Commit cd4a03a5 authored by Mike Hibler's avatar Mike Hibler

Attempt to auto-configure NTP for server machines at install time.

The template configurations in the new ntpd subdir also address the
recent NTP amplification attacks.

NTP configuration is controlled by a few defs-* variables:

NTPSERVER: boss|ops|fs|<external-server-name-or-IP>
  Default: "ops"
  Normally, one of boss, ops, or fs is designated as a local NTP server
  but this can be set to a fully qualified name of some other machine.
  If NTPSERVER is set to an external server, then boss/ops/fs are made
  clients of that server just as any testbed node is.

EXTERNAL_NTPSERVER[1-4]: <external-server-name-or-IP>
  Default: "[0-3].pool.ntp.org"
  If NTPSERVER is one of boss/ops/fs, then these values are used as the
  upstream servers for the local server. These can be changed to four of
  your favorite NTP servers.

NTPDRIFTFILE: <path>
  Default: "/var/db/ntp.drift"
  If NTPSERVER is one of boss/ops/fs, then this is the name of the drift
  file for the local server.
parent 7869737c
#!/usr/bin/perl -w
#
# Copyright (c) 2004-2013 University of Utah and the Flux Group.
# Copyright (c) 2004-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -196,9 +196,9 @@ my $XENVM = 0;
# Node to use as ntp server for inner nodes and other inner servers.
# This node will use the outside "ntp1" server as its server.
#
# XXX this has never been tested with anything but "boss".
# XXX this has never been tested with anything but "boss" and "ops".
#
my $NTPSERVER = "boss";
my $NTPSERVER = "ops";
#
# Defaults for configuration attributes (options).
......@@ -1124,13 +1124,6 @@ sub SetupFsNode()
mysystem("cp -pf /etc/syslog.conf /etc/syslog.conf.old ; ".
"cp /tmp/syslog.conf /etc/syslog.conf");
#
# If not us, fixup our ntp.conf file to talk to the inner ntp server.
#
if ($NTPSERVER ne "fs") {
mysystem("sed -i '.orig' -E -e 's/^server .*/server $NTPSERVER/' /etc/ntp.conf");
}
#
# Create a defs file. Note that this will move to boss at some point.
#
......@@ -1729,13 +1722,6 @@ sub SetupOpsNode($)
mysystem("cp -pf /etc/syslog.conf /etc/syslog.conf.old ; ".
"cp /tmp/syslog.conf /etc/syslog.conf");
#
# If not us, fixup our ntp.conf file to talk to the inner ntp server.
#
if ($NTPSERVER ne "ops") {
mysystem("sed -i '.orig' -E -e 's/^server .*/server $NTPSERVER/' /etc/ntp.conf");
}
#
# Create a defs file. Note that this will move to boss at some point.
#
......@@ -2449,13 +2435,6 @@ sub SetupBossNode($)
mysystem("cp -pf /etc/syslog.conf /etc/syslog.conf.old ; ".
"cp /tmp/syslog.conf /etc/syslog.conf");
#
# If not us, fixup our ntp.conf file to talk to the inner ntp server.
#
if ($NTPSERVER ne "boss") {
mysystem("sed -i '.orig' -E -e 's/^server .*/server $NTPSERVER/' /etc/ntp.conf");
}
#
# Create a defs file. Note that this will move to boss at some point.
#
......@@ -3126,6 +3105,11 @@ sub CreateDefsFile($)
};
/^NTPSERVER$/ && do {
print OUTDEFS "NTPSERVER=${NTPSERVER}\n";
# make sure the inner NTP server uses the outer NTP server
print OUTDEFS "EXTERNAL_NTPSERVER1=ntp1.${outer_domain}\n";
print OUTDEFS "EXTERNAL_NTPSERVER2=ntp1.${outer_domain}\n";
print OUTDEFS "EXTERNAL_NTPSERVER3=ntp1.${outer_domain}\n";
print OUTDEFS "EXTERNAL_NTPSERVER4=ntp1.${outer_domain}\n";
last SWITCH;
};
/^TESTBED_NETWORK$/ && do {
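Review bot: The CreateDefsFile hunk writes the same host, `ntp1.${outer_domain}`, into all four EXTERNAL_NTPSERVER slots, so the inner server's ntp.conf ends up with four identical `server` lines; as far as I recall ntpd keys associations by address and rejects duplicates with a log message, so this adds no redundancy and may only add startup noise. If the repetition is deliberate, a comment would save the next reader from "fixing" it: `# only one upstream exists inside an elabinelab; fill all four slots so the server template always has a value`. The sed fixups removed from SetupFsNode/SetupOpsNode/SetupBossNode are now covered by the ntpd install phase, whose client template names the server as `ntp1`, so this relies on the inner DNS mapping `ntp1` to the NTPSERVER node, which I cannot verify from this page. CreateDefsFile begins and ends outside the hunk.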
......@@ -655,8 +655,8 @@ TBROBOCOPSEMAIL_NOSLASH
TBROBOCOPSEMAIL
TBOPSEMAIL_NOSLASH
TBOPSEMAIL
EC2META_ENABLE
BROWSER_CONSOLE_ENABLE
EC2META_ENABLE
NOSITECHECKIN
SPEWFROMOPS
FIREWALL_OPS_LOCALRULETMPL
......@@ -744,6 +744,11 @@ TESTBED_NETMASK
EXTERNAL_TESTBED_NETWORK
TESTBED_NETWORK
TBLOGFACIL
NTPDRIFTFILE
EXTERNAL_NTPSERVER4
EXTERNAL_NTPSERVER3
EXTERNAL_NTPSERVER2
EXTERNAL_NTPSERVER1
NTPSERVER
NFSTRACESUPPORT
OPSDBSUPPORT
......@@ -4914,6 +4919,12 @@ done
......@@ -4996,6 +5007,11 @@ NFSTRACESUPPORT=0
TBLOGFACIL="local5"
BOSSEVENTPORT=16505
NTPSERVER="ops"
EXTERNAL_NTPSERVER1="0.pool.ntp.org"
EXTERNAL_NTPSERVER2="1.pool.ntp.org"
EXTERNAL_NTPSERVER3="2.pool.ntp.org"
EXTERNAL_NTPSERVER4="3.pool.ntp.org"
NTPDRIFTFILE="/var/db/ntp.drift"
UNIFIED_BOSS_AND_OPS=0
DISABLE_NAMED_SETUP=0
FRISEBEEMCASTADDR="234.5.6"
......@@ -5262,10 +5278,31 @@ cat >>confdefs.h <<_ACEOF
#define FRISEBEENUMPORTS "$FRISEBEENUMPORTS"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define NTPSERVER "$NTPSERVER"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define EXTERNAL_NTPSERVER1 "$EXTERNAL_NTPSERVER1"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define EXTERNAL_NTPSERVER2 "$EXTERNAL_NTPSERVER2"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define EXTERNAL_NTPSERVER3 "$EXTERNAL_NTPSERVER3"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define EXTERNAL_NTPSERVER4 "$EXTERNAL_NTPSERVER4"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define NTPDRIFTFILE "$NTPDRIFTFILE"
_ACEOF
if test $OPSDBSUPPORT -eq 1; then
cat >>confdefs.h <<_ACEOF
......@@ -6672,6 +6709,8 @@ outfiles="$outfiles Makeconf GNUmakefile \
flash/GNUmakefile \
dhcpd/dhcpd.conf.template dhcpd/GNUmakefile \
dhcpd/dhcpd.conf.subboss.template \
ntpd/GNUmakefile \
ntpd/ntp.conf-client ntpd/ntp.conf-server ntpd/ntp.conf-external \
install/GNUmakefile install/installvars.pm install/emulab-install \
install/ops-install install/boss-install install/fs-install \
install/load-descriptors install/dump-descriptors \
#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -188,6 +188,11 @@ AC_SUBST(BUGDBSUPPORT)
AC_SUBST(OPSDBSUPPORT)
AC_SUBST(NFSTRACESUPPORT)
AC_SUBST(NTPSERVER)
AC_SUBST(EXTERNAL_NTPSERVER1)
AC_SUBST(EXTERNAL_NTPSERVER2)
AC_SUBST(EXTERNAL_NTPSERVER3)
AC_SUBST(EXTERNAL_NTPSERVER4)
AC_SUBST(NTPDRIFTFILE)
AC_SUBST(TBLOGFACIL)
AC_SUBST(TESTBED_NETWORK)
AC_SUBST(EXTERNAL_TESTBED_NETWORK)
......@@ -353,6 +358,11 @@ NFSTRACESUPPORT=0
TBLOGFACIL="local5"
BOSSEVENTPORT=16505
NTPSERVER="ops"
EXTERNAL_NTPSERVER1="0.pool.ntp.org"
EXTERNAL_NTPSERVER2="1.pool.ntp.org"
EXTERNAL_NTPSERVER3="2.pool.ntp.org"
EXTERNAL_NTPSERVER4="3.pool.ntp.org"
NTPDRIFTFILE="/var/db/ntp.drift"
UNIFIED_BOSS_AND_OPS=0
DISABLE_NAMED_SETUP=0
FRISEBEEMCASTADDR="234.5.6"
......@@ -510,7 +520,13 @@ AC_DEFINE_UNQUOTED(BOSSEVENTPORT, "$BOSSEVENTPORT")
AC_DEFINE_UNQUOTED(FRISEBEEMCASTADDR, "$FRISEBEEMCASTADDR")
AC_DEFINE_UNQUOTED(FRISEBEEMCASTPORT, "$FRISEBEEMCASTPORT")
AC_DEFINE_UNQUOTED(FRISEBEENUMPORTS, "$FRISEBEENUMPORTS")
AC_DEFINE_UNQUOTED(NTPSERVER, "$NTPSERVER")
AC_DEFINE_UNQUOTED(EXTERNAL_NTPSERVER1, "$EXTERNAL_NTPSERVER1")
AC_DEFINE_UNQUOTED(EXTERNAL_NTPSERVER2, "$EXTERNAL_NTPSERVER2")
AC_DEFINE_UNQUOTED(EXTERNAL_NTPSERVER3, "$EXTERNAL_NTPSERVER3")
AC_DEFINE_UNQUOTED(EXTERNAL_NTPSERVER4, "$EXTERNAL_NTPSERVER4")
AC_DEFINE_UNQUOTED(NTPDRIFTFILE, "$NTPDRIFTFILE")
if test $OPSDBSUPPORT -eq 1; then
AC_DEFINE_UNQUOTED(OPSDBSUPPORT, 1)
......@@ -1207,6 +1223,8 @@ outfiles="$outfiles Makeconf GNUmakefile \
flash/GNUmakefile \
dhcpd/dhcpd.conf.template dhcpd/GNUmakefile \
dhcpd/dhcpd.conf.subboss.template \
ntpd/GNUmakefile \
ntpd/ntp.conf-client ntpd/ntp.conf-server ntpd/ntp.conf-external \
install/GNUmakefile install/installvars.pm install/emulab-install \
install/ops-install install/boss-install install/fs-install \
install/load-descriptors install/dump-descriptors \
......@@ -136,6 +136,9 @@ NAMED_FORWARDERS=""
VPUBADDR_BASE=none
VPUBADDR_BITLEN=none
# XXX backward compat for anyone using this defs file
NTPDRIFTFILE="/etc/ntp.drift"
#
# Google Maps API key, for user map
#
......@@ -233,6 +233,35 @@ DHCPD_DYNRANGE="10.1.34.200 10.1.34.219"
#
NAMED_FORWARDERS="1.1.1.1 1.1.2.1"
#
# NTP server configuration:
#
# NTPSERVER: boss|ops|fs|<external-server-name-or-IP>
# Default: "ops"
# Normally, one of boss, ops, or fs is designated as a local NTP server
# but this can be set to a fully qualified name of some other machine.
# If NTPSERVER is set to an external server, then boss/ops/fs are made
# clients of that server just as any testbed node is.
#
# EXTERNAL_NTPSERVER[1-4]: <external-server-name-or-IP>
# Default: "[0-3].pool.ntp.org"
# If NTPSERVER is one of boss/ops/fs, then these values are used as the
# upstream servers for the local server. These can be changed to four of
# your favorite NTP servers.
#
# NTPDRIFTFILE: <path>
# Default: "/var/db/ntp.drift"
# If NTPSERVER is one of boss/ops/fs, then this is the name of the drift
# file for the local server.
#
#NTPSERVER="ops"
#EXTERNAL_NTPSERVER1="0.pool.ntp.org"
#EXTERNAL_NTPSERVER2="1.pool.ntp.org"
#EXTERNAL_NTPSERVER3="2.pool.ntp.org"
#EXTERNAL_NTPSERVER4="3.pool.ntp.org"
#NTPDRIFTFILE="/var/db/ntp.drift"
#
# Windows support. Turn this on if you think you might want to use WindowsXP
# or Windows7 images on your experimental nodes. Note though, that Utah cannot
......@@ -238,7 +238,7 @@ if ($single) {
elsif ($server eq "boss") {
@files = ('sperl', 'usersgroups', 'dirs', 'tftp',
'boss/ports', 'boss/portfix', 'boss/patches', 'cracklib',
'apache', 'boss/rcfiles', 'boss/rcconf', 'boss/syslog',
'apache', 'boss/rcfiles', 'ntpd', 'boss/rcconf', 'boss/syslog',
'boss/database', 'etchosts', 'resolvetest',
'exports', 'nfsmounts', 'boss/mibs', 'boss/crontab', 'sudoers',
'samba', 'boss/ssh', 'boss/hostkeys',
......@@ -259,13 +259,13 @@ elsif ($server eq "boss") {
}
elsif ($server eq "fs") {
@files = ('sperl', 'usersgroups', 'dirs',
'fs/ports', 'fs/portfix', 'ops/rcconf',
'fs/ports', 'fs/portfix', 'ntpd', 'ops/rcconf',
'etchosts', 'resolvetest', 'ops/syslog', 'exports', 'quotas',
'sudoers', 'samba', 'ops/ssh');
}
elsif ($server eq "ops") {
@files = ('sperl', 'usersgroups', 'dirs', 'etchosts', 'resolvetest',
'ops/ports', 'ops/portfix', 'ops/patches', 'ops/rcconf',
'ops/ports', 'ops/portfix', 'ops/patches', 'ntpd', 'ops/rcconf',
'ops/sendmail', 'ops/syslog', 'exports', 'nfsmounts',
'ops/crontab', 'sudoers', 'samba', 'ops/ssh', 'capture',
'ops/rcfiles', 'apache', 'ops/database', 'ops/mailman',
#!/usr/bin/perl -w
#
# Copyright (c) 2003-2013 University of Utah and the Flux Group.
# Copyright (c) 2003-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -172,6 +172,7 @@ $FSNODE_IP = '@FSNODE_IP@';
$CONTROL_NETWORK = "@CONTROL_NETWORK@";
$CONTROL_NETMASK = "@CONTROL_NETMASK@";
$PUBLIC_NETMASK = "@PUBLIC_NETMASK@";
$NTPSERVER = "@NTPSERVER@";
$LOGFACIL = '@TBLOGFACIL@';
$QUOTA_FSLIST = '@FS_WITH_QUOTAS@';
$OURTIMEZONE = "@OURTIMEZONE@";
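Review bot: The new `$NTPSERVER = "@NTPSERVER@";` is double-quoted, so a configured value containing `@` or `$` would be interpolated by Perl after configure substitutes it; the file mixes both styles, but for a free-form hostname the single-quoted form used by `$LOGFACIL = '@TBLOGFACIL@';` is the safe one, i.e. `$NTPSERVER = '@NTPSERVER@';`. The `@EXPORT` list that makes the variable visible to install/ntpd.pm is outside the hunk, so I cannot confirm it was extended. The hunk sits inside a run of top-level assignments that continues on both sides.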
#
# The template
#
use strict;
use libinstall;
use installvars;
sub Install($$$)
{
my ($server, $isupdate, $impotent) = @_;
Phase "ntp", "Setting up NTP", sub {
my $config;
if ($NTPSERVER eq "boss") {
if (ISBOSSNODE($server)) {
$config = "server";
} else {
$config = "client";
}
} elsif ($NTPSERVER eq "ops") {
if (ISOPSNODE($server)) {
$config = "server";
} else {
$config = "client";
}
} elsif ($NTPSERVER eq "fs") {
if (ISFSNODE($server)) {
$config = "server";
} else {
$config = "client";
}
} else {
$config = "external server";
}
Phase "ntpconf", "Installing NTP $config config file", sub {
if (ISBOSSNODE($server)) {
ExecQuietFatal("$GMAKE -C $TOP_OBJDIR/ntpd install");
}
elsif (ISOPSNODE($server)) {
ExecQuietFatal("$GMAKE -C $TOP_OBJDIR/ntpd control-install");
}
elsif (ISFSNODE($server)) {
ExecQuietFatal("$GMAKE -C $TOP_OBJDIR/ntpd fs-install");
}
};
};
return 0;
}
# Local Variables:
# mode:perl
# End:
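Review bot: Nothing in the `ntp` phase signals ntpd after `$GMAKE … install` replaces /etc/ntp.conf, so on an update run (`$isupdate` set) the running daemon keeps the old, amplification-exposed configuration until reboot; unless a later phase restarts services, a `service ntpd restart` at the end of the phase, guarded by `$isupdate` and skipped when `$impotent`, would make the fix take effect. The `$NTPSERVER eq "fs"` branch picks the "server" template for the FS node, but the ntpd GNUmakefile in this commit aborts with `$(error …)` for that value, so that path can only fail inside `ExecQuietFatal`; rejecting "fs" here with a clear message would be kinder than a make error. The `$config` text `external server` also reads oddly in the phase title — `client of external server` says what is actually installed.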
......@@ -60,6 +60,13 @@ sub Install($$$)
qq|pubsubd_flags="-T 10"|);
}
# Turn on NTP.
if ($FBSD_MAJOR < 6) {
push(@adds, qq|xntpd_enable="YES"|);
} else {
push(@adds, qq|ntpd_enable="YES"|);
}
# Turn on firewall.
if ($FIREWALL_OPS) {
push(@adds, qq|firewall_enable="YES"|);
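Review bot: `ntpd_enable="YES"` starts ntpd without `-g`, so on a freshly installed server whose clock is more than ~1000 s off ntpd exits instead of stepping the clock; adding `ntpd_sync_on_start="YES"` next to the enable line (or `ntpd_flags="-g"` on releases that lack that knob) avoids that first-boot failure. The `$FBSD_MAJOR < 6` threshold for `xntpd_enable` looks off to me — as far as I recall the `xntpd_` prefix was FreeBSD 4.x only and 5.x already used `ntpd_enable` — but I cannot confirm which releases this installer still targets. The enclosing Install sub starts and ends outside the hunk.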
#
# Copyright (c) 2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
#
# For installation only.
#
SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@
OBJDIR = ..
SUBDIR = ntpd
NTPSERVER = @NTPSERVER@
include $(OBJDIR)/Makeconf
CONFIG_FILES = ntp.conf-client ntp.conf-server ntp.conf-external
ifeq ($(NTPSERVER),boss)
BOSS_FILE=ntp.conf-server
OPS_FILE=ntp.conf-client
FS_FILE=ntp.conf-client
else
ifeq ($(NTPSERVER),ops)
BOSS_FILE=ntp.conf-client
OPS_FILE=ntp.conf-server
FS_FILE=ntp.conf-client
else
ifeq ($(NTPSERVER),fs)
$(error we do not support NTP server on FS node right now)
else
BOSS_FILE=ntp.conf-external
OPS_FILE=ntp.conf-external
FS_FILE=ntp.conf-external
endif
endif
endif
#
# Force dependencies to make sure configure regenerates if the .in file
# is changed.
#
all: $(CONFIG_FILES)
include $(TESTBED_SRCDIR)/GNUmakerules
#
# Well, this is awkward. Make sure we don't try to install anything from
# a dev tree both because it doesn't make any sense and because it would
# clobber the "real" version.
#
ifeq ($(TBROOT),/usr/testbed)
install: $(BOSS_FILE)
mv -f $(DESTDIR)/etc/ntp.conf $(DESTDIR)/etc/ntp.conf.bak
$(INSTALL_DATA) $(BOSS_FILE) $(DESTDIR)/etc/ntp.conf
control-install: $(OPS_FILE)
mv -f $(DESTDIR)/etc/ntp.conf $(DESTDIR)/etc/ntp.conf.bak
$(INSTALL_DATA) $(OPS_FILE) $(DESTDIR)/etc/ntp.conf
fs-install: $(FS_FILE)
mv -f $(DESTDIR)/etc/ntp.conf $(DESTDIR)/etc/ntp.conf.bak
$(INSTALL_DATA) $(FS_FILE) $(DESTDIR)/etc/ntp.conf
else
install control-install fs-install:
@echo "Cannot install NTP config in dev tree"
endif
clean:
rm -f $(CONFIG_FILES)
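Review bot: The `$(error we do not support NTP server on FS node right now)` fires at Makefile parse time, so with NTPSERVER=fs — a value the defs-example and configure.ac comments in this commit advertise as valid — every target including `all` and `clean` fails and a top-level build of the tree breaks, not just the fs install; moving the check under the install targets (e.g. `fs-install: ; @echo "NTP server on FS node not supported"; exit 1`) or rejecting the value in configure keeps the build usable. The install targets also `mv -f` /etc/ntp.conf to ntp.conf.bak unconditionally, so a second run overwrites the backup with the previously installed template and the vendor config is lost; `test -e $(DESTDIR)/etc/ntp.conf.bak || mv -f $(DESTDIR)/etc/ntp.conf $(DESTDIR)/etc/ntp.conf.bak` preserves it. `mv` additionally fails the target when /etc/ntp.conf does not exist yet, which `-f` does not cover.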
#
# Generic Emulab NTP client configuration.
#
server ntp1 iburst
restrict default ignore
restrict ntp1 nomodify nopeer noquery notrap
restrict 127.0.0.1
driftfile @NTPDRIFTFILE@
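Review bot: `restrict ntp1 nomodify nopeer noquery notrap` is the only entry that lets the server's replies through `restrict default ignore`, and it is keyed on a hostname resolved when ntpd starts; as far as I know, if `ntp1` is not resolvable at that moment (a fresh install or elabinelab booting before DNS is ready) the restrict line is dropped and the client never syncs, with nothing in the log beyond a resolver error. A comment recording that dependency would help whoever debugs it: `# ntp1 must resolve when ntpd starts; with 'default ignore' an unresolved restrict means no sync`. `restrict 127.0.0.1` also has no IPv6 counterpart, so `ntpq` over `::1` is refused; add `restrict ::1` if the host has IPv6 loopback configured.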
#
# Generic Emulab external NTP configuration.
#
server @NTPSERVER@ iburst
restrict default ignore
restrict @NTPSERVER@ nomodify nopeer noquery notrap
restrict 127.0.0.1
driftfile @NTPDRIFTFILE@
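Review bot: `server @NTPSERVER@ iburst` and `restrict @NTPSERVER@ …` are both resolved by name, and when NTPSERVER is a pool or round-robin name (the commit text allows any external name) the two lookups can return different addresses; the server's reply then hits `restrict default ignore` and the host never syncs. Either document that NTPSERVER must be an IP address or a name with a single stable record (a comment such as `# NTPSERVER must resolve to one fixed address: the restrict line must match the association` belongs here), or fall back to the server template's `restrict default nomodify nopeer noquery notrap`, which still closes the mode-6/7 amplification path at the cost of answering time requests from anyone. This file is the whole template, so nothing is cut off.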
#
# Generic Emulab NTP server configuration.
#
# Our servers
server @EXTERNAL_NTPSERVER1@ iburst
server @EXTERNAL_NTPSERVER2@ iburst
server @EXTERNAL_NTPSERVER3@ iburst
server @EXTERNAL_NTPSERVER4@ iburst
# Restrict access to servers and clients but not localhost
restrict default nomodify nopeer noquery notrap
restrict 127.0.0.1
driftfile @NTPDRIFTFILE@
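Review bot: `restrict default nomodify nopeer noquery notrap` closes the mode-6/7 (monlist) path this commit is aimed at, and since mode-3 replies are the same size as the request the remaining open time service is not an amplifier; it is still reachable by any source, so on a server exposed beyond the control net `restrict default kod nomodify nopeer noquery notrap limited` would rate-limit abusive clients on ntpd 4.2.4+ without affecting well-behaved ones. `disable monitor` is a cheap belt-and-braces line for builds where the monlist table is wanted off regardless of restrictions. As I recall, the 4.2.4 ntpd shipped with older FreeBSD applies a bare `restrict default` to IPv4 only, so a matching `restrict -6 default nomodify nopeer noquery notrap` plus `restrict ::1` is worth adding; if the target ntpd is 4.2.6 or later this is harmless redundancy.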