Merge branch 'chrony' into 'master'

Improve time robustness by switching to chrony, trustworthy time sources and NTS

See merge request !860

roles/chrony/files/chrony.conf

+#######################################################################
+#######################################################################
+### SPECIFY YOUR NTP SERVERS
+# Most computers using chrony will send measurement requests to one or
+# more 'NTP servers'.  You will probably find that your Internet Service
+# Provider or company have one or more NTP servers that you can specify.
+# Failing that, there are a lot of public NTP servers.  There is a list
+# you can access at http://support.ntp.org/bin/view/Servers/WebHome or
+# you can use servers from the pool.ntp.org project.
+
+# https://www.netnod.se/nts/network-time-security
+server gbg1.nts.netnod.se iburst nts
+server gbg2.nts.netnod.se iburst nts
+server lul1.nts.netnod.se iburst nts
+server lul2.nts.netnod.se iburst nts
+server mmo1.nts.netnod.se iburst nts
+server mmo2.nts.netnod.se iburst nts
+server sth1.nts.netnod.se iburst nts
+server sth2.nts.netnod.se iburst nts
+server svl1.nts.netnod.se iburst nts
+server svl2.nts.netnod.se iburst nts
+# https://www.ptb.de/cms/en/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/time-synchronization-of-computers-using-the-network-time-protocol-ntp.html
+server ptbtime1.ptb.de iburst nts
+server ptbtime2.ptb.de iburst nts
+server ptbtime3.ptb.de iburst nts
+server ptbtime4.ptb.de iburst nts
+
+#######################################################################
+### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK
+#
+# To avoid changes being made to your computer's gain/loss compensation
+# when the measurement history is too erratic, you might want to enable
+# one of the following lines.  The first seems good with servers on the
+# Internet, the second seems OK for a LAN environment.
+
+maxupdateskew 100
+! maxupdateskew 5
+
+# If you want to increase the minimum number of selectable sources
+# required to update the system clock in order to make the
+# synchronisation more reliable, uncomment (and edit) the following
+# line.
+
+minsources 2
+
+#######################################################################
+### FILENAMES ETC
+# Chrony likes to keep information about your computer's clock in files.
+# The 'driftfile' stores the computer's clock gain/loss rate in parts
+# per million.  When chronyd starts, the system clock can be tuned
+# immediately so that it doesn't gain or lose any more time.  You
+# generally want this, so it is uncommented.
+
+driftfile /var/lib/chrony/drift
+
+# chronyd can save the measurement history for the servers to files when
+# it exits.  This is useful in 2 situations:
+#
+# 1. If you stop chronyd and restart it with the '-r' option (e.g. after
+# an upgrade), the old measurements will still be relevant when chronyd
+# is restarted.  This will reduce the time needed to get accurate
+# gain/loss measurements.
+#
+# 2. On Linux, if you use the RTC support and start chronyd with
+# '-r -s' on bootup, measurements from the last boot will still be
+# useful (the real time clock is used to 'flywheel' chronyd between
+# boots).
+#
+# Uncomment the following line to use this.
+
+dumpdir /var/lib/chrony
+
+# The system timezone database usually comes with a list of leap seconds and
+# corresponding TAI-UTC offsets.  chronyd can use it to set the offset of the
+# system TAI clock and have an additional source of leap seconds.
+
+leapseclist /usr/share/zoneinfo/leap-seconds.list
+
+#######################################################################
+### INITIAL CLOCK CORRECTION
+# This option is useful to quickly correct the clock on start if it's
+# off by a large amount.  The value '1.0' means that if the error is less
+# than 1 second, it will be gradually removed by speeding up or slowing
+# down your computer's clock until it is correct.  If the error is above
+# 1 second, an immediate time jump will be applied to correct it.  The
+# value '3' means the step is allowed only in the first three updates of
+# the clock.  Some software can get upset if the system clock jumps
+# (especially backwards), so be careful!
+
+makestep 1.0 3
+
+#######################################################################
+### LOGGING
+# If you want to log information about the time measurements chronyd has
+# gathered, you might want to enable the following lines.  You probably
+# only need this if you really enjoy looking at the logs, you want to
+# produce some graphs of your system's timekeeping performance, or you
+# need help in debugging a problem.
+
+logdir /var/log/chrony
+! log measurements statistics tracking
+
+# If you have real time clock support enabled (see below), you might want
+# this line instead:
+
+log measurements statistics tracking rtc
+
+#######################################################################
+### REPORTING BIG CLOCK CHANGES
+# Perhaps you want to know if chronyd suddenly detects any large error
+# in your computer's clock.  This might indicate a fault or a problem
+# with the server(s) you are using, for example.
+#
+# The next option causes a message to be written to syslog when chronyd
+# has to correct an error above 0.5 seconds (you can use any amount you
+# like).
+
+logchange 0.5
+
+#######################################################################
+### REAL TIME CLOCK
+# Your RTC can be set to keep Universal Coordinated Time (UTC) or local
+# time.  (Local time means UTC +/- the effect of your timezone.)  If you
+# use UTC, chronyd will function correctly even if the computer is off
+# at the epoch when you enter or leave summer time (aka daylight saving
+# time).  However, if you dual boot your system with Microsoft Windows,
+# that will work better if your RTC maintains local time.  You take your
+# pick!
+
+rtconutc
+
+# By default chronyd assumes that the enhanced RTC device is accessed as
+# /dev/rtc.  If it's accessed somewhere else on your system (e.g. you're
+# using devfs), uncomment and edit the following line.
+
+! rtcdevice /dev/misc/rtc
+
+# Alternatively, if not using the -s option, this directive can be used
+# to enable a mode in which the RTC is periodically set to the system
+# time, with no tracking of its drift.
+
+rtcsync
+
+#######################################################################
+### LOCKING CHRONYD INTO RAM
+# This directive tells chronyd to use the mlockall() syscall to lock itself
+# into RAM so that it will never be paged out.  This should result in reduced
+# latency.  You don't need it unless you really have a requirement
+# for extreme clock stability.  Works only on Linux.  Note that the "-m"
+# command-line switch will also enable this feature.
+
+lock_all

roles/chrony/files/chronyd

+OPTIONS=-r

roles/chrony/handlers/main.yml

+- name: Restart chronyd
+  service: name=chronyd state=restarted

roles/chrony/tasks/main.yml

+- name: Install chrony
+  pacman: name=chrony state=present
+
+- name: Create sysconfig directory for chronyd environment file
+  file: path=/etc/sysconfig state=directory owner=root group=root mode=755
+
+- name: Install chrony configuration
+  copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0644
+  loop:
+   - { src: chronyd, dest: /etc/sysconfig/chronyd }
+   - { src: chrony.conf, dest: /etc/chrony.conf }
+  notify: Restart chronyd
+
+- name: Start and enable chronyd
+  service: name=chronyd enabled=yes state=started

roles/common/meta/main.yml

+dependencies:
+  - role: chrony

roles/common/tasks/main.yml

@@ -26,9 +26,6 @@
 - name: Start and enable auditd
   service: name=auditd enabled=yes state=started
 
-- name: Start and enable systemd-timesyncd
-  service: name=systemd-timesyncd enabled=yes state=started
-
 - name: Install smart
   pacman: name=smartmontools state=present
   when: ansible_virtualization_role == "host"