Making every (leap) second count with our new public NTP servers (opens in new tab)

(cloudplatform.googleblog.com)

110 pointsscommab9y ago69 comments

69 comments

“Leap Smearing must not be used for public-facing NTP servers” - https://tools.ietf.org/html/draft-ietf-ntp-bcp-02

There's good reason it's in the standard. Many applications of computer science rely on being able to accurately measure time.

Having every second increased by a non-trivial amount (~0.001%) on some days, and not on others, will produce subtly wrong results in all kinds of fields, from manufacturing to astronomy.

This was a bad, bad choice by Google.

acqq9y ago

I don't see any possibility for problems, as long as you just do what has sense to do.

https://developers.google.com/time/

"We recommend that you don’t configure Google Public NTP together with non-leap-smearing NTP servers."

If you point your NTP clients to time1.google.com to time4.google.com then don't point them to anything else.

That's all.

If you use Google's time servers you are using them either to be fully in sync with Google or because you like the time-smearing feature. In both cases, just use them, don't mix. Think it as a non-standard-service which is for convenience API compatible with the "standard" NTP.

As magicalist pointed, there are already other smearing algorithms online:

https://developers.google.com/time/smear#othersmears

and Google plans to switch to the new algorithm soon. If all those who need smear standardize around one algorithm, it's going to be even better: there will be one more standard, with the new name, but then it will be even more obvious to everybody what's going on. Obviously both approaches are needed, depending on the usage scenario.

klodolph9y ago

Wow, that's a really boneheaded thing to put in a standard. I think we can all agree that it's important to make leap smearing available for those who want to use it, especially considering the bugs in leap second handling for common NTP clients.

paulajohnson9y ago

I disagree. The point of NTP, and of time services in general, is that everyone agrees about the time. If an organisation wants to use non-standard time it can, but public-facing NTP servers should all agree and all provide the standard time. Google, for whatever reasons, is making its NTP servers deliberately wrong, and there is no mechanism in NTP for a server to say "I'm using time-smearing". So they shouldn't be doing this on public-facing NTP.

2 more replies

jve9y ago

Is that a standard?

              Network Time Protocol Best Current Practices
                         draft-ietf-ntp-bcp-02

1. Introduction

   NTP Version 4 (NTPv4) has been widely used since its publication as
   RFC 5905 [RFC5905].  This documentation is a collection of Best
   Practices from across the NTP community.

1 more reply

agwa9y ago

That's an Internet-Draft, which is a work-in-progress of the IETF. It's not a formal specification. https://www.ietf.org/id-info/

brandmeyer9y ago

> Instead of adding a single extra second to the end of the day, we'll run the clocks 0.0014% slower across the ten hours before and ten hours after the leap second, and “smear” the extra second across these twenty hours.

Holy leaping second, batman! Unilaterally being off by up to a half second from the rest of the world's clocks is a pretty aggressive step. I think I would have preferred to see a resolution made by an independent body on something this drastic.

magicalist9y ago

You're going to have a bad time if you assume "the rest of the world" isn't doing their own, different adjustment

https://developers.google.com/time/smear#othersmears

> preferred to see a resolution made by an independent body

Independent bodies have spent the last decade debating if leap seconds should even exist. Agreeing on how to treat them if we keep them is way down the priority list.

orblivion9y ago

> You're going to have a bad time...

Hilarious. Was this intentional?

JoshTriplett9y ago

Smearing leap seconds does make sense, but it's an odd step to take unilaterally, rather than coordinating with other NTP servers and with Linux timekeeping (which currently handles leap seconds via a 61-second minute instead).

toast09y ago

I think taking this step unilaterally is the only way it's going to be taken. Given that Google doesn't want to deal with leap seconds [1], and that the standards organizations have been debating removing leap seconds for years, at least they're publicizing what they're doing.

[1] for good reasons

1 more reply

ac299y ago

>Linux timekeeping (which currently handles leap seconds via a 61-second minute instead)

Google doesn't think so: "No commonly used operating system is able to handle a minute with 61 seconds"

3 more replies

toomuchtodo9y ago

I'd assume its because, at Google scale, you can dictate what "time" is considered internally.

> All Google services, including all APIs, will be synchronized on smeared time, as described above. You’ll also get smeared time for virtual machines on Compute Engine if you follow our recommended settings.

jrnichols9y ago

This seems to be the Google way sometimes. "We're going to take a standard and change it and do things our way. Toodles!" Just like what they did with IMAP & Gmail.

KayEss9y ago

It's far better than what POSIX clocks do. They'll just drop back a second and you'll get the same time twice.

paulajohnson9y ago

That is a historical artifact. The original Unix developers decided to treat time as seconds since the start of 1970, implicitly assuming that every day has 86400 seconds. Back then UTC was in its infancy, most programmers had not even heard of leap seconds, and most computer clocks were set by the sysadmin looking at his watch. If we were starting from scratch we would have a date-time type with a day number field and a seconds-since-midnight field. However that would be a breaking change for every piece of software out there, so we are stuck with a time_t that cannot handle leap seconds.

