[ntp:questions] Re: ntpd -x

John Pettitt jpp at cloudview.com
Fri Jan 27 22:56:26 UTC 2006

David L. Mills wrote:
> Joel,
> At the very real risk of boring everybody on this list to tears, I have
> a burning agenda to expose this issue to a responsible community.
> Your flight dispatcher machines are running just fine and one of them
> suddenly veers off course by one hour. Your application is air traffic
> control. Your choices are:
> 1. Immediately shut down the timewarper and dispatch a repair crew.
> 2. Force the timewarper to slew, even though it will take a week to slew
> within one second, your sanity limit. During most of the week the warper
> clock will be ahead of the rest by more than the sanity limit. Of
> course, a few airplanes might collide, but will crash in monotonic order.
> 3. Step the clock back, possibly confusing flight planning, but at least
> all planning is to the same clock and nobody crashes.
> Comments from your database gurus, ALPA and PATCO would be highly prized.
> Dave

#1 is the only sane option in the case cited - if you have a sanity limit an insane system
should not be allowed to operate outside that limit in a mission critical environment.  When a
system goes insane its job needs to be assumed by a backup.  If there is no backup then you have a
badly screwed up design in that you have a meaningless sanity check and no redundancy.

#2 and #3 have safety and/or data integrity implications in mission critical systems that are, in
almost every system I've worked on, unacceptable. (BTW the correct phrase is "Aluminum Rain")

Part of what the repair crew needs to do is bring the system in error back on-line in a way that
manages overall system integrity and safety, procedures to do so need to be documented and
practiced.  This is a topic for comp.risks rather than c.p.t.ntp.

Back to the original poster's question:

If your box can't be stepped, what is your sanity limit, how do you test for it and what do you do if
it's exceeded?  If you can answer those questions you will probably have answered (or obviated) the
original issue.

P.S. substitute 1 second for one hour and you have what happened in many places with the leap second
this year.
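
One way to test a host against a sanity limit and act as in option #1 above, shown as an added example that is not part of the original post. It reads the system peer's offset from `ntpq -pn` peer output and treats "no system peer" the same as "limit exceeded"; the one-second limit, the function names and the sample billboards are assumptions made for illustration.

```python
# Added example. The ntpq -pn billboards below are constructed, not captured output.
SANITY_LIMIT_S = 1.0  # assumption: the one-second sanity limit used in the thread

HEADER = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
)
HEALTHY = HEADER + (
    "*192.0.2.10      .GPS.            1 u   33   64  377    0.512    0.087   0.021\n"
    "+192.0.2.11      192.0.2.10       2 u   12   64  377    0.730   -0.214   0.055\n"
)
WARPED = HEADER + (
    "*192.0.2.10      .GPS.            1 u   33   64  377    0.512 -1500.000   0.021\n"
)
UNSYNCED = HEADER + (
    " 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000\n"
)


def system_peer_offset_s(ntpq_output):
    """Return the system peer's offset in seconds, or None if it cannot be read."""
    for line in ntpq_output.splitlines():
        if not line.startswith("*"):  # '*' is ntpq's tally code for the system peer
            continue
        fields = line[1:].split()
        if len(fields) != 10:  # remote refid st t when poll reach delay offset jitter
            return None
        try:
            return float(fields[8]) / 1000.0  # ntpq prints offset in milliseconds
        except ValueError:
            return None
    return None


def in_service(ntpq_output, limit_s=SANITY_LIMIT_S):
    """Return (keep_in_service, reason). Neither steps nor slews the clock."""
    offset = system_peer_offset_s(ntpq_output)
    if offset is None:
        return False, "no system peer: offset cannot be verified, hand over to backup"
    if abs(offset) > limit_s:
        return False, f"offset {offset:+.3f}s exceeds {limit_s}s: hand over to backup"
    return True, f"offset {offset:+.6f}s within {limit_s}s"


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("warped", WARPED), ("unsynced", UNSYNCED)):
        print(name, in_service(sample))
```

In production the input would come from running `ntpq -pn` on the host, and a `False` result would feed whatever takes the machine out of rotation.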
