Wednesday, September 3, 2014

Linux Servers : NTP (Network Time Protocol) Configuration

NTP (Network Time Protocol) Configuration

NTP (Network Time Protocol) allows a system to synchronize its clock with a time server. Time synchronization across an IT infrastructure is critical: if the clock of one node in a cluster drifts too far from the rest of the nodes, the cluster software will conclude that the node is not responding and evict it automatically. Clock skew also breaks Kerberos authentication (tickets are rejected beyond a few minutes of skew), makes certificate validity checks unreliable and makes log timestamps from different hosts impossible to correlate during an incident.

Configuring a local NTP server

To keep the clocks of all nodes in a LAN in sync, a local NTP server can be configured. Every node on the LAN synchronizes with the local NTP server using the NTP protocol, and the local NTP server in turn synchronizes with public NTP servers on the Internet. Only that one host then needs to talk to UDP/123 on the Internet; every other node can be firewalled to exchange NTP only with the local server.

To configure a server as the local NTP server, the ntp RPM must be installed:

# yum install ntp

Edit /etc/ntp.conf and uncomment the line that allows the nodes on your LAN (192.168.1.0/24 in this example) to ask the server for time:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

nomodify stops those clients from changing the server's run-time configuration and notrap stops them from registering for trap messages. Neither keyword blocks ntpq/ntpdc control queries (mode 6 and 7), which expose the peer list and, in older versions, the monlist statistics used for reflection attacks; if LAN hosts only need time, add noquery to this line as well. Keep the stock "restrict default kod nomodify notrap nopeer noquery" line in place so that everything not explicitly allowed is denied.

Note: the local NTP server itself synchronizes with the public NTP servers listed in the 'server' directives of /etc/ntp.conf (not /etc/named.conf, which belongs to BIND), for example 0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, ... Keep at least three, preferably four, upstream servers: with fewer, ntpd cannot identify and discard a server that starts serving wrong time (a "falseticker").

Restart the ntpd service so the new configuration takes effect and make sure it is started on boot:

# /etc/init.d/ntpd restart
# chkconfig ntpd on 


NTP server security

Some security considerations have to be taken in order to run the ntpd service securely. The first is to open the NTP server's firewall so that clients can reach it. ntpd speaks only UDP, so a single rule for 123/UDP is enough; do not open 123/TCP, nothing listens there:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT

If the server should only serve the LAN, add "-s 192.168.1.0/24" to that rule so the daemon is not reachable from the Internet at all, even if a restrict line is mis-edited later.

Note: with a stateful firewall, NTP clients do not need an inbound rule. ntpd sends its requests from UDP port 123 to the server's UDP port 123, and the replies are matched by the ESTABLISHED,RELATED rule that the RH-Firewall-1-INPUT chain already contains. Only outbound UDP/123 to the local NTP server must be allowed.

By default the ntpd service is confined by SELinux (the ntpd_t domain). If it appears to cause problems, do not switch the confinement off first: look for denials in the audit log (ausearch -m avc -c ntpd) and fix the file label or boolean involved. Only as a last resort, and only on RHEL 5 where this boolean exists, can the transition into the confined domain be disabled:

# setsebool -P ntpd_disable_trans 1

RHEL 6 removed the *_disable_trans booleans; there the equivalent is to make the domain permissive with "semanage permissive -a ntpd_t", which logs denials without enforcing them and is just as easy to revert.

NTP clients

To configure the ntpd service on a Linux node as a client of your LAN NTP server, put the local NTP server's IP in a 'server' directive in /etc/ntp.conf and remove the public pool servers, so that the node talks NTP only to the local server. Leave the stock "restrict default ... noquery" line in place so the client answers nobody. Make sure outbound 123/UDP to the server is allowed through the firewall and that ntpd is up and running:

# /etc/init.d/ntpd restart
# chkconfig ntpd on

To force an immediate synchronization the ntpdate command can be used, for example to set the clock from NTP server 192.168.1.10:

# ntpdate -u 192.168.1.10

The -u option makes ntpdate send from an unprivileged source port, so it works while ntpd is already bound to port 123 and through firewalls that only allow outbound traffic. ntpdate steps the clock in one jump and is deprecated; the same one-shot sync with ntpd itself is "ntpd -gq", which exits after setting the clock. Neither should be run on a schedule on a host that also runs ntpd.

Note: ntpdate answers "no server suitable for synchronization found" when the server it asks is not itself synchronized yet (it still reports stratum 16 with the leap-alarm flag set). This is the case for the first minutes after ntpd starts, while it is still polling its upstream servers, and on a freshly installed server also before the clock's frequency drift has been measured and stored in /var/lib/ntp/drift. Check with "ntpq -p" on the server: it is ready once one upstream line is marked with '*' and its reach column reads 377. With iburst on the server lines this normally takes a few minutes; without it, the first poll cycles take considerably longer.
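The server and client set-up described above, gathered into one script as an added example that is not part of the original post. ntp_conf prints a hardened /etc/ntp.conf for either role (the LAN restrict line carries noquery in addition to the post's nomodify notrap, and monlist is disabled), and ntp_firewall_rule prints the UDP-only firewall rule. The addresses and pool names are assumptions taken from the post's examples.

```shell
#!/bin/sh
# Added example, not from the original post: generate a hardened /etc/ntp.conf
# for the LAN NTP server or for a client, plus the matching firewall rule.
# Addresses and pool names are assumptions taken from the post's examples.

# ntp_conf server LAN_NET LAN_MASK UPSTREAM...   -> config for the LAN server
# ntp_conf client SERVER...                      -> config for a LAN client
ntp_conf() {
    role=$1; shift
    if [ "$role" = server ]; then
        lan_net=$1; lan_mask=$2; shift 2
    fi
    cat <<'EOF'
driftfile /var/lib/ntp/drift

# Deny everything by default: no run-time changes (nomodify), no trap
# registration (notrap), no peering (nopeer) and no ntpq/ntpdc control
# queries (noquery); kod lets ntpd answer abusive clients with a
# kiss-of-death packet.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Unrestricted only for ntpq/ntpdc run on this host.
restrict 127.0.0.1
restrict -6 ::1

# Turn off the monlist statistics used by reflection/amplification attacks.
disable monitor
EOF
    if [ "$role" = server ]; then
        # LAN clients may ask for time, nothing more: noquery is added to the
        # post's "nomodify notrap" line so the server cannot be enumerated.
        printf '\n# LAN clients: time only\nrestrict %s mask %s nomodify notrap noquery\n' \
            "$lan_net" "$lan_mask"
    fi
    echo
    # iburst sends a burst of packets at start-up so the first sync takes
    # seconds rather than several poll intervals.
    for s in "$@"; do
        echo "server $s iburst"
    done
}

# ntp_firewall_rule server|client: ntpd only uses UDP, so the server opens
# 123/UDP and nothing else. Clients need no inbound rule: their replies match
# the ESTABLISHED,RELATED rule the RH-Firewall-1-INPUT chain already has.
ntp_firewall_rule() {
    case $1 in
        server) echo "-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT" ;;
        client) echo "# no inbound rule needed; allow outbound UDP/123 to the LAN server only" ;;
        *)      echo "usage: ntp_firewall_rule server|client" >&2; return 2 ;;
    esac
}

# Usage (as root):
#   ntp_conf server 192.168.1.0 255.255.255.0 \
#       0.rhel.pool.ntp.org 1.rhel.pool.ntp.org 2.rhel.pool.ntp.org > /etc/ntp.conf
#   ntp_firewall_rule server   # add before the final REJECT in /etc/sysconfig/iptables
#   ntp_conf client 192.168.1.10 > /etc/ntp.conf   # on each LAN node
```

After writing the file, "service ntpd restart" and "chkconfig ntpd on" as in the steps above; on the server, "ntpq -p" run locally still works because 127.0.0.1 is left unrestricted, while the same query from a LAN host is refused.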
================================================================


NTP means  Network Time Protocol

NTP is a protocol designed to synchronize the clocks of computers over a network.

Configure NTP client

root@linuxstorage:~# system-config-date

In the Network Time Protocol tab, tick "Enable Network Time Protocol" and add the server name (linuxstorages.com in this example) to the NTP servers table. Under "Show advanced options" enable the first option, which synchronizes the clock once before the ntpd service is started. Then restart the service:

root@linuxstorage:~# service ntpd restart


Enable ntpd at boot with chkconfig:

root@linuxstorage:~# chkconfig ntpd on

To check the synchronization status:

root@linuxstorage:~# ntpq -p

 

Monitoring and Troubleshooting

ntpq -p

A most useful command for querying any time server's status is "ntpq -p". You can query a remote time server for the same information with "ntpq -p <hostname>"; this only works if that server's restrict lines do not contain noquery, so on a hardened server run it locally instead.

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l   22   64  377    0.000    0.000   0.001
*poolxxx.ntp.org .CDMA.           2 u  118  256  377   21.631   -0.401   0.544
+tick.somnet.net 132.249.20.88    2 u  102  256  377   35.372   -0.264   9.730

The first character of each line (the "tally code") is a quick indicator of the status of that server. A "*" marks the server you are currently synchronized to; it may take several minutes after start-up before your server considers itself synchronized, because ntpd wants a few successful exchanges before it selects a peer. A "+" is a candidate that will take over if the current server becomes unsuitable. A "-" is an outlier that is being ignored, a blank means the server was discarded by the selection algorithm, and an "x" is a "falseticker": a server whose time disagrees with the majority of the others and has therefore been rejected, which is exactly what you want to see if one upstream starts serving wrong time.
The labeled columns are:

remote
  The IP address or DNS name of the remote server.
refid
  Where that server gets its own time from: for a stratum-1 server the type of its reference clock (.CDMA., .GPS., ...), otherwise the IP address of the server it is synchronized to. .INIT. means no reply has been received from it yet.
st
  The "stratum", i.e. the number of hops from a reference clock: stratum 1 is attached to one directly, and 2 or 3 is fine for almost all systems; 16 means unsynchronized. The LOCAL(0) entry in the example is the undisciplined local clock driver, which the stock configuration fudges to stratum 10 so that it is only ever used when every real server is unreachable.
t
  The type of association: "l" for the local clock driver, "u" for "unicast" communication with remote servers.
when
  Seconds since the server was last heard from. After a couple of minutes of operation your server should start to report numeric values here.
poll
  Current polling interval in seconds. When remote servers are responding, "when" should be no greater than "poll".
reach
  This and the remaining fields are important indicators of the health of your local server, your remote servers, and their communication. The field is really a bit array recording whether responses were received to your local server's eight most recent requests, displayed in octal. It starts at 0 and, while every request is answered, goes to 1, then 3, then 7, up to the maximum of 377. Anything less means that either your local server recently started or some requests went unanswered.
delay
  Recent average round-trip time from request to response, in milliseconds.
offset
  Estimated difference between your system clock and this server's clock, in milliseconds. You may consider this the "bottom line" on the accuracy of your system clock. NTP can usually drive it down to the level of the jitter or less.
jitter
  A measure of the variability of successive offset measurements against this server, in milliseconds. High jitter limits your server's ability to synchronize accurately.
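The checks described in the column list above, and the "is the server ready yet" question from the ntpdate note in the first part of the page, as an added example that is not part of the original page. ntp_health reads "ntpq -p" output on stdin and only reports success when a '*' peer exists, its reach is 377 and its offset is within a threshold; it also warns about rejected falsetickers. The threshold and the two sample listings are assumptions (the first sample copies the layout of the page's example).

```shell
#!/bin/sh
# Added example, not from the original page: a health check over `ntpq -p`
# output, usable both as a monitoring probe and to confirm that the LAN
# server is ready before clients run ntpdate against it. The offset
# threshold and the sample listings below are assumptions.

# ntp_health [MAX_OFFSET_MS]   reads `ntpq -p` output on stdin.
# Returns 0 when a system peer ('*' tally) exists, the last eight polls to
# it were all answered (reach 377) and its offset is within MAX_OFFSET_MS
# (default 100). Otherwise prints the reason and returns 1.
ntp_health() {
    awk -v max="${1:-100}" '
        BEGIN { max += 0 }
        NR <= 2 { next }                       # header and ===== separator
        substr($0, 1, 1) == "*" {              # the peer the clock follows
            found = 1
            peer = substr($1, 2)               # strip the tally character
            reach = $7; offset = $9 + 0        # columns: reach, offset (ms)
        }
        substr($0, 1, 1) == "x" { nfalse++ }   # falseticker: rejected server
        END {
            if (nfalse) print "warning: " nfalse " falseticker(s) rejected"
            if (!found) { print "no system peer (*) selected yet"; exit 1 }
            if (reach != "377") { print "peer " peer " reach " reach " != 377"; exit 1 }
            if (offset < 0) offset = -offset
            if (offset > max) { print "peer " peer " offset " offset " ms exceeds " max; exit 1 }
            print "synchronized to " peer " offset " offset " ms"
        }'
}

# Constructed samples in the layout of the page's `ntpq -p` listing.
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l   22   64  377    0.000    0.000   0.001
*poolxxx.ntp.org .CDMA.           2 u  118  256  377   21.631   -0.401   0.544
+tick.somnet.net 132.249.20.88    2 u  102  256  377   35.372   -0.264   9.730'

# The same server shortly after ntpd started: one poll answered, nothing selected.
SAMPLE_STARTING='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 poolxxx.ntp.org .CDMA.           2 u    1   64    1   21.631   -0.401   0.544'

# Usage on a live host:  ntpq -p | ntp_health 100 && echo healthy
```

Run on the LAN server, a return code of 0 is the signal that clients may now use "ntpdate -u" or start ntpd against it; run from cron or a monitoring agent on any host, a non-zero return with the printed reason is the alert.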

tcpdump

You can easily check whether packets are going out from your system and coming back with tcpdump. NTP uses UDP port 123, so as root run:

# tcpdump -n udp port 123

(-n stops tcpdump from resolving names, so it does not itself generate DNS traffic while you watch.) Let it run for a few minutes: with the default minimum poll interval of 64 s you will see a packet to port 123 of each of your time servers about once a minute at first, less often as the poll interval grows, and a reply from each of them. The local source port will normally also be 123. A host firewall (iptables) can prevent synchronization from working even if the servers are replying to your system's requests.
If you see replies coming in from the remote time servers, but ntpq shows their reach staying at 0, look at your iptables configuration and check the system log for configuration messages from ntpd.

syslog

 

Your ntpd logs events through syslog, which on Red Hat systems means lines containing "ntpd" in /var/log/messages. Configuration problems are reported there. If your local server steps the time forward or back suddenly it reports that too, with a message such as "time reset -6.394626 s". A step of a few hundred milliseconds right after start-up is normal; a large step later on deserves investigation, because it means either an upstream server handed out wrong time or something other than ntpd moved the clock, and both can invalidate Kerberos tickets and certificate validity checks.
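A small detection over those syslog lines, as an added example that is not part of the original page: ntp_step_alerts flags every "time reset" larger than a threshold and every "no servers reachable" event. The sample log lines and the 1 s threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: scan syslog for ntpd clock steps
# and unreachable-server events. The log lines and the 1 s threshold are
# constructed for illustration.

# ntp_step_alerts [THRESHOLD_S]   reads syslog lines on stdin.
# Prints one line per "time reset" whose size exceeds THRESHOLD_S seconds
# (default 1) and one per "no servers reachable" event; returns 1 if anything
# was flagged, 0 otherwise.
ntp_step_alerts() {
    awk -v thr="${1:-1}" '
        BEGIN { thr += 0 }
        / ntpd\[[0-9]+\]: time reset / {
            step = $(NF-1) + 0                 # "... time reset -6.394626 s"
            mag = (step < 0) ? -step : step
            if (mag > thr) { print "STEP", $1, $2, $3, $4, $(NF-1) "s"; n++ }
        }
        / ntpd\[[0-9]+\]: no servers reachable/ {
            print "UNREACHABLE", $1, $2, $3, $4; n++
        }
        END { exit (n > 0) }'
}

# Constructed sample lines in /var/log/messages format: a normal small step
# right after start-up, a large step hours later, then loss of all servers.
SAMPLE_LOG='Sep  3 10:01:12 node1 ntpd[2231]: time reset -0.394626 s
Sep  3 10:05:30 node1 ntpd[2231]: synchronized to 192.168.1.10, stratum 3
Sep  3 13:40:07 node1 ntpd[2231]: time reset +120.501133 s
Sep  3 15:12:55 node1 ntpd[2231]: no servers reachable'

# Usage:  grep ntpd /var/log/messages | ntp_step_alerts 1
```

With the default threshold the start-up step is ignored and the later +120 s step and the unreachable event are reported; lowering the threshold to 0.1 s also surfaces the start-up step, which is useful when baselining a new server.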

Carefully Adjusting Your Clock

This procedure is especially useful if your system clock is ahead of the actual time. You can use it to prevent ntpd from making large sudden adjustments to your system clock while the system is running, and to make sure the system clock never jumps backward in time. The NTP FAQ suggests doing the following steps if you can take your server down for a little while: 
  1. Shutdown;
  2. Set the BIOS clock;
  3. Restart.
For systems with clocks ahead of real time, plan to leave the system off until real time catches up with the internal time it had when it was shut down. Since the system clock is initialized from the BIOS clock at boot, this prevents the system clock from ever jumping backward while the system is running. Recall that Linux can be configured to interpret the BIOS time as either local time or UTC (on Red Hat systems this is the UTC=true/false setting in /etc/sysconfig/clock); you can infer the configuration by comparing the output of the "date" command with the BIOS clock time shown by "hwclock --show".
Source: http://www.linuxforfreshers.com/p/ntp-means-network-time-protocol-ntp-is.html
