OSDOCS#9399: Added NTP/UDP 123 port in network connectivity requirements table #75863
Conversation
sr1kar99
changed the title
openshift-ci
bot
added
the
size/XS
|
🤖 Thu May 16 06:09:27 - Prow CI generated the docs preview: |
sr1kar99
force-pushed
the
9399-adding-ntp-123-port-in-net-con-req
branch
from
83cef82
to
247c4de
Compare
|
@sr1kar99: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
@dushyantu2: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@aleskandro |
|
/cc @jinyunma @zhaozhanqi |
| @@ -183,6 +183,10 @@ the Cluster Version Operator on port `9099`. | |||
| |N/A | |||
| |IPsec Encapsulating Security Payload (ESP) | |||
|
|
|||
| |NTP | |||
| |`123` | |||
| |Network Time Protocol (NTP) over UDP port `123` | |||
There was a problem hiding this comment.
Checked on OCP cluster deployed on azure platform, it uses chronyd and the /dev/ptp device(Azure host time) for ntp time sync.
# systemctl status chronyd.service
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/chronyd.service.d
└─platform-chrony.conf
Active: active (running) since Tue 2024-05-21 09:19:48 UTC; 2h 0min ago
Docs: man:chronyd(8)
man:chrony.conf(5)
Main PID: 1137 (chronyd)
Tasks: 1 (limit: 204808)
Memory: 3.3M
CPU: 1.659s
CGroup: /system.slice/chronyd.service
└─1137 /usr/sbin/chronyd -F 2 -f /run/coreos/platform-chrony.conf
May 21 09:19:48 jima21c-rzc9l-master-0 systemd[1]: Starting NTP client/server...
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: Loaded 0 symmetric keys
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: Frequency -20.121 +/- 5.347 ppm read from /var/lib/chrony/drift
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: Using right/UTC timezone to obtain leap second data
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: Loaded seccomp filter (level 2)
May 21 09:19:48 jima21c-rzc9l-master-0 systemd[1]: Started NTP client/server.
May 21 09:20:12 jima21c-rzc9l-master-0 chronyd[1137]: Selected source PHC0
May 21 09:20:12 jima21c-rzc9l-master-0 chronyd[1137]: System clock TAI offset set to 37 seconds
# netstat -tunlp | grep chrony
udp 0 0 127.0.0.1:323 0.0.0.0:* 1137/chronyd
udp6 0 0 ::1:323 :::* 1137/chronyd
When checking port used by chronyd service, didn't find chronyd listening on port 123 for NTP requests from clients. And on running OCP cluster (communication on port 123 is not allowed between machines), chronyd service was running well and didn't find any errors.
What's the scenario that needs to open port 123? what's the error if port 123 is not opened?
There was a problem hiding this comment.
@dushyantu2
Could you PTAL at the above query?
Thanks!
There was a problem hiding this comment.
@sr1kar99
On a node, when chronyd service starts, it listens on 323 UDP port. But when a node/system syncs time with the NTP time servers, the transactions of requests/responses happens on 123 UDP port.
There was a problem hiding this comment.
@dushyantu2 OCP cluster deployed on azure platform use Azure host time via ptp device to sync time by default, seems no need 123 UDP port, 123 UDP port will be used if any external NTP time server is configured, is that right? correct me if I'm wrong.
There was a problem hiding this comment.
@jinyunma Yes you are correct.
Can we mention this thing in our documentation?
There was a problem hiding this comment.
You mean that if any external NTP time server is configured, then open 123 UDP port? if so, I'm okay with that.
There was a problem hiding this comment.
Yes If there is external NTP time server then 123/UDP port must be opened
Version(s):
4.12+
Issue:
OSDOCS-9399
Link to docs preview:
Ports used for all-machine to all-machine communications
QE review: