ISO/IEC 10164-20:1999 情報技術—オープンシステム相互接続—システム管理：時間管理機能—パート20： | ページ 8

H.2.1 時間値の取得

この節では、DTS クラークまたは DTS サーバーがリモート プロシージャ コールを実行して DTS サーバーから時間を取得する方法について説明します。図 H.4 は、クラークまたはサーバーのサーバーへのリモート プロシージャ コールを実装するメッセージの時空間図を表しています。

k = 1, 2, ...8 の時間t₈は、正確に知ることのできない UTC の値に対応します。二重矢印はメッセージの送信を表し、単一の矢印はメッセージの受信を表します。

手順は、クライアントが要求を送信する準備としてクロックを読み取ることから始まります。この時点での UTC の値はt₁であり、時計の読み取り値はTc ( t₁ ) です。その直後に、クラークまたはクライアントとして機能するサーバーがその要求を送信します。ほとんどのシステムでは、オペレーティング システムがリクエストをネットワーク アダプタに転送し、アダプタが送信のためにキューに入れるため、リクエストの送信遅延S _Cが発生します。 S _Cの一部のコンポーネントは決定論的ですが (クライアントからネットワークに要求を転送する際に最小数の命令を実行する必要があります)、残りはランダムであり、その時点での他のシステムおよびネットワーク アクティビティに依存します。図 H.4 では、要求は実際には時刻t₂に送信され、t _csで示されるランダムな伝播遅延の後、時刻t₃にサーバ オープン システムで受信されます。

サーバーが要求の到着時に行う最初のアクションは、時間を記録することです。送信と同様に、ランダムな受信遅延r _Sが発生します。その結果、サーバーは、サーバーのクロックによってT _C ( t₄ ) として測定される時刻t₄での要求の到着時刻を記録します。次に、サーバーは要求を処理し、時間t₅で応答データグラムを送信します。クライアントは、時刻t₈でこの応答を受け取り、タイムスタンプを押します。応答には、要求と同様の遅延、つまりS _C 、t _cs 、およびr _Cが発生します。要求メッセージと応答メッセージの対応する遅延が等しいとは想定していません。つまり、一般的にS _S ? _scC t _csとr_c ? _s ．

サーバーでの処理遅延は、図 H.4 で明示的に説明されています。遅延は小さいと予想されるかもしれませんが、そうではない場合があります。たとえば、負荷の高いサーバーでは、時間要求がすぐに処理されるのではなく、サービスのためにキューに入れられる場合があります。安全なシステムでは、サーバーは応答メッセージに署名するという時間のかかるタスクを引き受ける場合があります。

処理遅延は、/4, 75(/4) でのサーバーのクロックの値、およびその時点でのクロックの不正確さI _s ( t₄ ) と共に応答メッセージで返されます。これにより、サーバーが高度な適時性で要求に応答する必要がなくなります。代わりに、クライアントは、以下の計算に示すように、サーバーでの処理とスケジューリングの遅延を補うことができます。

t₄でのサーバーのクロックの値は、その時点での自身のクロックの値を認識していないため、クライアントには役に立ちません。したがって、クライアントは、自身のクロックの値を知っている時点でサーバーのクロックの値を計算する必要があります。この瞬間をt₁とします (ただし、 t₈やその他の瞬間を選択することもできます)この計算の結果は、事実上、クライアントのクロックがT _C ( t₁ ) を読み取った瞬間のサーバーのクロックの読み取り値です。

サーバーに障害がないと仮定すると、クライアントは次のことを認識しています。

T_S ( t₄ ) - I _S ( t 4 ) = t 4 = T _S ( t₄ ) + I _S ( t 4 )

したがって、 t₄の範囲は次のとおりです。

(H.1)

ここで、図 H.4 からx = SC + tCS + r xは不明ですが、0 = x = t₈ - t₁ - w の範囲にありますt₈ - t₁は⁹⁾で与えられます。

(H.2)

上記の式のクロック分解能 r は、クライアントのクロックの離散的な性質を説明し、係数 (1 +d _C ) は期間 [ t₁ 、 t₈ ] でのドリフトを説明します。その結果：

(H.3)

