Re: [systemd-devel] Time synchronization over HTTP?

2016-07-05 Thread Lennart Poettering
On Mon, 27.06.16 10:34, Kai Hendry (hen...@webconverger.com) wrote:

> Hi there,
> 
> I had a quick look at
> https://github.com/systemd/systemd/tree/master/src/timesync to try to work
> out if /usr/lib/systemd/systemd-timesyncd had some sort of fallback if
> ntp UDP port 123 traffic is blocked.
> 
> This happens all too often with my deployments of Webconverger and I was
> wondering if asking for HTTP based time synchronization was a sane thing
> to ask for from systemd.
> 
> An example implementation can be found here:
> https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L31

I figure having something like this makes some sense. There was a plan
to add something like an http-based ping scheme to networkd, so that
networkd can do captive portal detection natively, and at the same
time acquire some useful data from the ping server, for example a
suggested default timezone/language/location and so on, via some http
request or so. NetworkManager, Firefox, and so on all implement that
on their own these days, to limited degrees, and even ConnMan has been
doing this for quite some time. It's a bit of a privacy issue, as when
this is enabled there's an instant ping to some central server
attempted, but I still think for many setups having this makes a ton
of sense.

I figure using this also as a crappy fallback if NTP doesn't work and
hasn't worked in a while definitely makes sense.

I am not convinced however to reuse some HTTP server for this that
isn't actually explicitly set up for this scheme, and thus is known to
provide correct times. For example, making clients sync their clocks
to www.google.com appears a questionable idea to me.

So yeah, I like the idea, but doing this properly is not trivial I
figure, in particular if we want to take the privacy issue into
account and provide at least a bit of anonymity for clients.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
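What an HTTP-based "crappy fallback" of the kind discussed in this thread can actually measure, as an added example (this is not code from systemd, timesyncd or motioneyeos, and the function names, the constructed response and the timestamps are all assumptions made here for illustration): it parses the Date: header of a raw HTTP response and turns it into a bound on the clock offset rather than a value to set the clock to, because the header has 1 s resolution and is stamped at an unknown point inside the round trip.

```python
"""HTTP Date-header clock sanity check.

Added example for this thread; it is not code from systemd, timesyncd or
motioneyeos. It shows what an HTTP-based fallback can actually measure:
the Date: header has 1 s resolution and is stamped at an unknown point
inside the request/response round trip, so the result is a bound on the
clock offset, good for catching a grossly wrong clock (dead RTC, year
1970), not for disciplining it the way NTP does.
"""
from __future__ import annotations

import datetime as dt
from email.utils import parsedate_to_datetime

# Constructed sample response. A real fallback would fetch this over TLS
# from a server operated for the purpose; the timestamps below are made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 204 No Content\r\n"
    b"Date: Tue, 05 Jul 2016 10:00:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_http_date(raw: bytes) -> float:
    """Return the Date: header of a raw HTTP response as Unix time (UTC).

    Raises ValueError when the header is missing or not an RFC 7231 date.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"date":
            continue
        try:
            parsed = parsedate_to_datetime(value.strip().decode("ascii"))
        except (TypeError, ValueError) as exc:
            raise ValueError(f"unparseable Date header: {value!r}") from exc
        if parsed.tzinfo is None:                 # obsolete forms come back naive
            parsed = parsed.replace(tzinfo=dt.timezone.utc)
        return parsed.timestamp()
    raise ValueError("response carries no Date header")


def offset_bounds(server_epoch: float, sent_at: float, received_at: float):
    """Bounds on (server clock - local clock), in seconds.

    The server stamped Date somewhere between our send (sent_at) and our
    receive (received_at), both read from the local clock, and the stamp
    has 1 s resolution, so the true server time lay in [Date, Date + 1 s).
    """
    if received_at < sent_at:
        raise ValueError("received_at precedes sent_at")
    low = server_epoch - received_at
    high = server_epoch + 1.0 - sent_at
    return low, high


def check_response(raw: bytes, sent_at: float, received_at: float,
                   tolerance: float = 300.0) -> dict:
    """Parse the response and decide whether the local clock is plausible.

    The clock passes if some offset inside the bound is within +/-tolerance;
    the bound's half-width (at least 0.5 s, plus half the RTT) is the best
    precision this method can ever deliver.
    """
    server_epoch = parse_http_date(raw)
    low, high = offset_bounds(server_epoch, sent_at, received_at)
    return {
        "server_epoch": server_epoch,
        "low": low,
        "high": high,
        "estimate": (low + high) / 2.0,
        "uncertainty": (high - low) / 2.0,
        "plausible": low <= tolerance and high >= -tolerance,
    }


if __name__ == "__main__":
    # Local clock roughly right: the offset bound straddles zero.
    ok = check_response(SAMPLE_RESPONSE, 1467712800.20, 1467712800.35)
    # Local clock at the epoch (dead RTC): the bound is ~1.47e9 s.
    bad = check_response(SAMPLE_RESPONSE, 0.0, 0.15)
    for label, r in (("sane clock", ok), ("dead RTC", bad)):
        print(f"{label}: offset {r['estimate']:+.3f} s "
              f"(+/- {r['uncertainty']:.3f} s), plausible={r['plausible']}")
```

Two things this makes concrete about the proposal. First, the uncertainty never drops below 0.5 s plus half the round trip, which is why the phk post cited later in the thread treats Date as a sanity check only, and why the code returns a bound and a plausibility verdict instead of calling the equivalent of date -s. Second, nothing here can tell whether the server's clock is correct, which is Lennart's objection to pointing clients at an arbitrary web server; a fallback like this only makes sense against a server run for the purpose and reached over TLS, and even then a grossly wrong local clock makes the certificate validity check fail first, so the fallback path has to handle that case deliberately.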


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-28 Thread Reindl Harald



On 28.06.2016 at 05:20, Kai Hendry wrote:
> On Mon, 27 Jun 2016, at 08:33 PM, Reindl Harald wrote:
>> normally service level agreements contain basic prerequisites and if they
>> are ignored the customers have to pay a penalty in case of support cases
>
> You live in a different world to me.

you are doing something wrong when other idiot admins with an "only 
80/443 syndrome" who don't realize that at least 53 and 123 are important 
ports for basic services become your problem

> Just going to follow up with a blog I found on the matter of “time over
> HTTPS”:
> http://phk.freebsd.dk/time/20151129.html
>
> Though he considers this method for sanity checking atm.
> https://twitter.com/bsdphk/status/747346942351544320
>
> So it doesn't really validate my proposal as an authoritative source.

because HTTP is simply the wrong protocol and when you try to understand 
how the NTP protocol works you will realize that too






Re: [systemd-devel] Time synchronization over HTTP?

2016-06-27 Thread Kai Hendry
On Mon, 27 Jun 2016, at 08:33 PM, Reindl Harald wrote:
> normally service level agreements contain basic prerequisites and if they 
> are ignored the customers have to pay a penalty in case of support cases

You live in a different world to me.



Just going to follow up with a blog I found on the matter of “time over
HTTPS”:
http://phk.freebsd.dk/time/20151129.html

Though he considers this method for sanity checking atm.
https://twitter.com/bsdphk/status/747346942351544320

So it doesn't really validate my proposal as an authoritative source.


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-27 Thread Reindl Harald



On 27.06.2016 at 08:30, Kai Hendry wrote:
> On Mon, 27 Jun 2016, at 01:03 PM, Mantas Mikulėnas wrote:
>> (I also have a strong dislike for network admins who cling to their "HTTP
>> only" firewall policies... I don't see why NTP is a 'lesser' protocol than
>> HTTP and DNS, both of which require either the respective ports or a local
>> proxy in order to work. Timesyncd already supports picking up local NTP
>> servers from DHCP, afaik.)
>
> I'm with you, and I've fought this problem for a while. But the typical
> confusing "connection untrusted" due to bad time customer support
> requests is costing me too much

no, your own doing wrong costs you too much

normally service level agreements contain basic prerequisites and if they 
are ignored the customers have to pay a penalty in case of support cases

it's not your job to work around idiot administrators, write an invoice 
to their management with a clear reason and they will start to learn 
their job or be gone - but don't fuck up default setups with by-design 
silly ideas like NTP over HTTP






Re: [systemd-devel] Time synchronization over HTTP?

2016-06-27 Thread Kai Hendry
On Mon, 27 Jun 2016, at 01:03 PM, Mantas Mikulėnas wrote:
> Who would host the sync server? Or would you just point it at a random
> site
> and hope its operators don't mind? It's already bad enough that systemd
> defaults to Google's private NTP servers, IMHO.

Reminds me of the "Am I on the Internet?" problem. Yeah, most people
default to google.com as that example does:
https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L21

> (I also have a strong dislike for network admins who cling to their "HTTP
> only" firewall policies... I don't see why NTP is a 'lesser' protocol
> than
> HTTP and DNS, both of which require either the respective ports or a
> local
> proxy in order to work. Timesyncd already supports picking up local NTP
> servers from DHCP, afaik.)

I'm with you, and I've fought this problem for a while. But the typical
confusing "connection untrusted" due to bad time customer support
requests is costing me too much.

Cheers,


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-27 Thread Kai Hendry
On Mon, 27 Jun 2016, at 10:42 AM, Reindl Harald wrote:
> are you aware that in case of many machines you should set up *one* ntpd 
> and have the other machines only access this internal host, to take away load 
> from pool.ntp.org, which would also solve the problem of accessing port 123 
> outside your network from all the other deployments?

Yes I am, but the administrators who deploy Webconverger don't do this
sadly.

I heard from someone that some routers do this automatically, but
anyway, it doesn't help me come up with a general solution.


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-26 Thread Mantas Mikulėnas
On Mon, Jun 27, 2016 at 5:34 AM, Kai Hendry  wrote:

> Hi there,
>
> I had a quick look at
> https://github.com/systemd/systemd/tree/master/src/timesync to try to work
> out if /usr/lib/systemd/systemd-timesyncd had some sort of fallback if
> ntp UDP port 123 traffic is blocked.
>
> This happens all too often with my deployments of Webconverger and I was
> wondering if asking for HTTP based time synchronization was a sane thing
> to ask for from systemd.
>
> An example implementation can be found here:
>
> https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L31


Who would host the sync server? Or would you just point it at a random site
and hope its operators don't mind? It's already bad enough that systemd
defaults to Google's private NTP servers, IMHO.

(I also have a strong dislike for network admins who cling to their "HTTP
only" firewall policies... I don't see why NTP is a 'lesser' protocol than
HTTP and DNS, both of which require either the respective ports or a local
proxy in order to work. Timesyncd already supports picking up local NTP
servers from DHCP, afaik.)

-- 
Mantas Mikulėnas 


[systemd-devel] Time synchronization over HTTP?

2016-06-26 Thread Kai Hendry
Hi there,

I had a quick look at
https://github.com/systemd/systemd/tree/master/src/timesync to try to work
out if /usr/lib/systemd/systemd-timesyncd had some sort of fallback if
ntp UDP port 123 traffic is blocked.

This happens all too often with my deployments of Webconverger and I was
wondering if asking for HTTP based time synchronization was a sane thing
to ask for from systemd.

An example implementation can be found here:
https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L31

Many thanks,


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-26 Thread Reindl Harald


On 27.06.2016 at 04:34, Kai Hendry wrote:
> I had a quick look at
> https://github.com/systemd/systemd/tree/master/src/timesync to try to work
> out if /usr/lib/systemd/systemd-timesyncd had some sort of fallback if
> ntp UDP port 123 traffic is blocked.
>
> This happens all too often with my deployments of Webconverger and I was
> wondering if asking for HTTP based time synchronization was a sane thing
> to ask for from systemd.
>
> An example implementation can be found here:
> https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L31

are you aware that in case of many machines you should set up *one* ntpd 
and have the other machines only access this internal host, to take away load 
from pool.ntp.org, which would also solve the problem of accessing port 123 
outside your network from all the other deployments?




