Supporting Frame on a Nutanix AHV Cluster - Time Configuration

Time is a crucial factor when deploying Frame workloads on a Nutanix cluster. If not configured properly within the cluster and infrastructure components, it can prevent the Frame control plane from properly connecting to an on-prem cluster (due to Frame's cloud-based services and the on-prem setup mechanisms). For example, the one-click setup wizard in Prism Central and the Cloud Service account orchestration in the cloud will fail if time is not properly configured.

A key aspect to remember is that you have time configurations in several areas, including:

• The underlying infrastructure of a Nutanix cluster, the Controller Virtual Machines (CVMs) with a Prism Element (PE) console, the AHV hosts/nodes, and Prism Central (PC).
• The underlying infrastructure of Frame, such as the Cloud Connector Appliance (CCA), Workload Proxy Cloud Connector Appliance (WCCA), the Secure Gateway Appliance (SGA) Virtual Machines. (VMs) and the Frame workload VMs that users access (Linux or Windows-based OS VMs).

The Nutanix Control Plane for Frame at https://console.nutanix.com (hosted in a public cloud).

This blog details how to set, check, and verify the underlying hosting infrastructure in a cluster. Items to note include:

• The Frame infrastructure VMs, which get their time from the AHV hosts they reside on.
• The Frame workload VMs that users access, which get their time from the AHV hosts they reside on initially (the VMs will set time according to how they are configured within the OS date/time setup).
• The Frame control plane and its time configuration (managed by Nutanix) and the chosen cloud provider (currently AWS; Azure is forthcoming).

The top considerations for time setup in supporting Frame workloads on a Nutanix cluster are:

• Time synchronization across control plane components.
• The time zone setting across all underlying infrastructure items.

Time Synchronization​

For time synchronization, it is important to stay within a five-minute window of variance for effective communication among the control plane components. The Frame Platform generates security tokens when the user authenticates to Frame that have "not valid before" and "not valid after" timestamps. The Frame infrastructure components use these tokens to determine whether the tokens are valid or not. If the timebase on the on-prem Frame components is off from the internet timebase, then users cannot start sessions. The SGA and the workload VMs will deny users access if the security tokens are not valid (time-wise). Synchronized time allows for the control plane to communicate with the on-prem components securely and for things like SSL certificate validation and service checks. This enables proper orchestration among the users' endpoints, the Nutanix control plane, and the Frame on-prem infrastructure (CCA, WCCA, and SGA).

This requirement is similar to how Microsoft Windows uses a time sync for Kerberos use in Active Directory, with an identical five-minute requirement. If the Windows OS timebase is out of sync with the Kerberos server timebase, then users cannot authenticate to their Windows login.

The Time Zone​

Frame deployments use UTC for time zones. This is critical for two main reasons.

1. The Nutanix control plane for Frame and the on-premises AHV Infrastructure components (CCA, WCCA, SGA VMs) operate in UTC. The infrastructure VMs deployed on-premises use UTC by default, so that they are in the same time zone as the Nutanix control plane for Frame.
2. Having all of the infrastructure components in the same time zone allows for a more consistent logging experience, simplifying resource tracking, session analysis, and troubleshooting.

Verifying Time Zone and Time​

• For the CVMs (AOS), log in to one of the CVMs and run:
  

  allssh ssh root@192.168.5.1 date

• For Prism Central, log in to PC and run
  

  date

• For AHV hosts, log in to one of the CVMs and run

  hostssh ssh root@192.168.5.1 date

  ‍

Configuring Time Zone​

• For AOS:
  

  allssh ncli cluster set-timezone timezone=UTC (example syntax for UTC)

• For Prism Central:
  

  allssh ncli cluster set-timezone timezone=UTC

• For AHV:
  

  hostssh "date; mv /etc/localtime /etc/localtime.bak; ln -s /usr/share/zoneinfo/UTC /etc/localtime; date" (example syntax for UTC)

Configuring Time​

Make sure the time is within five minutes on all components. If not, then resync as follows:

1. To resync the time on the CVMs and AHV hosts
   

   allssh ssh root@192.168.5.1 ntpq -p

2. Stop the ntpd daemon
   

   allssh ssh root@a92.168.5.1 service ntpd stop

3. To update the time from the time servers

   allssh ssh root@192.168.5.1 ntpdate -u us.pool.ntp.org

   ‍
4. Start the ntpd daemon again
   

   allssh ssh root@192.168.5.1 service ntpd start

After performing the tasks noted above where applicable, and verifying that time is set up properly, you can now deploy Frame on a Nutanix AHV cluster with confidence that time configurations will not be a source of impediment to a successful deployment.

To deploy a Frame environment on a Nutanix-hosted cluster, follow these steps as documented in the reference link below on Frame on Nutanix AHV.

References​

• Time Synchronization on Nutanix Cluster
• Web-Console-Guide-Prism- ntp server time sync recommendations
• AHV User VM reverts to UTC timezone after it is power cycled
• Frame on Nutanix AHV