Re: [ntp:questions] multiple instances of NTP on different interfaces
On 2013-03-07, Abu Abdullah falcon.sh...@gmail.com wrote: On Thu, Mar 7, 2013 at 12:41 AM, E-Mail Sent to this address will be added to the BlackLists Null@blacklist.anitech-systems.invalid wrote: unruh wrote: He has gotten himself totally confused about what his real job and desires are, it seems to me. Perhaps it's something like, he needs to provide ntp to the pool due to really high vendor zone usage by his appliances? Still sounds like two machines would be better than one. Both are important for us. I can conclude from all the responses that there is no out of the box solution for the same. I need to have a separate OS (or zone). Well, you are not listening. Someone suggested having two versions running with one having only the local clock as server. But, you have also said that one of them was a critical internal server of time. As such, as I have said, it is stupid to have that machine serving the public for all the reasons you stated as to why you wanted two separate versions running. All of those reasons are far more cogent for running separate machines. And if you do not have the $30 for a Raspberry Pi to act as the public server, then I would advise you to get the internal network up and running well first, and then go for the public server when you can spare another machine. ___ questions mailing list questions@lists.ntp.org http://lists.ntp.org/listinfo/questions
Re: [ntp:questions] multiple instances of NTP on different interfaces
Uwe Klein u...@klein-habertwedt.de wrote: Abu Abdullah wrote: On Thu, Mar 7, 2013 at 12:41 AM, E-Mail Sent to this address will be added to the BlackLists Null@blacklist.anitech-systems.invalid wrote: unruh wrote: He has gotten himself totally confused about what his real job and desires are, it seems to me. Perhaps it's something like, he needs to provide ntp to the pool due to really high vendor zone usage by his appliances? Still sounds like two machines would be better than one. Both are important for us. I can conclude from all the responses that there is no out of the box solution for the same. I need to have a separate OS (or zone). Look into changeroot prisons. Some (Linux) distributions already run ntpd in a change rooted prison. Should be easy to adapt that to a dual setup. This isolates only the filesystem, not the network sockets. He described a problem with the sharing of the network sockets.
Re: [ntp:questions] multiple instances of NTP on different interfaces
Rob wrote: Uwe Klein u...@klein-habertwedt.de wrote: Abu Abdullah wrote: On Thu, Mar 7, 2013 at 12:41 AM, E-Mail Sent to this address will be added to the BlackLists Null@blacklist.anitech-systems.invalid wrote: unruh wrote: He has gotten himself totally confused about what his real job and desires are, it seems to me. Perhaps it's something like, he needs to provide ntp to the pool due to really high vendor zone usage by his appliances? Still sounds like two machines would be better than one. Both are important for us. I can conclude from all the responses that there is no out of the box solution for the same. I need to have a separate OS (or zone). Look into changeroot prisons. Some (Linux) distributions already run ntpd in a change rooted prison. Should be easy to adapt that to a dual setup. This isolates only the filesystem, not the network sockets. He described a problem with the sharing of the network sockets. Is there an uncircumventable need to share? I would add a set of IPs to the loopback or link-local interface. Have instance A of ntp use 169.254.0.22 Have instance B of ntp use 169.254.0.44 as access to a common network. voila? uwe
Re: [ntp:questions] multiple instances of NTP on different interfaces
unruh un...@invalid.ca wrote: On 2013-03-05, Rob nom...@example.com wrote: unruh un...@invalid.ca wrote: On 2013-03-05, Rob nom...@example.com wrote: David Woolley david@ex.djwhome.demon.invalid wrote: Abu Abdullah wrote: Does this mean ntpd is not supposed to be run in parallel? Is there any It is not seen as something anyone would want to do. I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock. You could? I cannot. ntpd both controls the clock and serves time. Why would you want to split those? Because the users of the clock service may be able to disturb that service, e.g. by overloading it, by making it crash sending it invalid requests, etc. Some people may consider the service to keep their own clock correct to be more important than the service to tell time to others. Seeing the reply that the OP posted in the meantime, I was not too far off. He wants a separation between the internal use of NTP to sync the local and other important systems, from the service to give time to others. I think it is a reasonable wish. Certainly not something that nobody would want to do. Well, I would just put the outside service onto some inconsequential machine at a higher stratum and have it read time from an inside server. If you are worried about someone crashing it, you do not want it to be on the same machine, since that crash is liable not to crash ntpd but the whole machine anyway. I.e., do not run them on the same machine if that is your worry. He has only one machine. Running separate processes on a single machine, where you can set different resource limits for the processes, is better than doing everything in a single process. Maybe best for him is to use virtualization and run all the public services in the virtual machine. Hacking a virtual machine is another step beyond disturbing an ntp process.
Re: [ntp:questions] multiple instances of NTP on different interfaces
Maybe best for him is to use virtualization and run all the public services in the virtual machine. Hacking a virtual machine is another step beyond disturbing an ntp process. I hope I can avoid this option.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 3/5/2013 11:25 PM, Abu Abdullah wrote: On Tue, Mar 5, 2013 at 11:18 PM, Brian Utterback brian.utterb...@oracle.com wrote: Based on what is being requested, I can suggest one way to accomplish it, but it involves using an OS feature, rather than using an NTP feature. If it is feasible to run Oracle Solaris on the system in question, you could use the Solaris Zones feature to do what you want. You could have one instance of ntpd running in one zone with one set of interfaces which controls the system clock and have another instance in a separate zone configured with the other set of interfaces configured with the LOCAL refclock only so it never tries to change the clock, but will instead serve time only. There is an interlock mechanism in the ntpd configuration on Solaris to prevent ntpd from running in a zone but there is an override to the interlock if you really want to do it and you know what you are doing. Just a thought. Thanks Brian, we are using RedHat so I think the equivalent is KVM but right now I'm trying to find if there is an easier way. Zones are easier to use and lighter weight than KVM (single kernel image with zones), but if you need to use Red Hat then the KVM may be the closest equivalent. Brian.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 2013-03-06 14:20, Brian Utterback wrote: On 3/5/2013 11:25 PM, Abu Abdullah wrote: Thanks Brian, we are using RedHat so I think the equivalent is KVM but right now I'm trying to find if there is an easier way. Zones are easier to use and lighter weight than KVM (single kernel image with zones), but if you need to use Red Hat then the KVM may be the closest equivalent. Brian. The closest equivalent under Linux-based systems like Red Hat would be LXC, OpenVZ or vservers, not KVM. LXC being the newest option and the only one in the mainline kernel. I haven't explored a solution to this problem further but LXC on Linux or Zones on SunOS is one way to partition the machine further while still avoiding virtualization, possibly useful with NTPd. The disclaimer being that I haven't tried NTPd inside either of them, always running it on the hypervisor on Linux or the global zone on Solaris. // jwalck
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 2013-03-06, Rob nom...@example.com wrote: unruh un...@invalid.ca wrote: On 2013-03-05, Rob nom...@example.com wrote: unruh un...@invalid.ca wrote: On 2013-03-05, Rob nom...@example.com wrote: David Woolley david@ex.djwhome.demon.invalid wrote: Abu Abdullah wrote: Does this mean ntpd is not supposed to be run in parallel? Is there any It is not seen as something anyone would want to do. I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock. You could? I cannot. ntpd both controls the clock and serves time. Why would you want to split those? Because the users of the clock service may be able to disturb that service, e.g. by overloading it, by making it crash sending it invalid requests, etc. Some people may consider the service to keep their own clock correct to be more important than the service to tell time to others. Seeing the reply that the OP posted in the meantime, I was not too far off. He wants a separation between the internal use of NTP to sync the local and other important systems, from the service to give time to others. I think it is a reasonable wish. Certainly not something that nobody would want to do. Well, I would just put the outside service onto some inconsequential machine at a higher stratum and have it read time from an inside server. If you are worried about someone crashing it, you do not want it to be on the same machine, since that crash is liable not to crash ntpd but the whole machine anyway. I.e., do not run them on the same machine if that is your worry. He has only one machine. Running separate processes on a single machine, where you can set different resource limits for the processes, is better than doing everything in a single process. Maybe best for him is to use virtualization and run all the public services in the virtual machine.
Hacking a virtual machine is another step beyond disturbing an ntp process. He needs to figure out what his priorities are. I suspect it is providing time to the internal machines. That is what he should concentrate on. That is his business. Providing time to the rest of the world (e.g. via the pool, I assume) is a secondary job, and in fact is probably not part of the job at all. He does NOT have just one machine. He is providing time to other machines which means he has more than one. He should NOT be running a public server on a machine which is critical to his business. That should be run on machines that do not matter, for all the reasons that have been stated. If he does not have a spare machine, he should not be providing time to the public. If there MUST be a public machine because some of his company's machines cannot use the internal time server, he should set up a firewall to only accept those IP addresses. He has gotten himself totally confused about what his real job and desires are, it seems to me.
Re: [ntp:questions] multiple instances of NTP on different interfaces
unruh wrote: He has gotten himself totally confused about what his real job and desires are, it seems to me. Perhaps it's something like, he needs to provide ntp to the pool due to really high vendor zone usage by his appliances? Still sounds like two machines would be better than one. -- E-Mail Sent to this address blackl...@anitech-systems.com will be added to the BlackLists.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On Thu, Mar 7, 2013 at 12:41 AM, E-Mail Sent to this address will be added to the BlackLists Null@blacklist.anitech-systems.invalid wrote: unruh wrote: He has gotten himself totally confused about what his real job and desires are, it seems to me. Perhaps it's something like, he needs to provide ntp to the pool due to really high vendor zone usage by his appliances? Still sounds like two machines would be better than one. Both are important for us. I can conclude from all the responses that there is no out of the box solution for the same. I need to have a separate OS (or zone).
Re: [ntp:questions] multiple instances of NTP on different interfaces
Abu Abdullah wrote: Does this mean ntpd is not supposed to be run in parallel? It is not seen as something anyone would want to do. Is there any option to disable adjusting the system clock? I believe there is, but that instance would become a pure server. The time that ntpd serves is always that in the local system clock. As someone already said, you need to explain the overall goal, not the particular step that you think might achieve it.
Re: [ntp:questions] multiple instances of NTP on different interfaces
David Woolley david@ex.djwhome.demon.invalid wrote: Abu Abdullah wrote: Does this mean ntpd is not supposed to be run in parallel? Is there any It is not seen as something anyone would want to do. I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock.
Re: [ntp:questions] multiple instances of NTP on different interfaces
option to disable adjusting the system clock? I believe there is, but that instance would become a pure server. The time that ntpd serves is always that in the local system clock. I would appreciate if you can provide it so at least I can get rid of these warnings. As someone already said, you need to explain the overall goal, not the particular step that you think might achieve it. We have a requirement for NTP service for two different networks: public (not important, can have outages), private (important). We are trying to have a separate process for each network in case high load comes from the public domain (or for any security issue). We will have more control on the public NTP where we can set the resources for it at the OS level. In addition, at any point of time we can migrate the private NTP to a dedicated machine (currently we have only one machine) once the hardware is not capable to handle both. In this case we will not have to change the NTP IPs in the clients' configurations (private).
Re: [ntp:questions] multiple instances of NTP on different interfaces
In article CAD678-DQ-nMVJP5EPsb+0i699S_VrDsB2yzNkE4c=Btv=ny...@mail.gmail.com, Abu Abdullah falcon.sh...@gmail.com wrote: option to disable adjusting the system clock? I believe there is, but that instance would become a pure server. The time that ntpd serves is always that in the local system clock. I would appreciate if you can provide it so at least I can get rid of these warnings. As someone already said, you need to explain the overall goal, not the particular step that you think might achieve it. We have a requirement for NTP service for two different networks: public (not important, can have outages), private (important). We are trying to have a separate process for each network in case high load comes from the public domain (or for any security issue). We will have more control on the public NTP where we can set the resources for it at the OS level. In addition, at any point of time we can migrate the private NTP to a dedicated machine (currently we have only one machine) once the hardware is not capable to handle both. In this case we will not have to change the NTP IPs in the clients' configurations (private). Be aware that if the hope is that the private network be immune to hacking from the public network, or immune to leakage of information from private to public, there cannot be a computer common to both networks. There are hardware solutions to this dilemma, specifically GPS receivers with built-in isolated NTP servers, each server with its own dedicated ethernet port. Joe Gwinn
Re: [ntp:questions] multiple instances of NTP on different interfaces
Abu Abdullah wrote: BlackLists wrote: Abu Abdullah wrote: I tried running multiple instances with the following configuration to avoid listening to the same local interface by the two instances: interface ignore lo lo0 ? loopback address, but it seems it only disables lo on ipv6. I'm not sure if the ipv4 localhost is hardcoded into ntpd. Yes, I meant try interface ignore lo0 instead of interface ignore lo. For that matter try interface ignore ipv4? What version of ntpd are you running 4.2.7p359? BTW, I think you are chasing a lost cause. -- E-Mail Sent to this address blackl...@anitech-systems.com will be added to the BlackLists.
Re: [ntp:questions] multiple instances of NTP on different interfaces
Abu Abdullah wrote: In this case we will not have to change the NTP IPs in the clients configurations (private). Use names, instead of IPs? -- E-Mail Sent to this address blackl...@anitech-systems.com will be added to the BlackLists.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 2013-03-05, Rob nom...@example.com wrote: David Woolley david@ex.djwhome.demon.invalid wrote: Abu Abdullah wrote: Does this mean ntpd is not supposed to be run in parallel? Is there any It is not seen as something anyone would want to do. I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock. You could? I cannot. ntpd both controls the clock and serves time. Why would you want to split those?
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 2013-03-05, Abu Abdullah falcon.sh...@gmail.com wrote: On Mon, Mar 4, 2013 at 11:12 PM, E-Mail Sent to this address will be added to the BlackLists Null@blacklist.anitech-systems.invalid wrote: Abu Abdullah wrote: I'm trying to run two instances of ntp They are going to fight each other to discipline the system clock? Does this mean ntpd is not supposed to be run in parallel? Is there any option to disable adjusting the system clock? Yes, it does mean that. You seem to have gotten yourself confused. What are you trying to accomplish? each with different interface. I want to have instance for each network. Why? I tried running multiple instances with the following configuration to avoid listening to the same local interface by the two instances: interface ignore lo lo0 ? loopback address, but it seems it only disables lo on ipv6. I'm not sure if the ipv4 localhost is hardcoded into ntpd.
Re: [ntp:questions] multiple instances of NTP on different interfaces
Be aware that if the hope is that the private network be immune to hacking from the public network, or immune to leakage of information from private to public, there cannot be a computer common to both networks. There are hardware solutions to this dilemma, specifically GPS receivers with built-in isolated NTP servers, each server with its own dedicated ethernet port. I understand this but at least we need to utilize the hardware at this point of time until we reach a conclusion of using another hardware.
Re: [ntp:questions] multiple instances of NTP on different interfaces
Yes, I meant try interface ignore lo0 instead of interface ignore lo. For that matter try interface ignore ipv4? I will try this. What version of ntpd are you running 4.2.7p359? Not this one. I'm not on the machine now but it was the latest code one week back, maybe 4.2.7p357. BTW, I think you are chasing a lost cause. From the responses I start to think that this scenario is not supposed to be implemented and I'm trying to figure out why (and to find another solution).
Re: [ntp:questions] multiple instances of NTP on different interfaces
each with different interface. I want to have instance for each network. Why? Mentioned it before: We have a requirement for NTP service for two different networks: public (not important, can have outages), private (important). We are trying to have a separate process for each network in case high load comes from the public domain (or for any security issue). We will have more control on the public NTP where we can set the resources for it at the OS level. In addition, at any point of time we can migrate the private NTP to a dedicated machine (currently we have only one machine) once the hardware is not capable to handle both. In this case we will not have to change the NTP IPs in the clients' configurations (private).
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 3/5/2013 9:37 AM, unruh wrote: ntpd both controls the clock and serves time. Why would you want to split those? Because they want to do funny things with the service, like serve time with an offset, while keeping the local machine as close to UTC as possible? I've had many people ask me about that, as they'd like to try exploits on those that don't have enough Byzantine Generals. -- E-Mail Sent to this address blackl...@anitech-systems.com will be added to the BlackLists.
Re: [ntp:questions] multiple instances of NTP on different interfaces
unruh un...@invalid.ca wrote: On 2013-03-05, Rob nom...@example.com wrote: David Woolley david@ex.djwhome.demon.invalid wrote: Abu Abdullah wrote: Does this mean ntpd is not supposed to be run in parallel? Is there any It is not seen as something anyone would want to do. I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock. You could? I cannot. ntpd both controls the clock and serves time. Why would you want to split those? Because the users of the clock service may be able to disturb that service, e.g. by overloading it, by making it crash sending it invalid requests, etc. Some people may consider the service to keep their own clock correct to be more important than the service to tell time to others. Seeing the reply that the OP posted in the meantime, I was not too far off. He wants a separation between the internal use of NTP to sync the local and other important systems, from the service to give time to others. I think it is a reasonable wish. Certainly not something that nobody would want to do.
Re: [ntp:questions] multiple instances of NTP on different interfaces
Based on what is being requested, I can suggest one way to accomplish it, but it involves using an OS feature, rather than using an NTP feature. If it is feasible to run Oracle Solaris on the system in question, you could use the Solaris Zones feature to do what you want. You could have one instance of ntpd running in one zone with one set of interfaces which controls the system clock and have another instance in a separate zone configured with the other set of interfaces configured with the LOCAL refclock only so it never tries to change the clock, but will instead serve time only. There is an interlock mechanism in the ntpd configuration on Solaris to prevent ntpd from running in a zone but there is an override to the interlock if you really want to do it and you know what you are doing. Just a thought. On 3/5/2013 1:07 PM, Abu Abdullah wrote: each with different interface. I want to have instance for each network. Why? Mentioned it before: We have a requirement for NTP service for two different networks: public (not important, can have outages), private (important). We are trying to have a separate process for each network in case high load comes from the public domain (or for any security issue). We will have more control on the public NTP where we can set the resources for it at the OS level. In addition, at any point of time we can migrate the private NTP to a dedicated machine (currently we have only one machine) once the hardware is not capable to handle both. In this case we will not have to change the NTP IPs in the clients' configurations (private).
Re: [ntp:questions] multiple instances of NTP on different interfaces
Abu Abdullah wrote: From the responses I start to think that this scenario is not supposed to be implemented and I'm trying to figure out why (and to find another solution). Why? Because it's not what 99.% do with ntpd. IIRC, www.cubinlab.ee.unimelb.edu.au/radclock/ advertises that it does something like I'm guessing you're looking for? -- E-Mail Sent to this address blackl...@anitech-systems.com will be added to the BlackLists.
Re: [ntp:questions] multiple instances of NTP on different interfaces
Rob wrote: I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock. One would normally simply set suitable access restrictions for un-named clients. I think the defaults are probably adequate.
Re: [ntp:questions] multiple instances of NTP on different interfaces
Richard B. Gilbert wrote: The two NTP processes cannot serve identical times; there will be a difference between the two instances! They will both serve the same time, which is the time in the local system clock.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 3/4/2013 11:13 PM, Abu Abdullah wrote: On Mon, Mar 4, 2013 at 11:12 PM, E-Mail Sent to this address will be added to the BlackLists Null@blacklist.anitech-systems.invalid wrote: Abu Abdullah wrote: I'm trying to run two instances of ntp What problem are you trying to solve? The two NTP processes cannot serve identical times; there will be a difference between the two instances! They are going to fight each other to discipline the system clock? Quite probably! snip
Re: [ntp:questions] multiple instances of NTP on different interfaces
Abu Abdullah wrote: option to disable adjusting the system clock? I believe there is, but that instance would become a pure server. The time that ntpd serves is always that in the local system clock. I would appreciate if you can provide it so at least I can get rid of these warnings. Thinking more clearly, you actually have to go out of your way before ntpd will accept times from anyone. You just need the local clock driver to prevent the root dispersion tending to infinity. You might need to disable the kernel time discipline. However your warnings are not about conflicts for the local clock. As someone already said, you need to explain the overall goal, not the particular step that you think might achieve it. We have a requirement for NTP service for two different networks: public (not important, can have outages), private (important). We are trying to have a separate process for each network in case high load comes from the public domain (or for any security issue). We will have more control on the public NTP where we can set the resources for it at the OS level. ntpd uses very few processor resources, and most of what it uses are when operating in client or peer mode; as a server it pretty much just reads the local system clock and bounces the packet back. If you are overloaded, it is the network card that will suffer. In addition, at any point of time we can migrate the private NTP to a dedicated machine (currently we have only one machine) once the hardware is not capable to handle both. In this case we will not have to change the NTP IPs in the clients' configurations (private).
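Added example, not part of any post in this thread: a small Python audit of two ntp.conf texts for the split discussed above (one instance that steers the clock, one serve-only instance on the LOCAL refclock), flagging shared listen addresses, extra time sources and a weak default restriction. The interface model is a simplification that assumes the last matching `interface` rule wins and that unmatched addresses are opened; the host inventory, both configs and 192.0.2.10 are constructed, and only the two link-local addresses come from the thread.

```python
import ipaddress

# Constructed host inventory: (interface name, address). The two link-local
# addresses are the ones proposed in the thread; everything else is made up.
HOST_ADDRS = [("lo", "127.0.0.1"), ("lo", "::1"),
              ("eth0", "169.254.0.22"), ("eth1", "169.254.0.44")]

# Constructed ntp.conf texts; 192.0.2.10 is a documentation-range placeholder.
PRIVATE_CONF = """
interface ignore all
interface listen 127.0.0.1
interface listen 169.254.0.22
server 192.0.2.10 iburst
restrict default nomodify notrap nopeer noquery
"""
PUBLIC_NAIVE = """
interface ignore lo          # every non-loopback address stays open
server 192.0.2.10 iburst     # a second daemon steering the same clock
"""
PUBLIC_SERVE_ONLY = """
interface ignore all
interface listen 169.254.0.44
server 127.127.1.0           # LOCAL refclock only, as suggested in the thread
fudge 127.127.1.0 stratum 10
disable kernel
restrict default kod limited nomodify notrap nopeer noquery
"""


def parse(conf):
    """Return each directive as a token list, without comments or blanks."""
    rows = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return [tokens for tokens in rows if tokens]


def rule_matches(selector, name, addr):
    """Does an 'interface' selector (class, name, address or prefix) match?"""
    ip = ipaddress.ip_address(addr)
    if selector == "all":
        return True
    if selector in ("ipv4", "ipv6"):
        return ip.version == int(selector[-1])
    if selector == "wildcard":
        return False  # the wildcard socket is not a host address; not modelled
    try:
        return ip in ipaddress.ip_network(selector, strict=False)
    except ValueError:
        return selector == name  # not an address, so treat it as a NIC name


def opened_addresses(conf, host_addrs=HOST_ADDRS):
    """Addresses this instance would open a UDP/123 socket on (simplified).

    The thread reports ntpd keeping the IPv4 loopback open despite
    'interface ignore lo'; this model does not reproduce that, so compare
    the result with the sockets the running daemons actually hold.
    """
    rules = [t[1:3] for t in parse(conf)
             if t[0] in ("interface", "nic") and len(t) >= 3]
    opened = set()
    for name, addr in host_addrs:
        action = "listen"  # assumption: an address no rule matches is opened
        for act, selector in rules:  # the last matching rule wins
            if rule_matches(selector, name, addr):
                action = act
        if action != "ignore":  # "drop" still opens the socket
            opened.add(addr)
    return opened


def clock_sources(conf):
    """server/peer/pool targets other than the LOCAL driver (127.127.1.u)."""
    return [t[1] for t in parse(conf)
            if t[0] in ("server", "peer", "pool") and len(t) > 1
            and not t[1].startswith("127.127.1.")]


def default_restrict_flags(conf):
    """Union of the flags on every 'restrict default' line."""
    flags = set()
    for t in parse(conf):
        args = [a for a in t[1:] if a not in ("-4", "-6")]
        if t[0] == "restrict" and args[:1] == ["default"]:
            flags.update(args[1:])
    return flags


def audit(private_conf, public_conf, host_addrs=HOST_ADDRS):
    """List the ways the public instance can still disturb the private one."""
    findings = []
    shared = (opened_addresses(private_conf, host_addrs)
              & opened_addresses(public_conf, host_addrs))
    for addr in sorted(shared):
        findings.append(f"both instances open {addr} (UDP 123 conflict)")
    for src in clock_sources(public_conf):
        findings.append(f"public instance syncs to {src}, may steer the clock")
    missing = ({"limited", "nomodify", "noquery"}
               - default_restrict_flags(public_conf))
    if missing:
        findings.append("public 'restrict default' lacks: "
                        + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for label, conf in (("naive", PUBLIC_NAIVE), ("serve-only", PUBLIC_SERVE_ONLY)):
        print(label, audit(PRIVATE_CONF, conf))
```
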
Re: [ntp:questions] multiple instances of NTP on different interfaces
David Woolley david@ex.djwhome.demon.invalid wrote: Rob wrote: I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock. One would normally simply set suitable access restrictions for un-named clients. I think the defaults are probably adequate. The point is that it is not important what you (and unruh) think. Here on the newsgroup the answer to all questions is always "you don't want to do that" or "this is not possible" and that is right. This usually without considering the situation of the poster in more detail, and often with information that dates from the distant past. Today the handling of internet traffic is different from "set access restrictions in the program". You need to consider situations where the program is faulty and does not handle access restrictions correctly, or external users find other ways of disturbing systems that the system designer has never thought about. Denying that is foolish.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 2013-03-05, Rob nom...@example.com wrote:

unruh un...@invalid.ca wrote:

On 2013-03-05, Rob nom...@example.com wrote:

David Woolley david@ex.djwhome.demon.invalid wrote:

Abu Abdullah wrote:

Does this mean ntpd is not supposed to be run in parallel? Is there any

It is not seen as something anyone would want to do.

I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock.

You could? I cannot. ntpd both controls the clock and serves time. Why would you want to split those?

Because the users of the clock service may be able to disturb that service, e.g. by overloading it, by making it crash sending it invalid requests, etc. Some people may consider the service to keep their own clock correct to be more important than the service to tell time to others.

Seeing the reply that the OP posted in the meantime, I was not too far off. He wants a separation between the internal use of NTP to sync the local and other important systems, from the service to give time to others. I think it is a reasonable wish. Certainly not something that nobody would want to do.

Well, I would just put the outside service onto some inconsequential machine at a higher stratum and have it read time from an inside server. If you are worried about someone crashing it, you do not want it to be on the same machine, since that crash is liable not to crash ntpd but the whole machine anyway. I.e., do not run them on the same machine if that is your worry.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 2013-03-05, Rob nom...@example.com wrote:

David Woolley david@ex.djwhome.demon.invalid wrote:

Rob wrote:

I could understand why someone would want to run one instance that controls the clock, and another instance that only serves time to clients on the (inter)net and cannot control the clock.

One would normally simply set suitable access restrictions for un-named clients. I think the defaults are probably adequate.

The point is that it is not important what you (and unruh) think. Here on the newsgroup the answer to all questions is always "you don't want to do that" or "this is not possible" and that is right.

The point is that he has a problem he wants to solve. He is telling us what his solution is and saying it does not seem to work, without telling us what the problem is. We are telling him that if we knew the problem, we might be able to offer solutions he had not thought of.

This usually without considering the situation of the poster in more detail, and often with information that dates from the distant past.

So that is why we ask for more detail.

Today the handling of internet traffic is different from set access restrictions in the program. You need to consider situations where the program is faulty and does not handle access restrictions correctly, or external users find other ways of disturbing systems that the system designer has never thought about.

Yes, but if that is the worry, then he should not be running a public service at all on his mission critical machine. Doing that is stupid for precisely the reasons you list.

Denying that is foolish.

No one is denying it. What we are commenting on is his solution to an unknown problem.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 3/5/2013 4:59 PM, Rob wrote:

This usually without considering the situation of the poster in more detail, and often with information that dates from the distant past.

SYNTAX ERROR.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On 3/5/2013 4:41 PM, Richard B. Gilbert wrote:

The two NTP processes cannot serve identical times; there will be a difference between the two instances!

A single instance (on a single interface) can't (or more properly, won't) serve identical times, since requests by nature occur at different times. Conversely, with multiple interfaces, identical times might be served by either single or multiple instances, depending on the relative timing of the incoming requests.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On Tue, Mar 5, 2013 at 11:18 PM, Brian Utterback brian.utterb...@oracle.com wrote:

Based on what is being requested, I can suggest one way to accomplish it, but it involves using an OS feature, rather than using an NTP feature. If it is feasible to run Oracle Solaris on the system in question, you could use the Solaris Zones feature to do what you want. You could have one instance of ntpd running in one zone with one set of interfaces which controls the system clock and have another instance in a separate zone configured with the other set of interfaces configured with the LOCAL refclock only so it never tries to change the clock, but will instead serve time only. There is an interlock mechanism in the ntpd configuration on Solaris to prevent ntpd from running in a zone but there is an override to the interlock if you really want to do it and you know what you are doing. Just a thought.

Thanks Brian, we are using RedHat so I think the equivalent is KVM but right now I'm trying to find if there is an easier way.
Re: [ntp:questions] multiple instances of NTP on different interfaces
In this case we will not have to change the NTP IPs in the clients configurations (private).

Use names, instead of IPs?

My mistake, in all cases we will not need to change the IP since we can connect the private domain through a different IP than the public one.
[ntp:questions] multiple instances of NTP on different interfaces
Hi,

I'm trying to run two instances of ntp each with different interface. I want to have instance for each network. I tried running multiple instances with the following configuration to avoid listening to the same local interface by the two instances:

    interface ignore lo
    interface ignore wildcard
    interface ignore all
    interface listen interface

Still I'm receiving:

    ntpd[2382]: bind(16) AF_INET 127.0.0.1#123 flags 0x5 failed: Address already in use
    ntpd[2382]: unable to create socket on lo (0) for 127.0.0.1#123
    ntpd[2382]: failed to init interface for address 127.0.0.1

Please advise. Does ntp support running multiple instances on different interfaces?
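Added example, not part of the original post and not ntpd code: a model of the bind failure in the log above, with two "instances" that each take their own interface address plus the shared loopback address on one UDP port. Assumptions: Linux (where all of 127.0.0.0/8 is local), 127.0.0.2 and 127.0.0.3 as constructed stand-ins for the private and public interface addresses, and a kernel-chosen unprivileged port instead of 123; the function names are illustrative.

```python
import errno
import socket

# Constructed stand-ins for the loopback, private and public addresses.
LOOPBACK = "127.0.0.1"
PRIVATE_ADDR = "127.0.0.2"
PUBLIC_ADDR = "127.0.0.3"


def bind_udp(addr, port):
    """Try to bind one UDP socket; return (socket_or_None, status string)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, port))
        return sock, "ok"
    except OSError as exc:
        sock.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno))


def start_instance(addrs, port):
    """Bind each address one instance wants; return ({addr: status}, sockets)."""
    results, sockets = {}, []
    for addr in addrs:
        sock, status = bind_udp(addr, port)
        results[addr] = status
        if sock is not None:
            sockets.append(sock)
    return results, sockets


def run_demo():
    # Let the kernel pick a free unprivileged port (stand-in for NTP's 123).
    probe, _ = bind_udp(LOOPBACK, 0)
    port = probe.getsockname()[1]
    probe.close()
    # The first instance holds its sockets while the second one starts.
    first, held_a = start_instance([PRIVATE_ADDR, LOOPBACK], port)
    second, held_b = start_instance([PUBLIC_ADDR, LOOPBACK], port)
    for sock in held_a + held_b:
        sock.close()
    return first, second


if __name__ == "__main__":
    first, second = run_demo()
    print("instance 1:", first)
    print("instance 2:", second)
```

The distinct interface addresses bind side by side on the same port; only the address both instances claim, loopback, fails with EADDRINUSE for whichever instance starts second.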
Re: [ntp:questions] multiple instances of NTP on different interfaces
Abu Abdullah wrote:

I'm trying to run two instances of ntp

They are going to fight each other to discipline the system clock?

each with different interface. I want to have instance for each network. I tried running multiple instances with the following configuration to avoid listening to the same local interface by the two instances: interface ignore lo

lo0 ?

--
E-Mail Sent to this address blackl...@anitech-systems.com will be added to the BlackLists.
Re: [ntp:questions] multiple instances of NTP on different interfaces
On Mon, Mar 4, 2013 at 11:12 PM, E-Mail Sent to this address will be added to the BlackLists Null@blacklist.anitech-systems.invalid wrote:

Abu Abdullah wrote:

I'm trying to run two instances of ntp

They are going to fight each other to discipline the system clock?

Does this mean ntpd is not supposed to be run in parallel? Is there any option to disable adjusting the system clock?

each with different interface. I want to have instance for each network. I tried running multiple instances with the following configuration to avoid listening to the same local interface by the two instances: interface ignore lo

lo0 ?

loopback address, but it seems it only disables lo on ipv6. I'm not sure if the ipv4 localhost is hardcoded into ntpd.