Difference between revisions of "Network Time Protocol daemon"

From ArchWiki
Jump to: navigation, search
m (Running in a chroot: mark as out of date)
m (Style fixes.)
Line 8: Line 8:
 
This article describes how to set up and run NTPd (Network Time Protocol daemon), the most common method to synchronize the [[Time|software clock]] of a GNU/Linux system with internet time servers using the [[Wikipedia:Network Time Protocol|Network Time Protocol]]; if set up correctly, NTPd can make your computer act as a time server itself.
 
This article describes how to set up and run NTPd (Network Time Protocol daemon), the most common method to synchronize the [[Time|software clock]] of a GNU/Linux system with internet time servers using the [[Wikipedia:Network Time Protocol|Network Time Protocol]]; if set up correctly, NTPd can make your computer act as a time server itself.
  
==Installation==
+
== Installation ==
[[pacman|Install]] {{pkg|ntp}}, available in the [[Official Repositories]].
+
  
==Configuration==
+
[[pacman|Install]] {{Pkg|ntp}}, available in the [[official repositories]].
{{Tip|The {{pkg|ntp}} package is installed with a default {{ic|/etc/ntp.conf}} that should make NTPd work without requiring custom configuration.}}
+
 
 +
An alternative to NTPd is '''Chrony''', a dial-up friendly and specifically designed for systems that are not online all the time. See the dedicated [[Chrony|article]].
 +
 
 +
== Configuration ==
 +
 
 +
{{Tip|The ''ntp'' package is installed with a default {{ic|/etc/ntp.conf}} that should make NTPd work without requiring custom configuration.}}
 +
 
 +
=== Configuring connection to NTP servers ===
  
===Configuring connection to NTP servers===
 
 
The first thing you define in your {{ic|/etc/ntp.conf}} is the servers your machine will synchronize to.
 
The first thing you define in your {{ic|/etc/ntp.conf}} is the servers your machine will synchronize to.
  
Line 30: Line 35:
 
The {{ic|iburst}} option is recommended, and sends a burst of packets only if it cannot obtain a connection with the first attempt. The {{ic|burst}} option always does this, even on the first attempt, and should never be used without explicit permission and may result in blacklisting.
 
The {{ic|iburst}} option is recommended, and sends a burst of packets only if it cannot obtain a connection with the first attempt. The {{ic|burst}} option always does this, even on the first attempt, and should never be used without explicit permission and may result in blacklisting.
  
===Configuring your own NTP server===
+
=== Configuring your own NTP server ===
 +
 
 
If setting up an NTP server, you need to add [http://www.ntp.org/ntpfaq/NTP-s-refclk.htm#Q-LOCAL-CLOCK ''local clock''] as a server, so that, in case it loses internet access, it will continue serving time to the network; add ''local clock'' as a stratum 10 server (using the ''fudge'' command) so that it will never be used unless internet access is lost:
 
If setting up an NTP server, you need to add [http://www.ntp.org/ntpfaq/NTP-s-refclk.htm#Q-LOCAL-CLOCK ''local clock''] as a server, so that, in case it loses internet access, it will continue serving time to the network; add ''local clock'' as a stratum 10 server (using the ''fudge'' command) so that it will never be used unless internet access is lost:
  
Line 40: Line 46:
 
  restrict default nomodify nopeer noquery
 
  restrict default nomodify nopeer noquery
  
This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: {{ic|nomodify}} prevents reconfiguring your ntpd (with ''ntpq'' or ''ntpdc''), and {{ic|noquery}} prevents dumping status data from your ntpd (also with ''ntpq'' or ''ntpdc'').
+
This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: {{ic|nomodify}} prevents reconfiguring your NTPd (with ''ntpq'' or ''ntpdc''), and {{ic|noquery}} prevents dumping status data from your NTPd (also with ''ntpq'' or ''ntpdc'').
  
 
You can also add other options:
 
You can also add other options:
Line 50: Line 56:
 
Full docs for the "restrict" option are in {{ic|man ntp_acc}}. See https://support.ntp.org/bin/view/Support/AccessRestrictions for detailed instructions.
 
