Univention Bugzilla – Bug 47939
Replace ntpd by chrony (or systemd-timesyncd) [on Memberservers only]
Last modified: 2024-03-15 19:14:26 CET
We should consider replacing ntpd by chrony: https://chrony.tuxfamily.org/faq.html#_how_does_code_chrony_code_compare_to_code_ntpd_code
What about enabling the "timesyncd" provided by systemd (/etc/systemd/timesyncd.conf)? For member servers it should be suitable, and it has less overhead than ntpd. The file can easily be filled with ucr variables.
*** Bug 49270 has been marked as a duplicate of this bug. ***
NTP is stable and serves our purpose. It also provides the signed NTP service for Windows clients, which I have not checked the alternatives for.
systemd-timesyncd should be sufficient for member servers, not for DCs, especially not for samba4 DCs.
Any new hints here? Recently I tried to remove ntp and install systemd-timesyncd and got lots of removed packages due to reverse dependencies:

ntp → univention-role-server-common → univention-server-master|backup|slave|member → univention-bind → univention-role-common → univention-appcenter → univention-appcenter-docker

Unfortunately setting "ucr set ntp/autostart=no" does not work because systemd-timesyncd won't install as long as ntp is installed, regardless of whether it is running or not. @Arvid: Do you have experience with chrony? Same behavior?
I adjusted the subject of the bug to reflect the modified target of the discussion.
There's a discussion in Debian <https://lists.debian.org/debian-devel/2022/01/msg00172.html> on the future of src:ntp, which is in no good state. There's a more secure successor <https://docs.ntpsec.org/>, which is a 99% drop-in replacement <https://docs.ntpsec.org/latest/ntpsec.html#incompatible>. Debian 11 Bookworm will probably switch to it. RedHat already switched Fedora to it: <https://fedoraproject.org/wiki/Changes/NtpReplacement>

There's an old security comparison of ntp, NTPsec and chrony by LF from 2017: <https://www.coreinfrastructure.org/blogs/securing-network-time/> Chrony wins.

systemd-timesyncd only implements the SNTP protocol (RFC4330) in client mode, NOT the full NTPv4 protocol (RFC5905).

Looking at the original comparison now at <https://chrony.tuxfamily.org/comparison.html>, Chrony looks like the clear winner for now as it supports both server and client. It also can be combined with Samba for signed NTP: <https://wiki.samba.org/index.php/Time_Synchronisation#With_chrony>

Chrony also supports PTP-KVM, which makes it ideal for VMs: <https://opensource.com/article/17/6/timekeeping-linux-vms> (requires Linux-4.11 on the host; UCS-4.4 only has 4.9)
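Added example, not from the bug report, the chrony project or the Samba wiki: a minimal /etc/chrony/chrony.conf for a Samba AD DC that answers Windows domain members with signed MS-SNTP replies, the feature the earlier ntpd comment was unsure the alternatives provide. The pool hostname and client subnet are placeholders, and the socket path assumes Debian's default for Samba's `ntp signd socket directory` and the `_chrony` service user.

```conf
# Added example: /etc/chrony/chrony.conf on a Samba AD DC (not UCS project code).

# Upstream sources (placeholder pool); iburst shortens initial synchronisation.
pool 0.pool.ntp.org iburst

# Step the clock for offsets above 1 s, but only during the first three updates.
makestep 1.0 3

# Only domain clients may query this server (subnet is a placeholder).
allow 10.20.0.0/16

# Keep answering clients if upstream is unreachable, at a low-trust stratum,
# so domain members keep a consistent time reference during an outage.
local stratum 10

# Samba's ntp_signd socket directory. chronyd hands MS-SNTP requests to Samba,
# which signs the reply with the requesting machine account's key.
# Assumed Debian default (smb.conf "ntp signd socket directory").
# The directory must be accessible to the chrony user, e.g.:
#   chgrp _chrony /var/lib/samba/ntp_signd && chmod 750 /var/lib/samba/ntp_signd
# chronyd must be built with MS-SNTP support (+SIGND in `chronyd --version`);
# systemd-timesyncd cannot do this at all, being an SNTP client only.
ntpsigndsocket /var/lib/samba/ntp_signd
```

After restarting chronyd, `chronyc sources -v` confirms upstream reachability; socket permissions are what most often breaks signing, so check `ls -ld /var/lib/samba/ntp_signd` if Windows clients reject the time.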