Re: [systemd-devel] Time synchronization over HTTP?
On Mon, 27.06.16 10:34, Kai Hendry (hen...@webconverger.com) wrote:

> Hi there,
>
> I had a quick look at
> https://github.com/systemd/systemd/tree/master/src/timesync to try work
> out if /usr/lib/systemd/systemd-timesyncd had some sort of fallback if
> ntp UDP port 123 traffic is blocked.
>
> This happens all too often with my deployments of Webconverger and I was
> wondering if asking for HTTP based time synchronization was a sane thing
> to ask for from systemd.
>
> An example implementation can be found here:
> https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L31

I figure having something like this makes some sense. There was a plan to add something like an http-based ping scheme to networkd, so that networkd can do captive portal detection natively, and at the same time acquire some useful data from the ping server, for example a suggested default timezone/language/location and so on, via some http request or so. NetworkManager, Firefox, and so on all implement that on their own these days, to limited degrees, and even ConnMan has been doing this for quite some time.

It's a bit of a privacy issue, as when this is enabled there's an instant ping to some central server attempted, but I still think for many setups having this makes a ton of sense.

I figure using this also as a crappy fallback if NTP doesn't work and hasn't worked in a while definitely makes sense.

I am not convinced however to reuse some HTTP server for this that isn't actually explicitly set up for this scheme, and thus is known to provide correct times. For example, making clients sync their clocks to www.google.com appears a questionable idea to me.

So yeah, I like the idea, but doing this properly is not trivial I figure, in particular if we want to take the privacy issue into account and provide at least a bit of anonymity for clients.

Lennart

--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
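An added example, not part of the thread and not systemd code: one way to use the Date header of an HTTP reply only as a coarse sanity check on the local clock, assuming a server explicitly set up for the purpose as the message above asks for. The function names, the two thresholds and the sample reply are assumptions constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(hours=1)    # assumption: beyond this the clock is "insane"
MAX_RTT = timedelta(seconds=5)   # assumption: slower replies are not trusted

# Constructed sample reply from a hypothetical dedicated time/ping server.
SAMPLE = (b"HTTP/1.1 204 No Content\r\n"
          b"Date: Mon, 27 Jun 2016 08:34:00 GMT\r\n"
          b"Content-Length: 0\r\n\r\n")

def http_date(raw: bytes) -> datetime:
    """Return the Date header of a raw HTTP response as an aware UTC datetime."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "date":
            stamp = parsedate_to_datetime(value.strip())
            if stamp.tzinfo is None:             # "-0000" parses as naive
                raise ValueError("Date header carries no usable zone")
            return stamp.astimezone(timezone.utc)
    raise ValueError("response has no Date header")

def offset_bounds(raw, sent, received):
    """Bound (server time - local time) from one request/response pair.

    The header has 1 s resolution and was stamped somewhere between the
    local readings `sent` and `received`, so the offset is only known to
    an interval of width RTT + 1 s.
    """
    stamp = http_date(raw)
    return stamp - received, stamp + timedelta(seconds=1) - sent

def check_clock(raw, sent, received):
    """Classify the local clock as 'ok', 'insane', 'uncertain' or 'unusable'."""
    rtt = received - sent
    if rtt < timedelta(0) or rtt > MAX_RTT:
        return "unusable", None
    lo, hi = offset_bounds(raw, sent, received)
    if -MAX_SKEW <= lo and hi <= MAX_SKEW:
        return "ok", (lo, hi)
    if lo > MAX_SKEW or hi < -MAX_SKEW:
        return "insane", (lo, hi)
    return "uncertain", (lo, hi)

if __name__ == "__main__":
    t0 = datetime(1970, 1, 1, 0, 0, 10, tzinfo=timezone.utc)  # clock reset to epoch
    print(check_clock(SAMPLE, t0, t0 + timedelta(milliseconds=200)))
```

The returned interval is never narrower than one second plus the round trip, which is why this suits a sanity check rather than a replacement for NTP.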
Re: [systemd-devel] Time synchronization over HTTP?
On 28.06.2016 at 05:20, Kai Hendry wrote:

> On Mon, 27 Jun 2016, at 08:33 PM, Reindl Harald wrote:
>> normally service level agreements contain basic prerequisites and if they
>> are ignored the customer has to pay a penalty in case of support cases
>
> You live in a different world to me.

you are doing something wrong when other idiot admins with a "only 80/443 syndrome" don't realize that at least 53 and 123 are important ports for basic services become your problem

> Just going to follow up with a blog I found on the matter of “time over HTTPS”:
> http://phk.freebsd.dk/time/20151129.html
>
> Though he considers this method for sanity checking atm.
> https://twitter.com/bsdphk/status/747346942351544320
>
> So it doesn't really validate my proposal as an authoritative source.

because HTTP is simply the wrong protocol and when you try to understand how the NTP protocol works you will realize that too
Re: [systemd-devel] Time synchronization over HTTP?
On Mon, 27 Jun 2016, at 08:33 PM, Reindl Harald wrote:

> normally service level agreements contain basic prerequisites and if they
> are ignored the customer has to pay a penalty in case of support cases

You live in a different world to me.

Just going to follow up with a blog I found on the matter of “time over HTTPS”:
http://phk.freebsd.dk/time/20151129.html

Though he considers this method for sanity checking atm.
https://twitter.com/bsdphk/status/747346942351544320

So it doesn't really validate my proposal as an authoritative source.
Re: [systemd-devel] Time synchronization over HTTP?
On 27.06.2016 at 08:30, Kai Hendry wrote:

> On Mon, 27 Jun 2016, at 01:03 PM, Mantas Mikulėnas wrote:
>> (I also have a strong dislike for network admins who cling to their "HTTP
>> only" firewall policies... I don't see why NTP is a 'lesser' protocol than
>> HTTP and DNS, both of which require either the respective ports or a local
>> proxy in order to work. Timesyncd already supports picking up local NTP
>> servers from DHCP, afaik.)
>
> I'm with you, and I've fought this problem for a while. But the typical
> confusing "connection untrusted" due to bad time customer support
> requests is costing me too much

no, your own doing wrong costs you too much

normally service level agreements contain basic prerequisites and if they are ignored the customer has to pay a penalty in case of support cases

it's not your job to work around idiot administrators, write an invoice to their management with a clear reason and they will start to learn their job or be gone - but don't fuckup default setups with by design silly ideas like NTP over HTTP
Re: [systemd-devel] Time synchronization over HTTP?
On Mon, 27 Jun 2016, at 01:03 PM, Mantas Mikulėnas wrote:

> Who would host the sync server? Or would you just point it at a random
> site and hope its operators don't mind? It's already bad enough that
> systemd defaults to Google's private NTP servers, IMHO.

Reminds me of the "Am I on the Internet?" problem. Yeah, most people default to google.com as that example does:
https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L21

> (I also have a strong dislike for network admins who cling to their "HTTP
> only" firewall policies... I don't see why NTP is a 'lesser' protocol
> than HTTP and DNS, both of which require either the respective ports or a
> local proxy in order to work. Timesyncd already supports picking up local
> NTP servers from DHCP, afaik.)

I'm with you, and I've fought this problem for a while. But the typical confusing "connection untrusted" due to bad time customer support requests is costing me too much.

Cheers,
Re: [systemd-devel] Time synchronization over HTTP?
On Mon, 27 Jun 2016, at 10:42 AM, Reindl Harald wrote:

> are you aware that in case of many machines you should set up *one* ntpd
> and the other machines only access this internal host to take away load
> from pool.ntp.org which would also solve the problem access port 123
> outside your network from all the other deployments?

Yes I am, but the administrators who deploy Webconverger don't do this sadly.

I heard from someone that some routers do this automatically, but anyway, it doesn't help me come up with a general solution.
Re: [systemd-devel] Time synchronization over HTTP?
On Mon, Jun 27, 2016 at 5:34 AM, Kai Hendry wrote:

> Hi there,
>
> I had a quick look at
> https://github.com/systemd/systemd/tree/master/src/timesync to try work
> out if /usr/lib/systemd/systemd-timesyncd had some sort of fallback if
> ntp UDP port 123 traffic is blocked.
>
> This happens all too often with my deployments of Webconverger and I was
> wondering if asking for HTTP based time synchronization was a sane thing
> to ask for from systemd.
>
> An example implementation can be found here:
>
> https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L31

Who would host the sync server? Or would you just point it at a random site and hope its operators don't mind? It's already bad enough that systemd defaults to Google's private NTP servers, IMHO.

(I also have a strong dislike for network admins who cling to their "HTTP only" firewall policies... I don't see why NTP is a 'lesser' protocol than HTTP and DNS, both of which require either the respective ports or a local proxy in order to work. Timesyncd already supports picking up local NTP servers from DHCP, afaik.)

--
Mantas Mikulėnas
[systemd-devel] Time synchronization over HTTP?
Hi there,

I had a quick look at https://github.com/systemd/systemd/tree/master/src/timesync to try work out if /usr/lib/systemd/systemd-timesyncd had some sort of fallback if ntp UDP port 123 traffic is blocked.

This happens all too often with my deployments of Webconverger and I was wondering if asking for HTTP based time synchronization was a sane thing to ask for from systemd.

An example implementation can be found here:
https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L31

Many thanks,
Re: [systemd-devel] Time synchronization over HTTP?
On 27.06.2016 at 04:34, Kai Hendry wrote:

> I had a quick look at
> https://github.com/systemd/systemd/tree/master/src/timesync to try work
> out if /usr/lib/systemd/systemd-timesyncd had some sort of fallback if
> ntp UDP port 123 traffic is blocked.
>
> This happens all too often with my deployments of Webconverger and I was
> wondering if asking for HTTP based time synchronization was a sane thing
> to ask for from systemd.
>
> An example implementation can be found here:
> https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L31

are you aware that in case of many machines you should set up *one* ntpd and the other machines only access this internal host to take away load from pool.ntp.org which would also solve the problem access port 123 outside your network from all the other deployments?