Hello,
Hoping folks here may have an answer for this. We are using Puppet inside of Satellite via Red Hat packaging (my previous experience is not with the Satellite layer). We have a module:
class ntpd (
  $tinker_panic                 = 0,
  $restrict1                    = 'default ignore',
  $restrict2                    = '127.0.0.1',
  $driftfile                    = '/var/lib/ntp/drift',
  $broadcastdelay               = '0.008',
  $timeserver1                  = '129.65.xx.x',
  $timeserver1_options          = 'burst iburst',
  $timeserver1_restrict_mask    = '255.255.255.255',
  $timeserver1_restrict_options = 'nomodify notrap noquery',
  $timeserver2                  = '129.65.xx.xxx',
  $timeserver2_options          = 'burst iburst',
  $timeserver2_restrict_mask    = '255.255.255.255',
  $timeserver2_restrict_options = 'nomodify notrap noquery',
) {
  package { 'ntp':
    ensure => installed,
  }
  package { 'chrony':
    ensure => absent,
  }
  # Hosts matching the pattern get a static, per-host ntp.conf from the module's
  # files directory; everything else gets the ERB template rendered below.
  if $hostname =~ /^p-x(xx|nn)/ {
    file { '/etc/ntp.conf':
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      source  => "puppet:///modules/ntpd/ntp.conf.${hostname}",
      require => Package['ntp'],
      notify  => Service['ntpd'],
    }
  } else {
    file { '/etc/ntp.conf':
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template('ntpd/ntp.conf.erb'),
      require => Package['ntp'],
      notify  => Service['ntpd'],
    }
  }
  service { 'ntpd':
    ensure     => running,
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
  }
}
Contents of template (a space is needed between the mask/address and the option list, otherwise ntpd is handed lines like "server 129.65.xx.xburst iburst"):
tinker panic <%= @tinker_panic %>
restrict <%= @restrict1 %>
restrict <%= @restrict2 %>
driftfile <%= @driftfile %>
broadcastdelay <%= @broadcastdelay %>
restrict <%= @timeserver1 %> mask <%= @timeserver1_restrict_mask %> <%= @timeserver1_restrict_options %>
server <%= @timeserver1 %> <%= @timeserver1_options %>
restrict <%= @timeserver2 %> mask <%= @timeserver2_restrict_mask %> <%= @timeserver2_restrict_options %>
server <%= @timeserver2 %> <%= @timeserver2_options %>
For CIS hardening efforts, we need to have a completely different module and are also trying to streamline rollout so both modules can co-exist in the same content view (using Satellite with Foreman (https://www.theforeman.org)).
Our other module is this:
class cis_ntpd {
  # file_line is provided by the puppetlabs-stdlib module.
  if $::operatingsystemmajrelease == '6' {
    file_line { 'restrict-4':
      ensure => present,
      path   => '/etc/ntp.conf',
      line   => 'restrict -4 default kod nomodify notrap nopeer noquery',
      match  => '^restrict -4 default kod nomodify notrap nopeer noquery$',
    }
    file_line { 'restrict-6':
      ensure => present,
      path   => '/etc/ntp.conf',
      line   => 'restrict -6 default kod nomodify notrap nopeer noquery',
      match  => '^restrict -6 default kod nomodify notrap nopeer noquery$',
    }
  } else {
    notice('not a match')
  }
}
Ideally, we would like to notify the other module and have the service restart; however, the other module is maintaining content based on the template, and this is changing the same source file, so we are thinking it will be looping.
Can this be solved with include and notifications? Any solutions and content updates are welcome, but we want to not touch the first module named "ntpd". Please kindly forgive the formatting issues, as the markup for inserting code on this site is not ideal.
Thanks for your help in advance!
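Added example (not part of the original post, and not the poster's code): a wrapper class that pulls in both modules above, orders them, and makes every edit to /etc/ntp.conf restart the service without modifying the ntpd module. The class name profile::ntp_cis is an assumption; it assumes the ntpd and cis_ntpd classes exactly as posted and puppetlabs-stdlib for file_line.

```puppet
# Example wrapper class, not from the original post. The name is hypothetical.
# Assumes: class ntpd and class cis_ntpd as posted above, puppetlabs-stdlib
# installed (it supplies file_line).
class profile::ntp_cis {
  include ntpd
  include cis_ntpd

  # Ordering: ntpd writes /etc/ntp.conf first, cis_ntpd edits it afterwards.
  # Without this, file_line can run before the file resource and be overwritten
  # in the same run.
  Class['ntpd'] -> Class['cis_ntpd']

  # Every file_line in the catalog whose path is /etc/ntp.conf notifies the
  # ntpd service declared inside class ntpd. This is a refresh relationship,
  # not a dependency cycle: Service['ntpd'] does not notify anything back, so
  # the graph stays acyclic and the run will not "loop".
  File_line <| path == '/etc/ntp.conf' |> ~> Service['ntpd']
}
```

What this does not fix: File['/etc/ntp.conf'] in the ntpd module enforces the whole file with content => template(...), so on every run it removes the two CIS restrict lines, file_line adds them back, and both resources report a change and restart ntpd. That is per-run flapping rather than a cycle, but it is still a permanent "changed" state. Keeping ntpd untouched and avoiding it means feeding the CIS strings through the parameters the template already renders (restrict1 and restrict2, which Satellite exposes as Smart Class Parameters), or moving the file to a concat-style build; which of those fits depends on whether the existing restrict default ignore / restrict 127.0.0.1 lines need to survive.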