Tibor Dudlák via FreeIPA-devel wrote:
Hello FreeIPA-devel list fellow beings!
I would like to continue the discussion started in [1], and find
its solution.
While using the Single-Sign-on authentication provided via an MIT
Kerberos KDC there must not be any significant clock skew between
server and clients so a time synchronization service is required.
Red Hat Enterprise Linux is about to deprecate ntpd service and will
support chronyd instead. This will happen in release 8 and by this time
we should agree on some changes in IPA - whether to remove or replace the
already used ntpd service. I would like to sum up this change in a design
page but there should be an agreement first.
IPA, as is, checks the system configuration and if there is an NTP service
configured and running then it forces ntpd, meaning it disables any other
NTP service. It also alters its configuration, and restarts the NTP
service instance.
We may now want to consider, as the time sync service change is required,
to NOT configure a service that is not a part of the identity management
such as NTP, and leave it to system/IPA administrators.
IPA install script may only check whether there is an NTP service running
and if not, it would ask the administrator to configure it before the IPA
installation.
Upgrade of IPA might be more complicated because there will be the ntpd
service entry in LDAP, and the service will be up and running. I would
suggest that we do not remove any working ntpd service already
configured but only disown it from IPA's LDAP tree.
I will be glad for any input from you people and hopefully there will be
an acceptable solution for this soon :)
Thanks!
[1]
https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html
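The pre-install check Tibor proposes (look for a running NTP service and refuse to proceed if the clock is not kept in sync, without IPA configuring anything itself) could look like the following. This is an added example written for this thread, not code from the FreeIPA installer or the design page. It assumes systemd's `systemctl is-active` for service detection and the text layout of `chronyc tracking` for the sync check; the three `chronyc tracking` outputs embedded below are constructed samples, not captures from a real host, so the parser can be exercised where chronyd is not installed. The 1-second default skew limit is a choice made here; Kerberos itself tolerates far more (5 minutes by default), but a check run before install should demand much tighter sync than that.

```shell
#!/bin/sh
# Added example (not FreeIPA code): pre-install time-sync check that only
# reports and stops; it never configures, enables or restarts a daemon.
# Assumptions: `systemctl is-active` exists; `chronyc tracking` prints the
# "Reference ID", "Stratum", "System time" and "Leap status" lines in the
# layout that the constructed samples below follow.

# Print the first active time daemon of those discussed in the thread;
# return 1 when neither chronyd nor ntpd is active.
detect_ntp_service() {
    for svc in chronyd ntpd; do
        if systemctl is-active --quiet "$svc" 2>/dev/null; then
            echo "$svc"
            return 0
        fi
    done
    return 1
}

# Read `chronyc tracking` text on stdin; return 0 only if chronyd follows a
# real upstream source and the current offset is below $1 seconds (default 1).
chrony_synced() {
    max_skew=${1:-1}
    awk -v max="$max_skew" '
        BEGIN { bad = 0 }
        # "00000000 ()" means no source at all; 127.127.1.1 is the local clock
        /^Reference ID/ && /00000000|127\.127\.1\.1/ { bad = 1 }
        # stratum 0 or >= 16 is "unsynchronised" in NTP terms
        /^Stratum/ { s = $3 + 0; if (s == 0 || s >= 16) bad = 1 }
        # "System time : 0.000123 seconds fast of NTP time": $4 is the offset
        /^System time/ { if ($4 + 0 > max + 0) bad = 1 }
        /^Leap status/ && !/Normal/ { bad = 1 }
        END { exit bad }
    '
}

# What an installer would do with the two checks: print guidance for the
# administrator and return non-zero when the install should not proceed.
preinstall_time_check() {
    svc=$(detect_ntp_service) || {
        echo "No time service (chronyd/ntpd) is active; configure one before installing IPA." >&2
        return 1
    }
    if [ "$svc" = "chronyd" ]; then
        if chronyc tracking 2>/dev/null | chrony_synced 1; then
            echo "chronyd is active and the clock is synchronised."
            return 0
        fi
        echo "chronyd is active but the clock is not synchronised; fix that first." >&2
        return 1
    fi
    echo "$svc is active; its sync state is not parsed in this example."
    return 0
}

# Constructed sample outputs in `chronyc tracking` layout (not real captures).
SYNCED_SAMPLE='Reference ID    : C0A80001 (ntp.example.test)
Stratum         : 3
Ref time (UTC)  : Thu Mar 01 10:00:00 2018
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000010000 seconds
Leap status     : Normal'

UNSYNCED_SAMPLE='Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
Leap status     : Not synchronised'

SKEWED_SAMPLE='Reference ID    : C0A80001 (ntp.example.test)
Stratum         : 3
Ref time (UTC)  : Thu Mar 01 10:00:00 2018
System time     : 12.500000000 seconds slow of NTP time
Last offset     : -12.400000000 seconds
Leap status     : Normal'

# Exercise the parser on the samples, then the live host if chronyc exists.
report() {
    if printf '%s\n' "$2" | chrony_synced 1; then
        echo "$1: synchronised within 1 s"
    else
        echo "$1: not acceptable for an IPA install"
    fi
}
report SYNCED_SAMPLE "$SYNCED_SAMPLE"
report UNSYNCED_SAMPLE "$UNSYNCED_SAMPLE"
report SKEWED_SAMPLE "$SKEWED_SAMPLE"
if command -v chronyc >/dev/null 2>&1; then
    preinstall_time_check
fi
```

The deliberate design point is that the script ends with a message rather than an action: it matches the proposal to leave the time service to the administrator, so the only side effect is a non-zero exit that an installer can turn into a refusal to continue.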
A few comments on
https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support
This is mostly off the top of my head so don't take verbatim please :-)
Time is also important for 389-ds replication.
"ntpd is being deprecated in Fedora28 therefore IPA should deprecate it
as well."
nit: add space between Fedora and 28
s/should/must
Drop "On the other hand " and "a"
Under Use Cases I think I'd expand on the text a bit.
The use of the IPA time service is optional. If the infrastructure
already has access to time, either internally or via the Internet, then
the -N option can be used if desired. This will disable the IPA NTP service.
IPA by default enables a time service and this is used by clients. The
benefits of this were seen as:
- Clients and the server will be in the same stratum so should avoid
issues (even if the time is wildly off otherwise).
- For closed networks this may be the only time service available
I don't understand the statement about -N and --force-ntp. I think you
mean that for a server install -N will not configure a time service?
I'm not sure what --force-ntp is supposed to do, isn't it force-ntpd? It
is mentioned later that it will be deprecated. If ntpd isn't available
then how can one force it?
Design
Are you sure that changes made via chronyc are written to configuration
files? I didn't get that impression from the man page.
You make a mention of other platforms but there is little mention of
where this will be abstracted. There is already some abstraction for
NTP_*, is that what you are talking about? Just continuing the use of that?
Strictly speaking, Fedora is not a Red Hat product.
CLI
Table looks nice!
I don't see that ipa-server-install or ipa-replica-install have a
force-ntp option.
For -N I think it is more straightforward to say "IPA will not configure
a local time service"
--force-ntp is --force-ntpd on clients
Are any changes planned for --ntp-server?
Upgrades
I think IPA masters just need to restore the ntp files they changed on
install and disable the service. rpm -V will confirm that we got it
right except perhaps the time of the files.
I'm not sure I understand the last 2 steps. It will try to sync time and
if that fails setup chrony? What if it succeeds?
What differences will there be on client vs servers?
rob