LPI Linux Certification in a Nutshell (53 page)

Read LPI Linux Certification in a Nutshell Online

Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger

Tags: #Reference:Computers

BOOK: LPI Linux Certification in a Nutshell
8.78Mb size Format: txt, pdf, ePub
Name

ntpd

Syntax
ntpd [
options
]
Description

ntpd
is the heart of the NTP
software package. It performs the following functions:

  • Synchronizes the PC clock with remote NTP servers

  • Allows synchronization from other NTP clients

  • Adjusts (skews) the rate of the kernel’s clock tick so
    that it tracks time accurately

  • Reads time synchronization data from hardware time sources
    such as GPS receivers

Frequently used options
-c
file

This option tells
ntpd
to use
file
as its configuration file
instead of the default
/etc/ntpd.conf
.

-g

This option will let
ntpd
start on
a system with a clock that is off by more than the panic
threshold (1,000 seconds by default).

-n

Normally
ntpd
runs as a daemon, in
the background. This option disables that behavior.

-q

This option tells
ntpd
to exit
after setting the time once.

-N

When this option is specified,
ntpd
attempts to run at the highest priority possible.

ntpd
is configured using the file
/etc/ntp.conf
. The file is fully documented in
a series of files linked to from the
ntpd
documentation, found in the software distribution or at
http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html
.

The most important configuration options are
restrict
, which is used to implement
access controls, and
server
,
which is used to direct
ntpd
to an NTP server.
Another often-used configuration option (not mentioned in the sample
ntp.conf
in
Example 16-1
) is
peer
, which is used
much like
server
, but implies
that the system is both a client and a server. A
peer
is usually a system that is nearby on
the network, but uses different time sources than the local
system.

Example 16-1. Sample /etc/ntp.conf

# Prohibit general access to this service.
restrict default ignore
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- OUR TIMESERVERS -----
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# time.nist.gov
restrict 192.43.244.18 mask 255.255.255.255 nomodify notrap noquery
server 192.43.244.18
# time-b.nist.gov
restrict 129.6.15.29 mask 255.255.255.255 nomodify notrap noquery
server 129.6.15.29
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then renaming
# it to the file.
#
driftfile /etc/ntp/drift
broadcastdelay 0.008
Example

Normally
ntpd
consistently adjusts the
time, depending on how far out-of-sync the server is from the
stratum source, to the correct time. To force the system time to the
right time (for example, when occasionally setting the correct time
from
cron
), use the following:

#
ntpd -g -n -q

Why are IP addresses used in the configuration file instead of
fully qualified
domain names? The answer is security. System time is
an extremely important service, and as a system administrator, you
must always be very careful trusting data you are receiving from an
outside system. When you query a time server, you need to make sure
that you’re querying the correct time server. If you are querying a
fully qualified domain name instead of an IP address, you are
potentially vulnerable to a domain name poisoning attack. If someone
has compromised the DNS server of the time server in question, they
could be relaying your request to any system on the Internet. By
querying directly to an IP address, you are eliminating the
possibility of this kind of spoofing.

Name

ntpdate

Syntax
ntpdate [
options
]
server
[
server
[...]]
Description

ntpdate
is used to set the time
of the local system to match a remote NTP host.

The maintainers of the ntp code intend to drop
ntpdate
in the future since
ntpd
can perform essentially the same function
when used with the
-q
option.

Frequently used options
-b

Using this option, the system time is set instead of
being slowly adjusted, no matter how far off the local time
is.

-d

This option enables debugging mode.
ntpdate
goes through the motions and
prints debugging information, but does not actually set the
local clock.

-p
n

Use this option to specify the number of samples (where
n
is from 1 to 8) to get from each
server. The default is 4.

-q

This option causes
ntpdate
to query
the servers listed on the command line without actually
setting the clock.

-s

This option causes all output from
ntpdate
to be logged via syslog instead
of being printed to
stdout
.

-t
n

This option sets the timeout for a response from any
server to
n
seconds.
n
may be fractional, in which case
it will be rounded to the nearest 0.2 second. The default
value is 1 second.

-u

Normally
ntpdate
uses a privileged
port (123/tcp) as the source port for outgoing packets. Some
firewalls block outgoing packets from privileged ports, so
with this option,
ntpdate
uses an
unprivileged port above 1024/tcp.

-v

This option makes
ntpdate
more
verbose.