式 (H.1) と (H.3) の不等式を組み合わせて、クライアントまたはクライアントとして機能するサーバーは、クロックがT _C ( t₁ ) を読み取ったときに、UTC が範囲内にあるとサーバーが信じていたことを確認します。

(H.4)

このサーバーの時刻の推定値は、 ¹⁰⁾の不正確な時刻として表すことができます。

サーバーの洗練された実装は、推定の不正確さを減らすために、( t₁ ) に既知のすべての遅延コンポーネントを含めます。たとえば、 S _Sおよびr _Sの任意の既知のコンポーネントを含めることができます。ただし、 wに含まれるr _Sの任意のコンポーネントでは、 t_S)をその量だけ減らす必要があります。

同様に、クライアントとして機能する洗練された事務員またはサーバーは、SC, r _C 、t _C 、または t C _Sの既知のコンポーネントを補償することによって ( t₁ ) を減らすことができます_C二重補償を防ぐために、サーバーは t S _Cまたは t C _Sの既知のコンポーネントを補償することを禁止されています。

H.2 Distributed Time service

H.2.2 Computing a correct time

This subclause describes how a clerk or server acting as client computes a correct time from time values obtained from several servers or from the time provider, even if some are faulty. The description is presented as if the time values were obtained from other servers. However, the procedure is the same if the time values are obtained from the time provider interface.

Consider a clerk or server acting as client which has obtained M time values. For each server S_j with j = 1, 2 . . . M, theclerk or server acting as client has computed (t_j ) and (t_j ) where t_j corresponds to the instant t₁ in Figure H.4but for the request sent to S_j .

Calculating a correct time is feasible only if all the time values pertain to the same instant. So the first task is to translatethese values to correspond to one synchronization instant, which is denoted by t_S . Any choice of t_S is adequate, the onlyrequirement being that the value of the clerk or server acting as client?s clock T_C (t_S ) is known. Least inaccuracy isachieved if tS is close to the current time. All calculations that the clerk or server acting as client performs are in terms ofT_C (t_S ) since tS itself is never known. Translating the S_j time value to t_S is achieved by the following equations:

(H.6)

Note that the inaccuracy of each time value increases to compensate for the maximum possible drift of the clerk?s clockover the period [t_j , t_S ].

The basis of the calculation is now described. Assume for now that all servers are correct. Therefore, all the M timeintervals contain UTC. The narrowest correct time that the clerk or server acting as client can compute is simply theintersection of these M time intervals. An example is shown in Figure H.5. We point out that this intersection is thesmallest interval containing UTC that the clerk or server acting as client could possibly compute from the giveninformation (the M time values).

But what if some servers are faulty? There may be no intersection or, even worse, the intersection may not contain UTC.The actual algorithm embellishes the idea of a simple intersection to accommodate the possibility of faulty servers. It isarrived at by the following reasoning.

The narrowest correct time that the clerk or server acting as client could possibly compute is the intersection of all thecorrect time intervals; any point on the real line contained in all the correct time values could potentially be the truevalue of UTC at the instant when the clerk?s clock reads T_C (t_S ). However, the clerk or server acting as client does notknow which servers are correct and which (if any) are faulty.

Let us assume that at most f servers are faulty. In this case, any point on the real line contained in at least M - f of thetime intervals could be a point in all the correct intervals, and hence could be UTC. While this is the smallest set ofpoints guaranteed to contain UTC, it does not necessarily constitute a single interval as shown by the example inFigure H.5. Rather than considering the time to be multiple intervals, the clerk or server acting as client takes the correcttime to be the smallest single interval containing all points in at least M - f of the intervals.

The complexity of computing the narrowest correct time may at first appear to be high. However, it is simple and fastwith a suitable data structure and algorithm. We now describe this computation algorithmically:

• 1) Arrange the endpoints of the M time values into a list. The list is of length 2M as each time valuecontributes two elements to the list: and .
• 2) Mark each end point to indicate if it is a minimum or maximum endpoint.
• 3) Sort the list according to the values of the endpoints in ascending order. In the case where two or moreendpoints take on the same value, those corresponding to lower bounds must precede those correspondingto upper bounds in the list; that is, if:
  then must precede in the list.
• 4) Set the initial value of f.
• 5) Scan the list in ascending order to find the first endpoint that is contained in at least M - f intervals. Thispoint corresponds to the minimum value of the correct time interval.
• 6) If no such point is found, then there are more than f faulty servers. Increase f by one and go back tostep 5). If a minimum value has been found, then continue with the current value of f.
• 7) Scan the list in descending order to find the first endpoint that is contained in at least M - f intervals. Thispoint corresponds to the maximum value of the correct time interval.