1 more reply

subway9y ago

They've been doing this since at least 2011.

brandmeyer9y ago

That doesn't make it any less unilateral. IMO, it makes it rather worse to have been doing this for five years. The situation would be much better if they had been working to build a broader consensus over all that time. As near as I can tell, they don't even have consensus within Linux, let alone POSIX or the ITU.

2 more replies

nullc9y ago

I predicted this for leap smear a while back-- we have time sync because having systems with different times is a source of problems... logical fix: get them onto the same time.

Smear is a workaround for those who care about phase alignment but don't care about frequency error. ... and who don't need to exchange times with anyone else. This last point reduces the set to no one, since it can't extend to everyone (some parties care a lot more about frequency error than phase error!).

This circus is enhanced by NTP's inability to tell you what timebase it's using (or, god forbid, offsets between what its giving you and other timebases...)

It's going be especially awesome when NTP daemons with both smear and non-smear peers get both the smear frequency error AND get a leap second.

I for one welcome this great opportunity for an enhanced trash fire to help convince the world that we need to stop issuing leap seconds. (It's absurd-- causes tens of millions in disruption easily, -- and it would take 4000 years to even drift an hour off solar time, at which point timezones could be rotated if anyone really cared).

detaro9y ago

> Smear is a workaround for those who care about phase alignment but don't care about frequency error. ... and who don't need to exchange times with anyone else. This last point reduces the set to no one, since it can't extend to everyone (some parties care a lot more about frequency error than phase error!).

I don't quite understand that point. E.g. the typical web server doesn't have much of a need to exchange precise time with others. HTTP, TLS, ... require timestamps, timestamps are shown to users occasionally, but as long as they are roughly right that is enough. As long as all internal systems work off the same standard it is fine. Which seems to be the reasoning under which Google choose to use it, even though one might argue that with their cloud offerings they are not as insular.

leephillips9y ago

A lot of interesting geophysics in the unpredictable need for leap seconds. I mention Google's "smearing" approach here:

http://arstechnica.com/science/2016/04/the-leap-second-becau...

1 more reply

leni5369y ago

Why the hell aren't time servers and clients sync to TAI instead? Dealing with leap seconds should be a client side problem.

Unklejoe9y ago

At least the IEEE 1588-2008 (PTPv2) protocol uses TAI time (with the POSIX epoch). The current UTC offset is then passed in the Announce messages (as well as some flags for indicating an upcoming leapsecond) which allows the slave to derive UTC if it wants to.

nothrabannosir9y ago

Because leap seconds are not deterministic, kind of like time zone changes. It would make timestamp <--> date calculations A) harder and B) need constant updates to work. Hell for firmware and embedded code.

Edit: the worst thing is: it would make those calculations harder to do correctly, but it would be too seductive to not care for leap seconds. After all, what's a few seconds error, really? This leaves you in a state where, guaranteed, 99% of time software will not be correct and the error will compound over time.

russdill9y ago

Yup, it seems awesome, but software needs to be written to handle it properly. I think it'd work no problem with software already written against monotonic clocks, but everything else would probably need some fixing.

paulajohnson9y ago

The problem is that time_t (seconds since 1970) implicitly assumes 86400 seconds per day. You would have to redefine time_t and rewrite every piece of code that uses it.

1 more reply

azinman29y ago

Right... Because leap seconds are high on everyone's priority list. It's the programmers fault!

Or... recognize that super rare bugs are inevitable and create a higher level way to avoid them entirely. I vote for option 2.

1 more reply

detaro9y ago

Google introduced this exactly to not have to deal with it client-side, while still having UTC timestamps that match the rest of the world most of the time.

leni5369y ago

You have to deal with it at client side. It doesn't make sense to fix broken software by introducing broken time servers. It could make sense to provide a wrapper library that provides smeared leap seconds and use that for broken software only (like libfaketime).

Now if I want to write software that uses precise TAI, I can't do that because of broken UTC from time servers and TAI is defined as UTC+tai_offset on my side.

1 more reply

antoncohen9y ago

For people talking about Google unilaterally doing this, it has been common to smear the leap second for the last couple years. Usually companies do it internally by having their NTP servers skew time, either with Chrony or `ntpd -x`. Standards bodies have not been able to react quickly enough to the need to smear the leap second in a consistent way. I'm thankful that Google has decided to run public NTP servers with consistently smeared leap seconds.

Here are two Red Hat articles on how to deal with the leap second, from 2016 and 2015:

https://access.redhat.com/articles/15145

http://developers.redhat.com/blog/2015/06/01/five-different-...

