Document URL: https://docs.openshift.com/container-platform/4.2/installing/installing_restricted_networks/installing-restricted-networks-vsphere.html

Section Number and Name: Networking requirements for user-provisioned infrastructure

Describe the issue: The OpenShift nodes should set up clock sync with an NTP server even in a restricted network. It is better to include NTP-related topics in the documentation. If a DHCP server provides NTP server information, RHCOS's chronyd reads the information and can sync the clock with the NTP servers.

Suggestions for improvement: Add NTP-related statements like this:

~~~
The OpenShift nodes should set up clock sync with an NTP server even in a restricted network. Example settings for DHCP using dnsmasq:

```
$ cat /etc/dnsmasq.conf
...
dhcp-option=option:ntp-server,<ntp.server.ip1>,<ntp.server.ip2>
...
```
~~~
This PR adds the existing information about configuring chrony to the restricted network installs: https://github.com/openshift/openshift-docs/pull/27240 Jianlin, will you PTAL?
I got some update from the CoreOS team on this when we were discussing https://bugzilla.redhat.com/show_bug.cgi?id=1879887#c13. Per that thread, I got a conclusion: For all versions >=4.5 on gcp/aws/azure, we do not need this chrony.conf modification any more; for other platforms, it is still needed. For all versions <4.5, all platforms still need it. If anything is wrong, please correct me, cc @walters.
Hmm...we tried to backport the time sync change to 4.4 but that may not have gone fully through. I'll look at that. Might have only landed in a later version of 4.4, not the original 4.4. But after upgrading, it should work to delete the custom chrony configuration after the 4.5 upgrade is complete as a "day 2" operation, though I didn't explicitly test that. IOW let's test+document something like this: "In OpenShift 4.5 and above, RHCOS contains logic to use provider-specific time synchronization servers by default that are accessible even on restricted networks, so it is no longer necessary to customize the platform to use a private NTP server. If you have provided a configuration, after the update to 4.5 (or above) is successful, you can e.g. `oc delete machineconfig/99-custom-chrony-config`."
OK I just checked, we apparently only backported the fix for Azure to 4.4, not including AWS and GCP.
> I just checked, we apparently only backported the fix for Azure to 4.4, not including AWS and GCP.

ACK. In my 4.4 cluster, the Azure cluster has this PR, but AWS does not.
> If you have provided a configuration, after the update to 4.5 (or above) is successful, you can e.g. `oc delete machineconfig/99-custom-chrony-config`.

I tried this scenario, but it seems like the private NTP server still exists in /etc/chrony.conf after I run `oc delete mc master-chrony-configuration worker-chrony-configuration`.

```
$ oc delete mc master-chrony-configuration worker-chrony-configuration
machineconfig.machineconfiguration.openshift.io "master-chrony-configuration" deleted
machineconfig.machineconfiguration.openshift.io "worker-chrony-configuration" deleted

$ oc get mc
NAME                                                        GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                                   bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             93m
00-worker                                                   bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             93m
01-master-container-runtime                                 bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             93m
01-master-kubelet                                           bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             93m
01-worker-container-runtime                                 bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             93m
01-worker-kubelet                                           bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             93m
99-master-79567c4b-0de2-4da1-8317-e8b8420c18a9-registries   bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             93m
99-master-generated-crio-capabilities                                                                  2.2.0             28m
99-master-ssh                                                                                          2.2.0             94m
99-worker-908f0c52-ca6d-419a-b252-e06cfc8eb7f4-registries   bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             93m
99-worker-generated-crio-capabilities                                                                  2.2.0             28m
99-worker-ssh                                                                                          2.2.0             94m
rendered-master-45e3f7c077d10297a7d33be45c7599f0            c96f5b0bfa95eabf4e4fe64068b14eef965f5e22   2.2.0             93m
rendered-master-cdfc0577af77fce45766fed82d967e43            bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             27m
rendered-worker-72881e1a461126e2a4d203c1a9291772            c96f5b0bfa95eabf4e4fe64068b14eef965f5e22   2.2.0             93m
rendered-worker-887249c39f64447bb5ab140acc460c2a            bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             27m

$ oc get mc
NAME                                                        GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                                   bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             94m
00-worker                                                   bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             94m
01-master-container-runtime                                 bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             94m
01-master-kubelet                                           bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             94m
01-worker-container-runtime                                 bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             94m
01-worker-kubelet                                           bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             94m
99-master-79567c4b-0de2-4da1-8317-e8b8420c18a9-registries   bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             94m
99-master-generated-crio-capabilities                                                                  2.2.0             28m
99-master-ssh                                                                                          2.2.0             94m
99-worker-908f0c52-ca6d-419a-b252-e06cfc8eb7f4-registries   bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             94m
99-worker-generated-crio-capabilities                                                                  2.2.0             28m
99-worker-ssh                                                                                          2.2.0             94m
rendered-master-45e3f7c077d10297a7d33be45c7599f0            c96f5b0bfa95eabf4e4fe64068b14eef965f5e22   2.2.0             94m
rendered-master-cdfc0577af77fce45766fed82d967e43            bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             28m
rendered-master-ce54a3bcd25f0b5d31d137b9a5525576            bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             23s
rendered-worker-72881e1a461126e2a4d203c1a9291772            c96f5b0bfa95eabf4e4fe64068b14eef965f5e22   2.2.0             94m
rendered-worker-887249c39f64447bb5ab140acc460c2a            bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             28m
rendered-worker-eb087cbce3eca619b9bc36afe0290402            bc4ece5c0409f288eed8aa74b11fb646fc02226e   2.2.0             23s
```

After the new machineconfig is rolled out and applied to all nodes, check the NTP server setting.

```
$ oc describe node |grep machineconfig
machineconfiguration.openshift.io/currentConfig: rendered-worker-eb087cbce3eca619b9bc36afe0290402
machineconfiguration.openshift.io/desiredConfig: rendered-worker-eb087cbce3eca619b9bc36afe0290402
machineconfiguration.openshift.io/reason:
machineconfiguration.openshift.io/state: Done
machineconfiguration.openshift.io/currentConfig: rendered-master-ce54a3bcd25f0b5d31d137b9a5525576
machineconfiguration.openshift.io/desiredConfig: rendered-master-ce54a3bcd25f0b5d31d137b9a5525576
machineconfiguration.openshift.io/reason:
machineconfiguration.openshift.io/state: Done
machineconfiguration.openshift.io/currentConfig: rendered-master-ce54a3bcd25f0b5d31d137b9a5525576
machineconfiguration.openshift.io/desiredConfig: rendered-master-ce54a3bcd25f0b5d31d137b9a5525576
machineconfiguration.openshift.io/reason:
machineconfiguration.openshift.io/state: Done
machineconfiguration.openshift.io/currentConfig: rendered-worker-eb087cbce3eca619b9bc36afe0290402
machineconfiguration.openshift.io/desiredConfig: rendered-worker-eb087cbce3eca619b9bc36afe0290402
machineconfiguration.openshift.io/reason:
machineconfiguration.openshift.io/state: Done
machineconfiguration.openshift.io/currentConfig: rendered-master-ce54a3bcd25f0b5d31d137b9a5525576
machineconfiguration.openshift.io/desiredConfig: rendered-master-ce54a3bcd25f0b5d31d137b9a5525576
machineconfiguration.openshift.io/reason:
machineconfiguration.openshift.io/state: Done
machineconfiguration.openshift.io/currentConfig: rendered-worker-eb087cbce3eca619b9bc36afe0290402
machineconfiguration.openshift.io/desiredConfig: rendered-worker-eb087cbce3eca619b9bc36afe0290402
machineconfiguration.openshift.io/reason:
machineconfiguration.openshift.io/state: Done

$ oc debug node/ip-10-0-51-227.us-east-2.compute.internal
Creating debug namespace/openshift-debug-node-4lbmw ...
Starting pod/ip-10-0-51-227us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.51.227
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# chronyc tracking
Reference ID    : 0A00073C (ip-10-0-7-60.us-east-2.compute.internal)
Stratum         : 3
Ref time (UTC)  : Fri Nov 13 11:19:24 2020
System time     : 0.000002166 seconds fast of NTP time
Last offset     : +0.000000210 seconds
RMS offset      : 0.000019035 seconds
Frequency       : 1.533 ppm fast
Residual freq   : +0.000 ppm
Skew            : 0.080 ppm
Root delay      : 0.040578343 seconds
Root dispersion : 0.001184455 seconds
Update interval : 64.7 seconds
Leap status     : Normal
sh-4.4# cat /etc/chrony.conf
pool ip-10-0-7-60.us-east-2.compute.internal iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
```

Here ip-10-0-7-60.us-east-2.compute.internal is my original NTP server set in the 4.4 fresh install. Does MCO support restoring file contents after deleting the original machineconfig? From my test result, it seems not, or do I miss anything?
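A constructed example, not code from this bug thread or from the OpenShift docs: it generates the per-role chrony MachineConfig that the thread deletes (using the `<role>-chrony-configuration` names and the Ignition 2.2.0 file layout the docs use for such configs, which is an assumption here) and then runs the same day-2 check done above with `oc debug`, reading a captured `/etc/chrony.conf` and reporting whether a given private NTP server is still referenced on a `server`/`pool` line.

```shell
#!/bin/sh
# Constructed example: build the per-role chrony MachineConfig (Ignition 2.2.0
# data: URL layout, assumed from the OpenShift docs) and check a captured
# chrony.conf for a leftover private NTP server after the MachineConfig is deleted.

# Emit a chrony.conf that points at the given private NTP servers.
chrony_conf() {
  for s in "$@"; do
    printf 'server %s iburst\n' "$s"
  done
  printf 'driftfile /var/lib/chrony/drift\nmakestep 1.0 3\nrtcsync\nlogdir /var/log/chrony\n'
}

# Print a MachineConfig for role $1 (master|worker) that embeds chrony.conf for
# the remaining args as a base64 data: URL; named <role>-chrony-configuration
# as in the thread above.
chrony_mc() {
  role=$1; shift
  b64=$(chrony_conf "$@" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: ${role}
  name: ${role}-chrony-configuration
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,${b64}
        filesystem: root
        mode: 420
        path: /etc/chrony.conf
EOF
}

# Day-2 check: read a chrony.conf (e.g. `cat /etc/chrony.conf` from oc debug) on
# stdin and succeed only if it still names NTP server $1 on a server/pool line.
chrony_conf_has_server() {
  grep -Eq "^(server|pool)[[:space:]]+$1([[:space:]]|\$)"
}
```

Pipe the MachineConfig into `oc apply -f -`, or feed a chrony.conf captured from a node into `chrony_conf_has_server` to confirm the private server is gone after the deletion rolls out.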
> Here ip-10-0-7-60.us-east-2.compute.internal is my original NTP server set in the 4.4 fresh install. Does MCO support restoring file contents after deleting the original machineconfig? From my test result, it seems not, or do I miss anything?

It should. Do you have a kubeconfig for this cluster?
Jianlin, will you PTAL another look? https://github.com/openshift/openshift-docs/pull/27240 Because 4.4 is EOL, only the 4.5+ changes are still valid.
Most of it looks good to me, just a minor comment in the PR.
I responded in the PR. The typo is pre-existing, and I would rather not change it because we'd lose the file edit history. I will update it if you'd like, though.
If it brings some trouble for you, I am okay with the typo. Of course, if we can correct it, that would be better; it's your call now.
This change is live, e.g.: https://docs.openshift.com/container-platform/4.7/installing/installing_bare_metal/installing-restricted-networks-bare-metal.html#installation-special-config-chrony_installing-restricted-networks-bare-metal
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days