OpenVZ Forum


NTP server in a virtual environment [message #44487] Sun, 11 December 2011 15:09
Daniel Bauer
Hi @all,

I've a VPS for my internal LAN, which should also be used as an NTP
server.
The HN has already synchronized the time by de.pool.ntp.org, so the time
is also ok inside the VPS.
The NTP server inside the VPS stalled, ntpq -p shows:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 localhost       .INIT.          16 l    -   64    0    0.000    0.000   0.000


my /etc/ntp.conf looks like this:

driftfile /var/lib/ntp/ntp.drift

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 127.0.0.1
fudge 127.0.0.1 stratum 12

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

restrict 127.0.0.1
restrict ::1

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap


Does anybody know a solution?

Thanks
Daniel
Re: NTP server in a virtual environment [message #44488 is a reply to message #44487] Sun, 11 December 2011 18:58
Daniel Pittman
On Sun, Dec 11, 2011 at 07:09, Daniel Bauer <mlist@dsb-gmbh.de> wrote:

> I've a VPS for my internal LAN, which should also be used as an NTP server.
> The HN has already synchronized the time by de.pool.ntp.org, so the time is
> also ok inside the VPS.
> The NTP server inside the VPS stalled, ntpq -p shows:

You don't need NTP inside the container, just on the HN. The VE can't
set the time anyhow.

Daniel
--
♲ Made with 100 percent post-consumer electrons
Re: NTP server in a virtual environment [message #44489 is a reply to message #44488] Sun, 11 December 2011 19:36
MailingListe
Quoting Daniel Pittman <daniel@rimspace.net>:

> You don't need NTP inside the container, just on the HN. The VE can't
> set the time anyhow.

Not really true. You need special capabilities assigned to the VE to
let it manage your system clock. So if you need ntp inside the VE you
should do something like "vzctl set <VEID> --capability sys_time:on",
install ntp inside the VE and deinstall it on the HN.

Regards

Andreas
Re: NTP server in a virtual environment [message #44492 is a reply to message #44489] Sun, 11 December 2011 21:18
Daniel Bauer
From: <lst_hoe02@kwsoft.de>
> Not really true. You need special capabilities assigned to the VE to
> let it manage your system clock. So if you need ntp inside the VE you
> should do something like "vzctl set <VEID> --capability sys_time:on",
> install ntp inside the VE and deinstall it on the HN.

But that's not what I want.

I want the HN to be an NTP client, so that all (HN + VE) have a valid
time.
This works already.

I want the VE to be an NTP server for the local LAN, without being an NTP
client.
That doesn't work.

Why?
No VE and also no LAN client have access to the HN.
I've 3 subnets with 3 gateways (VE), all gateways should be an NTP
server and couldn't be an NTP client.

Thanks
Daniel
Re: NTP server in a virtual environment [message #44511 is a reply to message #44492] Mon, 12 December 2011 12:07
MailingListe
Quoting Daniel Bauer <mlist@dsb-gmbh.de>:

> But that's not what I want.
>
> I want the HN to be an NTP client, so that all (HN + VE) have a valid time.
> This works already.
>
> I want the VE to be an NTP server for the local LAN, without being an
> NTP client.
> That doesn't work.

NTP by default only works as server if it has a valid timesource. By
default it does not use the "local clock" because it's unreliable. On
the other hand NTP always tries to adjust the local clock if it has a
valid timesource. This does not work in a VE if you don't set the
capability to adjust the clock, NTP will even run as "root" if it is
not able to adjust the local clock with the intended user.

If you insist on your network design your options are:
- Let the VE NTP get the time from the HN and let it run as root on the VE
- Try to hack NTP to use the local clock as timesource and not try to update

Regards

Andreas
Re: NTP server in a virtual environment - SOLVED [message #44524 is a reply to message #44511] Mon, 12 December 2011 18:54
Daniel Bauer
From: <lst_hoe02@kwsoft.de>
> NTP by default only works as server if it has a valid timesource. By
> default it does not use the "local clock" because it's unreliable. On
> the other hand NTP always tries to adjust the local clock if it has a
> valid timesource. This does not work in a VE if you don't set the
> capability to adjust the clock, NTP will even run as "root" if it is
> not able to adjust the local clock with the intended user.
>
> If you insist on your network design your options are:
> - Let the VE NTP get the time from the HN and let it run as root on the VE
> - Try to hack NTP to use the local clock as timesource and not try to update

The solution was not to take localhost, but
> server 127.127.1.0
> fudge 127.127.1.0 stratum 12
Now it works.

Thanks a lot
Daniel
Re: NTP server in a virtual environment - SOLVED [message #44528 is a reply to message #44524] Tue, 13 December 2011 08:44
MailingListe
Quoting Daniel Bauer <mlist@dsb-gmbh.de>:

> the solution was not to take localhost, but
>> server 127.127.1.0
>> fudge 127.127.1.0 stratum 12
> now it works.

But be aware that NTP inside the VE is running as "root" in this case.
Don't ever expose it to untrusted networks this way.

Regards

Andreas
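
An added example, not part of the thread: a small Python audit of an ntp.conf for the two issues discussed above, a server line that points at loopback instead of the local clock driver 127.127.1.0, and restrict rules that decide which clients can reach the daemon. The function name, the finding texts and the required-flag policy (nomodify and noquery on the default rule) are assumptions of this example; the sample is constructed from the configuration in the first post.

```python
# Constructed sample: the relevant lines of the ntp.conf from the first post.
SAMPLE_BROKEN = """\
server 127.0.0.1
fudge 127.0.0.1 stratum 12
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
REQUIRED_DEFAULT = {"nomodify", "noquery"}  # policy assumed by this example


def audit_ntp_conf(text):
    """Return a list of findings for an ntp.conf passed in as a string."""
    findings, has_source, default_seen = [], False, False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        # Drop address-family selectors so the address is always args[0].
        args = [w for w in words[1:] if w not in ("-4", "-6")]
        if words[0] in ("server", "pool", "peer") and args:
            if args[0] in LOOPBACK:
                findings.append(f"{args[0]}: server line points at the daemon itself")
            else:
                has_source = True
                if args[0].startswith("127.127.1."):
                    findings.append("local clock driver: time is taken from the system clock as-is")
        elif words[0] == "restrict" and args:
            flags = set(args[1:])
            if args[0] == "default":
                default_seen = True
                missing = set() if "ignore" in flags else REQUIRED_DEFAULT - flags
                if missing:
                    findings.append("restrict default lacks " + ",".join(sorted(missing)))
            elif args[0] not in LOOPBACK and "nomodify" not in flags:
                findings.append(f"restrict {args[0]}: nomodify missing")
    if not has_source:
        findings.append("no usable time source configured")
    if not default_seen:
        findings.append("no 'restrict default' line: all clients unrestricted")
    return findings
```

On the sample it reports the loopback server line and the missing time source; with the two lines changed to 127.127.1.0 only the informational local-clock finding remains.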