Hi John,
On Thu, Apr 11, 2019 at 10:33:51AM -0800, John Thurston wrote:
> > So it might be an idea to drop the "-p 1" completely.
> That seems premature. The fact that ntpsec has dropped the parameter does not make it common or standard.
I expect ntpsec to become standard in the near future. See https://www.ntpsec.org/FAQ.html#_why_ntpsec why.
I must admit, though, that we're still far away from there, at least in Debian: https://qa.debian.org/popcon-graph.php?packages=ntpsec%2Cntpsec-ntpdate%2Cnt...
But a decline of ntp installations is clearly visible in that graph (probably due to systemd also providing a time service, though).
And ntpsec is not yet available in a Debian Stable release, but will be in the upcoming Debian 10 release "buster".
And what also just became clear to me is that only the ntp-announce mailing list is dead with only a single mail since mid 2015 (cf. http://lists.ntp.org/pipermail/announce/), but there seems to be at least about 1 security update per year: http://support.ntp.org/bin/view/Main/SecurityNotice
Maybe forking off ntpsec in 2015 was a kinda wakeup call, at least the amount of security fixes in 2016 was much higher than in the years afterwards.
> Dropping the "-p 1" option means ntpdate will attempt to collect more than one time sample before returning. In all man pages I've consulted the default value for "samples" is 4. Which means that each non-answering server will block that xymonnet queue for three additional seconds.
Yes, I am aware of that. This only has an impact on bigger setups with more than approx. 75 hosts to monitor. (And yes, I ran into exactly that issue previously when Xymon still had "-p 2" in there.)
> If you're using ntpsec, I don't think it is unreasonable to expect you to tweak that parameter on your own server.
Yes, and that's what I did.
I nevertheless think it is as reasonable to expect you to tweak that parameter on your own server if you run a big setup. BTDT.
> I don't think it is reasonable to build in a 4x longer delay for everyone.
I think Xymon should support both variants by using default settings which work with both implementations.
But maybe it should indeed do that only with a later release, when ntpsec has gained more traction and is available in more stable distributions.
Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5         /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe at deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe at noone.org  X   https://axel.beckert.ch/
                              / \  I love long mails: https://email.is-not-s.ms/