Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-07 Thread unruh
On 2013-03-07, Abu Abdullah falcon.sh...@gmail.com wrote:
 On Thu, Mar 7, 2013 at 12:41 AM, E-Mail Sent to this address will be added
 to the BlackLists Null@blacklist.anitech-systems.invalid wrote:

 unruh wrote:
  He has gotten himself totally confused about what his
   real job and desires are, it seems to me.

 Perhaps it's something like, he needs to provide ntp to the
  pool due to really high vendor zone usage by his appliances?

 Still sounds like two machines would be better than one.


 Both are important for us. I can conclude from all the responses that there
 is no out-of-the-box solution for the same. I need to have separate OS
 (or zone).

Well, you are not listening. Someone suggested having two versions
running with one having only the local clock as server. 
But, you have also said that one of them was a critical internal server
of time. As such, as I have said, it is stupid to have that machine
serving the public for all the reasons you stated as to why you wanted
two separate versions running. All of those reasons are far more cogent
for running separate machines. 
And if you do not have the $30 for a Raspberry Pi to act as the public
server, then I would advise you to get the internal network up and
running well first, and then go for the public server when you can spare
another machine. 


___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-07 Thread Rob
Uwe Klein u...@klein-habertwedt.de wrote:
 Abu Abdullah wrote:
 On Thu, Mar 7, 2013 at 12:41 AM, E-Mail Sent to this address will be added
 to the BlackLists Null@blacklist.anitech-systems.invalid wrote:
 
 
unruh wrote:

He has gotten himself totally confused about what his
 real job and desires are, it seems to me.

Perhaps it's something like, he needs to provide ntp to the
 pool due to really high vendor zone usage by his appliances?

Still sounds like two machines would be better than one.

 
 
 Both are important for us. I can conclude from all the responses that there
 is no out-of-the-box solution for the same. I need to have separate OS
 (or zone).

 Look into changeroot prisons.
 Some (Linux) distributions already run ntpd in a change rooted prison.
 Should be easy to adapt that to a dual setup.

This isolates only the filesystem, not the network sockets.
He described a problem with the sharing of the network sockets.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-07 Thread Uwe Klein

Rob wrote:

Uwe Klein u...@klein-habertwedt.de wrote:


Abu Abdullah wrote:


On Thu, Mar 7, 2013 at 12:41 AM, E-Mail Sent to this address will be added
to the BlackLists Null@blacklist.anitech-systems.invalid wrote:




unruh wrote:



He has gotten himself totally confused about what his
real job and desires are, it seems to me.


Perhaps it's something like, he needs to provide ntp to the
pool due to really high vendor zone usage by his appliances?

Still sounds like two machines would be better than one.




Both are important for us. I can conclude from all the responses that there
is no out-of-the-box solution for the same. I need to have separate OS
(or zone).


Look into changeroot prisons.
Some (Linux) distributions already run ntpd in a change rooted prison.
Should be easy to adapt that to a dual setup.



This isolates only the filesystem, not the network sockets.
He described a problem with the sharing of the network sockets.


Is there an uncircumventable need to share?

I would add a set of IPs to the loopback or link-local interface.
Have instance A of ntp use 169.254.0.22
Have instance B of ntp use 169.254.0.44
as access to a common network.

voila?

uwe

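The socket-sharing concern raised in the messages above can be checked on a running host. The following is an added example, not part of any poster's message: it parses `ss -H -ulnp` output and reports UDP port 123 binds that are wildcard or held by more than one process. The sample listing, PIDs and function names are constructed for illustration; the two 169.254.0.x addresses are the ones proposed above.

```python
"""Audit which processes own UDP port 123, from `ss -H -ulnp` output."""
import ipaddress
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "kind address pids")

# Constructed sample listing (not captured from a real host). PIDs 811 and 977
# stand for the two ntpd instances of the thread.
SAMPLE_SS = """\
UNCONN 0 0 169.254.0.22:123 0.0.0.0:* users:(("ntpd",pid=811,fd=17))
UNCONN 0 0 127.0.0.1:123 0.0.0.0:* users:(("ntpd",pid=811,fd=16))
UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=811,fd=15))
UNCONN 0 0 169.254.0.44:123 0.0.0.0:* users:(("ntpd",pid=977,fd=17))
UNCONN 0 0 127.0.0.1:123 0.0.0.0:* users:(("ntpd",pid=977,fd=16))
UNCONN 0 0 [::1]:123 [::]:* users:(("ntpd",pid=977,fd=18))
UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=402,fd=6))
"""

# A local endpoint is the first token of the form <address>:<numeric port>.
LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
USER_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def normalise(addr):
    """Canonical address string; '*' is ss's any-family wildcard."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface scope and brackets
    if addr == "*":
        return "*"
    return str(ipaddress.ip_address(addr))  # raises ValueError on garbage


def parse_ss(text, port=123):
    """Return (pid, process name, local address) for each socket on `port`."""
    bindings = []
    for line in text.splitlines():
        local = next((m for m in map(LOCAL_RE.match, line.split()) if m), None)
        if local is None or int(local["port"]) != port:
            continue
        try:
            addr = normalise(local["addr"])
        except ValueError:
            continue  # not an address we understand; skip the line
        for user in USER_RE.finditer(line):
            bindings.append((int(user["pid"]), user["name"], addr))
    return bindings


def audit(text, port=123):
    """Flag wildcard binds and addresses owned by more than one process."""
    owners = defaultdict(set)
    for pid, _name, addr in parse_ss(text, port):
        owners[addr].add(pid)
    findings = []
    for addr in sorted(owners):
        pids = tuple(sorted(owners[addr]))
        if addr == "*" or ipaddress.ip_address(addr).is_unspecified:
            # This instance answers on every interface, public ones included.
            findings.append(Finding("wildcard", addr, pids))
        elif len(pids) > 1:
            # Both instances receive traffic for the same address.
            findings.append(Finding("shared", addr, pids))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(f"{finding.kind:8} {finding.address:12} pids={finding.pids}")
```

Run `ss` as root so that `-p` can show the owning process of every socket.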


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-06 Thread Rob
unruh un...@invalid.ca wrote:
 On 2013-03-05, Rob nom...@example.com wrote:
 unruh un...@invalid.ca wrote:
 On 2013-03-05, Rob nom...@example.com wrote:
 David Woolley david@ex.djwhome.demon.invalid wrote:
 Abu Abdullah wrote:

 
 Does this mean ntpd is not supposed to be run in parallel? Is there any

 It is not seen as something anyone would want to do.

 I could understand why someone would want to run one instance that
 controls the clock, and another instance that only serves time to
 clients on the (inter)net and cannot control the clock.

 You could? I cannot. ntpd both controls the clock and serves time. Why
 would you want to split those?

 Because the users of the clock service may be able to disturb that
 service, e.g. by overloading it, by making it crash sending it invalid
 requests, etc.  Some people may consider the service to keep their own
 clock correct to be more important than the service to tell time to
 others.

 Seeing the reply that the OP posted in the meantime, I was not too far
 off.  He wants a separation between the internal use of NTP to sync
 the local and other important systems, from the service to give time
 to others.

 I think it is a reasonable wish.  Certainly not something that nobody
 would want to do.

 Well, I would just put the outside service onto some inconsequential
 machine at a higher stratum and have it read time from an inside server. 
 If you are worried about someone crashing it, you do not want it to be
 on the same machine, since that crash is liable not to crash ntpd but
 the whole machine anyway. 

 Ie do not run them on the same machine if that is your worry.

He has only one machine.
Running separate processes on a single machine, where you can set different
resource limits for the processes, is better than doing everything in
a single process.

Maybe best for him is to use virtualization and run all the public services
in the virtual machine.  Hacking a virtual machine is another step beyond
disturbing an ntp process.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-06 Thread Abu Abdullah

 Maybe best for him is to use virtualization and run all the public services
 in the virtual machine.  Hacking a virtual machine is another step beyond
 disturbing an ntp process.


I hope I can avoid this option.


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-06 Thread Brian Utterback

On 3/5/2013 11:25 PM, Abu Abdullah wrote:


On Tue, Mar 5, 2013 at 11:18 PM, Brian Utterback 
brian.utterb...@oracle.com wrote:


Based on what is being requested, I can suggest one way to
accomplish it, but it involves using an OS feature, rather than
using an NTP feature.

If it is feasible to run Oracle Solaris on the system in question,
you could use the Solaris Zones feature to do what you want. You
could have one instance of ntpd running in one zone with one set
of interfaces which controls the system clock and have another
instance in a separate zone configured with the other set of
interfaces configured with the LOCAL refclock only so it never
tries to change the clock, but will instead serve time only. There
is an interlock mechanism in the ntpd configuration on Solaris to
prevent ntpd from running in a zone but there is an override to
the interlock if you really want to do it and you know what you
are doing.

Just a thought.


Thanks Brian, we are using RedHat so I think the equivalent is KVM but 
right now I'm trying to find if there is an easier way.


Zones are easier to use and lighter weight than KVM (single kernel image 
with zones), but if you need to use Red Hat then the KVM may be the 
closest equivalent.


Brian.


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-06 Thread Jonatan Walck

On 2013-03-06 14:20, Brian Utterback wrote:
 On 3/5/2013 11:25 PM, Abu Abdullah wrote:
 Thanks Brian, we are using RedHat so I think the equivalent is KVM
 but right now I'm trying to find if there is an easier way.
 
 Zones are easier to use and lighter weight than KVM (single kernel
 image with zones), but if you need to use Red Hat then the KVM may
 be the closest equivalent.
 
 Brian.

The closest equivalent under Linux-based systems like Red Hat would be
LXC, OpenVZ or vservers, not KVM. LXC being the newest option and the
only one in the mainline kernel.

I haven't explored a solution to this problem further but LXC on Linux
or Zones on SunOS is one way to partition the machine further while
still avoiding virtualization, possibly useful with NTPd. The
disclaimer being that I haven't tried NTPd inside either of them,
always running it on the hypervisor on Linux or the global zone on
Solaris.

// jwalck



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-06 Thread unruh
On 2013-03-06, Rob nom...@example.com wrote:
 unruh un...@invalid.ca wrote:
 On 2013-03-05, Rob nom...@example.com wrote:
 unruh un...@invalid.ca wrote:
 On 2013-03-05, Rob nom...@example.com wrote:
 David Woolley david@ex.djwhome.demon.invalid wrote:
 Abu Abdullah wrote:

 
 Does this mean ntpd is not supposed to be run in parallel? Is there any

 It is not seen as something anyone would want to do.

 I could understand why someone would want to run one instance that
 controls the clock, and another instance that only serves time to
 clients on the (inter)net and cannot control the clock.

 You could? I cannot. ntpd both controls the clock and serves time. Why
 would you want to split those?

 Because the users of the clock service may be able to disturb that
 service, e.g. by overloading it, by making it crash sending it invalid
 requests, etc.  Some people may consider the service to keep their own
 clock correct to be more important than the service to tell time to
 others.

 Seeing the reply that the OP posted in the meantime, I was not too far
 off.  He wants a separation between the internal use of NTP to sync
 the local and other important systems, from the service to give time
 to others.

 I think it is a reasonable wish.  Certainly not something that nobody
 would want to do.

 Well, I would just put the outside service onto some inconsequential
 machine at a higher stratum and have it read time from an inside server. 
 If you are worried about someone crashing it, you do not want it to be
 on the same machine, since that crash is liable not to crash ntpd but
 the whole machine anyway. 

 Ie do not run them on the same machine if that is your worry.

 He has only one machine.
 Running separate processes on a single machine, where you can set different
 resource limits for the processes, is better than doing everything in
 a single process.

 Maybe best for him is to use virtualization and run all the public services
 in the virtual machine.  Hacking a virtual machine is another step beyond
 disturbing an ntp process.

He needs to figure out what his priorities are. I suspect it is
providing time to the internal machines. That is what he should
concentrate on. That is his business. Providing time to the rest of the
world (eg via the pool I assume) is a secondary job, and in fact is
probably not part of the job at all. He does NOT have just one machine.
He is providing time to other machines which means he has more than one. 

He should NOT be running a public server on a machine which is critical
to his business. That should be run on machines that do not matter, for
all the reasons that have been stated. If he does not have a spare
machine, he should not be providing time to the public. If there MUST be
a public machine because some of his company's machines cannot use the
internal time server, he should set up a firewall to only accept those
IP addresses. 

He has gotten himself totally confused about what his real job and
desires are, it seems to me. 



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-06 Thread E-Mail Sent to this address will be added to the BlackLists
unruh wrote:
 He has gotten himself totally confused about what his
  real job and desires are, it seems to me.

Perhaps it's something like, he needs to provide ntp to the
 pool due to really high vendor zone usage by his appliances?

Still sounds like two machines would be better than one.

-- 
E-Mail Sent to this address blackl...@anitech-systems.com
  will be added to the BlackLists.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-06 Thread Abu Abdullah
On Thu, Mar 7, 2013 at 12:41 AM, E-Mail Sent to this address will be added
to the BlackLists Null@blacklist.anitech-systems.invalid wrote:

 unruh wrote:
  He has gotten himself totally confused about what his
   real job and desires are, it seems to me.

 Perhaps it's something like, he needs to provide ntp to the
  pool due to really high vendor zone usage by his appliances?

 Still sounds like two machines would be better than one.


Both are important for us. I can conclude from all the responses that there
is no out-of-the-box solution for the same. I need to have separate OS
(or zone).


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread David Woolley

Abu Abdullah wrote:



Does this mean ntpd is not supposed to be run in parallel? Is there any


It is not seen as something anyone would want to do.


option to disable adjusting the system clock?


I believe there is, but that instance would become a pure server.  The 
time that ntpd serves is always that in the local system clock.


As someone already said, you need to explain the overall goal, not the 
particular step that you think might achieve it.





Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Rob
David Woolley david@ex.djwhome.demon.invalid wrote:
 Abu Abdullah wrote:

 
 Does this mean ntpd is not supposed to be run in parallel? Is there any

 It is not seen as something anyone would want to do.

I could understand why someone would want to run one instance that
controls the clock, and another instance that only serves time to
clients on the (inter)net and cannot control the clock.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Abu Abdullah

 option to disable adjusting the system clock?


 I believe there is, but that instance would become a pure server.  The
 time that ntpd serves is always that in the local system clock.


I would appreciate if you can provide it so at least I can get rid of these
warnings.



 As someone already said, you need to explain the overall goal, not the
 particular step that you think might achieve it.


We have a requirement for NTP service for two different networks: public
(not important, can have outages), private (important). We are trying to
have a separate process for each network in case high load comes from the
public domain (or for any security issue). We will have more control on the
public NTP where we can set the resources for it at the OS level. In
addition, at any point of time we can migrate the private NTP to a
dedicated machine (currently we have only one machine) once the hardware is
not capable to handle both. In this case we will not have to change the NTP
IPs in the clients configurations (private).


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Joe Gwinn
In article
CAD678-DQ-nMVJP5EPsb+0i699S_VrDsB2yzNkE4c=Btv=ny...@mail.gmail.com,
Abu Abdullah falcon.sh...@gmail.com wrote:

 
  option to disable adjusting the system clock?
 
 
  I believe there is, but that instance would become a pure server.  The
  time that ntpd serves is always that in the local system clock.
 
 
 I would appreciate if you can provide it so at least i can get rid of these
 warnings.
 
 
 
  As someone already said, you need to explain the overall goal, not the
  particular step that you think might achieve it.
 
 
 We have a requirement for NTP service for two different networks: public
 (not important, can have outages), private (important). we are trying to
 have separate process for each network in case high load come from the
 public domain (or for any security issue). We will have more control on the
 public NTP where we can set the resources for it at the OS level. in
 addition, at any point of time we can migrate the private NTP to a
 dedicated machine (currently we have only one machine) once the hardware is
 not capable to handle both. In this case we will not have to change the NTP
 IPs in the clients configurations (private).

Be aware that if the hope is that the private network be immune to
hacking from the public network, or immune to leakage of information
from private to public, there cannot be a computer common to both
networks.  

There are hardware solutions to this dilemma, specifically GPS
receivers with built-in isolated NTP servers, each server with its own
dedicated  ethernet port.

Joe Gwinn



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread E-Mail Sent to this address will be added to the BlackLists
Abu Abdullah wrote:
 BlackLists wrote:
 Abu Abdullah wrote:
 I tried running multiple instances with the following
  configuration to avoid listening to the same local
  interface by the two instances:
 interface ignore lo

 lo0 ?

 loopback address, but it seems it only disables lo on ipv6.
 I'm not sure if the ipv4 localhost is hardcoded into ntpd.

Yes, I meant try interface ignore lo0
 instead of interface ignore lo.

For that matter try interface ignore ipv4?


What version of ntpd are you running 4.2.7p359?


BTW, I think you are chasing a lost cause.

-- 
E-Mail Sent to this address blackl...@anitech-systems.com
  will be added to the BlackLists.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread E-Mail Sent to this address will be added to the BlackLists
Abu Abdullah wrote:
 In this case we will not have to change the NTP
  IPs in the clients configurations (private).

Use names, instead of IPs?


-- 
E-Mail Sent to this address blackl...@anitech-systems.com
  will be added to the BlackLists.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread unruh
On 2013-03-05, Rob nom...@example.com wrote:
 David Woolley david@ex.djwhome.demon.invalid wrote:
 Abu Abdullah wrote:

 
 Does this mean ntpd is not supposed to be run in parallel? Is there any

 It is not seen as something anyone would want to do.

 I could understand why someone would want to run one instance that
 controls the clock, and another instance that only serves time to
 clients on the (inter)net and cannot control the clock.

You could? I cannot. ntpd both controls the clock and serves time. Why
would you want to split those?



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread unruh
On 2013-03-05, Abu Abdullah falcon.sh...@gmail.com wrote:
 On Mon, Mar 4, 2013 at 11:12 PM, E-Mail Sent to this address will be added
 to the BlackLists Null@blacklist.anitech-systems.invalid wrote:

 Abu Abdullah wrote:
  I'm trying to run two instances of ntp

 They are going to fight each other to discipline the system clock?


 Does this mean ntpd is not supposed to be run in parallel? Is there any
 option to disable adjusting the system clock?

Yes. It does mean that.
You seem to have gotten yourself confused. What are you trying to
accomplish?





   each with different interface.
I want to have instance for each network.

Why?

  I tried running multiple instances with the following
   configuration to avoid listening to the same local
   interface by the two instances:
  interface ignore lo

 lo0 ?


 loopback address, but it seems it only disables lo on ipv6. I'm not sure if
 the ipv4 localhost is hardcoded into ntpd.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Abu Abdullah

 Be aware that if the hope is that the private network be immune to
 hacking from the public network, or immune to leakage of information
 from private to public, there cannot be a computer common to both
 networks.

 There are hardware solutions to this dilemma, specifically GPS
 receivers with built-in isolated NTP servers, each server with its own
 dedicated  ethernet port.


I understand this but at least we need to utilize the hardware at this
point of time until we reach a conclusion of using another hardware.


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Abu Abdullah

 Yes, I meant try interface ignore lo0
  instead of interface ignore lo.

 For that matter try interface ignore ipv4?



I will try this




 What version of ntpd are you running 4.2.7p359?


Not this one. I'm not on the machine now but it was the latest code one
week back, maybe 4.2.7p357



 BTW, I think you are chasing a lost cause.



From the responses I start to think that this scenario is not supposed to
be implemented and I'm trying to figure out why (and to find another
solution).


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Abu Abdullah
 
each with different interface.
 I want to have instance for each network.

 Why?


mentioned it before



 We have a requirement for NTP service for two different networks: public
 (not important, can have outages), private (important). we are trying to
 have separate process for each network in case high load come from the
 public domain (or for any security issue). We will have more control on the
 public NTP where we can set the resources for it at the OS level. in
 addition, at any point of time we can migrate the private NTP to a
 dedicated machine (currently we have only one machine) once the hardware is
 not capable to handle both. In this case we will not have to change the NTP
 IPs in the clients configurations (private).




Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread E-Mail Sent to this address will be added to the BlackLists
On 3/5/2013 9:37 AM, unruh wrote:
 ntpd both controls the clock and serves time.
 Why would you want to split those?

Because they want to do funny things with the service,
 like serve time with an offset,
 while keeping the local machine as close to UTC as possible?

I've had many people ask me about that, as they'd like to
 try exploits on those that don't have enough Byzantine Generals.

-- 
E-Mail Sent to this address blackl...@anitech-systems.com
  will be added to the BlackLists.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Rob
unruh un...@invalid.ca wrote:
 On 2013-03-05, Rob nom...@example.com wrote:
 David Woolley david@ex.djwhome.demon.invalid wrote:
 Abu Abdullah wrote:

 
 Does this mean ntpd is not supposed to be run in parallel? Is there any

 It is not seen as something anyone would want to do.

 I could understand why someone would want to run one instance that
 controls the clock, and another instance that only serves time to
 clients on the (inter)net and cannot control the clock.

 You could? I cannot. ntpd both controls the clock and serves time. Why
 would you want to split those?

Because the users of the clock service may be able to disturb that
service, e.g. by overloading it, by making it crash sending it invalid
requests, etc.  Some people may consider the service to keep their own
clock correct to be more important than the service to tell time to
others.

Seeing the reply that the OP posted in the meantime, I was not too far
off.  He wants a separation between the internal use of NTP to sync
the local and other important systems, from the service to give time
to others.

I think it is a reasonable wish.  Certainly not something that nobody
would want to do.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Brian Utterback
Based on what is being requested, I can suggest one way to accomplish 
it, but it involves using an OS feature, rather than using an NTP feature.


If it is feasible to run Oracle Solaris on the system in question, you 
could use the Solaris Zones feature to do what you want. You could have 
one instance of ntpd running in one zone with one set of interfaces 
which controls the system clock and have another instance in a separate 
zone configured with the other set of interfaces configured with the 
LOCAL refclock only so it never tries to change the clock, but will 
instead serve time only. There is an interlock mechanism in the ntpd 
configuration on Solaris to prevent ntpd from running in a zone but 
there is an override to the interlock if you really want to do it and 
you know what you are doing.


Just a thought.

On 3/5/2013 1:07 PM, Abu Abdullah wrote:

  each with different interface.
   I want to have instance for each network.

Why?


mentioned it before




We have a requirement for NTP service for two different networks: public
(not important, can have outages), private (important). we are trying to
have separate process for each network in case high load come from the
public domain (or for any security issue). We will have more control on the
public NTP where we can set the resources for it at the OS level. in
addition, at any point of time we can migrate the private NTP to a
dedicated machine (currently we have only one machine) once the hardware is
not capable to handle both. In this case we will not have to change the NTP
IPs in the clients configurations (private).





Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread E-Mail Sent to this address will be added to the BlackLists
Abu Abdullah wrote:
 from the responses i start to think that this scenario
  is not supposed to be implemented and I'm trying to figure
  out why (and to find another solution).

Why?  Because it's not what 99.% do with ntpd.

IIRC, www.cubinlab.ee.unimelb.edu.au/radclock/ advertises
 that it does something like I'm guessing you're looking for?


-- 
E-Mail Sent to this address blackl...@anitech-systems.com
  will be added to the BlackLists.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread David Woolley

Rob wrote:



I could understand why someone would want to run one instance that
controls the clock, and another instance that only serves time to
clients on the (inter)net and cannot control the clock.


One would normally simply set suitable access restrictions for un-named 
clients.  I think the defaults are probably adequate.




Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread David Woolley

Richard B. Gilbert wrote:



The two NTP processes cannot serve identical times; there will be
a difference between the two instances!


They will both serve the same time, which is the time in the local 
system clock.





Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Richard B. Gilbert

On 3/4/2013 11:13 PM, Abu Abdullah wrote:

On Mon, Mar 4, 2013 at 11:12 PM, E-Mail Sent to this address will be added
to the BlackLists Null@blacklist.anitech-systems.invalid wrote:


Abu Abdullah wrote:

I'm trying to run two instances of ntp




What problem are you trying to solve?

The two NTP processes cannot serve identical times; there will be
a difference between the two instances!

They are going to fight each other to discipline the system clock?


Quite probably!

snip




Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread David Woolley

Abu Abdullah wrote:

option to disable adjusting the system clock?
I believe there is, but that instance would become a pure server.  The
time that ntpd serves is always that in the local system clock.



I would appreciate if you can provide it so at least i can get rid of these
warnings.


Thinking more clearly, you actually have to go out of your way before 
ntpd will accept times from anyone.  You just need the local clock 
driver to prevent the root dispersion tending to infinity.  You might need 
to disable the kernel time discipline.


However your warnings are not about conflicts for the local clock.




As someone already said, you need to explain the overall goal, not the
particular step that you think might achieve it.



We have a requirement for NTP service for two different networks: public
(not important, can have outages), private (important). We are trying to
have a separate process for each network in case high load comes from the
public domain (or for any security issue). We will have more control on the
public NTP where we can set the resources for it at the OS level. In


ntpd uses very few processor resources, and most of what it uses are 
when operating in client or peer mode; as a server it pretty much just 
reads the local system clock and bounces the packet back.  If you are 
overloaded, it is the network card that will suffer.



addition, at any point of time we can migrate the private NTP to a
dedicated machine (currently we have only one machine) once the hardware is
not capable to handle both. In this case we will not have to change the NTP
IPs in the clients configurations (private).




Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Rob
David Woolley david@ex.djwhome.demon.invalid wrote:
 Rob wrote:

 
 I could understand why someone would want to run one instance that
 controls the clock, and another instance that only serves time to
 clients on the (inter)net and cannot control the clock.

 One would normally simply set suitable access restrictions for un-named 
 clients.  I think the defaults are probably adequate.

The point is that it is not important what you (and unruh) think.

Here on the newsgroup the answer to all questions is always you don't
want to do that or this is not possible and that is right.

This usually without considering the situation of the poster in more
detail, and often with information that dates from the distant past.

Today the handling of internet traffic is different from set access
restrictions in the program.  You need to consider situations where
the program is faulty and does not handle access restrictions correctly,
or external users find other ways of disturbing systems that the
system designer has never thought about.

Denying that is foolish.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread unruh
On 2013-03-05, Rob nom...@example.com wrote:
 unruh un...@invalid.ca wrote:
 On 2013-03-05, Rob nom...@example.com wrote:
 David Woolley david@ex.djwhome.demon.invalid wrote:
 Abu Abdullah wrote:

 
 Does this mean ntpd is not supposed to be run in parallel? Is there any

 It is not seen as something anyone would want to do.

 I could understand why someone would want to run one instance that
 controls the clock, and another instance that only serves time to
 clients on the (inter)net and cannot control the clock.

 You could? I cannot. ntpd both controls the clock and serves time. Why
 would you want to split those?

 Because the users of the clock service may be able to disturb that
 service, e.g. by overloading it, by making it crash sending it invalid
 requests, etc.  Some people may consider the service to keep their own
 clock correct to be more important than the service to tell time to
 others.

 Seeing the reply that the OP posted in the meantime, I was not too far
 off.  He wants a separation between the internal use of NTP to sync
 the local and other important systems, from the service to give time
 to others.

 I think it is a reasonable wish.  Certainly not something that nobody
 would want to do.

Well, I would just put the outside service onto some inconsequential
machine at a higher stratum and have it read time from an inside server. 
If you are worried about someone crashing it, you do not want it to be
on the same machine, since that crash is liable not to crash ntpd but
the whole machine anyway. 

I.e., do not run them on the same machine if that is your worry.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread unruh
On 2013-03-05, Rob nom...@example.com wrote:
 David Woolley david@ex.djwhome.demon.invalid wrote:
 Rob wrote:

 
 I could understand why someone would want to run one instance that
 controls the clock, and another instance that only serves time to
 clients on the (inter)net and cannot control the clock.

 One would normally simply set suitable access restrictions for un-named 
 clients.  I think the defaults are probably adequate.

 The point is that it is not important what you (and unruh) think.

 Here on the newsgroup the answer to all questions is always you don't
 want to do that or this is not possible and that is right.

The point is that he has a problem he wants to solve. He is telling us
what his solution is and saying it does not seem to work, without
telling us what the problem is. We are telling him that if we knew the
problem, we might be able to offer solutions he had not thought of. 


 This usually without considering the situation of the poster in more
 detail, and often with information that dates from the distant past.

So that is why we ask for more detail. 


 Today the handling of internet traffic is different from set access
 restrictions in the program.  You need to consider situations where
 the program is faulty and does not handle access restrictions correctly,
 or external users find other ways of disturbing systems that the
 system designer has never thought about.

Yes, but if that is the worry, then he should not be running a public
service at all on his mission critical machine. Doing that is stupid for
precisely the reasons you list. 



 Denying that is foolish.

No one is denying it.  What we are commenting on is his solution to an
unknown problem.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Mike S

On 3/5/2013 4:59 PM, Rob wrote:

This usually without considering the situation of the poster in more
detail, and often with information that dates from the distant past.


SYNTAX ERROR.


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Mike S

On 3/5/2013 4:41 PM, Richard B. Gilbert wrote:

The two NTP processes cannot serve identical times; there will be
a difference between the two instances!


A single instance (on a single interface) can't (or more properly, 
won't) serve identical times, since requests by nature occur at 
different times. Conversely, with multiple interfaces, identical times 
might be served by either single or multiple instances, depending on the 
relative timing of the incoming requests.




Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Abu Abdullah
On Tue, Mar 5, 2013 at 11:18 PM, Brian Utterback brian.utterb...@oracle.com
 wrote:

 Based on what is being requested, I can suggest one way to accomplish it,
 but it involves using an OS feature, rather than using an NTP feature.

 If it is feasible to run Oracle Solaris on the system in question, you
 could use the Solaris Zones feature to do what you want. You could have one
 instance of ntpd running in one zone with one set of interfaces which
 controls the system clock and have another instance in a separate zone
 configured with the other set of interfaces configured with the LOCAL
 refclock only so it never tries to change the clock, but will instead serve
 time only. There is an interlock mechanism in the ntpd configuration on
 Solaris to prevent ntpd from running in a zone but there is an override to
 the interlock if you really want to do it and you know what you are doing.

 Just a thought.


Thanks Brian, we are using RedHat so I think the equivalent is KVM but right
now I'm trying to find if there is an easier way.


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-05 Thread Abu Abdullah
  In this case we will not have to change the NTP
   IPs in the clients configurations (private).

 Use names, instead of IPs?


My mistake, in all cases we will not need to change the IP since we can
connect the private domain through a different IP than the public one.


[ntp:questions] multiple instances of NTP on different interfaces

2013-03-04 Thread Abu Abdullah
Hi,

I'm trying to run two instances of ntp, each with a different interface. I
want to have an instance for each network. I tried running multiple instances
with the following configuration to avoid listening to the same local
interface by the two instances:

interface ignore lo
interface ignore wildcard
interface ignore all
interface listen interface

Still I'm receiving:

ntpd[2382]: bind(16) AF_INET 127.0.0.1#123 flags 0x5 failed: Address
already in use
ntpd[2382]: unable to create socket on lo (0) for 127.0.0.1#123
ntpd[2382]: failed to init interface for address 127.0.0.1



Please advise.
Does ntp support running multiple instances on different interfaces?
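
The "Address already in use" lines in the post above are what the kernel returns when a second process binds a UDP address and port that another process still holds. The following is an added example, not part of the original post and not ntpd code; it assumes Linux loopback behaviour and uses a kernel-chosen unprivileged port as a constructed stand-in for UDP port 123.

```python
import errno
import socket


def bind_udp(addr, port=0):
    """Open a UDP socket and bind it to one listen address, as a time daemon does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, port))
    except OSError:
        sock.close()
        raise
    return sock


def second_bind_errno(first_addr, second_addr):
    """Bind first_addr, then try second_addr on the same port.

    Returns None when both binds succeed, otherwise the errno of the second.
    """
    first = bind_udp(first_addr)      # "instance 1"; kernel picks a free port
    port = first.getsockname()[1]     # constructed stand-in for UDP port 123
    try:
        bind_udp(second_addr, port).close()
        return None
    except OSError as exc:
        return exc.errno
    finally:
        first.close()


def describe(first_addr, second_addr):
    """Human-readable outcome of the second bind: "ok" or the errno name."""
    err = second_bind_errno(first_addr, second_addr)
    return "ok" if err is None else errno.errorcode.get(err, str(err))


if __name__ == "__main__":
    # Same loopback address in both instances: the failure in the quoted log.
    print("127.0.0.1 then 127.0.0.1:", describe("127.0.0.1", "127.0.0.1"))
    # A wildcard listener overlaps every specific address on that port.
    print("127.0.0.1 then 0.0.0.0  :", describe("127.0.0.1", "0.0.0.0"))
    # Distinct addresses do not collide (all of 127.0.0.0/8 is local on Linux).
    print("127.0.0.1 then 127.0.0.2:", describe("127.0.0.1", "127.0.0.2"))
```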


Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-04 Thread E-Mail Sent to this address will be added to the BlackLists
Abu Abdullah wrote:
 I'm trying to run two instances of ntp

They are going to fight each other to discipline the system clock?

  each with different interface.
   I want to have instance for each network.
 I tried running multiple instances with the following
  configuration to avoid listening to the same local
  interface by the two instances:
 interface ignore lo

lo0 ?

-- 
E-Mail Sent to this address blackl...@anitech-systems.com
  will be added to the BlackLists.



Re: [ntp:questions] multiple instances of NTP on different interfaces

2013-03-04 Thread Abu Abdullah
On Mon, Mar 4, 2013 at 11:12 PM, E-Mail Sent to this address will be added
to the BlackLists Null@blacklist.anitech-systems.invalid wrote:

 Abu Abdullah wrote:
  I'm trying to run two instances of ntp

 They are going to fight each other to discipline the system clock?


Does this mean ntpd is not supposed to be run in parallel? Is there any
option to disable adjusting the system clock?




   each with different interface.
I want to have instance for each network.
  I tried running multiple instances with the following
   configuration to avoid listening to the same local
   interface by the two instances:
  interface ignore lo

 lo0 ?


loopback address, but it seems it only disables lo on ipv6. I'm not sure if
the ipv4 localhost is hardcoded into ntpd.