ntp

From Gentoo Wiki
Jump to:navigation Jump to:search

Resources

net-misc/ntp is a suite of tools utilizing Network Time Protocol. Their purpose is to keep the system clock in time.

Installation

USE flags

USE flags for net-misc/ntp Network Time Protocol suite/programs

caps Use Linux capabilities library to control privilege
debug Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
ipv6 Add support for IP version 6
openntpd Allow ntp to be installed alongside openntpd
parse-clocks Add support for PARSE clocks
readline Enable support for libreadline, a GNU line-editing library that almost everyone wants
samba Provide support for Samba's signing daemon (needed for Active Directory domain controllers)
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
snmp Add support for the Simple Network Management Protocol if available
ssl Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
threads Add threads support for various packages. Usually pthreads
vim-syntax Pulls in related vim syntax scripts
zeroconf Support for DNS Service Discovery (DNS-SD)

Emerge

Install the suite of NTP programs:

root #emerge --ask net-misc/ntp

Configuration

Ntp-client

The service ntp-client is used for one-time sync, usually during bootup. Its purpose is to help with the ntpd startup, as ntpd initially waits before attempting to correct the clock skew, and may even refuse to do so if the skew is too large.

Starting the ntp-client service will run the sync only once. It is then expected that ntpd is used for maintaining the time until the next reboot.

Note
During boot, ntp-client service will run before ntpd service. It's safe to have both in the same (default) runlevel.

Upstream servers

To adjust ntp-client's command and upstream servers, edit the ntp-client configuration file. The default configuration is populated with:

FILE /etc/conf.d/ntp-client
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="-s -b -u \
	0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org \
	2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"

Usage

To run the ntp-client:

root #rc-service ntp-client start

To have the ntp-client run at boot:

root #rc-update add ntp-client default

To run the ntpdate command manually:

root #ntpdate -b -u 0.gentoo.pool.ntp.org

Ntpd

Upstream servers

In /etc/ntp.conf the servers that will be used to synchronize the local time for ntpd can be specified. The default configuration is populated with:

FILE /etc/ntp.conf
server 0.gentoo.pool.ntp.org
server 1.gentoo.pool.ntp.org
server 2.gentoo.pool.ntp.org
server 3.gentoo.pool.ntp.org
Note
Time zones and location of the server do not matter for NTP; it synchronizes via UTC.

By default the configuration uses the Gentoo NTP servers. A list of available servers can be found on ntp.org. A private server can also be used.

Network not always available?

On systems where a network connection is not always available at boot (laptops, etc.), it might help to add the following lines to server configuration:

FILE /etc/ntp.conf
server 127.127.1.0
fudge  127.127.1.0 stratum 10

This sets localhost as a server with low priority, so that the daemon starts properly even without a network connection and switches to using network servers when a connection is established.

Permissions

Permission are used to control who is allowed to synchronize or change permissions.

To enable time syncing, the ntpd server must be reachable by the other ntp services. noserve can be used for blocking.

To prevent other machines from reconfiguring your server, use nomodify.

To prevent your server from being used in Denial of Service attacks, use noquery.

FILE /etc/ntp.conf
# Default configuration:
# - Allow only time queries, at a limited rate, sending KoD when in excess.
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1

Access to NTP service allowed only from the 192.0.2.0/24 network:

FILE /etc/ntp.conf
# To allow machines within the local network to synchronize
# their clocks with this server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against
restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer notrap

To deny access to monlist functionality, used for querying traffic stats, but which may also be exploited in a Denial of Service attack:

FILE /etc/ntp.conf
disable monitor

Usage

To start the ntpd service:

root #rc-service ntpd start

To have the ntpd service start at boot:

root #rc-update add ntpd default

To monitor status of the ntpd service:

root #rc-service ntpd status


See also

External resources