Computing the minimum and maximum endpoints of the narrowest correct time interval is equivalent to computing atime and inaccuracy. We denote this computed time and inaccuracy by CT_C (t_S ) and CI_C (t_S ), respectively.

H.2.3 Adjusting the clock

Once a clerk or server acting as client or server has computed a correct time CT_C (t_S ) and inaccuracy CI_C (t_S ), it adjustsits clock in accordance with the computed time. This subclause describes how that adjustment is made so that the clocknever jumps forward or backward.

Recall that, at the synchronization point t_S , the clerk or server acting as client?s clock reads T_C (t_S ). Consequently, theclerk or server acting as client must adjust the clock by CT_C (t_S ) - T_C (t_S ).

Since time always advances, the clock too must always advance; that is, increase monotonically. A clerk or server actingas client should not set its clock backward to adjust a fast clock. When the clock is slow, it is desirable, but not strictlynecessary, for the clerk or server acting as client to adjust the clock gradually so that users do not experience a suddenforward jump in the time. To satisfy these requirements, a clerk or server acting as client adjusts a fast clock by slowingit down so that UTC catches up, and a slow clock by speeding it up so that it catches up to UTC.

The procedure by which gradual monotonic adjustments are made depends on the underlying hardware and softwareconstituting the clock. We describe this procedure for one particular realization of a clock, one common to manycomputer systems. Other realizations of clocks may use different procedures as long as they guarantee that a non-faultyclock always contains UTC in its interval.

A clock consists of memory containing its current measure of UTC and a hardware timer that periodically interrupts theprocessor. Normally, the routine servicing these tick interrupts increments the clock?s memory by the resolution r,causing the contents of the memory to increase at (approximately) the same rate as UTC.

To adjust the clock, the clerk or server acting as client changes the amount by which the clock increments at each tick,increasing the amount if CT_C (t_S ) = T_C (t_S ); otherwise, decreasing it. We denote the amount by which the nominal tickincrement ? is adjusted by e. Suppose that the clerk or server acting as client increases the tick increment to ? + e forsome number of ticks, say n. If e is positive, the clock gains ne seconds, while if it is negative, the clock loses thatamount. So to gain CT_C (t_S ) - T_C (t_S ), the clerk or server acting as client modifies the tick increment by e for:

(H.7)

ticks. (If CT_C (t_S ) - T_C (t_S ) < 0, then e is negative and the clock loses rather than gains.)

The value of e is an implementation constant. However, the specification imposes two restrictions: to ensure that theclock is monotonic, e must be greater than or equal to -?; and, because the adjustment compensates for drift, theadjustment rate must be greater than the drift, or | e | > ? d. If, in addition, | e | is small compared with ?, users will barelyperceive the adjustment, if at all.

H.2.4 Determining the maximum error

Our realization of the clock does not automatically measure inaccuracy as it does time. Instead, the clerk or servercalculates the inaccuracy whenever the clock is read. This subclause presents the formula for making that calculation.

The inaccuracy of a clock consists of four components:

Combining these four components gives the formula for calculating the inaccuracy at any time after t_S as:

(H.8)

where N is given by equation H.7. Note that implementations can reduce the contribution of resolution to0.5(1 = d _C )? if the time reported by the clock is increased by 0.5(1 = d _C )? over its actual value.

We note that it may not be possible to schedule the beginning of the adjustment at precisely t as required by the formulafor adjustment decrease in the preceding list. If this is the case, the formula for calculating the inaccuracy must take intoaccount the number of ticks between the synchronization instant and the instant at which adjustment actually begins. Wenow show one way to do this.

Call the instant at which adjustment begins the base time t_b . The clock reads T(t_b ) at this instant. The inaccuracy at t_b ,which we call the base inaccuracy, is the inaccuracy at t, increased to account for the drift over the time ttot_b . So:

I_C (t_b ) = CI_C (t_S ) + | CT_C (t_S ) - TC (ts) | + (T_C (t_b ) - T_C (t_S )) d _C

(Higher-order terms are ignored in this equation.) As the base inaccuracy now includes drift from t_Stot_b , the driftincrease need only include drift thereafter. So at time t, it is given by (T_C (t) - T_C (t_b )) d _C .

