[Freeipa-devel] NTP in FreeIPA

Simo Sorce simo at redhat.com
Fri Nov 25 15:38:07 UTC 2016


On Fri, 2016-11-25 at 10:34 -0500, Simo Sorce wrote:
> On Tue, 2016-11-22 at 15:05 +0100, Jan Cholasta wrote:
> > On 22.11.2016 13:06, Petr Spacek wrote:
> > > On 22.11.2016 12:15, David Kupka wrote:
> > >> Hello everyone!
> > >>
> > >> Is it worth it to keep configuring NTP in FreeIPA?
> > >>
> > >> In a usual environment there are no special requirements for time synchronization
> > >> and the distribution default (be it ntpd, chrony or anything else) will just
> > >> work. Any tampering with the configuration can't make it any better.
> > >>
> > >> In an environment with special requirements (network disconnected from the public
> > >> internet, nodes disconnected from the topology for a longer time, ...) time
> > >> synchronization must be taken care of accordingly by the system administrator and
> > >> FreeIPA simply can't help here.
> > >>
> > >> Also there are problems and weird behavior with the current FreeIPA installers:
> > >>
> > >> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
> > >> specified by the user or resolved from DNS. If none were provided or resolved, the
> > >> FreeIPA server specified/resolved during installation is used. This leads to
> > >> just a single server in the configuration and no time synchronization when this
> > >> server is down/decommissioned.
> > >>
> > >> * ipa-client-install replaces the NTP configuration. If there were any parts
> > >> previously edited by the system administrator, they are lost.
> > >>
> > >> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
> > >> What's the point in doing that? These servers are already in the configuration
> > >> file installed with the ntp package.
> > >>
> > >> I have NTP-related WIP patches that solve some of the issues but in general I
> > >> would prefer to remove the whole thing together with documenting "Please make
> > >> sure that time on all FreeIPA servers and clients is synchronized. On most
> > >> distributions this was already done during system installation."
> > >>
> > >> Can we mark NTP options deprecated in 4.5 and remove them and stop touching
> > >> any time syncing service in 4.6?
> > >
> > > Considering that default config is just fine for normal cases, and given how
> > > poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get
> > > out of configuration management business.
> > 
> > +1
> 
> Just FYI, when we integrated NTP the plan was to eventually get NTPD
> compiled on the server (and on the client) to generate/check signatures
> on time packets. We never got around to do it, and at some point we
> decided to wait as daemons were in flux in some distributions and IETF
> had efforts to provide some more standardized way to provide packet
> signatures (we were planning to use the GSS based signature format
> developed by Microsoft and used in AD).
> 
> When we get back to signing packets we may have to get back in the
> business of configuring the clients to check in with the right
> servers ...
> 
> So I am in two minds if we should completely remove it, but I am ok not
> touching it by default for now in ipa-client-install, i.e. adding a
> --ntp-conf=off|on or some such and default to off.

Forgot to add, the other reason for us to configure NTP was to make sure
servers and clients had the same time. It was very common back then to
have issues with Virtualized environments.

So ... if we do this (stop configuring NTP) then we MUST (IMO) add some
code to the installer that checks if the server and client agree on the
time (with a few minutes clock skew) and then LOUDLY warn the user if
they do not and suggest they configure NTP properly (and offer them to
enable the option to do it ourselves perhaps).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
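The clock-skew check Simo proposes above (server and client agree within a few minutes, otherwise warn loudly) can be sketched in a few lines of Python. The following is an added example written for this page; it is not FreeIPA's installer code. It builds a minimal SNTP request, parses the 48-byte reply (mode 4, transmit timestamp in bytes 40-47, NTP epoch of 1900), and compares the server time with the local clock against an assumed 300-second tolerance. The sample reply it parses offline is constructed here, with a transmit timestamp near the date of this thread. Because the reply is unauthenticated (the thread notes that signed time packets never materialised), the result is only a sanity check for the installer, not a trustworthy time source.

```python
import socket
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
NTP_PACKET_LEN = 48
# "A few minutes" of tolerated skew; 300 s is an assumed value, not FreeIPA's.
DEFAULT_MAX_SKEW = 300


def build_sntp_request():
    """Minimal SNTP client request: LI=0, VN=4, Mode=3 (client), rest zeroed."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return bytes([first_byte]) + bytes(NTP_PACKET_LEN - 1)


def parse_transmit_time(packet):
    """Extract the server transmit timestamp (bytes 40..47) as Unix seconds (float).

    Refuses replies that are too short, are not a server reply (mode 4),
    or come from an unsynchronised server (stratum 0 / kiss-o'-death).
    """
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(packet))
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("unexpected NTP mode %d (expected 4, server)" % mode)
    stratum = packet[1]
    if stratum == 0:
        raise ValueError("server reports stratum 0 (unsynchronised), time not usable")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def clock_skew(server_time, local_time):
    """Signed skew in seconds: positive means the server clock is ahead of ours."""
    return server_time - local_time


def skew_is_acceptable(skew, max_skew=DEFAULT_MAX_SKEW):
    return abs(skew) <= max_skew


def check_and_warn(server_time, local_time, max_skew=DEFAULT_MAX_SKEW):
    """Return True if the clocks agree; otherwise print a loud warning and return False."""
    skew = clock_skew(server_time, local_time)
    if skew_is_acceptable(skew, max_skew):
        return True
    print("WARNING: local clock differs from the IPA server by %.1f seconds "
          "(tolerance %d s). Kerberos will fail until time is synchronised; "
          "configure NTP/chrony on this host." % (skew, max_skew))
    return False


def query_server_time(host, port=123, timeout=3.0):
    """Send one SNTP request over UDP and return the server transmit time.

    Network call; not exercised offline. Caller supplies the IPA server name.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_sntp_request(), (host, port))
        data, _ = sock.recvfrom(NTP_PACKET_LEN)
    finally:
        sock.close()
    return parse_transmit_time(data)


def make_sample_reply(unix_seconds, stratum=2):
    """Constructed server reply for offline testing: mode 4, given stratum,
    transmit timestamp set to unix_seconds; other fields left zero."""
    pkt = bytearray(NTP_PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 4
    pkt[1] = stratum
    whole = int(unix_seconds)
    ntp_seconds = whole + NTP_EPOCH_OFFSET
    fraction = int((unix_seconds - whole) * 2 ** 32)
    pkt[40:48] = struct.pack("!II", ntp_seconds, fraction)
    return bytes(pkt)


if __name__ == "__main__":
    # Offline demonstration with a constructed reply (timestamp is 2016-11-25 15:38:07 UTC).
    server_now = parse_transmit_time(make_sample_reply(1480088287.0))
    check_and_warn(server_now, server_now + 120)   # 2 minutes off: accepted
    check_and_warn(server_now, server_now + 600)   # 10 minutes off: loud warning
```

In an installer the call would be `check_and_warn(query_server_time(ipa_server), time.time())`; the stratum-0 and mode checks matter because an unsynchronised or bogus reply would otherwise produce a confident but wrong verdict.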



