Gentoo Forums
Proper ntp config - a short howto

sarnold
Developer

Joined: 28 Nov 2002
Posts: 115
Location: California

Posted: Thu Mar 27, 2003 7:28 am    Post subject: Proper ntp config - a short howto

This is a short howto on ntpd config, the Network Time Protocol. I have a mixed network of ntp v4 and v3, Gentoo and RedHat (ie, new and old). It took a little while to get everything synced up and working, and then updating the Gentoo ntp config to remove ntpdate (since it's deprecated, and will soon go bye-bye). This will only cover basic config, with no authentication. Key generation should be straightforward with the ntp docs and tools. For the definitive docs, see ntp.org

The RedHat setup is a little different, and to get ntp3 and ntp4 working, I had to set each machine (RedHat puts everything in /etc/ntp.conf) like so:

Code:
authenticate  no

as well as the server settings, etc (also required in the Gentoo ntp.conf for this setup; it's left as an exercise for the reader to generate the proper keys for authentication).

For Gentoo, the default ntpdate command to set the clock at boot-up works okay, with a valid server, but then takes about 30 minutes or so to stabilize. If it's your own local server, then other machines won't be able to sync to it until it becomes stable, then they have a 30 minute delay, and so on.

In order to remove the deprecated ntpdate command, I changed the Gentoo ntp config to use the ntp command to set the initial time instead. A side benefit seems to be that the server time becomes stable almost right away (ie, no more 30 minute delay). However, there is a short delay when setting the time at boot-up, so I guess there's a little trade-off...

So if you haven't set up ntp on your machine yet, just 'emerge ntp' and then copy /usr/share/ntp/ntp.conf to /etc/ntp.conf. Then make the following changes to /etc/conf.d/ntpd:

Code:
NTPDATE_CMD="ntpd"
NTPDATE_OPTS="-q -g"
NTPD_OPTS="-b -m"

The last one is not required, unless you want to run your own local servers in broadcast or multicast mode. For a stand-alone machine, leave NTPD_OPTS commented (as suggested in the comments).

Now go to the list of Stratum 2 public ntp servers, and pick at least 2 or 3 from this list. Then you can add them to /etc/ntp.conf like so:

Code:
server          clock.isc.org           iburst
server          ntp.ucsd.edu            iburst
server          chronos1.umt.edu        iburst

Be sure to include the iburst keyword for proper setting of the clock at boot-up (this works with the -q and -g switches to replace the functionality of ntpdate). The example machine in this case would show as a stratum 3 server via ntptrace (or ntpq). Once the above setup is running, try the ntptrace command as root. It should show something like this:

Code:
localhost: stratum 3, offset -0.000077, synch distance 0.26402
br1.umtnet.umt.edu: stratum 2, offset -0.014036, synch distance 0.11276
vega.cbk.poznan.pl: stratum 1, offset -0.015579, synch distance 0.00046, refid 'PPS'


If you want to run your own server(s) for your LAN, then do the same thing on a smaller scale (if possible). I have 3 servers with the above configuration (all at stratum 3), each with a different set of external servers. Then the rest of my local machines all use my 3 servers in their config, putting them at stratum 4. This results in a 2-tiered architecture, with all local clients syncing off of my 3 local servers. Ntp4 has lots of other cool config options, including authentication, access control, multicast, etc. See if you can find something new and interesting, and help eliminate unnecessary temporal flux.

Have fun...

RayVan
n00b

Joined: 12 Aug 2002
Posts: 40
Location: Houston, Tx

Posted: Sun Mar 30, 2003 4:01 am

I'm assuming that you don't use DHCP, since if you do this configuration won't work. The reason is that dhcpd is able to dynamically configure NTP, and unless you turn that feature off (It's on by default, and Gentoo leaves it on) then every time you start dhcpd (every reboot) it will overwrite your /etc/ntp.conf (yours goes to /etc/ntp.conf.sv). This sucks, especially if you reboot more than once before you notice, since the second time your config goes poof. :cry:

To fix, edit /etc/conf.d/net, and add the -N option to dhcp (the comments tell you where to put it). dhcpd also does this to some other protocols (YP and NIS, iirc), so if you notice other network configs vanishing check dhcpd's man page.

(edited to fix typos someone pointed out below)


Last edited by RayVan on Wed Apr 02, 2003 3:41 am; edited 1 time in total

RayVan
n00b

Joined: 12 Aug 2002
Posts: 40
Location: Houston, Tx

Posted: Sun Mar 30, 2003 5:50 am

Yes, I know I responded twice. :) Different subject.

Nice howto, and it will give you a working config, but I disagree on some things. I will add the caveat that I only run ntpd on one machine, but I have messed with it a lot over the years.

sarnold wrote:
This is a short howto on ntpd config, the Network Time Protocol. I have a mixed network of ntp v4 and v3, Gentoo and RedHat (ie, new and old). It took a little while to get everything synced up and working, and then updating the Gentoo ntp config to remove ntpdate (since it's deprecated, and will soon go bye-bye).


I know you aren't, but it should probably be pointed out that using both ntpdate and ntpd on the same machine is not a good idea. In fact, it can actually cause ntpd to 'step' the clock to a wrong time when you start it, and then you will have to wait for it to skew back. This is because when ntpd starts, it uses the info in the driftfile to correct the hardware time for an inaccurate bios clock before it sets the system time. If you set the clock while ntpd isn't running, you bork this.

Also, if you set the time while ntpd isn't running, you will cause ntpd to inaccurately estimate how inaccurate your (hardware) clock is, and it will not properly track the time servers until it has time to 're-estimate' your drift rate.

If you use ntp, you should set your time by hand before you start using ntp, and then NEVER set it by hand (or ntpdate) again unless you notice that ntpd is dying because your clock is over 1000 seconds off. This'll never happen unless something goes wrong (cmos battery, computer off for a LONG time, etc.)

If this sounds confusing, it's because I'm not really being precise when I say 'clock'. Linux has three different clocks (the CMOS clock, the hardware clock, and the software clock), and they all work differently. Google if you really care.

Quote:

For Gentoo, the default ntpdate command to set the clock at boot-up works okay, with a valid server, but then takes about 30 minutes or so to stabilize. If it's your own local server, then other machines won't be able to sync to it until it becomes stable, then they have a 30 minute delay, and so on.


As I said, do NOT use ntpdate if you are using ntpd. The Gentoo config that does this is, quite simply, wrong. It forces ntpd to re-discipline your clock at every reboot (IOW, ignore all that neat stuff in the docs about a 'driftfile', because you're deliberately breaking it).

Quote:

In order to remove the deprecated ntpdate command, I changed the Gentoo ntp config to use the ntp command to set the initial time instead. A side benefit seems to be that the server time becomes stable almost right away (ie, no more 30 minute delay). However, there is a short delay when setting the time at boot-up, so I guess there's a little trade-off...


You don't need to set the time at boot. ntpd will set the time when it starts anyway. Doing it twice just increases the load on your upstream server, especially if you use iburst. The delay at boot is because iburst makes ntpd hit each server eight times, with a pause in between. Immediately quitting and restarting ntpd (which is effectively what you're doing) just discards ntpd's internal data, and makes it hit the same clocks again. Pointless, as far as I can tell.

Quote:

So if you haven't set up ntp on your machine yet, just 'emerge ntp' and then copy /usr/share/ntp/ntp.conf to /etc/ntp.conf. Then make the following changes to /etc/conf.d/ntpd:

Code:
NTPDATE_CMD="ntpd"
NTPDATE_OPTS="-q -g"
NTPD_OPTS="-b -m"

The last one is not required, unless you want to run your own local servers in broadcast or multicast mode. For a stand-alone machine, leave NTPD_OPTS commented (as suggested in the comments).


You shouldn't run 'ntpd -q' instead of ntpdate, unless you intend to only set the clock by calling 'ntpd -q' with a cron job, which is inadvisable unless you run it so often (hourly, according to the docs) that it will never step the clock. This only really makes sense if you're on dialup.

Instead, just run ntpd as a daemon. Its initial behavior when it starts will EXACTLY mirror what 'ntpd -q' does.

IOW, comment out both NTPDATE_CMD and NTPDATE_OPTS. ntpd will then just run normally, as it should.

Quote:

Now go to the list of Stratum 2 public ntp servers, and pick at least 2 or 3 from this list. Then you can add them to /etc/ntp.conf like so:

Code:
server          clock.isc.org           iburst
server          ntp.ucsd.edu            iburst
server          chronos1.umt.edu        iburst



Randomly picking servers is a bad idea for a couple of reasons. First, you get better accuracy if you pick servers that are netwise close to you (and just picking servers in your state will NOT accomplish this). Second, you get better reliability if your upstream clocks sync to different stratum 1 servers.

To pick your servers, it's best to dump a BUNCH (I normally use 20-30) of servers into your config file, let ntpd run for an hour or so, and then look at the output of 'ntpq -p'. Then, pick a few servers with a low 'delay', and different 'refid's. You'll get a more accurate and reliable clock.

It's also nice to add 'maxpoll 17' after iburst. ntpd automatically increases the poll interval after a while, once it has disciplined your clock, and increasing maxpoll decreases load on your upstream server.

And, even though you're not explaining how to set up authentication, using 'autokey' will automatically authenticate your upstream servers, w/o you having to get them to give you a key. I have never found a public server that doesn't support autokey, and adding the keyword is all of the config it takes.

Quote:

Be sure to include the iburst keyword for proper setting of the clock at boot-up (this works with the -q and -g switches to replace the functionality of ntpdate). The example machine in this case would show as a stratum 3 server via ntptrace (or ntpq). Once the above setup is running, try the ntptrace command as root. It should show something like this:

Code:
localhost: stratum 3, offset -0.000077, synch distance 0.26402
br1.umtnet.umt.edu: stratum 2, offset -0.014036, synch distance 0.11276
vega.cbk.poznan.pl: stratum 1, offset -0.015579, synch distance 0.00046, refid 'PPS'



Using 'ntpq -p' would be better. ntptrace just gives info about the server you're currently synced to, and its upstream servers. 'ntpq -p' gives that info (and more) for all of your servers.

Quote:

If you want to run your own server(s) for your LAN, then do the same thing on a smaller scale (if possible). I have 3 servers with the above configuration (all at stratum 3), each with a different set of external servers. Then the rest of my local machines all use my 3 servers in their config, putting them at stratum 4. This results in a 2-tiered architecture, with all local clients syncing off of my 3 local servers. Ntp4 has lots of other cool config options, including authentication, access control, multicast, etc. See if you can find something new and interesting, and help eliminate unnecessary temporal flux.


If you use multicast on your local net, you can avoid having to configure your individual hosts to see your local servers. Your servers will also be able to set (and propagate downstream) the time even if your network uplink or upstream servers are down, and they will be better at rejecting falsetickers (the time will be less accurate, but a group of disciplined hosts that can see each other will drift /very/ slowly even w/o seeing the rest of the world). This makes it harder for someone to spoof you, decreases the need for authentication, and increases reliability (a server w/o upstream hosts will set itself from your other hosts).

You can use multicast securely without authentication by just telling your router to not propagate the ntp multicast address (in my experience, my ISPs don't support multicast), or by just using a different one.
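
The selection procedure described in the post above (load many candidates, let ntpd run, then keep the low-delay servers with different refids from 'ntpq -p') can be scripted. This is an added example, not code from anyone in this thread; the hostnames, refids and timings in SAMPLE are constructed, and the min_polls threshold is an assumption.

```python
"""Rank upstream candidates from `ntpq -p` output: low delay, distinct refids."""
from dataclasses import dataclass

# Constructed sample (not from the thread). Hostnames use the reserved
# .example TLD; refids, reach values and timings are invented.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-a.example   .GPS.            1 u   33   64  377   48.210    1.204   0.611
+ntp-b.example   192.0.2.10       2 u   12   64  377   11.302   -0.871   0.402
+ntp-c.example   192.0.2.10       2 u   40   64  377    9.775   -0.455   0.350
-ntp-d.example   198.51.100.7     2 u   20   64  177   14.020    2.310   1.105
 ntp-e.example   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 ntp-f.example   203.0.113.5      2 u   51   64  377   95.400    0.120   0.900
"""

TALLY_CODES = " *+-#xo."  # column 0 of every peer row in raw ntpq output


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int     # 8-bit shift register of recent polls (ntpq prints octal)
    delay: float   # round-trip delay in milliseconds
    offset: float
    jitter: float

    @property
    def polls_answered(self):
        """How many of the last eight polls got a reply."""
        return bin(self.reach).count("1")

    @property
    def usable(self):
        """False for peers that never answered or are unsynchronised."""
        return self.reach != 0 and self.stratum < 16


def parse_ntpq_peers(text):
    """Parse the peer table printed by `ntpq -p` into Peer records."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue
        # Raw output keeps the tally code in column 0. Pasted output often
        # loses a leading blank, so a non-tally first character is treated
        # as the start of the hostname.
        if line[0] in TALLY_CODES:
            tally, rest = line[0], line[1:]
        else:
            tally, rest = " ", line
        fields = rest.split()
        if len(fields) != 10:
            continue
        remote, refid, st, _type, _when, _poll, reach, delay, offset, jitter = fields
        try:
            peers.append(Peer(tally, remote, refid, int(st), int(reach, 8),
                              float(delay), float(offset), float(jitter)))
        except ValueError:
            continue  # not a data row
    return peers


def pick_upstreams(peers, count=3, min_polls=6):
    """Lowest-delay usable peers, at most one per refid.

    A shared refid means two servers follow the same upstream clock, so
    they fail (or lie) together. min_polls is an assumed stability bar.
    """
    chosen, seen_refids = [], set()
    stable = (p for p in peers if p.usable and p.polls_answered >= min_polls)
    for peer in sorted(stable, key=lambda p: p.delay):
        if peer.refid in seen_refids:
            continue
        chosen.append(peer)
        seen_refids.add(peer.refid)
        if len(chosen) == count:
            break
    return chosen


if __name__ == "__main__":
    table = parse_ntpq_peers(SAMPLE)
    for peer in table:
        if not peer.usable:
            print(f"# {peer.remote}: no replies yet (reach 0 / stratum 16)")
    for peer in pick_upstreams(table):
        print(f"server {peer.remote} iburst maxpoll 17  "
              f"# delay {peer.delay} ms, refid {peer.refid}")
```

Feed it real data with `ntpq -p > peers.txt` after the daemon has run for an hour or so, as the post recommends, and pass the file contents to parse_ntpq_peers.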

bLanark
Apprentice

Joined: 27 Aug 2002
Posts: 181
Location: Royal Berkshire, UK

Posted: Mon Mar 31, 2003 8:37 am    Post subject: dhcp

Quote:
To fix, edit /etc/conf.d/ntp, and add the -Y option to dhcp (the comments tell you where to put it). dhcpd also does this to some other protocols (YP and NIS, iirc), so if you notice other network configs vanishing check dhcpd's man page.


Hmm, I can't find any reference to dhcp or even "-Y" in the /etc/conf.d/ntp file. And there is no man page for dhcp or dhcpd on my machine either.

However, I have an ntp.conf.sv file dated last time my IP address changed (I use dhcp at home, on client site and at the office).

Care to provide some more information on what to put where in conf.d/ntp?

I am running 4.1.1b-r5 on a gentoo 1.4 system

Thanks,
bLanark
_________________
.sig: access denied

RayVan
n00b

Joined: 12 Aug 2002
Posts: 40
Location: Houston, Tx

Posted: Mon Mar 31, 2003 11:29 pm

Sorry, typo. It's /etc/conf.d/net

Another typo is that you need to add -N, not -Y. -Y is to protect your YP config.

It's 'man dhcpcd' (DHCP 'control daemon').

It's also here.

MaRTiaN
Tux's lil' helper

Joined: 22 Apr 2002
Posts: 85
Location: London

Posted: Tue Apr 01, 2003 9:52 am    Post subject: Is something wrong?

I've just tried to set this up. It appears that ntpd is setting my clock right, I have a little alarm clock that updates via radio waves and my pc is almost exactly in sync. However ntpq -p gives me this, which doesn't look right to my untrained eye:

Code:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 hades.hosts.net 0.0.0.0         16 u    -  128    0    0.000    0.000 4000.00
 194.164.127.4   0.0.0.0         16 u    -  128    0    0.000    0.000 4000.00
 194.164.127.5   0.0.0.0         16 u    -  128    0    0.000    0.000 4000.00
 194.164.127.6   0.0.0.0         16 u    -  128    0    0.000    0.000 4000.00


my /etc/ntp.conf is:
Code:
server         time-server.ndo.com      iburst
server         ntp0.sandvika.net            iburst
server         ntp1.sandvika.net            iburst
server         ntp2.sandvika.net            iburst

logfile      /var/log/ntpd.log
driftfile   /var/lib/misc/ntp.drift


I have also uncommented every single one of the security parts (I've messed about with them, doesn't seem to resolve the problem).

The relevant parts of my /etc/conf.d/ntpd :

Code:

NTPDATE_WARN="y"
NTPDATE_CMD="ntpd"
NTPDATE_OPTS="-g -m"
#NTPD_OPTS=""


edit: I commented out the last three servers, I was getting lots of connection refused from them in the logs, but with the first server I get:

Quote:
1 Apr 11:04:44 ntpd[17895]: frequency initialized 0.000 from /var/lib/misc/ntp.drift
1 Apr 11:04:44 ntpd[17902]: signal_no_reset: signal 17 had flags 4000000
1 Apr 11:04:44 ntpd[17904]: signal_no_reset: signal 17 had flags 4000000
1 Apr 11:04:46 ntpd[17902]: server indicates a format error occurred(!!)
1 Apr 11:04:46 ntpd[17902]: signal_no_reset: signal 14 had flags 4000000
1 Apr 11:04:46 ntpd[17904]: server indicates a format error occurred(!!)
1 Apr 11:04:46 ntpd[17904]: signal_no_reset: signal 14 had flags 4000000

_________________
Some people are alive only because it's illegal to kill them.

RayVan
n00b

Joined: 12 Aug 2002
Posts: 40
Location: Houston, Tx

Posted: Wed Apr 02, 2003 1:13 am    Post subject: Re: Is something wrong?

MaRTiaN wrote:

I have also uncommented every single one of the security parts (I've messed about with them, doesn't seem to resolve the problem).

You should turn OFF all of the security stuff until you get it working.
Quote:

The relevant parts of my /etc/conf.d/ntpd :

Code:

NTPDATE_WARN="y"
NTPDATE_CMD="ntpd"
NTPDATE_OPTS="-g -m"
#NTPD_OPTS=""

The '-m' option is what is breaking your ntpd.

This config is wrong anyway, tho. The program run by NTPDATE_CMD should be one that exits after it sets the time (ntpdate, or ntpd -q). You're actually starting ntpd twice, once instead of ntpdate, and then again when it would normally be run. Comment out ALL of those lines. ntpd will still be started, and it should work right.

MaRTiaN
Tux's lil' helper

Joined: 22 Apr 2002
Posts: 85
Location: London

Posted: Wed Apr 02, 2003 1:52 am

No it doesn't. My /etc/ntp.conf was clobbered, though, I changed it to this:

Code:

#restrict default noquery notrust nomodify
#restrict 127.0.0.1
#restrict 213.107.35.0 mask 255.255.255.0

driftfile /etc/ntp.drift
logfile /var/log/ntp.log

authenticate no

server ntp.exnet.com iburst
server         time-server.ndo.com           iburst
 server         ntp0.sandvika.net            iburst
 server         ntp1.sandvika.net            iburst
 server         ntp2.sandvika.net            iburst


I commented the lines in /etc/conf.d/ntpd, and left the warning line in. I got a warning to configure /etc/conf.f/ntp

so I tried putting
Code:
NTPDATE_CMD="ntpd"
 NTPDATE_OPTS="-q -g"


back in; it now tells me it's initializing the clock via ntpd... and sits there for ages without doing anything.

ntpq -p now gives me
Code:

      remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        LOCAL(0)         5 l   18   64  377    0.000    0.000   0.015


there's nothing new in the ntpd.log but ntp.log has this

Code:
 2 Apr 02:47:34 ntpd[22032]: signal_no_reset: signal 17 had flags 4000000
 2 Apr 02:48:16 ntpd[22032]: server indicates a format error occurred(!!)
 2 Apr 02:48:16 ntpd[22032]: server indicates a format error occurred(!!)
 2 Apr 02:48:16 ntpd[22032]: server indicates a format error occurred(!!)
 2 Apr 02:48:16 ntpd[22032]: server indicates a format error occurred(!!)
 2 Apr 02:48:16 ntpd[22032]: signal_no_reset: signal 14 had flags 4000000
 2 Apr 02:48:40 ntpd[22031]: ntpd exiting on signal 2
 2 Apr 02:48:40 ntpd[22032]: ntpd exiting on signal 2
 2 Apr 02:48:40 ntpd[22037]: signal_no_reset: signal 17 had flags 4000000
 2 Apr 02:48:45 ntpd[22035]: ntpd exiting on signal 15


What am I doing wrong? This has got to be the problem that has taken me the longest to solve with Gentoo (compiling aside).
_________________
Some people are alive only because it's illegal to kill them.

bLanark
Apprentice

Joined: 27 Aug 2002
Posts: 181
Location: Royal Berkshire, UK

Posted: Wed Apr 02, 2003 2:36 am    Post subject: Still not enough

Quote:
Sorry, typo. It's /etc/conf.d/net

Another typo is that you need to add -N, not -Y. -Y is to protect your YP config.

It's 'man dhcpcd' (DHCP 'control daemon').

It's also here.


Cheers! (although that online man page doesn't mention it AFAICS)

BTW, this is probably the answer to most of my ntp woes - I wish I knew about DHCP taking over! THANKS!
_________________
.sig: access denied


Last edited by bLanark on Wed Apr 02, 2003 6:26 am; edited 2 times in total

MaRTiaN
Tux's lil' helper

Joined: 22 Apr 2002
Posts: 85
Location: London

Posted: Wed Apr 02, 2003 2:47 am

Thanks, I noticed that earlier and have already changed it. It's getting ntpd to actually work that's causing the problem, unless I use ntpdate, but people keep saying that's getting removed soon. So I'm going to have to get this sorted at one point. I just need a working set of conf files; if someone who uses DHCP could post theirs, then I could just add in servers that are close to me, and that would probably help me see where I'm going wrong.
_________________
Some people are alive only because it's illegal to kill them.

RayVan
n00b

Joined: 12 Aug 2002
Posts: 40
Location: Houston, Tx

Posted: Wed Apr 02, 2003 3:37 am

MaRTiaN wrote:
No it doesn't. My /etc/ntp.conf was clobbered, though.

dhcpcd will do that. Read my earlier comment about adding the -N option.
Quote:

I changed it to this:
Code:

#restrict default noquery notrust nomodify
#restrict 127.0.0.1
#restrict 213.107.35.0 mask 255.255.255.0

driftfile /etc/ntp.drift
logfile /var/log/ntp.log

authenticate no

server ntp.exnet.com iburst
server         time-server.ndo.com           iburst
 server         ntp0.sandvika.net            iburst
 server         ntp1.sandvika.net            iburst
 server         ntp2.sandvika.net            iburst


'authenticate no' isn't a valid config option for ntpd (it's not in the docs for it), and even if it was you wouldn't need it, since no authentication is the default setting. ntpd does no sanity checking on the config file, and the docs specifically warn that weird config options might make it go insane.

'authenticate no' is a command you give to ntpq in interactive mode. I don't know what sarnold was talking about, but I assume that he meant that to use ntpq to control his RedHat machines, he had to feed it that command first.

You would disable authentication in the config file with the line 'disable auth', if that wasn't the default setting. (DO NOT ADD 'disable auth' to your config file, please. Let's keep things simple.)

Given that your server is apparently not seeing any of the lines in your config file past it (since it isn't using the servers, but is logging to the non-default /etc/log/ntp.log) I'm guessing that it is causing the 'format error' that the log is referring to.
Quote:

I commented the lines in /etc/conf.d/ntpd, and left the warning line in. I got a warning to configure /etc/conf.f/ntp

The warning is meaningless, other than as a hint to people who've just installed ntp that it won't work unless you configure it. You will see it if NTPDATE_CMD is not set, unless you comment out NTPDATE_WARN. It in no way at all whatsoever tests if you have a valid configuration, so for your purposes it's meaningless. You can figure out if your config works yourself. Just comment out NTPDATE_WARN. Seriously.
Quote:

so I tried putting
Code:
NTPDATE_CMD="ntpd"
 NTPDATE_OPTS="-q -g"

back in; it now tells me it's initializing the clock via ntpd... and sits there for ages without doing anything.

As I said, comment them out. ntpd WILL STILL BE STARTED. What you're doing is running ntpd twice, which is not only pointless, but actively bad (it gives you a delay at boot, as you noticed (because 'ntpd -q' takes a lot longer than ntpdate to set the time), and increases load on your servers). You do not need to run ntpdate, 'ntpd -q', or anything else from /etc/conf.d/ntp.

I have EVERY SINGLE LINE in /etc/conf.d/ntp commented out, and my config works perfectly. You should do the same. The only thing that might be useful is NTPD_OPTS, and you don't need that either since you can set all needed options in the config file.

I'm not going to bother to post my config files, because you'd just see that /etc/conf.d/ntp is empty, and your ntp.conf is like mine except for that 'authentication' bit, and that I didn't comment out my restrict lines. You can uncomment those, btw...they're not the problem. I thought you meant you'd tried to set keys or something when I told you to turn off the security stuff.

MaRTiaN
Tux's lil' helper

Joined: 22 Apr 2002
Posts: 85
Location: London

Posted: Wed Apr 02, 2003 5:27 pm

Thanks, finally got it working. I'm going to have to learn not to try and configure stuff at 4am when I'm about ready to drop dead with sleep.
I think a big thing is that I was being impatient and expecting to see results immediately. It took about 5 minutes for the clock to sync. :oops:
_________________
Some people are alive only because it's illegal to kill them.

axxackall
l33t

Joined: 06 Nov 2002
Posts: 651
Location: Toronto, Ontario, 3rd Rock From Sun

Posted: Wed Apr 02, 2003 6:35 pm

I have one (and single!) server with a real IP address, which is a firewall for a small 192.168.0.0 LAN. How should my setup of NTP be different from the one described above?

I've already tried an ntp server on that firewall and it seems to be working. ntptrace:
Code:

localhost: stratum 3, offset 0.000049, synch distance 0.12930
time1.chu.nrc.ca: stratum 2, offset -0.013052, synch distance 0.02339
toc.chu.nrc.ca: stratum 1, offset -0.004467, synch distance 0.00116, refid 'PPS'


Then I've tried to install ntp on the workstation inside the LAN, using only one reference to the server. But it doesn't seem to be working. ntptrace:
Code:

localhost: stratum 4, offset -0.000050, synch distance 0.17685
ns: stratum 3, offset -0.004182, synch distance 0.13173
time1.chu.nrc.ca:       *Timeout*

What am I doing wrong? And how can I check the correctness of that workstation's ntp setup?

sarnold
Developer

Joined: 28 Nov 2002
Posts: 115
Location: California

Posted: Sat Apr 05, 2003 12:19 am

Boy, that's some good info above. I don't know what that sarnold guy was thinking either. I need to update my config...

axxackall, it looks like your internal machine sees the server okay. Depending on your internal name resolution setup, you might want to use the IP address in the workstation config.

And try that ntpq -p command instead of ntptrace. That sounds good too :)

sarnold
Developer

Joined: 28 Nov 2002
Posts: 115
Location: California

Posted: Sat Apr 05, 2003 12:53 am    Post subject: me too; different topic also

RayVan, your comments are excellent. I guess I shouldn't place too much stock in experimental evidence (when I don't know what I'm doing) nor in RedHat config files.

Like I said, I had trouble syncing, so I played around with things until I got it working. But the new version of the howto will be much better :) I'm following your advice now, and compiling timing details on 20 or so servers from the stratum 2 list.

I appear to have local broadcast working now, but I'd like to try multicast too (so I have some options to play around with). I'm also updating the old RedHat machines to ntp4 and replacing their borked config files with my own custom one (once I finish it :)

Thank you very much for the feedback.

sarnold
Developer

Joined: 28 Nov 2002
Posts: 115
Location: California

Posted: Sun Apr 20, 2003 10:12 pm    Post subject: ntp howto update

Okay, some of my original write-up is still good, with RayVan's modifications :)

First, for your server machine(s), follow his advice above and collect data from about 25 servers or so. Then pick 2 or 3 (based on low delay and independent RefIDs) for your own local machine.

Then comment out everything in /etc/conf.d/ntpd (that's right, comment out everything in there). All settings should go in /etc/ntp.conf, unless you need to change the server arguments (in which case, you can use the last setting in /etc/conf.d/ntpd to add server command-line options).

Here is my main local server config (stratum 3) for the first machine. Remember, these external servers are close to me; yours will probably be different. The peer line is for my second local server (also stratum 3).

Code:
server ntp.drydog.com  autokey  maxpoll 17
server ntp.tmc.edu  autokey     maxpoll 17
server ntp1.sf-bay.org  autokey maxpoll 17

peer myserver2.mydomain.org
driftfile /etc/ntp/drift

# broadcast on my local subnets
broadcast 192.168.128.255
broadcast 192.168.129.255

#statistics loopstats
#statsdir /var/log/ntp/
#filegen peerstats file peers type day link enable
#filegen loopstats file loops type day link enable

keys            /etc/ntp/keys
#trustedkey     24
requestkey      65004
controlkey      65005


I'm not quite sure about the key stuff yet, as I just started playing with it. I just followed the example I found on the ntp site. Comments and additions are welcome :) Here is my example key file:

Code:
24        M    akey
65004     M    anotherkey
65005     M    onemorekey


My internal client machines all use the above servers, so they end up being stratum 4 machines. Their config is slightly different:

Code:
server           myserver1.mydomain.org            maxpoll 17
server           myserver2.mydomain.org            maxpoll 17

broadcastdelay  0.008
broadcastclient yes

# you should not need to modify the following paths
logfile         /var/log/ntpd.log
driftfile       /etc/ntp/ntp.drift

keys            /etc/ntp/keys
#trustedkey     24
requestkey      65004
controlkey      65005


So everything seems to work, except I get some key errors in the log files on the two servers:

Code:
 ntpd[29804]: cannot change keyid 0, key entry `*' ignored


I could use an explanation, or at least a pointer to something specific (there's so much info at the main ntp site, but it's not very well organized, IMHO). I think part of the problem may be that I couldn't upgrade all the way to the current version on all my machines. I now have these versions:

ntp-4.0.99k-15 on the RedHat machines, and
net-misc/ntp 4.1.1b-r5 on the Gentoo machines.

Any tips?
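
An added example (not from sarnold or the ntp project) that cross-checks the key directives in the server config above against the keys file: every referenced key ID must be defined, at least one key must be listed under trustedkey before symmetric keys can authenticate a time source, and the keys file should not be accessible to other users. The finding codes, the CONF_CONSTRUCTED variant and the file modes passed in are assumptions made for the illustration.

```python
"""Cross-check ntp.conf key directives against the keys file."""

# Key-related lines copied from the server config and keys file in the post.
CONF_FROM_POST = """\
server ntp.drydog.com  autokey  maxpoll 17
peer myserver2.mydomain.org
broadcast 192.168.128.255
keys            /etc/ntp/keys
#trustedkey     24
requestkey      65004
controlkey      65005
"""
KEYS_FROM_POST = """\
24        M    akey
65004     M    anotherkey
65005     M    onemorekey
"""
# Constructed variant: trustedkey enabled, controlkey pointing at an ID
# that the keys file does not define.
CONF_CONSTRUCTED = (CONF_FROM_POST.replace("#trustedkey", "trustedkey")
                    .replace("65005", "65006"))

ASSOCIATION_CMDS = {"server", "peer", "broadcast", "manycastclient"}


def _active_lines(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields


def parse_conf(text):
    """Collect the key IDs that ntp.conf refers to."""
    conf = {"trusted": set(), "control": {}, "assoc": {}}
    for cmd, *args in _active_lines(text):
        if cmd == "trustedkey":
            conf["trusted"].update(int(a) for a in args if a.isdigit())
        elif cmd in ("requestkey", "controlkey") and args and args[0].isdigit():
            conf["control"][cmd] = int(args[0])
        elif cmd in ASSOCIATION_CMDS and "key" in args[1:]:
            # "server host key N"; the "autokey" option is a different token
            idx = args.index("key", 1)
            if idx + 1 < len(args) and args[idx + 1].isdigit():
                conf["assoc"][args[0]] = int(args[idx + 1])
    return conf


def parse_keys(text):
    """Map key ID -> key type from a keys file ("id type key" per line)."""
    return {int(f[0]): f[1] for f in _active_lines(text)
            if len(f) >= 3 and f[0].isdigit()}


def audit(conf_text, keys_text, keys_mode=None):
    """Return (code, detail) findings; keys_mode is the file's st_mode bits."""
    conf, keys = parse_conf(conf_text), parse_keys(keys_text)
    findings = []
    for name, key_id in conf["control"].items():
        if key_id not in keys:
            findings.append(("undefined-key",
                             f"{name} {key_id} is not in the keys file"))
    for key_id in sorted(conf["trusted"] - keys.keys()):
        findings.append(("undefined-key",
                         f"trustedkey {key_id} is not in the keys file"))
    for host, key_id in conf["assoc"].items():
        if key_id not in keys:
            findings.append(("undefined-key",
                             f"{host} uses key {key_id}, not in the keys file"))
        elif key_id not in conf["trusted"]:
            findings.append(("untrusted-key",
                             f"{host} uses key {key_id}, not under trustedkey"))
    if keys and not conf["trusted"]:
        findings.append(("no-trustedkey",
                         "keys are defined but no trustedkey line is active"))
    if keys_mode is not None and keys_mode & 0o007:
        findings.append(("keys-file-mode",
                         f"keys file is accessible to others "
                         f"(mode {keys_mode & 0o777:04o})"))
    return findings


if __name__ == "__main__":
    for label, conf, mode in (("config from the post", CONF_FROM_POST, 0o600),
                              ("constructed variant", CONF_CONSTRUCTED, 0o644)):
        print(label)
        for code, detail in audit(conf, KEYS_FROM_POST, keys_mode=mode):
            print(f"  [{code}] {detail}")
```

On a live system, pass `os.stat("/etc/ntp/keys").st_mode` as keys_mode so the permission check reflects the real file.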

Loial
n00b

Joined: 24 Mar 2003
Posts: 29

Posted: Mon Apr 28, 2003 9:43 pm

I think I tried all the suggestions mentioned. It resulted in these config files:
---------------------
/etc/ntp.conf
server ntp1.theinternetone.net iburst maxpoll 17
server ntp2.theinternetone.net iburst maxpoll 17
server ntp3.theinternetone.net iburst maxpoll 17

restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict (my ext ip network incl. netmask)

fudge 127.127.1.0 stratum 3
driftfile /etc/ntp.drift
logfile /var/log/ntp.log
---------------------
/etc/conf.d/ntpd
all lines are commented out here
---------------------
ntp version installed: 4.1.1b-r5

I then started ntpd:
/etc/init.d/ntpd start

To check what was going on this is what I did:
Code:
Hostname # ntpq -p
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
lnx-4.ams-2.the 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
lnx-7-fe1.ams-2 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
lnx-12-be1.ams- 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
Hostname # ntpq -p
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
lnx-4.ams-2.the time-b.nist.gov  2 u    1   64    1   38.071  -738149   0.015
lnx-7-fe1.ams-2 gps.freebsd.dk   2 u    2   64    1   30.907  -738150   0.015
lnx-12-be1.ams- 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
Hostname # ntpq -p
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
lnx-4.ams-2.the time-b.nist.gov  2 u    5   64    1   38.071  -738149   0.015
lnx-7-fe1.ams-2 gps.freebsd.dk   2 u    6   64    1   30.907  -738150   0.015
lnx-12-be1.ams- ntp0.NL.net      2 u    2   64    1   27.614  -738150   0.015
Hostname # ntpq -p
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
lnx-4.ams-2.the time-b.nist.gov  2 u   12   64    1   38.071  -738149   0.015
lnx-7-fe1.ams-2 gps.freebsd.dk   2 u   13   64    1   30.907  -738150   0.015
lnx-12-be1.ams- ntp0.NL.net      2 u    9   64    1   27.614  -738150   0.015
Hostname # ntpq -p
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
lnx-4.ams-2.the time-b.nist.gov  2 u    1   64    1   28.297  -738150   5.902
lnx-7-fe1.ams-2 gps.freebsd.dk   2 u    -   64    1   32.495  -738150   2.736
lnx-12-be1.ams- ntp0.NL.net      2 u   14   64    1   27.614  -738150   0.015
Hostname # ntpq -p
remote           refid      st t when poll reach   delay   offset  jitter
 ==============================================================================
+lnx-4.ams-2.the time-b.nist.gov  2 u    -   64    1   28.297  -738150   3.434
*lnx-7-fe1.ams-2 gps.freebsd.dk   2 u    1   64    1   26.610  -738151   6.054
lnx-12-be1.ams- ntp0.NL.net      2 u    1   64    1   38.889  -738150   0.645
Hostname # ntpq -p
ntpq: read: Connection refused
Hostname # ntpq -p
ntpq: read: Connection refused
Hostname # ntptrace
localhost:      *Timeout*
Hostname #

I have no idea what happened here. It seems to work at first but then there are these + and * signs in front of the first 2 servernames and then it says Connection refused. Running 'ps axu' doesn't show any ntp program anymore. I'm lost :(

Loial
n00b

Joined: 24 Mar 2003
Posts: 29

Posted: Mon Apr 28, 2003 9:54 pm

okay, never mind my drunk ass ;-)
/var/log/ntp.log is my friend...
seems my time is 7382 seconds out of sync... and that sorta exceeds the sanity limit of 1000 seconds
Ergo the weirdness...

sarnold
Developer

Joined: 28 Nov 2002
Posts: 115
Location: California

Posted: Fri May 02, 2003 9:31 pm    Post subject: good catch

Yeah, I forgot to mention that part :-)

The old ntpdate command would set the time to current before ntp starts up, or you could always set the system time manually with date. But that's a good point that, with a typical ntp configuration, the ntp daemon will die if the local time is more than 1000 seconds off.

Besides, you really don't want ntp changing the time over that broad a range anyway. Setting it close manually, before starting ntpd, is generally a good thing.

Also, I don't think you want the fudge line in there. AFAIK, that's only for an un-disciplined local clock.

slimb
n00b

Joined: 24 Apr 2003
Posts: 9

Posted: Sat May 17, 2003 11:22 pm

Hmm, can't get ntpd to run properly for me, starts fine, but after that I just get

Quote:
17 May 17:44:50 ntpd[3826]: ntpd exiting on signal 15
17 May 17:45:00 ntpd[10129]: frequency initialized 0.000 from /var/lib/misc/ntp.drift
17 May 17:45:00 ntpd[10131]: signal_no_reset: signal 17 had flags 4000000
17 May 17:46:32 ntpd[10129]: ntpd exiting on signal 15
17 May 18:48:10 ntpd[10199]: frequency initialized 0.000 from /var/lib/misc/ntp.drift
17 May 18:48:10 ntpd[10201]: signal_no_reset: signal 17 had flags 4000000
17 May 22:51:12 ntpd[10199]: ntpd exiting on signal 15
17 May 18:51:17 ntpd[10270]: frequency initialized 0.000 from /var/lib/misc/ntp.drift
17 May 18:51:17 ntpd[10272]: signal_no_reset: signal 17 had flags 4000000
17 May 19:11:12 ntpd[10270]: ntpd exiting on signal 15
17 May 19:11:15 ntpd[10355]: frequency initialized 0.000 from /var/lib/misc/ntp.drift
17 May 19:11:15 ntpd[10357]: signal_no_reset: signal 17 had flags 4000000


My /etc/conf.d/ntpd file is entirely commented out. My ntp.conf file looks like so :

Quote:
# NOTES:
# - you should only have to update the server line below
# - if you start getting lines like 'restrict' and 'fudge'
# and you didnt add them, AND you run dhcpcd on your
# network interfaces, be sure to add '-Y -N' to the
# dhcpcd_ethX variables in /etc/conf.d/net

# Name of the servers ntpd should sync with
# Please respect the access policy as stated by the responsible person.
#server ntp.example.tld iburst

server clock.linuxshell.net prefer
server clock.nyc.he.net iburst
server tick.jrc.us iburst
server tock.jrc.us iburst
server ntp0.cornell.edu iburst
server sundial.columbia.edu iburst
server timex.cs.columbia.edu iburst
server fuzz.psc.edu iburst
server clock-1.cs.cmu.edu iburst

#
# A list of available servers is available here:
# http://www.eecis.udel.edu/~mills/ntp/servers.html
# Please follow the rules of engagement and use a
# Stratum 2 server (unless you qualify for Stratum 1)
##

# you should not need to modify the following paths
logfile /var/log/ntpd.log
driftfile /var/lib/misc/ntp.drift

#server ntplocal.example.com prefer
#server timeserver.example.org

# Warning: Using default NTP settings will leave your NTP
# server accessible to all hosts on the Internet.

#
# If you want to deny all machines from accessing
# your NTP server, uncomment:
#
restrict default ignore


# To only deny other machines from changing the
# configuration but allow localhost uncomment:
#
restrict default notrust nomodify
restrict 127.0.0.1


# To allow machines within your network to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against, uncomment this line.
#
#restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap


# To only deny other machines from changing the
# configuration but allow localhost uncomment:
#
#restrict default notrust nomodify
#restrict 127.0.0.1


Any thoughts? ntpq -p shows :

Quote:
remote refid st t when poll reach delay offset jitter
==============================================================================
cpe2-93.dtvk.tp 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
avi-lis.gw.ligh 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
ntp2.jrc.us 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
ntp1.jrc.us 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
cudns.cit.corne 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
filbert.cc.colu 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
cs.columbia.edu 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
mailer1.psc.edu 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
CYAN.SRV.CS.CMU 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00


Can't seem to find anything on the net or here to figure this one out. My only thought is possibly the clock on the PC is invalid, but a date shows :

Sat May 17 19:20:54 EDT 2003

Which is pretty much dead nuts when compared to atomic time (of course when translated into UTC it is).

slimb
n00b

Joined: 24 Apr 2003
Posts: 9

Posted: Sun May 18, 2003 7:46 pm

Hmm seems the first server in my list was timing out and none of the rest wanted to play nice - replaced it with another and all of the rest started to populate properly.
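
A small triage script for the two failure patterns in this thread, Loial's offset beyond the 1000-second limit and slimb's table of servers stuck at stratum 16 with reach 0. It is added here as an example and is not code from any poster or from the ntp project. The sample table is constructed, the finding names are made up for illustration, and it assumes the `ntpq -p` offset column is in milliseconds and the reach column is octal.

```python
PANIC_SECONDS = 1000  # the "sanity limit" quoted in the thread

# Constructed sample in `ntpq -p` layout; hostnames and addresses are placeholders.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp-a.example.o 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
+ntp-b.example.o 192.0.2.10       2 u    1   64    1   28.297 -7382000.1   3.434
*ntp-c.example.o 192.0.2.20       2 u    1   64    1   26.610 -7382001.4   6.054
"""

def parse_peers(text):
    """Return one dict per peer row; headers, prompts and errors are skipped."""
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        # Tally codes that cannot start a hostname; pasted output often loses
        # the leading blank column, so letter tallies (x, o) are not guessed at.
        tally = line[0] if line[:1] in ("*", "+", "-", "#", ".") else ""
        f = line[len(tally):].split()
        if len(f) != 10:
            continue
        try:
            peers.append({
                "remote": f[0], "tally": tally, "stratum": int(f[2]),
                "reach": int(f[6], 8),             # reach register is octal
                "offset_s": float(f[8]) / 1000.0,  # offset column is in ms
            })
        except ValueError:
            continue  # the column-header row lands here
    return peers

def diagnose(peers, panic_s=PANIC_SECONDS):
    """Return (kind, detail) findings for the failure modes seen in the thread."""
    findings = []
    live = [p for p in peers if p["reach"] != 0 and p["stratum"] < 16]
    dead = [p["remote"] for p in peers if p["reach"] == 0 or p["stratum"] >= 16]
    if dead:
        kind = "no_server_answering" if not live else "peer_unreachable"
        findings.append((kind, ", ".join(dead)))
    worst = max((abs(p["offset_s"]) for p in live), default=0.0)
    if worst > panic_s:
        findings.append(("offset_over_limit", f"{worst:.0f}s > {panic_s}s"))
    elif live and not any(p["tally"] == "*" for p in live):
        findings.append(("no_system_peer_yet", ""))
    return findings

if __name__ == "__main__":
    for kind, detail in diagnose(parse_peers(SAMPLE)):
        print(kind, detail)
```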