Why do some OVZ providers not like ntpd? - Page 2

  • Looks like @VPSSimon is right and @rm_ is wrong :)

    On my local CentOS5 2.6.18 OpenVZ box I used:

    vzctl set CTID --capability sys_time:on --save

    And that container was then able to set the system time.

    Other VMs on the box were not able to do it -- got an 'operation not permitted' message when attempting to do so.

  • rds100 Member
    edited August 2013

    Still this is an interesting idea for the providers that don't want to run ntpd on the node. They can run it inside a VPS, thus guarding from some unknown ntpd exploits and still providing correct time to the node.

  • rm_ IPv6 Advocate, Veteran
    edited August 2013

    Looks like @VPSSimon is right and @rm_ is wrong :)

    Exactly the other way round. Please slow down and read who was saying what. I meant there's no such thing as "per VPS" time on OpenVZ. One VPS when given that capability changes time for the whole node.

    Also, oh I so sincerely hope VPSSimon despite his nickname having "VPS" in it, does not actually sell VPSes, i.e. not in fact a provider.

  • sleddog Member
    edited August 2013

    @rm_ said:
    Exactly the other way round. Please slow down and read who was saying what.

    Well, sorry if I offended you. But I did read, several times.

    Your one-word answers were apparently open to different interpretations.

    You quoted @perennate's question:

    Would that allow every VPS to set the global time for the node?

    And gave a single word answer: "Yes".

    I said you were wrong, because it does not allow every VPS to set the host node's time. Only VPSs that are explicitly granted the right to do so can set the host node's time.

    But apparently you meant something else -- that the time adjustment made from within a VPS (that has 'sys_time:on') is reflected to all VPSs on the node. Which is an entirely different thing.

    Or maybe you meant something else altogether.....

    Perhaps you should slow down and write what you are thinking :)

  • rm_ IPv6 Advocate, Veteran
    edited August 2013

    I said you were wrong, because it does not allow every VPS to set the host node's time. Only VPSs that are explicitly granted the right to do so can set the host node's time.

    And my impression was that VPSSimon's suggestion is to grant sys_time:on to every VPS on the node.

    All OpenVZ providers need to do is the following command

    CTID replaced by Container ID

    vzctl set CTID --capability sys_time:on --save

    Restart the VPS and then ntpd update sync will work. Otherwise by default users get an "Operation not permitted" error when syncing.

  • @rm_ said:
    And my impression was that VPSSimon's suggestion is to grant sys_time:on to every VPS on the node.

    OK, then I understand you. I didn't get that impression ("Restart vps..." sounded singular to me).

  • perennate Member, Host Rep

    Sorry, yeah, I meant the VPS that were granted that capability.

    Still this is an interesting idea for the providers that don't want to run ntpd on the node. They can run it inside a VPS, thus guarding from some unknown ntpd exploits and still providing correct time to the node.

    Same idea in http://forum.openvz.org/index.php?t=msg&th=7893&goto=37400&#msg_37400

  • VPSSimon Member
    edited August 2013

    @rm_ said:
    Also, oh I so sincerely hope VPSSimon despite his nickname having "VPS" in it, does not actually sell VPSes, i.e. not in fact a provider.

    That is what I said. If you allow one VPS to edit it, IT edits node time as it all shares one time, hence I said you should sync on the host node, not rely on a customer syncing time. Please read my post again clearly.

    I said users should NOT give sys time privs. Run ntp on the host node only and there is no need to give sync ability to customers. I thought my post was clear about that. Someone asked how it was possible so I replied with how to do it for those hosts who refuse to sync themselves; often hosts just let a few users have the ability to sync. However, personally I say just run ntp on the host node. So I'm dumb for giving how to do it but clearly saying don't. If someone asks how to do something, if I know I'll tell them regardless of whether I say it should be done or not. I was merely replying to a direct question.

    And perennate was so confusing. I NEVER said ALL VPS, as I said THAT command is PER VPS. How you read it as multiple leads me to assume you don't use OpenVZ, as the command itself is clear enough about who it applies to, hence the CTID - CONTAINER ID, I.E. THE VPS ID "SINGULAR"

    If someone reads my post with common sense, it means all providers who won't run ntp and want to let a customer do it, then that is the command to let a single VPS do it. Where u read it allows every VPS on the node to, I dunno.

    Sorry if you couldn't read my post, which I read and understand OK when I read it back; let me put it in kindergarten speak: YOU CAN ALLOW ONE VPS TO SYNC THE NODE'S TIME, THAT SYNCED TIME WILL AFFECT NODE TIME AS ALL VPS SHARE THE NODE TIME! TIMEZONES CAN CHANGE PER VPS BUT SYNCING WOULD CHANGE THE CLOCK ON THE HOST NODE.

    Think u forgot to read the line I put: "However as all VPS share same clock, Wouldn't just running sync on host node only not containers be better." - Where in that do u think I didn't explain it shares the host node clock?

    People just read stuff they want to without actually reading it completely. Don't have a go at me for explaining something how it is and how it works. Someone asks how to, I explained how and said it's better to sync on the host node only, not doing it via a VPS like OpenVZ suggest. So I'm a dick for explaining it exactly how it is? Sweet.

    Don't bash me for someone wanting to let a VPS sync ntp. He asked how, I explained how to let a single VPS sync the time if he didn't want to do it on the node for whatever reason. My explanation did not contain anything stating let all VPS sync it or anything of the sort. You just all read what you want to, just to fly off the handle and throw a topic into arguments rather than actually for the reason the topic was opened, which is a specific question.

    I'm not going to reply again in this thread. I think this reply clears up the confusion for those who cba to read my first posts fully, which are clear as hell.

  • perennate Member, Host Rep
    edited August 2013

    @VPSSimon said:
    And perennate was so confusing. I NEVER said ALL VPS, as I said THAT command is PER VPS. How you read it as multiple leads me to assume you don't use OpenVZ, as the command itself is clear enough about who it applies to, hence the CTID - CONTAINER ID, I.E. THE VPS ID "SINGULAR"

    I said every VPS, as in every VPS that was granted that capability, sorry I could've been more clear. Anyways just a misunderstanding, no need to write nine paragraphs about it :)

  • jar Patron Provider, Top Host, Veteran

    Toying with node time isn't just something you can always casually do without consequence. I know many of us are guilty of forgetting to put ntpd in startup and forgetting to restart it after a node reboot. Myself included. However, the effect of altering node time is not one to take lightly. I don't know what every client has their cron set to do. I don't know if jerking the time around is going to send someone into a critical spiral or just trigger an early backup. I don't know, and that's the problem. A provider should be careful and remember that their actions cause a domino effect.

  • sman Member
    edited August 2013

    @jarland said:
    Toying with node time isn't just something you can always casually do without consequence. I know many of us are guilty of forgetting to put ntpd in startup and forgetting to restart it after a node reboot. Myself included. However, the effect of altering node time is not one to take lightly. I don't know what every client has their cron set to do. I don't know if jerking the time around is going to send someone into a critical spiral or just trigger an early backup. I don't know, and that's the problem. A provider should be careful and remember that their actions cause a domino effect.

    Then set it right in the first place. Also "chkconfig ntpd on" and you don't have to manually restart it. Was that so hard?

    ntpd is part of my new node setup procedure. Everyone should have one. If you just wing it by the seat of your pants ok fine. You update the kernel once in a while don't you? Do it then if you forgot when you set up the node and are worried about time change effects. Whatever problems you think it might cause will be mitigated by the reboot.

    Also, 2.6.32 CE6 based OpenVZ nodes sync the hardware clock to system clock before reboot so it's idiot proof.

  • jar Patron Provider, Top Host, Veteran
    edited August 2013

    @sman said:
    ntpd is part of my new node setup procedure. Everyone should have one. If you just wing it by the seat of your pants ok fine. You update the kernel once in a while don't you? Do it then if you forgot when you set up the node and are worried about time change effects. Whatever problems you think it might cause will be mitigated by the reboot.

    I didn't say that there wasn't a way to fix it, I just said I'm guilty of making mistakes. One should not seek to reboot either. It's basically like this... if you make a mistake but everything is still standing, you shouldn't rock the boat just to fix the mistake if the mistake is not causing anyone trouble and the fix has potential to do so. You will make mistakes. Everyone does. Yourself included. It's how you react that matters, and knee jerk reactions to correct the mistake later are no better than any other mistake.

    It's about assessing the problem, identifying the risks, and determining the most appropriate solution at the time. At that exact moment, the most appropriate solution may very well be to do nothing for the time being. At next reboot, sure. You try rebooting a node just because you feel like it and keeping clients around. One might be complaining about the clock, what about the other 40 that aren't?

    It's not just as easy as "Well this fixes it, it needs to be fixed, so you better do it now." That's not how things really work in production. Sometimes, often, not always.

  • There is only one right way to do it: set the correct time automatically via NTP on the host and don't allow a client to change the time other clients are using. End of the discussion :)

    I have several OpenVZ VMs where the time is off several minutes or even around an hour (wrong timezone settings on the host, making it impossible to get the correct time incl. timezone on the VM). This is so easy, I am wondering why so many hosts fail at this easy one.

  • Nick_A Member, Top Host, Host Rep

    I have not read this entire thread, but I did just receive a ticket about incorrect time on an OpenVZ VPS which made me think to go ahead and see what this thread is about. What's odd is that I do have ntp running and the host node's clock is correct. I'm guessing the OP is a client, maybe the same client who just sent in that ticket; but we of course run NTP in our server setup script and have it chkconfig'd on when we reboot.

  • @Nick_A tell him to fix his timezone then.

  • Nick_A Member, Top Host, Host Rep

    @rds100 said:
    Nick_A tell him to fix his timezone then.

    It doesn't look like a timezone issue.

  • sman Member
    edited August 2013

    @jarland said:
    It's not just as easy as "Well this fixes it, it needs to be fixed, so you better do it now." That's not how things really work in production. Sometimes, often, not always.

    So you don't update your kernel unless there is a problem? Even for the security updates???

    I have cancelled OpenVZ VPS's before because the time was never right..cough burstnet...cough.

  • sman Member
    edited August 2013

    @cidero said:
    There is only one right way to do it: set the correct time automatically via NTP on the host and don't allow a client to change the time other clients are using. End of the discussion :)

    I have several OpenVZ VMs where the time is off several minutes or even around an hour (wrong timezone settings on the host, making it impossible to get the correct time incl. timezone on the VM). This is so easy, I am wondering why so many hosts fail at this easy one.

    Not sure what you are talking about. OpenVZ VM's cannot set time. They can only set timezone which is not the same thing. Therefore OVZ VM's have no need for ntpd either. It does not matter what timezone the Node is set at either. Again, because timezone is not the same as time which I believe uses UTC internally.

    If you don't know that then you don't know how to set the time correctly every time all the time.

    First you determine the timezone your node is set at then you set the date/time of that timezone on the system clock and then you sync the hwclock to it. Now UTC is set to the correct time on the Node and the VM's and will remain that way after reboot. Set the timezones on the VM's to whatever you want. You can set/change the timezone on the node to whatever you want too. The two have no effect on each other.

  • sleddog Member
    edited August 2013

    @sman said:
    Not sure what you are talking about. OpenVZ VM's cannot set time.

    Please scroll up.

    Suggestions for sysadmins:

    • Run ntpd on your OVZ nodes;

    • If security of an Internet-connected daemon on the host node troubles you, create a small VM with the privilege for managing the clock. vzenter and kill/uninstall all services, install ntpd. No-one is granted access to this VM except you -- the sysadmin.

    • On the node or in the privileged VM, configure ntp to use a set of reliable/stable stratum 2 timeservers.

    • On the node or in the privileged VM, use iptables to restrict traffic on port 123 to those timeservers.

    • If your node's time is substantially out-of-sync, take Jarland's advice and don't willy-nilly change it. Make a plan, possibly involving a reboot and client notification, and follow through. But please do it.
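Added example, not part of the thread or of any poster's setup: a small POSIX shell helper for the two checks the list above implies, namely which containers hold the clock privilege and what a port-123 allow-list for the configured timeservers looks like. It assumes the OpenVZ default config directory `/etc/vz/conf`, that `vzctl ... --save` records the grant on a `CAPABILITY=` line, and `/etc/ntp.conf` with literal IPv4 `server` entries; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are assumed OpenVZ/ntpd defaults.

# Print the IDs of containers whose saved config grants sys_time, i.e. the
# containers that can change the clock for the whole node.
# $1: directory of CTID.conf files (assumed default: /etc/vz/conf)
cts_with_sys_time() {
    conf_dir=${1:-/etc/vz/conf}
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        # Assumption: "vzctl set CTID --capability sys_time:on --save" leaves a
        # CAPABILITY="...SYS_TIME:on..." line; match it case-insensitively.
        if grep -Eiq '^[[:space:]]*CAPABILITY=.*sys_time:on' "$f"; then
            basename "$f" .conf
        fi
    done
}

# Print (do not apply) iptables commands that allow NTP only to and from the
# timeservers listed in an ntp.conf, then drop every other packet on port 123.
# $1: path to ntp.conf (assumed default: /etc/ntp.conf)
ntp_firewall_rules() {
    ntp_conf=${1:-/etc/ntp.conf}
    awk '$1 == "server" || $1 == "peer" { print $2 }' "$ntp_conf" |
    while read -r addr; do
        case $addr in
            # 127.127.x.x entries are ntpd reference-clock drivers, not hosts.
            127.*) echo "# skipped local reference clock: $addr" ;;
            # Hostnames would be resolved once at rule insertion; pin by IP.
            ''|*[!0-9.]*) echo "# skipped (not a literal IPv4 address): $addr" ;;
            *)
                echo "iptables -A OUTPUT -p udp -d $addr --dport 123 -j ACCEPT"
                echo "iptables -A INPUT -p udp -s $addr --sport 123 -j ACCEPT"
                ;;
        esac
    done
    # Appended last, so the per-server ACCEPT rules above match first.
    echo "iptables -A OUTPUT -p udp --dport 123 -j DROP"
    echo "iptables -A INPUT -p udp --dport 123 -j DROP"
}
```

Any container ID printed by `cts_with_sys_time` other than the one dedicated time-keeping container is a container that can move the clock for every customer on the node. Review the output of `ntp_firewall_rules` before applying it.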

  • jar Patron Provider, Top Host, Veteran

    @sman said:
    So you don't update your kernel unless there is a problem? Even for the security updates???

    Correct on the first question, the second I would answer with "A security problem is a problem."

    I think you misunderstood and assumed that I run around forgetting ntpd on all my servers and giving clients the middle finger over it.

  • sman Member

    I would never stick with a provider if they couldn't even remember to set the time correctly on their node. To me that is a very basic thing and if they can't be bothered to get that right it would make me wonder what else they don't have right. I guess that's just me.

  • jar Patron Provider, Top Host, Veteran
    edited August 2013

    @sman said:
    I would never stick with a provider if they couldn't even remember to set the time correctly on their node. To me that is a very basic thing and if they can't be bothered to get that right it would make me wonder what else they don't have right. I guess that's just me.

    So you're looking for a provider that never makes mistakes? Look for ones with a tendency to lie then.

    Like WHT signature spam without the signature. Wonder when the offer thread is coming...

  • sman Member

    @jarland said:
    Like WHT signature spam without the signature. Wonder when the offer thread is coming...

    If you didn't set the time then that means there are a lot of things you didn't look at which would have reminded you. Forgetting to set the time is a mistake like forgetting to put your underwear on in the morning is a mistake. At some point you should have noticed.

  • jar Patron Provider, Top Host, Veteran
    edited August 2013

    @sman said:
    If you didn't set the time then that means there are a lot of things you didn't look at which would have reminded you. Forgetting to set the time is a mistake like forgetting to put your underwear on in the morning is a mistake. At some point you should have noticed.

    That's an awful lot of assumptions. I'm glad you think ntpd is the single thread from which everything else unravels and anyone who makes that mistake alone is clueless and careless, but you're just incorrect. I'm just saying that you clearly shouldn't use any service if that mistake there defines "unacceptable" to you. You're looking for perfection that doesn't exist, or stating a preference for people who lie.

    More likely, you're posting to talk down others about minor mistakes and talk yourself up to build a post history that you want to come before your big offer debut. Best of luck with that. You've strangely decided to position yourself as a likely candidate to make mistakes and then not tell your clients about it. Because there's no way in hell you'll be the first one to never make a mistake, but now the first time you do I'm going to be publicly appalled at how horrible your services must be and post a bunch of assumptions about how you must handle everything else. Why? Because I'm a dick, and I don't forget everything.

  • sman Member
    edited August 2013

    @jarland said:
    More likely, you're posting to talk down others about minor mistakes and talk yourself up to build a post history that you want to come before your big offer debut. Best of luck with that. You've strangely decided to position yourself as a likely candidate to make mistakes and then not tell your clients about it. Because there's no way in hell you'll be the first one to never make a mistake, but now the first time you do I'm going to be publicly appalled at how horrible your services must be and post a bunch of assumptions about how you must handle everything else. Why? Because I'm a dick, and I don't forget everything.

    You got me there. Can't get anything past you guys.
    For a limited time. 2.99euro servers. 32GB. /27 IP's. 2x1TB SSD's on LSI MegaRaid. Supermicro hardware.....and a pony. Comes in brown or grey...the pony that is.

    Seriously, I've got nothing to prove. Call it a pet peeve of mine but if an admin cannot remember or be bothered to do something as simple as set the time properly on their server it's going to make me go hmmmm.

  • sman Member

    @sleddog said:

    That seems like an awful lot of trouble just to set up ntpd. Is ntpd really such a security issue?

  • perennate Member, Host Rep

    @sman said:
    That seems like an awful lot of trouble just to set up ntpd. Is ntpd really such a security issue?

    Agree, it's hard to run every service in a separate VM, especially when other things are much more likely to be exploited.

  • jar Patron Provider, Top Host, Veteran

    @sman said:
    Seriously, I've got nothing to prove

    Looking for support techs, looking for a dedicated server with a /27 and stating justification to be vps. You are about to start making offers here soon. Good time for you to start tooting your own horn, which you seem to be doing. Word of advice, be humble and don't build yourself up to be something you can't live up to. Or maybe you really think you can, in which case the humbling will follow, or the deceit and the bad reviews, either way. This road isn't untraveled son, it's all been done before.

  • sman Member
    edited August 2013

    @jarland said:
    Looking for support techs, looking for a dedicated server with a /27 and stating justification to be vps. You are about to start making offers here soon. Good time for you to start tooting your own horn, which you seem to be doing. Word of advice, be humble and don't build yourself up to be something you can't live up to. Or maybe you really think you can, in which case the humbling will follow, or the deceit and the bad reviews, either way. This road isn't untraveled son, it's all been done before.

    Who am I to question your psychic abilities.

    I guess I am a supergenius because I know how to set the time properly on a server. I pity you mere mortals struggling with such tasks. They will probably write books about me.

  • @Liam, @mpkossen please close this thread.

This discussion has been closed.