Full docs for the "restrict" option are in {{ic|man ntp_acc}}. See https://support.ntp.org/bin/view/Support/AccessRestrictions for detailed instructions.
  
Following this line, you need to tell ''ntpd'' what to allow through into your server; the following line is enough if you are not configuring an NTP server:
+
Following this line, you need to tell NTPd what to allow through into your server; the following line is enough if you are not configuring an NTP server:
  
 
  restrict 127.0.0.1
 
  restrict 127.0.0.1
Line 64: Line 70:
 
  logfile /var/log/ntp.log
 
  logfile /var/log/ntp.log
  
A very basic configuration file will look like this ('''all comments have been stripped out for clarity'''):
+
A very basic configuration file will look like this:
  
 
{{hc|/etc/ntp.conf|
 
{{hc|/etc/ntp.conf|
Line 82: Line 88:
 
}}
 
}}
  
{{Note|Defining the log file is not mandatory, but it is always a good idea to have feedback for ''ntpd'' operations.}}
+
{{Note|Defining the log file is not mandatory, but it is always a good idea to have feedback for NTPd operations.}}
 +
 
 +
=== Other resources about NTP configuration ===
  
===Other resources about NTP configuration===
 
 
In conclusion, never forget man pages: {{ic|man ntp.conf}} is likely to answer any doubts you could still have (see also the related man pages: {{ic|man <nowiki>{ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}</nowiki>}}).
 
In conclusion, never forget man pages: {{ic|man ntp.conf}} is likely to answer any doubts you could still have (see also the related man pages: {{ic|man <nowiki>{ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}</nowiki>}}).
  
==Using without daemon==
+
== Using without daemon ==
 +
 
 
To synchronize your system clock just once, without starting the NTP daemon, run:
 
To synchronize your system clock just once, without starting the NTP daemon, run:
 
  # ntpd -q
 
  # ntpd -q
Line 96: Line 104:
 
  # hwclock -w
 
  # hwclock -w
  
===Synchronize once per boot===
+
=== Synchronize once per boot ===
 +
 
 
{{Warning|Using this method is discouraged on servers and in general on machines that run without rebooting for more than a few days.}}
 
{{Warning|Using this method is discouraged on servers and in general on machines that run without rebooting for more than a few days.}}
  
Line 112: Line 121:
 
WantedBy=multi-user.target}}
 
WantedBy=multi-user.target}}
  
and enable it: {{bc|# systemctl enable ntp-once}}
+
and enable it.
Note that a [[systemd]] unit of the type ''oneshot'' executes once only. Hence the {{ic|ntpd -q}} option should not be used in this case.
+
{{Note|A [[systemd]] unit of the type ''oneshot'' executes once only. Hence the {{ic|ntpd -q}} option should not be used in this case.}}
  
==Running as a daemon==
+
=== Netctl ===
  
To start ntpd:
+
To synchronize your system clock along with a network connection through the use with [[Netctl]]. You can append the following line to your netctl profile.
{{bc|# systemctl start ntpd}}
+
ExecUpPost='/usr/bin/ntpd -q || true'
  
To enable ntpd at startup:
+
=== NetworkManager ===
{{bc|# systemctl enable ntpd}}
+
  
Or alternatively with the command:
+
{{Note|''ntpd'' should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.}}
{{bc|# timedatectl set-ntp 1}}
+
NTPd can be brought up/down along with a network connection through the use of [[NetworkManager#Network services with NetworkManager dispatcher|NetworkManager's dispatcher scripts]]. You will need to install {{Pkg|networkmanager-dispatcher-ntpd}} from the [[official repositories]].
  
===Check whether the daemon is synchronizing correctly===
+
== Running as a daemon ==
Use ntpq to see the list of configured peers:
+
{{bc|$ ntpq -np}}
+
The delay, offset and jitter columns should be non-zero. The servers ntpd is synchronizing with are prefixed by an asterisk. It can take several minutes before ntpd selects a server to synchronize with; try checking after 17 minutes (1024 seconds).
+
  
===Netctl===
+
Start ''ntpd'' [[daemon|service]]. To start at boot either enable it or alternatively use the command:
To synchronize your system clock along with a network connection through the use with [[Netctl]]. You can append the following line to your netctl profile.
+
# timedatectl set-ntp 1
{{bc|<nowiki>ExecUpPost='/usr/bin/ntpd -q || true'</nowiki>}}
+
 
 +
=== Check whether the daemon is synchronizing correctly ===
 +
 
 +
Use ''ntpq'' to see the list of configured peers:
 +
$ ntpq -np
 +
The delay, offset and jitter columns should be non-zero. The servers NTPd is synchronizing with are prefixed by an asterisk. It can take several minutes before NTPd selects a server to synchronize with; try checking after 17 minutes (1024 seconds).
  
