Spec: undercloud-ntp-server - Add NTP services to Undercloud

This spec describes adding an NTP server to the Undercloud in
order to provide time syncing for overcloud nodes when an external
NTP server is not available.

By adding an NTP server to the Undercloud, and making its usage
optional, we allow for proof-of-concept deployments without Internet
access. This also removes a dependency on an external resource for
CI jobs.

The NTP server will be configured by the Undercloud installation
scripts. We may want to add validation to ensure that this local
NTP server can reach a stratum-1 server, or warn that the time
may be inaccurate if no server can be reached from the Undercloud.

Change-Id: Ia6ed8e8d6ebf40892cb232e39de91630c12bba48
This commit is contained in:
Dan Sneddon 2016-08-03 11:28:25 -07:00
parent 5becb56cc0
commit 82a5f49eb2
1 changed files with 142 additions and 0 deletions

View File

@ -0,0 +1,142 @@
=============================
TripleO Undercloud NTP Server
=============================
The Undercloud should provide NTP services for when external NTP services are
not available.
Problem Description
===================
NTP services are required to deploy with HA, but we rely on external services.
This means that TripleO can't be installed without Internet access or a local
NTP server.
This has several drawbacks:
* The NTP server is a potential point of failure, and it is an external
dependency.
* Isolated deployments without Internet access are not possible without
additional effort (manually deploying an NTP server).
* Infra CI is dependent on an external resource, leading to potential
false negative test runs or CI failures.
Proposed Change
===============
Overview
--------
In order to address this problem, the Undercloud installation process should
include setting up an NTP server on the local Undercloud. The use of this
NTP server would be optional, but we may wish to make it a default. Having
a default is better than none, since HA deployments will fail without time
synchronization between the controller cluster members.
The operation of the NTP server on the Undercloud would be primarily of use
in small or proof-of-concept deployments. It is expected that sufficiently
large deployments will have an infrastructure NTP server already operating
locally.
Alternatives
------------
The alternative is to continue to require external NTP services, or to
require manual steps to set up a local NTP server.
Security Impact
---------------
Since the NTP server is required for syncing the HA, a skewed clock on one
controller (in relation to the other controllers) may make it ineligable to
participate in the HA cluster. If more than one controller's clock is skewed,
the entire cluster will fail to operate. This opens up an opportunity for
denial-of-service attacks against the cloud, either by causing NTP updates
to fail, or using a man-in-the-middle attack where deliberately false NTP
responses are returned to the controllers.
Of course, operating the NTP server on the Undercloud moves that attack
vector down to the Undercloud, so sufficient security hardening should be done
on the Undercloud and/or the attached networks. We may wish to bind the NTP
server only to the provisioning (control plane) network.
Other End User Impact
---------------------
This may make the life of the installer easier, since they don't need to open
a network connection to an NTP server or set up a local NTP server.
Performance Impact
------------------
The operation of the NTP server should have a negligible impact on Undercloud
performance. It is a lightweight protocol and the daemon requires little
resources.
Other Deployer Impact
---------------------
We now require that a valid NTP server be configured either in the templates
or on the deployment command-line. This requirement would be optional if we had
a default pointing to NTP services on the Undercloud.
Developer Impact
----------------
None
Implementation
==============
Assignee(s)
-----------
Primary assignees:
* dsneddon@redhat.com
* bfournie@redhat.com
Work Items
----------
The TripleO Undercloud installation scripts will have to be modified to include
the installation and configuration of an NTP server. This will likely be done
using a composable service for the Undercloud, with configuration data taken
from undercloud.conf. The configuration should include a set of default NTP
servers which are reachable on the public Internet for when no servers are
specified in undercloud.conf.
Implement opening up iptables for NTP on the control plane network (bound to
only one IP/interface [ctlplane] if possible).
Dependencies
============
The NTP server RPMs must be installed, and upstream NTP servers must be
identified (although we might configure a default such as pool.ntp.org)
Testing
=======
Since proper operation of the NTP services are required for successful
deployment of an HA overcloud, this functionality will be tested every time
a TripleO CI HA job is run.
We may also want to implement a validation that ensures that the NTP server
can reach its upstream stratum 1 servers. This will ensure that the NTP
server is serving up the correct time. This is optional, however, since the
only dependency is that the overcloud nodes agree on the time, not that it
be correct.
Documentation Impact
====================
The setup and configuration of the NTP server should be documented. Basic NTP
best practices should be communicated.
References
==========
* [1] - Administration Guide Draft/NTP - Fedora Project
https://fedoraproject.org/wiki/Administration_Guide_Draft/NTP