On Monday, 13 March 2017 13:44:17 UTC+11, Jean-Philippe Ouellet  wrote:
> On Sun, Mar 12, 2017 at 10:24 PM, Drew White <drew.qu...@gmail.com> wrote:
> > On Monday, 13 March 2017 12:36:55 UTC+11, Jean-Philippe Ouellet  wrote:
> >> On Sun, Mar 12, 2017 at 9:19 PM, Drew White <drew.qu...@gmail.com> wrote:
> >> > I want to set the NTP protocol to target the parent VM and on the NetVM 
> >> > or Sys-Firewall have that as the NTP server that feeds everything under 
> >> > it.
> >>
> >> No, you don't want that.
> >
> > Why don't I want what I want?
> 
> For the reasons I already stated, and that you appear to already
> understand. Only the ClockVM is intended to generate any NTP traffic
> which leaves your machine.
> 
> The rest of the VMs are synchronized not via NTP, but via a qrexec
> service. This works even when the VMs are not networked, whereas NTP
> to a proxy NTP server in sys-net (or somewhere) would not.
 
Question: Why does it not work properly then?


> >> > Thus only one VM calls the external source at a lesser interval to do 
> >> > the requests.
> >>
> >> That is already how it works.
> >
> > Then why does EVERY GUEST call pool.ntp.org? (unless I change it in the 
> > template for every VM)
> 
> That is not the behavior I observe on my system, confirmed by lack of
> output from:
> 
> [user@sys-firewall ~]$ sudo tcpdump -ni eth0 'udp port ntp'
> 
> Have you changed every guest on your system to do that or something?
 
Nope, I altered the sync-ntp-clock file. I changed it from pool.ntp.org to the 
local server in each guest.

Then every guest I changed stopped trying to get the time via ntp from 
pool.ntp.org. 

Until I changed that in each guest, it kept doing it EVERY 10 MINUTES from 
EVERY Guest that was running.

So that was about 15 requests every 10 minutes. Sometimes more.

One request for every guest. 

Thus, it kept running /usr/sbin/ntpdate pool.ntp.org

Until I changed that, it was futile.

> >> > How, in this system, do I perform this to get that to work please?
> >>
> >> Well, one would start by reading and understanding the relevant source:
> >>
> >> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qubes.SetDateTime
> >> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qubes.SyncNtpClock
> >> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/sync-ntp-clock
> >
> > I read all that, that's why I found out how to change it in the first 
> > place, but every time I do something like add a NewGuest and install, with 
> > its defaults to pool.ntp.org, it goes off and gets the NTP from an outside 
> > source. (not very secure), so I have to keep changing it to be the local 
> > server. I want to capture it all so only the NetVM performs that action.
> 
> I get the impression that maybe you are just changing config files of
> services which are not running?
 
Actually, it all came back to sync-ntp-clock file, as I said in previous.

I looked for other config files first, and nothing changed no matter what I 
changed. The system wasn't getting the NTP from the server or the router, or 
discovering the NTP server on its own; I found it hard-coded there.


> >> > The "ClockVM" does not seem to be operating the way I would have thought 
> >> > a "ClockVM" would.
> >>
> >> Only the ClockVM uses NTP at all, and it sends the time back to
> >> dom0. The rest of the VMs get their time set by dom0 via
> >> qubes.SetDateTime service.
> >
> > So the ClockVM ONLY interacts with Dom0. Fair enough. Then it would be a 
> > good addition to allow it to update each Guest.
> 
> No. That would be a bad design for several reasons. Dom0 already does
> this periodically. This is better than what I assume you suggest
> (ClockVM directly invoking qubes.setDateTime in each guest) because
> the service invocations are implicitly rate-limited and contents
> filtered by dom0. It is also not desired for the ClockVM VM to even
> know which other VMs exist, let alone know which ones are running and
> need their clock set.
 
I was more thinking the ClockVM (CVM) gets the time, then Dom0 gets the time, 
then Dom0 updates everything, it would all be via Dom0, but the CVM gets the 
time initially, and if it has a difference in the NTP compared to the time set 
in the CVM it then proceeds to update each guests time without calling an 
external NTP server, and keeps it all inside the Guest regime.


> >> There are many reasons for this, including eliminating redundant
> >> network traffic, and the fact that it is desirable for time to be
> >> correct in all VMs (including those intentionally without any network
> >> access).
> >
> > redundant network traffic... so every 10 minute PER GUEST, it contacts 
> > pool.ntp.org and gets the time. That isn't redundant network traffic.
> 
> Again. I do not observe this. Have you verified with an unmodified template?
 
Yes, brand new installation.


> >> > Is there a bug in it?
> >>
> >> Lets see...
> >>
> >> https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20ntp
> >> https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20clockvm
> >>
> >> doesn't look like it!
> >
> > Well, none that have been reported by anyone other than myself when asking 
> > questions in the first place about it. But none opened a bug about it 
> > because it's "not a bug" even though it is, (in my personal opinion) a very 
> > big bug to have EVERY GUEST contact pool.ntp.org every 10 minutes. whether 
> > it's a guest that's behind a proxy, or the proxy itself, or the net vm.
> 
> Things do not work as you claim they do.
 
Well, we need to modify it so it does then?

> > This is a security concern, and a big one at that.
> 
> Nope.
> 
> > for all unix types, the clock VM should contact the NTP server once every 6 
> > hours (or on boot and then every 6 hours), and every guest should be 
> > updated by that guest for time, unless set to otherwise update from 
> > elsewhere.
> 
> Where do you get this 6 hours figure from? Neither the RFC [1] or the
> pool recommendations [2] suggest this.
> 
> [1]: https://tools.ietf.org/html/rfc1305
> [2]: http://www.pool.ntp.org/tos.html
> 
> > I have my own NTP server, and yet I install things, and I just want to 
> > capture all NTP from everything behind the NetVM and make it all get the 
> > NTP from the NetVM. Unless it's requesting to the designated Network NTP 
> > server.
> 
> So... perhaps by "I have my own NTP server" do you mean "I installed
> and enabled an ntp client in my default template"? That might explain
> some of your confusion.

No, NTP server, not on this PC, on the actual physical network.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4dc39c9f-c1c4-4144-8905-1248619c5791%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
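The disagreement in this thread comes down to a single measurable question: which VMs actually emit NTP client packets, and how often? Jean-Philippe's suggested check is `sudo tcpdump -ni eth0 'udp port ntp'` in sys-firewall, where a correctly configured Qubes system should show nothing, because only the ClockVM (normally sys-net, upstream of sys-firewall) talks NTP. The script below is an added example, not code from the thread or from Qubes OS: it parses the one-line-per-packet output that tcpdump produces with those flags, groups outbound `Client` requests by source IP, estimates each source's polling interval, and flags any source not on an allow-list. The sample capture is constructed, the 10.137.x.x addresses are placeholders for Qubes internal VM addresses, and the `allowed` parameter is this example's own convention (empty for a sys-firewall capture; the ClockVM's address if you capture on the sys-net side instead).

```python
"""Which VMs are sending NTP client requests, and how often?

Input format is the default output of:  sudo tcpdump -ni eth0 'udp port ntp'
Added example for the qubes-users thread above; not part of Qubes OS.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample capture (not a real trace). Two sources are polling:
# 10.137.1.6 every 10 minutes, 10.137.2.14 less regularly. Server replies
# are included so the parser has to ignore them.
SAMPLE_TCPDUMP = """\
10:00:00.101 IP 10.137.1.6.39311 > 162.159.200.1.123: NTPv4, Client, length 48
10:00:00.145 IP 162.159.200.1.123 > 10.137.1.6.39311: NTPv4, Server, length 48
10:10:00.102 IP 10.137.1.6.44002 > 162.159.200.123.123: NTPv4, Client, length 48
10:10:00.140 IP 162.159.200.123.123 > 10.137.1.6.44002: NTPv4, Server, length 48
10:10:03.500 IP 10.137.2.14.123 > 162.159.200.1.123: NTPv4, Client, length 48
10:20:00.099 IP 10.137.1.6.51020 > 162.159.200.1.123: NTPv4, Client, length 48
10:20:02.700 IP 10.137.2.14.123 > 162.159.200.123.123: NTPv4, Client, length 48
"""

# Default tcpdump line: "HH:MM:SS.frac IP src.sport > dst.dport: NTPvN, Mode, length L".
# Without -tttt there is no date, so a capture spanning midnight will wrap.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), (?P<mode>Client|Server|Symmetric Active|Broadcast)"
)


def parse_ntp_lines(text):
    """Yield (timestamp, src, dst, mode) for every line that is an NTP packet."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:           # tcpdump banner, truncated line, non-NTP noise
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        yield ts, m["src"], m["dst"], m["mode"]


def ntp_clients(text):
    """Map source IP -> sorted list of timestamps of its outbound NTP requests.

    Only mode 'Client' counts: server replies come back from the pool and
    must not be mistaken for a VM polling.
    """
    by_src = defaultdict(list)
    for ts, src, _dst, mode in parse_ntp_lines(text):
        if mode == "Client":
            by_src[src].append(ts)
    return {src: sorted(stamps) for src, stamps in by_src.items()}


def poll_interval_seconds(timestamps):
    """Median gap between consecutive requests, or None with fewer than two."""
    if len(timestamps) < 2:
        return None
    gaps = sorted((b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:]))
    return gaps[len(gaps) // 2]


def unexpected_clients(text, allowed=frozenset()):
    """Sources sending NTP requests that are not in `allowed`.

    On a sys-firewall capture `allowed` should be empty: nothing downstream of
    it is supposed to speak NTP. On a sys-net capture, pass the ClockVM's own
    address so its legitimate polling is not reported.
    """
    return {src: ts for src, ts in ntp_clients(text).items() if src not in allowed}


def report(text, allowed=frozenset()):
    """Human-readable summary, one line per offending source."""
    lines = []
    for src, stamps in sorted(unexpected_clients(text, allowed).items()):
        interval = poll_interval_seconds(stamps)
        every = f"every ~{interval:.0f}s" if interval is not None else "once"
        lines.append(f"{src}: {len(stamps)} NTP request(s), {every}")
    return lines or ["no unexpected NTP clients seen"]


if __name__ == "__main__":
    # Usage: sudo tcpdump -lni eth0 'udp port ntp' | python3 ntp_clients.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    print("\n".join(report(data)))
```

A report that lists anything on a sys-firewall capture means some VM downstream of it is running its own NTP client (an `ntpd`/`chronyd`/`ntpdate` timer in the template, for instance), which is exactly the situation the two posters are arguing about; the per-source interval is what tells you whether it is a stock daemon's poll rate or something scheduled every 10 minutes.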