Network Time Protocol (ref: http://www.ntp.org)
Basic Server Configuration:
# time in:
server 0.ca.pool.ntp.org
server 1.ca.pool.ntp.org
server 2.ca.pool.ntp.org
# time out
broadcast 10.0.10.255
# housekeeping
driftfile /var/ntp/ntp.drift
This polls three servers (each ca.pool.ntp.org name resolves to a volunteer server from the public pool, usually stratum 2 or 3 rather than stratum one) and then broadcasts its idea of what time it really is to the local network. Ideally you'll have two or three 'server' systems checking their time against the outside world and broadcasting the result to the local network; that keeps the number of machines talking to outside servers, and the amount of ntp chatter on the local network, down.
If you have iptables going, you need to let udp port 123 in (ntpd answers from source port 123 as well, which is what the rule in the init script below matches), otherwise unicast clients won't be able to reach this server. The broadcasts go out regardless, but a client running its own firewall has to accept udp/123 from the broadcast address or it will never hear them.
Ideal Client Configuration:
# we get our time from the network
broadcastclient
# housekeeping
authenticate no
driftfile /var/ntp/ntp.drift
This is the preferred configuration because clients set up like this behave politely on networks which have no ntp servers and no ntp-server option handed out through dhcp. In practice this configuration rarely survives contact with dhcp, because:
- RedHat 8's dhcpcd will ruthlessly rewrite ntp.conf if the dhcp server tells it about ntp servers. The rewritten ntp.conf file requires the use of authentication, which is practically guaranteed not to be set up ahead of time (making such information practically useless).
- aggressive dhcp servers at client sites force us to pin apollo as the ntp master through a local dhcp option.
Solaris/x86 8.0 seems to like this just fine, so other Solaris revs will probably do the right thing. The xntpd which comes with RedHat 6.1 also does the right thing when configured like this.
Oh yes, forget about using ntp on Netra X1 systems: their clocks are so unstable that xntpd quickly gives up on them. You'll have to put ntpdate or rdate commands into an hourly crontab or something else similarly crude.
RedHat 8.0 Client Configuration:
# we get our time from the network
broadcastclient
broadcastdelay 0.008
# housekeeping
driftfile /etc/ntp/drift
authenticate no
Notes:
- broadcastdelay is merely a guess, inherited from a pre-dhcp-mangled ntp.conf
- in order to make this setup survive repeated dhcp'ing you have to: save it under a different file name (/etc/ntp.conf.gold in the script below), so that dhcpcd's rewrite of /etc/ntp.conf no longer matters; make sure ntpd starts with the -g option (either via OPTIONS in /etc/sysconfig/ntpd or, as below, hard-coded on the daemon line), so it will correct a clock that is more than 1000s out once at start-up instead of refusing to run; and modify /etc/init.d/ntpd so that the system does not attempt an ntpdate operation and invokes ntpd with the saved config file. Mine looks like this:
#!/bin/sh
#
# ntpd          This shell script takes care of starting and stopping
#               ntpd (NTPv4 daemon).
#
# chkconfig: - 58 74
# description: ntpd is the NTPv4 daemon.

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/ntpd ]; then
        . /etc/sysconfig/ntpd
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

ntpconf=/etc/ntp.conf.gold
ntpstep=/etc/ntp/step-tickers

[ -x /usr/sbin/ntpd -a -f $ntpconf ] || exit 0

RETVAL=0
prog="ntpd"

# Is there a firewall running, and does it look like one we configured?
FWACTIVE=
if iptables -L -n 2>/dev/null | grep -q RH-Lokkit-0-50-INPUT ; then
        FWACTIVE=1
fi

start() {
        tickers=''
        if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
                echo -n $"$prog: Opening firewall for port 123"
                iptables -I RH-Lokkit-0-50-INPUT -m udp -p udp -s 0/0 --sport 123 -d 0/0 --dport 123 -j ACCEPT \
                        && success || failure
                echo
        fi
#       if [ -s "$ntpstep" ]; then
#               tickers=`/bin/sed -e 's/#.*$//g' $ntpstep`
#               echo -n $"$prog: Synchronizing with time server: "
#               /usr/sbin/ntpdate -s -b -p 8 $tickers
#               RETVAL=$?
#               [ $RETVAL -eq 0 ] && success || failure
#               echo
#               [ ! $RETVAL -eq 0 ] && return $RETVAL
#       else
#               # -g can replace the grep for time servers
#               # as it permits ntpd to violate its 1000s limit once.
#               OPTIONS="$OPTIONS -g"
#       fi
        # Start daemons.
        # -g can replace the grep for time servers
        # as it permits ntpd to violate its 1000s limit once.
        echo -n $"Starting $prog: "
        daemon ntpd -g $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ntpd
        return $RETVAL
}

stop() {
        # Stop daemons.
        if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
                echo -n $"$prog: Removing firewall opening for port 123"
                iptables -D RH-Lokkit-0-50-INPUT -m udp -p udp -s 0/0 --sport 123 -d 0/0 --dport 123 -j ACCEPT \
                        && success || failure
                echo
        fi
        echo -n $"Shutting down $prog: "
        killproc ntpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ntpd
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status ntpd
        RETVAL=$?
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/ntpd ]; then
                stop
                start
                RETVAL=$?
        fi
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac

exit $RETVAL
You also need to update /etc/sysconfig/ntpd so that you use the updated config file:
# Drop root to id 'ntp:ntp' by default. Requires kernel >= 2.2.18.
OPTIONS="-U ntp -c /etc/ntp.conf.gold"
...although really the better solution is to change the line in /etc/init.d/ntpd that invokes the daemon so it uses the $ntpconf variable the script already defines (then OPTIONS can stay at the stock "-U ntp"). Like this:
daemon ntpd -g -c $ntpconf $OPTIONS
To see what the client is doing:
[root@pioneer10 etc]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*apollo.xdroop.c timekeeper.isi.  2 -   13   64  136    0.354 -547.66 532.645
A * character in the first position shows that the ntp client has selected that server as its system peer and is steering the clock from it; it will do its best to stay reasonably consistent with it. The st column is the server's stratum (apollo is stratum 2 here, so this client runs at stratum 3), reach is an octal register of the last eight polls (377 means all of them were answered; 136 means a few were missed), and delay, offset and jitter are in milliseconds. An offset of half a second is more than ntpd's 128 ms step threshold, so expect a step and then a much smaller number once the daemon settles; if it stays that large something is wrong. This should be good enough for most requirements.
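As an added example (not part of the original page), here is the kind of check a practitioner scripts around that output: it reads ntpq -p on stdin, finds the system peer, decodes the octal reach register, and fails when the offset is above ntpd's 128 ms step threshold. The embedded sample is constructed from the line above; the threshold default and the OK/WARN/CRIT wording are my own choices. Run against the page's sample it warns, because 548 ms is well past 128 ms.

```sh
#!/bin/sh
# Added example, not from the original page: a health check built around the
# "ntpq -p" output shown above. Reads the peer table on stdin, picks the system
# peer (the line marked with "*"), decodes the octal reach register and fails
# when the offset is larger than ntpd's 128 ms step threshold. The threshold
# default and the OK/WARN/CRIT wording are assumptions for illustration.

# Constructed sample, in the shape of the ntpq -p output on the page.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*apollo.xdroop.c timekeeper.isi.  2 -   13   64  136    0.354 -547.66 532.645'

# ntp_syspeer: print the system peer name (leading "*" stripped); exit 1 if
# ntpd has not selected one yet.
ntp_syspeer() {
    awk '/^\*/ { print substr($1, 2); found = 1 }
         END   { exit found ? 0 : 1 }'
}

# ntp_reach_missed OCTAL: reach is an 8-bit shift register, one bit per poll,
# printed in octal (377 = all of the last eight polls answered). Print how
# many of those eight polls got no reply.
ntp_reach_missed() {
    awk -v r="$1" 'BEGIN {
        n = 0
        for (i = 1; i <= length(r); i++) n = n * 8 + substr(r, i, 1)
        missed = 0
        for (i = 0; i < 8; i++) if (int(n / 2^i) % 2 == 0) missed++
        print missed
    }'
}

# ntp_check: read ntpq -p on stdin; exit 0 (OK), 2 (WARN: offset too large)
# or 1 (CRIT: no system peer). Columns: 1 remote, 7 reach, 9 offset (ms).
ntp_check() {
    max=${MAX_OFFSET_MS:-128}   # ntpd steps rather than slews past 128 ms
    awk -v max="$max" '
        /^\*/ {
            found = 1
            peer = substr($1, 2); reach = $7; offset = $9
            off = (offset < 0) ? -offset : offset
            if (off > max) {
                printf "WARN %s offset %s ms exceeds %s ms\n", peer, offset, max
                status = 2
            } else {
                printf "OK %s offset %s ms reach %s\n", peer, offset, reach
                status = 0
            }
        }
        END {
            if (!found) { print "CRIT no system peer selected (no * line)"; status = 1 }
            exit status
        }'
}

# Against the constructed sample this warns: -547.66 ms is far past 128 ms.
# On a live box:  ntpq -p | ntp_check
printf '%s\n' "$SAMPLE_NTPQ" | ntp_check || :
```

Drop it into an hourly cron job or a monitoring plugin and the exit code tells you whether a box has silently lost its time source, which `ntpq -p` by hand only reveals when somebody remembers to look.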
Note that none of these configurations use authentication because we're assuming a non-hostile network. That assumption deserves a second look: a broadcast client accepts time from whoever sends ntp broadcasts on the segment, so any host on that LAN can inject its own time source and push the clients' clocks around. The fix is shared-key authentication (a keys file plus trustedkey on both sides, and key on the broadcast line), but leaving it off sure makes life easier for the lazy (that would be me).
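As an added example (again not from the original page), here is what the authenticated variant looks like, wrapped in a shell script that generates the shared key, installs it with a private file mode and emits both ntp.conf fragments. The keys path (/etc/ntp/keys), key id 1, the restrict lines and the 10.0.10.255 broadcast address are assumptions for illustration; the keys file has to be copied to every client by hand over a trusted channel such as scp, since the whole point is that only holders of the key are believed.

```sh
#!/bin/sh
# Added example, not from the original page: the same broadcast setup with
# symmetric-key (MD5) authentication turned on, so clients only believe
# broadcasts carrying a MAC made with the shared key. The keys path, key id 1,
# the restrict lines and the broadcast address are assumptions for
# illustration; change them to taste.

NTP_KEYS=${NTP_KEYS:-/etc/ntp/keys}   # assumed location; ntpd must be able to read it

# new_ntp_key ID: print one keys-file line "ID M secret". Type M is an MD5 key
# given as printable ASCII (no spaces, no '#'); 16 characters is within the
# length every ntpd release accepts.
new_ntp_key() {
    secret=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16)
    printf '%s M %s\n' "$1" "$secret"
}

# install_keys FILE ID: write a fresh keys file readable by its owner only.
# The same file must be copied to every client over a trusted channel (scp).
install_keys() {
    rm -f "$1"
    ( umask 077; new_ntp_key "$2" > "$1" )
}

# check_keyfile FILE: fail unless the file is private (no group/other bits) and
# every non-comment line has the form "<id> M <1..16 chars>".
check_keyfile() {
    f=$1
    [ -f "$f" ] || { printf 'no keys file %s\n' "$f"; return 1; }
    case $(ls -l "$f" | cut -c5-10) in
        ------) ;;
        *) printf '%s is readable by group/other\n' "$f"; return 1 ;;
    esac
    awk '!/^#/ && NF {
             if (!($1 ~ /^[0-9]+$/ && $2 == "M" && length($3) >= 1 && length($3) <= 16)) bad++
         }
         END { exit bad ? 1 : 0 }' "$f"
}

# server_conf: the page's server config with its broadcasts signed by key 1.
# Unicast polling of the pool stays unauthenticated.
server_conf() {
    cat <<EOF
# time in
server 0.ca.pool.ntp.org
server 1.ca.pool.ntp.org
server 2.ca.pool.ntp.org
# time out: every broadcast carries a MAC under key 1
keys $NTP_KEYS
trustedkey 1
broadcast 10.0.10.255 key 1
# nobody may reconfigure the daemon or read its internals over the network
restrict default nomodify notrap noquery
restrict 127.0.0.1
# housekeeping
driftfile /var/ntp/ntp.drift
EOF
}

# client_conf: the page's broadcast client, but trusting only signed packets.
# The page's "authenticate no" line is deliberately absent: it switches the
# check off.
client_conf() {
    cat <<EOF
# we get our time from the network, from broadcasts signed with key 1 only
keys $NTP_KEYS
trustedkey 1
broadcastclient
restrict default nomodify notrap noquery
restrict 127.0.0.1
# housekeeping
driftfile /var/ntp/ntp.drift
EOF
}

# setup_auth DIR: generate the key and both config fragments under DIR
# (/etc on a real box), then verify the keys file. Non-zero on failure.
setup_auth() {
    dir=$1
    mkdir -p "$dir" || return 1
    NTP_KEYS=$dir/keys
    install_keys "$NTP_KEYS" 1 || return 1
    server_conf > "$dir/ntp.conf.server"
    client_conf > "$dir/ntp.conf.client"
    check_keyfile "$NTP_KEYS"
}
```

With this in place a forged broadcast without the key (or with the wrong one) fails the MAC check and never becomes an association, and ntpq -p on the client shows apollo as its only source. Keep the keys file out of any dhcp-driven rewrite the same way as ntp.conf.gold above, or the first lease renewal will quietly undo it.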