The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computers over UDP. The clocks on x86 hardware are notoriously unreliable and because they tend to drift, one can easily end up with servers reporting different times. To avoid possible complications I prefer to set up a small footprint NTP server in every system consisting of more than a few machines. Here is a quick HOWTO on how to install and configure an NTP server in Oracle Enterprise Linux 5. The only prerequisite for following this HOWTO is to have a default installation of Enterprise Linux 5.
Setting up an NTP server
Let's start by checking if the NTP package is installed. With Enterprise Linux 5.3 the ntp-4.2.2 package should be installed by default, but there is no harm in querying the installed packages for confirmation.

    [root@ntp ~]# rpm -qa |grep ntp-4
    ntp-4.2.2p1-9.el5
    [root@ntp ~]#

Next we have to edit the /etc/ntp.conf file. There we will set the addresses of the time servers that our NTP server will use to sync its own time. We can get a list of free public NTP servers by visiting http://support.ntp.org/bin/view/Servers/NTPPoolServers. The rule of thumb here is to select a pool of machines that are close to our location and have minimal packet delay.
Since I am located in Bulgaria I will pick a bg.pool.ntp.org zone and add it to the /etc/ntp.conf, commenting all other servers that are included in ntp.conf by default.
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    # server 0.rhel.pool.ntp.org
    # server 1.rhel.pool.ntp.org
    # server 2.rhel.pool.ntp.org
    server 0.bg.pool.ntp.org
    server 1.bg.pool.ntp.org
    server 2.bg.pool.ntp.org
    server 3.bg.pool.ntp.org

By default the NTP server is accessible to all machines on the Internet. It might be a good idea to restrict this access to hosts residing in our network only. To do that we have to add a restrict option to ntp.conf. The IP address of the server that I am configuring is 192.168.1.5. In order to allow only the machines on the 192.168.0.0 network to synchronize their clocks against it, I will add the following restriction:

    # Hosts on local network are less restricted.
    restrict 192.168.100.0 mask 255.255.255.0 nomodify notrap

The nomodify option instructs our server to deny queries that attempt to modify its NTP settings. The notrap option makes the server decline to provide control message trap service.
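To see which restrict entry a particular client falls under, the following added example (not part of the original HOWTO) parses the IPv4 restrict lines of an ntp.conf and picks the entry that governs a given address, modelling ntpd's lookup as a most-specific match. The default and loopback lines in the sample are an assumed rest-of-file, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample. The 192.168.100.0 line is the one from this HOWTO;
# the default and loopback lines are an assumed rest-of-file.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
# Hosts on local network are less restricted.
restrict 192.168.100.0 mask 255.255.255.0 nomodify notrap
"""

def parse_restrict(conf_text):
    """Return [(network, set_of_flags)] for the IPv4 restrict lines."""
    entries = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        args = [w for w in words[1:] if w != "-4"]
        if not args or args[0] == "-6":          # IPv6 entries are skipped
            continue
        addr, rest = args[0], args[1:]
        if addr == "default":
            spec = "0.0.0.0/0"
        elif len(rest) >= 2 and rest[0] == "mask":
            spec, rest = f"{addr}/{rest[1]}", rest[2:]
        else:
            spec = f"{addr}/32"                  # no mask: a single host
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:                       # hostname, not an address
            continue
        entries.append((net, set(rest)))
    return entries

def effective_restriction(conf_text, client_ip):
    """Return (network, flags) governing client_ip, or None if none match."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(n, f) for n, f in parse_restrict(conf_text) if ip in n]
    best = max(matches, key=lambda m: m[0].prefixlen, default=None)
    return None if best is None else (str(best[0]), best[1])

def is_served(conf_text, client_ip):
    """True if time requests from client_ip are answered at all."""
    hit = effective_restriction(conf_text, client_ip)
    return hit is None or not ({"ignore", "noserve"} & hit[1])

if __name__ == "__main__":
    print(effective_restriction(SAMPLE_CONF, "192.168.1.20"))
```

An address that matches no network-specific line is governed by the default entry, so the address and mask on the restrict line have to cover the clients that are meant to get the relaxed flags.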
Now let's make the initial time synchronization by running the ntpdate command with some of the configured time servers. This step is not mandatory, but if the server's clock is too different from the time reported by the servers in ntp.conf, the ntpd daemon will terminate with an error.
    [root@ntp ~]# ntpdate 0.bg.pool.ntp.org
    19 Jul 14:41:53 ntpdate[15808]: adjust time server 85.14.12.140 offset 0.372735 sec
    [root@ntp ~]#
Now let's configure ntpd to start when the system boots.
    [root@ntp ~]# chkconfig ntpd on
    [root@ntp ~]#
We can start the ntpd service manually to avoid restarting the machine.
    [root@ntp ~]# service ntpd start
    Starting ntpd: [ OK ]
    [root@ntp ~]#
We use the ntpq command to check if our server is synchronizing correctly. If our configuration is right we should see a list of remote time servers that ntpd is using.
    [root@ntp ~]# ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     6bez10.info     87.120.40.9      4 u   12   64    1   14.934  366.925   0.001
     oet-energy.cust 130.133.1.10     2 u   11   64    1    1.263  353.295   0.001
     ntp.internews-b 195.13.23.5      3 u   10   64    1    2.126  354.088   0.001
     marla.ludost.ne 193.190.230.66   2 u    9   64    1    1.101  350.973   0.001
     LOCAL(0)        .LOCL.          10 l    9   64    1    0.000    0.000   0.001
    [root@ntp ~]#
A final touch in our setup is to add a firewall rule that will allow clients to contact the NTP server on UDP port 123.
    [root@ntp ~]# iptables -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
    [root@ntp ~]# iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
    [root@ntp ~]# service iptables save
    Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
    [root@ntp ~]# service iptables restart
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: filter [ OK ]
    Unloading iptables modules: [ OK ]
    Applying iptables firewall rules: [ OK ]
    Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
    [root@ntp ~]#
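iptables -A appends to the end of a chain, so where the chain already ends in an unconditional REJECT or DROP, the appended ACCEPT rules are never evaluated. The check below is an added example, not part of the original HOWTO: it reads iptables-save text (the format of /etc/sysconfig/iptables) and reports whether the port 123 rules sit before such a catch-all. The sample ruleset is constructed and the function names are hypothetical.

```python
import shlex

# Constructed sample in iptables-save format (as in /etc/sysconfig/iptables).
# The chain contents are an assumption, not taken from the HOWTO's machine.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
COMMIT
"""

# Options that narrow a rule; a REJECT/DROP without any of them is a catch-all.
MATCH_OPTS = {"-p", "--protocol", "-s", "--source", "-d", "--destination",
              "-i", "--in-interface", "-m", "--match", "--dport", "--sport"}

def chain_rules(rules_text, chain):
    """Yield the tokens of every '-A <chain> ...' rule, in file order."""
    for line in rules_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens[:2] == ["-A", chain]:
            yield tokens[2:]

def option(tokens, *names):
    """Value following the first of the given option names, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def ntp_rule_status(rules_text, chain="RH-Firewall-1-INPUT"):
    """Map 'udp'/'tcp' to 'reachable', 'shadowed' or 'missing' for port 123."""
    status = {"udp": "missing", "tcp": "missing"}
    blocked = False                      # set once a catch-all has been passed
    for tokens in chain_rules(rules_text, chain):
        target = option(tokens, "-j", "--jump")
        if target in ("REJECT", "DROP") and not MATCH_OPTS.intersection(tokens):
            blocked = True
            continue
        proto = option(tokens, "-p", "--protocol")
        if (target == "ACCEPT" and proto in status and status[proto] != "reachable"
                and option(tokens, "--dport") == "123"):
            status[proto] = "shadowed" if blocked else "reachable"
    return status

if __name__ == "__main__":
    print(ntp_rule_status(SAMPLE_RULES))
```

A "shadowed" result means the rule has to be placed ahead of the catch-all before it takes effect. The tcp entry is reported separately because NTP runs over UDP, so a TCP rule for port 123 can be reviewed on its own.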
Setting up clients to synchronize with the server
In order to set up client hosts to sync with the newly installed server, we have to execute three simple steps:
1. Install ntp (or confirm it is already installed)
2. Remove the default servers from ntp.conf and add a line with our own NTP server address in it (server 192.168.1.5). You can also set appropriate restrict options.
3. Perform a manual synchronization (ntpdate 192.168.1.5), then set up and start the ntpd service.
After a client is configured to synchronize with our NTP server, the ntpq command's output should look similar to this:
    [root@database ~]# ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     LOCAL(0)        .LOCL.          10 l    7   64  377    0.000    0.000   0.001
    *192.168.1.5     217.75.140.188   3 u  635 1024  377    0.687   -4.298   0.713
    [root@database ~]#