NTP daemon status

The ntpq utility is the tool for monitoring the NTP daemon status. After configuring the NTP server, you can use it to see the status of the synchronization servers and assess their performance:

~ $ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================

*217.114.59.66   75.12.230.181    2 u  127  128  377    8.786   -0.448   0.094
-193.225.118.163 228.143.95.23    2 u   70  128  377   36.129   -1.790   0.079
-46.22.223.220   129.242.4.241    2 u   52  128  377   40.330    3.975   0.055
+91.234.160.19   162.23.41.55     2 u   57  128  377   21.482   -0.364   0.093
 127.127.1.0     .LOCL.          10 l  37m   64    0    0.000    0.000   0.000

remote column:

* : current time server source
# : source selected, distance exceeds maximum value
o : the PPS (Pulse Per Second) source if you have a PPS capable system and refclock
+ : candidate, it is considered a good source
- : discarded, quality is not good
x : false ticker, this one is considered to distribute bad time
blank : source discarded, failed sanity or high stratum

refid column:

The identification of the time source to which the remote machine is synced. It may be a radio clock or another NTP server.

st column:

Stratum of the remote machine. 16 is “unsynchronized”, 0 is the best value. A stratum 0 source could be a radio clock or the NTP server's private caesium clock.

t column:

l = local (such as a GPS, WWVB)
u = unicast (most common)
m = multicast
b = broadcast
- = netaddr

when column:

Seconds since the last poll of the remote machine.

poll column:

The polling interval in seconds.

reach column:

Record of the connection attempts to reach the source; 377 means all connections succeeded.

delay column:

The time delay (in milliseconds) to communicate with the remote source.

offset column:

The offset (in milliseconds) between our time and that of the remote source.

jitter column:

The observed difference (in milliseconds) of time with the remote source.

Configure an NTP server

OS: Ubuntu 14.04 LTS

Install ntp daemon:

~ $ apt-get install ntp

Now modify the configuration file /etc/ntp.conf. First configure the servers to synchronize with, for example:

server 1.2.3.1 prefer
server 1.2.3.2
server 1.2.3.3
server 1.2.3.4

With the option prefer you can establish preferred servers, in this case server 1.2.3.1. It’s optional.

Add drift file and log file:

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

The drift file contains the latest estimate of the clock frequency error. Taking it as a reference, the NTP daemon learns to adjust the clock automatically.

Add localhost as a fallback server with a high stratum, so that if none of our synchronization servers are working, the NTP daemon can serve the local time (system clock time):

server 127.127.1.0
fudge 127.127.1.0 stratum 10

Stratum is a parameter used to synchronize the time based on distance. A server working at stratum 1 belongs to the class of best NTP servers available, because it has an accurate reference clock. So a stratum 10 server will have a low priority and usually will not be used for synchronization unless all other servers fail.

We want a restrictive configuration, so block all traffic by default:

restrict -4 default ignore
restrict -6 default ignore

And then permit localhost:

restrict 127.0.0.1
restrict ::1

Synchronization servers:

restrict 1.2.3.1 kod notrap nomodify nopeer noquery
restrict 1.2.3.2 kod notrap nomodify nopeer noquery
restrict 1.2.3.3 kod notrap nomodify nopeer noquery
restrict 1.2.3.4 kod notrap nomodify nopeer noquery

And clients:

restrict 10.10.10.0 mask 255.255.0.0 nomodify notrap
restrict 192.168.172.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.0.10 nomodify notrap

The restriction options mean the following:

notrap: rejects unauthenticated packets
nomodify: blocks ntpq and ntpdc queries that try to change the state of the server
nopeer: denies packets that try to establish peering
noquery: rejects ntpq and ntpdc queries; the time service is not affected
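
An added example, not part of the original article: a small Python audit of the restrict lines above. It reports which sources can still send ntpq/ntpdc queries (neither ignore nor noquery is set) and flags an address that has host bits set under its mask. The names parse_restrict, audit and SAMPLE_CONF are illustrative, and it assumes restrict entries use literal addresses, not hostnames.

```python
import ipaddress

# Constructed sample: restrict lines taken from the configuration above.
SAMPLE_CONF = """\
restrict -4 default ignore
restrict 127.0.0.1
restrict 1.2.3.1 kod notrap nomodify nopeer noquery
restrict 10.10.10.0 mask 255.255.0.0 nomodify notrap
restrict 192.168.172.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.0.10 nomodify notrap
"""

def parse_restrict(line):
    """Return (network, flags, notes) for a restrict line, else None."""
    tok = line.split("#", 1)[0].split()
    # Optional address-family switch directly after the keyword.
    family = tok.pop(1) if tok[1:2] in (["-4"], ["-6"]) else ""
    if len(tok) < 2 or tok[0] != "restrict":
        return None
    addr = tok[1]
    mask = tok[3] if tok[2:3] == ["mask"] and len(tok) > 3 else None
    flags = set(tok[4:] if mask else tok[2:])
    notes = []
    if addr == "default":
        net = ("default " + family).strip()
    else:
        # strict=False masks off host bits, giving the range the mask covers.
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
        if mask and str(net.network_address) != addr:
            notes.append(f"{addr} has host bits set; mask covers {net}")
    return str(net), flags, notes

def audit(conf):
    """Return (network, note) pairs for entries worth a second look."""
    findings = []
    for line in conf.splitlines():
        entry = parse_restrict(line)
        if entry is None:
            continue
        net, flags, notes = entry
        # Without ignore or noquery the source can still send ntpq/ntpdc queries.
        if not flags & {"ignore", "noquery"}:
            notes.append("ntpq/ntpdc queries allowed")
        findings += [(net, note) for note in notes]
    return findings

if __name__ == "__main__":
    for net, note in audit(SAMPLE_CONF):
        print(f"{net:20} {note}")
```

On the sample, the 10.10.10.0 entry is reported as covering 10.10.0.0/16, and every client range appears as able to query the daemon because only nomodify and notrap are set there.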

Finally restart the server:

~ $ /etc/init.d/ntp restart

TIP: if you want the service to start on IPv4 only, you can configure this in the /etc/default/ntp file:

NTPD_OPTS='-4 -g'

Now, on the client side, you can use ntpdate to synchronize the time. Install the package:

~ $ apt-get install ntpdate

And create a cron task to execute ntpdate every 10 minutes:

*/10 * * * * /usr/sbin/ntpdate -u myntpserver.domain.com