Default Ubuntu configuration violates the ntp pool policy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
chrony (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
I was made aware by chrony upstream (thanks Miroslav) that the current default we have in Bionic is violating the NTP Pool project's policy.
The default config has:
pool 0.ubuntu.
pool 1.ubuntu.
pool 2.ubuntu.
pool 3.ubuntu.
This could be a problem as the client will use 16 servers from the
pool, which is against their policy from [1]:
So don't use more than four time servers in your
all you will gain is extra load on the volunteer time servers.
I'd suggest to either keep only one pool line (preferably the one
starting with 2 as it also provides IPv6 addresses), or replace "pool"
with "server".
Please note that "pool" works differently in ntpd and chronyd. ntpd
counts all servers together (their number is limited by the tos
maxclock setting), but chronyd handles each pool as an independent set
of up to (by default) four servers.
We discussed that a bit already, mostly about what would be better.
1. I thought about it, and reading the man page, at least, it seems that only "pool" has the
feature of "trying different sources until it finds some working".
I'm afraid that with 4 server entries that might not work as well in terms of reliability.
But it turns out that a server specified with "server" is functionally equivalent to a pool
with maxsources equal to 1. chronyd will try to replace it with
another address if it becomes unreachable, a falseticker, etc.
2. I wondered whether having just one line as a pool isn't more easily vulnerable to DNS attacks/outages.
That would be rare but true, so more entries might be better.
3. There is one drawback of
server 0.ubuntu.
server 1.ubuntu.
server 2.ubuntu.
server 3.ubuntu.
The maximum number of used IPv6 servers would be limited to one, as currently only 2.ubuntu... serves IPv6.
But the fix for that is to finally make them available as intended - I'll bump the original bug on this.
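The difference between "pool" and "server" described above (each pool line is an independent set of up to maxsources addresses, default 4; a server line is one source) is easy to check mechanically. The following is an added example, not part of this bug report or of chrony: it estimates how many sources chronyd would use for a given chrony.conf and flags configurations that exceed the four-server policy. The hostnames in the constructed sample configs are placeholders, not real pool names.

```python
"""Estimate how many NTP sources a chrony.conf will use.

chronyd treats each "pool" directive as an independent set of up to
"maxsources" addresses (default 4). A "server" directive is a single
source that chronyd re-resolves/replaces if it becomes unreachable or
a falseticker. The NTP Pool policy asks clients for at most four servers.
"""
import shlex

DEFAULT_MAXSOURCES = 4   # chronyd default for a "pool" directive
POLICY_LIMIT = 4         # NTP Pool project: no more than four servers

# Constructed sample configs with placeholder hostnames (not real pools).
FOUR_POOL_LINES = "\n".join(
    f"pool {i}.pool.example.invalid iburst" for i in range(4))
FOUR_SERVER_LINES = "\n".join(
    f"server {i}.pool.example.invalid iburst" for i in range(4))
SINGLE_POOL_LINE = "pool 2.pool.example.invalid iburst\n"


def expected_sources(conf_text):
    """Return (total, [(directive, host, count), ...]) for a chrony.conf."""
    total, details = 0, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)
        directive = parts[0].lower()
        if directive not in ("server", "pool") or len(parts) < 2:
            continue
        host, count = parts[1], 1             # "server" == pool with maxsources 1
        if directive == "pool":
            count = DEFAULT_MAXSOURCES
            opts = parts[2:]
            for i, opt in enumerate(opts):   # honour an explicit maxsources N
                if opt.lower() == "maxsources" and i + 1 < len(opts):
                    count = int(opts[i + 1])
        details.append((directive, host, count))
        total += count
    return total, details


def violates_pool_policy(conf_text):
    """True when the config would use more servers than the pool policy allows."""
    return expected_sources(conf_text)[0] > POLICY_LIMIT
```

Running `violates_pool_policy` over the three sample configs shows why the four pool lines (16 sources) are the problem while four server lines or a single pool line (4 sources each) are not.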
Changed in chrony (Ubuntu): status: New → In Progress
FYI: the bug about more IPv6 for the Ubuntu pools is bug 715141.