The adjustment decrease is calculated by measuring the number of ticks that have elapsed since adjustment began aslong as adjustment began at t_b . So, it is given by | (T_C (t) - T_C (t_b )) e)/(?+ e) | but still no more than the total of | N e |.Thus, equation H.8 can be expressed in more general terms by:

I_C (t) = CI_C (t_S ) + | CT_C (t_S ) - T_C (t_S ) | + (T_C (t_b ) - T_C (t_S )) d _C + (T_C (t) - T_C (t_b )) d _C - min{(T_C (t) - T_C (t_b ))/ (? + e), N} | e | + (1 + d _C )?

H.2.5 Local faults

Despite periodic synchronization, an error (either transient or permanent) on a system can cause the clock on that systemto become faulty. A faulty clock can be detected at synchronization by comparing the interval of the clock to thecomputed interval. If they do not intersect, the local clock is faulty.

The usual mechanism for adjusting the clock and computing the inaccuracy will correct a faulty clock. However, if theamount by which the clock is in error is large (say, several days), it may be undesirable to adjust the clock gradually tocorrect the error; instead, it may be preferable to set the clock to the computed time.

To facilitate this, there is a management attribute to control whether a faulty clock is set to the correct time or adjustedmonotonically. This parameter is called errorTolerance. A faulty clock is set rather than monotonically adjusted if theseparation between its interval and the computed interval is greater than errorTolerance. This is expressed quantitativelyby the following:

| CT_C (t_S ) - T_C (t_S ) | -CI_C (t_S ) - I_C (t_S )) = errorTolerance

By specifying the error tolerance of a faulty clock in this way, it is easy to accommodate the boundary conditions;namely, to never reset a faulty clock (errorTolerance = ∞) or, to immediately reset a faulty clock (errorTolerance = 0).

H.2.6 Configuration

The number of servers from which a clerk requests the time during each synchronization is determined by a managementattribute called minServers. The Time Service must be configured so that there are enough servers to satisfy the needs ofevery clerk. In addition, it is desirable for servers to be located close to the clerks to which they provide the time. Thisminimizes communication delay that contributes to inaccuracy.

While small cells can satisfy these criteria with a single set of servers serving all clerks, large cells must be configuredwith many more servers than required for any one clerk. Consequently, the architecture partitions servers into sets witheach set serving a subset of clerks.

To simplify management partitioning, we exploit the assumption that most systems are connected to LANs. Each LANcontains a (possibly empty) set of servers called the local set. Normally, there are sufficient servers in a local set tosatisfy the needs of all clerks on the LAN of that set. If this is the case, clerks obtain the time from servers in theirrespective local sets. They discover these servers through RPC service profiles using the algorithm described in C.3.2.

This algorithm makes it possible to autoconfigure the Time Service local sets.

While this arrangement is well suited for configuring local sets, it suffers two shortcomings:

• 1) If none of the servers in a local set have a time provider, an operator must periodically reset the time at fservers in this set.
• 2) Clerks whose local sets contain insufficient servers have no mechanism to discover additional servers.

To overcome these shortcomings, we provide an additional set of servers that are available throughout the cell. We callthis set the global set and the servers of this set we call global servers. A global server is usually a member of some localset, but this is not required.

A clerk accesses global servers only if there are fewer servers in its local set than the number it requires forsynchronization. A server accesses global servers if it does not have a time provider and either of the following twoconditions holds:

• 1) There are fewer servers in the local set than the number it requires for synchronization.
• 2) The server is a courier.

Couriers are servers that import time from the global set into the local set. This is useful when none of the servers in thelocal set have time providers but some servers in the global set do. The mechanism by which a server becomes a courieris described in C.3.4.

Note that global servers do not synchronize with each other explicitly. A global server synchronizes with another globalserver only if the two are in different local sets and the first does not have a time provider.

H.2.7 Couriers

It is likely that some local sets will be configured without any servers that have time providers. With this configuration,an operator must periodically mimic a time provider to prevent inaccuracies in such a local set from becomingexcessively large.

