ntp

From Gentoo Wiki

NTP (Network Time Protocol) is used to synchronize the system time with other devices over the network. This usually happens in a client-server model.

Installation

USE flags

USE flags for net-misc/ntp (Network Time Protocol suite/programs)

caps (global): Use Linux capabilities library to control privilege
debug (global): Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
ipv6 (global): Add support for IP version 6
libressl (global): Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag
openntpd (local): Allow ntp to be installed alongside openntpd
parse-clocks (local): Add support for PARSE clocks
readline (global): Enable support for libreadline, a GNU line-editing library that almost everyone wants
samba (local): Provide support for Samba's signing daemon (needed for Active Directory domain controllers)
selinux (global): !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
snmp (global): Add support for the Simple Network Management Protocol if available
ssl (global): Add support for Secure Socket Layer connections
threads (global): Add threads support for various packages. Usually pthreads
vim-syntax (global): Pulls in related vim syntax scripts
zeroconf (global): Support for DNS Service Discovery (DNS-SD)

Emerge

Install the suite of NTP programs:

root #emerge --ask net-misc/ntp

Alternatively OpenNTPD can be used instead of net-misc/ntp.

Configuration

Ntp-Client

To adjust ntp-client's command and upstream servers, edit the ntp-client configuration file. The default configuration is populated with:

FILE /etc/conf.d/ntp-client
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="-s -b -u \
	0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org \
	2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"

Server

In /etc/ntp.conf the servers that will be used to synchronize the local time for ntpd can be specified. The default configuration is populated with:

FILE /etc/ntp.conf
server 0.gentoo.pool.ntp.org
server 1.gentoo.pool.ntp.org
server 2.gentoo.pool.ntp.org
server 3.gentoo.pool.ntp.org
Note
Time zones and location of the server do not matter for NTP; it synchronizes via UTC.

By default the Gentoo servers are listed and enabled. A list of available servers can be found on ntp.org. A home or company server can also be used here, provided ntpd is running on it and this machine is allowed access.

On systems where a network connection is not always available at boot (laptops, etc.), it might help to add the following lines to the server configuration:

FILE /etc/ntp.conf
server 127.127.1.0
fudge  127.127.1.0 stratum 10

This sets localhost as a server with low priority, so that the daemon starts properly even without a network connection and switches to using network servers when a connection is established.

Permissions

Permissions are used to control who is allowed to synchronize or change permissions.

Allow access to the NTP service only from localhost. noquery can be added to help prevent the server from being abused to conduct DDoS attacks:

FILE /etc/ntp.conf
# To deny other machines from changing the
# configuration but allow localhost:
restrict default nomodify nopeer noquery
restrict 127.0.0.1

Allow access to the NTP service only from the 192.168.0.0/24 network:

FILE /etc/ntp.conf
# To allow machines within the local network to synchronize
# their clocks with this server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against, uncomment this line.
#
restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap

Deny access to NTP's monlist functionality, which is used for querying traffic stats but is also exploited in a denial-of-service attack:

FILE /etc/ntp.conf
disable monitor
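
One way to check an existing configuration against the restrictions in this section. This is an added example, not part of the wiki page or the ntp package; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the restrictions described above.

# Print active directives: comments stripped, whitespace normalised.
active_lines() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$'
}

# audit_ntp_conf FILE: print one line per finding, return the finding count.
audit_ntp_conf() {
    conf=$1
    findings=0
    defaults=$(active_lines "$conf" |
        grep -E '^restrict (-[46] )?default( |$)' || true)
    if [ -z "$defaults" ]; then
        echo "MISSING: no 'restrict default' line"
        findings=$((findings + 1))
    fi
    # Every default rule (IPv4 and IPv6) needs all three flags.
    for flag in nomodify nopeer noquery; do
        bad=$(printf '%s\n' "$defaults" | grep -v '^$' | grep -vw -- "$flag" || true)
        if [ -n "$bad" ]; then
            echo "WEAK: '$bad' lacks $flag"
            findings=$((findings + 1))
        fi
    done
    # 'disable' can list several flags, so match 'monitor' as a whole word.
    if ! active_lines "$conf" | grep -E '^disable ' | grep -qw monitor; then
        echo "MISSING: 'disable monitor'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: noquery only appears in a comment, monitor not disabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server 0.gentoo.pool.ntp.org
restrict default nomodify nopeer   # noquery forgotten
restrict 127.0.0.1
EOF
audit_ntp_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

The exit status is the number of findings, so the function can gate a deployment step or a configuration-management run.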

Usage

Basic tools and common usage.

Client

ntp-client

To start the ntp-client:

root #rc-service ntp-client start

To view the status of the client:

root #rc-service ntp-client status

To have the client start at boot:

root #rc-update add ntp-client default

ntpdate

ntpdate used to be the client, but its functionality has now moved into ntpd and ntp-client itself. It only sets the local time when started and then exits (it is not a service):

root #ntpdate pool.ntp.org

Server

The server is both a client and a server. If the setup cannot access the network early in init, use the server only instead.

ntpd service

If ntpd is run as a service, the time will automatically synchronize as long as the difference between the local time and the time on the server is less than 1000s (~17 mins). It is therefore common to first set the time to whatever the server reports, treating the server as a trusted source:

root #ntpd -g -c /etc/ntp.conf
Note
If ntpd is already running, it will not start a second time.

Add ntpd to the default runlevel to have the time synchronized automatically. There is no need to run a client when the service is running. In this case verify that ntp-client or ntpdate are not in any runlevels.

root #rc-update

Once it is confirmed that no runlevel contains ntp-client or ntpdate, add the ntpd service:

root #rc-service ntpd start
root #rc-update add ntpd default

To monitor status of the server:

root #rc-service ntpd status
