Monday October 02, 2006
Dave's Bit Bucket
Dave Walker's jottings - mostly pertaining to security

Once in a while, I wake up in the small hours with an interesting idea.

If you have an infrastructure involving multiple "stovepipe" networks, which may or may not be looked after by different teams, you nonetheless need to have time synchronisation across everything - not only for business process flow tracking and root cause analysis in the event of issues arising, but also to keep log files in sync and therefore make looking for things easier from a Governance and Compliance perspective.

Consider Zones in Solaris. While each zone can notionally be in a different TZ (by virtue of each zone having its own /etc/default/init), the zones all synchronise to the same internal UTC by virtue of the fact that all zones share a common kernel. In other words, zone time can't suffer relative drift within the same Solaris instance.

Therefore, it makes most sense to push any external time feed into a Global Zone by running an NTP client there, set up one zone per stovepipe (or segregated part of the organisation), and run NTP servers in each zone at one stratum numerically greater than the external time feed. Thus, all parts of the organisation get synchronised time with segregated admin. If you want to make it as certain as possible that different zones can't affect each other's operation, resource-limit them and run Trusted Extensions. Job done :-)

Coda: Cunning realtime-forensic methods such as are described here will also identify which zones are running on the same OS instance as a result of this lack of relative drift, but that's another story...

(2006-10-01 23:59:34.0)
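One check a practitioner would want after building this is that the hierarchy actually holds: the Global Zone's ntpd selects the external feed as its system peer, and each stovepipe zone's ntpd selects the Global Zone as its system peer, exactly one stratum below it. The following sh script is an added example, not part of the original post; it parses constructed `ntpq -p` output (the `*` tally marks the selected system peer, and the `st` column is that peer's stratum) for hypothetical hosts `ntp1.example` and `gz.example`.

```shell
#!/bin/sh
# Constructed sample of `ntpq -p` as run in the Global Zone (hypothetical external feeds).
GLOBAL_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example    192.0.2.10       2 u   64  128  377    1.234    0.012   0.045
+ntp2.example    192.0.2.11       2 u   70  128  377    1.890   -0.031   0.060'

# Constructed sample of `ntpq -p` as run inside one stovepipe zone; gz.example is the
# hypothetical address the Global Zone ntpd listens on for the zones.
ZONE_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*gz.example      192.0.2.10       3 u   12   64  377    0.050    0.001   0.004'

# Stratum of the selected system peer (the line ntpq tallies with '*').
# Prints nothing if no peer has been selected yet, e.g. ntpd still settling.
sys_peer_stratum() {
    printf '%s\n' "$1" | awk '/^\*/ { sub(/^\*/, ""); print $3; exit }'
}

# Name (remote column) of the selected system peer.
sys_peer_name() {
    printf '%s\n' "$1" | awk '/^\*/ { sub(/^\*/, ""); print $1; exit }'
}

# check_zone_hierarchy GLOBAL_OUTPUT ZONE_OUTPUT GLOBAL_ZONE_NAME
# Returns 0 when the zone's ntpd peers with the Global Zone and that peer sits exactly
# one stratum below the Global Zone's own system peer; returns 1 on any deviation.
check_zone_hierarchy() {
    gstr=$(sys_peer_stratum "$1")
    zstr=$(sys_peer_stratum "$2")
    zpeer=$(sys_peer_name "$2")
    [ -n "$gstr" ] && [ -n "$zstr" ] || return 1      # one side has no system peer
    [ "$zstr" -eq $((gstr + 1)) ] || return 1          # stratum must step by exactly one
    [ "$zpeer" = "$3" ] || return 1                    # zone must follow the Global Zone
    return 0
}
```

On a live system, feed the script the real outputs with `GLOBAL_PEERS=$(ntpq -p)` in the Global Zone and `ZONE_PEERS=$(zlogin zonename ntpq -p)` for each zone; a zone that selects some other peer, or shows the same stratum as the Global Zone, is being fed from outside the design.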