Make pool entry in chrony.conf as a variable #34

Open
midhuhk opened this issue May 31, 2022 · 7 comments
@midhuhk

midhuhk commented May 31, 2022

We have a recommendation from security, as part of CIS, to use server in chrony.conf rather than pool. It would be nice to remove the hardcoded entry "pool" in the chrony.conf template.

@pa-jberanek

I agree this would be really good. Having default['chrony']['servers'] defined in attributes/default.rb means that you can't override the servers in your own role/environment, as your own settings get merged with the default from the cookbook.

@Stromweld

If you override the value in a cookbook, it should replace the hash.

@Stromweld

Stromweld commented May 2, 2024

I haven't tested, but my thought is something like `node.default['chrony']['servers'] = {}` in your wrapper cookbook; then defining it in your role/environment should work. I'm not positive on the order of evaluation from the chef-client compile phase, though, so this may not work. The issue stems from reading in the JSON role/environment: each key gets added to the hash, so it doesn't replace the servers value but adds to it, since the node object is a hash of hashes. In a cookbook, since it's Ruby, the `=` tells it to replace the value.

@pa-jberanek

> I haven't tested, but my thought is something like `node.default['chrony']['servers'] = {}` in your wrapper cookbook; then defining it in your role/environment should work. I'm not positive on the order of evaluation from the chef-client compile phase, though, so this may not work. The issue stems from reading in the JSON role/environment: each key gets added to the hash, so it doesn't replace the servers value but adds to it, since the node object is a hash of hashes. In a cookbook, since it's Ruby, the `=` tells it to replace the value.

The problem with this approach is we can't just use the cookbook recipe as-is, and have to produce our own wrapper cookbook. The alternative is maintaining a local fork of the cookbook, but this is far from ideal.

@pa-jberanek

We did indeed end up creating a wrapper cookbook, with a recipe:

```ruby
# clear out the default config templates
node.default['chrony']['servers'] = node.override['chrony']['servers']

include_recipe 'chrony::client'
```
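
Added example, not part of the thread or the cookbook: a plain-Ruby model of the merge behaviour discussed above, showing why servers defined in a role are added to the cookbook default instead of replacing it, and what the wrapper recipe's `=` assignment changes. The `deep_merge` helper, the host names and the attribute values are constructed for illustration and simplify Chef's real precedence handling.

```ruby
# Simplified model of hash deep merging across attribute levels (assumption:
# a plain-Ruby stand-in, not Chef's implementation). All host names are constructed.

# Merge `upper` over `lower`: nested hashes are combined key by key,
# any other value in `upper` wins.
def deep_merge(lower, upper)
  lower.merge(upper) do |_key, low, up|
    low.is_a?(Hash) && up.is_a?(Hash) ? deep_merge(low, up) : up
  end
end

# Effective node view: levels are merged lowest precedence first.
def effective(*levels)
  levels.reduce({}) { |acc, level| deep_merge(acc, level) }
end

# Constructed stand-in for the cookbook's attributes/default.rb.
COOKBOOK_DEFAULT = {
  'chrony' => { 'servers' => { '0.pool.example.org' => 'iburst' } }
}.freeze

# Constructed role data naming the internal time sources.
ROLE_SERVERS = { 'ntp1.corp.example' => 'iburst', 'ntp2.corp.example' => 'iburst' }.freeze
ROLE_OVERRIDE = { 'chrony' => { 'servers' => ROLE_SERVERS } }.freeze

# Case 1: role only. The cookbook's default key survives the merge.
def servers_with_role_only
  effective(COOKBOOK_DEFAULT, ROLE_OVERRIDE)['chrony']['servers'].keys
end

# Case 2: the wrapper recipe assigns the default level with `=`, replacing the hash,
# as in node.default['chrony']['servers'] = node.override['chrony']['servers'].
def servers_with_wrapper
  default_level = { 'chrony' => { 'servers' => ROLE_SERVERS } }
  effective(default_level, ROLE_OVERRIDE)['chrony']['servers'].keys
end

# Audit helper: entries in the effective set that the role never listed.
def unexpected_servers(effective_keys)
  effective_keys - ROLE_SERVERS.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "role only: #{servers_with_role_only.inspect}"
  puts "wrapper:   #{servers_with_wrapper.inspect}"
end
```

The same comparison, run against the server list a converged node actually reports, is a quick way to confirm that no time source outside the approved list was left in place.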

@Stromweld

Removing the pool also doesn't allow the cookbook to be used as is, and would still require either a wrapper cookbook, role, environment, or policyfile to define it somewhere. Ideally this eventually would get rewritten as a resource-only cookbook, like the rest of the sous-chefs cookbooks are moving to.

@pa-jberanek

> Removing the pool also doesn't allow the cookbook to be used as is, and would still require either a wrapper cookbook, role, environment, or policyfile to define it somewhere. Ideally this eventually would get rewritten as a resource-only cookbook, like the rest of the sous-chefs cookbooks are moving to.

Most people will already have a role/environment though.
