From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: Migrating from ntp to chrony - challenge
Date: Thu, 17 Jun 2021 23:41:42 +0200
Message-ID: <1963afb8-1c7e-5670-21f4-dea30f59956d@ipfire.org>
In-Reply-To: <3C7671DC-C106-4FDE-9194-557DD46A857C@gmail.com>

Hi Jon,

On 17/06/2021 21:05, Jon Murphy wrote:
> Here was the website I came across. Sorry I did not reference this before...
>
> "
>
> 14.1.2. Choosing Between NTP Daemons
>
> * Chrony should be considered for all systems which are frequently suspended or otherwise intermittently disconnected and reconnected to a network. Mobile and virtual systems for example.
> * The NTP daemon (ntpd) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast IP, or to perform authentication of packets with the Autokey protocol, should consider using ntpd. Chrony only supports symmetric key authentication using a message authentication code (MAC) with MD5, SHA1 or stronger hash functions, whereas ntpd also supports the Autokey authentication protocol which can make use of the PKI system. Autokey is described in RFC 5906.
>
> "
> From:
> https://docs.fedoraproject.org/en-US/Fedora/24/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
>

You can also look at the chrony website
https://chrony.tuxfamily.org/index.html
https://chrony.tuxfamily.org/comparison.html

> I am guessing we don't do autokey!
>

No we don't. See this article from 2015 about autokey, and it's now 2021.
https://www.nwtime.org/network-time-security-nts-replacing-autokey/

Regards,
Adolf

> Jon
>
>> On Jun 17, 2021, at 11:23 AM, Michael Tremer wrote:
>>
>> Hello,
>>
>>> On 17 Jun 2021, at 16:26, Jon Murphy wrote:
>>>
>>> I'd like to challenge!
>>>
>>> (This post was recently moved from the IPFire Community to the Development Mailing List)
>>> I saw this in the agenda from last week:
>>>
>>> [image: Screen Shot 2021-06-16 at 11.42.49 AM]
>>>
>>> I thought chrony was more for desktops & laptops. Devices that power down and might have a big time jump. And NTP was more for servers or devices that run full-time.
>>
>> Yeah, I suppose that was true. Chrony used to be a client only, so it could not share its time with the network. That functionality was however added and it can also read from local time sources now.
>>
>> I would say that they can be used interchangeably today. Some obscure features might be missing from chrony, but it should absolutely cover our use case.
>>
>>> The current NTP in IPFire can be easily changed from polling (once per hour / once per day) to non-polling by making a few simple changes to a config file:
>>>
>>> disable monitor
>>> restrict default nomodify notrap nopeer
>>> restrict 127.0.0.1
>>> server $NTP_ADDR_1 prefer
>>> server $NTP_ADDR_2
>>> server 127.127.1.0
>>> fudge 127.127.1.0 stratum 10
>>> driftfile /etc/ntp/drift
>>>
>>> $NTP_ADDR_1 and _2 are the Primary NTP server and Secondary NTP server from the https://ipfire:444/cgi-bin/time.cgi webgui page.
>>>
>>> And by changing the https://ipfire:444/cgi-bin/time.cgi Synchronization to Manually
>>
>> This would have been useful, but the change to chrony was proposed and I would like that because ntp was full of CVEs recently, whereas chrony has a way more modern code base which hopefully is well reviewed and does not introduce anything bad.
>>
>>> Anyway, my thought is to make some changes to the current NTP service instead of implementing something new...
>>
>> So far this is an item that Peter put on his to-do list, but I am not sure if anything was done about it, yet.
>>
>> -Michael
>>
>>>
>>> Jon
>>>
>>> ---------------------------
>>>
>>> TL;DR
>>>
>>> When NTP is configured differently (Manually polling enabled) it will "correct" on its own:
>>>
>>> Oct  6 21:40:01 ipfire ntpdate: Updated drift file.  Drift is 0.000 PPM at Tue Oct  6 21:35:43 CDT 2020
>>> Oct  6 23:20:01 ipfire ntpdate: Updated drift file.  Drift is -18.986 PPM at Tue Oct  6 23:16:05 CDT 2020
>>> Oct  7 00:20:01 ipfire ntpdate: Updated drift file.  Drift is -140.863 PPM at Wed Oct  7 00:16:04 CDT 2020
>>> Oct  7 01:20:01 ipfire ntpdate: Updated drift file.  Drift is -210.676 PPM at Wed Oct  7 01:16:04 CDT 2020
>>> Oct  7 02:20:01 ipfire ntpdate: Updated drift file.  Drift is -347.531 PPM at Wed Oct  7 02:16:04 CDT 2020
>>> Oct  7 03:20:01 ipfire ntpdate: Updated drift file.  Drift is -407.147 PPM at Wed Oct  7 03:16:04 CDT 2020
>>> Oct  7 04:20:01 ipfire ntpdate: Updated drift file.  Drift is -414.606 PPM at Wed Oct  7 04:16:04 CDT 2020
>>> Oct  7 05:20:01 ipfire ntpdate: Updated drift file.  Drift is -414.826 PPM at Wed Oct  7 05:16:04 CDT 2020
>>>
>>> More info:
>>>
>>> https://community.ipfire.org/t/odd-ntp-offset-issues-continued/492
>>>
>>>
>>
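The drift-file lines Jon quotes above show the recorded frequency correction sliding from 0 to about -415 PPM within eight hours. ntpd will not slew the clock faster than 500 PPM, so a drift value creeping toward that bound is worth catching before the daemon silently stops keeping up. The following is an added monitoring example, not code from the thread or from IPFire: it parses ntpdate drift-file syslog lines and flags two conditions, a drift magnitude near the 500 PPM ceiling and a large change between consecutive samples. The sample log is the eight lines from the thread with non-breaking spaces normalized; the alert thresholds (80 % of the ceiling, 50 PPM per step) are constructed for this example, not taken from ntpd.

```python
import re
from datetime import datetime

# Constructed sample input: the eight ntpdate lines quoted in the thread,
# with the mail's non-breaking spaces normalized to plain spaces.
SAMPLE_LOG = """\
Oct  6 21:40:01 ipfire ntpdate: Updated drift file.  Drift is 0.000 PPM at Tue Oct  6 21:35:43 CDT 2020
Oct  6 23:20:01 ipfire ntpdate: Updated drift file.  Drift is -18.986 PPM at Tue Oct  6 23:16:05 CDT 2020
Oct  7 00:20:01 ipfire ntpdate: Updated drift file.  Drift is -140.863 PPM at Wed Oct  7 00:16:04 CDT 2020
Oct  7 01:20:01 ipfire ntpdate: Updated drift file.  Drift is -210.676 PPM at Wed Oct  7 01:16:04 CDT 2020
Oct  7 02:20:01 ipfire ntpdate: Updated drift file.  Drift is -347.531 PPM at Wed Oct  7 02:16:04 CDT 2020
Oct  7 03:20:01 ipfire ntpdate: Updated drift file.  Drift is -407.147 PPM at Wed Oct  7 03:16:04 CDT 2020
Oct  7 04:20:01 ipfire ntpdate: Updated drift file.  Drift is -414.606 PPM at Wed Oct  7 04:16:04 CDT 2020
Oct  7 05:20:01 ipfire ntpdate: Updated drift file.  Drift is -414.826 PPM at Wed Oct  7 05:16:04 CDT 2020
"""

# Matches the part of the line written by ntpdate; \s+ also covers the
# non-breaking spaces that mail clients insert, so raw mail text parses too.
DRIFT_RE = re.compile(
    r"ntpdate: Updated drift file\.\s+Drift is (?P<ppm>-?\d+(?:\.\d+)?) PPM at (?P<ts>.+?)\s*$"
)

# ntpd will not steer the clock faster than +/-500 PPM. A drift file creeping
# toward that bound means the daemon is about to lose the ability to keep the
# clock corrected by slewing.
NTPD_MAX_FREQ_PPM = 500.0


def parse_drift_log(text):
    """Return a list of (timestamp, drift_ppm) tuples from ntpdate syslog lines.

    Lines that are not drift-file updates are skipped, so a whole syslog
    extract can be passed in unfiltered.
    """
    entries = []
    for line in text.splitlines():
        m = DRIFT_RE.search(line)
        if not m:
            continue
        # "Tue Oct  6 21:35:43 CDT 2020": drop the zone abbreviation, which
        # strptime cannot parse portably; all samples share one zone anyway.
        day, mon, dom, clock, _zone, year = m.group("ts").split()
        ts = datetime.strptime(f"{day} {mon} {dom} {clock} {year}", "%a %b %d %H:%M:%S %Y")
        entries.append((ts, float(m.group("ppm"))))
    return entries


def check_drift(entries, limit_fraction=0.8, max_step_ppm=50.0):
    """Return alerts as (timestamp, kind, detail) tuples.

    kind == "limit": |drift| has reached limit_fraction of ntpd's 500 PPM ceiling.
    kind == "step":  drift moved more than max_step_ppm between consecutive
                     samples; a healthy oscillator does not do that hour to hour.
    Both thresholds are constructed for this example, not taken from ntpd.
    """
    alerts = []
    prev = None
    for ts, ppm in entries:
        if abs(ppm) >= limit_fraction * NTPD_MAX_FREQ_PPM:
            alerts.append((ts, "limit",
                           f"drift {ppm:+.3f} PPM near the {NTPD_MAX_FREQ_PPM:.0f} PPM ceiling"))
        if prev is not None:
            delta = ppm - prev[1]
            if abs(delta) > max_step_ppm:
                alerts.append((ts, "step",
                               f"drift changed {delta:+.3f} PPM since {prev[0]:%H:%M:%S}"))
        prev = (ts, ppm)
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in check_drift(parse_drift_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [{kind}] {detail}")
```

Run against the sample, the script raises step alerts for the four hours in which the drift fell by more than 50 PPM and limit alerts for the last three samples, which sit above 400 PPM. Feeding it a live syslog extract from cron gives an early warning that the kind of runaway drift discussed in the linked community thread is happening again, whichever daemon ends up writing the drift file.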