[ntp:questions] NTPD silently not tracking

David Lord snews at lordynet.org
Mon Sep 2 00:26:29 UTC 2013


Magnus Danielson wrote:
> On 09/01/2013 10:42 PM, unruh wrote:
>> On 2013-09-01, Steve Kostecke <kostecke at ntp.org> wrote:
>>> On 2013-09-01, Rob <nomail at example.com> wrote:
>>>
>>> The NTP Reference Implementation is free software. The copyright
>>> holder (The University of Delaware) makes no representations
>>> about the suitability this software for any purpose. It is
>>> provided "as is" without express or implied warranty. Please visit
>>> http://www.ntp.org/copyright for the complete copyright notice and
>>> license statement.
>> Yes, usual legal ass protection. Fortunately ntpd developers usually do not
>> actually either believe that nor act as though they believe that. 
>> They tend not to say "Oh-- it does not work, tough shit."
>> And you do them, and yourself a disservice by saying that that is what
>> they do. It is not what they or you do. 
>>
>> In this case ntpd wandered off by hours with no complaint. That is not a
>> proper behaviour of a professional piece of software. Now it could be
>> that they have the local clock enabled, and for some reason ntpd chased
>> that rather than all of the other server sources. Pointing out that they
>> should never actually use the local clock as a source is certainly
>> useful since the clock is never wrong with respect to the local source.
>> But if the computer has 5 outside source available and still chases
>> after the local source that is a bug that should be fixed. If you know
>> some attempt was made to fix a bug like that in a more recent version
>> than the one used by the user, then advising upgrade is appropriate (as
>> is telling him never to use local)
> As we are coming back to topic...
> 
> 8<---
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> 
> driftfile /var/lib/ntp/ntp.drift
> 
> 
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
> 
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable

Hi

I'll join in here

where is your statsdir?

> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
> 
> # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
> # pick a different set every time it starts up.  Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> 
> server ntp1.kth.se iburst maxpoll 7
> server ntp2.kth.se iburst maxpoll 7
> server ntp3.kth.se iburst maxpoll 7
> server ntp1.sp.se iburst maxpoll 7
> server ntp2.sp.se iburst maxpoll 7

that seems too restrictive and possibly abusive if you do not
yourself have control over those servers.

My own servers and clients are NetBSD with ntpd 4.2.6p5 except
for one client on ntpd-4.2.7p377

iburst is used on my clients but only against servers on my local
network and from others where I have accounts.

If your clients pointed to my own pool servers they would
eventually get KOD or reach would slowly decay.

eg. one of my pool servers that is also a local client has:

! tos minsane 3
! tos orphan 10
! tos mindist 0.01
! peer -4 ntp0.lordynet.org.uk minpoll 6 maxpoll 8 iburst
! peer -4 ntp2.lordynet.org.uk minpoll 6 maxpoll 8 iburst
! server -4 ntp1.lordynet.org.uk minpoll 6 maxpoll 8 iburst
! server -4 (friendly isp_1) minpoll 8 maxpoll 10 iburst
! server -4 (friendly isp_2) minpoll 8 maxpoll 10 iburst
! server -4 (other isp_3) minpoll 8 maxpoll 11
! server -4 (other isp_4) minpoll 8 maxpoll 11
! server -4 (other isp_5) minpoll 8 maxpoll 11

There are some sane suggestions on the pool website as to how
to configure ntpd clients.

The only debian based systems I used are Ubuntu but that was
only clients and were usually within a few ms offset within
30 min of bootup. I have no idea if they drifted over several
days but logs show they keep good time when powered up.

Your servers aren't by any chance 'virtual' in which case you
should obtain time from your base system.


David


> 
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a configuration
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
> 
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> 
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
> 
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
> 
> 
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
> 
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines.  Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient
> --->8
> 
> This is the default Debian config file which has been changed to point
> out 5 servers, which I was referring to in my follow-up message:
> 
> 8<---
> 
> It has 2 stratum 1 and 3 stratum 2 unicast servers configured. NTP wise
> this machine is a client with 5 configured servers. The problem was that
> it was way off time with no apparent indication, which is wrong.
> 
> --->8
> 
> The debugger (another system admin) of this system did strace, and saw
> updates to kernel. Nothing anywhere to indicate problems other than what
> I mentioned that there was a zero offset.
> 
> I'll try to see if I can re-create this behavior on another machine, as
> the machine we did see it on needs to be on time since it's a server for
> other things than time.
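
The three configuration points raised in this thread (statistics requested while `statsdir` is commented out, the local clock driver used as a source, and `maxpoll` lowered against servers the operator does not control) can be checked mechanically. The following is an added example, not part of the original post or of the NTP distribution; the function name `lint_ntp_conf`, its `own_servers` parameter and the finding codes are hypothetical, and the sample input is constructed from the configuration quoted above.

```python
DEFAULT_MAXPOLL = 10  # ntpd default upper poll exponent (2**10 = 1024 s)

def lint_ntp_conf(text, own_servers=()):
    """Return (code, detail) findings for the body of an ntp.conf."""
    findings, statsdir_set, wants_stats = [], False, False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "statsdir" and args:
            statsdir_set = True
        elif keyword in ("statistics", "filegen"):
            wants_stats = True
        elif keyword in ("server", "peer", "pool"):
            hosts = [a for a in args if not a.startswith("-")]  # skip -4 / -6
            if not hosts:
                continue
            host = hosts[0]
            if host.startswith("127.127.1."):  # undisciplined local clock driver
                findings.append(("local-clock", host))
            if "maxpoll" in args[:-1]:
                value = args[args.index("maxpoll") + 1]
                if (value.isdigit() and int(value) < DEFAULT_MAXPOLL
                        and host not in own_servers):
                    findings.append(("low-maxpoll", f"{host} maxpoll {value}"))
    if wants_stats and not statsdir_set:
        findings.append(("stats-without-statsdir",
                         "statsdir is unset or commented out"))
    return findings

# Constructed sample: the relevant lines of the configuration quoted in the thread.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
server ntp1.kth.se iburst maxpoll 7
server ntp2.kth.se iburst maxpoll 7
server ntp3.kth.se iburst maxpoll 7
server ntp1.sp.se iburst maxpoll 7
server ntp2.sp.se iburst maxpoll 7
"""

if __name__ == "__main__":
    for code, detail in lint_ntp_conf(SAMPLE_CONF):
        print(f"{code}: {detail}")
```

Pass the hosts you operate yourself as `own_servers` to suppress the `low-maxpoll` finding for them.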


