Re: State of the microserver HOWTO

2016-06-08 Thread Gary E. Miller
Yo Eric!

On Wed, 8 Jun 2016 06:53:08 -0400
"Eric S. Raymond"  wrote:

> Gary E. Miller :
> > Same as the last one, but, see below.  
> 
> Nice.  The comments have graduated from "cruel tease" to "pretty
> informative". One hopes I shall not have to badger you quite as
> persistently to bring about this result next time.

It's the only way I know you read them.  :-)

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588


___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel

Re: State of the microserver HOWTO

2016-06-08 Thread Gary E. Miller
Yo Frank!

On Wed, 8 Jun 2016 09:54:54 -0400
Frank Nicholas  wrote:

> > On Jun 7, 2016, at 8:34 PM, Gary E. Miller  wrote:
> > 
> > Yo Hal!
> > 
> > I agree with Hal, my descriptions are a bit long and picky for
> > the newbie howto.  Get that done, then these issues will get
> > addressed in due time.  
> 
> Please don’t remove the detail on the existing conf you are throwing
> around - the details are valuable and some might make use of them
> (me).  

I did not remove anything, I coded that from a blank file.  :-)
 
> However, this config might be too “fancy” for a newbie how to.  If
> some think the recommended config should be simpler, maybe keep this
> good, “fancy”, detailed config as an example for what’s possible if
> people want to dig deeper.

Yup, agreed.  I never intended this to replace the basic ntp.conf.

OTOH, some things, like the pool comments, should be in the basic
config.  Giving people in the USA a default config that sends them to
pool servers on the other side of the planet is a bad thing.

Yes, I know the doc says otherwise, but I just tested the pool and it
gave me a chimer in Switzerland, Germany, Czech Republic and one in New
Jersey.

No wonder the pool has a bad rep.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588



Re: State of the microserver HOWTO

2016-06-08 Thread Frank Nicholas

> On Jun 7, 2016, at 8:34 PM, Gary E. Miller  wrote:
> 
> Yo Hal!
> 
> I agree with Hal, my descriptions are a bit long and picky for
> the newbie howto.  Get that done, then these issues will get addressed
> in due time.

Please don’t remove the detail on the existing conf you are throwing around - 
the details are valuable and some might make use of them (me).  

However, this config might be too “fancy” for a newbie how to.  If some think 
the recommended config should be simpler, maybe keep this good, “fancy”, 
detailed config as an example for what’s possible if people want to dig deeper.

Thanks,
Frank

Re: State of the microserver HOWTO

2016-06-08 Thread Frank Nicholas

> On Jun 7, 2016, at 5:52 PM, Gary E. Miller  wrote:
> 
> But remember, Eric asked for MY config, not what I think others should be
> using.  I would hope we get a collection of slightly different ntp.conf
> that are optimized for different purposes, or levels of paranoia.

I interpreted Eric’s request as being for a complete configuration file, that he 
could simply include as an example.  I thought he did not want to do any editing 
to the configuration files offered.

That’s why I made my suggestions.  Eric will have to clarify the intention of 
his request.

Thanks,
Frank

Re: State of the microserver HOWTO

2016-06-08 Thread Eric S. Raymond
Gary E. Miller :
> Same as the last one, but, see below.

Nice.  The comments have graduated from "cruel tease" to "pretty informative".
One hopes I shall not have to badger you quite as persistently to bring
about this result next time.
-- 
Eric S. Raymond (http://www.catb.org/~esr/)



Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Hal!

I agree with Hal, my descriptions are a bit long and picky for
the newbie howto.  Get that done, then these issues will get addressed
in due time.

On Tue, 07 Jun 2016 17:21:50 -0700
Hal Murray  wrote:

> e...@thyrsus.com said:
> > My plan was to encourage you to elaborate - *and explain* - your
> > favorite odd features for your local config, then work with you to
> > prune it back to something we might ship.   
> 
> You are letting Gary suck you down ratholes.
> 
> I think you need to think hard about what your goals are and make
> sure they are correctly and fully described in the first paragraph to
> two.
> 
> That will help the rest of us provide appropriate feedback.
> 
> Are you trying to setup a good-enough server that requires minimal
> knowledge and minimal care?  (Even that requires some sysadmin
> attention to track updates.  That should probably be included on the
> security area.)
> 
> Are you trying to setup a server appropriate for the pool?
> 
> Are you trying to setup a server for geeks to play with?  (lots of
> logging and stats)
> 
> 
> What level of geeky detail do you want to discuss?  The ARP timeout
> is a good example.
> 




RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588



Re: State of the microserver HOWTO

2016-06-07 Thread Hal Murray

e...@thyrsus.com said:
> My plan was to encourage you to elaborate - *and explain* - your favorite
> odd features for your local config, then work with you to prune it back to
> something we might ship. 

You are letting Gary suck you down ratholes.

I think you need to think hard about what your goals are and make sure they 
are correctly and fully described in the first paragraph to two.

That will help the rest of us provide appropriate feedback.

Are you trying to setup a good-enough server that requires minimal knowledge 
and minimal care?  (Even that requires some sysadmin attention to track 
updates.  That should probably be included on the security area.)

Are you trying to setup a server appropriate for the pool?

Are you trying to setup a server for geeks to play with?  (lots of logging 
and stats)


What level of geeky detail do you want to discuss?  The ARP timeout is a good 
example.

-- 
These are my opinions.  I hate spam.





Re: State of the microserver HOWTO

2016-06-07 Thread Mike

On 06/07/2016 07:39 PM, Hal Murray wrote:

> bellyac...@gmail.com said:
> > Thanks for that.  Is that documented somewhere that I've missed or
> > overlooked?  Or is this buried in the code somewhere that will be harder
> > for someone such as myself to understand, figure out?
>
> I didn't find it in the documentation.  It's in the code: write_stats in
> ntpd/ntp_util.c

Okay, I'll see if I can understand anything there.  It's likely way 
above me...


Mike


Re: State of the microserver HOWTO

2016-06-07 Thread Hal Murray

bellyac...@gmail.com said:
> Thanks for that.  Is that documented somewhere that I've missed or
> overlooked?  Or is this buried in the code somewhere that will be harder
> for someone such as myself to understand, figure out? 

I didn't find it in the documentation.  It's in the code: write_stats in 
ntpd/ntp_util.c


-- 
These are my opinions.  I hate spam.





Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Eric!

On Tue, 7 Jun 2016 18:48:42 -0400
"Eric S. Raymond"  wrote:

> > > My plan was to encourage you to elaborate - *and explain* - your
> > > favorite odd features for your local config, then work with you to
> > > prune it back to something we might ship.  
> > 
> > Howz it look now?  
> 
> When asking that question, it is always a good idea to enclose a
> copy. ;-)

Same as the last one, but, see below.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588


# My RasPi 2/Adafruit HAT config.
# contributor: Gary E. Miller 

Re: State of the microserver HOWTO

2016-06-07 Thread Mike

On 06/07/2016 07:02 PM, Hal Murray wrote:

> bellyac...@gmail.com said:
> > things have stabilized.  The something on the order of once an hour or  so
> > from there on out.
> > Have I misunderstood that?
>
> I think that's right, but there is another layer that suppresses writes if
> drift hasn't changed much.  The idea is to reduce wear on flash systems.



Hal,

Thanks for that.  Is that documented somewhere that I've missed or 
overlooked?  Or is this buried in the code somewhere that will be harder 
for someone such as myself to understand, figure out?


Mike



Re: State of the microserver HOWTO

2016-06-07 Thread Hal Murray

bellyac...@gmail.com said:
> things have stabilized.  The something on the order of once an hour or  so
> from there on out.

> Have I misunderstood that? 

I think that's right, but there is another layer that suppresses writes if 
drift hasn't changed much.  The idea is to reduce wear on flash systems.


-- 
These are my opinions.  I hate spam.





Re: State of the microserver HOWTO

2016-06-07 Thread Eric S. Raymond
Gary E. Miller :
> On Tue, 7 Jun 2016 18:37:02 -0400
> "Eric S. Raymond"  wrote:
> 
> > Gary E. Miller :
> > > But remember, Eric asked for MY config, not what I think others
> > > should be using.  I would hope we get a collection of slightly
> > > different ntp.conf that are optimized for different purposes, or
> > > levels of paranoia.  
> > 
> > We've had a slight miscommunication.  I'm soliciting potential
> > replacements for the ntp.conf shipped with the Microserver HOWTO.
> 
> Well then, I prefer my interpretation.
> 
> I would like to keep the comments on ARP, and local nets, but that
> is too advanced for the basic howto.  Maybe appendix?

Quite likely.

> > My plan was to encourage you to elaborate - *and explain* - your
> > favorite odd features for your local config, then work with you to
> > prune it back to something we might ship.
> 
> Howz it look now?

When asking that question, it is always a good idea to enclose a copy. ;-)
-- 
Eric S. Raymond (http://www.catb.org/~esr/)



Re: State of the microserver HOWTO

2016-06-07 Thread Hal Murray

bellyac...@gmail.com said:
> The logfile set to /var/log/ntpd.log is root:root.  I'm not getting  errors
> there, gathering that it was opened before privileges were dropped. 

I think that will break if/when we fix ntpd to cooperate with logrotate or 
newsyslog.

The stats files roll over occasionally.  (I use daily.)  So those will break 
if you wait until midnight (UTC).


-- 
These are my opinions.  I hate spam.





Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Mike!

On Tue, 7 Jun 2016 18:35:13 -0400
Mike  wrote:

> > I opened a bug:
> >
> > https://gitlab.com/NTPsec/ntpsec/issues/76
> >  
> Gary,
> 
> I'm not seeing that once I set the ownership to nobody.
> 
> mike@3142:/var/lib/ntp $ ls -al
> total 12
> drwxr-xr-x  2 nobody root4096 Jun  7 18:13 .
> drwxr-xr-x 31 root   root4096 Jun  4 22:51 ..
> -rw---  1 nobody nogroup8 Jun  7 18:13 ntp.drift

Ugh.  ntpd should run as user ntp, not nobody.  The trend used to
be to have all daemons run as nobody, but then one corrupted daemon
running as nobody could control all the other daemons running as nobody.

If the howto says to run as nobody it is bad.

> mike@3142:/var/lib/ntp $
> 
> mike@3142:/var/lib/ntp $ ntpq --version
> ntpd 0.9.4-44652aa Jun  5 2016 02:26:08
> 
> Ntpd writes the drift file and no errors are logged.

Hal says the driftfile is not written on shutdown, so my tests
are not valid.  Or they point to a different sort of bug...

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588
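
The file-permission points raised in this thread (a drift file directory and stats directory that the run-as account must be able to write, a log file opened before privileges are dropped, and the shared `nobody` account), as an added example that is not part of any post here or of NTPsec. The function names, the sample filesystem table and the numeric ids are constructed for illustration, and only classic Unix mode bits are checked.

```python
import os
import pwd
import stat
from types import SimpleNamespace

# Constructed sample: the three path directives discussed in the thread.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
logfile /var/log/ntpd.log
"""

# Constructed stand-in for a filesystem: a root-owned 0755 drift directory,
# a root:root log file, and no stats directory at all.
SAMPLE_FS = {
    "/var/lib/ntp": SimpleNamespace(st_mode=0o040755, st_uid=0, st_gid=0),
    "/var/log/ntpd.log": SimpleNamespace(st_mode=0o100644, st_uid=0, st_gid=0),
}


def sample_stat(path):
    """os.stat() replacement that reads SAMPLE_FS (for the offline demo)."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]


def lookup_ids(user):
    """Return (uid, set of gids) of a real account, for use with os.stat."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))


def may_write(st, uid, gids, is_dir):
    """Classic Unix mode-bit check (ignores ACLs and capabilities)."""
    if uid == 0:
        return True
    # A directory needs write and search (x) to create or rename entries.
    need = stat.S_IWUSR | (stat.S_IXUSR if is_dir else 0)
    if st.st_uid == uid:
        shift = 0          # owner bits
    elif st.st_gid in gids:
        shift = 3          # group bits
    else:
        shift = 6          # other bits
    need >>= shift
    return (st.st_mode & need) == need


def audit(conf_text, user, uid, gids, stat_fn=os.stat):
    """Return (directive, path, problem) tuples for the run-as account."""
    findings = []
    if user == "nobody":
        # The point made in the thread: daemons sharing 'nobody' share fate.
        findings.append(("user", user, "shared account"))
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        directive, path = words[0], words[1]
        if directive == "driftfile":
            # ntpd replaces the drift file via a temporary file in the same
            # directory, so the directory is what must be writable.
            target, is_dir = os.path.dirname(path) or ".", True
        elif directive == "statsdir":
            # Stats files roll over, so new files get created after the drop.
            target, is_dir = path.rstrip("/") or "/", True
        elif directive == "logfile":
            # Opened before the privilege drop; a later reopen needs access.
            target, is_dir = path, False
        else:
            continue
        try:
            st = stat_fn(target)
        except OSError:
            findings.append((directive, target, "missing"))
            continue
        if not may_write(st, uid, gids, is_dir):
            findings.append((directive, target, "not writable"))
    return findings


if __name__ == "__main__":
    # 65534 is a constructed uid/gid for 'nobody'; use lookup_ids() and the
    # default stat_fn to audit a real host.
    for finding in audit(SAMPLE_CONF, "nobody", 65534, {65534}, sample_stat):
        print(finding)
```
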



Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Hal!

On Tue, 07 Jun 2016 15:24:36 -0700
Hal Murray  wrote:

> > I made it nobody, mod 777, and still no luck  
> 
> I'm not sure what "no luck" means.

# ls -l /var/lib/ntp/
total 0


> It doesn't get written at shutdown.

Well, that would be dumb not to.  It also means my tests of the
parameter are not valid...

>  I think ntp-classic used to do
> that a long time ago.  I remember some comments about fixing it.  I
> don't remember the reasoning.

Chronyd uses the date stamp on the driftfile as a check against bad
RTC on startup.  Chrony also puts the error bounds in the driftfile.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588



Re: State of the microserver HOWTO

2016-06-07 Thread Mike

On 06/07/2016 04:47 PM, Gary E. Miller wrote:

> Yo Mike!
>
> On Tue, 7 Jun 2016 16:27:45 -0400
> Mike  wrote:
>
> > If you do ship the one supplied now I just found one thing that will
> > need a fix.
> >
> > # Drift file etc.
> > driftfile /var/lib/ntp/ntp.drift
> >
> > Ntpd is running as user nobody, who can't write to that directory.
>
> Gack, confirmed.  And it is worse.  I made that directory owned
> by nobody, mode 755.  Same problem.  Then I tried mode 777, same
> problem.
>
> There was an error in the logs from when the directory did not exist.
>
> That would explain some of my startup glitching.
>
> I opened a bug:
>
> https://gitlab.com/NTPsec/ntpsec/issues/76


Gary,

I'm not seeing that once I set the ownership to nobody.

mike@3142:/var/lib/ntp $ ls -al
total 12
drwxr-xr-x  2 nobody root4096 Jun  7 18:13 .
drwxr-xr-x 31 root   root4096 Jun  4 22:51 ..
-rw---  1 nobody nogroup8 Jun  7 18:13 ntp.drift
mike@3142:/var/lib/ntp $

mike@3142:/var/lib/ntp $ ntpq --version
ntpd 0.9.4-44652aa Jun  5 2016 02:26:08

Ntpd writes the drift file and no errors are logged.

Mike


Re: State of the microserver HOWTO

2016-06-07 Thread Mike

On 06/07/2016 05:57 PM, Hal Murray wrote:

> > Ntpd is running as user nobody, who can't write to that directory.
>
> Hopefully that is user ntp rather than nobody.
>
> The file permissions need to be setup for log files as well as the drift file.

The HOWTO sets up ntpd to run as nobody:nogroup.

The logfile set to /var/log/ntpd.log is root:root.  I'm not getting 
errors there, gathering that it was opened before privileges were dropped.


Mike



Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Hal!

On Tue, 07 Jun 2016 14:57:37 -0700
Hal Murray  wrote:

> > Ntpd is running as user nobody, who can't write to that
> > directory.  
> 
> Hopefully that is user ntp rather than nobody.

I made it nobody, mod 777, and still no luck

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588



Re: State of the microserver HOWTO

2016-06-07 Thread Hal Murray
> Ntpd is running as user nobody, who can't write to that directory.

Hopefully that is user ntp rather than nobody.

The file permissions need to be setup for log files as well as the drift file.


-- 
These are my opinions.  I hate spam.





Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Frank!

Good input, new ntp.conf below.

On Tue, 7 Jun 2016 17:04:21 -0400
Frank Nicholas  wrote:

> > On Jun 7, 2016, at 4:52 PM, Gary E. Miller  wrote:
> > 
> > peer 204.17.205.1 maxpoll 5 # catbert
> > peer 204.17.205.17 maxpoll 5 # pi2
> > #peer 204.17.205.23 maxpoll 5 # pi3
> > peer 204.17.205.27 maxpoll 5 # kong
> > peer 204.17.205.30 maxpoll 5
> > peer [2001:470:e815::8] maxpoll 5 # spider  
> 
> You are using IP addresses, instead of names resolved by DNS.

I never use DNS in the ntp.conf file.  Well, maybe in the case
I try out the pool.  Since I use DNSSEC on my DNS, there is sort of
a chicken and egg problem.

> This
> might confuse some.

Clearly, the second complaint today on this list.

I really want to include some local peers to demonstrate the ARP
issue.

>  Maybe either explain the logic or change the
> conf file to use DNS resolved names.  Most of the How To users will
> not/should not be using IP addresses - they won’t know what ones to
> use or why and won’t have other “local” sources to use.

I just added a section on the pool.

But remember, Eric asked for MY config, not what I think others should be
using.  I would hope we get a collection of slightly different ntp.conf
that are optimized for different purposes, or levels of paranoia.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

# My RasPi 2/Adafruit HAT config.
# contributor: Gary E. Miller 

Re: State of the microserver HOWTO

2016-06-07 Thread Frank Nicholas

> On Jun 7, 2016, at 4:52 PM, Gary E. Miller  wrote:
> 
> peer 204.17.205.1 maxpoll 5 # catbert
> peer 204.17.205.17 maxpoll 5 # pi2
> #peer 204.17.205.23 maxpoll 5 # pi3
> peer 204.17.205.27 maxpoll 5 # kong
> peer 204.17.205.30 maxpoll 5
> peer [2001:470:e815::8] maxpoll 5 # spider

You are using IP addresses, instead of names resolved by DNS.  This might 
confuse some.  Maybe either explain the logic or change the conf file to use 
DNS resolved names.  Most of the How To users will not/should not be using IP 
addresses - they won’t know what ones to use or why and won’t have other 
“local” sources to use.

Thanks,
Frank

Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Eric!

A small adjustment to my ntp.conf.

I added the issue number for the startup glitch.

Comments welcome.


RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588


# My RasPi 2/Adafruit HAT config.
# contributor: Gary E. Miller 

Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Mike!

On Tue, 7 Jun 2016 16:27:45 -0400
Mike  wrote:

> If you do ship the one supplied now I just found one thing that will 
> need a fix.
> 
> # Drift file etc.
> driftfile /var/lib/ntp/ntp.drift
> 
> Ntpd is running as user nobody, who can't write to that directory.

Gack, confirmed.  And it is worse.  I made that directory owned
by nobody, mode 755.  Same problem.  Then I tried mode 777, same
problem.

There was an error in the logs from when the directory did not exist.

That would explain some of my startup glitching.

I opened a bug:

https://gitlab.com/NTPsec/ntpsec/issues/76

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588



Re: State of the microserver HOWTO

2016-06-07 Thread Mike

On 06/06/2016 07:27 PM, Eric S. Raymond wrote:

> Please send me configurations.  This is a last blocker on releasing
> version 1.0 of the HOWTO and I don't want to wait too long. If I don't
> get a suitable replacement in a reasonable time I will shrug and ship
> the flawed one.  If nobody cared enough to correct it, it can't be bad
> enough not to ship.

If you do ship the one supplied now I just found one thing that will 
need a fix.

# Drift file etc.
driftfile /var/lib/ntp/ntp.drift

Ntpd is running as user nobody, who can't write to that directory.

Mike



Re: State of the microserver HOWTO

2016-06-07 Thread Gary E. Miller
Yo Achim!

On Tue, 07 Jun 2016 21:13:56 +0200
Achim Gratz  wrote:

> Gary E. Miller writes:
> > "On startup ntpd will take the first time it gets to set the system
> > clock. If this first time is an imprecise clock, say derived from
> > NMEA, then ntpd may take days to restabilize.
> >
> > The first time ntpd acquires will tend to be the ones higher up in
> > the file with the lowest maxpoll.
> >
> > So to work around this ntpd glitch put your best time sources high
> > in the ntp.conf file, with your shortest maxpoll and your worst one
> > at the bottom with higher maxpolls."  
> 
> This is quite likely wishful thinking.

Nope, and I've got the data to prove it.

>  Provided that DNS is working
> as it should,

I never use DNS in my ntp.conf files.  Too many problems.

> all servers get mobilized essentially at the same time
> (you can check the logs in which order they get contacted)

Yup, done that.  The ones higher in the ntp.conf file, and the ones
with the smaller maxpoll tend to get called sooner than the rest.

Not always, but usually.

> and the
> first one to actually pass the quality filters is the one that sets
> the time.

Or rather, some small subset of the quality filters.  It does not
appear the full clustering/grouping thing is done before selecting 
the one winner.

> I don't know about GPS, but with DCF77 all network clocks
> have stabilized before I get the first reading from the stratum 0
> clock no matter where I put these entries in the config file.

With my PPS at the top of the file and minpoll 4 the PPS almost always
wins the race.  This with gps already running and stable.

> Maxpoll settings don't kick in until much later.

I see it as soon as I start ntpd.

> The quality filters
> do prefer local peers over remote ones,

Not that I can see.  Only if they have lower jitter.  So the PPS
usually gets used, but not the NMEA.  If I'm not careful the PPS
can get outvoted by my local network chimers.

> it'll usually lock to my
> router first before the stratum 1 servers from the PTB kick in a few
> seconds later (I've hard-configured these since they are the ones
> providing the time for DCF77).

Sounds like you are not using the mode 28 refclock.  I find it performs
better than the other refclocks with PPS.  It certainly does not have the
startup issue you mention.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588



Re: State of the microserver HOWTO

2016-06-07 Thread Eric S. Raymond
Gary E. Miller :
> > Assume I've never read that list, or anything else about NTP other
> > than the HOWTO itself.  Remember who we're teaching!
> 
> You want me to do all the work?!?  You're the writer.  :-)

Yes, which is why I know how error-prone and crazy-making for both of
us it would be to do this by micropatching.  Trust me, I'll be doing plenty
of work, some of which you won't be positioned to notice.

> > Complete config with improved header comment, please.  Having me edit
> > in stuff every time someone needs to correct or amplify an explanation
> > will not scale and *will* drive me bugfuck crazy.
> 
> See below.  Not sure what you want in the header.

Well, to start with, something like:

"This configuration uses the shared-memory refclock (28), which is assumed
to have gpsd on the other end.  Unit 0 is the in-band data, Unit 1 the PPS."

Then explain the ordering to avoid startup glitch and the ARP problem, noting
that these are arguably due to bugs and the startup glitch should be fixed in
a future release.

What is mode 16 doing?  What are flag1 and flag2 doing?
How was the 0.450 fudge derived?
-- 
Eric S. Raymond (http://www.catb.org/~esr/)



Re: State of the microserver HOWTO

2016-06-06 Thread Gary E. Miller
Yo Eric!

On Mon, 6 Jun 2016 20:32:07 -0400
"Eric S. Raymond"  wrote:

> Gary E. Miller :
> > Yo Eric!
> > 
> > On Mon, 6 Jun 2016 19:54:22 -0400
> > "Eric S. Raymond"  wrote:
> >   
> > > 1. How does ordering the refclocks in that way reduce startup
> > > glitches? As written this is a maddening, uninformative tease
> > > equivalent to mumbling "magic happens here".  Please reply via a
> > > config with a better header comment.  
> > 
> > As recently discussed on devel@ntpsec.org  
> 
> Assume I've never read that list, or anything else about NTP other
> than the HOWTO itself.  Remember who we're teaching!

You want me to do all the work?!?  You're the writer.  :-)

> Complete config with improved header comment, please.  Having me edit
> in stuff every time someone needs to correct or amplify an explanation
> will not scale and *will* drive me bugfuck crazy.

See below.  Not sure what you want in the header.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588


# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


logfile /var/log/ntpd.log  
logconfig =syncall +clockall +peerall +sysall

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: 
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page 

# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
#restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery
#
## Local users may interrogate the ntp server more closely.
#restrict 127.0.0.1
#restrict ::1

restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1 mask 255.255.255.0
restrict 204.17.205.0 mask 255.255.255.0
restrict -6 [2001:470:e815::]/64
restrict -6 ::1


# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

# SHM for PPS and gpsd
server 127.127.28.1 prefer minpoll 4 maxpoll 4
fudge 127.127.28.1 refid PPS

# #20 GPS direct
server 127.127.20.0 mode 16 minpoll 4 maxpoll 4
fudge 127.127.20.0 flag1 1 flag2 0 refid GPS2

peer 204.17.205.1
peer 204.17.205.8 maxpoll 5 # spidey
peer 204.17.205.23 maxpoll 5 # pi3
peer 204.17.205.27
peer 204.17.205.30

# SHM for gpsd
server 127.127.28.0 minpoll 4 maxpoll 4
fudge 127.127.28.0 time1 0.450  refid GPS




Re: State of the microserver HOWTO

2016-06-06 Thread Gary E. Miller
Yo Eric!

On Mon, 6 Jun 2016 19:54:22 -0400
"Eric S. Raymond"  wrote:

> 1. How does ordering the refclocks in that way reduce startup
> glitches? As written this is a maddening, uninformative tease
> equivalent to mumbling "magic happens here".  Please reply via a
> config with a better header comment.

As recently discussed on devel@ntpsec.org
But let me take a stab at it.

"On startup ntpd will take the first time it gets to set the system clock.
If this first time is an imprecise clock, say derived from NMEA, then
ntpd may take days to restabilize.

The first time ntpd acquires will tend to be the ones higher up in the
file with the lowest maxpoll.

So to work around this ntpd glitch put your best time sources high in
the ntp.conf file, with your shortest maxpoll and your worst one at the
bottom with higher maxpolls."

> 2. What has maxpoll got to do with ARP delays? See above...

As recently discussed on devel@ntpsec.org
But let me take a stab at it.

"The default ARP timeout on Cisco switch gear may be as long as
4 hours.  On Windows and Linux it may be as short as 60 seconds.

If the polling interval for a chimer is greater than 60 seconds (maxpoll 6+)
then when ntpd sends a time request to a remote ntpd daemon the OS may
be adding an ARP roundtrip to the process, delaying the return
by that much extra time.  This convinces ntpd that the remote ntpd
is further away, and has more jitter, than it actually does.

To prevent this glitch in ntpd behavior, be sure to use 'maxpoll 4' or
'maxpoll 5' on local servers and peers."

> I guess I should remark that right now I'm not very interested in
> logging or security directives.

You should be.  I'm fascinated with the graphs ddrown's scripts are
giving me.

> If we need to add a section on those
> we will, but they're orthogonal to what really matters for these
> examples, which is *how to configure clocks*.

What good is a refclock if you do not know 'how good' or have the data
to debug it.

You can include the logging statements with the comment:

# You want this logging, it will be useful later.

If you add the logging early, then you have the data when you figure
out you want it.  If you wait until you want it then it is too late.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588
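
The ARP explanation in this message, turned into a check over ntp.conf, as an added example that is not part of the post or of NTPsec: it flags `server` and `peer` lines for on-link addresses whose longest poll interval (2^maxpoll seconds) exceeds the 60-second ARP timeout quoted above. The function name, the sample lines (peer lines posted in this thread plus one constructed `maxpoll 6` entry) and the treatment of IPv6 neighbours like ARP entries are assumptions of the example.

```python
import ipaddress

ARP_TIMEOUT_S = 60     # shortest ARP cache lifetime quoted in the message
DEFAULT_MAXPOLL = 10   # ntpd's default when a line gives no maxpoll

# Sample input: lines taken from configs posted in this thread, plus one
# constructed "maxpoll 6" peer to show the boundary case.
SAMPLE_CONF = """\
server 127.127.28.1 prefer minpoll 4 maxpoll 4
peer 204.17.205.1
peer 204.17.205.8 maxpoll 5 # spidey
peer 204.17.205.27 maxpoll 6
peer [2001:470:e815::8] maxpoll 5 # spider
#server 0.debian.pool.ntp.org iburst
"""

# The on-link networks from the same configs' restrict lines.
LOCAL_NETS = ["204.17.205.0/24", "2001:470:e815::/64"]


def arp_exposed_sources(conf_text, local_nets, arp_timeout=ARP_TIMEOUT_S):
    """Return (line, address, maxpoll, interval_s) for each on-link source
    that can be polled less often than the ARP cache entry lives.

    maxpoll/interval are None when the maxpoll value cannot be parsed.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(words) < 2 or words[0] not in ("server", "peer"):
            continue
        try:
            addr = ipaddress.ip_address(words[1].strip("[]"))
        except ValueError:
            continue   # hostname: cannot tell here whether it is on-link
        if addr.is_loopback:
            continue   # 127.127.t.u refclock pseudo-addresses never hit ARP
        # Assumption: IPv6 neighbour-cache expiry is treated like ARP here.
        if not any(addr.version == n.version and addr in n for n in nets):
            continue   # routed source: the next hop's ARP entry is shared
        maxpoll = DEFAULT_MAXPOLL
        opts = words[2:]
        if "maxpoll" in opts:
            try:
                maxpoll = int(opts[opts.index("maxpoll") + 1])
            except (IndexError, ValueError):
                findings.append((lineno, str(addr), None, None))
                continue
        interval = 2 ** maxpoll
        if interval > arp_timeout:
            findings.append((lineno, str(addr), maxpoll, interval))
    return findings


if __name__ == "__main__":
    for lineno, addr, maxpoll, interval in arp_exposed_sources(
            SAMPLE_CONF, LOCAL_NETS):
        print(f"line {lineno}: {addr} maxpoll {maxpoll} "
              f"({interval} s) outlives a {ARP_TIMEOUT_S} s ARP entry")
```
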



Re: State of the microserver HOWTO

2016-06-06 Thread Eric S. Raymond
Gary E. Miller :
> > Please send me configurations.
> 
> See below.

Deficient in explanation. 

1. How does ordering the refclocks in that way reduce startup glitches?
As written this is a maddening, uninformative tease equivalent to
mumbling "magic happens here".  Please reply via a config with a better
header comment.

2. What has maxpoll got to do with ARP delays? See above...

I guess I should remark that right now I'm not very interested in logging
or security directives.  If we need to add a section on those we will,
but they're orthogonal to what really matters for these examples, which
is *how to configure clocks*.
-- 
Eric S. Raymond (http://www.catb.org/~esr/)



Re: State of the microserver HOWTO

2016-06-06 Thread Gary E. Miller
Yo Eric!

On Mon, 6 Jun 2016 19:27:52 -0400
"Eric S. Raymond"  wrote:

> At the moment it uses gpsd via the SHM channel and three named public
> timeservers.  I'm told the latter is bad practice and should be got
> rid of.

Not bad.  A good start, but sub-optimal.  First escalate to the pool
for your country.  Then escalate to some good local chimers.

Don't let the perfect be the enemy of the good enough.

> Please send me configurations.

See below.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588


# My RasPi 2/Adafruit HAT config.

# we want stats
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


logfile /var/log/ntpd.log  
logconfig =syncall +clockall +peerall +sysall

# we want some security
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1 mask 255.255.255.0
restrict 204.17.205.0 mask 255.255.255.0
restrict -6 [2001:470:e815::]/64
restrict -6 ::1


# PPS is first, to minimize ntpd startup glitches
# SHM for PPS and gpsd
server 127.127.28.1 prefer minpoll 4 maxpoll 4
fudge 127.127.28.1 refid PPS

# My other local chimers
# maxpoll 5 to avoid ARP delays every cycle
peer 204.17.205.1 maxpoll 5
peer 204.17.205.8 maxpoll 5 
peer 204.17.205.23 maxpoll 5
peer 204.17.205.27 maxpoll 5
peer 204.17.205.30 maxpoll 5

# NMEA is last, to minimize ntpd startup glitches
# SHM for gpsd
server 127.127.28.0 minpoll 4 maxpoll 4
fudge 127.127.28.0 time1 0.450  refid GPS


