From Fedora Project Wiki

Revision as of 03:10, 5 March 2009 by Laubersm (talk | contribs) (add cat)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Managing Network Time Server

What is NTP

The Network Time Protocol (NTP) allows the computer to synchronize the clock to that of an external authoritative time source and provide the accurate time to clients on the local network. Fedora provides this functionality through the ntpd server. The ntpd daemon and associated utilities are provided by the ntp rpm package.

Installing NTP server

To install the Network Time Protocol Server, run:

su -c '/usr/bin/yum install ntp'

Configuring the NTP server

The configuration of the NTP server is managed through:

/etc/sysconfig/ntp:: Configuration file for the ntpd daemon start-up options. /etc/ntp.conf:: The main configuration file for the server and client. /etc/ntp/:: Contains the remaining files necessary to set the server up.

Before configuring the NTP server and starting the ntpd daemon, it is important to perform initial time synchronization of the system clock. The reason is that the ntpd daemon will not perform the initial synchronization at start up time if the system clock deviates from the real, accurate time too much.

To synchronize the system time to that of the public ntp server pool, run:

su -c '/usr/sbin/ntpdate -b pool.ntp.org'

Admonition("Note","pool.ntp.org is the project that manages a cluster of publicly available time servers across the world. Its clever DNS round-robin setup greatly reduces the load on individual time servers and aids in reducing the bandwidth cost for the operators and users by utilizing pgeodns data. It is likely that the response to the ntpdate command above will come from the geographically close time server.")

Access Controls

The NTP server provides a resource to the remote systems and clients, which implies enforcing of certain security measures. Access control parameters are adjustable and defined in the /etc/ntp.conf file using the following format:

restrict <ipaddress or FQDN> <netmask> parameter

The most commonly used parameters are:

ignore:: Deny all packets and queries kod:: Send Kiss-Of-Death packet on access violation nomodify:: Deny ntpq / ntpdc queries that attempt to modify the server notrap:: Deny control message trap service noquery:: Deny all ntpq / ntpdc queries noserve:: Deny all queries - except ntpq / ntpdc notrust:: Deny access unless cryptographically authenticated nopeer:: Deny all packets that attempt to establish a peer association

Admonition("Tip","Omit all parameters to grant the full access to NTP server.")

/etc/ntp.conf

To allow full control to the localhost, add the following entry:

restrict 127.0.0.1

The default configuration file has the pool of time servers listed:

server 0.fedora.pool.ntp.org dynamic
server 1.fedora.pool.ntp.org dynamic
server 2.fedora.pool.ntp.org dynamic

Admonition("Note","The listed servers are used in this guide. Consider changing the default entries to public servers that are available in your country or region to ensure faster response and help better network load handling.")

Restrict the listed servers from querying or modifying the local NTP server:

restrict 0.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 1.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 2.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery

Allow clients from the internal subnet to query the server (adjust the subnet address, if needed):

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Complete the configuration file with the following entries:

server          127.127.1.0     # local clock
fudge           127.127.1.0 stratum 10
driftfile       /var/lib/ntp/drift
broadcastdelay  0.008
keys            /etc/ntp/keys

The entries above provide the following:

server:: Specifies that a server is running on the host (own local clock) fudge:: Passes additional information to the clock driver stratum 10:: Manually sets the Stratum the server should operate at (1-15) driftfile:: Specifies the location of the file that holds calculated clock frequency offset broadcastdelay:: Sets the propagation delay from the server when broadcasting keys:: Store a list of keys needed for any cryptographic links

Admonition("Note","Stratum levels define the distance from the reference clock in the NTP hierarchy. Stratum 0 are reference clocks assumed to operate with very little or "zero-delay" and synchronize their clock to UTC over GPS, long wave radio, or similar links. They cannot be used on the network and are attached to Stratum 1 servers directly, for example through RS-232 serial port. Stratum 1 servers provide time synchronization over network links to Stratum 2 servers and so on, to Stratum 15. The higher the Stratum level is, the less accurate is the time source, estimated to be in a range of 10 - 100 ms per Startum level.")

Admonition("Tip","When determining the stratum of your server, firstly consider who you are providing time to? If you are only using the system for yourself and passing it on to a few workstations, then your stratum can be safely left at 10. If you are using the system for a large scale network, then plan your time servers and strata effectively.")

To start the NTP server, run:

su -c '/sbin/service ntpd start'

To enable the NTP server at boot time, run:

su -c '/sbin/chkconfig ntpd on'

By default, the ntpd daemon logs messages to the system log - /var/log/messages. The alternate log file may be specified in the /etc/ntp.conf:

logfile /var/log/ntpd.log

...and must be writable by ntp user.

To test the proper operation of the NTP server, run:

/usr/sbin/ntpq -pn

The initial output of the command is similar to:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
66.118.163.120  .INIT.          16 u    -   64    0    0.000    0.000   0.000
202.135.38.18   .INIT.          16 u    -   64    0    0.000    0.000   0.000
208.113.193.10  .INIT.          16 u    -   64    0    0.000    0.000   0.000
127.127.1.0     .LOCL.          10 l    -   64    1    0.000    0.000   0.001

Running the same command again after a few seconds should produce the output similar to:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
66.118.163.120  198.82.1.202     3 u   20   64    1  208.157   14.189   0.001
202.135.38.18   131.203.16.6     2 u   20   64    1   22.891   13.406   0.001
208.113.193.10  132.239.1.6      2 u   20   64    1  145.721    8.078   0.001
127.127.1.0     .LOCL.          10 l   20   64    1    0.000    0.000   0.001

The above output shows a properly synchronised time server drawing from NTP pool allocated sources. Notice that the local server is running at a stratum of 10.

Admonition("Tip","The clients on the local network will not be able to use the service until the .LOCL. time is stable. This may take up to 15 minutes upon the start of the ntpd daemon.")

Additional Information

Related Website

Installed Documentation

  • /usr/share/doc/ntp-*/index.html Installed Documentation

Related Manuals

  • man 8 ntpd
  • man 5 ntp.conf
  • man 5 ntp_acc
  • man 5 ntp_auth
  • man 5 ntp_mon
  • man 5 ntp_clock
  • man 5 ntp_misc