OSDOCS#9399: Added NTP/UDP 123 port in network connectivity requirements table #75863
🤖 Thu May 16 06:09:27 - Prow CI generated the docs preview:

83cef82 to 247c4de

@sr1kar99: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

/lgtm

@dushyantu2: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@aleskandro

/cc @jinyunma @zhaozhanqi

@@ -183,6 +183,10 @@ the Cluster Version Operator on port `9099`. | |||
|N/A | |||
|IPsec Encapsulating Security Payload (ESP) | |||
|
|||
|NTP | |||
|`123` | |||
|Network Time Protocol (NTP) over UDP port `123` |
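
Review bot: The description cell of the added `123` row states the port as an unconditional requirement, while the review thread on this row concludes that UDP port 123 is needed only when an external NTP time server is configured. Suggest extending the cell, for example: "Network Time Protocol (NTP) on UDP port `123`. If an external NTP time server is configured, you must open UDP port `123`." Separately, the first cell of the new row reads `NTP` although the description names UDP as the transport; if that column holds the protocol, it should read `UDP`.
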
Checked on an OCP cluster deployed on the Azure platform; it uses chronyd and the /dev/ptp device (Azure host time) for NTP time sync.
```
# systemctl status chronyd.service
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/chronyd.service.d
             └─platform-chrony.conf
     Active: active (running) since Tue 2024-05-21 09:19:48 UTC; 2h 0min ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
   Main PID: 1137 (chronyd)
      Tasks: 1 (limit: 204808)
     Memory: 3.3M
        CPU: 1.659s
     CGroup: /system.slice/chronyd.service
             └─1137 /usr/sbin/chronyd -F 2 -f /run/coreos/platform-chrony.conf
May 21 09:19:48 jima21c-rzc9l-master-0 systemd[1]: Starting NTP client/server...
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: Loaded 0 symmetric keys
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: Frequency -20.121 +/- 5.347 ppm read from /var/lib/chrony/drift
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: Using right/UTC timezone to obtain leap second data
May 21 09:19:48 jima21c-rzc9l-master-0 chronyd[1137]: Loaded seccomp filter (level 2)
May 21 09:19:48 jima21c-rzc9l-master-0 systemd[1]: Started NTP client/server.
May 21 09:20:12 jima21c-rzc9l-master-0 chronyd[1137]: Selected source PHC0
May 21 09:20:12 jima21c-rzc9l-master-0 chronyd[1137]: System clock TAI offset set to 37 seconds
# netstat -tunlp | grep chrony
udp 0 0 127.0.0.1:323 0.0.0.0:* 1137/chronyd
udp6 0 0 ::1:323 :::* 1137/chronyd
```
When checking the port used by the chronyd service, I didn't find chronyd listening on port 123 for NTP requests from clients. And on a running OCP cluster (communication on port 123 is not allowed between machines), the chronyd service was running well and I didn't find any errors.
What's the scenario that needs port 123 to be open? What's the error if port 123 is not opened?
@dushyantu2
Could you PTAL at the above query?
Thanks!
@sr1kar99
On a node, when the chronyd service starts, it listens on UDP port 323. But when a node/system syncs time with the NTP time servers, the request/response transactions happen on UDP port 123.
@dushyantu2 An OCP cluster deployed on the Azure platform uses Azure host time via the PTP device to sync time by default, so it seems there is no need for UDP port 123. UDP port 123 will be used if any external NTP time server is configured, is that right? Correct me if I'm wrong.
@jinyunma Yes, you are correct.
Can we mention this thing in our documentation?
You mean that if any external NTP time server is configured, then open UDP port 123? If so, I'm okay with that.
Yes. If there is an external NTP time server, then port 123/UDP must be opened.
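
Added example (not part of the PR or of any reviewer's comment): a check, run over a node's chrony configuration text, for the condition this thread settles on, namely whether a network NTP source is configured and outbound UDP port 123 is therefore needed. The function name `analyze_chrony_conf` and both sample configurations are constructed for illustration; sources are assumed to use the default NTP port, and `include`, `confdir` and `sourcedir` directives are not followed.

```python
NETWORK_SOURCES = {"server", "pool", "peer"}   # reached over NTP, destination UDP 123
COMMENT_MARKERS = "#;!%"                       # comment prefixes accepted in chrony.conf

# Constructed sample: time comes from a PTP hardware clock, no network source.
PHC_ONLY_CONF = """\
# host clock exposed as a PTP hardware clock
refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
driftfile /var/lib/chrony/drift
"""

# Constructed sample: external NTP servers configured (documentation addresses).
EXTERNAL_NTP_CONF = """\
pool ntp.example.com iburst
server 192.0.2.10 iburst
driftfile /var/lib/chrony/drift
"""


def analyze_chrony_conf(text):
    """Report which time sources a chrony.conf body defines."""
    ntp_sources, refclocks = [], []
    allow = peer = broadcast = False
    port = 123                                  # chronyd default NTP server port
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in COMMENT_MARKERS:
            continue
        directive, args = fields[0].lower(), fields[1:]
        if directive in NETWORK_SOURCES and args:
            ntp_sources.append(args[0])
            peer = peer or directive == "peer"
        elif directive == "refclock" and len(args) >= 2:
            refclocks.append(f"{args[0]} {args[1]}")
        elif directive == "allow":
            allow = True
        elif directive == "broadcast":
            broadcast = True
        elif directive == "port" and args and args[0].isdigit():
            port = int(args[0])
    return {
        "ntp_sources": ntp_sources,
        "refclocks": refclocks,
        # Outbound UDP 123 is needed only when a network NTP source exists.
        "needs_udp_123_egress": bool(ntp_sources),
        # chronyd opens its NTP server port only for allow, peer or broadcast.
        "opens_ntp_server_port": port != 0 and (allow or peer or broadcast),
    }
```

For the PHC-only sample the result matches the `netstat` output quoted in the thread: no network source, so no traffic to port 123, and no NTP server socket, leaving only the command port 323 on loopback.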
Version(s):
4.12+
Issue:
OSDOCS-9399
Link to docs preview:
Ports used for all-machine to all-machine communications
QE review: