dpaddy Apprentice
Joined: 25 Jun 2008 Posts: 160
Posted: Fri Apr 14, 2017 1:04 pm Post subject: [solved] don't understand ntp.conf
To have time on my machine be continuously updated, I want to run ntpd (from net-misc/ntp).
My understanding is that running ntpd will make my machine a time server as well as a time client
/etc/ntp.conf (from net-misc/ntp) sez
Code:
    # Warning: Using default NTP settings will leave your NTP
    # server accessible to all hosts on the Internet.
Wanting to avoid that, I uncomment like so
Code:
    # If you want to deny all machines (including your own)
    # from accessing the NTP server, uncomment:
    restrict default ignore
I suppose the comment "(including your own)" implies that if I run ntpd, then my time won't be set or maintained.
How to be a client -- so that time can be set and maintained -- without also being a server?
My (bleary-eyed) reading of tfm suggests (to my befuddled mind) that:
leaving things uncommented as above and adding "restrict <my ip address>" to the end of /etc/ntp.conf
Code:
    ifconfig | sed -ne 's/.*inet \([.0-9]*\).*broadcast.*/restrict \1\n/p' >> /etc/ntp.conf
will restore to my machine access to external ntp services but prevent others from accessing my ntpd server. I thought I tried that and I thought it didn't work...
Should it have worked, and what is the recommended way to be a client -- so that time can be set and maintained -- without also being a server?
Last edited by dpaddy on Fri Apr 14, 2017 4:46 pm; edited 1 time in total
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
Posted: Fri Apr 14, 2017 1:13 pm Post subject:
Quote:
    # To allow machines within your network to synchronize
    # their clocks with your server, but ensure they are
    # not allowed to configure the server or used as peers
    # to synchronize against, uncomment this line.
    #
    #restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
--
Code:
    ASUS-G75VW roman # qlist -Iv ntp
    net-misc/ntp-4.2.8_p10
My use case is just a single box. I suggest that you set it up to the external ntp servers. Of course I pointed out above some starting points to get it done.
dpaddy Apprentice
Joined: 25 Jun 2008 Posts: 160
Posted: Fri Apr 14, 2017 1:17 pm Post subject: tfm
I don't grok...
My (perhaps mistaken) understanding is that the modes are not mutually exclusive; moreover
Code:
    # Pools for Gentoo users
    server 0.gentoo.pool.ntp.org
    server 1.gentoo.pool.ntp.org
    server 2.gentoo.pool.ntp.org
    server 3.gentoo.pool.ntp.org
makes my machine a client, whereas by default -- and unless some extra configuration steps are followed -- my machine will simultaneously be a server.
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
Posted: Fri Apr 14, 2017 1:29 pm Post subject:
Quote:
    # If you want to deny all machines (including your own)
    # from accessing the NTP server, uncomment:
    #restrict default ignore
    # Default configuration:
    # - Allow only time queries, at a limited rate, sending KoD when in excess.
    # - Allow all local queries (IPv4, IPv6)
    restrict default nomodify nopeer noquery limited kod
    restrict 127.0.0.1
Without looking further:
restrict ...
I am quite sure that the restrict statement is well documented.
--
We are here to give you a hint.
When you want to know how it works, read the docs, read the manpage, read the code of the package please.
Those example config files may be correct or maybe not; they are just a starting point.
dpaddy Apprentice
Joined: 25 Jun 2008 Posts: 160
Posted: Fri Apr 14, 2017 2:15 pm Post subject: tfm
My (perhaps mistaken) understanding is that
Quote:
    # Pools for Gentoo users
    server 0.gentoo.pool.ntp.org
    server 1.gentoo.pool.ntp.org
    server 2.gentoo.pool.ntp.org
    server 3.gentoo.pool.ntp.org
makes my machine a client (of the listed servers), and my machine will continue to be -- unless some other configuration steps are made -- a time server.
The following
Quote:
    # To allow machines within your network to synchronize
    # their clocks with your server, but ensure they are
    # not allowed to configure the server or used as peers
    # to synchronize against, uncomment this line.
    #
    restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
is not necessarily about allowing (unless the rule takes precedence over more restrictive rules which would disallow what it does not), but is about restricting the actions that machines in the network 192.168.0.* may perform.
My initial conjecture in my initial post was an attempt to put the rule "restrict <my ip address>" in place so that it could take precedence over "restrict default ignore" (since the default mask is 0.0.0.0 which has fewer ones than the implied mask 255.255.255.255 in "restrict <my ip address>") and thereby prevent my machine being denied access.
My (perhaps mistaken) understanding is that it is precisely such logic which is behind
Quote:
    # Default configuration:
    # - Allow only time queries, at a limited rate, sending KoD when in excess.
    # - Allow all local queries (IPv4, IPv6)
    restrict default nomodify nopeer noquery limited kod
    restrict 127.0.0.1
Should my initial conjecture have worked, and what is the recommended way to be a client -- so that time can be set and maintained -- without also being a server?
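A small model of the restrict matching dpaddy is reasoning about, added here as an example; it is not code from this thread or from net-misc/ntp. It assumes the ntp.conf(5) semantics as I read them: every incoming packet, including a reply from a server you configured, is matched by its source address against the restrict list, a bare address gets the single-host mask, and the most specific matching entry (longest mask) supplies the flags. All addresses are constructed documentation addresses.

```python
import ipaddress

# Constructed: dpaddy's conjecture, deny everyone, then re-allow this machine's own address.
CONJECTURE = """
restrict default ignore
restrict 192.0.2.10        # this machine's own (constructed) address
"""

# The default net-misc/ntp configuration quoted in the thread.
DEFAULT = """
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
"""

def parse_restrict(conf):
    """Parse 'restrict <addr> [mask <mask>] [flag ...]' lines into (network, flags)."""
    entries = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"      # matches every source address
        elif rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        else:
            mask = "255.255.255.255"               # ntp.conf(5): mask defaults to one host
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries

def flags_for(entries, source_ip):
    """Flags applied to a packet from source_ip: the most specific matching entry wins."""
    src = ipaddress.ip_address(source_ip)
    matches = [(net, flags) for net, flags in entries if src in net]
    if not matches:
        return frozenset()                          # nothing matched: unrestricted
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def is_ignored(entries, source_ip):
    """True when the packet would be dropped outright (the 'ignore' flag applies)."""
    return "ignore" in flags_for(entries, source_ip)

if __name__ == "__main__":
    # A reply from a configured pool server arrives from the server's address, not ours,
    # so under the conjecture it hits 'restrict default ignore' and the clock is never set.
    pool_server = "203.0.113.5"                     # constructed upstream address
    print("conjecture drops pool reply:", is_ignored(parse_restrict(CONJECTURE), pool_server))
    print("default config drops pool reply:", is_ignored(parse_restrict(DEFAULT), pool_server))
    print("default config, loopback flags:", sorted(flags_for(parse_restrict(DEFAULT), "127.0.0.1")))
```

The default configuration keeps a client working because the global entry only removes query, modify and peer rights without dropping time replies; it does not by itself stop other hosts from asking this ntpd for time.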
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Fri Apr 14, 2017 3:44 pm Post subject:
Perhaps net-misc/openntpd would be a better alternative for you?
Smaller, supposedly more secure codebase, and includes the following option in the config file:
Code:
    # Addresses to listen on (ntpd does not listen by default)
    #listen on *
Meaning by default it does NOT function as a server as well as a client.
net-misc/ntp may very well support the exact same option, grep /etc/ntp.conf for listen?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Apr 14, 2017 3:58 pm Post subject: Re: tfm
dpaddy wrote:
    Should my initial conjecture have worked, and what is the recommended way to be a client -- so that time can be set and maintained -- without also being a server?
dpaddy ... under such circumstances all the tools are there for you to check if that conjecture is correct or not:
... and otherwise, you should switch to net-misc/openntpd which has the explicit directive "listen". You should also take this thread as an object lesson on the sort of advice Roman_Gruber is likely to supply.
best ... khay
dpaddy Apprentice
Joined: 25 Jun 2008 Posts: 160
Posted: Fri Apr 14, 2017 4:44 pm Post subject:
I was fishing for "what am I missing" or "what is the recommended configuration approach", because I wanted to sharpen my understanding more than get X to work...
Thanx for all the comments, and I'll experiment with netstat.
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1172 Location: /run/user/1000
Posted: Sun Apr 23, 2017 1:26 pm Post subject:
Hm, I don't get it, I guess you're not starting ntp-client at boot but ntpd instead.
I mean I guess that's what you want, to just use the client and not the server.
Anyway, in my case with ntp-client the server is not started and the clock is syncing, while with ntpd the server is started (the clock is syncing too) but the machine is listening on port 123.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sun Apr 23, 2017 8:51 pm Post subject:
kajzer wrote:
    Hm, I don't get it, I guess you're not starting ntp-client at boot but ntpd instead. I mean I guess that's what you want, to just use the client and not the server. Anyway, in my case with ntp-client the server is not started and the clock is syncing, while with ntpd the server is started (the clock is syncing too) but the machine is listening on port 123.
kajzer ... ntp-client from net-misc/ntp is just a one-time script to get the clock set before ntpd starts (because ntpd will baulk if the time skew is substantial); it won't then keep the clock in sync with the ntp servers/pool. So, it's not running ntpd as a 'client' (meaning, non-serving ntpd); it runs once, sets the clock (if the ntpd server/pool can be reached), and then exits.
best ... khay
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1172 Location: /run/user/1000
Posted: Sun Apr 23, 2017 9:19 pm Post subject:
Oh I see now, thanks for the clarification.
That actually might be good as well (in my case): if the clock is bad on boot it gets synced, or it can be run manually and it will sync.
Though running ntpd with the server disabled would be even better.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sun Apr 23, 2017 9:44 pm Post subject:
kajzer wrote:
    Oh I see now, thanks for the clarification. That actually might be good as well (in my case): if the clock is bad on boot it gets synced, or it can be run manually and it will sync.
kajzer ... you're welcome. Sure, and if you have, say, a laptop that reconnects often then that would work out fine. If the machine is up and connected for months at a time then ntpd (of some sort) would be the better option.
kajzer wrote:
    Though running ntpd with the server disabled would be even better :)
Well, you can:
Code:
    % su -
    # for i in ntp{d,-client} ; do rc-update del $i default ; done
    # emerge --unmerge net-misc/ntp
    # rm -f /etc/{ntp.conf,{conf.d,init.d}/ntp{d,-client}}
    # emerge net-misc/openntpd
    # rc-update add ntpd default
    # /etc/init.d/ntpd start
    # netstat -ulnp
    # netstat -aple | grep ntp
You might also use net-misc/ntpclient in place of net-misc/openntpd.
best ... khay
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1172 Location: /run/user/1000
Posted: Wed Apr 26, 2017 12:49 am Post subject:
khayyam, interestingly enough I did a new Gentoo installation and decided to emerge ntp and use ntp-client on boot, like I did on the previous install.
For some reason it didn't want to start on boot; in the log I found this error:
Code:
    ntpdate[2938]: name server cannot be used: Temporary failure in name resolution (-3)
    /etc/init.d/ntp-client[2920]: ERROR: ntp-client failed to start
I'm guessing that's because dhcpd was starting after ntp-client (both dhcpd and ntp-client are on the default runlevel); starting the service manually after boot worked fine and the clock was adjusting.
I could have played with that and most likely solved it, but I went with openntpd instead and that one works just great, no issues at all, plus it's not acting as a server hence it's not showing with netstat.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Apr 26, 2017 5:31 am Post subject:
kajzer wrote:
    I'm guessing that's because dhcpd was starting after ntp-client (both dhcpd and ntp-client are on the default runlevel); starting the service manually after boot worked fine and the clock was adjusting. I could have played with that and most likely solved it, but I went with openntpd instead and that one works just great, no issues at all, plus it's not acting as a server hence it's not showing with netstat :)
kajzer ... yeah, because openntpd will daemonise and so continue to attempt to contact the ntp server/pool, whereas ntp-client runs (ntpdate) once, fails, and exits. You could probably make ntp-client behave by adding the following to /etc/rc.conf or /etc/conf.d/ntp-client:
/etc/rc.conf:
    rc_dhcpcd_before="ntp-client"
or perhaps have it run last (so as to give dhcpcd some time):
/etc/conf.d/ntp-client:
    rc_after="local"
... but I guess there is no need in this case.
best ... khay
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1172 Location: /run/user/1000
Posted: Wed Apr 26, 2017 10:36 am Post subject:
Yeah, no need in this case, but good to know when something similar happens in the future; wasn't aware of rc_after and rc_before, good stuff!