On 22.11.2016 12:15, David Kupka wrote:
> Hello everyone!
> Is it worth to keep configuring NTP in FreeIPA?
> In usual environment there're no special requirements for time synchronization
> and the distribution default (be it ntpd, chrony or anything else) will just
> work. Any tampering with the configuration can't make it any better.
> In environment with special requirements (network disconnected from public
> internet, nodes disconnected from topology for longer time, ...) time
> synchronization must be taken care of accordingly by system administrator and
> FreeIPA simply can't help here.
> Also there are problems and weird behavior with the current FreeIPA 
> installers:
> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
> specified by user or resolved from DNS. If none were provided nor resolved the
> FreeIPA server specified/resolved during installation it used. This leads in
> just single server in the configuration and no time synchronization when this
> server is down/decommissioned.
> * ipa-client-install replaces the NTP configuration. If there was any parts
> previously edited by system administrator it's lost.
> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
> What's the point in doing that? These servers're already in the configuration
> file installed with ntp package.
> I have NTP-related WIP patches that solve some of the issues but in general I
> would prefer to remove the whole thing together with documenting "Please make
> sure that time on all FreeIPA servers and clients is synchronized. On most
> distributions this was already done during system installation."
> Can we mark NTP options deprecated in 4.5 and remove them and stop touching
> any time syncing service in 4.6?

Considering that default config is just fine for normal cases, and given how
poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get
out of configuration management business.

Petr^2 Spacek

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to