Your NTP Server
With this set-up, we’ve got one-to-many Linux servers in a network that all want to be synced with the same up-stream Network Time Protocol (NTP) server/s that your router (or what ever server you choose to be your NTP authority) uses.
On your router or what ever your NTP server host is, add the NTP server pools. Now how you do this really depends on what your using for your NTP server, so I’ll leave this part out of scope. There are many NTP pools you can choose from. Pick one or a collection that’s as close to you’re NTP server as possible.
If your NTP daemon is running on your router, you’ll need to decide and select which router interfaces you want the NTP daemon supplying time to. You almost certainly won’t want it on the WAN interface (unless you’re a pool member) if you have one on your router.
Make sure you restart your NTP daemon.
Your Client Machines
If you have ntpdate installed, /etc/default/ntpdate says to look at /etc/ntp.conf which doesn’t exist without ntp being installed. It looks like this:
# Set to "yes" to take the server list from /etc/ntp.conf, from package ntp, # so you only have to keep it in one place. NTPDATE_USE_NTP_CONF=yes
but you’ll see that it also has a default NTPSERVERS variable set which is overridden if you add your time server to /etc/ntp.conf. If you enter the following and ntpdate is installed:
dpkg-query -W -f='${Status} ${Version}\n' ntpdate
You’ll get output like:
install ok installed 1:4.2.6.p5+dfsg-3ubuntu2
Otherwise install it:
apt-get install ntp
The public NTP server/s can be added straight to the bottom of the /etc/ntp.conf file, but because we want to use our own NTP server, we add the IP address of our server that’s configured with our NTP pools to the bottom of the file.
server <IP address of your local NTP server here>
Now if your NTP daemon is running on your router, hopefully you have everything blocked on its interface/s by default and are using a white-list for egress filtering.
In which case you’ll need to add a firewall rule to each interface of the router that you want NTP served up on.
NTP talks over UDP and listens on port 123 by default.
After any configuration changes to your ntpd make sure you restart it. On most routers this is done via the web UI.
On the client (Linux) machines:
sudo service ntp restart
Now issuing the date command on your Linux machine will provide the current time, yes with seconds.
Trouble-shooting
The main two commands I use are:
sudo ntpq -c lpeer
Which should produce output like:
remote refid st t when poll reach delay offset jitter
===============================================================================================
*<server name>.<domain name> <upstream ntp ip address> 2 u 54 64 77 0.189 16.714 11.589
and the standard NTP query program followed by the as argument:
ntpq
Which will drop you at ntpq’s prompt:
ntpq> as
Which should produce output like:
ind assid status conf reach auth condition last_event cnt =========================================================== 1 15720 963a yes yes none sys.peer sys_peer 3
Now in the first output, the * in front of the remote means the server is getting it’s time successfully from the upstream NTP server/s which needs to be the case in our scenario. Often you may also get a refid of .INIT. which is one of the “Kiss-o’-Death Codes” which means “The association has not yet synchronized for the first time”. See the NTP parameters. I’ve found that sometimes you just need to be patient here.
In the second output, if you get a condition of reject, it’s usually because your local ntp can’t access the NTP server you set-up. Check your firewall rules etc.
Now check all the times are in sync with the date command.
Tags: dev-ops, DevOps, FreeBSD, GNU/Linux, Linux, Networking, NTP, sysadmin, VPS
Binarymist 
Leave a comment