Bug 47939 - (chrony) Replace ntpd by chrony (or systemd-timesyncd) [on Memberservers only]
Status: NEW
Product: UCS
Classification: Unclassified
Component: NTP
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal with 2 votes
Assigned To: UCS maintainers
Duplicates: 49270
Blocks: 51498
Reported: 2018-10-09 20:44 CEST by Arvid Requate
Modified: 2024-03-15 19:14 CET
What kind of report is it?: Development Internal
Enterprise Customer affected?: Yes
Ticket number: 2019071721000917, 2019070421000709
Description Arvid Requate univentionstaff 2018-10-09 20:44:25 CEST
We should consider replacing ntpd by chrony:

https://chrony.tuxfamily.org/faq.html#_how_does_code_chrony_code_compare_to_code_ntpd_code
Comment 1 Stephan Hendl 2019-04-09 15:16:47 CEST
What about enabling the "timesyncd" provided by systemd (/etc/systemd/timesyncd.conf)? For member servers it should be suitable and has less overhead than ntpd.

The file can be easily filled with ucr variables.
Comment 2 Philipp Hahn univentionstaff 2019-05-13 10:15:34 CEST
*** Bug 49270 has been marked as a duplicate of this bug. ***
Comment 3 Philipp Hahn univentionstaff 2019-05-13 10:39:53 CEST
NTP is stable and serves our purpose. It also provides the signed NTP service for Windows clients, which I have not checked the alternatives for.
Comment 4 Stephan Hendl 2019-05-13 10:53:33 CEST
systemd-timesyncd should be sufficient for member servers, not for DCs, especially not for samba4 DCs.
Comment 5 Stephan Hendl 2019-07-17 16:36:01 CEST
Any new hints here? Recently I tried to remove ntp and install systemd-timesyncd and got lots of removed packages due to reverse dependencies:

ntp
 → univention-role-server-common
    → univention-server-master|backup|slave|member
    → univention-bind
    → univention-role-common
       → univention-appcenter
          → univention-appcenter-docker

Unfortunately, setting "ucr set ntp/autostart=no" does not work because systemd-timesyncd won't install as long as ntp is installed, regardless of whether it is running or not.

@Arvid: Do you have experience with chrony? Same behavior?
Comment 6 Arvid Requate univentionstaff 2019-07-17 18:47:13 CEST
I adjust the subject of the bug to reflect the modified target of the discussion.
Comment 7 Philipp Hahn univentionstaff 2022-01-21 17:35:43 CET
There's a discussion in Debian <https://lists.debian.org/debian-devel/2022/01/msg00172.html> on the future of src:ntp, which is in no good state. There's a more secure successor <https://docs.ntpsec.org/>, which is a 99% drop-in replacement <https://docs.ntpsec.org/latest/ntpsec.html#incompatible>. Debian 11 Bookworm will probably switch to it. RedHat already switched Fedora to it: <https://fedoraproject.org/wiki/Changes/NtpReplacement>

There's an old security comparison of ntp, NTPsec and chrony by LF from 2017: <https://www.coreinfrastructure.org/blogs/securing-network-time/> Chrony wins

systemd-timesyncd only implements SNTP protocol (RFC4330) client mode, NOT full NTPv4 protocol (RFC5905)


Looking at the original comparison now at <https://chrony.tuxfamily.org/comparison.html> Chrony looks like the clear winner for now as it supports both server and client.
It also can be combined with Samba for signed NTP: <https://wiki.samba.org/index.php/Time_Synchronisation#With_chrony>

Chrony also supports PTP-KVM, which makes it ideal for VMs: <https://opensource.com/article/17/6/timekeeping-linux-vms> (requires Linux-4.11 on Host - UCS-4.4 only has 4.9)
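
The split discussed in this thread (client-only time sync on member servers, a full server with signed NTP for Windows clients on Samba DCs), sketched as two chrony configurations. This is an added example, not part of the bug report and not UCS's own configuration; the hostnames, the client subnet and the ntp_signd path are assumed placeholders.

```conf
# Added example: two alternative chrony.conf profiles (use one per host).
# All hostnames, the subnet and the socket path are constructed placeholders.

# --- Profile A: member server, client only (/etc/chrony/chrony.conf) ---
server dc1.example.test iburst
server dc2.example.test iburst
driftfile /var/lib/chrony/chrony.drift
makestep 1.0 3     # step offsets > 1 s, but only in the first 3 clock updates
rtcsync            # keep the hardware clock in sync with the system clock
port 0             # never open UDP/123: no NTP server function on this host
cmdport 0          # no UDP command port; chronyc still works via the Unix socket

# --- Profile B: Samba 4 DC, serves signed NTP (/etc/chrony/chrony.conf) ---
pool pool.example.test iburst
driftfile /var/lib/chrony/chrony.drift
makestep 1.0 3
rtcsync
allow 192.0.2.0/24 # answer NTP queries from the client subnet only
# Directory of the Samba ntp_signd socket used for MS-SNTP signing.
# Assumed path: it must match the ntp_signd directory of the Samba build.
ntpsigndsocket /var/lib/samba/ntp_signd
cmdport 0
```

Profile A leaves no listening NTP or command port on the member server, so the host only consumes time and exposes no network service for it.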