[ntp:questions] change in behavior from RHEL 5 to Ubuntu 9.10

Dave Hart hart at ntp.org
Wed Jun 2 19:53:26 UTC 2010

On Wed, Jun 2, 2010 at 18:51 UTC, Aaron Bennett wrote:
> Hi,
> I'm puzzling through an odd discrepancy between ntpd on CentOS 5 to
> Ubuntu 9.10 -- to wit, with this exact same config on both os's:
> restrict default ignore
> restrict
> restrict mask nomodify
> restrict mask nomodify
> server 0.us.pool.ntp.org iburst
> server 1.us.pool.ntp.org iburst
> server 2.us.pool.ntp.org iburst
> server us.pool.ntp.org iburst
> server 0.north-america.pool.ntp.org iburst
> server 1.north-america.pool.ntp.org iburst
> server 2.north-america.pool.ntp.org iburst
> server north-america.pool.ntp.org iburst
> server pool.ntp.org iburst
> restrict 0.us.pool.ntp.org nomodify nopeer notrap noquery
> restrict 1.us.pool.ntp.org nomodify nopeer notrap noquery
> restrict 2.us.pool.ntp.org nomodify nopeer notrap noquery
> restrict us.pool.ntp.org nomodify nopeer notrap noquery
> restrict 0.north-america.pool.ntp.org nomodify nopeer notrap noquery
> restrict 1.north-america.pool.ntp.org nomodify nopeer notrap noquery
> restrict 2.north-america.pool.ntp.org nomodify nopeer notrap noquery
> restrict north-america.pool.ntp.org nomodify nopeer notrap noquery
> restrict pool.ntp.org nomodify nopeer notrap noquery
> driftfile /var/lib/ntp/drift
> -----
> It works -- and has worked, for years, on CentOS 5 (ntp 4.2.2).  On
> Ubuntu 9.10 (ntp 4.2.4), all but one of the peers stay in ".INIT."
> mode.
> From what I just read at http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6,
> it looks like if you use 'restrict default ignore' then "You must
> use an IP address on the restrict line" -- can that be right?   If so,
> how can you do that and still use the pool servers?

Ask yourself why "restrict default ignore" is there and if it's really
doing you the good you think it is, because, as you are discovering,
it gets tricky to use the round-robin DNS of pool.ntp.org with a
blanket "ignore" restriction.  Most of us get by fine never using any
"ignore" restriction.  In every configuration I can think of, ntpd
ignores unsolicited NTP traffic anyway.  In your configuration, ntpd
will be acting as a unicast client with each of its sources, so every
time exchange is initiated by your ntpd.  I'm having a hard time
understanding what you (and others who use "restrict default ignore")
understand to be the benefit to outweigh the pain.

Assuming we can't resolve this the easy way, or we're bored and like
to discuss, let's go down the "restrict default ignore" plus pool path
a bit more.  Using round-robin DNS names from pool.ntp.org in both
ntp.conf "server" and "restrict" lines is asking for trouble,
basically, because those DNS names resolve to multiple addresses, I
believe.  The changing results every three minutes don't come into
play, I suspect.  When it is not working, I suspect you will find if
you dig enough that "server" and "restrict" for the same DNS name are
using different IP addresses.

To dig:  ntpq -np -c 'rv &1' will show you the details for the first
association in the peers billboard.  &2 for the second association,
etc.  ntpdc -c reslist will show you the restrictions in effect.  When
it's not working the IP address in the rv output will not match the IP
address in the reslist.

Despite my prejudice that people in your situation are wasting time
with the "ignore" restriction, I added a solution in the current -dev
branch, as of early April (4.2.7p22):  "restrict source".  With that
you can do what you want with just two restrict statements and it will
do the right thing with the pool's multiple, changing IPs:

restrict default ignore
restrict source nomodify nopeer notrap noquery

Every configured source uses the "restrict source" template
restrictions without having to have as many restrict statements as
association ones like "server".

Dave Hart
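One way to carry out the cross-check Dave describes (the address an association is using versus the addresses the restrict list actually contains), as an added example that is not part of this thread or of the NTP distribution: parse the output of `ntpq -np` and `ntpdc -c reslist`, apply the most specific matching restriction to each source address the way ntpd does (the `default` entry matches everything), and flag every source that ends up under `ignore`. The two outputs embedded below are constructed for the example with TEST-NET addresses; their column layout follows the two tools, but for a live check paste in real output. The sample models exactly the failure mode above: the `restrict <poolname>` lines resolved to .11 and .31 while the matching `server <poolname>` lines resolved to .10 and .30, so those two sources sit under the blanket ignore and never leave .INIT.

```python
"""Cross-check 'ntpq -np' peers against 'ntpdc -c reslist' to find sources
that fall under 'restrict default ignore' because the 'server' and 'restrict'
lines resolved a pool name to different addresses.

Example code added to this thread; not part of ntp or the original post.
Sample outputs are constructed (TEST-NET addresses) in the layout of the
two tools.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: three pool sources, two stuck in .INIT. (reach 0), one synced.
NTPQ_PEERS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
*192.0.2.21      198.51.100.1     2 u   35   64  377   23.456    1.234   0.567
 192.0.2.30      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Constructed: 'restrict <poolname>' resolved to .11 and .31, while the
# matching 'server <poolname>' lines resolved to .10 and .30.
NTPDC_RESLIST = """\
   address          mask            count        flags
=====================================================================
default              0.0.0.0                  0  ignore
192.0.2.11           255.255.255.255          0  nomodify nopeer notrap noquery
192.0.2.21           255.255.255.255          0  nomodify nopeer notrap noquery
192.0.2.31           255.255.255.255          0  nomodify nopeer notrap noquery
"""

Entry = Tuple[ipaddress.IPv4Network, frozenset]


def parse_peers(text: str) -> Dict[str, str]:
    """Map each remote address in an 'ntpq -np' billboard to its refid.

    Column 1 is the one-character tally code (' ', '*', '+', ...), so the
    address starts at column 2.  The first two lines are header and ruler.
    """
    peers = {}
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        fields = line[1:].split()
        peers[fields[0]] = fields[1]
    return peers


def parse_reslist(text: str) -> List[Entry]:
    """Parse 'ntpdc -c reslist' rows into (network, flags) pairs."""
    entries = []
    for line in text.splitlines()[2:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, mask, flags = fields[0], fields[1], fields[3:]
        if addr == "default":
            addr = "0.0.0.0"
        net = ipaddress.ip_network((addr, mask), strict=False)
        # 'none' is what reslist prints for an entry with no flags set.
        entries.append((net, frozenset(f for f in flags if f != "none")))
    return entries


def effective_flags(ip: str, entries: List[Entry]) -> frozenset:
    """ntpd applies the most specific (longest mask) matching entry."""
    addr = ipaddress.ip_address(ip)
    matches = [e for e in entries if addr in e[0]]
    return max(matches, key=lambda e: e[0].prefixlen)[1]


def check_restrictions(peers_text: str, reslist_text: str) -> Dict[str, dict]:
    """Per peer: refid, effective flags, and whether ntpd is ignoring it.

    A source whose effective flags include 'ignore' gets no reply from
    ntpd's own packets being blocked on input, and shows refid .INIT.
    """
    entries = parse_reslist(reslist_text)
    report = {}
    for ip, refid in parse_peers(peers_text).items():
        flags = effective_flags(ip, entries)
        report[ip] = {"refid": refid, "flags": sorted(flags),
                      "ignored": "ignore" in flags}
    return report


def orphan_restrictions(peers_text: str, reslist_text: str) -> List[str]:
    """Host-specific restrict entries that match no configured peer: the
    addresses the 'restrict <name>' lines resolved to instead."""
    peers = parse_peers(peers_text)
    return [str(net.network_address)
            for net, _flags in parse_reslist(reslist_text)
            if net.prefixlen == 32 and str(net.network_address) not in peers]


if __name__ == "__main__":
    for ip, info in check_restrictions(NTPQ_PEERS, NTPDC_RESLIST).items():
        state = "IGNORED" if info["ignored"] else "ok"
        print(f"{ip:16} refid={info['refid']:14} {state:8} {' '.join(info['flags'])}")
    print("restrict entries matching no peer:",
          orphan_restrictions(NTPQ_PEERS, NTPDC_RESLIST))
```

Run against real output, any source reported as IGNORED while the restrict list holds an unused host entry for the same pool name is the mismatch to look for; the `restrict source` template from 4.2.7p22 removes the problem by attaching the restriction to whatever address each association actually resolved to.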
questions mailing list
questions at lists.ntp.org