IKIM-Essen / EMCP-config

IaC configuration of the Essen Medical Computing Platform (EMCP)
BSD 2-Clause "Simplified" License
0 stars 4 forks source link

Ensure intended NTP client is used #203

Open mbargull opened 3 weeks ago

mbargull commented 3 weeks ago

@johanneskoester reported non-synced times on some nodes.

Taking a look at it, I noticed that we have chrony instead of systemd-timesyncd running. We apparently do have

to make sure systemd-timesyncd is set up. But we also have

which brings in chrony as a "recommended" dependency of freeipa-client.

A couple of things we could do:

  1. Install freeipa-client without recommended packages ( https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html#parameter-install_recommends ) in case it's appropriate.
  2. In ntpclient role do things like printf '%s hold\n' ntp chrony | dpkg --set-selections or printf '\nPackage: %s\nPin: release *\nPin-Priority: -1\n' chrony ntp > /etc/apt/preferences.d/pin-no-chrony-ntp . AFAICT, the former could be done via https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dpkg_selections_module.html#ansible-collections-ansible-builtin-dpkg-selections-module instead of doing it "manually".

Just going for 1. is of course not sufficient to prevent the observed failure, so 2. (or something equivalent) should be done in any case and 1. is an optional thing we might consider.

enasca commented 3 weeks ago

My fault, it didn't occur to me that on a fresh host the freeipa installation runs after the ntp role and breaks it. Sorry!

Both suggestions sound reasonable.

mbargull commented 3 weeks ago

My fault, it didn't occur to me that on a fresh host the freeipa installation runs after the ntp role and breaks it. Sorry!

No worries!


I tried the hold/pin stuff out in 22.04 and 24.04 containers.

  1. dpkg --set-selections doesn't like it if listed packages are not installed (apt-mark hold work, though). We could just go with the pinning file to also be a bit more stern about not installing the packages.
  2. For 24.04 we do have a problem though: Recent Debian/Ubuntu freeipa-client packages mark systemd-timesyncd as conflicting, see:

    So, when we'll do a 24.04 upgrade, we'll need to adjust this again. E.g., by switching to chrony -- but I haven't yet looked into which parts need to be adjusted to have that one working.

So, since we might do change it go the other way around and install chrony instead of preventing its installation, I'd say, for now let's only go with the --no-install-recommends option and revisit possible pinnings later.

enasca commented 3 weeks ago

While declaring the timesyncd package conflicting for freeipa-client altogether seems rather ham-fisted, I agree it would be better for us to just switch to chrony.

Thank you Marcel for diving into this!