[Freeipa-devel] [PATCH] 335 Stop and disable conflicting time&date services

Fri Dec 7 15:50:20 UTC 2012

On 12/07/2012 02:51 PM, Simo Sorce wrote:
> On Fri, 2012-12-07 at 13:14 +0100, Martin Kosek wrote:
>> On 11/15/2012 10:49 PM, Simo Sorce wrote:
>>> On Thu, 2012-11-15 at 17:33 +0100, Martin Kosek wrote:
>>>> On 11/15/2012 03:22 PM, Simo Sorce wrote:
>>>>> On Thu, 2012-11-15 at 12:34 +0100, Martin Kosek wrote:
>>>>>> Fedora 16 introduced chrony as default client time&date synchronization
>>>>>> service:
>>>>>> http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
>>>>>> Thus, there may be people already using chrony as their time and date
>>>>>> synchronization service before installing IPA.
>>>>>>
>>>>>> However, installing IPA server or client on such machine may lead to
>>>>>> unexpected behavior, as the IPA installer would configure ntpd and leave
>>>>>> the machine with both ntpd and chronyd enabled. However, since the OS
>>>>>> does not allow both chronyd and ntpd to be running concurrently and chronyd
>>>>>> has the precedence, ntpd would not be run on that system at all.
>>>>>>
>>>>>> Make sure, that user is warned when trying to install IPA on such
>>>>>> system and is given a possibility to either not to let IPA configure
>>>>>> ntpd at all or to let the installer stop and disable chronyd.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2974
>>>>>
>>>>> This looks a bit backwards to me.
>>>>>
>>>>> The IPA server can only configure ntpd because it configures it to serve
>>>>> time to the clients. So on a server force_ntpd should be the default and
>>>>> the install should automatically shutdown crony.
>>>>
>>>> I considered that option too, but it simply just did not seem very "polite" to
>>>> silently stop and disable chrony with some custom user time&date
>>>> synchronization configuration that user may rely on.
>>>>
>>>> Telling user what's the problem and providing him with options what to do
>>>> seemed more user friendly to me...
>>>
>>> not on the server, no you don;t get to choose there, unless you call
>>> install script with --no-ntp
>>
>> Well, IMO this is exactly what my patch does on the server side. Allows user to
>> either run the server install with --no-ntp or let it install with --force-ntpd
>> which disables other time&date services. That are the only 2 choices, I just
>> did the ntpd configuration in a polite way.
>>
>>>
>>>>>
>>>>> On clients we may give a choice, but then we should not stop, we should
>>>>> instead configure the one tool the admin wants to use and point it to
>>>>> the server, because time synchronization is critical. Not syncing time
>>>>> is basically not an option so our default behavior must be to make sure
>>>>> one of the time tool is properly configured and require a force flag if
>>>>> the admin wants to 'not' configure a time sync tool.
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> The force flag to not configure time sync tool is already there as --no-ntp. I
>>>> already discussed this with Rob before, I was advised to rather stick with the
>>>> ntpd only for the time being. Adding Rob to CC to comment on this one.
>>>
>>> Not sure I grok what this entails, support only ntpd ?
>>
>> At this moment, yes.
>>
>>> In this case we can error out if crony is there on the client, but not
>>> on the server. On the server we just roll over crony, as crony is not an
>>> ntp server at all so it should go
>>> if the admin *really*insist in using crony then they'll have to
>>> explicitly install the server with --no-ntp
>>> note that we are not going to change crony;s configuration just turn it
>>> off and start ntpd instead.
>>>
>>> Simo.
>>>
>>
>> Do I understand this right, that you also want to add a support for chrony?
>> I.e. that ipa-client-install should be able to configure either ntpd or chronyd
>> for synchronization based on user's choice? If yes, I am OK with that and I can
>> implement it - I just wanted to make sure that this is what we want.
>>
>> In current state, ipa-client-install errors out when chrony is configured and
>> allows user to either run with --no-ntp (and thus keep the chrony running) or
>> with --force-ntpd which would disable chronyd and configure&enable ntpd.
> 
> No, that is not what I am saying.
> 
> I think these should be the actions taken:
> 
> 1. Server install (no flags).
> a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
> b. ntpd is found: reconfigure it
> c.1. crony is found: disable it and reconfigure ntpd, no questions asked
> c.2. if --no-ntp is passed in then do not disable crony
> 
> 2. client install
> a. nothing is found: install ntpd as usual (unless --no-ntp is passed)
> b. ntpd is found: whatever is done now
> c.1. crony is found: warn that crony is in use, but proceed with install
> c.2. if --force-ntpd is passed then disable crony and configure ntpd
> 
> Basically in the server we imply a default of --force-ntpd, unless you
> pass --no-ntp
> 
> Simo.
> 

Ok, I see your point now. Sending an updated version.

During server installation, user is warned when running conflicting time
service. Installation then enforces ntpd configuration.

During client installation, user is also warned, but continuing in installation
omits ntpd configuration instead. But user can use --force-ntpd to force ntpd
configuration.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-335-2-stop-and-disable-conflicting-time-date-services.patch
Type: text/x-patch
Size: 15268 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121207/50fe4994/attachment.bin>