NTP
Chrony
Example chrony.conf for chrony:
server 0.pool.ntp.org
server 0.europe.pool.ntp.org
server 0.de.pool.ntp.org
server 0.north-america.pool.ntp.org
keyfile /etc/chrony/chrony.keys
commandkey 1
driftfile /var/lib/chrony/chrony.drift
log tracking measurements statistics
logdir /var/log/chrony
maxupdateskew 100.0

# Save the measurement history on exit
dumponexit
dumpdir /var/lib/chrony

# Act as NTP server to local networks
# local stratum 10
# allow 10/8
# allow 192.168/16
# allow 172.16/12

# Note: While binding to localhost is possible, chrony won't be
# able to reach any NTP peers that way.[1]
# bindaddress 127.0.0.1

# Restrict the monitoring and command interface[2]
# bindcmdaddress /var/lib/chrony/chronyd.sock   # sockets are only supported with chronyd 2.1.1[3]
bindcmdaddress 127.0.0.1

# Disable the command port entirely.[4]
# Note: chronyc will no longer be able to connect.
# cmdport 0

# To correct even bigger time differences during startup
# 100000 seconds - 1.2 days
# 200000 seconds - 2.3 days
makestep 200000 10

# Send a syslog message for time changes greater than that
logchange 0.5

# Assume our RTC to be on UTC
rtconutc
$ systemctl restart chrony.service
$ netstat -anptu | grep chrony
udp        0      0 127.0.0.1:123           0.0.0.0:*                           8027/chronyd
udp6       0      0 :::123                  :::*                                8027/chronyd
Force[5] chrony to update the system time:
chronyc -a "burst 4/4"                      # If chronyd is already running
chronyd -q "server pool.ntp.org iburst"     # If chronyd is not already running
While this will start a slow but steady adjustment, the following can be used to set the correct time at once:
chronyc -a "burst 4/4" && sleep 10 && chronyc -a makestep
NTP
NTP is the de-facto standard when it comes to time synchronization software. A very basic /etc/ntp.conf:
restrict 127.0.0.1
restrict default kod notrap nomodify nopeer noquery
server us.pool.ntp.org
server europe.pool.ntp.org
server de.pool.ntp.org
tinker panic 0
driftfile /var/lib/ntp/drift
Notice the "tinker panic 0"[6] option: it makes sure that ntpd adjusts the time even when the difference is very large, e.g. when suspended virtual machines are resumed.[7]
OpenNTPD
OpenNTPD is nice because it doesn't listen on any network interfaces by default, so it's perfect for a client-only setup:
$ cat /etc/openntpd/ntpd.conf
servers europe.pool.ntp.org
servers us.pool.ntp.org
Start ntpd with -s to set the time immediately at startup if the local clock is off by more than 180 seconds.[8]
rdate
rdate is not really an NTP client but uses the Time Protocol instead. The NIST servers[9][10] are still supporting this protocol. Crontab example:
0 * * * * rdate -s time.nist.gov | logger -t RDATE
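As an added example (not from the original page, and not rdate's own code), here is a minimal Python client for the Time Protocol that rdate speaks, assuming TCP port 37 on time.nist.gov; the 4-byte reply is a big-endian count of seconds since 1900, so the decoder has to subtract the 1970 offset and handle the 2036 wrap. The 180-second plausibility gate, the function names and the sample reply are my own constructions.

```python
import socket
import struct
from datetime import datetime, timezone

# RFC 868 counts seconds since 1900-01-01 00:00 UTC; Unix time since 1970.
RFC868_TO_UNIX_OFFSET = 2_208_988_800
TIME_PORT = 37


def decode_time_protocol(payload: bytes) -> int:
    """Convert a 4-byte Time Protocol reply into Unix seconds."""
    # The reply is unauthenticated; its length is the only structural check.
    if len(payload) != 4:
        raise ValueError(f"expected 4 bytes, got {len(payload)}")
    (since_1900,) = struct.unpack("!I", payload)
    # The 32-bit counter wraps on 2036-02-07; a value below the 1970 offset
    # belongs to the next era and is shifted by 2**32.
    if since_1900 < RFC868_TO_UNIX_OFFSET:
        since_1900 += 2**32
    return since_1900 - RFC868_TO_UNIX_OFFSET


def fetch_time(host: str, port: int = TIME_PORT, timeout: float = 5.0) -> int:
    """Query a Time Protocol server over TCP and return Unix seconds."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        payload = b""
        while len(payload) < 4:
            chunk = sock.recv(4 - len(payload))
            if not chunk:
                break
            payload += chunk
    return decode_time_protocol(payload)


def within_skew(remote_unix: int, local_unix: int, max_skew: int = 180) -> bool:
    """Plausibility gate (assumed threshold): refuse to apply a reply that
    disagrees with the local clock by more than max_skew seconds."""
    return abs(remote_unix - local_unix) <= max_skew


def to_iso(unix_seconds: int) -> str:
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).isoformat()


# Constructed sample reply: 2015-04-20 01:19:36 UTC (the page's tlsdate
# timestamp, 18:19:36 PDT) encoded as a Time Protocol server would send it.
SAMPLE_UNIX = 1_429_492_776
SAMPLE_REPLY = struct.pack("!I", SAMPLE_UNIX + RFC868_TO_UNIX_OFFSET)

if __name__ == "__main__":
    print("sample reply decodes to", to_iso(decode_time_protocol(SAMPLE_REPLY)))
    # Live query against the server from the crontab above:
    # print(to_iso(fetch_time("time.nist.gov")))
```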
tlsdate
tlsdate is described as a "secure parasitic rdate replacement". If it's not available as a binary package, we will have to build it from source:
sudo apt-get install git ca-certificates autoconf automake libtool libssl-dev
git clone https://github.com/ioerror/tlsdate.git tlsdate-git
cd tlsdate-git
./autogen.sh && ./configure --prefix=/opt/tlsdate
make && sudo make install
Usage:
$ tlsdate -n -V -H github.com
Sun Apr 19 18:19:36 PDT 2015
Omit -n to actually set the system time:
$ sudo tlsdate -V -H github.com
Sun Apr 19 18:21:12 PDT 2015
Note: for TLSv1.2-only servers, one can use "-P sslv23", which is a compatibility option:[11]
$ tlsdate -n -s -P sslv23 -V -H secure.example.org
Sun Apr 19 18:50:29 PDT 2015
- www.ptb.de returning *highly* erratic timestamps
- tlsdate: Time retrieved from default host (www.ptb.de) jumping all over the place?
Links
- The NIST Authenticated NTP Service - The messages from these servers will be available only to registered users
- The NTP FAQ and HOWTO: Authentication
- How do I use pool.ntp.org?
References
- [1] Run chrony without acting as a NTP server
- [2] Manual for version 2.3: bindcmdaddress
- [3] cmdmon: listen on Unix domain socket
- [4] chrony manual: cmdport
- [5] Which command is better to force chrony to synchronize time right now -- chronyc burst or chronyc waitsync?
- [6] NTP: Miscellaneous Options
- [7] Timekeeping best practices for Linux guests (1006427)
- [8] ntpd(8)
- [9] NIST Internet time service
- [10] NIST Internet Time Servers
- [11] SSL_CTX_new: SSLv23_method