NTP (Network Time Protocol)



NTP (Network Time Protocol) allows a system to synchronize its clock with a time server. Time synchronization in IT infrastructures is critical: for example, if the system time of a node in a cluster drifts too far from the rest of the nodes, the cluster software will consider that node unresponsive and automatically remove it from the cluster.

Configuring a local NTP server

To keep the clocks of all nodes in a LAN in sync, a local NTP server can be configured. All nodes on the LAN keep their clocks synchronized with the local NTP server using the NTP protocol, and the local NTP server in turn stays synchronized with other NTP servers on the Internet.

To configure a server as a local NTP server, the ntp RPM must be installed.

# yum install ntp

Edit the /etc/ntp.conf file and uncomment the line that allows access to all nodes on your LAN (192.168.1.0/24):

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Note: the local NTP server will be synchronized with the public NTP servers on the Internet listed in the 'server' directives of /etc/ntp.conf, for example 0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, ...

Restart the ntpd service with the new configuration and make sure it is started on boot.

# /etc/init.d/ntpd restart
# chkconfig ntpd on 


NTP server security

Some security considerations must be taken into account to run the ntpd service securely. The first one is to open the firewall on the NTP server to allow connections from/to other NTP clients and servers.

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT

Note: NTP clients must keep port 123/UDP open on their firewall.

By default the ntpd service is confined by SELinux. To disable this protection, only if it is causing problems:

# setsebool -P ntpd_disable_trans 1
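As an added example (not part of the original post), a small shell audit of the restrict directives in an ntp.conf like the one configured above: any restrict line for a non-loopback source that lacks nomodify or notrap lets that network change the daemon's configuration or receive trap messages, so it is reported as weak. The sample ntp.conf is constructed inline and the function names are this example's own.

```shell
#!/bin/sh
# Write a constructed sample ntp.conf (not the post's real file) to the path
# given in $1: the LAN line from the post is hardened, the 10.0.0.0/8 line is not.
make_sample_conf() {
    cat > "$1" <<'EOF'
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 10.0.0.0 mask 255.0.0.0
server 0.rhel.pool.ntp.org
EOF
}

# Print each 'restrict' line for a non-loopback source that is missing
# nomodify or notrap, prefixed with "weak:". Exit status 1 if any was
# found, 0 if every such line is hardened.
audit_restrict() {
    awk '
        $1 == "restrict" && $2 != "127.0.0.1" && $2 != "::1" {
            nomodify = 0; notrap = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "nomodify") nomodify = 1
                if ($i == "notrap")   notrap = 1
            }
            if (!nomodify || !notrap) { print "weak: " $0; bad++ }
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Stand-alone run: audit the constructed sample, then the same file with the
# weak 10.0.0.0/8 line removed.
tmp=$(mktemp)
make_sample_conf "$tmp"
audit_restrict "$tmp" || echo "sample has weak restrict lines"
grep -v '^restrict 10\.' "$tmp" > "$tmp.fixed"
audit_restrict "$tmp.fixed" && echo "fixed sample is hardened"
rm -f "$tmp" "$tmp.fixed"
```

Run it against a real /etc/ntp.conf with `audit_restrict /etc/ntp.conf` after sourcing the functions.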

NTP clients

To configure the ntpd service on a Linux node as a client of your LAN NTP server, just add the local NTP server IP to a 'server' directive in /etc/ntp.conf. Make sure that port 123/UDP is open on your firewall and that the ntpd service is up and running.

# /etc/init.d/ntpd restart
# chkconfig ntpd on

To force an NTP synchronization the ntpdate command can be used. For example, to sync our clock from the NTP server 192.168.1.10:

ntpdate -u 192.168.1.10

Note: if the NTP server being used has not yet finished calculating its clock drift (the /var/lib/ntp/driftime file), the server will not be ready to serve time and the message "no server suitable for synchronization found" will be displayed on the NTP client. Just be patient and wait; sometimes it takes hours ...
