Difference between revisions of "Network Time Protocol daemon"
m (→NetworkManager: fix section level)
(move "Running as a daemon" under "Usage" as discussed in Talk:Network Time Protocol daemon#New structure?)
|Line 138:||Line 138:|
== Usage ==
== Usage ==
=== Using without daemon ===
=== Using without daemon ===
|Line 197:||Line 210:|
/usr/bin/ntpd -gq || true
/usr/bin/ntpd -gq || true
== See also ==
== See also ==
Revision as of 13:22, 25 February 2014
zh-CN:Network Time Protocol daemon Network Time Protocol is the most common method to synchronize the software clock of a GNU/Linux system with internet time servers. It is designed to mitigate the effects of variable network latency and can usually maintain time to within tens of milliseconds over the public Internet. The accuracy on local area networks is even better, up to one millisecond.
The NTP Project provides a reference implementation of the protocol called simply NTP. An alternative to NTP is Chrony, a dial-up friendly and specifically designed for systems that are not online all the time, and OpenNTPD, part of the OpenBSD project and currently not maintained for Linux.
This article further describes how to set up and run the NTP daemon, both as a client and as a server.
- 1 Installation
- 2 Configuration
- 3 Usage
- 4 Autostarting
- 5 See also
The main daemon is ntpd, which is configured in
The ntp package provides a default configuration file that should make ntpd work out of the box in client mode, without requiring custom configuration.
Configuring connection to NTP servers
If you want to configure
/etc/ntp.conf manually, first thing you define is the servers your machine will synchronize to.
NTP servers are classified in a hierarchical system with many levels called strata: the devices which are considered independent time sources are classified as stratum 0 sources; the servers directly connected to stratum 0 devices are classified as stratum 1 sources; servers connected to stratum 1 sources are then classified as stratum 2 sources and so on.
It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the pool.ntp.org servers (alternative link) and choose the server pool that is closest to your location.
The following lines are just an example:
server 0.pool.ntp.org iburst server 1.pool.ntp.org iburst server 2.pool.ntp.org iburst server 3.pool.ntp.org iburst
iburst option is recommended, and sends a burst of packets only if it cannot obtain a connection with the first attempt. The
burst option always does this, even on the first attempt, and should never be used without explicit permission and may result in blacklisting.
Configuring your own NTP server
If setting up an NTP server, you need to add local clock as a server, so that, in case it loses internet access, it will continue serving time to the network; add local clock as a stratum 10 server (using the fudge command) so that it will never be used unless internet access is lost:
server 127.127.1.0 fudge 127.127.1.0 stratum 10
Next, define the rules that will allow clients to connect to your service (localhost is considered a client too) using the restrict command; you should already have a line like this in your file:
restrict default nomodify nopeer noquery
This restricts everyone from modifying anything and prevents everyone from querying the status of your time server:
nomodify prevents reconfiguring ntpd (with ntpq or ntpdc), and
noquery prevents dumping status data from ntpd (also with ntpq or ntpdc).
You can also add other options:
restrict default kod nomodify notrap nopeer noquery
noserveto stop serving time. It will also block time synchronization since it blocks all packets except ntpq and ntpdc queries.
Following this line, you need to tell ntpd what to allow through into your server; the following line is enough if you are not configuring an NTP server:
If you want to force DNS resolution to the IPv6 namespace, write
-6 before the IP address or host name (
-4 forces IPv4 instead), for example:
restrict -6 default kod nomodify notrap nopeer noquery restrict -6 ::1 # ::1 is the IPv6 equivalent for 127.0.0.1
Lastly, specify the drift file (which keeps track of your clock's time deviation) and optionally the log file location:
driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp.log
A very basic configuration file will look like this:
server 0.pool.ntp.org iburst server 1.pool.ntp.org iburst server 2.pool.ntp.org iburst server 3.pool.ntp.org iburst restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery restrict 127.0.0.1 restrict -6 ::1 driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp.log
Running in a chroot
/etc/conf.d/ntpd.conf and change
NTPD_ARGS="-g -u ntp:ntp"
NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp"
/etc/ntp.conf to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:
Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):
# mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc # touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services
and by bind-mounting the aformentioned files:
... #ntpd chroot mounts /etc/resolv.conf /var/lib/ntp/etc/resolv.conf none bind 0 0 /etc/services /var/lib/ntp/etc/services none bind 0 0 /lib /var/lib/ntp/lib none bind 0 0 /proc /var/lib/ntp/proc none bind 0 0
# mount -a
ntpd daemon again.
It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.
Other resources about NTP configuration
In conclusion, never forget manual pages:
man ntp.conf is likely to answer any doubts you could still have (see also the related manual pages:
As a daemon
noquerydisables responses for the
monlistcommand. If a user removes
noqueryfrom their configuration, and does not add
disable monlist, then that user is vulnerable. See the arch-dev mailing list post and the aforementioned CVE report for more information.
ntpd.service with systemctl. To have it started at boot also enable it, or alternatively use the command:
# timedatectl set-ntp 1
Check whether the daemon is synchronizing correctly
Use ntpq to see the list of configured peers:
$ ntpq -np
The delay, offset and jitter columns should be non-zero. The servers ntpd is synchronizing with are prefixed by an asterisk. It can take several minutes before ntpd selects a server to synchronize with; try checking after 17 minutes (1024 seconds).
Using without daemon
To synchronize your system clock just once without starting ntpd, run:
# ntpd -q
-q flag causes ntpd to set the time once and quit, i.e. the daemon will not be started. If the operation is unsuccessful, your system clock will not be synchronized.
After updating the system clock, store the time to the hardware clock so that it is preserved when rebooting:
# hwclock -w
Synchronize once per boot
Write a oneshot systemd unit:
[Unit] Description=Network Time Service (once) After=network.target nss-lookup.target [Service] Type=oneshot ExecStart=/usr/bin/ntpd -g -u ntp:ntp ; /usr/bin/hwclock -w [Install] WantedBy=multi-user.target
and enable it.
ntpd -qoption should not be used in this case.
At network connection
To synchronize your system clock along with a network connection through the use with Netctl. You can append the following line to your netctl profile.
ExecUpPost='/usr/bin/ntpd -gq || true'
Executing ntpd once after successful connection of Wicd can be achieved by creating a script in the appropriate
#!/bin/bash /usr/bin/ntpd -gq
- Time (for more information on computer timekeeping)