Hello World,
Jean Baptiste greeted the Ubuntu community last week and I wasn’t sure how to outperform that. Since “Hello world” is the most common starting exercise for all coders, I considered it quite appropriate for my first post in this category.
I joined Canonical 10 years ago after a decade of performance and virtualization for Linux on s390x mainframes. In my roles here at Canonical I’ve always been in the server area. I started by packaging the dataplane and virtualization stacks and over time many more server-scoped packages. For a while I also led the teams behind cloud-init and the Ubuntu Pro Client. Nowadays, I’m more deeply involved in archive administration than I ever expected. Through all of this time I found myself in an interesting evolution - starting by knowing nothing of Ubuntu development to finding myself explaining and leading a lot of it every day. As part of that transition I became Engineering Director of Ubuntu Server quite some time ago.
After Jean Baptiste’s and Jon’s rather visionary posts I’ll stick to my German roots for today and go by “Whoever has visions should go to the doctor” and therefore mix things up with a few rather concrete changes - that in my humble opinion have gone unnoticed.
Network online target
Expressing how to wait - for example with a systemd service - until the system is online has been a complex topic. Quite often people couldn’t even agree on what online really meant: are you online once you get a link? Once you get an IP address? Once you are routable? Or once you have DNS resolution?
At the end of the day, the reason people couldn’t agree is that the answer to “online?” depends on your (or your service’s) needs. This isn’t just a nice-to-have, as the various bugs about network ordering show. Most of them come down to unclear behaviour, which has furthermore changed between versions.
To be clear, in a perfect world no one would wait for network-online.target and services would react dynamically to changes. But let us be honest, that isn’t always possible, and that is why all these issues exist.
In 2022 a specification detailed the conditions we would like to include to really “be online.” Implementing it required changes in various components. These changes were recently completed for Ubuntu Server (or any Ubuntu system using systemd-networkd as the Netplan backend) by a systemd feature backport, with the final element landing in 25.04 Plucky via the latest Netplan upload.
Together, all of these changes now finally allow you to rely on a well-defined meaning of online (see “Ubuntu’s definition of online” in the spec). Furthermore you can express via Netplan’s optional attribute which devices should be waited on (or not).
Therefore, if you are forced to wait on network-online.target, you can now rely more on its behavior.
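As an added example (mine, not code from the post, from Netplan or from systemd), here is what the two halves look like in practice: mark a secondary NIC as optional so it does not hold network-online.target, and give a service an explicit ordering dependency on that target. The interface names (enp1s0 as the uplink, enp2s0 as a sometimes-unplugged secondary NIC), the unit name myservice.service and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post, Netplan or systemd.
# Interface names, unit name and file paths are assumptions for illustration.
set -eu

# Netplan YAML for the networkd backend. Without `optional: true`, a NIC that
# is present but never gets a carrier or lease keeps network-online.target
# (via systemd-networkd-wait-online) waiting until its timeout; with it, the
# NIC is excluded from the "online" decision (Netplan emits
# RequiredForOnline=no for it). $1: uplink that must be online; rest: optional NICs.
render_netplan() {
    uplink=$1; shift
    printf 'network:\n  version: 2\n  renderer: networkd\n  ethernets:\n'
    printf '    %s:\n      dhcp4: true\n' "$uplink"
    for nic in "$@"; do
        printf '    %s:\n      dhcp4: true\n      optional: true\n' "$nic"
    done
}

# Drop-in for a service that really cannot cope with the network appearing
# later. After= alone only orders; Wants= is what pulls network-online.target
# into the boot transaction so there is actually something to wait for.
render_online_dropin() {
    printf '[Unit]\nWants=network-online.target\nAfter=network-online.target\n'
}

# Structural check: is the given NIC marked `optional: true` in the YAML text?
netplan_marks_optional() {  # $1: YAML text, $2: NIC name
    printf '%s\n' "$1" | awk -v nic="$2" '
        $1 == (nic ":")  { in_nic = 1; next }
        /^    [^ ]/      { in_nic = 0 }
        in_nic && $1 == "optional:" && $2 == "true" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Apply on a real host (needs root). Not run automatically.
install_example() {
    render_netplan enp1s0 enp2s0 | sudo tee /etc/netplan/90-optional-nic.yaml >/dev/null
    sudo chmod 600 /etc/netplan/90-optional-nic.yaml   # netplan warns on world-readable config
    sudo netplan generate && sudo netplan apply
    sudo mkdir -p /etc/systemd/system/myservice.service.d
    render_online_dropin | sudo tee /etc/systemd/system/myservice.service.d/10-online.conf >/dev/null
    sudo systemctl daemon-reload
    # Confirm what wait-online now considers required for the secondary NIC.
    networkctl status enp2s0 | grep -i 'required for online' || true
}
```

The check function exists so the rendered YAML can be verified before it is written to /etc/netplan; on a live system, `networkctl status <link>` is the place to confirm that the `optional` flag actually became "Required For Online: no".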
Network Time Security
Another easily missed, but important change is the availability of secure network time. In addition to our NTP server pools like 0.ubuntu.pool.ntp.org we now also provide NTS-enabled servers like 1.ntp.ubuntu.com.
While systemd-timesyncd is not yet capable of using NTS, the other common solution for time synchronization, chrony, does. Chrony isn’t only a great time server but also an awesome NTP/NTS client.
We’ve recently worked on modelling different threats, and obtaining an initial time securely was one gap that was left open. Now, the availability of NTS allows anyone concerned about it to synchronize time in a safer fashion.
Of course things can never be easy. How can you use certificates - which depend on time to check their validity - to get time via NTS?
Thankfully this only matters if a system lacks a somewhat reasonable initial time, and even that can be overcome: there is a bootstrapping server and a local certificate (used once) that lets you obtain an initial time, and then “be on time” for the further secure interactions.
Forward - it becomes the default
Chrony will, from 25.04 Plucky onward, use NTS-enabled time servers by default.
The NEWS entry of the package on upgrade, as well as the Plucky release notes, will mention it with a few more details. Those are worth a look because that configuration makes chrony use new ports and new IPs (NTS key establishment runs over TCP port 4460, in addition to the usual NTP traffic on UDP port 123), so this might be a good time to talk to your firewall admin to be able to make use of it.
Backward - it is available
While changing the default to the new servers is something for new releases, the feature itself has been supported by chrony since Jammy.
That is good news, as it means you - like me - can use the same client configuration on all active Ubuntu releases. Or you can be inspired and have a look at our documentation to set up your own NTS-enabled time server.
Example - use this on Noble
My system has a good initial clock, so I do not need the bootstrapping setup. Admittedly, I usually even have two GPS receivers to get my time even more under control, but that might be content for a different post. I was already using chrony because I like it, so all I needed to switch my 24.04 Noble Desktop to NTS-enabled time servers was:
# get the latest sources config from the git representation of the package but without bootstrap
curl --silent https://git.launchpad.net/ubuntu/+source/chrony/plain/debian/ubuntu-ntp-pools.sources | sed '/^pool ntp-bootstrap/ s/^/#/' | sudo tee /etc/chrony/sources.d/ubuntu-ntp-pools.sources
# disable classic NTP servers
sudo sed -i '/^pool/ s/^/#/' /etc/chrony/chrony.conf
# make it so
sudo systemctl restart chrony
Disclaimer:
I do not recommend doing it that way, this was just the shortest set of commands I could think of for illustration purposes. Have a look at that file and change your chrony config consciously - in general, consciously is how you should change configs. And “never run sudo commands from strangers” is the new “never take candy from strangers” anyway.
And with that I got my time a bit more secure on my Noble based laptop:
$ sudo chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp-nts-2.ps5.canonical.>     2   6   377    47    +55us[  +57us] +/-   11ms
^+ ntp-nts-3.ps5.canonical.>     2   6   377    47    -10us[  -10us] +/-   11ms
^- ntp-nts-2.ps6.canonical.>     2   6   377   111   -997us[ -989us] +/-   69ms
^- ntp-nts-3.ps6.canonical.>     2   6   377    47  -3306us[-3306us] +/-   72ms
$ sudo chronyc authdata
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp-nts-2.ps5.canonical.>    NTS     1   30  128  45m    0    0    8   64
ntp-nts-3.ps5.canonical.>    NTS     1   30  128  45m    0    0    8   64
ntp-nts-2.ps6.canonical.>    NTS     1   30  128  45m    0    0    8   64
ntp-nts-3.ps6.canonical.>    NTS     1   30  128  45m    0    0    8   64
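To turn that into something repeatable, here is an added example (mine, not the post’s commands and not the chrony package’s own files): a sources.d fragment that uses the 1.ntp.ubuntu.com pool mentioned above, and a check that parses `chronyc -c authdata` (the CSV form of the authdata report) and fails unless every source is NTS-authenticated, which is the property the authdata table above is showing. The pool options, the fragment’s file name, the CSV column order (assumed to mirror the text report) and the sample rows are assumptions or constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the chrony package:
# (1) a sources.d fragment that enables NTS against the Ubuntu servers, and
# (2) a check over `chronyc -c authdata` (CSV output) that fails unless every
# source actually negotiated NTS. The pool name 1.ntp.ubuntu.com comes from the
# post; `maxsources 4`, the fragment's file name, the CSV column order and the
# sample rows below are assumptions / constructed for this example.
set -eu

# (1) `nts` on a server/pool line makes chrony run NTS-KE (TLS on TCP 4460)
# and then authenticate NTP (UDP 123) with the resulting cookies. This assumes
# a reasonable initial clock, like the post's example; if the clock may be
# wildly wrong at boot, keep the distribution's bootstrap pool line instead
# (chrony's generic escape hatch for that situation is its `nocerttimecheck`
# directive, which is deliberately not used here).
nts_sources_fragment() {
    printf '# NTS-enabled Ubuntu time servers\npool 1.ntp.ubuntu.com iburst maxsources 4 nts\n'
}

install_nts_sources() {
    # Ubuntu's chrony.conf already has `sourcedir /etc/chrony/sources.d`, so a
    # new fragment only needs a reload, not a restart.
    nts_sources_fragment | sudo tee /etc/chrony/sources.d/ubuntu-nts.sources >/dev/null
    sudo chronyc reload sources
}

# (2) Read `chronyc -c authdata` CSV on stdin. Columns assumed to follow the
# text report in the post: name,mode,keyid,type,klen,last,atmp,nak,cook,clen.
# Exit 0 only if every source is in mode NTS, has a negotiated key (KeyID != 0)
# and holds at least one cookie; empty input (chronyd not running) also fails.
nts_all_secured() {
    awk -F, '
        { n++ }
        $2 != "NTS" || $3 == 0 || $9 == 0 {
            bad++
            printf "not NTS-secured: %s (mode %s, keyid %s, cookies %s)\n", $1, $2, $3, $9 > "/dev/stderr"
        }
        END { exit ((n == 0 || bad > 0) ? 1 : 0) }
    '
}

# Live check; run it a minute after enabling NTS so NTS-KE had time to complete.
check_live() {
    sudo chronyc -c authdata | nts_all_secured
}

# Constructed sample rows (not real chronyc output) for offline use.
SAMPLE_GOOD='ntp-nts-2.ps5.canonical.com,NTS,1,30,128,2700,0,0,8,64
ntp-nts-3.ps5.canonical.com,NTS,1,30,128,2700,0,0,8,64'
# Second row: a plain (non-NTS) pool line that was left in chrony.conf, so the
# source is unauthenticated (mode "-", no key, no cookies). An `nts` source whose
# key establishment never succeeded (e.g. TCP/4460 blocked) also trips the
# KeyID/cookie checks.
SAMPLE_BAD='ntp-nts-2.ps5.canonical.com,NTS,1,30,128,2700,0,0,8,64
0.ubuntu.pool.ntp.org,-,0,0,0,0,0,0,0,0'

check_sample_good() { printf '%s\n' "$SAMPLE_GOOD" | nts_all_secured 2>/dev/null; }
check_sample_bad()  { printf '%s\n' "$SAMPLE_BAD"  | nts_all_secured 2>/dev/null; }
```

On a real host, `install_nts_sources` followed a little later by `check_live` is the whole procedure; the check is also a reasonable thing to wire into monitoring, because a blocked TCP/4460 or a forgotten classic `pool` line silently leaves you on unauthenticated time while `chronyc sources` still looks healthy.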
We want to write up nicely how to set this up in older releases, but haven’t gotten to it yet.
You are all invited to head over to our documentation and beat me to it by contributing it there. The documentation as well as our participation in the Open Documentation Academy is a topic for next time…
Communication
After Jean Baptiste told you Desktop is on Matrix and Robie told you that Ubuntu Developer discussions are moving to Matrix, the following will not come as a surprise.
Ubuntu Server is also on Matrix. To be clear, our development discussions happen together with everyone else, so far on IRC and now on Matrix in #ubuntu-release and #ubuntu-devel. The IRC channel #ubuntu-server was always mostly used by the Server community to help each other, with only a little support needed from my team, and I assume that will stay the same on Matrix. Therefore, instead of telling you to move, I am telling you it exists. We deprecate, but do not abandon, the IRC #ubuntu-server channel unless it some day really becomes silent for a very long time. But then on the other hand, we know IRC might be used forever, right?
The more interesting story is IMHO that of our room icon. Nowadays, looking at the Matrix UI, I have a screen full of indistinguishable orange circles - all slightly different variations of the Ubuntu logo. I’m happy that I very wisely (a.k.a. accidentally) chose back then to express that Server is about being a reliable platform of choice for a wide range of uses. That made me combine the “Hardware and Clouds” icons and the “Ubuntu and Canonical” color schemes in an unbelievably complex 2 minute task in GIMP.
Welcome to Ubuntu Server @ Matrix
If anyone has a better icon proposal achieving the same goals but with a less divided appearance, contact us!
P.S. Yes, it reminds me a bit of DC’s Two-Face, I swear that is not intentional!