Hi Giles:
 
Thanks for reporting back!
 
I think 1) and 3) are definitely valid points.  A question to you about 1) - did you manually set up ntp on the server?  Because if you let OSCAR do the configuration for you, it should work...  of course OSCAR cannot 'fix' changes you have made manually.
 
About 3), it looks like we need to take a closer look at the interaction between pfilter and ntp.
 
For 2), do you know if it is absolutely necessary to do this even after you have changed the pfilter settings (or turn it off)?  Just wondering.
 
Thanks!
 
Bernard


From: Giles Lesser [mailto:[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 16:49
To: Bernard Li; [email protected]
Subject: Re: [Oscar-users] RE: NTP fails to contact headnode

Hi Bernard

Thanks for your help with this. The problem is now solved, but I thought I would post what I found for others' benefit.

There were a number of problems that had to be solved:

1) As you suggested, the ntp.conf file on the headnode had to be modified to include the line
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
which gives the cluster nodes access to the ntpd on the headnode

2) The ntp.conf file on each of the comp. nodes had to be modified. For some reason that is unclear to me I had to remove the line restrict default ignore
to get the clients to contact the server on the headnode

3) The iptables rules established by pfilter would not allow ntpdate to run (ntpdate is called by "/etc/init.d/ntpd start" and requires additional ports to the basic ntp service). It is not clear to me why there should be a problem, as I thought that all communication was allowed over the internal NIC, but it seems that that is not the case (ntpdate from a comp. node works if I stop pfilter on the headnode, but doesn't if I start pfilter). I solved this by removing the /etc/ntp/step-tickers file on each of the comp. nodes. If this file doesn't exist then "/etc/init.d/ntpd start" doesn't try to use the ntpdate call.

I don't know why all this was necessary, as far as I am aware I just performed a perfectly standard Oscar install on RHEL 3 (WS). Hope this helps someone out there, I've learned a bit about ntp...

Thanks for your help.


Giles

My resulting /etc/ntp.conf files follow:


On the headnode...

[EMAIL PROTECTED] root]# cat /etc/ntp.conf
# Added by OSCAR package ntpconfig
 
# Prohibit general access to this service.
restrict default ignore
 
# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
 
 
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
 
 
# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
 
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
restrict 130.118.24.13 mask 255.255.255.255 nomodify notrap noquery
server 130.118.24.13
 
 
# --- NTP MULTICASTCLIENT ---
#multicastclient                        # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
 
 
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server  127.127.1.0 # local clock
fudge   127.127.1.0 stratum 10
 
#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
 
#
# Authentication delay.  If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
# authenticate yes
 
#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys


on each comp. node....

[EMAIL PROTECTED] root]# cat /etc/ntp.conf
# Prohibit general access to this service.
# restrict default ignore
 
# Added by OSCAR package ntpconfig
# but modified by GL June 24, 2005
 
# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
 
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
 
# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
 
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
restrict oscar_server mask 255.255.255.255 nomodify notrap noquery
server  oscar_server
 
 
# --- NTP MULTICASTCLIENT ---
#multicastclient                        # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
 
 
 
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10
 
#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
 
#
# Authentication delay.  If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
# authenticate yes
 
#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys






At 10:27 AM 6/24/2005, Bernard Li wrote:
Hey Giles:
 
Okay I was able to take a closer look at your headnode's ntp.conf:
 
# Added by OSCAR package ntpconfig
 
# Prohibit general access to this service.
restrict default ignore
restrict 213.84.14.16 mask 255.255.255.255 nomodify notrap noquery

Did you add in the second restrict line yourself?  My configuration looks like this:
 
# Added by OSCAR package ntpconfig
restrict 192.168.1.0 mask 255.255.255.0
 
Where 192.168.1.0 is my cluster subnet.
 
Perhaps you can try the modification and see if it goes?
 
Cheers,
 
Bernard
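
Added example (not part of the original thread, and not OSCAR or ntpd code): a small Python check of which `restrict` entry applies to a given client address, run against the headnode lines quoted above before and after the 192.168.1.0 line from step 1 was added. It assumes the most specific matching entry decides the flags, skips hostname entries such as `oscar_server`, and uses the constructed client address 192.168.1.10.

```python
import ipaddress

# Constructed from the headnode ntp.conf lines quoted in the thread.
BEFORE = (
    "restrict default ignore\n"
    "restrict 213.84.14.16 mask 255.255.255.255 nomodify notrap noquery\n"
)
# Same file plus the client-network line from step 1.
AFTER = BEFORE + "restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap\n"


def parse_restrict(conf):
    """Return [(network, flags)] for every active IPv4 'restrict' line."""
    rules = []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        if tok[1] == "default":
            addr, mask, flags = "0.0.0.0", "0", tok[2:]
        elif len(tok) > 3 and tok[2] == "mask":
            addr, mask, flags = tok[1], tok[3], tok[4:]
        else:  # bare address means a single host
            addr, mask, flags = tok[1], "255.255.255.255", tok[2:]
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # hostname entries would need DNS; skipped here
        rules.append((net, set(flags)))
    return rules


def flags_for(conf, source):
    """Flags of the most specific entry covering source, or None if no match."""
    ip = ipaddress.ip_address(source)
    hits = [r for r in parse_restrict(conf) if ip in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: r[0].prefixlen)[1]


def served(conf, source):
    """True unless the entry that applies to source carries 'ignore'."""
    flags = flags_for(conf, source)
    return flags is None or "ignore" not in flags


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, "192.168.1.10 served:", served(conf, "192.168.1.10"))
```

Note that from ntpd 4.2 onwards `notrust` denies packets that are not cryptographically authenticated, so the same client-network line behaves differently on newer versions than on the RHEL 3 install discussed here.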
