Synchronizing the system clock with NTP
In this recipe, we will learn how to synchronize the system clock with an external time server using NTP.
Time remains an essential tool for your server because every aspect of managing, securing, running, and debugging a network involves determining when events happen or are about to take place. From the need to time stamp documents, e-mails, logfiles, or by simply interacting with shared devices and services, everything on your server is dependent on maintaining an accurate system clock and it is the purpose of this recipe to show you how to achieve this with the Network Time Protocol (NTP).
Getting ready
To complete this recipe you will require a working installation of the CentOS 6 operating system with root privileges, a console-based text editor of your choice, and a connection to the Internet to facilitate the download of additional packages.
How to do it...
If you are using the minimal installation recommended by this book, then the Network Time Protocol (NTP) is not installed by default and for this reason we will need to install the relevant package:
- To begin, log in as root and type:
yum –y install ntpd - The default installation of NTP will use a public server that has access to the atomic clock, but in order to optimize the service we will need to make a few simple changes in order to streamline and optimize what time servers are used. To do this, we shall open the main configuration file with your favorite text editor like so:
vi /etc/ntp.conf - Scroll down and look for the following lines:
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). server 0.centos.pool.ntp.org server 1.centos.pool.ntp.org server 2.centos.pool.ntp.org
- Replace the values shown with a list of preferred time servers like so:
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). server 0.uk.pool.ntp.org server 1.uk.pool.ntp.org server 2.uk.pool.ntp.org se
Note
Visit http://www.pool.ntp.org/ to obtain a list of local servers. Remember, the use of three or more servers will have a tendency to increase the accuracy of the NTP service.
- Now find the following lines:
# Hosts on local network are less restricted. #restrict 192.168.1.0 mask 255.255.255.0 nomodifynotrap
- Before starting our time service, we should add and confirm a network range in order that we can determine who can and who cannot receive time service-based requests. To do this, uncomment the preceding line and replace the values to reflect your network environment like so:
# Hosts on local network are less restricted. Restrict XXX.XXX.XXX.XXX mask YYY.YYY.YYY.YYY nomodifynotrap
- When complete, save and close the file before synchronizing your server by using the following command:
ntpdate NTP_SERVER_ADDRESS_HERE
- The initial synchronization request requires priming, so you may want to run and repeat this command several times before ensuring that the service will start during the boot process, by using the following command:
chkconfig ntpd on
- When finished, you can start the NTP service like so:
service ntpd start
- You should reboot to ensure that the relevant changes take effect:
reboot
- Well done, you have now installed and configured the NTP service. The overall process of time synchronization will take some time to complete, but you will be able to use the standard NTP query program (ntpq) in order to review a list of known peers as and a summary of their current state. To do this, return to your console and type:
ntpq–p
How it works...
The Network Time Protocol (NTP) is a daemon that sets and maintains system time through a process of synchronization with a remote server. It is a very important service, and quite easy to implement, but if you have followed the minimal install procedure recommended by this book, you will be aware that NTP is not installed by default.
So what have we learned from this experience?
By beginning with the installation of the NTP service we have discovered that certain aspects of the initial configuration had to be defined in order to optimize the time servers used and to avoid exposing the server's time keeping service to unwanted requests. This was achieved by customizing and un-commenting the following lines:
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). server 0.centos.pool.ntp.org server 1.centos.pool.ntp.org server 2.centos.pool.ntp.org # Hosts on local network are less restricted. Restrict XXX.XXX.XXX.XXX mask YYY.YYY.YYY.YYY nomodifynotrap
During the course of this recipe we have also learned how to prime the service by initiating contact with a third-party time server before configuring the service to be made available at boot process by typing:
chkconfig ntpd on
Having started the service and rebooted the server, we then learned that the standard NTP query program (ntpq) could be used to monitor our new configuration. You can do this any time by typing:
ntpq–p
It is important to realize that the process of synchronizing your server may not be instantaneous and it can take a while for the process to complete. However, you can now relax in the full knowledge that you now know how to install, manage, and configure the NTP service.
There's more...
