Editorial pass through the NTP chapter.

Headings and content shuffled about to improve flow.
Text clarified and logic should be much clearer now.

Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne 2014-01-31 21:35:11 +00:00
parent a19e1edbb8
commit 3d667630bb
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43710


@ -5227,208 +5227,158 @@ Starting smbd.</screen>
-->
<title>Clock Synchronization with NTP</title>
<indexterm><primary>NTP</primary></indexterm>
<para>Over time, a computer's clock is prone to drift. The
Network Time Protocol (NTP) is one way to ensure the clock
stays accurate.</para>
<para>Many Internet services rely on, or greatly benefit from,
computers' clocks being accurate. For example, a web server
may receive requests to send a file if it has been modified
since a certain time. In a local area network environment, it
is essential that computers sharing files from the same file
server have synchronized clocks so that file timestamps stay
consistent. Services such as &man.cron.8; also rely on an
accurate system clock to run commands at the specified
times.</para>
<indexterm><primary>NTP</primary>
<secondary>ntpd</secondary>
<secondary>ntpd</secondary>
</indexterm>
<para>&os; ships with the &man.ntpd.8;
<acronym role="Network Time Protocol">NTP</acronym> server
which can be used to query other
<acronym role="Network Time Protocol">NTP</acronym> servers to
set the clock on the machine or provide time services to
others.</para>
<para>Over time, a computer's clock is prone to drift. This is
problematic as many network services require the computers on a network
to share the same accurate time. Accurate time is also needed to ensure
that file timestamps stay
consistent. The
Network Time Protocol (<acronym>NTP</acronym>) is one way to provide clock
accuracy in a network.</para>
<sect2>
<title>Choosing Appropriate NTP Servers</title>
<indexterm>
<primary>NTP</primary>
<secondary>choosing servers</secondary>
</indexterm>
<para>In order to synchronize the clock, one or more
<acronym role="Network Time Protocol">NTP</acronym> servers
must be defined. The network administrator or ISP may have
set up an NTP server for this purpose&mdash;check their
documentation to see if this is the case. There is an <link
<para>&os; includes &man.ntpd.8;
which can be configured to query other
<acronym>NTP</acronym> servers in order to
synchronize the clock on that machine or to provide time services to
other computers in the network. The servers which are queried
can be local to the network or provided by an <acronym>ISP</acronym>.
In addition, an <link
xlink:href="http://support.ntp.org/bin/view/Servers/WebHome">online
list of publicly accessible NTP servers</link> which may be
referenced to find an NTP server nearest to the system. Take
care to review the policy for any chosen servers, and ask for
permission if required.</para>
list of publicly accessible <acronym>NTP</acronym> servers</link>
is available. When choosing a public <acronym>NTP</acronym> server, select
one that is geographically close and
review its usage policy.</para>
<para>Choosing several unconnected NTP servers is a good idea in
case one of the servers being used becomes unreachable or
its clock is unreliable. &man.ntpd.8; uses the responses it
receives from other servers intelligently&mdash;it will favor
unreliable servers less than reliable ones.</para>
</sect2>
<para>Choosing several <acronym>NTP</acronym> servers is recommended in
case one of the servers becomes unreachable or
its clock proves unreliable. As <application>ntpd</application> receives responses,
it favors
reliable servers over the less reliable ones.</para>
<para>This section describes how to configure <application>ntpd</application> on &os;. Further documentation can be found in
<filename>/usr/share/doc/ntp/</filename> in HTML
format.</para>
<sect2>
<title>Configuring The Machine</title>
<title><acronym>NTP</acronym> Configuration</title>
<indexterm>
<primary>NTP</primary>
<secondary>configuration</secondary>
<indexterm><primary>NTP</primary>
<secondary>ntp.conf</secondary>
<tertiary>ntpdate</tertiary>
</indexterm>
<sect3>
<title>Basic Configuration</title>
<indexterm><primary>ntpdate</primary></indexterm>
<para>To synchronize the clock only when the machine boots up,
use &man.ntpdate.8;. This may be appropriate for some
desktop machines which are frequently rebooted and only
require infrequent synchronization, but most machines should
run &man.ntpd.8;.</para>
<para>Using &man.ntpdate.8; at boot time is also a good idea
for machines that run &man.ntpd.8;. The &man.ntpd.8;
program changes the clock gradually, whereas &man.ntpdate.8;
<para>To only synchronize the clock when a system boots,
use &man.ntpdate.8;. This alone can be appropriate for
desktops which are frequently rebooted. However,
most systems should
run <application>ntpdate</application> at boot time as well as configure <application>ntpd</application>.
This is because <application>ntpd</application>
changes the clock gradually, whereas <application>ntpdate</application>
sets the clock, no matter how great the difference between a
machine's current clock setting and the correct time.</para>
<para>To enable &man.ntpdate.8; at boot time, add
<para>To enable <application>ntpdate</application> at boot time, add
<literal>ntpdate_enable="YES"</literal> to
<filename>/etc/rc.conf</filename>. Also specify all
synchronization servers and any flags to be passed to
&man.ntpdate.8; in <varname>ntpdate_flags</varname>.</para>
</sect3>
<filename>/etc/rc.conf</filename>. To also enable
<application>ntpd</application>, add the <literal>ntpd_enable="YES"</literal>
entry to <filename>/etc/rc.conf</filename>. Additional variables can be specified
in <filename>/etc/rc.conf</filename>. Refer to &man.rc.conf.5;,
&man.ntpdate.8;, and &man.ntpd.8; for details.</para>
<sect3>
<title>General Configuration</title>
<para>Both applications
read <filename>/etc/ntp.conf</filename> to determine
which servers to query. Here is a simple example of an
<filename>/etc/ntp.conf</filename>:</para>
<indexterm>
<primary>NTP</primary>
<secondary>ntp.conf</secondary>
</indexterm>
<para>NTP is configured by the
<filename>/etc/ntp.conf</filename> file in the format
described in &man.ntp.conf.5;. Here is a simple
example:</para>
<example>
<title> Sample <filename>/etc/ntp.conf</filename></title>
<programlisting>server ntplocal.example.com prefer
server timeserver.example.org
server ntp2a.example.net
driftfile /var/db/ntp.drift</programlisting>
</example>
<para>The <literal>server</literal> option specifies which
servers are to be used, with one server listed on each line.
If a server is specified with the <literal>prefer</literal>
argument, as with
<systemitem
class="fqdomainname">ntplocal.example.com</systemitem>,
<para>The format of this file is
described in &man.ntp.conf.5;. The <literal>server</literal> option specifies which
servers to query, with one server listed on each line.
If a server entry includes <literal>prefer</literal>,
that server is preferred over other servers. A response
from a preferred server will be discarded if it differs
significantly from other servers' responses, otherwise it
will be used without any consideration to other responses.
The <literal>prefer</literal> argument is normally used for
NTP servers that are known to be highly accurate, such as
significantly from responses; otherwise it
will be used.
The <literal>prefer</literal> argument should only be used for
<acronym>NTP</acronym> servers that are known to be highly accurate, such as
those with special time monitoring hardware.</para>
<para>The <literal>driftfile</literal> option specifies which
<para>The <literal>driftfile</literal> entry specifies which
file is used to store the system clock's frequency offset.
The &man.ntpd.8; program uses this to automatically
<application>ntpd</application> uses this to automatically
compensate for the clock's natural drift, allowing it to
maintain a reasonably correct setting even if it is cut off
from all external time sources for a period of time.</para>
from all external time sources for a period of time. This
file also stores information about previous responses
from <acronym>NTP</acronym> servers. Since this file contains
internal information for <acronym>NTP</acronym>, it should not be modified.</para>
<para>The <literal>driftfile</literal> option specifies which
file is used to store information about previous responses
from the NTP servers being used. This file contains
internal information for NTP. It should not be modified by
any other process.</para>
</sect3>
<sect3>
<title>Controlling Access to Your Server</title>
<para>By default, the NTP server will be accessible to all
hosts on the Internet. The <literal>restrict</literal>
option in <filename>/etc/ntp.conf</filename>
controls which machines can access the server.</para>
<para>To deny all machines from accessing the NTP
<para>By default, an <acronym>NTP</acronym> server is accessible to any
network host. The <literal>restrict</literal>
option in <filename>/etc/ntp.conf</filename> can be used to
control which systems can access the server. For example,
to deny all machines from accessing the <acronym>NTP</acronym>
server, add the following line to
<filename>/etc/ntp.conf</filename>:</para>
<programlisting>restrict default ignore</programlisting>
<note>
<para>This will also prevent access from the server to any
servers listed in the local configuration. If there is a
need to synchronise the NTP server with an external NTP
<para>This will also prevent access from other <acronym>NTP</acronym> servers.
If there is a
need to synchronize with an external <acronym>NTP</acronym>
server, allow only that specific server. Refer to
&man.ntp.conf.5; for more information.</para>
</note>
<para>To allow machines within the network to synchronize
their clocks with the server, but ensure they are not
allowed to configure the server or used as peers to
synchronize against, add</para>
allowed to configure the server or be used as peers to
synchronize against, instead use:</para>
<programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
<para>instead, where
<systemitem class="ipaddress">192.168.1.0</systemitem> is an
<acronym>IP</acronym> address on the network and
<para>where
<systemitem class="ipaddress">192.168.1.0</systemitem> is the
local network address and
<systemitem class="netmask">255.255.255.0</systemitem> is
the network's netmask.</para>
the network's subnet mask.</para>
<para>The <filename>/etc/ntp.conf</filename> file can contain
multiple <literal>restrict</literal> options. For more
details, see the <literal>Access Control Support</literal>
<para>Multiple <literal>restrict</literal> entries are supported.
For more
details, refer to the <literal>Access Control Support</literal>
subsection of &man.ntp.conf.5;.</para>
</sect3>
<para>Once
<literal>ntpd_enable="YES"</literal> has been added to
<filename>/etc/rc.conf</filename>, <application>ntpd</application>
can be started now without rebooting the system by typing:</para>
<screen>&prompt.root; <userinput>service ntpd start</userinput></screen>
</sect2>
<sect2>
<title>Running the NTP Server</title>
<title>Using <acronym>NTP</acronym> with a <acronym>PPP</acronym>
Connection</title>
<para>To ensure the NTP server is started at boot time, add the
line <literal>ntpd_enable="YES"</literal> to
<filename>/etc/rc.conf</filename>. To pass
additional flags to &man.ntpd.8;, edit the
<varname>ntpd_flags</varname> parameter in
<filename>/etc/rc.conf</filename>.</para>
<para>To start the server without rebooting the machine, run
<command>ntpd</command> being sure to specify any additional
parameters from <varname>ntpd_flags</varname> in
<filename>/etc/rc.conf</filename>. For example:</para>
<screen>&prompt.root; <userinput>ntpd -p /var/run/ntpd.pid</userinput></screen>
</sect2>
<sect2>
<title>Using <application>ntpd</application> with a Temporary
Internet Connection</title>
<para>The &man.ntpd.8; program does not need a permanent
<para><application>ntpd</application> does not need a permanent
connection to the Internet to function properly. However, if
there is a temporary connection that is configured to dial out
on demand, it is a good idea to prevent NTP traffic from
triggering a dial out or keeping the connection alive. PPP
users can use the <literal>filter</literal>
a <acronym>PPP</acronym> connection is configured to dial out
on demand, <acronym>NTP</acronym> traffic should be prevented from
triggering a dial out or keeping the connection alive. This can be configured
with <literal>filter</literal>
directives in <filename>/etc/ppp/ppp.conf</filename>. For
example:</para>
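Review bot: the `restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap` example does not deliver what the rewritten sentence just above it promises, namely that hosts on the local network cannot be "used as peers to synchronize against": `nomodify` only blocks runtime configuration changes via ntpq/ntpdc and `notrap` only blocks mode 6 trap service, while a new peer association is denied by `nopeer`. Either add it (`restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer`) or drop the peer claim from the sentence; `noquery` deserves a mention in the same place, since with this line LAN hosts can still run ntpq/ntpdc status queries against the server. Two smaller problems in the same hunk: the rewritten `prefer` paragraph now reads "discarded if it differs significantly from responses; otherwise it will be used", which lost "other servers'" and no longer parses, so restore "from other servers' responses"; and the new text states that both `ntpd` and `ntpdate` read `/etc/ntp.conf` for their server list while deleting the old pointer to `ntpdate_flags`, where the servers for `ntpdate` were previously said to be given, so the two statements should be reconciled or the `rc.conf` variable named again.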
@ -5441,7 +5391,7 @@ driftfile /var/db/ntp.drift</programlisting>
# Prevent outgoing NTP traffic from keeping the connection open
set filter alive 2 permit 0/0 0/0</programlisting>
<para>For more details see the
<para>For more details, refer to the
<literal>PACKET FILTERING</literal> section in &man.ppp.8; and
the examples in
<filename>/usr/share/examples/ppp/</filename>.</para>
@ -5452,14 +5402,6 @@ driftfile /var/db/ntp.drift</programlisting>
reach the machine.</para>
</note>
</sect2>
<sect2>
<title>Further Information</title>
<para>Documentation for the NTP server can be found in
<filename>/usr/share/doc/ntp/</filename> in HTML
format.</para>
</sect2>
</sect1>
<sect1 xml:id="network-syslogd">