On Sun, Mar 12, 2017 at 10:24 PM, Drew White <drew.qu...@gmail.com> wrote:
> On Monday, 13 March 2017 12:36:55 UTC+11, Jean-Philippe Ouellet  wrote:
>> On Sun, Mar 12, 2017 at 9:19 PM, Drew White <drew.qu...@gmail.com> wrote:
>> > I want to set the NTP protocol to target the parent VM and on the NetVM or 
>> > Sys-Firewall have that as the NTP server that feeds everything under it.
>>
>> No, you don't want that.
>
> Why don't I want what I want?

For the reasons I already stated, and that you appear to already
understand. Only the ClockVM is intended to generate any NTP traffic
which leaves your machine.

The rest of the VMs are synchronized not via NTP, but via a qrexec
service. This works even when the VMs are not networked, whereas NTP
to a proxy NTP server in sys-net (or somewhere) would not.

>> > Thus only one VM calls the external source at a lesser interval to do the 
>> > requests.
>>
>> That is already how it works.
>
> Then why does EVERY GUEST call pool.ntp.org? (unless I change it in the 
> template for every VM)

That is not the behavior I observe on my system, confirmed by lack of
output from:

[user@sys-firewall ~]$ sudo tcpdump -ni eth0 'udp port ntp'

Have you changed every guest on your system to do that or something?

>> > How, in this system, do I perform this to get that to work please?
>>
>> Well, one would start by reading and understanding the relevant source:
>>
>> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qubes.SetDateTime
>> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qubes.SyncNtpClock
>> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/sync-ntp-clock
>
> I read all that, that's why I found out how to change it in the first place, 
> but every time I do something like add a NewGuest and install, with its 
> defaults to pool.ntp.org, it goes off and gets the NTP from an outside 
> source. (not very secure), so I have to keep changing it to be the local 
> server. I want to capture it all so only the NetVM performs that action.

I get the impression that maybe you are just changing config files of
services which are not running?

>> > The "ClockVM" does not seem to be operating the way I would have thought a 
>> > "ClockVM" would.
>>
>> Only the ClockVM uses NTP at all, and it sends the time back to
>> dom0. The rest of the VMs get their time set by dom0 via the
>> qubes.SetDateTime service.
>
> So the ClockVM ONLY interacts with Dom0. Fair enough. Then it would be a good 
> addition to allow it to update each Guest.

No. That would be a bad design for several reasons. Dom0 already does
this periodically. This is better than what I assume you suggest
(ClockVM directly invoking qubes.SetDateTime in each guest) because
the service invocations are implicitly rate-limited and contents
filtered by dom0. It is also not desired for the ClockVM to even
know which other VMs exist, let alone know which ones are running and
need their clock set.

>> There are many reasons for this, including eliminating redundant
>> network traffic, and the fact that it is desirable for time to be
>> correct in all VMs (including those intentionally without any network
>> access).
>
> redundant network traffic... so every 10 minutes PER GUEST, it contacts 
> pool.ntp.org and gets the time. That isn't redundant network traffic.

Again. I do not observe this. Have you verified with an unmodified template?

>> > Is there a bug in it?
>>
>> Let's see...
>>
>> https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20ntp
>> https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20clockvm
>>
>> doesn't look like it!
>
> Well, none that have been reported by anyone other than myself when asking 
> questions in the first place about it. But none opened a bug about it because 
> it's "not a bug" even though it is, (in my personal opinion) a very big bug 
> to have EVERY GUEST contact pool.ntp.org every 10 minutes. whether it's a 
> guest that's behind a proxy, or the proxy itself, or the net vm.

Things do not work as you claim they do.

> This is a security concern, and a big one at that.

Nope.

> for all unix types, the clock VM should contact the NTP server once every 6 
> hours (or on boot and then every 6 hours), and every guest should be updated 
> by that guest for time, unless set to otherwise update from elsewhere.

Where do you get this 6 hours figure from? Neither the RFC [1] nor the
pool recommendations [2] suggest this.

[1]: https://tools.ietf.org/html/rfc1305
[2]: http://www.pool.ntp.org/tos.html

> I have my own NTP server, and yet I install things, and I just want to 
> capture all NTP from everything behind the NetVM and make it all get the NTP 
> from the NetVM. Unless it's requesting to the designated Network NTP server.

So... perhaps by "I have my own NTP server" do you mean "I installed
and enabled an ntp client in my default template"? That might explain
some of your confusion.
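The tcpdump check above is the practical way to verify the claim that only the ClockVM emits NTP. The following script is an added example, not part of this thread or of Qubes OS: it parses tcpdump-style `udp port ntp` lines captured on sys-firewall and reports every source IP that sent an NTP client request other than the one expected to (the ClockVM). The capture lines and the 10.137.x.x addresses are constructed for the example, not real traffic.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -ni eth0 'udp port ntp'` output as seen on a
# firewall VM. Two client requests come from 10.137.2.7 (assumed to be the
# ClockVM) and one from 10.137.2.9 (a guest that should not be doing NTP).
SAMPLE_CAPTURE = """\
22:31:04.102311 IP 10.137.2.7.123 > 162.159.200.1.123: NTPv4, Client, length 48
22:31:04.143870 IP 162.159.200.1.123 > 10.137.2.7.123: NTPv4, Server, length 48
22:31:09.551207 IP 10.137.2.9.45812 > 91.189.89.198.123: NTPv4, Client, length 48
22:31:09.590020 IP 91.189.89.198.123 > 10.137.2.9.45812: NTPv4, Server, length 48
22:41:04.118455 IP 10.137.2.7.123 > 162.159.200.1.123: NTPv4, Client, length 48
"""

# Matches only outbound NTP *client* requests (destination port 123, mode
# "Client"); server replies are ignored so each request is counted once.
CLIENT_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.123: NTPv\d, Client"
)


def ntp_clients(capture_text):
    """Count NTP client requests per source IP in tcpdump text output."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = CLIENT_LINE.match(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def unexpected_ntp_sources(capture_text, allowed_sources):
    """Return {src: request_count} for NTP clients not in allowed_sources.

    An empty dict means the capture agrees with the Qubes design: only the
    ClockVM's address generates NTP traffic that leaves the machine.
    """
    return {
        src: n
        for src, n in ntp_clients(capture_text).items()
        if src not in allowed_sources
    }


if __name__ == "__main__":
    clockvm_ip = "10.137.2.7"  # assumed address of the ClockVM
    stray = unexpected_ntp_sources(SAMPLE_CAPTURE, {clockvm_ip})
    if stray:
        for src, n in sorted(stray.items()):
            print(f"unexpected NTP client {src}: {n} request(s)")
    else:
        print("only the ClockVM is sending NTP")
```

To use it on a live system, pipe a real capture into the script instead of the constructed sample; any source listed in the output is a VM with its own NTP client enabled, which is the situation the reply above suspects (an ntp client installed in the template) rather than the default Qubes behaviour.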
