Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-28 Thread Derek Atkins
Hi Miroslav,

On Tue, January 28, 2025 2:35 am, Miroslav Lichvar wrote:
> On Mon, Jan 27, 2025 at 06:28:42PM -0500, Derek Atkins wrote:
>> I was able to get it working using NAT from a localhost address out to
>> the server.  I'm working on integrating that approach into the code.
>
> Note that in the case when both ports work this effectively doubles
> the weight of the single server in the source selection algorithm.
> If it was serving incorrect time and there were two other sources (4 IP
> addresses in total), chronyd would not be able to reject it and fail
> to synchronize.
>
> If you don't use any other sources, it shouldn't be a problem.

Thank you.  In my case, each client will /only/ be using my server(s). 
There may be multiple servers in place, but the client will always be
configured the same for each server. If one server is doubled, then ALL
servers will be doubled.  I think it is unlikely that the network will be
configured to double one server and not others -- either 123 is blocked to
all or not.

Glad to hear this doubling won't be an issue :)

Thank you all!

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


-- 
To unsubscribe email chrony-users-requ...@chrony.tuxfamily.org 
with "unsubscribe" in the subject.
For help email chrony-users-requ...@chrony.tuxfamily.org 
with "help" in the subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.



Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Miroslav Lichvar
On Mon, Jan 27, 2025 at 06:28:42PM -0500, Derek Atkins wrote:
> I was able to get it working using NAT from a localhost address out to the
> server.  I'm working on integrating that approach into the code.

Note that in the case when both ports work this effectively doubles
the weight of the single server in the source selection algorithm.
If it was serving incorrect time and there were two other sources (4 IP
addresses in total), chronyd would not be able to reject it and fail
to synchronize.

If you don't use any other sources, it shouldn't be a problem.

-- 
Miroslav Lichvar
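
The weighting effect described in this message, as an added example that is not part of the original post and is not chrony's code: a simplified interval-majority model of source selection. The offsets, error bounds and source names are constructed; the model only assumes that more than half of the sources must overlap before any are trusted.

```python
from typing import NamedTuple, Optional

class Source(NamedTuple):
    name: str
    offset: float    # measured clock offset, seconds
    distance: float  # half-width of the source's error interval, seconds

def select(sources: list[Source]) -> Optional[tuple[list[str], list[str]]]:
    """Return (truechimers, falsetickers), or None if no majority agrees."""
    # Endpoints of each interval; kind 0 = lower edge, 1 = upper edge, so
    # intervals that merely touch still count as overlapping after sorting.
    edges = sorted(
        [(s.offset - s.distance, 0) for s in sources]
        + [(s.offset + s.distance, 1) for s in sources]
    )
    depth = best = 0
    lo = hi = 0.0
    for i, (pos, kind) in enumerate(edges):
        if kind == 1:
            depth -= 1
            continue
        depth += 1
        if depth > best:
            # Deepest region so far starts here and ends at the next edge.
            best, lo, hi = depth, pos, edges[i + 1][0]
    # Simplified majority rule: more than half of the sources must overlap.
    if best <= len(sources) / 2:
        return None
    agree = [s.name for s in sources
             if s.offset - s.distance <= lo and s.offset + s.distance >= hi]
    reject = [s.name for s in sources if s.name not in agree]
    return agree, reject

# Constructed sample data: two honest servers and one serving time 5 s off.
GOOD = [Source("good-1", 0.001, 0.010), Source("good-2", -0.002, 0.010)]
BAD = Source("bad:123", 5.0, 0.010)
BAD_ALIAS = Source("bad:4123-via-nat", 5.0, 0.010)  # same server, second address

if __name__ == "__main__":
    print("listed once: ", select(GOOD + [BAD]))
    print("listed twice:", select(GOOD + [BAD, BAD_ALIAS]))
```

With three sources the bad server is outvoted two to one; with its NAT alias added the split is two against two, so the model returns None, which corresponds to the failure to synchronize described above.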





Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Derek Atkins
Hi all,

On Mon, January 27, 2025 6:22 pm, Dave Hart wrote:
> On Mon, Jan 27, 2025 at 5:41 PM  wrote:
[snip]

I was able to get it working using NAT from a localhost address out to the
server.  I'm working on integrating that approach into the code.

Thank you, all.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant





Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Dave Hart
On Mon, Jan 27, 2025 at 5:41 PM  wrote:

> On Mon, Jan 27, 2025 at 12:29:36PM -0500, Derek Atkins wrote:
>
> > While I am in control of the server, I am not in control of the
> > server IP Addresses, so I could not guarantee a 2nd address.
>
> If IPv6 is enabled, typically you have at least 2^64 addresses
> available.


I've seen subnets where SLAAC is not available, only single-IP DHCPv6.  One
could likely work around this with enough effort, of course.

Cheers,
Dave Hart


Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Robert Moskowitz

and Derek, as you know, it is MY fault!

AT&T STILL won't give me dedicated IPv6 addressing and the reverse ip6.arpa.

But they had the process for paying for a block of IPv4 addresses and it 
was hard, but we got the reverse ip.arpa set up.


So I am stuck, as so many others, in this world of IPv4 that I 
personally helped sustain


On 1/27/25 12:48, Derek Atkins wrote:
> Hi Ian,
>
> On Mon, January 27, 2025 12:41 pm, infection.many...@aceecat.org wrote:
>> On Mon, Jan 27, 2025 at 12:29:36PM -0500, Derek Atkins wrote:
>>
>>> While I am in control of the server, I am not in control of the
>>> server IP Addresses, so I could not guarantee a 2nd address.
>>
>> If IPv6 is enabled, typically you have at least 2^64 addresses
>> available.
>
> Alas, it's IPv4.
>
> Thanks,
>
> -derek







Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Derek Atkins
Hi Ian,

On Mon, January 27, 2025 12:41 pm, infection.many...@aceecat.org wrote:
> On Mon, Jan 27, 2025 at 12:29:36PM -0500, Derek Atkins wrote:
>
>> While I am in control of the server, I am not in control of the
>> server IP Addresses, so I could not guarantee a 2nd address.
>
> If IPv6 is enabled, typically you have at least 2^64 addresses
> available.

Alas, it's IPv4.

Thanks,

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant





Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Derek Atkins
Hi Rob,

On Mon, January 27, 2025 12:24 pm, Rob Janssen wrote:
> You could also consider using 2 IP addresses for the same server.
> When the server cannot really get 2 addresses, you could translate the
> second to the first in a NAT rule in the client device.

Thanks for the suggestion.
While I am in control of the server, I am not in control of the server IP
Addresses, so I could not guarantee a 2nd address.
As for using NAT locally; that is certainly an interesting idea.  I'd have
to think about that and how to number it properly (but automatically) so
as not to interfere with actual devices.

>
> Rob

-derek


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant





Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Rob Janssen
You could also consider using 2 IP addresses for the same server.
When the server cannot really get 2 addresses, you could translate the second
to the first in a NAT rule in the client device.

Rob





Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Derek Atkins
Hi,
Thank you for the rapid response.

On Mon, January 27, 2025 10:21 am, Miroslav Lichvar wrote:
> On Mon, Jan 27, 2025 at 07:55:48AM -0500, Derek Atkins wrote:
>> I have a configuration of
>> server a.b.c.d
>> server a.b.c.d port 4123
[snip]
>
> Each IP address can be used only once as a source. The first one wins.
> In the system log you should see an error message about duplicated
> address, at least with more recent chrony versions.
>
> The sources are identified by IP address, not IP address+port. It's a
> design limitation which cannot be easily fixed without incompatible
> changes in the management protocol as exposed by chronyc.

I was afraid of that.  I did eventually find the comment in ntp_sources.c
and, when exploring that code, it looked like a port number was not always
available when looking up a slot.

>> Alternatively, is there some test I can run to see if a port gets a
>> valid response?  Like "chronyd test a.b.c.d port 123" and use an
>> exit-code to determine if it got a response or not?
>
> chronyd -Q -t 1 "server $IP_ADDR port $PORT maxsamples 1"

Thanks for this.

I guess I'll have to change my auto-configuration process to use this.

Thanks!

>
> --
> Miroslav Lichvar

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant





Re: [chrony-users] Chrony Client Support for different ports to the same server?

2025-01-27 Thread Miroslav Lichvar
On Mon, Jan 27, 2025 at 07:55:48AM -0500, Derek Atkins wrote:
> I have a configuration of
> server a.b.c.d
> server a.b.c.d port 4123
> 
> However the second configuration is ignored and not used; I only see
> packets going out to port 123, not port 4123.  Is this a bug, or is there
> some way to get chrony to fallback if it does not receive responses on
> 123?

Each IP address can be used only once as a source. The first one wins.
In the system log you should see an error message about duplicated
address, at least with more recent chrony versions.

The sources are identified by IP address, not IP address+port. It's a
design limitation which cannot be easily fixed without incompatible
changes in the management protocol as exposed by chronyc.

> Alternatively, is there some test I can run to see if a port gets a valid
> response?  Like "chronyd test a.b.c.d port 123" and use an exit-code to
> determine if it got a response or not?

chronyd -Q -t 1 "server $IP_ADDR port $PORT maxsamples 1"

-- 
Miroslav Lichvar
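
One way to use the probe command above in an auto-configuration step, as an added example that is not part of the original post: it tries each port in order and returns a single `server` line for the first one that answers, so the same address is never configured twice. The function names, the port list default and the 10-second outer timeout are assumptions of this sketch; the address is validated before it is placed in the directive string so that untrusted input cannot append extra options.

```python
import ipaddress
import subprocess

def directive(ip: str, port: int) -> str:
    """Build the probe directive; reject input that is not a bare address and port."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for anything else
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port!r}")
    return f"server {addr} port {port} maxsamples 1"

def probe(ip: str, port: int, run=subprocess.run) -> bool:
    """True if chronyd -Q obtained a measurement from ip:port before its timeout."""
    cmd = ["chronyd", "-Q", "-t", "1", directive(ip, port)]
    try:
        done = run(cmd, stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL, timeout=10)
    except subprocess.TimeoutExpired:
        return False  # chronyd itself hung; treat as no response
    return done.returncode == 0

def choose_server_line(ip: str, ports=(123, 4123), run=subprocess.run):
    """Return one config line for the first responding port, or None."""
    for port in ports:
        if probe(ip, port, run):
            return f"server {ip} port {port}"
    return None

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used here as a placeholder.
    print(choose_server_line("192.0.2.10") or "no port responded")
```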

