Re: [chrony-users] Changing hostnames for chronyc sources and sourcestats results


On Tue, Nov 26, 2019 at 05:14:41PM +0000, Kohr, Alexander wrote:
> In my opinion, having just an ntpnames command would be much less useful than being able to display that information in the sources and sourcestats outputs, especially in light of SSL being integrated into ntp.

Ok. New options to select what information is printed in the
IP/Address column of the sources/sourcestats commands make most sense
to me. I'd rather avoid printing more information in that column. 

> I also suspect that as part of the SSL related work you are
> going to be making modifications to the current chrony commands and/or some new chronyc commands to provide feedback on SSL status. So maybe adding a/some new command/s to display SSL connection status information about the remote servers might be a way to integrate the configured hostname and actual IP address information into chronyc output along with those new outputs, for instance whether each of the sources is supposed to be connecting via SSL or not, and if each of their related SSL connections is working or not, and, if it is not, possibly a helpful error message or the OpenSSL error codes.

The "ntpdata" command currently just prints Authenticated yes or no.
I was thinking about a new "ntsdata" command that would display
information specific to NTS. TLS-specific errors might go to the
system log. 

There is a complication with NTS, that the NTS-KE server (using TLS)
may be separate from the NTP server. So there are actually two
hostnames/addresses per NTP source. I think "sources" should display
the NTP server and "ntsdata" the NTS-KE server, or maybe both.

> Though the more I think about it, you could just use the normal "sources state" column of the sources output with either the normal ? for unreachable or maybe a new character code specific to a failed SSL connection for an SSL source, and make people look in the chronyd logs for the actual SSL issues and/or use openssl to debug the issue.

That's an interesting idea. Currently all the codes come from the
source selection algorithm. It doesn't know why a source is
unreachable, whether there is a network problem, authentication
failure, or something else.

Miroslav Lichvar
