[ntp:questions] Re: ntpd, boot time, and hot plugging
Richard B. Gilbert
rgilbert88 at comcast.net
Thu Feb 3 22:14:26 UTC 2005
Brad Knowles wrote:
> At 10:21 AM -0500 2005-02-03, Tom Smith wrote:
>>> With a decent drift file ...
>> Precisely. The decent drift file is a problem. It sometimes doesn't
>> exist after a large initial offset has been turned over to ntpd.
> Even without a good drift file, you can still sync very quickly.
> It may not be seven seconds, it may be fifteen. But that should still
> be tolerable.
>> You should discuss that with a bank or stock exchange that
>> is losing millions in transactions during those seconds
>> or with public utility that is paying the government
>> penalties for downtime. :-)
> My wife is general counsel, head of legal, and secretary to the
> board for the world's largest clearing and settlement firm for
> European stocks and bonds, with an annual turnover in excess of 256
> trillion Euro last year, and assets under management in excess of
> twelve trillion Euros. Yes, I mean trillion.
> When Argentina decides not to make their interest payments on
> their Brady bond debt, because 80% of their bonds are held through her
> company, the final decision of whether or not to declare what used to
> be the world's seventh largest economy officially bankrupt, arrives on
> her desk.
> I understand the scale of the problem. With over a trillion Euro
> of turnover in a single workday, milliseconds do count.
>> Well, no. As David pointed out in his posting, all engineering
>> is a matter of tradeoffs. For many users, the tradeoff needs
>> to be 'Get these applications up fast on a "good enough"
>> time and refine the time (and frequency) in the background.'
> So, doing a single query and taking whatever bogus time may be set
> from that server, is more important than waiting a few more seconds to
> make sure that you've got a pretty good timesync?
> I'm sorry, I don't buy it. The bigger the application, the more
> you have to lose, the more important it is to have good time sync.
> See above -- milliseconds do count.
>> Perhaps it is. For you. If it's seven seconds.
> For financial applications, if the server goes down, then your N+M
> fault-tolerant systems take over that load, and not a single
> transaction is dropped or excessively delayed. If your main server
> facility is taken out by terrorists or natural disaster, then your hot
> spare facility, that is located hundreds or thousands of miles away,
> takes over and a few transactions might be delayed, but nothing is
> If you're running something that mission-critical and you don't
> have those kinds of systems (which can tolerate a few extra seconds of
> startup time in order to ensure that the time is set reasonably well),
> then you are shooting yourself in the foot with a thermonuclear
> weapon, and you will get what you deserve.
It's worth noting that, on September 11, 2001, Merrill-Lynch "failed
over'" to a duplicate data center in Westchester County in something
like four minutes; without losing a single transaction or a byte of
data. If downtime costs you $50,000,000/minute, the budget to ensure
that there isn't any downtime is practically infinite!!!!!
More information about the questions