[ntp:questions] NTPD silently not tracking

unruh unruh at invalid.ca
Mon Sep 2 01:49:52 UTC 2013


On 2013-09-01, Magnus Danielson <magnus at rubidium.dyndns.org> wrote:
> On 09/01/2013 10:42 PM, unruh wrote:
>> On 2013-09-01, Steve Kostecke <kostecke at ntp.org> wrote:
>>> On 2013-09-01, Rob <nomail at example.com> wrote:
>>>
>>> The NTP Reference Implementation is free software. The copyright
>>> holder (The University of Delaware) makes no representations
>>> about the suitability of this software for any purpose. It is
>>> provided "as is" without express or implied warranty. Please visit
>>> http://www.ntp.org/copyright for the complete copyright notice and
>>> license statement.
>> Yes, usual legal ass protection. Fortunately ntpd developers usually do not
>> actually either believe that nor act as though they believe that. 
>> They tend not to say "Oh-- it does not work, tough shit."
>> And you do them, and yourself a disservice by saying that that is what
>> they do. It is not what they or you do. 
>>
>> In this case ntpd wandered off by hours with no complaint. That is not a
>> proper behaviour of a professional piece of software. Now it could be
>> that they have the local clock enabled, and for some reason ntpd chased
>> that rather than all of the other server sources. Pointing out that they
>> should never actually use the local clock as a source is certainly
>> useful since the clock is never wrong with respect to the local source.
>> But if the computer has 5 outside source available and still chases
>> after the local source that is a bug that should be fixed. If you know
>> some attempt was made to fix a bug like that in a more recent version
>> than the one used by the user, then advising upgrade is appropriate (as
>> is telling him never to use local)
> As we are coming back to topic...
>
> 8<---
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
>
> driftfile /var/lib/ntp/ntp.drift
>
>
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
>
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
>
> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
>
> # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
> # pick a different set every time it starts up.  Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
>
> server ntp1.kth.se iburst maxpoll 7
> server ntp2.kth.se iburst maxpoll 7
> server ntp3.kth.se iburst maxpoll 7
> server ntp1.sp.se iburst maxpoll 7
> server ntp2.sp.se iburst maxpoll 7
>
> # Access control configuration; see
> /usr/share/doc/ntp-doc/html/accopt.html for
> # details.  The web page
><http://support.ntp.org/bin/view/Support/AccessRestrictions>

I do hope that was really all on the same line, or there was a # at the
start of that second line.
Otherwise ntpd will be confused. 



> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a
> configuration
> # that might be intended to block requests from certain clients could
> also end
> # up blocking replies from your own upstream servers.
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
>
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
>
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
>
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
>
> # If you want to listen to time broadcasts on your local subnet,
> de-comment the
> # next lines.  Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient
> --->8
>
> This is the default Debian config file which has been changed to point
> out 5 servers, which I was referring to in my follow-up message:
>
> 8<---
>
> It has 2 stratum 1 and 3 stratum 2 unicast servers configured. NTP wise
> this machine is a client with 5 configured servers. The problem was that
> it was way off time with no apparent indication, which is wrong.

Agreed. No one is arguing it is right. The question is why. You do not
seem to be using the local refclock, so that is one explanation gone.
None of those servers happens to be the machine itself do they? Or
progeny of that server?


And looking at those log files around the time things go bad might be
suggestive. 

Exactly which version of ntpd, and you are sure that someone has not
made "improvements" to it?



>
> --->8
>
> The debugger (another system admin) of this system did strace, and saw
> updates to kernel. Nothing anywhere to indicate problems other than what
> I mentioned that there was a zero offset.
>
> I'll try to see if I can re-create this behavior on another machine, as
> the machine we did see it on needs to be on time since it's a server for
> other things than time.
>
> Cheers,
> Magnus
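
Added example, not part of the original message or of the ntp project: a small linter for the two configuration concerns raised in this thread, comment text that wrapped onto a line without a leading `#`, and a `server` line pointing at the local clock driver. The sample is constructed from the quoted config with the quote markers stripped; its last line and the `KNOWN` keyword subset are assumptions made for the illustration.

```python
import re

# Subset of ntp.conf commands (assumption: not exhaustive, extend as needed).
KNOWN = {
    "server", "peer", "pool", "broadcast", "broadcastclient",
    "manycastclient", "manycastserver", "multicastclient",
    "restrict", "driftfile", "statsdir", "statistics", "filegen",
    "fudge", "keys", "trustedkey", "requestkey", "controlkey",
    "enable", "disable", "tinker", "tos", "logfile", "logconfig",
    "includefile", "interface", "leapfile", "discard", "setvar",
}

# 127.127.1.x is the address form of ntpd's undisciplined local clock driver.
LOCAL_CLOCK = re.compile(r"^127\.127\.1\.\d+$")

# Constructed sample: lines 2, 4 and 9 are comment text that mail wrapping
# left without a leading '#'; line 12 is added here to show the second check.
SAMPLE = """\
# Access control configuration; see
/usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page
<http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
server ntp1.kth.se iburst maxpoll 7
restrict -4 default kod notrap nomodify nopeer noquery
# If you want to listen to time broadcasts on your local subnet,
de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
server 127.127.1.0
"""

def lint_ntp_conf(text):
    """Return a list of (line_no, kind, line) findings for an ntp.conf text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and real comments are fine
        tokens = line.split()
        if tokens[0] not in KNOWN:
            findings.append((no, "unknown-directive", line))
        elif tokens[0] == "server" and len(tokens) > 1 and LOCAL_CLOCK.match(tokens[1]):
            findings.append((no, "local-clock-source", line))
    return findings

if __name__ == "__main__":
    for no, kind, line in lint_ntp_conf(SAMPLE):
        print(f"line {no}: {kind}: {line}")
```

Run it against the file ntpd actually reads, not a copy pasted from mail, since the wrapping may exist only in the message.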


