ntp

Created by dave. Last edited by dave, 13 years and 223 days ago. Viewed 7,385 times. #4
Network Time Protocol (ref: http://www.ntp.org)

Basic Server Configuration:

# time in:
server 0.ca.pool.ntp.org
server 1.ca.pool.ntp.org
server 2.ca.pool.ntp.org
# time out
broadcast 10.0.10.255
# housekeeping
driftfile /var/ntp/ntp.drift
This checks four or five servers (in this example they are all stratum one servers) and then broadcasts its thoughts on what time it really is to the local network. Ideally you'll have two or three 'server' systems checking their times with the outside world and then broadcasting their results to the local network -- this should lower the amount of noise on the network as systems check their times.

If you have iptables running, you need to ensure that UDP port 123 is permitted in, otherwise clients won't be able to connect to this server.

Ideal Client Configuration:

# we get our time from the network
broadcastclient
# housekeeping
authenticate no
driftfile /var/ntp/ntp.drift
This is the preferred configuration because clients configured like this will behave politely on networks which don't have ntp servers or ntp server options sent through dhcp. This practically never happens because
  • RedHat 8's dhcpcd will ruthlessly rewrite ntp.conf if the server tells it about ntp servers. The re-written ntp.conf file will require the use of authentication, which is practically guaranteed to not be set up ahead of time (making such information practically useless).
  • aggressive dhcp servers at client sites leave us no choice but to force the use of apollo as the ntp master through a local dhcp option
Solaris/x86 8.0 seems to like this just fine, so other solaris revs will probably do the right thing. Also the xntpd which comes with RedHat 6.1 does the right thing when configured like this.

Oh yes, forget about using ntp on Netra X1 systems -- their clocks are so useless that xntpd will quickly give up on them. You'll have to put ntpdate or rdate commands into an hourly crontab or something else similarly crude.

RedHat 8.0 Client Configuration:

# we get our time from the network
broadcastclient
broadcastdelay 0.008
# housekeeping
driftfile /etc/ntp/drift
authenticate no
Notes:
  • broadcastdelay is merely a guess, inherited from a pre-dhcp-mangled ntp.conf
  • in order to make this set up survive repeated dhcp'ing, you have to save it as a different file name (like /etc/ntp.conf.active); then modify /etc/sysconfig/ntp so that the option -g is passed at run time; and finally modify /etc/init.d/ntpd so that the system does not attempt an ntpdate operation and then invokes ntpd with the correct config file. Mine looks like this:
#!/bin/sh
#
# ntpd		This shell script takes care of starting and stopping
#		ntpd (NTPv4 daemon).
#
# chkconfig: - 58 74
# description: ntpd is the NTPv4 daemon.

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/ntpd ];then
	. /etc/sysconfig/ntpd
fi

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

ntpconf=/etc/ntp.conf.gold
ntpstep=/etc/ntp/step-tickers

[ -x /usr/sbin/ntpd -a -f $ntpconf ] || exit 0

RETVAL=0
prog="ntpd"

# Is there a firewall running, and does it look like one we configured?
FWACTIVE=
if iptables -L -n 2>/dev/null | grep -q RH-Lokkit-0-50-INPUT ; then
	FWACTIVE=1
fi

start() {
	tickers=''
	if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
		echo -n $"$prog: Opening firewall for port 123"
		iptables -I RH-Lokkit-0-50-INPUT -m udp -p udp -s 0/0 --sport 123 -d 0/0 --dport 123 -j ACCEPT && success || failure
		echo
	fi
#	if [ -s "$ntpstep" ]; then
#		tickers=`/bin/sed -e 's/#.*$//g' $ntpstep`
#		echo -n $"$prog: Synchronizing with time server: "
#		/usr/sbin/ntpdate -s -b -p 8 $tickers
#		RETVAL=$?
#		[ $RETVAL -eq 0 ] && success || failure
#		echo
#		[ ! $RETVAL -eq 0 ] && return $RETVAL
#	else
#		# -g can replace the grep for time servers
#		# as it permits ntpd to violate its 1000s limit once.
#		OPTIONS="$OPTIONS -g"
#	fi
	# Start daemons.
	# -g can replace the grep for time servers
	# as it permits ntpd to violate its 1000s limit once.
	echo -n $"Starting $prog: "
	daemon ntpd -g $OPTIONS
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/ntpd
	return $RETVAL
}

stop() {
	# Stop daemons.
	if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
		echo -n $"$prog: Removing firewall opening for port 123"
		iptables -D RH-Lokkit-0-50-INPUT -m udp -p udp -s 0/0 --sport 123 -d 0/0 --dport 123 -j ACCEPT && success || failure
		echo
	fi
	echo -n $"Shutting down $prog: "
	killproc ntpd
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ntpd
	return $RETVAL
}

# See how we were called.
case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  status)
	status ntpd
	RETVAL=$?
	;;
  restart|reload)
	stop
	start
	RETVAL=$?
	;;
  condrestart)
	if [ -f /var/lock/subsys/ntpd ]; then
		stop
		start
		RETVAL=$?
	fi
	;;
  *)
	echo $"Usage: $0 {start|stop|restart|condrestart|status}"
	exit 1
esac

exit $RETVAL

You also need to update /etc/sysconfig/ntpd so that you use the updated config file:

# Drop root to id 'ntp:ntp' by default.  Requires kernel >= 2.2.18.
OPTIONS="-U ntp -c /etc/ntp.conf.gold"
...although really the better solution would be to modify the line in /etc/init.d/ntpd which invokes the daemon to use the variable already defined in the script. Like this:
daemon ntpd -g -c $ntpconf $OPTIONS

To see what the client is doing:

[root@pioneer10 etc]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*apollo.xdroop.c timekeeper.isi.  2 -   13   64  136    0.354  -547.66 532.645
A * character in the first position shows that the ntp client has locked on to the server properly and will do its best to stay reasonably consistent. This should be good enough for most requirements.
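The check above is easy to script for monitoring. The following is an added example (not from the original page): it parses ntpq -p output for the selected peer marked with *, and separately flags an offset larger than ntpd's 128 ms step threshold, which is what the sample line shows right after lock-on. The function names and the threshold default are this example's own choices.

```shell
# Added example, not from the original page: parse ntpq -p output, report
# whether a peer is selected (the * tally code) and whether the offset
# is within ntpd's 128 ms step threshold.  Usage: ntpq -p | ntp_sync_check

# Prints "synced <peer> <offset_ms>" and returns 0 when a peer is selected;
# prints "unsynced" and returns 1 otherwise.
ntp_sync_check() {
	awk '
		# columns: remote refid st t when poll reach delay offset jitter;
		# the tally code (*, +, -, x, ., #, space) is glued to the remote name
		substr($1, 1, 1) == "*" { print "synced", substr($1, 2), $9; found = 1; exit }
		END { if (!found) { print "unsynced"; exit 1 } }
	'
}

# Returns 0 when |offset_ms| <= limit_ms (default 128, ntpd's step threshold),
# 1 otherwise: a selected peer with a larger offset is still converging or
# about to be stepped and is worth a second look.
ntp_offset_ok() {
	offset_ms=$1
	limit_ms=${2:-128}
	awk -v o="$offset_ms" -v l="$limit_ms" 'BEGIN { if (o < 0) o = -o; exit !(o <= l) }'
}

# Constructed sample: the ntpq -p output shown on this page.
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*apollo.xdroop.c timekeeper.isi.  2 -   13   64  136    0.354  -547.66 532.645'

status=$(printf '%s\n' "$SAMPLE" | ntp_sync_check) || true
case "$status" in
	synced*)
		peer=$(echo "$status" | cut -d' ' -f2)
		offset=$(echo "$status" | cut -d' ' -f3)
		if ntp_offset_ok "$offset"; then
			echo "ok: locked to $peer, offset $offset ms"
		else
			echo "warn: locked to $peer but offset $offset ms exceeds 128 ms"
		fi ;;
	*)
		echo "warn: no selected peer, clock is not synchronised" ;;
esac
```

On the page's sample the script reports a lock to apollo.xdroop.c but warns about the -547.66 ms offset; a second run a few poll intervals later should show it settle.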

Note that none of these configurations use authentication because we're assuming a non-hostile network -- possibly an incorrect assumption, but it sure makes life easier for the lazy (that would be me).
