NTP
Debian packages
- Debian package required to run an NTP daemon that synchronizes local time and also provides a time sync service to clients: ntp
- Debian package required to simply synchronize local time: ntpdate
- Documentation package: ntp-doc
References
- NTP documentation @ pelargir.herzbube.ch (available only if the ntp-doc package is installed): main page with overview information; the Sitemap is more useful to quickly find stuff
- A list of public time servers: http://www.eecis.udel.edu/~mills/ntp/servers.html
Glossary
- Stratum 1 = Primary Server
- Stratum 2 = Secondary Server
- [...]
ntpd or ntpdate?
Quoting from http://www.tldp.org/LDP/sag/html/basic-ntp-config.html:
Many people get the idea that instead of running the NTP daemon, they should just set up a cron job to periodically run the ntpdate command. There are 2 main disadvantages of using this method.
The first is that ntpdate does a "brute force" method of changing the time. So if your computer's time is off by 5 minutes, it immediately corrects it. In some environments, this can cause problems if time drastically changes. For example, if you are using time sensitive security software, you can inadvertently kill someone's access. The NTP daemon slowly changes the time to avoid causing this kind of disruption.
The other reason is that the NTP daemon can be configured to try to learn your system's time drift and then automatically adjust for it.
So the answer clearly is: ntpd.
System time vs. hardware clock
Edit /etc/init.d/hwclock.sh:
- Comment (= disable) the line where hwclock is run with the parameter --adjust, in order to prevent conflicts between hwclock and NTP
- Uncomment (= enable) the line where hwclock is run with the parameter --systohc, in order to write the system time to the hardware clock on reboot
Note: I have not enabled this option.
NTP daemon
Local time sync
To activate an NTP server
- Add the following lines to /etc/ntp.conf if they don't exist:
driftfile /var/lib/ntp/ntp.drift
server ntp.foobar.org
- Restart the NTP server
- Wait some time until the system time has been updated. The NTP server performs time synchronization in many little steps instead of in one fell swoop, so it may take a while until full synchronization has occurred.
- It is important that the system time is not out of sync by more than 1000 seconds (ntpd's "panic threshold"); otherwise ntpd refuses to correct the system time and exits, logging a message of the form "time correction of N seconds exceeds sanity limit (1000); set clock manually to the correct UTC time". The -g option (which Debian passes by default through NTPD_OPTS in /etc/default/ntp) exempts only the first correction after startup from this check. The limit is deliberate: a spoofed or compromised upstream server cannot step a running ntpd's clock by hours, which is one more reason to prefer ntpd over an unconditional ntpdate step.
These days, the default configuration in /etc/ntp.conf seems to work out of the box. The servers configured there are
0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org
Provide time to clients
The configuration file /etc/ntp.conf mentions that, in order to provide time to clients by broadcast, a "broadcast" line needs to be enabled. For instance:
broadcast 192.168.1.255
broadcast 192.168.2.255
Broadcast is only needed for clients that run in broadcast-client mode. Ordinary unicast clients are served as soon as the "restrict" rules in ntp.conf permit it, which is why the Mac OS X clients mentioned below work without any broadcast line. An unauthenticated broadcast is also trivially spoofable by any host on the LAN; ntpd's own broadcastclient mode therefore expects authenticated (keyed) broadcasts unless authentication is explicitly disabled.
However, I did not enable these commands because so far my Mac OS X clients were perfectly able to synchronize, once I told them where they were supposed to connect to (System Preferences > Date & Time).
Note: I added a "time-servers" option to my DHCP configuration (e.g. "time-servers 192.168.1.11" on the 192.168.1.0 subnet), but at the time of writing Mac OS X did not honor this option (Mac OS X 10.6). I have not yet tested how Windows behaves.
pool.ntp.org
A long time ago, on my old server osgiliath, I tried to use the server pool.ntp.org, which is supposed to assign a different NTP server to my client every time my client is restarted. Unfortunately, pool.ntp.org never seemed to work, even after several attempts to use it. The system time never got corrected; the drift grew to 40 minutes and more until I had to manually re-adjust the system time. Nowadays pool.ntp.org may work better, but I haven't tried anymore.
Prevent the NTP daemon from opening a network port
TL;DR: You can't. The NTP daemon must open a network port, or it won't synchronize time. NTP runs over UDP; ntpd sends its requests from port 123 and receives the replies on the same bound socket, so there is always a listening socket. What you can control is who ntpd answers (the "restrict" directives; Debian's stock ntp.conf already carries "restrict default kod notrap nomodify nopeer noquery" for IPv4 and IPv6, which among other things refuses the ntpq/ntpdc queries behind the "monlist" amplification problem) and, with a host firewall, which inbound UDP/123 packets reach it at all.
And now the long version. If you care about network security, then one principle should be obvious and clear: every open TCP and UDP port is a potential risk, so if you don't need it, shut it down! Now for the NTP daemon: as long as ntpd is only "fetching" the time and is not itself acting as a time server to other clients, there should be no need for ntpd to open any network ports. Right?
Apparently not. According to one of the answers to this ServerFault question:
[ntpd] must bind to a routable ip address to work.
This seems pretty stupid, but I was indeed able to confirm the problem. After adding "interface ignore" statements to ntp.conf and restarting the service, ntpd seemed to be stuck in an eternal initialization loop:
root@pelargir:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ds1789963.dedic .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 ntp1.as34288.ne .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 ch-ntp01.10g.ch .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 lx.ujf.cas.cz   .INIT.          16 -    - 1024    0    0.000    0.000   0.000
So in the end I had to give up and remove all "interface ignore" statements from ntp.conf. Now the output of ntpq looks like this:
root@pelargir:/var/log# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.sunrise.ne 10.19.10.20      2 u    2   64    1    4.364    1.524   0.105
 one.ntp1.pw     128.105.39.11    3 u    1   64    1   96.679   -6.272   0.013
 ms21.snowflakeh 162.23.41.55     2 u    1   64    1    0.888   -3.032   0.054
 ntp0.as34288.ne 85.158.25.74     2 u    2   64    1    1.098   -2.860   0.032
For posterity's sake, here is what I tried. The main thing to know is that you can add one or more "interface ignore" statements to ntp.conf to tell the NTP daemon not to listen on a given network interface.
- Without any such statements, ntpd listens on the following UDP ports (result obtained from netstat -lnptu):
udp        0      0 82.195.228.21:123       0.0.0.0:*                           58099/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           58099/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           58099/ntpd
udp6       0      0 ::1:123                 :::*                                58099/ntpd
udp6       0      0 fe80::42a8:f0ff:fe7:123 :::*                                58099/ntpd
udp6       0      0 :::123                  :::*                                58099/ntpd
- interface ignore all
  - With only this, ntpd still opens the ports 127.0.0.1:123, 0.0.0.0:123, ::1:123 and :::123
- interface ignore wildcard
  - With only this, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
  - It is very strange that this prevents listening on 82.195.228.21:123 and the IPv6 port.
- interface ignore 127.0.0.1
  - With only this, ntpd still opens the ports 127.0.0.1:123, 0.0.0.0:123, ::1:123 and :::123
  - It is very strange that this prevents listening on 82.195.228.21:123 and the IPv6 port.
- interface ignore wildcard, followed by interface ignore all
  - The "ignore all" line has no effect, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
- interface ignore wildcard, followed by interface ignore 127.0.0.1
  - The "ignore 127.0.0.1" line has no effect, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
- interface ignore wildcard, followed by interface ignore ::1
  - ntpd still opens the port 127.0.0.1:123.
  - This is the most I was able to achieve. It seems to be absolutely impossible to prevent ntpd from listening on 127.0.0.1. It is also weird (to say the least) how ntpd interprets "interface ignore" statements. But since I am forced to let ntpd listen on a public interface anyway, I am not going to pursue this any further.
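Since ntpd cannot run without a bound socket (both the activation procedure above and the "interface ignore" experiments just described end with ntpd listening on a public address), the practical hardening is to control what it answers. The following client-only /etc/ntp.conf is an added example written for this page, not the author's configuration and not the Debian stock file: the restrict lines are the ones Debian ships by default plus unrestricted loopback, the address 192.0.2.10 is a placeholder for the host's own address, and the interface rules at the end are optional.

```conf
# Client-only ntp.conf (added example, not this page's own file).
driftfile /var/lib/ntp/ntp.drift

# Upstream servers from the Debian pool, as in the stock file; iburst speeds up
# the initial synchronization.
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

# Default for every source address: rate-limited kiss-o'-death instead of time
# (kod), no runtime reconfiguration (nomodify), no trap service (notrap),
# no symmetric peering (nopeer) and no ntpq/ntpdc queries (noquery).
# noquery is what closes the "monlist" amplification vector.
# Replies from the configured servers are still accepted: none of these flags
# blocks mode-4 server responses, only what the daemon offers to others.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Full access from the host itself, so that "ntpq -p" keeps working locally.
restrict 127.0.0.1
restrict ::1

# Optional: do not bind the wildcard socket; listen only on loopback and on the
# one address that reaches the upstream servers (192.0.2.10 is a placeholder).
# Interface rules are evaluated in order; the last rule matching an address wins.
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
interface listen 192.0.2.10
```

A host firewall completes the picture: allow inbound UDP/123 to 192.0.2.10 only for packets that belong to requests ntpd itself sent (iptables' connection tracking matches UDP replies with "-m state --state ESTABLISHED") and drop the rest. Check the result with ntpq -p on the host, which must still work over loopback, and with ntpq -p <host> from another machine, which should now time out because of noquery.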
ntpdate
The Debian package ntpdate provides the utility ntpdate which can be used to immediately adjust the system date at the time when the utility is run, no matter how far off the system time currently is. Unlike ntpd it has no sanity limit: whatever offset the server reports is applied, so a wrong or malicious answer moves the clock just as readily as a correct one. For instance:
ntpdate time.euro.apple.com
For continuous time sync, you can add a script like the following to /etc/cron.hourly (-u sends from an unprivileged source port, which gets through firewalls that block inbound traffic to port 123, and -s sends the log output to syslog instead of stdout, where cron would otherwise mail it):
pelargir:~# ls -l /etc/cron.hourly/pelargir-ntpdate
-rwxr-xr-x 1 root root 56 2011-02-09 19:15 /etc/cron.hourly/pelargir-ntpdate
pelargir:~# cat /etc/cron.hourly/pelargir-ntpdate
#!/bin/sh
/usr/sbin/ntpdate -u -s time.euro.apple.com
There is also the utility ntpdate-debian which uses the configuration in /etc/default/ntpdate.
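The cron method applies whatever offset the server reports. As an added example (not the author's script), the following wrapper brings ntpd's 1000-second panic threshold to the ntpdate approach: it queries first with ntpdate -q, parses the reported offset, and only steps the clock when the offset is below the limit. The two ntpdate -q transcripts are constructed to match the format the utility prints, not captured on any host; the server name and the limit are assumptions taken from this page and from ntpd's default.

```sh
#!/bin/sh
# Guarded ntpdate: re-create ntpd's panic threshold for the cron method.
# Added example; the transcripts below are constructed, not real captures.

PANIC_LIMIT=1000               # seconds, same default as ntpd's sanity limit
NTP_SERVER=time.euro.apple.com # assumption: the server used on this page

# Constructed "ntpdate -q" transcripts in the format the utility prints.
SAMPLE_SMALL='server 192.33.96.102, stratum 1, offset -0.003218, delay 0.02583
 9 Feb 19:15:01 ntpdate[4242]: adjust time server 192.33.96.102 offset -0.003218 sec'
SAMPLE_LARGE='server 192.33.96.102, stratum 1, offset 3604.118244, delay 0.02583
 9 Feb 19:15:01 ntpdate[4242]: step time server 192.33.96.102 offset 3604.118244 sec'
SAMPLE_NONE='no server suitable for synchronization found'

# Extract the offset (seconds) from the final "adjust/step time server" line.
# Prints nothing when ntpdate found no usable server.
ntpdate_offset() {
    printf '%s\n' "$1" | awk '
        /(adjust|step) time server .* offset / {
            for (i = 1; i < NF; i++) if ($i == "offset") { print $(i + 1); exit }
        }'
}

# Exit 0 when |offset| is below the limit; awk does the floating-point compare.
offset_within_limit() {
    awk -v off="$1" -v lim="$2" 'BEGIN { if (off < 0) off = -off; exit !(off < lim) }'
}

# Classify a transcript: apply, refuse or noserver.
ntpdate_decision() {
    _off=$(ntpdate_offset "$1")
    if [ -z "$_off" ]; then
        echo noserver
    elif offset_within_limit "$_off" "$2"; then
        echo apply
    else
        echo refuse
    fi
}

# Cron entry point: query first, step only when the offset is sane.
# Not executed in this demonstration; it needs network access and root.
guarded_ntpdate() {
    _out=$(/usr/sbin/ntpdate -q "$1" 2>&1) || true
    case $(ntpdate_decision "$_out" "$PANIC_LIMIT") in
        apply)
            /usr/sbin/ntpdate -u -s "$1" ;;
        refuse)
            logger -t guarded-ntpdate "offset $(ntpdate_offset "$_out") s exceeds $PANIC_LIMIT s; not stepping, check $1"
            return 1 ;;
        noserver)
            logger -t guarded-ntpdate "no usable server: $_out"
            return 1 ;;
    esac
}

# Demonstration on the constructed transcripts (no network access needed).
echo "small offset: $(ntpdate_decision "$SAMPLE_SMALL" "$PANIC_LIMIT")"
echo "large offset: $(ntpdate_decision "$SAMPLE_LARGE" "$PANIC_LIMIT")"
echo "no server:    $(ntpdate_decision "$SAMPLE_NONE" "$PANIC_LIMIT")"
# In /etc/cron.hourly you would call: guarded_ntpdate "$NTP_SERVER"
```

A refused step is a signal worth alerting on: either the local clock is badly wrong (set it once by hand, as ntpd's own message recommends) or the server is lying.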
ntpq
ntpq is the standard NTP query program. For instance, it can be used to check the current time source:
ntpq -pn
(-n keeps the addresses numeric instead of resolving them. The source ntpd actually follows, the "system peer", is the line tagged with an asterisk; "+" marks candidates that survived the selection algorithm, and a blank tally means the peer is not used. "reach" is an octal shift register of the last eight polls, 377 meaning all of them were answered, and a stratum of 16 with refid .INIT. means no response has been received yet.)
For example:
root@pelargir:~# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+217.147.208.1   194.242.34.149   2 u   61   64    3    9.450  -10.368  10.087
+192.33.214.57   129.194.216.1    3 u   55   64    7   13.198  -10.532   8.899
+94.23.99.155    94.23.99.153     3 u   31   64    7   27.351   -5.038   7.588
*192.33.96.102   .PPS.            1 u   24   64   17    9.889  -12.321  11.285
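Reading the billboard by eye works for one host. As an added example (not the author's tooling), the following shell functions extract the same facts from ntpq -pn output so a cron job or monitoring check can alert on them: the system peer (the "*" line), its offset, and peers stuck at stratum 16 with reach 0, which is the state shown in the "interface ignore" experiment above. Both billboards are constructed in the format ntpq prints, reusing the values from this page; on a real host, feed the functions the output of ntpq -pn.

```sh
#!/bin/sh
# Summarise an "ntpq -pn" billboard. Added example; the samples are constructed.

# Constructed billboard of a synchronized ntpd (values follow the page's output).
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+217.147.208.1   194.242.34.149   2 u   61   64    3    9.450  -10.368  10.087
+192.33.214.57   129.194.216.1    3 u   55   64    7   13.198  -10.532   8.899
+94.23.99.155    94.23.99.153     3 u   31   64    7   27.351   -5.038   7.588
*192.33.96.102   .PPS.            1 u   24   64   17    9.889  -12.321  11.285'

# Constructed billboard of an ntpd that never got a reply: stratum 16, reach 0.
SAMPLE_INIT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ds1789963.dedic .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 ntp1.as34288.ne .INIT.          16 -    - 1024    0    0.000    0.000   0.000'

# Columns: $1 tally+remote, $2 refid, $3 st, $4 t, $5 when, $6 poll, $7 reach,
# $8 delay, $9 offset (ms), $10 jitter. Peer lines are those whose st is numeric,
# which skips the two header lines.

# Address of the system peer (tally "*"), without the tally character.
ntpq_syspeer() {
    printf '%s\n' "$1" | awk '$3 ~ /^[0-9]+$/ && /^\*/ { print substr($1, 2); exit }'
}

# Offset of the system peer in milliseconds, empty when there is none.
ntpq_offset_ms() {
    printf '%s\n' "$1" | awk '$3 ~ /^[0-9]+$/ && /^\*/ { print $9; exit }'
}

# "synced" when a system peer with stratum below 16 exists, else "unsynced".
ntpq_state() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^[0-9]+$/ && /^\*/ && $3 + 0 < 16 { ok = 1 }
        END { print (ok ? "synced" : "unsynced") }'
}

# Number of peers that have never answered: reach register 0 (octal; 377 means
# the last eight polls were all answered).
ntpq_unreachable() {
    printf '%s\n' "$1" | awk '$3 ~ /^[0-9]+$/ && $7 + 0 == 0 { n++ } END { print n + 0 }'
}

# One-line verdict suitable for a cron job or a monitoring check.
ntpq_report() {
    _state=$(ntpq_state "$1")
    if [ "$_state" = synced ]; then
        echo "synced to $(ntpq_syspeer "$1"), offset $(ntpq_offset_ms "$1") ms, $(ntpq_unreachable "$1") unreachable peer(s)"
    else
        echo "NOT synchronized: $(ntpq_unreachable "$1") peer(s) never answered (stratum 16 / .INIT.)"
    fi
}

ntpq_report "$SAMPLE_SYNCED"
ntpq_report "$SAMPLE_INIT"
# On a live host: ntpq_report "$(ntpq -pn)"
```

Because the default restrict rules refuse remote queries, this check has to run on the host itself over loopback, which is one reason the 127.0.0.1 socket the "interface ignore" experiment could not close is worth keeping.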