[openstack-dev] [openstack-ansible] To NTP, or not to NTP, that is the question

Jay Pipes jaypipes at gmail.com
Fri Sep 18 16:38:56 UTC 2015


On 09/18/2015 11:04 AM, Ian Cordasco wrote:
> On 9/18/15, 08:03, "Major Hayden" <major at mhtx.net> wrote:
>
>> Hey there,
>>
>> I started working on a bug[1] last night about adding a managed NTP
>> configuration to openstack-ansible hosts.  My patch[2] gets chrony up and
>> running with configurable NTP servers, but I'm still struggling to meet
>> the "Proposal" section of the bug where the author has asked for
>> non-infra physical nodes to get their time from the infra nodes.  I can't
>> figure out how to make it work for AIO builds when one physical host is
>> part of all of the groups. ;)
>>
>> I'd argue that time synchronization is critical for a few areas:
>>
>>   1) Security/auditing when comparing logs
>>   2) Troubleshooting when comparing logs
>>   3) I've been told swift is time-sensitive
>>   4) MySQL/Galera don't like time drift
>>
>> However, there's a strong argument that this should be done by deployers,
>> and not via openstack-ansible.  I'm still *very* new to the project and
>> I'd like to hear some feedback from other folks.
>
> Personally, I fall into the camp of "this is a deployer concern".
> Specifically, there is already an ansible-galaxy role to enable NTP on
> your deployment hosts (https://galaxy.ansible.com/list#/roles/464) which
> *could* be expanded to do this very work that you're talking about. Using
> specialized roles to achieve this (and contributing back to the larger
> ansible community) seems like a bigger win than trying to reimplement some
> of this in OSA instead of reusing other roles that already exist.
>
> Compare it to a hypothetical situation where Keystone wrote its own
> backing libraries to implement Fernet instead of using the cryptography
> library. In that case there would be absolutely no argument that Keystone
> should use cryptography (even if it uses cffi and has bindings to OpenSSL
> which our infra team doesn't like and some deployers find difficult to
> manage when using pure-python deployment tooling). Why should OSA be any
> different from another OpenStack project?

Have to agree with Ian here. NTP, as Major wrote, is a critical piece of 
the deployment puzzle, but I don't think it's necessary to put anything 
in OSA specifically to configure NTP. As Ian wrote, better to contribute 
to upstream ansible-galaxy playbooks/roles that do this well.

Best,
-jay


