[Freeipa-devel] [PATCH] 335 Stop and disable conflicting time&date services

Fri Dec 7 13:51:42 UTC 2012

On Fri, 2012-12-07 at 13:14 +0100, Martin Kosek wrote:
> On 11/15/2012 10:49 PM, Simo Sorce wrote:
> > On Thu, 2012-11-15 at 17:33 +0100, Martin Kosek wrote:
> >> On 11/15/2012 03:22 PM, Simo Sorce wrote:
> >>> On Thu, 2012-11-15 at 12:34 +0100, Martin Kosek wrote:
> >>>> Fedora 16 introduced chrony as default client time&date synchronization
> >>>> service:
> >>>> http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
> >>>> Thus, there may be people already using chrony as their time and date
> >>>> synchronization service before installing IPA.
> >>>>
> >>>> However, installing IPA server or client on such machine may lead to
> >>>> unexpected behavior, as the IPA installer would configure ntpd and leave
> >>>> the machine with both ntpd and chronyd enabled. However, since the OS
> >>>> does not allow both chronyd and ntpd to be running concurrently and chronyd
> >>>> has the precedence, ntpd would not be run on that system at all.
> >>>>
> >>>> Make sure, that user is warned when trying to install IPA on such
> >>>> system and is given a possibility to either not to let IPA configure
> >>>> ntpd at all or to let the installer stop and disable chronyd.
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/2974
> >>>
> >>> This looks a bit backwards to me.
> >>>
> >>> The IPA server can only configure ntpd because it configures it to serve
> >>> time to the clients. So on a server force_ntpd should be the default and
> >>> the install should automatically shutdown crony.
> >>
> >> I considered that option too, but it simply just did not seem very "polite" to
> >> silently stop and disable chrony with some custom user time&date
> >> synchronization configuration that user may rely on.
> >>
> >> Telling user what's the problem and providing him with options what to do
> >> seemed more user friendly to me...
> > 
> > not on the server, no you don;t get to choose there, unless you call
> > install script with --no-ntp
> 
> Well, IMO this is exactly what my patch does on the server side. Allows user to
> either run the server install with --no-ntp or let it install with --force-ntpd
> which disables other time&date services. That are the only 2 choices, I just
> did the ntpd configuration in a polite way.
> 
> > 
> >>>
> >>> On clients we may give a choice, but then we should not stop, we should
> >>> instead configure the one tool the admin wants to use and point it to
> >>> the server, because time synchronization is critical. Not syncing time
> >>> is basically not an option so our default behavior must be to make sure
> >>> one of the time tool is properly configured and require a force flag if
> >>> the admin wants to 'not' configure a time sync tool.
> >>>
> >>> Simo.
> >>>
> >>
> >> The force flag to not configure time sync tool is already there as --no-ntp. I
> >> already discussed this with Rob before, I was advised to rather stick with the
> >> ntpd only for the time being. Adding Rob to CC to comment on this one.
> > 
> > Not sure I grok what this entails, support only ntpd ?
> 
> At this moment, yes.
> 
> > In this case we can error out if crony is there on the client, but not
> > on the server. On the server we just roll over crony, as crony is not an
> > ntp server at all so it should go
> > if the admin *really*insist in using crony then they'll have to
> > explicitly install the server with --no-ntp
> > note that we are not going to change crony;s configuration just turn it
> > off and start ntpd instead.
> > 
> > Simo.
> > 
> 
> Do I understand this right, that you also want to add a support for chrony?
> I.e. that ipa-client-install should be able to configure either ntpd or chronyd
> for synchronization based on user's choice? If yes, I am OK with that and I can
> implement it - I just wanted to make sure that this is what we want.
> 
> In current state, ipa-client-install errors out when chrony is configured and
> allows user to either run with --no-ntp (and thus keep the chrony running) or
> with --force-ntpd which would disable chronyd and configure&enable ntpd.

No, that is not what I am saying.

I think these should be the actions taken:

1. Server install (no flags).
a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
b. ntpd is found: reconfigure it
c.1. crony is found: disable it and reconfigure ntpd, no questions asked
c.2. if --no-ntp is passed in then do not disable crony

2. client install
a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
b. ntpd is found: whatever is done now
c.1. crony is found: warn that crony is in use, but proceed with install
c.2. if --force-ntpd is passed then disable crony and configure ntpd

Basically in the server we imply a default of --force-ntpd, unless you
pass --no-ntp

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York