart ntp
   tags: [ 'configuration', 'package', 'ntp' ]
 
+- name: Clear step-tickers
+  lineinfile:
+    dest: /etc/ntp/step-tickers
+    regexp: ".*"
+    state: absent
+
+- name: enable ntpdate at boot time
+  shell: chkconfig ntpdate on
+
 - name: Start/stop ntp service
   service: name={{ ntp_service_name }} state={{ ntp_service_state }} enabled={{ ntp_service_enabled }} pattern='/ntpd'
   tags: [ 'service', 'ntp' ]