Description of problem: noVNC console failed to connect when the websocket proxy is configured on a host other than the engine, because the clocks of the engine host and the websocket proxy server are not synced. fkobzik: "The machine with engine was 40 seconds ahead of the host. So engine issues a ticket that is not yet valid on the host..."
Version-Release number of selected component (if applicable): is30
IIRC there was an infra request to NTP sync everything... is it still planned? Even just reporting host clocks would be great, to see they are out of sync. I don't think we should fix this specific case as there are quite likely other races like this.
But the problem is that we tolerate some drift (120 secs by default) but only "to the future". We have 0 tolerance to the past. And even if we have all hosts in sync using NTP, a small drift can still be present, which causes the ticket to be invalid.
Yeah, but if you're NTP-synced it should never exceed the RTT you need for getting the ticket, acting on it in the backend (blazing fast!), and then sending it.
We can have 5 seconds tolerance into the past, no need for more than that in a sane environment. Clock synchronization is a must. Even in a disconnected environment, ntpd can be installed on the engine machine to sync the entire environment.
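The validity-window check discussed in the comments above, as an added example that is not part of the original thread and is not oVirt's code. The ticket layout, key and function names are assumptions; the 120-second lifetime, the 40-second skew and the 5-second past tolerance come from the comments.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed; stands in for the real signing key
LIFETIME = 120                    # seconds a ticket stays valid after issue


def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_ticket(data: str, issuer_now: float) -> dict:
    """Issuer side: the validity window is stamped with the issuer's own clock."""
    body = {"data": data, "valid_from": issuer_now, "valid_to": issuer_now + LIFETIME}
    return {**body, "sig": _sign(body)}


def check_ticket(ticket: dict, verifier_now: float, past_tolerance: float = 0.0) -> str:
    """Verifier side: check the signature, then compare the window to the local clock."""
    body = {k: v for k, v in ticket.items() if k != "sig"}
    if not hmac.compare_digest(_sign(body), str(ticket.get("sig", ""))):
        return "bad-signature"
    # A verifier whose clock is behind the issuer sees a ticket "from the future".
    if verifier_now < ticket["valid_from"] - past_tolerance:
        return "not-yet-valid"
    if verifier_now > ticket["valid_to"]:
        return "expired"
    return "ok"


def demo() -> dict:
    engine_now = 1_000_000.0  # constructed timestamp on the issuer's clock
    ticket = issue_ticket("console:vm-1", engine_now)
    forged = {**ticket, "valid_to": ticket["valid_to"] + 3600}  # window edited, sig stale
    return {
        "proxy 40s behind, tolerance 0": check_ticket(ticket, engine_now - 40),
        "proxy 40s behind, tolerance 5": check_ticket(ticket, engine_now - 40, 5),
        "proxy 3s behind, tolerance 0": check_ticket(ticket, engine_now - 3),
        "proxy 3s behind, tolerance 5": check_ticket(ticket, engine_now - 3, 5),
        "proxy 121s ahead": check_ticket(ticket, engine_now + 121),
        "window tampered": check_ticket(forged, engine_now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A small past tolerance absorbs the residual drift of NTP-synced machines, while the 40-second skew from the report is still rejected and has to be fixed by synchronizing the clocks.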
(In reply to Alon Bar-Lev from comment #4) +1, there should be an infra feature to alert on non-synchronized hosts.
Verified on ovirt-engine 3.5 -rc1. Set the host on which the web socket runs to 1 minute behind the engine, and see that the noVNC console fails to connect. Then sync the time back, and see that the noVNC console is working OK.
Barak, I'm actually still interested in the answer ;-) Are there any plans to manage time keeping between hosts & engine?
This is actually under discussion. The original feature was to enable as a part of the engine setup (whether to install and configure ntpd) and then configure all hypervisors to sync with it. There were various issues with such an implementation:
- it looks like the ntp config should be per DC, as DC may be remote that will influence sync
- post installation this can not be changed without redeploying each DC and ...
Currently we explore the option of integration with foreman (through puppet) to configure the hypervisor's ntp. The time sync influences mostly the migration ...
RHEV-M 3.5.0 has been released