Tag Archives: ntp

Red Hat Certification – RHCE – Network Services – NTP

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

NTP:

You could possibly test this from Windows as well.

On linux it’s fairly straight-forward, you can use ntpd both as a client and as a server.

Check in /var/log/messages for details

The time-synchronization with ntpd is slow by design (to not overload or cause dramatic changes in the time set).

ntpdate is instant but it’s not recommended to be used. For example with ‘ntpdate -q’.

man ntp.conf
this then points to :
man ntp_acc
man ntp_auth
man ntp_clock
man ntp_misc

  • Install the packages needed to provide the service.
    • yum install ntp
  • Configure SELinux to support the service
    • nothing to configure??
  • Configure the service to start when the system is booted.
    • chkconfig ntpd on
  • Configure the service for basic operation.
    • /etc/ntp.conf
      • server ntp.server.com
    • service ntpd start
    • ntpq -p # to see status
  • Configure host-based and user-based security for the service
    • iptables
      • port 123 (UDP)

Enable ntpd as a client

What’s a bit reverse for ntpd is that first you need to configure the server as a client

So that your local ntp-server gets good time from somewhere else. You can find a good time-server to use on www.pool.ntp.org

You only need to add one server line but for redundancy you should probably have more than one.

As an example with your client on 192.168.0.0/24 and server is on 192.168.1.0/24.

All you need to do is for the client part:

server ntp.example.com
service ntpd restart
ntpq -p

 

Enable ntpd as a server

You need to add a restrict line in ntp.conf.

You also need to allow port 123 UDP in the firewall.

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
service ntpd restart

Client to use your ntp server

Basically the same as the above for client, but you specify the address to your NTP-server instead of one from pool.ntp.org.

Extra

  • Synchronize time using other NTP peers.

I believe this has been covered.

More Extra

One extra thing you may want to check out is the ‘tinker’ command.

This is put on top of ntp.conf and more info are available in ‘man ntp_misc’.

However, most of the time you just need to wait a bit for the time change to come through.

tcpdump

There’s not much to go in logs on either server or client for ntpd. You’ll get messages in /var/log/messages though that says “synchronized” and when the service is starting.

You can also use tcpdump on the server to see if there are any packets coming in.

tcpdump -i eth0 -w /tmp/tcmpdump.123 -s0 'udp port 123 and host NTP.CLIENT.IP'
# wait a while, restart ntpd on client
tcpdump -r /tmp/tcmpdump.123
# this will then show some packets if you have a working communication between server and client

To test that it’s working

Start with the server still connecting to an ntp-server with good time.

You could then set the date and time manually on the server to something else. For example, let’s say the current time is 6 JUN 2012 17:15:00.

Set it to 15 minutes before:

date -s "6 JUN 2012 17:00:00"
service ntpd restart

Also restart ntpd on the client, then wait, this will probably take a bit longer than before.

If you set the time manually to something too big it won’t work. You could then experiment with ‘tinker panic 0’

Time Sync for Linux VMs in VMWare Workstation

You may have seen in my previous post about EyeOS that I tried many things to get time in sync on the virtual OS. It was drifting lots of time and after a few hours it was an hour behind. Google tells me this is quite common but I could not find anything that decidedly fixed it.

run ntpdate every hour. This is not advised, primarily because it will add a lot of extra load after a while to the public(free) time servers. Especially if I want to have several machines up to date. One thought then was to set up a local ntpd and let other guest OS sync time with that. But then I could not get that in sync so we were back to square one.

others mention using VMWare tools time sync.

My setup:

Intel Quad Core i7-920
8GB RAM Corsair XMS3 DDR3 1333MHz 8GB CL9
Gigabyte GA-EX58-UD3R
Windows 7 x64
Vmware Workstation 7.1.1

What works for me

For ubuntu 10.10 x64:

Make sure vmware tools is installed (type vmware and hit ‘tab’).
With a .txt editor open up “vmname.vmx” on your host OS.
Set tools.syncTime = “FALSE” to “TRUE”. Restart vm.

Now on this particular machine I’ve had ntpd installed, but it is now uninstalled.

For Red Hat Enterprise Linux  5 x64 – RHEL 5:

  • Install vmware-tools (without make/gcc installed).
  • Set tools.syncTime = “TRUE”
  • Set up ntpd with the below from ntp.conf
  • Restart ntpd by getting root shell with ‘su -‘ and then ‘/etc/init.d/ntpd restart’

I filled out the ntp-information during installation and then after wards I added the “tinker panic 0” which should let the ntpd make ‘big jumps’ and by commenting the fudge-line I chose not to use the local clock because this is drifting so much.
More than 24 hours after I installed the OS the driftfile is still 0.000.

ntp.conf:

tinker panic 0
restrict default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#fudge  127.127.1.0 stratum 10

driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
restrict 0.rhel.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 1.rhel.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 2.rhel.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery