Computer Help for the New and Veteran User of Linux

Networking & Security Help


  1. Network Time Protocol (NTP), Sync your time at bootup.

    The tutorial below is for Gentoo NTP version >= 4.1.2. For earlier NTP versions, use the tutorial after this one!

    Answer: Let's say your time is always off or you just want to make sure it is correct. The no-hands way is with NTP, and it is pretty simple. First you emerge ntp (see Installing until unmasked). That will install the Network Time Protocol program on your system. There are two ways you can use this: 1) Use ntpd, which doesn't do large time increments, but will do small ones over a course of time. It might take a while for you to notice that the time is finally staying set (see driftfile for more info). 2) Use ntp-client, which will do large time increments, but won't run on its own to keep the time accurate, unless you set it up to do so in cron (see note below on this). Its purpose is to correct your time at boot-up.

    So if you're the average home user, you are probably shutting your computer down frequently enough that ntp-client is going to be the ticket for you. The same applies unless your time drifts badly, or you leave the machine on for extended periods and exact time over a long period is very important to you. For those in that category who need exact time kept, ntpd is probably what you want.

    Note: ntp-client currently uses ntpdate to initially set the time. Ntpdate is supposed to be phased out sooner or later. I have seen the notice up for quite a while, though, so that phase-out is probably sometime long in the future. But if you decide to use a cron job with ntpdate, then when it stops working you will have to adjust your cron job to whatever the new command is.

    First of all, for those familiar with the previous versions of NTP on Gentoo, you might want to know what the differences are. One of the main differences is that the previous file /etc/conf.d/ntpd has been split. There are now ntp-client and ntpd files in /etc/conf.d . Another is that there are now two separate init scripts in the /etc/init.d folder, one for each. So you don't have to add ntpd to your default runlevels if all you want to use is the ntp-client at boot. You'll just add ntp-client to your default runlevels.

    Also, one thing is the same. If you previously used ntpdate, you know that you couldn't have ntpd running or ntpdate wouldn't work. You have to install NTP to get both programs, but you don't have to add ntpd to your default run levels to run ntp-client either. So that is still the same.

    Installing NTP: (NTP-CLIENT Section)

    At the time of this writing you have to explicitly specify ntp-4.1.2 if you want it. It will also upgrade swig and libcap.

    After you emerge ntp you need to get it to work at boot. Add it to the default runlevel (as root): rc-update add ntp-client default . Now it will load at boot, but you don't have a server picked yet. So go to NTP Servers and read the info if you want; the server URLs are at the bottom of that page. Find a server in your time zone (several, in case one is down), preferably in stratum 2. Then as root, open up the /etc/conf.d/ntp-client file. It looks like this:

    ...
    # Command to run to set the clock initially
    # Most people should just leave this line alone ...
    # however, if you know what you're doing, and you
    # want to use ntpd to set the clock, change this to 'ntpd'
    NTPCLIENT_CMD="ntpdate"

    # Options to pass to the above command
    # Most people should just uncomment this variable and
    # change 'someserver' to a valid hostname which you
    # can aquire from the URL's below
    #NTPCLIENT_OPTS="-b ntp0.mcs.anl.gov"          # uncomment & add server
    #NTPCLIENT_OPTS="-b ntp-2.cso.uiuc.edu"        # added by me
    NTPCLIENT_OPTS="-b time-ext.missouri.edu"     # added by me


    ##
    # A list of available servers is available here:
    # http://www.eecis.udel.edu/~mills/ntp/servers.html
    # Please follow the rules of engagement and use a
    # Stratum 2 server (unless you qualify for Stratum 1)

    That is pretty much it. You have your server(s) in place, and it is set to start at boot. If for some reason you find your time off, you can always run: /etc/init.d/ntp-client restart and you will see a message like this:

    Setting clock via the ntp client 'ntpdate'...

    Then again, until ntpdate is actually dropped you could look up which server you're using and issue: ntpdate server_name again. Using ntp-client seems a little easier to me. There is an init script to restart it if you want, and you don't have to stop ntpd if you have it running to run ntp-client.

    Installing NTP: (NTPD Section)

    At the time of this writing you have to explicitly specify ntp-4.1.2 if you want it. It will also upgrade swig and libcap.

    After you emerge ntp you need to get it to work at boot. Add it to the default runlevel (as root): rc-update add ntpd default . Now it will load at boot, but you don't have a server picked yet. So go to NTP Servers and read the info if you want; the server URLs are at the bottom of that page. Find a server in your time zone (several, in case one is down), preferably in stratum 2. Then as root, copy the sample config file from /usr/share/ntp/ntp.conf to /etc/ntp.conf. Then open up the /etc/ntp.conf file. It looks like this:

    # NOTES:
    # - you should only have to update the server line below
    # - if you start getting lines like 'restrict' and 'fudge'
    # and you didnt add them, AND you run dhcpcd on your
    # network interfaces, be sure to add '-Y -N' to the
    # dhcpcd_ethX variables in /etc/conf.d/net

    # Name of the servers ntpd should sync with
    # Please respect the access policy as stated by the responsible person.
    #server ntp.example.tld iburst          # example
    #server ntp-2.mcs.anl.gov iburst        # add a server
    #server ntp-2.cso.uiuc.edu iburst       # added another server
    server time-ext.missouri.edu iburst     # added another server
    ##
    # A list of available servers is available here:
    # http://www.eecis.udel.edu/~mills/ntp/servers.html
    # Please follow the rules of engagement and use a
    # Stratum 2 server (unless you qualify for Stratum 1)
    ##

    # you should not need to modify the following paths
    logfile /var/log/ntpd.log            # Logfile location
    driftfile /var/lib/ntp/ntp.drift     # driftfile new location

    #server ntplocal.example.com prefer
    #server timeserver.example.org

    # Warning: Using default NTP settings will leave your NTP
    # server accessible to all hosts on the Internet.

    #
    # If you want to deny all machines from accessing
    # your NTP server, uncomment:
    #
    #restrict 127.0.0.1 default ignore
    #restrict 127.0.0.1

    # To only deny other machines from changing the
    # configuration but allow localhost uncomment:
    #
    restrict 127.0.0.1 ignore notrust nomodify     # <-- Deny all others.
    #restrict 127.0.0.1
    # Accept localhost. Does not seem to work and clock won't update if have
    # in separate lines. So I ADDED ignore, and moved 127.0.0.1 up. If have
    # default will get error in log, but still works. So put restrict in one line.



    # To allow machines within your network to synchronize
    # their clocks with your server, but ensure they are
    # not allowed to configure the server or used as peers
    # to synchronize against, uncomment this line.
    #
    #restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

    # To only deny other machines from changing the
    # configuration but allow localhost uncomment:
    #
    #restrict default notrust nomodify
    #restrict 127.0.0.1


    The restrictions I am using above are because I don't have any other machines on the network that need to access my ntp server. It is a standalone machine. So I set it up so no one can sync off my time. You have to allow localhost, though, or the software won't work right. I'm not going to get into all the restrict setups, though. They are pretty self-explanatory for the most part. You can view the docs at the ntp link at the bottom of the page if you need more.
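
    How ntpd picks the restrict entry for a source address, as an added example that is not part of the original tutorial: it parses the restrict lines shown on this page and reports the flags that apply to a given host. It assumes literal IPv4 addresses and most-specific-match semantics; the addresses 192.0.2.10 and 198.51.100.7 and the third configuration are constructed for illustration.

```python
import ipaddress

def parse_restrict(conf_text):
    """Return [(network, flags)] for every active IPv4 'restrict' line."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        addr, args = tokens[1], tokens[2:]
        mask = "255.255.255.255"                   # no mask: a single host
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if args[:1] == ["mask"]:
            mask, args = args[1], args[2:]
        entries.append((ipaddress.ip_network(f"{addr}/{mask}"), set(args)))
    return entries

def effective_flags(entries, source):
    """Flags of the most specific entry covering source.

    ntpd always holds a default entry; when the file does not configure
    one it carries no flags, so unmatched hosts are unrestricted.
    """
    ip = ipaddress.ip_address(source)
    best_len, best_flags = -1, set()
    for net, flags in entries:
        if ip in net and net.prefixlen >= best_len:
            best_len, best_flags = net.prefixlen, flags
    return best_flags

def serves_time(entries, source):
    """True unless 'ignore' or 'noserve' applies to source.

    'notrust' is not evaluated: its meaning differs between ntpd versions.
    """
    return not ({"ignore", "noserve"} & effective_flags(entries, source))

# The one active restrict line from the ntp.conf shown above.
PAGE_CONF = "restrict 127.0.0.1 ignore notrust nomodify"

# The restrict lines of the file dhcpcd writes, as shown on this page.
DHCPCD_CONF = """\
restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict 24.207.208.0 mask 255.255.240.0
"""

# Constructed variant: drop everything by default, then open localhost and
# the upstream server (placeholder address). Without the upstream entry the
# server's replies are dropped too and the clock never syncs.
CLOSED_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap noquery
"""

OUTSIDER = "198.51.100.7"   # constructed: stands in for any other host

if __name__ == "__main__":
    for name, conf in [("page", PAGE_CONF), ("dhcpcd", DHCPCD_CONF),
                       ("closed", CLOSED_CONF)]:
        entries = parse_restrict(conf)
        for src in ("127.0.0.1", OUTSIDER):
            print(name, src, sorted(effective_flags(entries, src)),
                  serves_time(entries, src))
```

    Running it prints, for each configuration, the flags that apply to localhost and to an arbitrary outside host, which is the quickest way to confirm that a restrict setup covers the hosts you meant it to cover.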

    DHCPCD: Lastly, if you don't want the above file, /etc/ntp.conf, overwritten by DHCP, you will have to pass a couple of options to dhcpcd during boot. I had a hard time finding this information all together in one place. If you do not do this, your /etc/ntp.conf file will look like the one below each time you boot, and your old file will be saved as /etc/ntp.conf.sv .

    restrict default noquery notrust nomodify
    restrict 127.0.0.1
    restrict 24.207.208.0 mask 255.255.240.0
    fudge 127.127.1.0 stratum 3
    server 127.127.1.0
    driftfile /etc/ntp.drift
    logfile /var/log/ntp.log

    Well that doesn't look like what you had or want. So, you need to edit your /etc/conf.d/net file. Change this line to look like this, or if you already have something in there, add the two options.

    # For DHCP set iface_eth? to "dhcp"
    # For passing options to dhcpcd use dhcpcd_eth?
    #
    iface_eth0="dhcp"
    dhcpcd_eth0="-YN"    # Uncomment and put the -YN in the quotes.

    The Y tells dhcpcd not to overwrite the /etc/yp.conf file and the N tells it not to overwrite the /etc/ntp.conf file. Also, if you're having bootup problems with ethX timeouts because it isn't connecting and you can't boot or it takes forever, you can add a -t timeout period to the options. See the dhcpcd manpage for the information.

    Finishing up:

    Now that you have ntp.conf in place, servers picked, ntpd set as default and, if using dhcp, the /etc/conf.d/net file edited correctly, you're good to go. Either reboot or run /etc/init.d/ntpd start. You won't see any time corrections for a while yet with ntp. The driftfile doesn't have any value in it yet. It will take ntp about 1 hour to write to the drift file. So if you check your /var/log/ntpd.log file after an hour you should start to see it correcting the time.

    The drift file is:

    When the NTP daemon (ntpd) is first started, it computes the error in the intrinsic frequency of the clock on the computer it is running on. This process usually takes about a day or two after the daemon is started to compute a good estimate of this (and it needs a good estimate to synchronize closely to its server). Once the initial value is computed, it will change only by relatively small amounts during the course of continued operation.

    The driftfile declaration should always be included in the ntp.conf file. This provides xntpd with complete path name to a file in which it can store the current value of the frequency error. That way, if the daemon is stopped and restarted, it can reinitialize itself to the previous estimate without spending time recomputing the frequency estimate.

    Except, I think the xntpd is called ntpd in Gentoo. Not sure at this time though, not like it really matters either as long as it works. No need to make the ntp folder or driftfile now, it is made for you.

    Couple tools to use:

    ntpq is the command to use to Query NTP Servers. You could use it like this to see if it is reading your server list correctly: ntpq -p and you would see a list like below.


          remote          refid   st t when  poll  reach  delay  offset  jitter
    ==============================================================================
    +navobs1.wustl.e .PSC.         1 u 758   1024   377  38.573  12.681   0.372
    *now.cis.okstate .PSC.         1 u 701   1024   377  54.754  21.052   5.975
    +ntp0.mcs.anl.go 0.0.0.0       1 u 828   1024   377  38.982  25.168   5.408

    Which you can see is making contact with the servers (peers).

    ntptrace is the trace command, which with no arguments given will use localhost. You can see a little more detail about the server it is using to sync with. Use it with the -v option and you will get more detailed information.

    The tutorial below is for Gentoo NTP versions < 4.1.2. As of version 4.1.2, use the tutorial above!

    Answer: Let's say your time is always off or you just want to make sure it is correct. The no-hands way is with NTP, and it is pretty simple. First you emerge ntp . That will install the Network Time Protocol program on your system. There are two ways you can use this: 1) Use ntpd, which doesn't do large time increments, but will do small ones over a course of time. It might take a while for you to notice that the time is finally staying set (see driftfile for more info). 2) Use ntpdate, which will do large time increments, but won't run on its own to keep the time accurate, unless you set it up to do so in cron. After you emerge ntp you need to get it to work at boot with: rc-update add ntpd default . Now it will load at boot, but you don't have a server picked yet. So go to NTP Servers and read the info if you want; the servers are at the bottom of that page. Find a server in your time zone (several, in case one is down), preferably in stratum 2. Then as root, open up the /etc/ntp.conf file. It looks like this: (Leave the 'iburst' part in place).

    logfile   /var/log/ntpd.log
    driftfile  /var/state/ntp.drift

    # Name of the servers ntpd should sync with
    # Please respect the access policy as stated by the responsible person.
    #server  navobs1.wustl.edu  iburst
    #server  now.okstate.edu   iburst
    server  ntp0.mcs.anl.gov  iburst
    ##
    # A list of available servers is available here:
    # * http://www.eecis.udel.edu/~mills/ntp/clock1a.html
    # and
    # * http://www.eecis.udel.edu/~mills/ntp/clock2a.html
    ##

    If you want to sync your time first without rebooting do (read note below first), as root: ntpdate -b servername and you should see something like below. This forces the time to be updated, no matter how great the time difference. Example: ntpdate -b now.okstate.edu

    4 Dec 18:17:58 ntpdate[29372]: step time server 128.252.19.1 offset -0.001818 sec

    Your time on the clock should adjust accordingly. Note: If you have the ntp daemon running (i.e. ntpd), then you will have to stop it first with: /etc/init.d/ntpd stop or it won't work. Then you can start it up again after. Also note that if you are using KDE as your Desktop, you might need to right-click on the clock and select 'Adjust Date & Time...' and set to your Time Zone. I had mine set in /etc/rc.conf to local and the time zone set to Central during the install, but for some reason KDE didn't take it.

    There is another thing to do. The drift file isn't made by default, so as root: mkdir /var/state to make the state folder, then touch /var/state/ntp.drift . Otherwise you will see errors in your log file about no such file. See below DHCPCD for info on the drift file.

    DHCPCD: Lastly, if you don't want the above file, /etc/ntp.conf, overwritten by DHCP, you will have to pass a couple of options to dhcpcd during boot. I had a hard time finding this information all together in one place. If you do not do this, your /etc/ntp.conf file will look like the one below each time you boot, and your old file will be saved as /etc/ntp.conf.sv .

    restrict default noquery notrust nomodify
    restrict 127.0.0.1
    restrict 24.207.208.0 mask 255.255.240.0
    fudge 127.127.1.0 stratum 3
    server 127.127.1.0
    driftfile /etc/ntp.drift
    logfile /var/log/ntp.log

    Well that doesn't look like what you had or want. So, you need to edit your /etc/conf.d/net file. Change this line to look like this, or if you already have something in there, add the two options.

    # For DHCP set iface_eth? to "dhcp"
    # For passing options to dhcpcd use dhcpcd_eth?
    #
    iface_eth0="dhcp"
    dhcpcd_eth0="-YN"    # Uncomment and put the -YN in the quotes.

    The Y tells dhcpcd not to overwrite the /etc/yp.conf file and the N tells it not to overwrite the /etc/ntp.conf file. Also, if you're having bootup problems with ethX timeouts because it isn't connecting and you can't boot or it takes forever, you can add a -t timeout period to the options. See the dhcpcd manpage for the information.

    The drift file is:

    When the NTP daemon (ntpd) is first started, it computes the error in the intrinsic frequency of the clock on the computer it is running on. This process usually takes about a day or two after the daemon is started to compute a good estimate of this (and it needs a good estimate to synchronize closely to its server). Once the initial value is computed, it will change only by relatively small amounts during the course of continued operation.

    The driftfile declaration should always be included in the ntp.conf file. This provides xntpd with complete path name to a file in which it can store the current value of the frequency error. That way, if the daemon is stopped and restarted, it can reinitialize itself to the previous estimate without spending time recomputing the frequency estimate.

    Except, I think the xntpd is called ntpd in Gentoo. Not sure at this time though, not like it really matters either as long as it works. So make the folder and file and stay in Time.

    Extra:

    NTPDATE: Now let's say you want to just use ntpdate instead of ntpd to correct your time. You can simply edit your /etc/conf.d/ntp file. You would put ntpdate in place of ntpd and list your servers there. It would look like this below; otherwise leave it alone.

    # Copyright 1999-2002 Gentoo Technologies, Inc.
    # Distributed under the terms of the GNU General Public License v2
    # $Header: /home/cvsroot/gentoo-x86/net-misc/ntp/files/ntpd.confd,v 1.11 2003/01/13 21:09:51 vapier Exp $

    # NOTES:
    # - NTPDATE variables below are used if you wish to set your
    # clock when you start the ntp init.d script
    # - make sure that the NTPDATE_CMD will close by itself ...
    # the init.d script will not attempt to kill/stop it
    # - ntpd will be used to maintain synchronization with a time
    # server regardless of what NTPDATE is set to
    # - read each of the comments above each of the variable

    # Comment this out if you dont want the init script to warn
    # about not having ntpdate setup
    NTPDATE_WARN="y"

    # Command to run to set the clock initially
    # Most people should just uncomment this line ...
    # however, if you know what you're doing, and you
    # want to use ntpd to set the clock, change this to 'ntpd'
    NTPDATE_CMD="ntpdate"

    # Options to pass to the above command
    # Most people should just uncomment this variable and
    # change 'someserver' to a valid hostname which you
    # can aquire from the URL's below
    #NTPDATE_OPTS="-b ntp0.mcs.anl.gov"
    #NTPDATE_OPTS="-b navobs1.wustl.edu"
    NTPDATE_OPTS="-b now.okstate.edu"
    ##
    # A list of available servers is available here:
    # Please respect the access policy as stated by the responsible person.
    # * http://www.eecis.udel.edu/~mills/ntp/clock1a.html
    # and
    # * http://www.eecis.udel.edu/~mills/ntp/clock2a.html
    ##
    # Options to pass to the ntpd process that will *always* be run
    # Most people should not uncomment this line ...
    # however, if you know what you're doing, feel free to tweak
    #NTPD_OPTS=""

    Put your own servers there and then take ntpd out of default runscripts, so it doesn't start before ntpdate: rc-update del ntpd default . Then when you reboot it will use the above script and ntpdate to correct your time.

    Either method you want to use works and will correct your time. If you don't have a preference and don't leave your computer on all the time, then ntpdate should work fine for you. It will correct the time each time you reboot. If you leave the computer on all the time, then maybe ntpd is for you.

    Whichever way you choose, you can also use these tools that come with the package to see how things are working. For instance:

    ntpq is the command to use to Query NTP Servers. You could use it like this to see if it is reading your server list correctly: ntpq -p and you would see a list like below.


          remote          refid   st t when  poll  reach  delay  offset  jitter
    ==============================================================================
    +navobs1.wustl.e .PSC.         1 u 758   1024   377  38.573  12.681   0.372
    *now.cis.okstate .PSC.         1 u 701   1024   377  54.754  21.052   5.975
    +ntp0.mcs.anl.go 0.0.0.0       1 u 828   1024   377  38.982  25.168   5.408

    Which you can see is making contact with the servers (peers).
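
    Reading the ntpq -p listing shown in both tutorials, as an added example that is not part of the original page: it decodes the tally character in column one and the octal reach register, then reports peers that have stopped answering. The first three peer rows are the ones shown above; the last row, the 128 ms offset limit and the function names are constructed for illustration.

```python
# Meaning of the tally character printed in the first column by ntpq -p.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier",
         "x": "falseticker", "#": "backup", "o": "pps peer",
         ".": "excess", " ": "rejected"}

def parse_peers(text):
    """Parse raw `ntpq -p` output (lines not indented) into dicts."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue                          # header, separator or blank
        reach = int(fields[6], 8)             # reach is printed in octal
        peers.append({
            "tally": TALLY.get(line[0], "unknown"),
            "remote": fields[0],
            "stratum": int(fields[2]),
            "answered": bin(reach).count("1"),  # replies to the last 8 polls
            "offset_ms": float(fields[8]),
        })
    return peers

def check(peers, max_offset_ms=128.0):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if not any(p["tally"] == "system peer" for p in peers):
        findings.append("no system peer: clock is not synchronised")
    for p in peers:
        if p["answered"] == 0:
            findings.append(f"{p['remote']}: no reply in the last 8 polls")
        elif p["tally"] == "falseticker":
            findings.append(f"{p['remote']}: rejected as a falseticker")
        elif abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset_ms']} ms")
    return findings

SAMPLE = "\n".join([
    "     remote          refid   st t when  poll  reach  delay  offset  jitter",
    "==============================================================================",
    "+navobs1.wustl.e .PSC.         1 u 758   1024   377  38.573  12.681   0.372",
    "*now.cis.okstate .PSC.         1 u 701   1024   377  54.754  21.052   5.975",
    "+ntp0.mcs.anl.go 0.0.0.0       1 u 828   1024   377  38.982  25.168   5.408",
    # Constructed row: a server that has never answered.
    " ntp.example.tld .INIT.        16 u   -     64     0   0.000   0.000   0.000",
])

if __name__ == "__main__":
    for peer in parse_peers(SAMPLE):
        print(peer)
    print(check(parse_peers(SAMPLE)))
```

    A reach of 377 is eight set bits, meaning the last eight polls were all answered; a reach of 0 means the peer has not been heard from at all.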

    ntptrace is the trace command, which with no arguments given will use localhost. You can see a little more detail about the server it is using to sync with. Use it with the -v option and you will get more detailed information.

    Another way to use ntpdate: You can also dispense with the above info and just add ntpdate to your /etc/conf.d/local.start file. My entry looks like this:

    ntpdate ntp0.mcs.anl.gov

    You still have to remove ntp from default runlevels, but don't have to change the /etc/conf.d/ntpd file. Again, it runs at the end of bootup. But you won't be able to just run ntpdate to update if the time is off. You will have to add the server, so it looks just like above. So I would only do this if your time was rarely off. Currently that is how mine is set up and it works fine. This is just another way; basically you're in the same folder to set up ntpdate as above, but it just shows another way to do it.

    References:

    1) Ntpd
    2) Ntpdate
    3) Ntp Troubleshooting

    4) Check out the html pages in your /usr/share/doc/ntp/html



Decibels