-B

Using this option, the system time is slowly adjusted to
the proper time, even if the local time is off by more than
128 ms. (Normally the time is forcibly set if it is off by
more than 128 ms.)

If the time is off by very much, it can take a very long
time to set it with this option.

Example

Quietly sync the local clock with two stratum 1 NTP
servers:

#
ntpdate -s time.nist.gov time-b.nist.gov
Name

ntpq

Syntax
ntpq [
options
] [
host
]
Description

ntpq
is the standard NTP query
program. It is used to send NTP control messages to
host
(or
localhost
if no
host
is specified), which can be
used to check the status of
ntpd
on
host
or change its configuration.

The commands that can be used with
ntpq
are documented in the NTP software documentation included with the
distribution and at
http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html
.

Frequently used options
-c
command

Execute
command
as if it were
given interactively.

-i

Enter interactive mode. This is the default.

-n

Suppress reverse DNS lookups. Addresses are printed
instead of hostnames.

-p

Query the server for a list of peers. This is equivalent
to the
peers
interactive command
or
-c
peers
on the command line.

Example

Print the list of peers known to the server by IP
address:

#
ntpq -p –n pool.ntp.org

or:

#
ntpq -c peers –n pool.ntp.org

or:

#
ntpq –n pool.ntp.org
ntpq>
peers
remote refid st t when poll reach delay offset jitter
==============================================================================
*64.90.182.55 .ACTS. 1 u - 1024 377 2.983 3.253 0.014
+209.51.161.238 .CDMA. 1 u - 1024 377 2.456 -2.795 0.096
-128.118.25.3 147.84.59.145 2 u - 1024 377 18.476 -2.586 0.446
+67.128.71.75 172.21.0.13 2 u - 1024 377 8.195 -2.626 0.194
-66.250.45.2 192.5.41.40 2 u - 1024 377 8.119 -6.491 0.421
ntpq>

The system
pool.ntp.org
is a pointer to a collection of systems that have volunteered to be
publicly available time servers.
Round robin DNS is used to share the request load
among these servers. This kind of setup is usually sufficient for
end users, but in a corporate environment, it’s usually advisable to
query a stratum 2 time server from a designated server on your
network, and then have your other servers query that server. More
information on
pooling is available at
http://support.ntp.org/bin/view/Servers/WebHome
.

Name

ntpdc

Syntax
ntpdc [
options
] [
host
]
Description

ntpdc
is much like
ntpq
, except that it supports some extended
commands. For this reason, it is likely to work only when talking to
ntpd
from the same version of the NTP software
package.

For the most part, the command-line options it supports are
the same as those of
ntpq
. Full documentation
for
ntpdc
can be found in the
NTP software distribution or at
http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html
.

Name

ntptrace

Syntax
ntptrace [
options
]
server
[
server
[...]]
Description

Traces a chain of NTP servers back to the primary
source.

Frequently used options
-n

Turn off reverse DNS lookups.

Examples

To see where the local system is synchronizing its lock to,
run
ntptrace
with no options:

$
/usr/sbin/ntptrace
localhost: stratum 4, offset 0.000109, synch distance 0.16133
ntp1.example.net: stratum 3, offset 0.004605, synch distance 0.06682
ntp-1.example.edu: stratum 2, offset 0.001702, synch distance 0.01241
stratum1.example.edu: *Timeout*

In this example, the stratum 1 server is not directly
accessible.

ntptrace
can also be used on any
arbitrary NTP server, assuming it is accessible. This example
queries two publicly accessible stratum 2 NTP servers:

$
/usr/sbin/ntptrace ntp0.cornell.edu
cudns.cit.cornell.edu: stratum 2, offset -0.004214, synch distance 0.03455
dtc-truetime.ntp.aol.com: stratum 1, offset -0.005957, synch distance
0.00000, refid 'ACTS'
$
/usr/sbin/ntptrace ntp-2.mcs.anl.gov
mcs.anl.gov: stratum 2, offset -0.004515, synch distance 0.06354
clepsydra.dec.com: stratum 1, offset 0.002045, \
synch distance 0.00107, refid 'GPS'

Other books

The Reluctant Mr. Darwin by David Quammen
The Devotion Of Suspect X by Higashino, Keigo
To Kill a President by By Marc james
The Pajama Affair by Vanessa Gray Bartal
The Dragon in the Sea by Frank Herbert
Jaci's Experiment by D'Arc, Bianca