Set up time management through NTP
The following sets up a local NTP server that synchronizes with pool.ntp.org and clients that synchronize with your local NTP server. See the bottom of this example if you don't want to build a server and would rather use a "brute force" method (repeated ntpdate syncs).
This example demonstrates you can have a lot of low-level detailed control if you want it.
```cf3
# The bodies mog, local_cp, if_repaired, empty and generic used below
# come from the CFEngine standard library.

bundle agent system_time_ntp
{
  vars:

    linux::

      "cache_dir"   string => "$(sys.workdir)/cache"; # Cache directory for NTP config files
      "ntp_conf"    string => "/etc/ntp.conf";        # Target file for NTP configuration
      "ntp_server"  string => "172.16.12.161";
      "ntp_network" string => "172.16.12.0";          # IP address and netmask of your local NTP server
      "ntp_mask"    string => "255.255.255.0";
      "ntp_pkgs"    slist  => { "ntp" };              # NTP packages to be installed to ensure service

  # Define a class for the NTP server

  classes:

    any::

      "ntp_hosts" or => { classmatch(canonify("ipv4_$(ntp_server)")) };

  # Ensure that the NTP packages are installed

  packages:

    ubuntu::

      "$(ntp_pkgs)"
        comment        => "setup NTP",
        package_policy => "add",
        package_method => generic;

  # Ensure existence of file and directory for NTP drift learning statistics

  files:

    linux::

      "/var/lib/ntp/ntp.drift"
        comment => "Enable ntp service",
        create  => "true";

      "/var/log/ntpstats/."
        comment => "Create a statistic directory",
        perms   => mog("644","ntp","ntp"),
        create  => "true";

    ntp_hosts::

      # Build the cache configuration file for the NTP server
      # (written under $(cache_dir) so it is the file copied below)

      "$(cache_dir)/ntp.conf"
        comment       => "Build $(this.promiser) cache file for NTP server",
        create        => "true",
        edit_defaults => empty,
        edit_line     => restore_ntp_master("$(ntp_network)","$(ntp_mask)");

    centos.ntp_hosts::

      # Copy the cached configuration file to its target destination

      "$(ntp_conf)"
        comment   => "Ensure $(this.promiser) in a perfect condition",
        copy_from => local_cp("$(cache_dir)/ntp.conf"),
        classes   => if_repaired("refresh_ntpd_centos");

    ubuntu.ntp_hosts::

      "$(ntp_conf)"
        comment   => "Ensure $(this.promiser) in a perfect condition",
        copy_from => local_cp("$(cache_dir)/ntp.conf"),
        classes   => if_repaired("refresh_ntpd_ubuntu");

    !ntp_hosts::

      # Build the cache configuration file for the NTP client

      "$(cache_dir)/ntp.conf"
        comment       => "Build $(this.promiser) cache file for NTP client",
        create        => "true",
        edit_defaults => empty,
        edit_line     => restore_ntp_client("$(ntp_server)");

    centos.!ntp_hosts::

      # Copy the cached configuration file to its target destination

      "$(ntp_conf)"
        comment   => "Ensure $(this.promiser) in a perfect condition",
        copy_from => local_cp("$(cache_dir)/ntp.conf"),
        classes   => if_repaired("refresh_ntpd_centos");

    ubuntu.!ntp_hosts::

      "$(ntp_conf)"
        comment   => "Ensure $(this.promiser) in a perfect condition",
        copy_from => local_cp("$(cache_dir)/ntp.conf"),
        classes   => if_repaired("refresh_ntpd_ubuntu");

  # Set classes (conditions) to restart the NTP daemon if there have been
  # any changes to the configuration

  processes:

    centos::

      "ntpd.*"
        restart_class => "refresh_ntpd_centos";

    ubuntu::

      "ntpd.*"
        restart_class => "refresh_ntpd_ubuntu";

  # Restart the NTP daemon if the configuration has changed

  commands:

    refresh_ntpd_centos::

      "/etc/init.d/ntpd restart";

    refresh_ntpd_ubuntu::

      "/etc/init.d/ntp restart";
}

#######################################################

bundle edit_line restore_ntp_master(network,mask)
{
  vars:

      "list" string =>
"######################################
# ntp.conf-master

driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# Consider changing the below servers to a location near you for better time
# e.g. server 0.europe.pool.ntp.org, or server 0.no.pool.ntp.org etc.
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1

# Hosts on local network are less restricted.
restrict $(network) mask $(mask) nomodify notrap";

  insert_lines:

      "$(list)";
}

#######################################################

bundle edit_line restore_ntp_client(serverip)
{
  vars:

      "list" string =>
"######################################
# This file is protected by cfengine #
######################################
# ntp.conf-client

driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
server $(serverip)
restrict $(serverip) nomodify";

  insert_lines:

      "$(list)";
}
```

This policy can be found in /var/cfengine/share/doc/examples/example_ntp.cf
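A check for the `restrict` lines that both templates above write into ntp.conf, as an added example (not part of the CFEngine example policy): it parses a rendered file and reports a default ACL that is missing any of the flags the templates set, or a non-loopback entry without `nomodify`. The function names and the two sample texts are constructed for illustration.

```python
# Flags the page's templates put on both "restrict ... default" lines.
REQUIRED_DEFAULT = {"kod", "nomodify", "notrap", "nopeer", "noquery"}
LOOPBACK = {"127.0.0.1", "::1"}   # left unrestricted on purpose by the templates

def parse_restrict(conf_text):
    """Yield (family, target, flags) for each restrict line of an ntp.conf."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args or tokens[0] != "restrict":
            continue
        family = next((t for t in tokens if t in ("-4", "-6")), "any")
        flags = args[3:] if args[1:2] == ["mask"] else args[1:]
        yield family, args[0], set(flags)

def audit(conf_text):
    """Return findings; an empty list means the ACLs match the templates."""
    rules = list(parse_restrict(conf_text))
    findings = []
    for family in ("-4", "-6"):
        defaults = [flags for fam, target, flags in rules
                    if target == "default" and fam in (family, "any")]
        if not defaults:
            findings.append(f"no 'restrict {family} default' line")
        for flags in defaults:
            missing = sorted(REQUIRED_DEFAULT - flags)
            if missing:
                findings.append(f"restrict {family} default missing: {' '.join(missing)}")
    for _, target, flags in rules:
        if target not in LOOPBACK | {"default"} and "nomodify" not in flags:
            findings.append(f"restrict {target} lacks nomodify")
    return findings

# Constructed samples: GOOD follows the server template, WEAK is a drifted copy.
GOOD = """\
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 172.16.12.0 mask 255.255.255.0 nomodify notrap
"""
WEAK = """\
restrict -4 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict 172.16.12.0 mask 255.255.255.0
"""
if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(text) or "ok")
```

Run it against the deployed /etc/ntp.conf by passing the file's text to `audit()`; an empty list means the access restrictions from the template survived on that host.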
If you don't want to build a server, you can do this instead:

```cf3
# The silent body comes from the CFEngine standard library.

bundle agent time_management
{
  vars:

    any::

      "ntp_server" string => "no.pool.ntp.org";

  commands:

    any::

      "/usr/sbin/ntpdate $(ntp_server)"
        contain => silent;
}
```

This is a hard reset of the time: it corrects the clock immediately. This may cause problems if there are large deviations in time and you are using time-sensitive software on your system. An NTP daemon set up as shown above, on the other hand, slowly adapts the time to avoid causing disruption. In addition, the NTP daemon can be configured to learn your system's time drift and automatically adjust for it without having to be in touch with the server at all times.