However, there may be some global servers in the cell with close proximity to time providers from which the servers in alocal set could obtain accurate time. The architecture provides a mechanism for this with a design that limits the loadplaced on global servers and is easy to manage at the expense of reduced fault tolerance. With this mechanism, onlythose servers designated as couriers synchronize with global servers rather than all servers without time providers.

A server becomes a courier by a combination of an election mechanism and an attribute called courierRole which takesone of the three values: courier, non-courier, or backup-courier. A server with courierRole set to non-courier neverbecomes a courier; one with courierRole set to courier is always a courier; a server with courierRole set to backupcourieris, in general, not a courier but becomes one if:

• 1) There are no servers in the local set with courierRole set to courier .
• 2) It is the server whose security UUID (the UUID associated with the server?s security principal) precedesall others with courierRole set to backup-courier.

Servers exchange their courierRole values in time request RPCs. Servers with courierRole set to backup-courier mustredetermine whether or not they are couriers whenever they add an entry to, or remove one from, their lists of localservers.

H.2.8 Determining the next synchronization

A clerk determines when to synchronize its clock by attempting to bound its inaccuracy. The desired bound on theinaccuracy is specified by the management attribute maxInacc.From the computed time and inaccuracyCT_C (t_S ) and CI_C (t_S ), the clerk can calculate the time at which its inaccuracywill reach the value of maxInacc. This is given by:

T =CT_C (t_S ) + (maxInacc -CI_C (t_S ))/d _C

To keep I_C (t) < maxInacc, the clerk must synchronize before its clock reads this time.

Note that the Time Service does not guarantee any bound on CI_C (t_S ). Consequently, it is possible that maxInacc CI_C (t_S )is small or even negative. To prevent a clerk from synchronizing continuously, we require that the time betweensynchronizations be more than a minimum value which is specified by the management attribute syncHold.

Unfortunately there are likely conditions where, using the approach described in the previous paragraph, all clerks willchoose the same instant at which to synchronize, causing bursty loads on the network and servers. To avoid these, somerandomness is introduced into the times at which clerks synchronize.

The following steps describe how to schedule the next synchronization based on the computed time and the twoparameters maxInacc and syncHold:

• 1) Compute the time for the inaccuracy to grow to maxInacc. This is given by the following:

  D = (maxInacc - CI_C (t_S ))/d _C

• 2) If D s syncHold, go to step 4). Otherwise, continue with the next step.
• 3) Draw a random number, R, uniformly distributed over [D/2, D]. Go to step 5).
• 4) Draw a random number, R, uniformly distributed over [(3syncHold)/4, (5syncHold)]/4]
• 5) Schedule the next synchronization so that it can complete before the clock readsCT_C (t_S ) + R.

H.2.9 Maintaining the server lists

To learn of new local servers, clerks must periodically perform an RPC import of the local set. To learn of new globalservers, those clerks using global servers must periodically perform RPC imports of the global set.

The mechanism by which a clerk is forced to perform these imports is for it to periodically flush its entire lists of globaland local servers. As can be seen from the synchronization procedure in C.4.2, this causes the clerk to import the localset and, if necessary, the global set the next time it synchronizes.

Flushing is done periodically. The period between flushes is specified by the management attribute cacheRefresh.

If the server synchronized with the time provider, it schedules the next synchronization for the time specified by the timeprovider. (The nextPoll field of the TPctlMsg returned by a call to the ContactProvider function of the Time Providerinterface.)

If the server synchronized with other servers, or if it aborted the synchronization because there were too few servers, itdetermines the next synchronization in the same way that clerks do as specified in C.4.3.

H.2.10 Checking for faulty servers

To detect and report faulty servers in a timely fashion, servers must periodically obtain time from all other servers in the local set and check that their intervals intersect.

The procedure is the one used for synchronizing with other servers, as described in C.5.3.2, with the following changes:

• No global servers are queried.
• The procedure is not aborted if less than minServers -1 are queried.
• The step to adjust (or set) the clock is not carried out.
• The step to schedule the next synchronization is not carried out.

Checking for faulty servers is initiated by a periodic timer whose average period is specified by the management attribute checklnt. After initialization and after completing the checking procedure, the timer is set by drawing a random number in the range [(3checkInt)/4, (5checkInt)/4],