Difference between revisions of "Network Time Protocol daemon (简体中文)"

From ArchWiki

m (updated)

Previous revision (the out-of-date Chinese translation; the updated revision is rendered below):

{{out of date}}
[[Category:Networking (简体中文)]]
[[Category:Daemons and system services (简体中文)]]
{{i18n|Network Time Protocol daemon}}

This article describes how to synchronize the system clock with standard time on Arch Linux. The first method is openntpd, the simpler one; the second, and most complete, is ntpd.

= OpenNTPD =

'''Using OpenNTPD instead of ntpd'''

OpenNTPD is a FREE, easy to use implementation of the Network Time Protocol. It synchronizes the local clock with NTP servers and can also turn the local machine into an NTP server that serves time to other users.

OpenNTPD is primarily developed by Henning Brauer as part of the OpenBSD Project.

OpenNTPD is a brand new implementation of the ntp protocol. Compared with NTPD, OpenNTPD is easier to configure and use.

First, install the OpenNTPD package, which is already provided in the Arch Linux community repository:

<pre>
pacman -S openntpd
</pre>

After installation, you '''must''' edit the configuration file /etc/ntpd.conf.

The default configuration already synchronizes the local clock with network time:

<pre>
# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
#listen on *
#listen on 127.0.0.1
#listen on ::1

# sync to a single server
#server ntp.example.org

# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org
</pre>

To synchronize with a specific server, uncomment the line and replace "ntp.example.org" with the server's address:

<pre>
server ntp.example.org
</pre>

The "servers" directive works the same as the "server" directive; however, if the DNS name resolves to multiple IP addresses, ALL of them will be synced to. In practice, the default "pool.ntp.org" already covers most needs. Time servers for a specific region can be looked up at www.pool.ntp.org/zone/asia.

<pre>
pool.ntp.org
</pre>

Any number of "server" or "servers" directives may be used.

If you want the computer you run OpenNTPD on to also be a time server, simply uncomment and edit the "listen" directive.

For example:

<pre>
listen on *
</pre>

will listen on all interfaces.

and

<pre>
listen on 127.0.0.1
</pre>

will only listen on the loopback interface.

If you would like to run OpenNTPD at boot, add openntpd to the DAEMONS variable in your /etc/rc.conf.

To check synchronization progress, look at /var/log/daemon.log.

To synchronize the time immediately:

<pre>
net time set /bin/date
</pre>

= ntp =

  pacman -S ntp

'''/etc/ntp.conf Configuration'''

The very first line of your ntp.conf file should contain a line such as the following:

  restrict default noquery notrust nomodify

This essentially restricts everyone from modifying anything. Following this, you need to let ntpd know what you want to let through into your NTP server. Here is where you would specify any other IP addresses you would like to allow to synchronize with your NTP server. For example:

  restrict 1.2.3.4
  restrict 192.168.0.0 mask 255.255.255.0 nomodify

This tells ntpd that 1.2.3.4 and all IP addresses from the 192.168.0.0 range will be allowed to synchronize with this server, but they will not be allowed to modify anything. All other IP addresses in the world will still obey the default restrictions (the first line in the ntp.conf).

Now is where the stratum 2 servers that our server will synchronize with come into play. The following lines in ntp.conf tell ntpd which servers we would like to use for synchronizing (these are just examples; use NTP servers that are closest to your location). Please see http://ntp.isc.org/bin/view/Servers/NTPPoolServers for a list of closer servers.

<pre>
server ntp1.cs.wisc.edu
server ntp3.cs.wisc.edu
server ntp3.sf-bay.org
</pre>

Unless you have a good reason not to, it is advisable to use the pool.ntp.org servers: http://www.pool.ntp.org/.
Alternatively, a list of NTP servers is available at http://www.eecis.udel.edu/~mills/ntp/clock2a.html. Please pay attention to the Access Policies.

If we left it at that, we would never synchronize with any server: the responses from the three servers listed above would be blocked by the default restrict statement, because we have not yet given those servers the looser restrictions we gave 127.0.0.1 and the 192.168.0.0 subnet.

To correct this, enter the following lines in ntp.conf:

<pre>
restrict ntp1.cs.wisc.edu noquery nomodify
restrict ntp3.cs.wisc.edu noquery nomodify
restrict ntp3.sf-bay.org noquery nomodify
</pre>

This will allow the responses from the above servers into our system so our local clock can be synchronized. The noquery restriction will not allow any of the above three servers to query for information from our server. The nomodify restriction will not allow the three servers to modify anything (synchronization will still take place).

The only thing left to do is add the drift file (which keeps track of your clock's time deviation) and the log file location:

<pre>
driftfile /etc/ntp.drift
logfile /var/log/ntp.log
</pre>

The complete file will look like this:

<pre>
# default restrictions
restrict default noquery notrust nomodify

# override the default restrictions here
restrict 10.1.1.0 mask 255.255.255.0 nomodify

# public NTP servers to sync with (all stratum 2)
server ntp1.cs.wisc.edu
server ntp3.cs.wisc.edu
server ntp3.sf-bay.org

restrict ntp1.cs.wisc.edu noquery nomodify
restrict ntp3.cs.wisc.edu noquery nomodify
restrict ntp3.sf-bay.org noquery nomodify

# NTP drift file - used to keep track of your system clock's
# time deviation
driftfile /etc/ntp.drift

# NTP log file
logfile /var/log/ntp.log
</pre>

Take note that this is for a combined client and server ntp.conf configuration. If you just want to synchronize with a stratum server and are not concerned with other PCs synchronizing with your NTP server, then you can do something like the following (note that only 127.0.0.1 is allowed to synchronize):

<pre>
# default restrictions
restrict default noquery notrust nomodify

# Permit all access over the loopback interface
restrict 127.0.0.1

# public NTP servers to sync with (all stratum 2)
server ntp1.cs.wisc.edu
server ntp3.cs.wisc.edu
server ntp3.sf-bay.org

restrict ntp1.cs.wisc.edu noquery nomodify
restrict ntp3.cs.wisc.edu noquery nomodify
restrict ntp3.sf-bay.org noquery nomodify

# NTP drift file - used to keep track of your system clock's
# time deviation
driftfile /etc/ntp.drift

# NTP log file
logfile /var/log/ntp.log
</pre>

... or if you don't care about restrictions at all, something like this (note there are no restrictions, thus no need to relax restrictions for 127.0.0.1 to allow your local clock to synchronize):

<pre>
# public NTP servers to sync with (all stratum 2)
server ntp1.cs.wisc.edu
server ntp3.cs.wisc.edu
server ntp3.sf-bay.org

# NTP drift file - used to keep track of your system clock's
# time deviation
driftfile /etc/ntp.drift

# NTP log file
logfile /var/log/ntp.log
</pre>

'''A Note about Security'''

You may wonder about all of the restrict lines. The reason for them is security. If you don't want a secure NTP server, don't add any restrict lines to your ntp.conf file. If you want a secure NTP server, start out by adding a default restrict that doesn't allow anything to contact your server, then add more (less restrictive) restrict lines, allowing certain addresses various access privileges.

'''/etc/rc.d/network file modification'''

One more thing that you may want to do: in most cases /etc/ntp.conf gets overwritten by dhcp. To prevent this, edit /etc/conf.d/dhcpcd and add -N to the line that starts with 'dhcpcd -t 10'.

FYI: This was my experience/solution with setting the time.

On my system my /etc/conf.d/dhcpcd contains a single line:
    DHCPCD_ARGS="-t 30 -h $HOSTNAME"

I assume it needs to be changed to:
    DHCPCD_ARGS="-N -t 30 -h $HOSTNAME"

Some have suggested adding -R to preserve /etc/resolv.conf as well.

'''To fix Time use /etc/rc.local'''

To set the correct time, set the time and start ntpd at boot via /etc/rc.local.

Relevant sections of /etc/rc.conf:

    HARDWARECLOCK="UTC"
    TIMEZONE="US/Mountain"

    Network/ DHCP section:

    lo="lo 127.0.0.1"
    eth0="dhcp"
    INTERFACES=(lo eth0)

    Daemons subsection:

    DAEMONS=(syslog-ng hotplug !pcmcia network netfs !ntpd crond dbus hal alsa gdm)

This is my /etc/rc.local:

    #!/bin/bash
    #
    # /etc/rc.local: Local multi-user startup script.
    #

    # Re-copy ntp.conf (was overwritten by dhcp)
    cp /root/CONFIG.BAK/ntp.conf.bac /etc/ntp.conf
    # I advise you keep your desired /etc/ntp.conf
    # OUTSIDE of /etc

    # Set time
    /usr/bin/ntpdate ntp.nasa.gov #Use any time server you like here

    # Start ntpd
    /etc/rc.d/ntpd start

And here is my /root/CONFIG.BAK/ntp.conf.bac (this is just a copy of the desired /etc/ntp.conf):

    # default restrictions
    restrict default noquery notrust nomodify

    # override the default restrictions here
    restrict 127.0.0.1 nomodify
    restrict 192.168.2.0 mask 255.255.255.0 nomodify

    # public NTP servers to sync with (all stratum 2)
    server ntp.nasa.gov #Use any time server you like here

    restrict ntp.nasa.gov noquery nomodify

    # NTP drift file - used to keep track of your system clock's time deviation
    driftfile /etc/ntp.drift

    # NTP log file
    logfile /var/log/ntp.log

Leave /etc/conf.d/dhcpcd at default. Mine is a single line and reads:

    DHCPCD_ARGS="-t 30 -h $HOSTNAME"

With this configuration I get the correct time and ntpd running at boot.
There may be a better way, but this worked for me.
I hope it helps.

'''Updating your system immediately using ntpdate'''

It is recommended to add the following line to /etc/rc.local so that the clock is synchronized with NTP at system start-up (use an NTP server that is fast for you).

<pre>
/usr/bin/ntpdate ntp1.cs.wisc.edu
</pre>

Running ''ntpdate'' when you boot up is a good idea because ntpd may take a long time to synchronize your local clock depending on how far off the time is. If your clock is already synchronized when ntpd starts, then its sole purpose is to keep it synchronized. To run ntpd at startup, add ''ntpd'' to the daemons section of the /etc/rc.conf file.

ntpd will work well if you have a connection to the internet all the time. If you are using dialup, you may just want to stick with using ntpdate via the command line.

'''Querying your NTP server using ntpq'''

There is a default restrict statement for the localhost that includes an ignore flag. Without overriding it (adding the line ''restrict 127.0.0.1'') you will not be able to query your NTP server. If that's not a concern to you, then leave out the restrict line for your localhost. You will still be able to synchronize with your stratum 2 servers.

= External Resources =

* http://www.ntp.org/
* http://twiki.ntp.org/bin/view/Main/WebHome
* http://www.eecis.udel.edu/~mills/ntp/html/index.html
* http://www.openntpd.org
Revision as of 05:37, 18 January 2012


This article describes how to set up and run NTPd (Network Time Protocol daemon), the most common method to synchronize the software clock of a GNU/Linux system with internet time servers using the Network Time Protocol; if set up correctly, NTPd can make your computer act as a time server itself.

Installation

Install ntp, available in the Official Repositories.

Configuration

Tip: The ntp package is installed with a default /etc/ntp.conf that should make NTPd work without requiring custom configuration.

Configuring connection to NTP servers

The first thing you define in your /etc/ntp.conf is the servers your machine will synchronize to.

NTP servers are classified in a hierarchical system with many levels called strata: the devices which are considered independent time sources are classified as stratum 0 sources; the servers directly connected to stratum 0 devices are classified as stratum 1 sources; servers connected to stratum 1 sources are then classified as stratum 2 sources and so on.

It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the pool.ntp.org servers (alternate link) and choose the server pool that is closest to your location.

The following lines are just an example:

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

The iburst option is recommended, and sends a burst of packets if it cannot obtain a connection with the first attempt. The burst option always sends a burst of packets, even on the first attempt. The burst option should never be used without explicit permission and may result in blacklisting.

Configuring your own NTP server

If setting up an NTP server, you need to add local clock as a server, so that, in case it loses internet access, it will continue serving time to the network; add local clock as a stratum 10 server (using the fudge command) so that it will never be used unless internet access is lost:

server 127.127.1.0
fudge  127.127.1.0 stratum 10

Next, define the rules that will allow clients to connect to your service (localhost is considered a client too) using the restrict command; you should already have a line like this in your file:

restrict default nomodify nopeer noquery

This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: nomodify prevents reconfiguring your ntpd (with ntpq or ntpdc), and noquery prevents dumping status data from your ntpd (also with ntpq or ntpdc).

You can also add other options:

restrict default kod nomodify notrap nopeer noquery

Note: This still allows other people to query your time server. You need to add noserve to stop serving time.

Full docs for the "restrict" option are in man ntp_acc. See https://support.ntp.org/bin/view/Support/AccessRestrictions for detailed instructions.

Following this line, you need to tell ntpd what to allow through into your server; the following line is enough if you are not configuring an NTP server:

restrict 127.0.0.1

If you want to force DNS resolution to the IPv6 namespace, write -6 before the IP address or host name (-4 forces IPv4 instead), for example:

restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1

Lastly, specify the drift file (which keeps track of your clock's time deviation) and optionally the log file location:

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

A very basic configuration file will look like this (all comments have been stripped out for clarity):

/etc/ntp.conf
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1  

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

Note: Defining the log file is not mandatory, but it is always a good idea to have feedback for ntpd operations.

Other resources on configuring NTP

In conclusion, never forget man pages: man ntp.conf is likely to answer any doubts you could still have (see also the related man pages: man {ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}).


Using without daemon

To synchronize your system clock just once, without starting the NTP daemon, run:

# ntpd -qg
# hwclock -s

ntpd -qg has the same effect as the ntpdate program, which is now deprecated. hwclock -s stores the time to the hardware clock so that it is preserved when rebooting.

ntpd's -g option allows shifting the clock further than the panic threshold (15 min by default) without a warning. Note that such offset is abnormal and might indicate either wrong timezone setting, clock chip failure, or simply a very long period of neglect. If in these cases you would rather not set the clock and print an error to syslog, remove -g:

# ntpd -q

Synchronize once at boot time

If you want to synchronize your system clock once every time the system boots, you can add a ntpd -qg & line to your /etc/rc.local. See Autostarting for alternative methods.

You must also start the hwclock daemon and add it to your DAEMONS array to initialize it at every boot. See Time#hwclock daemon for more information.

In order for this method to work you have to make sure that, when rc.local is executed, the network connection has already been initialized (for example, you should not background essential network-related daemons in /etc/rc.conf).

Warning:
  • Using this method is discouraged on servers and in general on machines that need to run continuously for more than 2 or 3 days, as the system clock will be updated only once at boot time.
  • Running ntpd -qg as a cron event is to be avoided, unless you are aware of how your running applications would react to instantaneous system time changes.
  • If something else already takes care of updating the hardware clock, for example another operating system in dual boot, you should avoid starting hwclock.

Running as a daemon

Starting ntpd

ntpd sets 11 minute mode, which syncs the system clock to hardware every 11 minutes. The hwclock daemon measures hardware clock drift and syncs it, which conflicts with ntpd.

Stop the hwclock daemon (if it is running):

# rc.d stop hwclock

Start the ntpd daemon:

# rc.d start ntpd

Add ntpd to your DAEMONS array so it starts automatically on boot and make sure hwclock is disabled:

/etc/rc.conf
DAEMONS=(... !hwclock ntpd ...)

NetworkManager

Note: ntpd should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.

ntpd can be brought up/down along with a network connection through the use of NetworkManager's dispatcher scripts. You can install the needed script from [community]:

# pacman -S networkmanager-dispatcher-ntpd

Running as non-root user

When compiled with --enable-linux-caps, ntp can be run as a non-root user for increased security (the vanilla Arch Linux package has this enabled).

Note: Before attempting this, make sure ntp has already created /var/lib/ntp/ntp.drift.

Create ntp group and ntp user:

# groupadd ntp
# useradd -r -d /var/lib/ntp -g ntp -s /bin/false ntp

Change ownership of the ntp directory to the ntp user/group:

# chown -R ntp:ntp /var/lib/ntp

Edit /etc/conf.d/ntpd.conf and change

NTPD_ARGS="-g"

to

NTPD_ARGS="-g -u ntp:ntp"

Finally, restart the daemon:

# rc.d restart ntpd

Running in a chroot

Note: Before attempting this, complete the previous section on running as non-root, since chroots are relatively useless at securing processes running as root.

Edit /etc/conf.d/ntpd.conf and change

NTPD_ARGS="-g -u ntp:ntp"

to

NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp"

Then, edit /etc/ntp.conf to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:

driftfile       /var/lib/ntp/ntp.drift

to

driftfile       /ntp.drift

Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):

# mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services

and by bind-mounting the aforementioned files:

/etc/fstab
...
#ntpd chroot mounts
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf  none  bind  0 0
/etc/services     /var/lib/ntp/etc/services     none  bind  0 0
/lib              /var/lib/ntp/lib              none  bind  0 0
/proc             /var/lib/ntp/proc             none  bind  0 0

# mount -a

Finally, restart the daemon again:

# rc.d restart ntpd

It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.
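As an added example (not from the article), this script automates the check just described: it verifies that the drift file exists, holds a numeric frequency value, was modified within the last day, and that the log contains no drift-file errors. The temporary files and log lines are constructed, and the error pattern is a heuristic assumption since the exact wording varies between ntpd versions.

```python
"""Check whether ntpd is really using its drift file (added example, not from the article)."""
import os
import re
import tempfile
import time

DAY = 24 * 3600
# Heuristic (assumption): ntpd reports drift-file trouble with a message naming the
# "frequency file" or the .drift path together with an OS error; wording varies by version.
ERROR_RE = re.compile(
    r"(frequency file|\.drift).*(permission denied|no such file|read-only|cannot|can't|error)",
    re.IGNORECASE,
)


def driftfile_status(path, log_lines, now=None):
    """Return (ok, reasons): ok is True only when the file exists, contains a numeric
    ppm value, was updated within the last day, and the log shows no drift-file errors."""
    now = time.time() if now is None else now
    reasons = []
    if not os.path.isfile(path):
        reasons.append("drift file does not exist yet (ntpd creates it once synchronized)")
    else:
        age_h = (now - os.stat(path).st_mtime) / 3600
        if age_h > 24:
            reasons.append(f"drift file not updated for {age_h:.0f} h")
        try:
            with open(path) as fh:
                float(fh.read().split()[0])   # ntpd stores the frequency offset in ppm
        except (ValueError, IndexError):
            reasons.append("drift file does not contain a numeric frequency value")
    for line in log_lines:
        if ERROR_RE.search(line):
            reasons.append("log error: " + line.strip())
    return (not reasons, reasons)


def demo():
    """Exercise the check on a constructed fresh file and a constructed stale file."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh = os.path.join(tmp, "ntp.drift")
        with open(fresh, "w") as fh:
            fh.write("3.412\n")
        stale = os.path.join(tmp, "old.drift")
        with open(stale, "w") as fh:
            fh.write("3.412\n")
        two_days_ago = time.time() - 2 * DAY
        os.utime(stale, (two_days_ago, two_days_ago))   # simulate a file ntpd stopped touching
        # Constructed log lines in the style ntpd writes to /var/log/ntp.log
        clean_log = ["12 Jan 00:01:02 ntpd[123]: synchronized to 203.0.113.5, stratum 2"]
        bad_log = ["12 Jan 00:01:02 ntpd[123]: frequency file /var/lib/ntp/ntp.drift: Permission denied"]
        return driftfile_status(fresh, clean_log), driftfile_status(stale, bad_log)


if __name__ == "__main__":
    for ok, reasons in demo():
        print("OK" if ok else "PROBLEM", reasons)
```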

Alternatives

Available alternatives to NTPd are Chrony, which is dial-up friendly and specifically designed for systems that are not online all the time, and OpenNTPD, part of the OpenBSD project and currently not maintained for Linux.

See also

  • Time (for more information on computer timekeeping)

External links