More ntp servers #4448
More ntp servers #4448
Conversation
christoph-zededa
commented
Nov 26, 2024
•
christoph-zededa
commented
- allow setting more than one NTP server
- allow setting NTP servers by domain (instead of just ip)
- allow ignoring NTP servers from DHCP server
github-actions
bot
requested review from
eriknordmark,
milan-zededa,
OhmSpectator,
rouming and
uncleDecart
christoph-zededa
force-pushed
the
more_ntp_servers
branch
4 times, most recently
from
2b8af39 to
6d83fea
Compare
christoph-zededa
force-pushed
the
more_ntp_servers
branch
4 times, most recently
from
6c070b3 to
94174f9
Compare
christoph-zededa
force-pushed
the
more_ntp_servers
branch
from
94174f9 to
f3dafaa
Compare
| @@ -103,6 +137,7 @@ func (z *zedrouter) getNIPortConfig( | |||
| if port == nil { | |||
| continue | |||
| } | |||
| basicNTPServerIPs, _ := types.GetNTPServers(*z.deviceNetworkStatus, port.IfName) | |||
There was a problem hiding this comment.
I think it would be less confusing if getNIPortConfig didn't set NTPServers at all (not even the already resolved IPs) and would leave this to attachNTPServersToPortConfigs.
Then also please add a comment for getNIPortConfig mentioning that NTP servers are set separately.
christoph-zededa
force-pushed
the
more_ntp_servers
branch
from
5f34b33 to
a8b0329
Compare
christoph-zededa
force-pushed
the
more_ntp_servers
branch
4 times, most recently
from
8ff6cd8 to
cabff85
Compare
christoph-zededa
force-pushed
the
more_ntp_servers
branch
3 times, most recently
from
5e5507d to
abba1ec
Compare
christoph-zededa
force-pushed
the
more_ntp_servers
branch
from
abba1ec to
d401cde
Compare
|
Argh, I will try to review it soon... |
christoph-zededa
force-pushed
the
more_ntp_servers
branch
from
e9050d6 to
148acfe
Compare
| ntpServers = append(ntpServers, ip) | ||
| continue | ||
| } | ||
| dnsResponses, err := devicenetwork.ResolveWithPortsLambda( |
There was a problem hiding this comment.
How long time can this call take? Any risk of a watchdog due to it?
There was a problem hiding this comment.
The timeout is specified here: https://github.com/lf-edge/eve/blob/master/pkg/pillar/devicenetwork/dns.go#L35
Last week I tested the code with more than 10 unreachable NTP servers and I did not notice the watchdog to get triggered.
Do we run zedrouter without watchdog? - https://github.com/lf-edge/eve/blob/master/pkg/pillar/cmd/zedrouter/zedrouter.go#L175 as I don't see a agentbase.WithWatchdog(...).
There was a problem hiding this comment.
We kick of the main watchdog for each agent in device-steps.sh
touch "$WATCHDOG_FILE/$AGENT.touch"
Wouldn't the delay be if there are potentially unreachable/slow DNS servers and there are 10 NTP servers configured with a domain name that needs to be resolved?
There was a problem hiding this comment.
I think, now I understand (better) how this works.
I added a call to pubSub.StillRunning(...): https://github.com/lf-edge/eve/compare/2a16d63887c83fbe4ffe5bec74b3a435b0f7f5f2..b9a29770fc4d1103a007ba1bbe3286172047bf4f
pkg/pillar/devicenetwork/dns.go
Outdated
| func ResolveCacheWrap(resolve func(string, net.IP, net.IP) ([]DNSResponse, error)) func(domain string, dnsServerIP net.IP, srcIP net.IP) ([]DNSResponse, error) { | ||
| return func(domain string, dnsServerIP net.IP, srcIP net.IP) ([]DNSResponse, error) { | ||
|
|
||
| dnsResponses, found := resolveCache[domain] |
There was a problem hiding this comment.
Do we resolve these globally?
Suppose wwan0 is a walled garden and it has a DNS server on 10.10.10.10 and eth0 is a different walled garden. Then if the configured ntp server domainname is ntp.corp for both wwan0 and eth0 don't we need to ensure that we do the DNS lookup out the correct network interface?
IP addresses and globally unique and visible domain names don't have that issue, but resolving domain names can't assume that.
There was a problem hiding this comment.
In the end chronyd and dnsmasq do not care about the different interfaces, do they?
There was a problem hiding this comment.
I made the map key a combination of domain and source ip.
There was a problem hiding this comment.
dnsmasq is for the applications doing DNS resolution. We configure chronyd with IP addresses. My concern is about the DNS resolution of the NTP server names. Note that we have been resolving the standard pool.ntp.org without worrying about walled gardens, but as we allow the users to specify domain names for NTP servers they might be using ones which are inside their walled garden(s). I'll take a look at your map approach.
There was a problem hiding this comment.
I also added a test for the map approach (perhaps that's easier to understand): https://github.com/lf-edge/eve/pull/4448/files#diff-6ecf3e43642f91236a8006c29a4a1abfe7d1ef210b6381ff39808acd3c64bd90R280
* allow setting more NTP servers through controller * allow setting NTP server by domain instead of just IP address (problem: we only resolve the domains once at the beginning) Signed-off-by: Christoph Ostarek <christoph@zededa.com>
Don't use _test for the package name of tests, because this disallows accessing private methods Signed-off-by: Christoph Ostarek <christoph@zededa.com>
which makes pillar ignore NTP servers provided by the DHCP server on that particular interface Signed-off-by: Christoph Ostarek <christoph@zededa.com>
christoph-zededa
force-pushed
the
more_ntp_servers
branch
from
148acfe to
1930504
Compare
christoph-zededa
force-pushed
the
more_ntp_servers
branch
3 times, most recently
from
57ac8b1 to
2a16d63
Compare
christoph-zededa
force-pushed
the
more_ntp_servers
branch
from
2a16d63 to
b9a2977
Compare
continuously in the background so that updated IP addresses can be used if the edge application is restarted (from controller) Signed-off-by: Christoph Ostarek <christoph@zededa.com>
This will update the network instance if the network config changes; for example during re-activation of the edge app. It is necessary as we want to resolve the IP addresses of the NTP servers again on re-activation of the edge app. Signed-off-by: Christoph Ostarek <christoph@zededa.com>
e.g. run `sudo make TAP=tap0 run` to not autoconfigure the second interface and just let it run as a tap device. You then have to bring your own dhcp server and setup everything manually. Signed-off-by: Christoph Ostarek <christoph@zededa.com>
Need to bump eve-api after following PR lf-edge/eve-api#77 Signed-off-by: Christoph Ostarek <christoph@zededa.com>
to the controller so that the controller knows that EVE can handle domain names and not just IP addresses Signed-off-by: Christoph Ostarek <christoph@zededa.com>
christoph-zededa
force-pushed
the
more_ntp_servers
branch
from
b9a2977 to
0f862e1
Compare
Sorry, I saw that too late and force-pushed ... |
