On 22.11.2016 13:06, Petr Spacek wrote:
On 22.11.2016 12:15, David Kupka wrote:
Hello everyone!
Is it worth to keep configuring NTP in FreeIPA?
In usual environment there're no special requirements for time synchronization
and the distribution default (be it ntpd, chrony or anything else) will just
work. Any tampering with the configuration can't make it any better.
In environment with special requirements (network disconnected from public
internet, nodes disconnected from topology for longer time, ...) time
synchronization must be taken care of accordingly by system administrator and
FreeIPA simply can't help here.
Also there are problems and weird behavior with the current FreeIPA installers:
* ipa-client-install replaces all servers in /etc/ntp.conf with the ones
specified by user or resolved from DNS. If none were provided nor resolved the
FreeIPA server specified/resolved during installation it used. This leads in
just single server in the configuration and no time synchronization when this
server is down/decommissioned.
* ipa-client-install replaces the NTP configuration. If there was any parts
previously edited by system administrator it's lost.
* ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
What's the point in doing that? These servers're already in the configuration
file installed with ntp package.
I have NTP-related WIP patches that solve some of the issues but in general I
would prefer to remove the whole thing together with documenting "Please make
sure that time on all FreeIPA servers and clients is synchronized. On most
distributions this was already done during system installation."
Can we mark NTP options deprecated in 4.5 and remove them and stop touching
any time syncing service in 4.6?
Considering that default config is just fine for normal cases, and given how
poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get
out of configuration management business.
+1
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
