Network Time Protocol daemon
This article describes how to set up and run NTPd (Network Time Protocol daemon), the most common method to synchronize the software clock of a GNU/Linux system with internet time servers using the Network Time Protocol; if set up correctly, NTPd can make your computer act as a time server itself.
Template:Package Official is available from the extra repository:
- pacman -S ntp
The first thing you define in your Template:Filename is the servers your machine will synchronize to. NTP servers are classified in a hierarchical system with many levels called strata: the devices which are considered independent time sources are classified as stratum 0 sources; the servers directly connected to stratum 0 devices are classified as stratum 1 sources; servers connected to stratum 1 sources are then classified as stratum 2 sources and so on.
It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you don't already know the servers you're going to connect to, you should use the pool.ntp.org servers (alternate link) and choose the server pool that is closest to your location.
The following lines are just an example:
server 0.it.pool.ntp.org iburst server 1.it.pool.ntp.org iburst server 2.it.pool.ntp.org iburst server 3.it.pool.ntp.org iburst
The iburst option is recommended, and sends a burst of packets if it cannot obtain a connection with the first attempt. The burst option always sends a burst of packets, even on the first attempt. The burst option should never be used without explicit permission and may result in blacklisting.
If setting up an NTP server, you need to add local clock as a server, so that, in case it loses internet access, it will continue serving time to the network; add local clock as a stratum 10 server (using the fudge command) so that it will never be used unless internet access is lost:
server 127.127.1.0 fudge 127.127.1.0 stratum 10
Next, define the rules that will allow clients to connect to your service (localhost is considered a client too) using the restrict command; you should already have a line like this in your file:
restrict default nomodify nopeer
This restricts everyone from modifying anything and prevents everyone from querying your time server.
You can also add other options:
restrict default kod nomodify notrap nopeer noquery
In the past, notrust option was used too, but its function has changed to mean that authentication with a key is required.
Following this line, you need to tell ntpd what to allow through into your server; the following line is enough if you're not configuring an NTP server:
Otherwise you can add more clients like in this example:
restrict 184.108.40.206 nomodify restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
This tells ntpd that 220.127.116.11 and all IP addresses from the 192.168.0.0 range will be allowed to synchronize on this server, but they will not be allowed to modify anything. All other IP addresses in the world will still obey the default restrictions (the first restrict line in the Template:Filename).
If you want to force DNS resolution to the IPv6 namespace, write -6 before the IP address or host name (-4 forces IPv4 instead), for example:
restrict -6 default nomodify nopeer restrict -6 ::1 # ::1 is the IPv6 equivalent for 127.0.0.1
Lastly, specify the drift file (which keeps track of your clock's time deviation) and optionally the log file location:
driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp.log
A very basic configuration file will look like this (all comments have been stripped out for clarity):
Actually, defining the log file is not mandatory, but it is always a good idea to have feedback for ntpd operations.
Running as a daemon
ntpd sets 11 minute mode, which syncs the system clock to hardware every 11 minutes. The hwclock daemon measures hardware clock drift and syncs it, which conflicts with ntpd.
Stop the hwclock daemon (if it's running):
Start the ntpd daemon: Template:Cli
Add ntpd to your DAEMONS array so it starts automatically on boot and make sure hwclock is disabled: Template:File
ntpd can be brought up/down along with a network connection through the use of NetworkManager's dispatcher scripts. You can install the needed script from [community]:
Running as non-root user
When compiled with --enable-linux-caps, ntp can be run as a non-root user for increased security (the vanilla Arch Linux package has this enabled).
Create ntp group and ntp user:
Change ownership of the ntp directory to the ntp user/group:
Edit Template:Filename and change
NTPD_ARGS="-g -u ntp:ntp"
Finally, restart the daemon:
Syncing the clock without running the daemon
If what you want is just synchronize your system clock at boot time without running ntpd as a daemon, you can add this line to your Template:Filename:
ntpd -qg &
This behavior mimics that of the ntpdate program, which is now deprecated.
- Using this method is highly discouraged on servers and in general on machines that need to run continuously for more than 2 or 3 days, as the system clock will be updated only once at boot time.
- Running "Template:Codeline" as a cron event is to be completely avoided, unless you are perfectly aware of how your running applications would react to instantaneous system time changes.
Check that the DAEMONS array in Template:Filename includes hwclock, to ensure the hardware clock is periodically updated:
An available alternative to NTPd is OpenNTPD, part of the OpenBSD project and currently not maintained for Linux.
- Time (for more information on computer timekeeping)