[Freeipa-devel] NTP in FreeIPA

Jan Cholasta jcholast at redhat.com
Tue Nov 22 14:05:38 UTC 2016


On 22.11.2016 13:06, Petr Spacek wrote:
> On 22.11.2016 12:15, David Kupka wrote:
>> Hello everyone!
>>
>> Is it worth keeping the NTP configuration in FreeIPA?
>>
>> In a usual environment there are no special requirements for time
>> synchronization and the distribution default (be it ntpd, chrony or anything
>> else) will just work. Any tampering with the configuration can't make it any
>> better.
>>
>> In an environment with special requirements (network disconnected from the
>> public internet, nodes disconnected from the topology for a longer time, ...)
>> time synchronization must be taken care of accordingly by the system
>> administrator and FreeIPA simply can't help here.
>>
>> Also there are problems and weird behavior with the current FreeIPA installers:
>>
>> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
>> specified by the user or resolved from DNS. If none were provided or resolved,
>> the FreeIPA server specified/resolved during installation is used. This leads
>> to just a single server in the configuration and no time synchronization when
>> this server is down/decommissioned.
>>
>> * ipa-client-install replaces the NTP configuration. If there were any parts
>> previously edited by the system administrator, they are lost.
>>
>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
>> What's the point in doing that? These servers are already in the configuration
>> file installed with the ntp package.
>>
>> I have NTP-related WIP patches that solve some of the issues but in general I
>> would prefer to remove the whole thing together with documenting "Please make
>> sure that time on all FreeIPA servers and clients is synchronized. On most
>> distributions this was already done during system installation."
>>
>> Can we mark NTP options deprecated in 4.5 and remove them and stop touching
>> any time syncing service in 4.6?
>
> Considering that the default config is just fine for normal cases, and given
> how poorly integrated it is into FreeIPA, I agree with David. FreeIPA should
> get out of the configuration management business.

+1

-- 
Jan Cholasta
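
Added example, not part of the original message and not FreeIPA code: a shell check an administrator could run against /etc/ntp.conf (or chrony.conf) to detect the single-time-source state described in the quoted ipa-client-install bullet. The function name, verdict strings and the host ipa1.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA code): flag a time-sync config that depends on
# exactly one network server, as described in the thread above.
#
# Prints one verdict line and returns:
#   0  "OK <n>"                 more than one source, or a pool directive
#   1  "SINGLE_SOURCE <host>"   exactly one non-pool source
#   2  "NO_SOURCES"             no server/pool/peer directive at all
check_time_sources() {
    verdict=$(awk '
        { sub(/#.*/, "") }                        # drop comments
        # server, pool and peer exist in both ntp.conf and chrony.conf
        $1 ~ /^(server|pool|peer)$/ && NF >= 2 {
            # 127.127.t.u is an ntpd reference-clock driver (e.g. the
            # local clock), not a network server
            if ($2 ~ /^127\.127\./) next
            if (seen[$2]++) next                  # count each host once
            if ($1 == "pool") pools++             # a pool name yields several servers
            n++; last = $2
        }
        END {
            if (n == 0)                     print "NO_SOURCES"
            else if (n == 1 && pools == 0)  print "SINGLE_SOURCE " last
            else                            print "OK " n
        }
    ' "$1")
    echo "$verdict"
    case $verdict in
        OK*)            return 0 ;;
        SINGLE_SOURCE*) return 1 ;;
        *)              return 2 ;;
    esac
}

# Constructed sample input: a client config left with only one FreeIPA
# server (ipa1.example.test is a placeholder host name).
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample, not taken from a real system' \
    'driftfile /var/lib/ntp/drift' \
    'server 127.127.1.0' \
    'server ipa1.example.test iburst' > "$sample"
check_time_sources "$sample" || true
rm -f "$sample"
```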
