[Freeipa-devel] NTP in FreeIPA
Martin Basti
mbasti at redhat.com
Fri Nov 25 08:12:51 UTC 2016
On 24.11.2016 20:31, Gabe Alford wrote:
> On Thu, Nov 24, 2016 at 9:14 AM, Martin Basti <mbasti at redhat.com
> <mailto:mbasti at redhat.com>> wrote:
>
>
>
> On 24.11.2016 16:11, Gabe Alford wrote:
>> On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti <mbasti at redhat.com
>> <mailto:mbasti at redhat.com>> wrote:
>>
>>
>>
>> On 24.11.2016 07:06, David Kupka wrote:
>>
>> On 22/11/16 23:15, Gabe Alford wrote:
>>
>> I would say that it is worth keeping in FreeIPA. I
>> know myself and some
>> customers use its functionality by having the clients
>> sync to the IPA
>> servers and have the servers sync to the NTP source.
>> This way if the NTP
>> source ever gets disrupted for long periods of time
>> (which has happened in
>> my environment) the client time drifts with the
>> authentication source. This
>> is the way that AD often works and is configured.
>>
>>
>> Hello Gabe,
>> I agree that it's common practice to synchronize all
>> nodes in network with single source in order to have the
>> same time and save bandwidth. Also I understand that it's
>> comfortable to let FreeIPA installer take care of it.
>> But I don't think FreeIPA should do it IMO this is job
>> for Ansible or similar tool. Also the problem is that in
>> some situations FreeIPA installer makes it worse.
>>
>> Example:
>>
>> 1. Install FreeIPA server (ipa1.example.org
>> <http://ipa1.example.org>)
>> 2. Install FreeIPA client on all nodes in network
>> 3. Install replica (ipa2.example.org
>> <http://ipa2.example.org>) of FreeIPA server to increase
>> redundancy
>>
>>
>> Why not have NTP look at a _srv_records?
>
> Do ntpclients support this natively? I just found some ugly hacks
> for chrony, i.e extra service that is dynamically changing config
> file.
> But yes this may be way too, but dirty.
>
>
> You are right. It is an ugly. I wonder if we can push to make it not
> so ugly so that _srv_ is used for both Chrony and NTP which IMO makes
> those two products better. If not and the desire is truly to get rid
> of chrony/ntp configuration on the client side, what about adding
> Chrony and NTP configuration to ipa-advise?
And I realized that this may be applicable only if IPA is installed with
integrated DNS, when IPA automatically updates system services DNS
records. With external DNS we will bother admins to create SRV records,
so it is the same as creating DHCP configuration.
we can add it to ipa-advise.
Martin^2
>> Now all the clients have ipa1.example.org
>> <http://ipa1.example.org> as the only server in
>> /etc/ntp.conf. If the first FreeIPA server becomes
>> unreachable all clients will be able to contact KDC on
>> the other server thanks to DNS autodiscovery in libkrb5
>> but will be unable to synchronize time.
>>
>>
>> This can be resolved by DHCP configured NTP. When NTP server
>> changed, you just change DHCPd config and hosts conf will be
>> synced.
>> We may keep NTP on IPA server side configured, but I'm voting
>> for removing it from clients and document+endorse people to
>> use DHCP (anyway distros have always enabled some time
>> synchronization so it should naturally work without even in
>> small deployments)
>>
>>
>> If NTP is still configured on the IPA server, this may be less of
>> an issue. Not everyone has/is/will be using ansible. Also in
>> secure environments, DHCP
>> is not allowed/used at all.
>>
>> Also NTP is somehow incompatible with containers, usually
>> containers have time synchronized from host, and by default
>> IPA client container don't do NTP configuration.
>>
>>
>> Isn't that what the --no-ntp option in the client is for anyway?
>>
>>
>> Let deprecate it in 4.5
>>
>> Martin^2
>>
>>
>>
>>
>> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta
>> <jcholast at redhat.com <mailto:jcholast at redhat.com>> wrote:
>>
>> On 22.11.2016 13:06, Petr Spacek wrote:
>>
>> On 22.11.2016 12:15, David Kupka wrote:
>>
>> Hello everyone!
>>
>> Is it worth to keep configuring NTP in
>> FreeIPA?
>>
>> In usual environment there're no special
>> requirements for time
>> synchronization
>> and the distribution default (be it ntpd,
>> chrony or anything else) will
>> just
>> work. Any tampering with the
>> configuration can't make it any better.
>>
>> In environment with special requirements
>> (network disconnected from
>> public
>> internet, nodes disconnected from
>> topology for longer time, ...) time
>> synchronization must be taken care of
>> accordingly by system
>> administrator and
>> FreeIPA simply can't help here.
>>
>> Also there are problems and weird
>> behavior with the current FreeIPA
>> installers:
>>
>> * ipa-client-install replaces all servers
>> in /etc/ntp.conf with the ones
>> specified by user or resolved from DNS.
>> If none were provided nor
>> resolved the
>> FreeIPA server specified/resolved during
>> installation it used. This
>> leads in
>> just single server in the configuration
>> and no time synchronization when
>> this
>> server is down/decommissioned.
>>
>> * ipa-client-install replaces the NTP
>> configuration. If there was any
>> parts
>> previously edited by system administrator
>> it's lost.
>>
>> * ipa-server-install adds
>> {0-4}.$PLATFORM.pool.ntp.org
>> <http://PLATFORM.pool.ntp.org> to
>> /etc/ntp.conf.
>> What's the point in doing that? These
>> servers're already in the
>> configuration
>> file installed with ntp package.
>>
>> I have NTP-related WIP patches that solve
>> some of the issues but in
>> general I
>> would prefer to remove the whole thing
>> together with documenting "Please
>> make
>> sure that time on all FreeIPA servers and
>> clients is synchronized. On
>> most
>> distributions this was already done
>> during system installation."
>>
>> Can we mark NTP options deprecated in 4.5
>> and remove them and stop
>> touching
>> any time syncing service in 4.6?
>>
>>
>> Considering that default config is just fine
>> for normal cases, and given
>> how
>> poorly integrated it is into FreeIPA, I agree
>> with David. FreeIPA should
>> get
>> out of configuration management business.
>>
>>
>> +1
>>
>> --
>> Jan Cholasta
>>
>>
>> --
>> Manage your subscription for the Freeipa-devel
>> mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> <https://www.redhat.com/mailman/listinfo/freeipa-devel>
>> Contribute to FreeIPA:
>> http://www.freeipa.org/page/Contribute/Code
>> <http://www.freeipa.org/page/Contribute/Code>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20161125/79814d87/attachment.htm>
More information about the Freeipa-devel
mailing list