Re: [Freeipa-users] Use of LOCAL clock in ntpd configuration

2013-02-18 Thread Martin Kosek
On 02/15/2013 07:23 PM, Chuck Lever wrote:
> ...
> (I also note that ipa-client-install does not disable chronyd, but I've
> only tried the client install script on Fedora 16).

Hello Chuck,

I would just like to comment that we address chronyd/ntpd in FreeIPA in Fedora
18. We do check if chronyd is already installed and when you do
ipa-server-install, we warn the user and disable it later so that we can deploy
the ntpd service.

When installing IPA on a client where chronyd is configured, we leave it
configured and do not deploy ntpd unless you use the --force-ntpd flag.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Use of LOCAL clock in ntpd configuration

2013-02-15 Thread Rob Crittenden

Chuck Lever wrote:
> Hi-
>
> First-time FreeIPA user here.
>
> I've installed FreeIPA on Fedora 18 and have some Fedora 16 IPA clients.
> ipa-server-install on Fedora 18 and ipa-client-install on Fedora 16 both
> add the following stanza to /etc/ntp.conf:
>
> server 127.127.1.0 # local clock
> fudge  127.127.1.0 stratum 10
>
> This sets up an additional time source based on the local system's hardware
> clock.
>
> According to http://www.ntp.org/ntpfaq/NTP-s-refclk.htm
>
> > The LCL is no reference clock in reality; instead it simply refers to the
> > system time on the current machine. Therefore it should never be used, except
> > when the system time is synchronized by some means not visible by xntpd.
>
> "synchronized by some means not visible by xntpd" means a GPS card or an atomic
> clock, hardware which most systems do not have available.  In my experience,
> including a local time source on typical PC hardware is a recipe for inaccurate
> timekeeping.  It can be especially problematic in a virtual environment.
>
> Including a local source might make sense for IPA servers, but only if the
> source is externally synchronized.  At first I thought maybe the ntp
> configurator script had found some evidence of external synchronization on my
> server hardware, but then the same stanza appeared on my IPA clients, both of
> which are VMware Fusion guests.

It was meant as a fallback. It may not make sense to have that anymore,
on either the client or the server. It is probably worth revisiting,
this was added in 2007-ish when the world was very different.

> As soon as the local clock source was added on my IPA server, its ntp clock
> offset was skewed by a second and a half from the network servers it was
> tracking, and it became worse until I removed the local source.
>
> It seems to me that adding a local source automatically is a bad idea.  Anyone
> know why the IPA installers add this source?

Some VMs don't play very nice with ntp. Things seem to be better lately.
Our documentation still recommends against configuring ntpd on VMs
(though this can introduce other issues b/c we still attempt to sync the
time against a non-existent time server during client enrollment).

> (I also note that ipa-client-install does not disable chronyd, but I've only
> tried the client install script on Fedora 16).

It will in the next release.

rob
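
An added example, not part of the thread and not FreeIPA's own code: a small audit that finds the LOCAL clock stanza discussed above in an ntp.conf and comments it out while leaving other sources, including real reference clocks, untouched. The function name, the sample hostname and the sample config are assumptions constructed for illustration.

```python
import re

# ntpd reference-clock pseudo-addresses have the form 127.127.<type>.<unit>;
# driver type 1 is the undisciplined local clock (LOCAL/LCL).
REFCLOCK = re.compile(r"^127\.127\.(\d+)\.(\d+)$")

def audit_ntp_conf(text):
    """Return (findings, cleaned_text) for an ntp.conf given as a string."""
    local, fudge, other_sources, out = {}, {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # ignore comments
        hit = False
        if len(fields) >= 2 and fields[0] in ("server", "peer", "pool", "fudge"):
            m = REFCLOCK.match(fields[1])
            if m and m.group(1) == "1":
                hit = True
                if fields[0] == "fudge":
                    # fudge options are key/value pairs, e.g. "stratum 10"
                    opts = dict(zip(fields[2::2], fields[3::2]))
                    fudge[fields[1]] = opts.get("stratum")
                else:
                    local[fields[1]] = lineno
            elif fields[0] != "fudge":
                other_sources.append(fields[1])
        out.append("#" + raw if hit else raw)   # comment out, never delete
    findings = [
        {"address": addr, "line": ln, "stratum": fudge.get(addr),
         "only_source": not other_sources}
        for addr, ln in local.items()
    ]
    return findings, "\n".join(out) + "\n"

# Constructed sample: the stanza from the thread plus placeholder sources.
SAMPLE = """\
server 0.pool.example.org iburst
server 127.127.20.0        # NMEA GPS refclock: driver type 20, not LOCAL
server 127.127.1.0 # local clock
fudge  127.127.1.0 stratum 10
"""

if __name__ == "__main__":
    found, cleaned = audit_ntp_conf(SAMPLE)
    for f in found:
        print("LOCAL clock %(address)s at line %(line)d, stratum %(stratum)s" % f)
    print(cleaned, end="")
```
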