JdeBP9y ago

I hope that there are people on standards bodies who remember or learned what it was like before UTC when civil time seconds were not one SI second long, and in effect "smearing" happened all the time.

newman3149y ago

Does anyone know if Google has open sourced the time smearing algorithm?

detaro9y ago

They discuss various ways of smearing here, but I haven't seen their actual implementation code: https://developers.google.com/time/smear

j / k navigate · click thread line to collapse

69 comments

liotier9y ago

“Leap Smearing must not be used for public-facing NTP servers” - https://tools.ietf.org/html/draft-ietf-ntp-bcp-02

etatoby9y ago

There's good reason it's in the standard. Many applications of computer science rely on being able to accurately measure time.

Having every second increased by a non-trivial amount (~0.001%) on some days, and not on others, will produce subtly wrong results in all kinds of fields, from manufacturing to astronomy.

This was a bad, bad choice by Google.

acqq9y ago

I don't see any possibility for problems, as long as you just do what has sense to do.

https://developers.google.com/time/

"We recommend that you don’t configure Google Public NTP together with non-leap-smearing NTP servers."

If you point your NTP clients to time1.google.com to time4.google.com then don't point them to anything else.

That's all.

As magicalist pointed, there are already other smearing algorithms online:

https://developers.google.com/time/smear#othersmears

klodolph9y ago

paulajohnson9y ago

2 more replies

jve9y ago

Is that a standard?

              Network Time Protocol Best Current Practices
                         draft-ietf-ntp-bcp-02

1. Introduction

   NTP Version 4 (NTPv4) has been widely used since its publication as
   RFC 5905 [RFC5905].  This documentation is a collection of Best
   Practices from across the NTP community.

1 more reply

agwa9y ago

That's an Internet-Draft, which is a work-in-progress of the IETF. It's not a formal specification. https://www.ietf.org/id-info/

brandmeyer9y ago

magicalist9y ago

You're going to have a bad time if you assume "the rest of the world" isn't doing their own, different adjustment

https://developers.google.com/time/smear#othersmears

> preferred to see a resolution made by an independent body

Independent bodies have spent the last decade debating if leap seconds should even exist. Agreeing on how to treat them if we keep them is way down the priority list.

orblivion9y ago

> You're going to have a bad time...

Hilarious. Was this intentional?

JoshTriplett9y ago

toast09y ago

[1] for good reasons

1 more reply

ac299y ago

>Linux timekeeping (which currently handles leap seconds via a 61-second minute instead)

Google doesn't think so: "No commonly used operating system is able to handle a minute with 61 seconds"

3 more replies

toomuchtodo9y ago

I'd assume its because, at Google scale, you can dictate what "time" is considered internally.

jrnichols9y ago

This seems to be the Google way sometimes. "We're going to take a standard and change it and do things our way. Toodles!" Just like what they did with IMAP & Gmail.

KayEss9y ago

It's far better than what POSIX clocks do. They'll just drop back a second and you'll get the same time twice.

paulajohnson9y ago

1 more reply

subway9y ago

They've been doing this since at least 2011.

brandmeyer9y ago

2 more replies

nullc9y ago

I predicted this for leap smear a while back-- we have time sync because having systems with different times is a source of problems... logical fix: get them onto the same time.

This circus is enhanced by NTP's inability to tell you what timebase it's using (or, god forbid, offsets between what its giving you and other timebases...)

It's going be especially awesome when NTP daemons with both smear and non-smear peers get both the smear frequency error AND get a leap second.

detaro9y ago

leephillips9y ago

A lot of interesting geophysics in the unpredictable need for leap seconds. I mention Google's "smearing" approach here:

http://arstechnica.com/science/2016/04/the-leap-second-becau...

1 more reply

leni5369y ago

Why the hell aren't time servers and clients sync to TAI instead? Dealing with leap seconds should be a client side problem.

Unklejoe9y ago

nothrabannosir9y ago

russdill9y ago

paulajohnson9y ago

The problem is that time_t (seconds since 1970) implicitly assumes 86400 seconds per day. You would have to redefine time_t and rewrite every piece of code that uses it.

1 more reply

azinman29y ago

Right... Because leap seconds are high on everyone's priority list. It's the programmers fault!

Or... recognize that super rare bugs are inevitable and create a higher level way to avoid them entirely. I vote for option 2.

1 more reply

detaro9y ago

Google introduced this exactly to not have to deal with it client-side, while still having UTC timestamps that match the rest of the world most of the time.

leni5369y ago

Now if I want to write software that uses precise TAI, I can't do that because of broken UTC from time servers and TAI is defined as UTC+tai_offset on my side.

1 more reply

antoncohen9y ago

Here are two Red Hat articles on how to deal with the leap second, from 2016 and 2015:

https://access.redhat.com/articles/15145

http://developers.redhat.com/blog/2015/06/01/five-different-...

JdeBP9y ago

newman3149y ago

Does anyone know if Google has open sourced the time smearing algorithm?

detaro9y ago

They discuss various ways of smearing here, but I haven't seen their actual implementation code: https://developers.google.com/time/smear

j / k navigate · click thread line to collapse