ipaclient: New module ipaclient_setup_ntp, dropped ipaclient_ntp setting

The new module ipaclient_setup_ntp to configure and sync time with the NTP
server has been added. The irregular setting ipaclient_ntp has been removed.

The ipaclient_setup_ntp module is using either the new sync_time call or
for compatibility with older FreeIPA versions synconce_ntp.

The reference for ipaclient_ntp in REPLICA.md has been removed also.

This also fixes #55.

REPLICA.md

@@ -107,7 +107,7 @@ Variables
 **ipaclient_kinit_attempts** - Repeat the request for host Kerberos ticket X times if it fails.
  (int, optional)
 
-**ipaclient_ntp** - Set to no to not configure and enable NTP
+**ipaclient_no_ntp** - Set to yes to not configure and enable NTP
  (bool, optional)
 
 **ipaclient_mkhomedir** - Set to yes to configure PAM to create a users home directory if it does not exist.

roles/ipaclient/defaults/main.yml

@@ -2,7 +2,6 @@
 # defaults file for ipaclient
 
 ipaclient_force_join: no
-ipaclient_ntp: no
 ipaclient_mkhomedir: no
 ipaclient_kinit_attempts: 5
 ipaclient_use_otp: no

roles/ipaclient/library/ipaclient_setup_ntp.py

@@ -0,0 +1,170 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Based on ipa-client-install code
+#
+# Copyright (C) 2017  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.0',
+    'supported_by': 'community',
+    'status': ['preview'],
+}
+
+DOCUMENTATION = '''
+---
+module: ipaclient_setup_ntp
+short description: Setup NTP for IPA client
+description:
+  Setup NTP for IPA client
+options:
+  servers:
+    description: The FQDN of the IPA servers to connect to.
+    required: false
+    type: list
+    default: []
+  domain:
+    description: The primary DNS domain of an existing IPA deployment.
+    required: false
+  realm:
+    description:  The Kerberos realm of an existing IPA deployment.
+    required: false
+  hostname:
+    description: The hostname of the machine to join (FQDN).
+    required: false
+  ca_cert_file:
+    description: A CA certificate to use.
+    required: false
+  on_master:
+    description: IPA client installation on IPA server
+    required: false
+    default: false
+    type: bool
+    default: no
+  ntp_servers:
+    description: List of NTP servers to use
+    required: false
+    type: list
+    default: []
+  ntp_pool:
+    description: ntp server pool to use
+    required: false
+  no_ntp:
+    description: Do not sync time and do not detect time servers
+    required: false
+    default: false
+    type: bool
+    default: no
+
+author:
+    - Thomas Woerner
+'''
+
+EXAMPLES = '''
+'''
+
+RETURN = '''
+'''
+
+import os
+import socket
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_freeipa.client import *
+
+def main():
+    module = AnsibleModule(
+        argument_spec = dict(
+            ### basic ###
+            ntp_servers=dict(required=False, type='list', default=None),
+            ntp_pool=dict(required=False, default=None),
+            no_ntp=dict(required=False, type='bool', default=False),
+            #force_ntpd=dict(required=False, type='bool', default=False),
+            on_master=dict(required=False, type='bool', default=False),
+            ### additional ###
+            domain=dict(required=False, default=None),
+        ),
+        supports_check_mode = True,
+    )
+
+    #module._ansible_debug = True
+    options.ntp_servers = module.params.get('ntp_servers')
+    options.ntp_pool = module.params.get('ntp_pool')
+    options.no_ntp = module.params.get('no_ntp')
+    #options.force_ntpd = module.params.get('force_ntpd')
+    options.on_master = module.params.get('on_master')
+    cli_domain = module.params.get('domain')
+
+    options.conf_ntp = not options.no_ntp
+
+    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+    statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
+
+    ntp_servers = [ ]
+    synced_ntp = False
+    if sync_time is not None:
+        if options.conf_ntp:
+            # Attempt to configure and sync time with NTP server (chrony).
+            synced_ntp = sync_time(options, fstore, statestore)
+        elif options.on_master:
+            # If we're on master skipping the time sync here because it was done
+            # in ipa-server-install
+            logger.info("Skipping attempt to configure and synchronize time with"
+                        " chrony server as it has been already done on master.")
+        else:
+            logger.info("Skipping chrony configuration")
+
+    elif not options.on_master and options.conf_ntp:
+        # Attempt to sync time with IPA server.
+        # If we're skipping NTP configuration, we also skip the time sync here.
+        # We assume that NTP servers are discoverable through SRV records
+        # in the DNS.
+        # If that fails, we try to sync directly with IPA server,
+        # assuming it runs NTP
+        if len(options.ntp_servers) < 1:
+            # Detect NTP servers
+            ds = ipadiscovery.IPADiscovery()
+            ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp',
+                                               None, break_on_first=False)
+        else:
+            ntp_servers = options.ntp_servers
+
+        # Attempt to sync time:
+        # At first with given or dicovered time servers. If no ntp
+        # servers have been given or discovered, then with the ipa
+        # server.
+        module.log('Synchronizing time ...')
+        synced_ntp = False
+        # use user specified NTP servers if there are any
+        for s in ntp_servers:
+            synced_ntp = timeconf.synconce_ntp(s, False)
+            if synced_ntp:
+                break
+        if not synced_ntp and not ntp_servers:
+            synced_ntp = timeconf.synconce_ntp(cli_server[0], False)
+        if not synced_ntp:
+            module.warn("Unable to sync time with NTP server")
+
+    # Done
+    module.exit_json(changed=True,
+                     synced_ntp=synced_ntp)
+
+if __name__ == '__main__':
+    main()

roles/ipaclient/tasks/install.yml

@@ -45,6 +45,17 @@
     state: absent
 
 - block:
+  - name: Install - Configure NTP
+    ipaclient_setup_ntp:
+      ### basic ###
+      ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
+      ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
+      no_ntp: "{{ ipaclient_no_ntp }}"
+      #force_ntpd: "{{ ipaclient_force_ntpd }}"
+      on_master: "{{ ipaclient_on_master }}"
+      ### additional ###
+      domain: "{{ result_ipaclient_test.domain }}"
+
   - name: Install - Test if IPA client has working krb5.keytab
     ipaclient_test_keytab:
       servers: "{{ result_ipaclient_test.servers }}"