From 463458bf5f06f44bc06727b37cb84faaceb8f257 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Sat, 1 Aug 2015 13:13:53 -0400
Subject: [PATCH] AWS: Install ntp daemon on all nodes
The AWS API requires a signature on method calls, including the timestamp to prevent replay attacks. A time drift of up to 5 minutes between client and server is tolerated. However, if the client clock drifts by >5 minutes, the server will start to reject API calls (with the cryptic "AWS was not able to validate the provided access credentials"). To prevent this happening, we install ntp on all nodes. Fix #11371
---
 cluster/saltbase/salt/ntp/init.sls | 11 +++++++++++
 cluster/saltbase/salt/top.sls | 3 +++
 2 files changed, 14 insertions(+)
 create mode 100644 cluster/saltbase/salt/ntp/init.sls
diff --git a/cluster/saltbase/salt/ntp/init.sls b/cluster/saltbase/salt/ntp/init.sls
new file mode 100644
index 00000000000..fa8c8a7c461
--- /dev/null
+++ b/cluster/saltbase/salt/ntp/init.sls
@@ -0,0 +1,11 @@
+ntp:
+ pkg:
+ - installed
+
+ntp-service:
+ service:
+ - running
+ - name: ntp
+ - watch:
+ - pkg: ntp
+
diff --git a/cluster/saltbase/salt/top.sls b/cluster/saltbase/salt/top.sls
index 1e730fc9155..feb31ae33e8 100644
--- a/cluster/saltbase/salt/top.sls
+++ b/cluster/saltbase/salt/top.sls
@@ -3,6 +3,9 @@ base:
 - base
 - debian-auto-upgrades
 - salt-helpers
+{% if grains.get('cloud') == 'aws' %}
+ - ntp
+{% endif %}
 'roles:kubernetes-pool':
 - match: grain
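Review bot: The `ntp-service` state declares the service `running` but never sets `enable: True`, so whether the daemon comes back after a reboot is left to the package's defaults rather than to this state; adding `- enable: True` under `service:` would pin it. No ntp configuration is managed here either, so each node uses whatever time sources the distribution package ships. Because the commit message ties AWS request-signature validation to clock accuracy, the time source effectively becomes a trust input, and an explicitly managed server list may be worth a follow-up.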
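Review bot: The `{% if grains.get('cloud') == 'aws' %}` guard carries no comment saying why ntp is AWS-only, so the reason lives only in the commit message; a line such as `# AWS rejects signed API calls once the node clock drifts by more than 5 minutes` next to the `- ntp` entry would keep it with the code. Clock skew also affects certificate validity checks and log correlation on any provider, so it is worth confirming that nodes on other clouds get time sync from their images before keeping the guard this narrow. The matcher block this list belongs to starts above the hunk.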