Tibor Dudlák via FreeIPA-devel wrote:
> Hello FreeIPA-devel list fellow beings!
> 
> I would like to continue the discussion started in [1], and find
> its solution.
> 
> While using the Single-Sign-on authentication provided via an MIT
> Kerberos KDC there must not be any significant clock skew between
> server and clients so a time synchronization service is required.
> 
> Red Hat Enterprise Linux is about to deprecate ntpd service and will
> support chronyd instead. This will happen in release 8 and by this time
> we should agree on some changes in IPA - whether to remove or replace the
> already used ntpd service. I would like to sum up this change in a design
> page but there should be an agreement first.
> 
> IPA, as is, checks the system configuration and if there is an NTP service
> configured and running then it forces ntpd, meaning it disables any other
> NTP service. It also alters its configuration, and restarts the NTP
> service instance.
> 
> We may now want to consider, as the time sync service change is required,
> to NOT configure a service that is not a part of the identity management
> such as NTP, and leave it to system/IPA administrators.
> 
> IPA install script may only check whether there is an NTP service running
> and if not, it would ask the administrator to configure it before the IPA
> installation.
> 
> Upgrade of IPA might be more complicated because there will be the ntpd
> service entry in LDAP, and the service will be up and running. I would
> suggest that we do not remove any working ntpd service already
> configured but only disown it from IPA's LDAP tree.
> 
> I will be glad for any input from you people and hopefully there will be
> an acceptable solution for this soon :) 
> 
> Thanks!
> 
> [1]
> https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html

A few comments on
https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support

This is mostly off the top of my head so don't take verbatim please :-)

Time is also important for 389-ds replication.

"ntpd is being deprecated in Fedora28 therefore IPA should deprecate it
as well."

nit: add space between Fedora and 28
s/should/must

Drop "On the other hand " and "a"

Under Use Cases I think I'd expand on the text a bit.

The use of the IPA time service is optional. If the infrastructure
already has access to time, either internally or via the Internet, then
the -N option can be used if desired. This will disable the IPA NTP service.

IPA by default enables a time service and this is used by clients. The
benefits of this were seen as:

- Clients and the server will be in the same stratum so should avoid
issues (even if the time is wildly off otherwise).
- For closed networks this may be the only time service available

I don't understand the statement about -N and --force-ntp. I think you
mean that for a server install -N will not configure a time service?

I'm not sure what --force-ntp is supposed to do, isn't it force-ntpd? It
is mentioned later that it will be deprecated. If ntpd isn't available
then how can one force it?

Design

Are you sure that changes made via chronyc are written to configuration
files? I didn't get that impression from the man page.

You make a mention of other platforms but there is little mention of
where this will be abstracted. There is already some abstraction for
NTP_*, is that what you are talking about? Just continuing the use of that?

Strictly speaking, Fedora is not a Red Hat product.

CLI

Table looks nice!

I don't see that ipa-server-install or ipa-replica-install have a
force-ntp option.

For -N I think it is more straightforward to say "IPA will not configure
a local time service"

--force-ntp is --force-ntpd on clients

Are any changes planned for --ntp-server?

Upgrades

I think IPA masters just need to restore the ntp files it changed on
install and disable the service. rpm -V will confirm that we got it
right except perhaps the time of the files.

I'm not sure I understand the last 2 steps. It will try to sync time and
if that fails setup chrony? What if it succeeds?

What differences will there be on client vs servers?

rob
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
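The pre-install check Tibor proposes (verify that a time-sync service is already running and otherwise ask the administrator, instead of IPA configuring one itself) and Rob's point that Kerberos and 389-ds replication both depend on the clock, worked through as an added Python example. This is neither FreeIPA's nor chrony's code: the unit names, the helper names and the `chronyc tracking` samples are assumptions, and the 300 s limit is MIT Kerberos' default `clockskew`.

```python
"""Installer-style time-service pre-check (added example, not FreeIPA code).

Assumptions: the unit names in TIME_SERVICES, the helper names and the two
chronyc samples are hypothetical; 300 s is MIT Kerberos' default clockskew.
"""
import re
import shutil
import subprocess

KERBEROS_MAX_SKEW_SECONDS = 300                           # MIT krb5 default
TIME_SERVICES = ("chronyd", "ntpd", "systemd-timesyncd")  # assumed order


def _systemctl_is_active(unit):
    """Ask systemd whether `unit` is active (exit status 0 means active)."""
    res = subprocess.run(["systemctl", "is-active", "--quiet", unit],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def detect_time_service(is_active=None):
    """Return the first running unit from TIME_SERVICES, or None.

    `is_active` (unit -> bool) can be injected to exercise the selection
    logic on a box without systemd; by default it shells out to systemctl.
    """
    if is_active is None:
        if shutil.which("systemctl") is None:
            return None
        is_active = _systemctl_is_active
    for unit in TIME_SERVICES:
        if is_active(unit):
            return unit
    return None


_SYSTEM_TIME_RE = re.compile(
    r"^System time\s*:\s*([0-9.]+) seconds (fast|slow) of NTP time", re.M)
_LEAP_RE = re.compile(r"^Leap status\s*:\s*(.+)$", re.M)
_STRATUM_RE = re.compile(r"^Stratum\s*:\s*(\d+)", re.M)


def parse_chronyc_tracking(text):
    """Extract stratum, leap status and signed offset from `chronyc tracking`.

    Offset is positive when the local clock is fast of NTP time; returns
    None when any of the three fields is missing.
    """
    m_time, m_leap, m_strat = (_SYSTEM_TIME_RE.search(text),
                               _LEAP_RE.search(text),
                               _STRATUM_RE.search(text))
    if not (m_time and m_leap and m_strat):
        return None
    offset = float(m_time.group(1))
    if m_time.group(2) == "slow":
        offset = -offset
    return {"stratum": int(m_strat.group(1)),
            "leap_status": m_leap.group(1).strip(),
            "offset_seconds": offset}


def clock_is_usable_for_kerberos(tracking, max_skew=KERBEROS_MAX_SKEW_SECONDS):
    """True only for a synchronised clock whose offset is within max_skew.

    chronyd reports 'Not synchronised' until its first successful sync; that
    state is refused even with a small offset, since there is no reference.
    """
    if tracking is None or tracking["leap_status"] != "Normal":
        return False
    return abs(tracking["offset_seconds"]) <= max_skew


# Constructed chronyc samples (not captured from a real host).
SAMPLE_SYNCED = """\
Reference ID    : C0A80001 (192.168.0.1)
Stratum         : 3
Ref time (UTC)  : Mon Feb 05 10:00:00 2018
System time     : 0.000014000 seconds slow of NTP time
Last offset     : -0.000000500 seconds
RMS offset      : 0.000004000 seconds
Update interval : 64.0 seconds
Leap status     : Normal
"""
SAMPLE_UNSYNCED = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
"""


def preinstall_time_check(chronyc_output, is_active=None):
    """Combine both checks into the (ok, message) verdict an installer prints.

    Nothing here writes or restarts anything: a non-chronyd service is left
    under the administrator's control, matching the proposal above.
    """
    unit = detect_time_service(is_active)
    if unit is None:
        return False, "no time-sync service running; configure one first"
    if unit != "chronyd":
        return True, "%s is running; leaving its configuration alone" % unit
    if clock_is_usable_for_kerberos(parse_chronyc_tracking(chronyc_output)):
        return True, "chronyd is synchronised within Kerberos clock skew"
    return False, "chronyd is running but the clock is not usable yet"


if __name__ == "__main__":
    for sample in (SAMPLE_SYNCED, SAMPLE_UNSYNCED):
        print(preinstall_time_check(sample, is_active=lambda u: u == "chronyd"))
```

On a live host the `chronyc_output` argument would be the text of `chronyc tracking`; the `is_active` hook exists only so the selection and skew logic can be run offline. Rejecting `Not synchronised` outright, rather than trusting a small offset, is the point a reviewer would want: before the first sync the offset chronyd reports has no reference behind it, so it says nothing about whether KDC tickets or replication changelogs will be accepted.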