carlos123 Guru
Joined: 12 Feb 2003 Posts: 536 Location: Alberta, Canada.
|
Posted: Thu Mar 13, 2003 11:40 am Post subject: Time synchronization with ntp daemon. |
|
|
FAST START INSTRUCTIONS TO GETTING NTPD RUNNING
(Please NOTE that these instructions are two years old and that things may have changed since I wrote them. I just don't have time to keep them updated these days so if someone wants to change them or let me know how I can let them do that please PM me or just do it - if you know how. Thanks.)
The following instructions will install the ntpd program. After following the instructions below, your system time will automatically be kept accurate by ntpd, which will synchronize your computer's time with that kept by a time server out on the Internet.
- # emerge ntp
- # cp /usr/share/ntp/ntp.conf /etc/ntp.conf
- Find three timeservers from here.
Note: do NOT use a Stratum 1 server unless you are authorized to do so! Using at least three time servers will ensure that your time gets updated if any one or more of the three is not available at any one point in time.
- # nano /etc/ntp.conf
Note: or use any other editor like vi, vim, emacs, etc.
- Add "server <your_timeserver_domain_name>" on a separate line for each of the three time servers you chose earlier.
Note: do NOT add "iburst" to these lines if you have an always on connection to the Internet like ADSL or cable if you want the most accurate time synchronization. Otherwise the time will only be updated about once an hour in a burst. "iburst" is really more for those whose internet connection will generally be getting started and stopped such as with dial-up.
- # nano /etc/conf.d/ntpd
- Uncomment the NTPDATE_CMD="ntpdate" line.
- Uncomment the NTPDATE_OPTS="-b someserver" line.
- Replace "someserver" with the domain name of one of the three servers you chose.
Note: I am not yet sure how to add multiple servers to this line.
- # /etc/init.d/ntpd start
- # rc-update add ntpd default
- Verify that correct time was set by going to http://tycho.usno.navy.mil/cgi-bin/timer.pl (for North American time zones only - use http://www.worldtimeserver.com/ to get International time zones).
- Verify that the time servers are being accessed by typing "ntpq -p" at the command prompt. You should see the time servers being contacted as output.
Discussion leading up to these instructions can be found at https://forums.gentoo.org/viewtopic.php?p=240688#240688. Thanks to forum member, cederberg, for the original idea and set of instructions on which the above are based.
If you turn off your computer and then restart it and the time is off by too great of an amount, ntpd may refuse to start until you manually correct the time and bring it more in line with the correct time. To do that:
- # /etc/init.d/ntpd stop
Note: this is just to stop anything still running that ntpd uses.
- Set your time manually.
- # /etc/init.d/ntpd start
Note: restarts everything needed by ntpd to operate.
If the above or any other instructions don't work check the ntpd log at /var/log/ntpd.log for additional insight as to possible reasons.
A few miscellaneous notes:
ntp is a protocol. ntpd is a daemon that is both an ntp server (serving up time) and an ntp client (getting the time from an ntp server). The ntp server part is not useful unless it gets its time from an external source of time. Under Gentoo "emerging ntp" will install ntpd.
If you see any inaccuracies in these instructions please send me a private email so that I can research and revise the instructions. I will respond to all emails though it might take me a few days.
By sending me a private email it will avoid confusion from those who might read your communication on this thread.
To send me a private email just hit the "pm" button at the bottom of this thread.
If these instructions have helped you I would be overjoyed to hear that too
Thanks.
Carlos
PS. If you are surprised by the great number of times that I have edited these instructions, please be aware that this is due to my search for the perfect and most easily understood instructions and notes, not because the basic instructions themselves needed a lot of revising due to errors.
Last edited by carlos123 on Sat Feb 05, 2005 5:05 pm; edited 26 times in total |
|
|
|
Gnufsh Guru
Joined: 28 Dec 2002 Posts: 400 Location: Portland, OR
|
Posted: Thu Mar 13, 2003 9:59 pm Post subject: |
|
|
You have to emerge ntp first, right? |
|
|
|
AlterEgo Veteran
Joined: 25 Apr 2002 Posts: 1619
|
Posted: Thu Mar 13, 2003 10:04 pm Post subject: |
|
|
Complicated......
I just emerged ntp
and made a cronjob "ntpdate ntp.xs4all.nl" every hour/day whatever.
Simple |
|
|
|
zojas Veteran
Joined: 22 Apr 2002 Posts: 1138 Location: Phoenix, AZ
|
Posted: Thu Mar 13, 2003 10:11 pm Post subject: |
|
|
but ntpd is much better. It actually figures out how much your clock drifts, and can continually and smoothly adjust the clock with sub-second accuracy, rather than jerking it to the correct time once an hour.
also with ntpd you can specify multiple servers in your /etc/ntp.conf file. the ntpd daemon can use more than one time source. |
|
|
|
magne n00b
Joined: 05 Jan 2003 Posts: 27 Location: sarpsborg / norway
|
Posted: Thu Mar 13, 2003 10:22 pm Post subject: |
|
|
yep |
|
|
|
NickDaFish Tux's lil' helper
Joined: 12 Sep 2002 Posts: 112 Location: Boston, USA
|
Posted: Fri Mar 14, 2003 3:39 am Post subject: |
|
|
For those of you with security in mind, you may want to add the following lines to your /etc/ntp.conf.....
Code: |
# By default don't listen to anyone
restrict default ignore
# allow full access to local IPs
restrict 127.0.0.1
restrict 192.168.1.1
# allow time server's packets but don't allow config modifications
restrict 10.0.0.1 nomodify
|
(Example assumes that the host is running on 192.168.1.1 and that the time server is 10.0.0.1)
I *think* that allows you full access, your timeservers limited access and by default ignores everyone else.
If you want to support clients on a 192.168.1.0 network I think you would also need a line like this.....
Code: | restrict 192.168.1.0 mask 255.255.255.0 nomodify |
I say think a lot because there are a lot of cryptic docs (IMHO) for ntp. The page I got most of these options from is here: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html.
EDIT: Discovered that despite what the docs listed above say, you don't appear to be able to use DNS host names with restrict. Anyone with any insight on why not please let me know. |
|
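Added example (not part of the thread, and not code from the ntp project): a small Python check for the restrict layout NickDaFish describes. It flags a missing `restrict default` line, `restrict` entries that are not numeric addresses (the case his EDIT reports as not working), and `server`/`peer` lines that `restrict default ignore` would silence because no restrict entry covers them. The function names and the two extra sample lines (10.0.0.2 and ntp.example.org) are constructed for illustration.

```python
import ipaddress
# Constructed sample: the post's layout plus two made-up lines (10.0.0.2, ntp.example.org).
SAMPLE_CONF = """\
server 10.0.0.1
server 10.0.0.2
restrict default ignore
restrict 127.0.0.1
restrict 10.0.0.1 nomodify
restrict 192.168.1.0 mask 255.255.255.0 nomodify
restrict ntp.example.org nomodify
"""

def parse(conf):
    """Return (servers, restricts); each restrict is (address, mask, flags)."""
    servers, restricts = [], []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) > 1 and tok[0] in ("server", "peer"):
            servers.append(tok[1])
        elif len(tok) > 1 and tok[0] == "restrict":
            rest, mask = tok[2:], None
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            restricts.append((tok[1], mask, set(rest)))
    return servers, restricts

def audit(conf):
    """Return a list of findings for the text of an ntp.conf."""
    servers, restricts = parse(conf)
    findings, nets, default = [], [], None
    for addr, mask, flags in restricts:
        if addr == "default":
            default = flags
            continue
        try:
            cidr = f"{addr}/{mask or '255.255.255.255'}"
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            findings.append(f"restrict {addr}: not a numeric address")
    if default is None:
        findings.append("no 'restrict default' line: unlisted hosts are unrestricted")
    elif "ignore" in default:
        for s in servers:  # with default ignore, each time source needs its own entry
            try:
                covered = any(ipaddress.ip_address(s) in n for n in nets)
            except ValueError:
                findings.append(f"{s}: hostname, cannot be matched to a restrict line")
                continue
            if not covered:
                findings.append(f"{s}: no restrict entry, its replies are ignored")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```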
|
|
scout Veteran
Joined: 08 Mar 2003 Posts: 1991 Location: France, Paris en Semaine / Metz le W-E
|
Posted: Fri Mar 14, 2003 3:02 pm Post subject: |
|
|
To continue with security ... I had to open the udp port "ntp" for ntpd and ntpdate to work (I have a stateful firewall). Could someone confirm for me that ntpd and ntpdate can only use udp? |
|
|
|
Koon Retired Dev
Joined: 10 Dec 2002 Posts: 518
|
Posted: Fri Mar 14, 2003 4:16 pm Post subject: Re: Time synchronization with ntp daemon. |
|
|
carlos123 wrote: | Note: do NOT use a Stratum 1 server unless you are authorized to do so! |
Clean way if you have multiple machines : set up one host as a Stratum 3 (sync with a Stratum 2) and set up the others as Stratum 4 (sync on your Stratum 3 host) : this way you will not overload the Stratum 2 servers !
-K |
|
|
|
Forse Apprentice
Joined: 26 Dec 2002 Posts: 260 Location: /dev/random
|
Posted: Fri Mar 14, 2003 5:14 pm Post subject: nice post |
|
|
Thnx for a nice tip =) |
|
|
|
zojas Veteran
Joined: 22 Apr 2002 Posts: 1138 Location: Phoenix, AZ
|
Posted: Fri Mar 14, 2003 5:22 pm Post subject: |
|
|
scout wrote: | To continue with security ... I had to open the udp port "ntp" for ntpd and ntpdate to work (I have a stateful firewall). Could someone confirm for me that ntpd and ntpdate can only use udp? |
you should only have to open the ports if you want other hosts to be able to use your ntpd to synchronize their clocks. If you just want to get your local clock synchronized, the standard NEW and ESTABLISHED,RELATED rules should allow your ntpd to use ntpds on the internet as time sources.
but since you brought it up, I'm interested in this too for my laptop, so I experimented with iptables. (when I'm at home, I use my laptop as an ntpd peer to my workstation)
to my laptop, i only allowed tcp packets to 123. I logged and dropped udp packets to 123, and also logged (but allowed) tcp packets to 123.
set up ntp on the laptop and got it running. ran it on another machine with the only server entry in ntp.conf as the laptop.
it tried to send udp packets to the laptop, never tried to send tcp packets.
once I allowed the udp packets through and blocked the tcp ones, it worked, 'ntpq -p' on the client machine started giving data about the laptop's ntp server. |
|
|
|
Gnufsh Guru
Joined: 28 Dec 2002 Posts: 400 Location: Portland, OR
|
Posted: Sun Mar 16, 2003 4:25 pm Post subject: Re: Time synchronization with ntp daemon. |
|
|
Koon wrote: | carlos123 wrote: | Note: do NOT use a Stratum 1 server unless you are authorized to do so! |
Clean way if you have multiple machines : set up one host as a Stratum 3 (sync with a Stratum 2) and set up the others as Stratum 4 (sync on your Stratum 3 host) : this way you will not overload the Stratum 2 servers !
-K |
How do I do this? |
|
|
|
zojas Veteran
Joined: 22 Apr 2002 Posts: 1138 Location: Phoenix, AZ
|
Posted: Sun Mar 16, 2003 4:41 pm Post subject: |
|
|
for your local ntp server, put about 5 'server' lines in the ntp.conf file, each 'server' being a different stratum 2 time server on the internet.
like this:
Code: |
server server1
server server2
server server3
server server4
server server5
|
say the host name of your local ntp server is 'one', and you have four other machines, 'two', 'three', 'four', and 'five'. then the ntp.conf file on 'two' should have this in it:
Code: |
server one
peer three
peer four
peer five
|
then the ntp.conf files for the others are similar, so all your internal machines use 'one' as a server and all the other internal machines as peers.
a 'server' line is a host that you will use to set your local clock. a 'peer' is one where the relationship goes both ways; the peer may also ask you for the correct time.
this way 'one' gets time from the internet, and all the others get time from 'one' and also help each other out. |
|
|
|
Gnufsh Guru
Joined: 28 Dec 2002 Posts: 400 Location: Portland, OR
|
|
|
|
Gnufsh Guru
Joined: 28 Dec 2002 Posts: 400 Location: Portland, OR
|
Posted: Sun Mar 16, 2003 4:56 pm Post subject: |
|
|
Do I have to do anything special to the server to get it to reply to incoming requests? |
|
|
|
zojas Veteran
Joined: 22 Apr 2002 Posts: 1138 Location: Phoenix, AZ
|
Posted: Sun Mar 16, 2003 5:07 pm Post subject: |
|
|
not to ntpd by default (your firewall needs to allow udp port 123) |
|
|
|
RayVan n00b
Joined: 12 Aug 2002 Posts: 40 Location: Houston, Tx
|
Posted: Thu Mar 27, 2003 8:48 pm Post subject: |
|
|
AlterEgo wrote: | Complicated......
I just emerged ntp
and made a cronjob "ntpdate ntp.xs4all.nl" every hour/day whatever.
Simple |
Not good. If your clock is running fast, this will 'step' the clock backward, instead of 'skew'ing it. If this ever happens /during/ a compilation, make will give you very odd errors, and you will be extremely confused. Having files created in the future on your drive can be a bad thing.
FYI, the documentation for ntpdate specifically tells you NOT to do this.
Last edited by RayVan on Sun Mar 30, 2003 5:37 am; edited 1 time in total |
|
|
|
cederberg Guru
Joined: 23 Jan 2003 Posts: 349 Location: Stockholm / Sweden
|
Posted: Fri Mar 28, 2003 12:44 am Post subject: |
|
|
RayVan wrote: | AlterEgo wrote: | Complicated......
I just emerged ntp
and made a cronjob "ntpdate ntp.xs4all.nl" every hour/day whatever.
Simple :) |
Not good. If your clock is running fast, this will 'step' the clock backward, instead of 'skew'ing it. If this ever happens /during/ a compilation, make will give you very odd errors, and you will be extremely confused. Having files created in the future on your drive can be a bad thing. |
From reading the ntp distribution documentation, it looks like the ntpdate utility is also to be removed in the future... I'd guess these types of problems are the reason. |
|
|
|
sarnold Developer
Joined: 28 Nov 2002 Posts: 115 Location: California
|
Posted: Sat Mar 29, 2003 2:29 am Post subject: I'm glad you mentioned that... |
|
|
I just wrote a post here on ntp config without using ntpdate. It seems to work just fine, and no waiting for the time to stabilize either (just a short delay when the ntpd init script starts up).
I still need to get auth working, and I also didn't mention the access rules I use on my stratum 3 servers. I think I need to consolidate this stuff into one doc (since I already got a request to do that)... |
|
|
|
Cluster Tux's lil' helper
Joined: 26 Jul 2002 Posts: 146 Location: Cedar Rapids, Iowa
|
Posted: Sat Sep 27, 2003 10:16 pm Post subject: |
|
|
After doing all this (thanks for clear, simple instructions!), is there a way to know that the clock does in fact get corrected and everything is fine? For example, is there a logfile that I can check for recent ntpd activity? |
|
|
|
zojas Veteran
Joined: 22 Apr 2002 Posts: 1138 Location: Phoenix, AZ
|
|
|
|
Cluster Tux's lil' helper
Joined: 26 Jul 2002 Posts: 146 Location: Cedar Rapids, Iowa
|
Posted: Sun Sep 28, 2003 5:43 am Post subject: |
|
|
One more thing: as far as I can see, my machine has now become an NTP server. I read some documentation that says that ntpd can be configured to allow other machines (clients?) to modify the server's time. My question: are the default security settings correct in that my machine can issue time, but does not accept time from any hosts other than those in my configuration files?
Is there anything I should be concerned about, now that I run ntpd? |
|
|
|
TGL Bodhisattva
Joined: 02 Jun 2002 Posts: 1978 Location: Rennes, France
|
Posted: Sun Sep 28, 2003 11:05 am Post subject: |
|
|
Cluster wrote: | After doing all this (thanks for clear, simple instructions!), is there a way to know that the clock does in fact get corrected and everything is fine? For example, is there a logfile that I can check for recent ntpd activity? |
To check that everything is running as expected, you can use ntptrace and ntpq -p. Both have manpages.
And now something different: for people who use dhcp to configure their network, it can be useful to tell dhcpcd not to use the ntp configuration that the dhcp provides (for instance my DSL modem/router provides one). This can be done by adding the -N option to dhcpcd in /etc/conf.d/net:
Code: |
iface_eth0="dhcp"
dhcpcd_eth0="-R -N" |
|
|
|
|
ronmon Veteran
Joined: 15 Apr 2002 Posts: 1043 Location: Key West, FL
|
Posted: Sun Sep 28, 2003 4:45 pm Post subject: |
|
|
To expand on TGL's advice, after extensive man and HOWTO reading, I could not find a way to add the -N option for a pcmcia network device (specifically my Orinoco) to prevent the overwriting of my /etc/ntp.conf. So I added "-c /etc/ntp.conf.good" (after creating the file) to my /etc/conf.d/ntpd file. |
|
|
|
tovrstra n00b
Joined: 13 Aug 2003 Posts: 66 Location: Gent, Belgium
|
Posted: Tue Sep 30, 2003 9:39 am Post subject: |
|
|
Some ntp-related things seem to have changed in the portage tree. Now there is an extra configfile (/etc/conf.d/ntp-client) which contains some parameters that were in (/etc/conf.d/ntpd) before. An init.d script has been added too (/etc/init.d/ntp-client). Both /etc/init.d/ntp-client and /etc/init.d/ntpd have to be started (in this order) to sync the clock. There are still two things I don't understand:
1) Why should /etc/init.d/ntp-client be started first? It only starts ${NTPCLIENT_CMD} >/dev/null ${NTPCLIENT_OPTS}. In my case NTPCLIENT_CMD="ntpdate" and NTPCLIENT_OPTS="-b ntp.telenet.be". After that I start /etc/init.d/ntpd and everything works fine.
2) I set NTPCLIENT_OPTS="-b ntp.telenet.be" in /etc/conf.d/ntp-client, but when I execute ntpq -p I get the three servers configured in /etc/ntp.conf:
Code: |
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)         5 l   23   64  377    0.000    0.000   0.015
+bia.telenet-ops Time2.Stupi.SE   2 u  357  512  377   15.075   20.077   0.584
*mserv.ugent.be  swisstime.ee.et  2 u  292  512  377   32.172   28.298   6.403
+ntp1.belbone.be ntp2-rz.rrze.un  2 u  345  512  377   35.311   -9.690  24.702 |
Why has NTPCLIENT_OPTS="-b ntp.telenet.be" to be set in /etc/conf.d/ntp-client when /etc/ntp.conf has all the info ntpd needs? |
|
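Added example (not from the thread or the ntp project): a Python parser for the `ntpq -p` billboard that TGL recommends and tovrstra posts above, as one way to answer Cluster's question of how to tell that the clock is being corrected. The function names and the 128 ms offset limit are choices made for this example.

```python
# Peer billboard from the post above, column spacing restored. ntpq prints a
# tally code in column one: '*' system peer, '+' candidate, ' ' not selected.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)         5 l   23   64  377    0.000    0.000   0.015
+bia.telenet-ops Time2.Stupi.SE   2 u  357  512  377   15.075   20.077   0.584
*mserv.ugent.be  swisstime.ee.et  2 u  292  512  377   32.172   28.298   6.403
+ntp1.belbone.be ntp2-rz.rrze.un  2 u  345  512  377   35.311   -9.690  24.702
"""

def parse_peers(text):
    """Parse `ntpq -p` output into one dict per peer line."""
    peers = []
    for line in text.splitlines():
        body = line[1:].split()
        if len(body) != 10 or body[1] == "refid":  # skip header, rule and blanks
            continue
        remote, refid, st, kind, _when, poll, reach, delay, offset, jitter = body
        peers.append({
            "tally": line[0], "remote": remote, "refid": refid,
            "stratum": int(st), "type": kind, "poll": int(poll),
            "reach": int(reach, 8),  # octal bitmask of the last 8 polls
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers

def assess(peers, max_offset_ms=128.0):
    """Return (system peer or None, findings); the offset limit is this example's choice."""
    findings = []
    system = next((p["remote"] for p in peers if p["tally"] == "*"), None)
    if system is None:
        findings.append("no system peer ('*'): clock is not synchronized")
    for p in peers:
        answered = bin(p["reach"]).count("1")
        if answered == 0:
            findings.append(f"{p['remote']}: unreachable (reach 0)")
        elif answered < 8:
            findings.append(f"{p['remote']}: reach {p['reach']:o}, {answered} of 8 poll bits set")
        if abs(p["offset"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset']} ms over limit")
    return system, findings

if __name__ == "__main__":
    peer, problems = assess(parse_peers(SAMPLE))
    print("system peer:", peer)
    for msg in problems or ["no findings"]:
        print(" -", msg)
```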
|
|
cederberg Guru
Joined: 23 Jan 2003 Posts: 349 Location: Stockholm / Sweden
|
Posted: Tue Sep 30, 2003 10:01 am Post subject: |
|
|
tovrstra wrote: | 1) Why should /etc/init.d/ntp-client be started first? |
The ntp-client retrieves current time, sets the clock, and quits. This may adjust the clock several hours if needed, depending on how much your machine clock had drifted since it was last shut down. This is a safety measure, as the ntpd daemon cannot compensate for clock drifts that are too large.
The ntpd server that you subsequently start maintains your clock by connecting to several ntp servers. It needs several servers to get the most accurate time. If your computer clock is incorrect, it will be adjusted in small steps (possibly subsecond) making it hardly visible. The ntpd server guarantees that time will always flow forward, and it will not adjust your computer clock backward. Rather, it will make each second a bit longer until the correct time has been reached. It may make large steps forward, though, if I recall correctly.
tovrstra wrote: | Why has NTPCLIENT_OPTS="-b ntp.telenet.be" to be set in /etc/conf.d/ntp-client when /etc/ntp.conf has all the info ntpd needs? |
Well, as ntpdate is a stand-alone program it takes all its arguments on the command-line. It does not read the ntpd server configuration file (ntp.conf). Also, it only needs a single time server, as it will not try to set the clock more than roughly accurate (with a precision of about a second). |
|
|
|
|