Time synchronization in guest OS for Hosted Engine VM (for Kerberos)

Hello oVirt gurus!

I want to configure Kerberos authentication (via MS Active Directory) for the oVirt portal. So I need to properly configure the time synchronization for my Hosted Engine VM.

I set up chronyd service in a HE VM for time synchronization from Active Directory domain controllers:

# cat /etc/chrony.conf | grep ^[^#\;]
server 10.1.0.9 iburst
server 10.1.6.8 iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
noclientlog
logchange 0.5
logdir /var/log/chrony

# chronyc tracking
Reference ID : 10.1.0.9 (kom-dc01.holding.com)
Stratum : 4
Ref time (UTC) : Mon Sep 26 17:40:16 2016
System time : 0.000437915 seconds slow of NTP time
Last offset : -0.000789918 seconds
RMS offset : 0.001730987 seconds
Frequency : 13.612 ppm slow
Residual freq : -0.009 ppm
Skew : 0.166 ppm
Root delay : 0.078126 seconds
Root dispersion : 0.126046 seconds
Update interval : 1031.9 seconds
Leap status : Normal

It looks workable. But I think that the service may conflict with the kvm-clock

# cat /sys/devices/system/clocksource/clocksource0/current_clocksource
kvm-clock

# dmesg | grep -i clock
[ 0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00
[ 0.000000] kvm-clock: cpu 0, msr 2:3ff84001, primary cpu clock
[ 0.000000] kvm-clock: using sched offset of 6567130420 cycles
[ 0.538339] kvm-clock: cpu 1, msr 2:3ff84041, secondary cpu clock
[ 0.571323] acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI]
[ 0.663452] Switching to clocksource kvm-clock
[ 1.065348] rtc_cmos 00:00: setting system clock to 2016-09-25 16:16:04 UTC (1474820164)
[ 1.988543] tsc: Refined TSC clocksource calibration: 3166.733 MHz
[ 16.792347] Adjusting kvm-clock more than 11% (9437295 vs 9311354)

Do I need to turn off kvm-clock in virtual machine properties? And how to do it? Please explain the best practice.

Why not use ntp?

Yaniv Dary
Technical Product Manager
Red Hat Israel Ltd.
34 Jerusalem Road
Building A, 4th floor
Ra'anana, Israel 4350109
Tel : +972 (9) 7692306 8272306
Email: ydary@redhat.com
IRC : ydary

On Tue, Sep 27, 2016 at 4:51 PM, <aleksey.maksimov@it-kb.ru> wrote:
No ideas?
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

I think that the NTP-client (chrony) in guest OS may conflict with the kvm-clock (vm guest OS time sync from vm-host). Do I need to turn off kvm-clock in virtual machine properties? And how to do it?
What is not clear in my question?
27.09.2016, 18:24, "aleksey.maksimov@it-kb.ru" <aleksey.maksimov@it-kb.ru>:
I wrote that I had set up the NTP client. The question is not that..
27.09.2016, 17:56, "Yaniv Dary" <ydary@redhat.com>:
Why not use ntp?

You can do that from the edit VM dialog.

Yaniv Dary
Technical Product Manager
Red Hat Israel Ltd.
34 Jerusalem Road
Building A, 4th floor
Ra'anana, Israel 4350109
Tel : +972 (9) 7692306 8272306
Email: ydary@redhat.com
IRC : ydary

On Tue, Sep 27, 2016 at 6:31 PM, <aleksey.maksimov@it-kb.ru> wrote:
I think that the NTP-client (chrony) in guest OS may conflict with the kvm-clock (vm guest OS time sync from vm-host). Do I need to turn off kvm-clock in virtual machine properties? And how to do it?
What is not clear in my question?
27.09.2016, 18:24, "aleksey.maksimov@it-kb.ru" <aleksey.maksimov@it-kb.ru>:
I wrote that I had set up the NTP client. The question is not that..
27.09.2016, 17:56, "Yaniv Dary" <ydary@redhat.com>:
Why not use ntp?

On 27 Sep 2016, at 17:57, aleksey.maksimov@it-kb.ru wrote:
Yaniv, I do not understand how to do it. Can you tell me the steps to do it?
27.09.2016, 18:53, "Yaniv Dary" <ydary@redhat.com>:
You can do that from the edit VM dialog.
I don't think you can
Aleksey, I don't understand what issue you have. Time is getting desynchronized? How did you configure your ntp client? Does it behave the same on different hypervisor? What is the hypervisor OS?
Thanks, michal

Michal, please, read my first message. I have written 3 times that the NTP client works for me. The question is not that. The question is how to disable kvm-clock for a virtual machine?
Do I have to do it at all? If you want, how to do it correctly?
My hypervisors OS - CentOS 7.2
27.09.2016, 19:39, "Michal Skrivanek" <mskrivan@redhat.com>:
On 27 Sep 2016, at 17:57, aleksey.maksimov@it-kb.ru wrote:
Yaniv, I do not understand how to do it. Can you tell me the steps to do it?
27.09.2016, 18:53, "Yaniv Dary" <ydary@redhat.com>:
You can do that from the edit VM dialog.
I don't think you can
Aleksey, I don't understand what issue you have. Time is getting desynchronized? How did you configure your ntp client? Does it behave the same on different hypervisor? What is the hypervisor OS?
Thanks, michal

On 27 Sep 2016, at 18:57, aleksey.maksimov@it-kb.ru wrote:
Michal, please, read my first message. I have written 3 times that the NTP client works for me. The question is not that. The question is how to disable kvm-clock for a virtual machine?
What leads you to think you have to do that? Why?
Do I have to do it at all? If you want, how to do it correctly?
My hypervisors OS - CentOS 7.2
Thanks
27.09.2016, 19:39, "Michal Skrivanek" <mskrivan@redhat.com>:
On 27 Sep 2016, at 17:57, aleksey.maksimov@it-kb.ru wrote:
Yaniv, I do not understand how to do it. Can you tell me the steps to do it?
27.09.2016, 18:53, "Yaniv Dary" <ydary@redhat.com>:
You can do that from the edit VM dialog.
I don't think you can
Aleksey, I don't understand what issue you have. Time is getting desynchronized? How did you configure your ntp client? Does it behave the same on different hypervisor? What is the hypervisor OS?
Thanks, michal

I'm afraid that in the future OS time may get out of sync because of kvm-clock
And as a result Kerberos may stop working
I hope I explained clearly
27.09.2016, 19:59, "Michal Skrivanek" <mskrivan@redhat.com>:
On 27 Sep 2016, at 18:57, aleksey.maksimov@it-kb.ru wrote:
Michal, please, read my first message. I have written 3 times that the NTP client works for me. The question is not that. The question is how to disable kvm-clock for a virtual machine?
What leads you to think you have to do that? Why?

On 27 Sep 2016, at 19:12, aleksey.maksimov@it-kb.ru wrote:
I'm afraid that in the future OS time may get out of sync because of kvm-clock
And as a result Kerberos may stop working
I hope I explained clearly
Sorry, not really. You said you set up ntpd/chrony correctly. So how can the time get out of sync? Why do you think it can be because of kvmclock anyway? Do you refer to some specific bug?
27.09.2016, 19:59, "Michal Skrivanek" <mskrivan@redhat.com>:
On 27 Sep 2016, at 18:57, aleksey.maksimov@it-kb.ru wrote:
Michal, please, read my first message. I have written 3 times that the NTP client works for me. The question is not that. The question is how to disable kvm-clock for a virtual machine?
What leads you to think you have to do that? Why?

No. At the moment I have no sync-time errors. I'm just asking hypothetically
27.09.2016, 20:22, "Michal Skrivanek" <mskrivan@redhat.com>:
On 27 Sep 2016, at 19:12, aleksey.maksimov@it-kb.ru wrote:
I'm afraid that in the future OS time may get out of sync because of kvm-clock
And as a result Kerberos may stop working
I hope I explained clearly
Sorry, not really. You said you set up ntpd/chrony correctly. So how can the time get out of sync? Why do you think it can be because of kvmclock anyway? Do you refer to some specific bug?

On 27 Sep 2016, at 19:26, aleksey.maksimov@it-kb.ru wrote:
No. At the moment I have no sync-time errors. I'm just asking hypothetically
kvmclock is the most accurate clock in Linux guests. Once you hit a bug we can take a look at something, but until then I do not see a reason to modify anything
27.09.2016, 20:22, "Michal Skrivanek" <mskrivan@redhat.com>:
On 27 Sep 2016, at 19:12, aleksey.maksimov@it-kb.ru wrote:
I'm afraid that in the future OS time may get out of sync because of kvm-clock
And as a result Kerberos may stop working
I hope I explained clearly
Sorry, not really. You said you set up ntpd/chrony correctly. So how can the time get out of sync? Why do you think it can be because of kvmclock anyway? Do you refer to some specific bug?

On Tue, 27 Sep 2016 13:22:29 -0400 (EDT) Michal wrote:
MS> > On 27 Sep 2016, at 19:12, aleksey.maksimov@it-kb.ru wrote:
MS> >
MS> > I'm afraid that in the future OS time may get out of sync because of kvm-clock
MS> > And as a result Kerberos may stop working
MS> > I hope I explained clearly
MS>
MS> Sorry, not really. You said you set up ntpd/chrony correctly. So how can the time get out of sync? Why do you think it can be because of kvmclock anyway? Do you refer to some specific bug?

I'd guess that it's a misunderstanding of what kvmclock is. Someone guessing based on the name might think that it keeps the vm time in sync with the host. Which might lead one to think it would conflict with ntp (two different things trying to manage time).

If you know that kvmclock is essentially just a way to monitor the passage of time (tick-tock-tick-tock) using the host's timer, then it makes sense that you also need ntp to tweak the current time to adjust for the minor drift inherent in any clock.

Robert
--
Senior Software Engineer @ Parsons

Robert, you're right. Thanks for clarifying.
28.09.2016, 15:10, "Robert Story" <rstory@tislabs.com>:
On Tue, 27 Sep 2016 13:22:29 -0400 (EDT) Michal wrote:
MS> > On 27 Sep 2016, at 19:12, aleksey.maksimov@it-kb.ru wrote:
MS> >
MS> > I'm afraid that in the future OS time may get out of sync because of kvm-clock
MS> > And as a result Kerberos may stop working
MS> > I hope I explained clearly
MS>
MS> Sorry, not really. You said you set up ntpd/chrony correctly. So how can the time get out of sync? Why do you think it can be because of kvmclock anyway? Do you refer to some specific bug?
I'd guess that it's a misunderstanding of what kvmclock is. Someone guessing based on the name might think that it keeps the vm time in sync with the host. Which might lead one to think it would conflict with ntp (two different things trying to manage time).
If you know that kvmclock is essentially just a way to monitor the passage of time (tick-tock-tick-tock) using the host's timer, then it makes sense that you also need ntp to tweak the current time to adjust for the minor drift inherent in any clock.
Robert
-- Senior Software Engineer @ Parsons
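
The concern in this thread (guest clock offset versus what Kerberos tolerates) can be checked directly from `chronyc tracking`. The script below is an added example, not part of any message in the thread; the function names, the 10% warning threshold, and the assumption that the realm keeps the default 5-minute skew tolerance are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): judge a guest's clock against Kerberos skew tolerance.
KRB_MAX_SKEW=300   # seconds; assumes the realm keeps the default 5-minute tolerance

# Sample trimmed from the `chronyc tracking` output quoted in the first message.
SAMPLE='Reference ID : 10.1.0.9 (kom-dc01.holding.com)
Stratum : 4
System time : 0.000437915 seconds slow of NTP time
Leap status : Normal'

# Read tracking output on stdin; print the signed offset (negative = slow of NTP time).
tracking_offset() {
    awk -F' *: *' '/^System time/ {
        split($2, f, " ")                      # f[1] = seconds, f[3] = slow|fast
        printf "%s%s\n", (f[3] == "slow" ? "-" : ""), f[1]
    }'
}

# Read tracking output on stdin; print the leap status field.
leap_status() {
    awk -F' *: *' '/^Leap status/ { print $2 }'
}

# $1 = tracking output, $2 = skew limit in seconds (optional). Prints OK, WARN or CRIT.
# WARN at 10% of the limit is a threshold chosen for this example.
skew_verdict() {
    off=$(printf '%s\n' "$1" | tracking_offset)
    leap=$(printf '%s\n' "$1" | leap_status)
    # An unsynchronised or unparseable report is treated as critical.
    case "$leap" in ""|"Not synchronised") echo CRIT; return 0 ;; esac
    [ -n "$off" ] || { echo CRIT; return 0; }
    awk -v o="$off" -v m="${2:-$KRB_MAX_SKEW}" 'BEGIN {
        a = o + 0; if (a < 0) a = -a; m = m + 0
        v = (a >= m) ? "CRIT" : ((a >= m / 10) ? "WARN" : "OK")
        print v
    }'
}

# kvm-clock only supplies the tick source; chronyd still corrects the offset.
cs=/sys/devices/system/clocksource/clocksource0/current_clocksource
if [ -r "$cs" ]; then echo "clocksource: $(cat "$cs")"; fi
echo "offset: $(printf '%s\n' "$SAMPLE" | tracking_offset) s -> $(skew_verdict "$SAMPLE")"
```

On a live guest, pass real output instead of the sample: `skew_verdict "$(chronyc tracking)"`.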
participants (4)
- aleksey.maksimov@it-kb.ru
- Michal Skrivanek
- Robert Story
- Yaniv Dary