::: Virtual Aleph ::: Virtualization Techniques: Are you synchronized?


17 December, 2007

Are you synchronized?

One of the most important things in an enterprise infrastructure is being synchronized with the rest of the world. For this we use NTP (Network Time Protocol) servers. With ESX we synchronize the physical hosts to external time sources and then tick the "synchronize with host" check box inside the VMware Tools window of each virtual machine.
Let's have a deeper look at the ESX configuration with an external NTP source. As sources we can use the three pools that VMware gives as an example in its knowledge base article.
The three NTP servers are the following (the recommendation here is to edit /etc/hosts and insert the three entries). Bear in mind that pool.ntp.org names rotate between many volunteer servers, so pinned addresses, and the firewall rules below that depend on them, have to be re-checked from time to time:
194.185.27.180 0.vmware.pool.ntp.org
88.33.54.219 1.vmware.pool.ntp.org
212.97.63.99 2.vmware.pool.ntp.org

As often happens (and it is desirable), ESX hosts sit behind a firewall, so let's issue some iptables commands to open UDP port 123 to and from the Internet, restricted to the VMware NTP pool addresses. These rules go on the perimeter firewall; lan-to-internet, internet-to-lan and allowed are the names of that firewall's own chains, and Our_Host stands for the address of the ESX service console. Note that --sport 123 only matches traffic sent by ntpd itself, which uses port 123 as its source; a manual test with ntpdate -u uses an unprivileged source port and would be dropped by these rules. On ESX 3.x the service console also has its own firewall, where the NTP client must be opened as well (esxcfg-firewall --enableService ntpClient):

iptables -A lan-to-internet -s Our_Host -d 212.97.63.99 -p UDP --dport 123 --sport 123 -j allowed
iptables -A lan-to-internet -s Our_Host -d 88.33.54.219 -p UDP --dport 123 --sport 123 -j allowed
iptables -A lan-to-internet -s Our_Host -d 194.185.27.180 -p UDP --dport 123 --sport 123 -j allowed
iptables -A internet-to-lan -d Our_Host -s 212.97.63.99 -p UDP --dport 123 --sport 123 -j allowed
iptables -A internet-to-lan -d Our_Host -s 88.33.54.219 -p UDP --dport 123 --sport 123 -j allowed
iptables -A internet-to-lan -d Our_Host -s 194.185.27.180 -p UDP --dport 123 --sport 123 -j allowed

Now we must edit the /etc/ntp.conf file so that it reads as follows. Compared with the bare kod nomodify notrap, the default restriction below also carries nopeer and noquery: without them ntpd answers ntpq/ntpdc control queries from, and accepts symmetric peering with, any host that can reach port 123, which is not something a time client exposed to the Internet needs to do. Localhost keeps an unrestricted line so that ntpq -p still works on the console:

# loopback is unrestricted: needed for ntpq/ntpdc on the console itself
restrict 127.0.0.1
# everyone else: serve time only; no config changes, no traps, no peering, no control queries
restrict default kod nomodify notrap nopeer noquery

server 0.vmware.pool.ntp.org
server 1.vmware.pool.ntp.org
server 2.vmware.pool.ntp.org

driftfile /var/lib/ntp/drift

Last but not least, start the ntpd service (service ntpd start) and configure its automatic startup with chkconfig --level 234 ntpd on (runlevel 3 is the one the service console actually runs in). Then verify with ntpq -p: after a few minutes one of the servers should be marked with an asterisk as the selected source and its reach column should climb to 377, which means the last eight polls were all answered. A server that stays at .INIT. with reach 0 is usually a sign that the firewall rules above are not letting the replies back in.
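The whole procedure above can be driven from one list of servers. The script below is an added example and is not the original post's code: it prints the firewall rules and the ntp.conf for a given server list (the chain names lan-to-internet, internet-to-lan and allowed and the placeholder Our_Host are the post's own; the function names and the MAX_OFFSET_MS threshold are assumptions), and it checks the output of ntpq -pn the way you would by eye, looking for a selected peer whose offset is within tolerance. The ntpq output it parses is constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example: generate the firewall rules and ntp.conf for a list of NTP
# servers, and check `ntpq -pn` output for a healthy, selected peer.
# Chain names and Our_Host are from the post; everything else is assumed here.

# gen_iptables HOST IP...  -> prints the outbound and inbound rule for each IP
gen_iptables() {
    host="$1"; shift
    for ip in "$@"; do
        printf 'iptables -A lan-to-internet -s %s -d %s -p udp --dport 123 --sport 123 -j allowed\n' "$host" "$ip"
        printf 'iptables -A internet-to-lan -d %s -s %s -p udp --dport 123 --sport 123 -j allowed\n' "$host" "$ip"
    done
}

# gen_ntp_conf SERVER... -> prints an ntp.conf. nopeer/noquery stop the daemon
# from peering with or answering ntpq/ntpdc control queries from arbitrary
# hosts; 127.0.0.1 stays unrestricted so a local ntpq -p still works.
gen_ntp_conf() {
    printf 'restrict 127.0.0.1\n'
    printf 'restrict default kod nomodify notrap nopeer noquery\n'
    for s in "$@"; do
        printf 'server %s iburst\n' "$s"
    done
    printf 'driftfile /var/lib/ntp/drift\n'
}

# check_sync MAX_OFFSET_MS  <ntpq-pn-output
# Exit 0 only if some peer is the selected source ('*' tally mark) and its
# offset (column 9 of ntpq -pn, in milliseconds) is within MAX_OFFSET_MS.
check_sync() {
    awk -v max="${1:-500}" '
        /^\*/ { off = $9 + 0; if (off < 0) off = -off; if (off <= max) ok = 1 }
        END   { exit (ok ? 0 : 1) }'
}

# Constructed sample of `ntpq -pn` output (not a real capture): one selected
# peer, one candidate, one server that has never answered.
SAMPLE_GOOD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*194.185.27.180  192.0.2.1        2 u   45   64  377   12.345   -1.234   0.456
+88.33.54.219    .GPS.            1 u   30   64  377   20.111    3.210   1.002
 212.97.63.99    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed sample where nothing has been reached yet: no peer is selected,
# which is what a blocked UDP/123 return path looks like.
SAMPLE_BAD=' 194.185.27.180  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 88.33.54.219    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Typical use on the console: review the generated rules and config first,
# then pipe real `ntpq -pn` output into check_sync instead of the sample.
gen_iptables Our_Host 194.185.27.180 88.33.54.219 212.97.63.99
gen_ntp_conf 0.vmware.pool.ntp.org 1.vmware.pool.ntp.org 2.vmware.pool.ntp.org
if printf '%s\n' "$SAMPLE_GOOD" | check_sync 500; then echo 'sync OK'; else echo 'NOT in sync'; fi
```

On a live host you would redirect gen_ntp_conf into /etc/ntp.conf and feed the rule lines to the firewall, then run `ntpq -pn | check_sync 500` from cron or a monitoring check so that a silently drifting host is noticed before Kerberos or log correlation starts to suffer.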

It is not compulsory to use the VMware pools, and there are different schools of thought about synchronizing virtual machines: some, for example, prefer to synchronize domain controllers directly with an external source rather than ticking the check box inside VMware Tools. Whichever you choose, use one mechanism per guest: a VMware Tools sync and an in-guest time service both correcting the same clock will fight each other.


cheers
\mf
