Difference between revisions of "Network Time Protocol daemon"

From ArchWiki
Jump to: navigation, search
m (Using without daemon: tidy it a bit)
m (Using without daemon: works with default or non-default config)
Line 88: Line 88:
  
 
==Using without daemon==
 
==Using without daemon==
To synchronize your system clock just once, without starting the NTP daemon or changing the default configuration, run:
+
To synchronize your system clock just once, without starting the NTP daemon, run:
 
  # ntpd -qg
 
  # ntpd -qg
 
You must also start the [[Time#hwclock daemon|hwclock]] daemon:
 
You must also start the [[Time#hwclock daemon|hwclock]] daemon:

Revision as of 10:38, 13 January 2012

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

This article describes how to set up and run NTPd (Network Time Protocol daemon), the most common method to synchronize the software clock of a GNU/Linux system with internet time servers using the Network Time Protocol; if set up correctly, NTPd can make your computer act as a time server itself.

Installation

Install ntp, available in the Official Repositories.

Configuration

Tip: If you just want to perform a one-time sync, see Using without daemon.

Configuring connection to NTP servers

The first thing you define in your /etc/ntp.conf is the servers your machine will synchronize to. Some defaults are present already.

NTP servers are classified in a hierarchical system with many levels called strata: the devices which are considered independent time sources are classified as stratum 0 sources; the servers directly connected to stratum 0 devices are classified as stratum 1 sources; servers connected to stratum 1 sources are then classified as stratum 2 sources and so on.

It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the pool.ntp.org servers (alternate link) and choose the server pool that is closest to your location.

The following lines are just an example:

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

The iburst option is recommended, and sends a burst of packets if it cannot obtain a connection with the first attempt. The burst option always sends a burst of packets, even on the first attempt. The burst option should never be used without explicit permission and may result in blacklisting.

Configuring your own NTP server

If setting up an NTP server, you need to add local clock as a server, so that, in case it loses internet access, it will continue serving time to the network; add local clock as a stratum 10 server (using the fudge command) so that it will never be used unless internet access is lost:

server 127.127.1.0
fudge  127.127.1.0 stratum 10

Next, define the rules that will allow clients to connect to your service (localhost is considered a client too) using the restrict command; you should already have a line like this in your file:

restrict default nomodify nopeer noquery

This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: nomodify prevents reconfiguring your ntpd (with ntpq or ntpdc), and noquery prevents dumping status data from your ntpd (also with ntpq or ntpdc).

You can also add other options:

restrict default kod nomodify notrap nopeer noquery
Note: This still allows other people to query your time server. You need to add noserve to stop serving time.

Full docs for the "restrict" option are in man ntp_acc. See https://support.ntp.org/bin/view/Support/AccessRestrictions for detailed instructions.

Following this line, you need to tell ntpd what to allow through into your server; the following line is enough if you are not configuring an NTP server:

restrict 127.0.0.1

If you want to force DNS resolution to the IPv6 namespace, write -6 before the IP address or host name (-4 forces IPv4 instead), for example:

restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1

Lastly, specify the drift file (which keeps track of your clock's time deviation) and optionally the log file location:

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

A very basic configuration file will look like this (all comments have been stripped out for clarity):

/etc/ntp.conf
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1  

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
Note: Defining the log file is not mandatory, but it is always a good idea to have feedback for ntpd operations.

Other resources about NTP configuration

In conclusion, never forget man pages: man ntp.conf is likely to answer any doubts you could still have (see also the related man pages: man {ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}).

Template:Gentoo

Using without daemon

To synchronize your system clock just once, without starting the NTP daemon, run:

# ntpd -qg

You must also start the hwclock daemon:

# rc.d start hwclock

hwclock will just save the system clock to the hardware clock when you power off. Add hwclock to your DAEMONS array to avoid the second step in the future.

The -g option allows shifting the clock further than the panic threshold (15 min by default) without a warning. This behavior mimics that of the ntpdate program, which is now deprecated. Note that such offset is abnormal and might indicate either wrong timezone setting, clock chip failure, or simply a very long period of neglect. If in these cases you would rather not set the clock and print an error to syslog, remove -g:

# ntpd -q

For example, you could add a ntpd -qg & line to your /etc/rc.local to run at every boot. See Autostarting for alternative methods.

Warning:
  • Using this method is highly discouraged on servers and in general on machines that need to run continuously for more than 2 or 3 days, as the system clock will be updated only once at boot time.
  • Running ntpd -qg as a cron event is to be completely avoided, unless you are perfectly aware of how your running applications would react to instantaneous system time changes.
  • If something other already takes care of updating the hardware clock, for example another operating system in dual boot, you should avoid starting hwclock.
Note: In order for this method to work you have to make sure that, when rc.local is executed, the network connection has already been initialized (for example you should not background essential network-related daemons in /etc/rc.conf)

Running as a daemon

Starting ntpd

ntpd sets 11 minute mode, which syncs the system clock to hardware every 11 minutes. The hwclock daemon measures hardware clock drift and syncs it, which conflicts with ntpd.

Stop the hwclock daemon (if it is running):

# rc.d stop hwclock

Start the ntpd daemon:

# rc.d start ntpd

Add ntpd to your DAEMONS array so it starts automatically on boot and make sure hwclock is disabled:

/etc/rc.conf
DAEMONS=(... !hwclock ntpd ...)

NetworkManager

Note: ntpd should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.

ntpd can be brought up/down along with a network connection through the use of NetworkManager's dispatcher scripts. You can install the needed script from [community]:

# pacman -S networkmanager-dispatcher-ntpd

Running as non-root user

When compiled with --enable-linux-caps, ntp can be run as a non-root user for increased security (the vanilla Arch Linux package has this enabled).

Note: Before attempting this, make sure ntp has already created /var/lib/ntp/ntp.drift.

Create ntp group and ntp user:

# groupadd ntp
# useradd -r -d /var/lib/ntp -g ntp -s /bin/false ntp

Change ownership of the ntp directory to the ntp user/group:

# chown -R ntp:ntp /var/lib/ntp

Edit /etc/conf.d/ntpd.conf and change

NTPD_ARGS="-g"

to

NTPD_ARGS="-g -u ntp:ntp"

Finally, restart the daemon:

# rc.d restart ntpd

Running in a chroot

Note: Before attempting this, complete the previous section on running as non-root, since chroots are relatively useless at securing processes running as root.

Edit /etc/conf.d/ntpd.conf and change

NTPD_ARGS="-g -u ntp:ntp"

to

NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp"

Then, edit /etc/ntp.conf to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:

driftfile       /var/lib/ntp/ntp.drift

to

driftfile       /ntp.drift

Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):

# mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services

and by bind-mounting the aformentioned files:

/etc/fstab
...
#ntpd chroot mounts
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf none bind 0 0
/etc/services	  /var/lib/ntp/etc/services none bind 0 0
/lib		          /var/lib/ntp/lib none bind 0 0
/proc		  /var/lib/ntp/proc none bind 0 0
# mount -a

Finally, restart the daemon again:

# rc.d restart ntpd

It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.

Alternatives

Available alternative to NTPd are Chrony, a dial-up friendly and specifically designed for systems that are not online all the time, and OpenNTPD, part of the OpenBSD project and currently not maintained for Linux.

See also

  • Time (for more information on computer timekeeping)

External links