
yahoo-eng-team team mailing list archive

[Bug 1940899] Re: [Feature] Please support NTS for the Chrony NTP backend

 

Thanks, consider this done then.

** Changed in: cloud-init
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1940899

Title:
  [Feature] Please support NTS for the Chrony NTP backend

Status in cloud-init:
  Fix Released

Bug description:
  Hi,
  chrony has had NTS support [2] since 21.04 [1].
  There is an article [2] and an FAQ [3] by the upstream maintainer about NTS so that you know what it is about :-)

  Furthermore this is briefly documented in the server-guide [4] and to
  look at some code there is an MP to add it to the NTP charm [5].

  This is now becoming the usual chicken-and-egg case, there are not
  many NTS servers yet. But to make sense to enable servers we need more
  clients out there. Since 22.04 is coming and will be the first Ubuntu
  LTS with an NTS enabled chrony we realized that if e.g. a cloud wants
  not only to provide good time (they usually want locally for traffic
  and less deviation), but wants to do so securely. After all a lot of
  security is based on time (certificate validations for example).

  For a default setup there are certain concerns like "could an initial
  sync work if my HW starts with a 1980 clock time" (it would not), so
  you'd want to start insecure and then enable. All this is supported,
  but especially cloud-providers are in a great place. Their virtual
  clocks will initially not be "too much" off which makes it quite
  likely that NTS for them will immediately work.

  That surely is the safest setup, but for that the clouds will need the
  ability to configure NTS in chrony through cloud-init, hence this
  feature request.

  [1]: https://discourse.ubuntu.com/t/hirsute-hippo-release-notes/19221
  [2]: https://fedoramagazine.org/secure-ntp-with-nts/
  [3]: https://chrony.tuxfamily.org/faq.html#_using_nts
  [4]: https://ubuntu.com/server/docs/network-ntp
  [5]: https://code.launchpad.net/~paelzer/ntp-charm/+git/ntp-charm/+merge/404907

  P.S. We are also working on NTS enabled canonical time servers, (RT
  128750) but that has no ETA yet. But once they exist there would be
  more potential use-cases (outside of the clouds) to NTS configured via
  cloud-init.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1940899/+subscriptions


