[openstack-dev] [openstack-ansible] To NTP, or not to NTP, that is the question

Jim Meyer jim at geekdaily.org
Sat Sep 19 22:03:44 UTC 2015


> On Sep 18, 2015, at 9:38 AM, Jay Pipes <jaypipes at gmail.com> wrote:
> 
>> On 09/18/2015 11:04 AM, Ian Cordasco wrote:
>>> On 9/18/15, 08:03, "Major Hayden" <major at mhtx.net> wrote:
>>> 
>>> Hey there,
>>> 
>>> I started working on a bug[1] last night about adding a managed NTP
>>> configuration to openstack-ansible hosts.  My patch[2] gets chrony up and
>>> running with configurable NTP servers, but I'm still struggling to meet
>>> the "Proposal" section of the bug where the author has asked for
>>> non-infra physical nodes to get their time from the infra nodes.  I can't
>>> figure out how to make it work for AIO builds when one physical host is
>>> part of all of the groups. ;)
>>> 
>>> I'd argue that time synchronization is critical for a few areas:
>>> 
>>>  1) Security/auditing when comparing logs
>>>  2) Troubleshooting when comparing logs
>>>  3) I've been told swift is time-sensitive
>>>  4) MySQL/Galera don't like time drift
>>> 
>>> However, there's a strong argument that this should be done by deployers,
>>> and not via openstack-ansible.  I'm still *very* new to the project and
>>> I'd like to hear some feedback from other folks.
>> 
>> Personally, I fall into the camp of "this is a deployer concern".
>> Specifically, there is already an ansible-galaxy role to enable NTP on
>> your deployment hosts (https://galaxy.ansible.com/list#/roles/464) which
>> *could* be expanded to do this very work that you're talking about. Using
>> specialized roles to achieve this (and contributing back to the larger
>> ansible community) seems like a bigger win than trying to reimplement some
>> of this in OSA instead of reusing other roles that already exist.
>> 
>> Compare it to a hypothetical situation where Keystone wrote its own
>> backing libraries to implement Fernet instead of using the cryptography
>> library. In that case there would be absolutely no argument that Keystone
>> should use cryptography (even if it uses cffi and has bindings to OpenSSL
>> which our infra team doesn't like and some deployers find difficult to
>> manage when using pure-python deployment tooling). Why should OSA be any
>> different from another OpenStack project?
> 
> Have to agree with Ian here. NTP, as Major wrote, is a critical piece of the deployment puzzle, but I don't think it's necessary to put anything in OSA specifically to configure NTP. As Ian wrote, better to contribute to upstream ansible-galaxy playbooks/roles that do this well.

I have a nuanced agreement with this which borders on disagreement. 

An agreed-upon time tick is as crucial to a distributed system as oxygen is to a human. It's not only those components that care, it's the humans who have to understand and operate it. As such, an OpenStack cloud should come with a time source that all services listen to; even if it's wildly off from the real world, the value of all services sharing the same tick is immeasurable. For me, it's part of "batteries included."

I'd argue that we should pick a tool and configuration for this by default and allow others to change it. And, while I love Major*, I don't think the deployment tools are the right place for this.

--j

* and I do. Been too long, Major. We should fix that. =]

