NTP
From Gentoo Linux Wiki
The Network Time Protocol (NTP) is used to synchronize your system's time to another system's time.
Since high precision online servers feed the Internet with a high quality shared time, NTP allows the synchronization of every computer in the world in a very accurate fashion.
net-misc/ntp is a very useful application and should be installed on every machine, to ensure time synchronization, correct file and directory timestamps, expected cron behavior, meaningful log timestamps and so on.
net-misc/ntp can also be used to serve time for a network. For example a LAN consisting of Windows and Linux machines can all synchronize to a single NTP server, saving bandwidth.
There are alternative programs to perform time synchronization via NTP, such as OpenNTPD and Chrony.
[edit] About the NTP logic
The NTP protocol is a client/server protocol but also a peer-to-peer protocol.
The servers, in fact, can synchronize each other in a symmetric way.
Referring to a limited number of stratum 1 servers -- directly connected to high precision clocks (normally atomic clocks) -- all other servers take the time from the lower stratum and synchronize each other within the same stratum.
In general, computers that are the same number of hops away from a reference clock are said to be in the same stratum. Computers that have never synchronized are in stratum 16.
Computers in stratum 1 are not always public.
You can find stratum 2 (or higher) servers available on the net and many people try to find stratum 2 servers in their own country to get the best time synchronization.
If you can connect your computers directly to the Internet, normally you'll refer to such stratum 2 servers, but if your computers are connected to each other (for example in a LAN), they can also act as stratum 3 (or higher) and synchronize themselves in the peer-to-peer way.
See the links at the very bottom of this page to learn more (#See Also).
[edit] Installation
Normally, you'll run NTP as a service, called ntpd. ntpd can (and should) easily be set up to run as a non-root user, defaulting to the user ntp.
If you want to drop root privileges when running the NTP daemon, make sure that your kernel has been compiled with the following options (>=2.6.26):
| Linux Kernel Configuration: Linux Capabilities Control Privileges |
Security options --->
[*] File POSIX Capabilities
|
Then you must activate the caps USE flag:
Finally, to install net-misc/ntp, emerge it as usual:
[edit] Configuration
The behavior of NTP is driven by /etc/ntp.conf.
Via this file you can control especially three features of the ntpd service:
- the servers to connect to, as client;
- the clients allowed to connect to your service;
- the hosts to connect to as peers.
The servers are indicated via the server directive, which you must repeat once per server. The iburst option is highly recommended to improve the initial behavior.
The clients and peers are allowed by default to connect to your server. You can manage the restrictions via the restrict directive. Note that a restrict rule with no options "indicates that free access to the server is to be given" (see the man page).
The peer directive indicates the peers to search for.
To learn more, read the (large) man page:
If you have a low-speed/high-latency connection, and if you have iburst option set, consider the calldelay directive.
[edit] Configuration example
See the section below (#Find a Time Server) to find the best time servers.
| Code: /etc/ntp.conf |
# NOTES:
# - you should only have to update the server line below
# - if you start getting lines like 'restrict' and 'fudge'
#   and you didn't add them, AND you run dhcpcd on your
#   network interfaces, be sure to add '-Y -N' to the
#   dhcpcd_ethX variables in /etc/conf.d/net

# Name of the servers ntpd should sync with
# Please respect the access policy as stated by the responsible person.
#server ntp.example.tld iburst

# ================================
# Good stratum 2 servers for Italy
# http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers
# ================================
server ntp1.altarisoluzione.com iburst
server ntp2.altarisoluzione.com iburst
server ntp.prato.linux.it iburst
server quassia.associazione-tp.it iburst
server ntps.net4u.it iburst

# ======================
# Other servers in Italy
# http://www.pool.ntp.org/
# ======================
server 2.it.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst

# Common pool for random people
#server pool.ntp.org

# Pools for Gentoo users
server 0.gentoo.pool.ntp.org
server 1.gentoo.pool.ntp.org
server 2.gentoo.pool.ntp.org
server 3.gentoo.pool.ntp.org

##
# A list of available servers can be found here:
# http://www.pool.ntp.org/
# http://www.pool.ntp.org/#use
# A good way to get servers for your machine is:
# netselect -s 3 pool.ntp.org
##

# you should not need to modify the following paths
driftfile /var/lib/ntp/ntp.drift

#server ntplocal.example.com prefer
#server timeserver.example.org

# Warning: Using default NTP settings will leave your NTP
# server accessible to all hosts on the Internet.

# If you want to deny all machines (including your own)
# from accessing the NTP server, uncomment:
#restrict default ignore

# To deny other machines from changing the
# configuration but allow localhost:
restrict default nomodify nopeer
restrict 127.0.0.1

# To allow machines within your network to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against, uncomment this line.
#
#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
|
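As an added check (example code, not from the Gentoo wiki or the ntp project), the following Python reads the restrict lines of a configuration like the one above and classifies the default policy that the "Warning: Using default NTP settings" comment is about; the sample text is constructed to mirror the example's restrict lines.

```python
"""Lint the restrict directives of an ntp.conf.

Added example, not the wiki's or the ntp project's code.  It collects every
active ``restrict`` line and classifies the ``default`` policy.
"""

# Constructed sample mirroring the restrict lines of the configuration example.
SAMPLE_CONF = """\
server 0.gentoo.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
# To deny other machines from changing the
# configuration but allow localhost:
restrict default nomodify nopeer
restrict 127.0.0.1
#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
"""


def parse_restricts(conf_text):
    """Return {address: set(flags)} for every active restrict line."""
    rules = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        parts = parts[1:]
        if parts[0] in ("-4", "-6"):                 # optional address family
            parts = parts[1:]
        if not parts:
            continue
        addr, flags = parts[0], parts[1:]
        if len(flags) >= 2 and flags[0] == "mask":   # "restrict A mask M ..."
            addr, flags = f"{addr} mask {flags[1]}", flags[2:]
        rules[addr] = set(flags)
    return rules


def default_policy(conf_text):
    """Classify the default restriction.

    'open'        no restrict default, or one without flags: free access
    'ignore'      every packet dropped, including answers from your servers
    'missing-X'   time is served, but flag X (nomodify, nopeer or noquery)
                  is absent; without noquery anyone may run ntpq/ntpdc
                  status queries against the server
    'restricted'  nomodify, nopeer and noquery are all present
    """
    flags = parse_restricts(conf_text).get("default")
    if not flags:
        return "open"
    if "ignore" in flags:
        return "ignore"
    missing = {"nomodify", "nopeer", "noquery"} - flags
    if missing:
        return "missing-" + ",".join(sorted(missing))
    return "restricted"


if __name__ == "__main__":
    print(default_policy(SAMPLE_CONF))   # missing-noquery
```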
[edit] Find a Time Server
There are many public time servers around the world.
The default Gentoo configuration includes a list of "Pools for Gentoo users" (see the example above), but you can choose a server in your own country or right inside your network (if any).
Perhaps the best choice is to start looking for a good set of stratum 2 official public servers.
Generally, you can start reading the official server list, to find geographic servers and low stratum servers.
If you want to learn more about official server you can check the NTP Project site. The NTP Pool Project is a very interesting reading, too.
Finally, you can test the chosen servers via:
or
The last command is available after:
If you are in a corporate or similar local context, perhaps there are one or more local NTP servers, well connected to public servers. In a Windows world you could use a Domain Controller (DC). Ask your network administrator about that.
If your network rules don't allow you to connect to a public server, an internal server should exist.
[edit] Be a Time Server
Simply uncomment the last line of the configuration example:
restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
Naturally, the address/mask pair must match your network configuration and preferences.
If you want to share your time as a peer, you have to omit the nopeer option and add this kind of line:
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap peer hostToConnectAsPeer
If you have a public IP address and if you want to take part in a pool, read joining the pool.
[edit] Zeroconf
If you want to publish the NTP server service on your local network using Zeroconf, add to /etc/ntp.conf,
... multicastclient
Restart the ntpd for the changes to take effect,
See the Avahi article for more information.
[edit] Running the ntpd service
ntpd should always be run as a service, to provide permanent and accurate clock synchronization.
As usual, start the service:
And register the service in your default runlevel, to make it start automatically at boot:
[edit] Setting the hardware clock during shutdown
Hardware clocks are not very accurate. (See the NTP.org article on clock quality.)
Systems keep the clock accurate via software techniques, but when you power off a computer, the hardware time can drift significantly.
To avoid this, you can set your hardware clock during shutdown. For baselayout < 2.0.0:
CLOCK_SYSTOHC="yes"
For baselayout >= 2.0.0:
clock_systohc="YES"
[edit] Checking ntp
It may take up to 4 hours of semi-continuous reachability to calibrate the clock before you reach the correct stratum. If the stratum hasn't changed in a few hours, your synchronization is definitely failing.
When synchronizing with stratum 2 servers, your stratum should settle at stratum 3.
You can check your stratum status (and other info):
assID=0 status=06c4 leap_none, sync_ntp, 12 events, event_peer/strat_chg,
version="ntpd 4.2.4p5@1.1541-o dom nov 23 01:53:44 UTC 2008 (1)",
processor="x86_64", system="Linux/2.6.26-gentoo-r3-s2", leap=00, stratum=3,
precision=-20, rootdelay=1058.355, rootdispersion=197.731, peer=52626,
refid=146.48.81.102,
reftime=ccd71166.f658267e  Wed, Nov 26 2008  1:05:58.962, poll=6,
clock=ccd711f3.a404822a  Wed, Nov 26 2008  1:08:19.640, state=4,
offset=102.200, frequency=-2.919, jitter=47.034, noise=54.332,
stability=0.349, tai=0
You can check what peers you are connected to (and in turn what they are connected to):
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 xntp2.inrim.it  .UTCI.           1 u    8  128  377 1374.95  301.984  42.437
*saguaro.bilink. 193.204.114.232  2 u    5  128  373  522.163 -172.36 103.515
+ns1.nexellent.n 193.67.79.202    2 u    4  128  337  693.205 -95.659 257.506
+jane.telecom.mi 129.69.1.153     2 u    6   64  337  646.135 -101.23 223.258
-tucano.isti.cnr 193.204.114.232  2 u    1  128  317  141.040 -314.45 243.724
-kraken2.bilink. 193.204.114.232  2 u    2  128  377  122.122 -349.67 303.197
+host219-54-stat 193.204.114.232  2 u    4   64  157  413.224 -180.87  89.052
-h180.argonavis. 62.173.184.58    3 u   62   64  377  112.123 -352.11 295.195
 lap             192.108.114.23   3 u   19   64  377    0.001  229.477   6.025
After some hours of connection, if your computer is still stuck at stratum 16, something is going wrong. See the #Troubleshooting section to resolve it.
[edit] Other things
[edit] Setting time now
net-misc/ntp comes with a set of options and tools useful to perform a quick and dirty clock synchronization.
These tools, however, should not be confused with the deprecated ntpdate tool (and with the deprecated startup logic).
If you want to synchronize your system manually, without starting a service, you can run:
This will start the daemon and keep it running until it achieves a good synchronization, then it exits.
The previous command is not really a quick and dirty one: it performs many requests and slews the system clock slowly, to avoid time jumps.
If you need to set your time really quickly (for example if your system time is totally wrong and you're not afraid of time jumps), you can run:
[edit] Setting time at boot
If you really need a quick time synchronization during bootstrap, you can activate the ntp-client service, provided by net-misc/ntp.
At this time (net-misc/ntp-4.2.4_p4) the Gentoo ntp-client service is based on the deprecated ntpdate command (see the man page).
You can easily switch to the sntp command in the way shown below.
# /etc/conf.d/ntp-client
# Command to run to set the clock initially
# Most people should just leave this line alone ...
# however, if you know what you're doing, and you
# want to use ntpd to set the clock, change this to 'ntpd'
#NTPCLIENT_CMD="ntpdate"
NTPCLIENT_CMD="sntp"
# Options to pass to the above command
# This default setting should work fine but you should
# change the default 'pool.ntp.org' to something closer
# to your machine. See http://www.pool.ntp.org/ or
# try running `netselect -s 3 pool.ntp.org`.
#NTPCLIENT_OPTS="-s -b -u \
# 0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org \
# 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
NTPCLIENT_OPTS="-P no -r \
0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org \
2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
where you'll choose your best servers.
The option -P no is only needed if you don't want the ntp-client service to ask questions on the command line in the middle of bootup (after a bigger change in clock time). This is particularly useful on a headless server.
Then you can start the service and add it to the default runlevel, as usual.
The current recommendation, however, doesn't require this.
See this heated discussion (with some dust-up) to learn more.
[edit] Firewall configuration
NTP uses UDP port 123. TCP is not used.
To synchronize with external time servers, the following standard iptables rule is sufficient:
If you want to serve time, your UDP port 123 must be reachable.
Add this before the corresponding DROP lines:
More information on IPTABLES firewall and its settings can be found in the Gentoo Handbook.
[edit] DHCP
If you are using DHCP to get an IP address, dhcpcd will overwrite /etc/ntp.conf by default.
If your DHCP server hands out a valid NTP server this is not a problem. If it does not hand out a valid NTP server, you will want to make sure dhcpcd does not overwrite this file.
You can do this by editing /etc/conf.d/net as such:
dhcpcd_eth0="-N"
Where eth0 is the interface using dhcpcd.
If you are using dhclient instead of dhcpcd to retrieve an IP address, it will also overwrite /etc/ntp.conf. By editing /etc/conf.d/net you can avoid this.
Edit the file to read something like this:
modules=( "dhclient" )
config_eth0=( "dhcp" )
dhcp_eth0=( "nontp" )
More information on DHCP and its settings can be found in the Gentoo Handbook.
[edit] PPP and discontinuous connections
If your Internet connection is a discontinuous PPP connection (e.g. a dial-up connection or a GPRS/UMTS/HSDPA connection) and you start/stop the ntpd service in the typical runlevel-related way, the ntpd daemon will fill your logs with annoying error messages whenever the Internet connection is down.
To avoid this, you can keep the start/stop scripts out of your runlevels and add two simple scripts in the /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ directories:
#!/bin/sh
# Wait 10 seconds for the slow connection and start the ntpd service
sleep 10
if [ -x /etc/init.d/ntpd ]; then
    if ! /etc/init.d/ntpd --quiet status ; then
        /etc/init.d/ntpd --quiet start
    fi
fi
(Don't forget to run some tests to find the best sleep time.)
#!/bin/sh
# Stop the ntpd service after the disconnection
if [ -x /etc/init.d/ntpd ]; then
    if /etc/init.d/ntpd --quiet status ; then
        /etc/init.d/ntpd --quiet stop
    fi
fi
Obviously, in this way you cannot act as a good ntpd server for a LAN.
In addition, you should consider the low speed and high latency of most PPP connections. If you set the iburst option (see above), using a different calldelay could be a good idea:
calldelay 5
[edit] Troubleshooting
[edit] Time is wrong by several hours
If date shows the wrong hour, then check /etc/conf.d/clock and /etc/localtime, as described in the localization guide and the handbook.
Run:
(rather than ntpd) to instantly set the time - quick and dirty.
[edit] Clock drifts
If the clock moves faster or slower than normal, then try adding noapic to the kernel line in /boot/grub/menu.lst.
[edit] No server suitable for synchronization found
Client machines will refuse to synchronize from a stratum 16 time server, with the error message no server suitable for synchronization found.
If you use the Gentoo Home Router Guide, it blocks incoming requests to privileged ports. To avoid this, comment out the two lines
Or add the following above the drop lines:
[edit] Bad file descriptor
If you are seeing Bad file descriptor errors in /var/log/messages, then make sure that only one instance of ntpd is running:
[edit] Error : Servname not supported for ai_socktype
If you are seeing the error message Error : Servname not supported for ai_socktype, then run:
[edit] Gnome's time & date settings
If you have previously tried to set up NTP through Gnome's time & date settings, and are seeing Failed to set clock or NTP socket is in use errors, then uncheck Gnome's "Synchronize clock with Internet servers" box.
[edit] Access Restrictions
If ntpd won't connect to the servers, the access restrictions could be too strict. For example
restrict default ignore
Here ntpd ignores all packets, even the answers from the time servers. The output of the command ntpq -c peers looks like this:
| Code: ntpq -c peers |
remote refid st t when poll reach delay offset jitter
==============================================================================
tack.Informatik .INIT. 16 u - 1024 0 0.000 0.000 4000.00
|
Solution: If you have a firewall which filters access to port 123, you can use somewhat looser restrictions like this:
restrict default kod nomodify notrap nopeer noquery
Without a firewall you can write a strong default restriction and add looser restrictions for each time server:
restrict default ignore
restrict ntp.theremailer.net nomodify notrap nopeer noquery
restrict tick.fh-augsburg.de nomodify notrap nopeer noquery
But you have to manage the restrictions for each time server, which could be too much work. It is better to use a firewall. Note that this example is also inaccurate, as you can't specify hostnames in restrict lines, only IP addresses, which further complicates things.
Also don't forget that if you use the nopeer keyword, then ntpd won't synchronise against any servers covered by that restrict line! (So in the above example, ntpd will never sync against anything, because the two time servers are listed as nopeer and everything else is covered by the ignore line.)
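To turn the ntpq -p output shown under Checking ntp and the .INIT. row above into an automated check (added example code, not from the wiki or the ntp project), the following Python parses the peer table and reports the selected source and any peer that never answered; the two samples are constructed excerpts in the page's layout.

```python
"""Parse ``ntpq -p`` output and report whether ntpd has a sync source.

Added example, not the wiki's or the ntp project's code.
"""

# Constructed excerpts in the layout of the page's ntpq -p output.
PEERS_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 xntp2.inrim.it  .UTCI.           1 u    8  128  377 1374.95  301.984  42.437
*saguaro.bilink. 193.204.114.232  2 u    5  128  373  522.163 -172.36 103.515
+ns1.nexellent.n 193.67.79.202    2 u    4  128  337  693.205 -95.659 257.506
"""

PEERS_INIT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 tack.Informatik .INIT.          16 u    -  1024    0    0.000    0.000 4000.00
"""

TALLY = set("*+#-x.o ")   # selection codes ntpq prints in the first column


def parse_peers(text):
    """Return one dict per peer row, with the tally code split out."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue                                  # blank, header or separator
        tally, rest = (line[0], line[1:]) if line[0] in TALLY else (" ", line)
        fields = rest.split()
        if len(fields) != 10:
            continue                                  # not a peer row
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, _jitter = fields
        peers.append({
            "tally": tally, "remote": remote, "refid": refid,
            "stratum": int(st),
            "reach": int(reach, 8),                   # 8-poll octal shift register
            "offset_ms": float(offset),
        })
    return peers


def sync_status(text):
    """Summarize: the selected source ('*') and peers that never answered."""
    peers = parse_peers(text)
    selected = next((p["remote"] for p in peers if p["tally"] == "*"), None)
    dead = [p["remote"] for p in peers if p["reach"] == 0 or p["stratum"] == 16]
    return {"synced": selected is not None, "source": selected, "unreachable": dead}


if __name__ == "__main__":
    print(sync_status(PEERS_OK))     # synced, source saguaro.bilink.
    print(sync_status(PEERS_INIT))   # not synced, tack.Informatik unreachable
```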
[edit] Failed to Drop root Privileges
If ntpd does not start and /var/log/ntp.log contains the error message cap_set_proc() failed to drop root privileges: Operation not permitted, then check that the kernel "capability" module is loaded, as referred to above.
If the server simply runs as root, then check that you emerged net-misc/ntp with the caps USE flag enabled.
Then check that your /etc/conf.d/ntpd looks like this:
# /etc/conf.d/ntpd

# Options to pass to the ntpd process
# Most people should leave this line alone ...
# however, if you know what you're doing, feel free to tweak
NTPD_OPTS="-u ntp:ntp"
[edit] Other Problems
Read the NTP troubleshooting guide, which includes some online tools for remotely querying your server, to make sure your firewall or your ISP's firewall isn't blocking TCP/UDP port 123.