===NetworkManager===
+
=== Running in a chroot ===
{{Note|ntpd should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.}}
+
''ntpd'' can be brought up/down along with a network connection through the use of [[NetworkManager#Network services with NetworkManager dispatcher|NetworkManager's dispatcher scripts]]. You will need to install {{Pkg|networkmanager-dispatcher-ntpd}} from the [[official repositories]].
+
  
===Running in a chroot===
 
 
{{Out of date|{{ic|ntpd.service}} does not use {{ic|/etc/conf.d/ntpd.conf}} anymore}}
 
{{Out of date|{{ic|ntpd.service}} does not use {{ic|/etc/conf.d/ntpd.conf}} anymore}}
{{Note|ntpd should be run as non-root before attempting to jail it in a chroot (default in the vanilla Arch Linux package), since chroots are relatively useless at securing processes running as root.}}
+
{{Note|''ntpd'' should be run as non-root before attempting to jail it in a chroot (default in the vanilla Arch Linux package), since chroots are relatively useless at securing processes running as root.}}
  
 
Edit {{ic|/etc/conf.d/ntpd.conf}} and change
 
Edit {{ic|/etc/conf.d/ntpd.conf}} and change
Line 172: Line 179:
 
  # mount -a
 
  # mount -a
  
Finally, restart the daemon again:
+
Finally, restart ''ntpd'' daemon again.
# systemctl restart ntpd
+
  
It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.
+
It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as NTPd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.
  
==Alternatives==
+
== See also ==
An alternative to NTPd is [[Chrony]], a dial-up friendly and specifically designed for systems that are not online all the time.
+
  
==See also==
 
 
* [[Time]] (for more information on computer timekeeping)
 
* [[Time]] (for more information on computer timekeeping)
 
==External links==
 
 
* http://www.ntp.org/
 
* http://www.ntp.org/
 
* http://support.ntp.org/
 
* http://support.ntp.org/

Revision as of 12:48, 11 November 2013

This article describes how to set up and run NTPd (Network Time Protocol daemon), the most common method to synchronize the software clock of a GNU/Linux system with internet time servers using the Network Time Protocol; if set up correctly, NTPd can make your computer act as a time server itself.

Installation

Install ntp, available in the official repositories.

An alternative to NTPd is Chrony, a dial-up friendly and specifically designed for systems that are not online all the time. See the dedicated article.

Configuration

Tip: The ntp package is installed with a default /etc/ntp.conf that should make NTPd work without requiring custom configuration.

Configuring connection to NTP servers

The first thing you define in your /etc/ntp.conf is the servers your machine will synchronize to.

NTP servers are classified in a hierarchical system with many levels called strata: the devices which are considered independent time sources are classified as stratum 0 sources; the servers directly connected to stratum 0 devices are classified as stratum 1 sources; servers connected to stratum 1 sources are then classified as stratum 2 sources and so on.

It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the pool.ntp.org servers (alternate link) and choose the server pool that is closest to your location.

The following lines are just an example:

/etc/ntp.conf
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

The iburst option is recommended, and sends a burst of packets only if it cannot obtain a connection with the first attempt. The burst option always does this, even on the first attempt, and should never be used without explicit permission and may result in blacklisting.

Configuring your own NTP server

If setting up an NTP server, you need to add local clock as a server, so that, in case it loses internet access, it will continue serving time to the network; add local clock as a stratum 10 server (using the fudge command) so that it will never be used unless internet access is lost:

server 127.127.1.0
fudge  127.127.1.0 stratum 10

Next, define the rules that will allow clients to connect to your service (localhost is considered a client too) using the restrict command; you should already have a line like this in your file:

restrict default nomodify nopeer noquery

This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: nomodify prevents reconfiguring your NTPd (with ntpq or ntpdc), and noquery prevents dumping status data from your NTPd (also with ntpq or ntpdc).