All daemons are prone to the environmental conditions found on your network, and the NTP service is not an exception. Periodic packet breaks can be disruptive, but even if you have not experienced this yet, it may be advantageous to explore a solution that will make your NTP service far more persistent when probing the third-party servers.
Known as the iburst option, this feature is designed to tell the NTP service to issue a burst of eight packets to the remote server instead of one in order to offer an improved approach to the time synchronization process. Implementing this method is very simple and to begin, simply return to your console and open the main configuration file in your favorite text editor like so:
vi /etc/ntp.conf
Scroll down the file and locate your time servers. Now simply append your time servers with a whitespace followed by the term iburst. For example, your new configuration file will look like this:
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). server 0.uk.pool.ntp.org iburst server 1.uk.pool.ntp.org iburst server 2.uk.pool.ntp.org iburst server 3.uk.pool.ntp.org iburst
When finished, simply save and close your file before rebooting your server or restarting the NTP service with the following command:
service ntpd restart
Based on this recipe, we can now use the NTP service to synchronize multiple machines.
Having configured the master time server, all subsequent machines in your local environment can now use the local master instead of a third-party (external) source, and by doing this you will not only speed-up the process of allocating the measurement of time among local machines, but you will also improve the security of your local network.
To begin, simply open the main configuration file on each of the slave computers. You can do this on all operating systems, but the instructions may vary.
On CentOS, this is achieved by opening the main configuration file in your favorite text editor like so:
vi /etc/ntp.conf
Now scroll down and locate the listing for your time servers. Based on the examples used in the main recipe, your new configuration file may look like this:
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). server 0.uk.pool.ntp.org iburst server 1.uk.pool.ntp.org iburst server 2.uk.pool.ntp.org iburst server 3.uk.pool.ntp.org iburst
If the network address for the new local time server is time.masterserver.lan, then simply modify your configuration file to reflect this value:
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html).time.masterserver.lan
You can also use the iburst option like so:
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html).time.masterserver.lan iburst
When finished, simply save and close your file before restarting the local time service in order to allow the changes to take immediate effect:
service ntpd restart
Now repeat this action on all computers across your network. Remember, the approach may be different for each operating system, but by using a local time server this recipe can be used to benefit all the computers on your network.
By using the default settings, all NTP activity will be recorded at /var/log/messages. Of course, NTP activity can be filtered using the grep command, but if you would prefer to use to a separate logfile, then simply make the following adjustment.
To begin, open the main configuration in your favorite text editor:
vi /etc/ntp.conf
Scroll to the bottom of this file and add the following new line:
logfile /var/log/ntpd.log
When finished, simply save and close the file before restarting the NTP service like so:
service ntpd restart
By doing this we are merely asking the NTP service to make a separate logfile at /var/log/ntpd.log. Of course, you can always modify the name of this logfile to something more appropriate to your own needs, and having made this configuration change, it would be appropriate to point out that a select number of NTP-based events will persist in /var/log/messages. However, having implemented this simple solution, you should now find that the NTP log is far more concise and a lot easier to read.
If your network does not have Internet connection or the Internet connection is intermittent, then a fallback solution is often required. In such cases you can implement a process known as reflective synchronization . This may sound complicated, but in reality we are simply telling the NTP service that the monitoring system's internal clock is correct and it should be used as our definitive time keeper if a fallback is required.
To do this, open the main configuration file in your favorite text editor like so:
vi /etc/ntp.conf
Now scroll down and locate the following lines:
# Undisciplined Local Clock. This is a fake driver intended for backup # and when no outside source of synchronized time is available. #server 127.127.1.0 # local clock #fudge 127.127.1.0 stratum 10
This is where we will literally fudge time by simply un-commenting the relevant lines like so:
# Undisciplined Local Clock. This is a fake driver intended for backup # and when no outside source of synchronized time is available. server 127.127.1.0 # local clock fudge 127.127.1.0 stratum 10
When complete, save and close your file before restarting the NTP service:
service ntpd restart
See also
- The NTP home page: http://www.ntp.org/
- The NTP Pool project's home page – list of time servers: http://www.pool.ntp.org/