xref: /src/usr.sbin/timed/CHANGES

#	@(#)CHANGES	5.1 (Berkeley) 5/11/93

This new version is almost identical to the timed and timedc code
that has been shipped for years by a workstation vendor.

Among the many changes:

improve `timedc msite` to accept a list of hostnames.

change slave-masters to answer the packets generated by `timedc msite`
    with the name of the real master, not their own.  This makes it
    possible to "chase the chain" of slave servers to the ultimate
    master.

much improve the log caused by `timedc trace on`:
    -made `timed -t` work.
    -suppression of repeated entries, which both slowed down the daemon
	(sometimes catastrophically) and tended to make disks fill up
	even more quickly.
    -better time stamps on log entries
    -more messages
    -dump information about slaves, master, and so on each time
	a message asking the log be turned on is received, and
	when the log is turned off.
    -fewer CPU cycles

use a hash table to keep track of slaves, instead of the stupid linear
    list.  This becomes handy with hundreds of slaves, instead of
    the original design limit of "a room with a few VAX's."

separate the main protocol timer from that used to look for other networks
    to master.

time stamp packets received by the daemon, so that time corrections
    are not made (even more) inaccurate by waiting in the internal,
    timed queue while the daemon is processing other messages.

made -n and -i work with subnets not named in /etc/networks

compute the median of the measured clocks, instead of the average
    of "good" times.

vastly improve the accuracy of the clock difference measure by 
    `timedc clockdiff`.

use adjtime() when possible, and directly set the clock only when
    necessary.

when the requested adjustment is small, perform only part of it, to
    damp oscillations and improve the long term accuracy of the
    adjustments.

fix uncounted core-dumps on machines that do not allow dereferencing 0
    in both the daemon and timedc.

fix "master loop detection".

fix several cases in which multi-homed masters could get into shouting 
    matches, consuming all available network bandwidth and CPU cycles
    (which ever runs out first), and convincing all bystanders to stop
    advancing their own clocks.

refuse to behave badly when other machines do.  Instead of arguing forever,
    go off and sulk when other machines refuse to play by the rules.

increase the maximum number of clients.

add "-F host,host2,..." to "freerun" or "trust" only some hosts.  This
    is handy both when only some machines should be trusted to let
    root use the `date` command to change time in the network.

    It is also handy when one machine has some other way of adjusting
    its clock, whether NTP or a direct radio or atomic connection.
    "-F localhost" causes `timed` to "trust" only itself.

    It is also handy to build a hierarchy of timed masters crossing
    networks.  The TSP protocol has no provision of "goodness of clock",
    no natural way to completely heal network partitions.  Judicious
    use of -F or -G can cause each gateway to trust only itself and
    machines closer to a central machine with a radio or atomic clock.

add #ifdef code that supports NIS "netgroups" of trusted hosts, which
    can be easier to administer than -F.

add #ifdef code to compute an aged total adjustment.  This can be used
    in systems that can make long term changes in their system clock
    frequency, e.g. "timetrim" in the Silicon Graphics kernel.


Problems observed by others that are unresolved include:

Practically any users can send to the master TSP messages and this
	way corrupt the reliability of the system.  Authentication
	of messages should be provided.  Unfortunately, that would
	require changing the protocol with all of the implied
	compatibility problems.  Fortunately, the new -F and -G args
	can be used to cause the daemon to ignore time changes from
	untrusted machines.

MAN.	The limit of 1013 on the number of slaves hosts should be doc'ed.

	It should be dynamically allocated with no limit.  On a
	large network, one host could possibly master over many
	more than 30 hosts.   Given the timers in the code and
	effectively in the protocol, and the time required by each
	master to talk to each slave, it is not practical to have
	more than 200-300 slaves.  The master cannot keep up because
	the slave-chatting is single-threaded.  when the master
	gets behind, slaves start demanding elections.  To
	significantly increase the number of slaves would require
	multi-treading things, and given that a network with more
	than 300 directly addressable machines has worse problems
	than keep the time of day right, not worth worrying about.

UGLY,CODE. timedc/cmds.c has a lots of repeated code in it.

****    The first thing is that each command is set up as if it
	were an individual program taking argc and argv.  A more
	conventional calling style should be used.  I don't think
	any of the routines take more than a couple arguments.

UGLY.	fxn definition syntax does't follow convention:
	has type on same line.

****	It needs to be fixed at least enough that tags
	will work on it.  An entire cleanup might be nice later, but
	is noncritical.

LOBBY(mildly),CODE:	Would be very convenient if date(1) took a
	+-<number> argument to set the time relatively.  With
	the advent of timed it is now reasonable to synchronize
	with WWV, which is nearly impossible to do "by hand"
	with just an absolute date, and scripts are too slow.
	format could be +-nn...nn.ss, where the '.' is required
	to remove ambiguity.

****	If you want to do it go ahead.  It sounds useful.  As far as
	syntax goes, the normal format for the date should work just
	fine for this.  If the date is preceded by a plus or minus,
	the change is relative, otherwise it is absolute.


Vernon Schryver.
vjs@sgi.com