You can also add other options:

restrict default kod nomodify notrap nopeer noquery
Note: This still allows other people to query your time server. You need to add noserve to stop serving time. It will also block time synchronization since it blocks all packets except ntpq and ntpdc queries.

Full docs for the "restrict" option are in man ntp_acc. See https://support.ntp.org/bin/view/Support/AccessRestrictions for detailed instructions.

Following this line, you need to tell NTPd what to allow through into your server; the following line is enough if you are not configuring an NTP server:

restrict 127.0.0.1

If you want to force DNS resolution to the IPv6 namespace, write -6 before the IP address or host name (-4 forces IPv4 instead), for example:

restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1

Lastly, specify the drift file (which keeps track of your clock's time deviation) and optionally the log file location:

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

A very basic configuration file will look like this:

/etc/ntp.conf
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1  

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
Note: Defining the log file is not mandatory, but it is always a good idea to have feedback for NTPd operations.

Other resources about NTP configuration

In conclusion, never forget man pages: man ntp.conf is likely to answer any doubts you could still have (see also the related man pages: man {ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}).

Using without daemon

To synchronize your system clock just once, without starting the NTP daemon, run:

# ntpd -q
Note: This has the same effect as the now deprecated ntpdate.

After updating the system clock, store the time to the hardware clock so that it is preserved when rebooting:

# hwclock -w

Synchronize once per boot

Warning: Using this method is discouraged on servers and in general on machines that run without rebooting for more than a few days.

Write a oneshot systemd unit:

/etc/systemd/system/ntp-once.service
[Unit]
Description=Network Time Service (once)
After=network.target nss-lookup.target 

[Service]
Type=oneshot
ExecStart=/usr/bin/ntpd -g -u ntp:ntp ; /usr/bin/hwclock -w

[Install]
WantedBy=multi-user.target

and enable it.

Note: A systemd unit of the type oneshot executes once only. Hence the ntpd -q option should not be used in this case.

Netctl

To synchronize your system clock along with a network connection through the use with Netctl. You can append the following line to your netctl profile.

ExecUpPost='/usr/bin/ntpd -q || true'

NetworkManager

Note: ntpd should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.

NTPd can be brought up/down along with a network connection through the use of NetworkManager's dispatcher scripts. You will need to install networkmanager-dispatcher-ntpd from the official repositories.

Running as a daemon

Start ntpd service. To start at boot either enable it or alternatively use the command:

# timedatectl set-ntp 1

Check whether the daemon is synchronizing correctly

Use ntpq to see the list of configured peers:

$ ntpq -np

The delay, offset and jitter columns should be non-zero. The servers NTPd is synchronizing with are prefixed by an asterisk. It can take several minutes before NTPd selects a server to synchronize with; try checking after 17 minutes (1024 seconds).

Running in a chroot

Tango-view-refresh-red.pngThis article or section is out of date.Tango-view-refresh-red.png

Reason: ntpd.service does not use /etc/conf.d/ntpd.conf anymore (Discuss in Talk:Network Time Protocol daemon#)
Note: ntpd should be run as non-root before attempting to jail it in a chroot (default in the vanilla Arch Linux package), since chroots are relatively useless at securing processes running as root.

Edit /etc/conf.d/ntpd.conf and change

NTPD_ARGS="-g -u ntp:ntp"

to

NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp"

Then, edit /etc/ntp.conf to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:

driftfile       /var/lib/ntp/ntp.drift

to

driftfile       /ntp.drift

Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):

# mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services

and by bind-mounting the aformentioned files:

/etc/fstab
...
#ntpd chroot mounts
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf none bind 0 0
/etc/services	  /var/lib/ntp/etc/services none bind 0 0
/lib		  /var/lib/ntp/lib none bind 0 0
/proc		  /var/lib/ntp/proc none bind 0 0
# mount -a

Finally, restart ntpd daemon again.

It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as NTPd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.

See also