JP Vossen on 8 Jul 2015 11:41:01 -0700



Re: [PLUG] ntp


Ohhh, that's...bad...

Running `ntpdate` periodically can be dangerous and is the WRONG answer
if the server hosts any kind of database or anything time sensitive
(even arguably just logs).  Large jumps forward in time can be bad
enough, but if it adjusts backwards it can really be a problem.

Just use NTP, do not use ntpdate [1].
https://lists.debian.org/debian-user/2002/12/msg04091.html
https://www.redhat.com/archives/nahant-list/2005-December/msg00009.html

Aside from the general wrongness of the answer, `ntpdate` is deprecated:
	http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate

That said, VMs can be tricky.  VMware tools has a "keep in sync" option
but even they recommend using NTP:
	http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006427
	"VMware recommends using NTP instead of VMware Tools periodic time
synchronization. NTP is an industry standard and ensures accurate
timekeeping in your guest..."

I can't speak to other virtualization, but I'm positive solutions exist
if NTP isn't the right answer.

Once in sync NTP should not "slip" and if it does it should certainly
not slip more than 1,000 seconds ([1] and `man ntpd`, then search for
-g).  See also `ntptrace`, `ntpstat` or `ntpq -pn` depending on distro
flavor and age.


[1] You used to use `ntpdate` at boot time to get the system clock close
enough that NTP would keep it in sync.  Probably some distros still do that.

NTP itself will refuse to adjust larger than the "panic threshold,"
which is 1000s by default.  It used to not be too clear about why it
wasn't working, and ntpdate used to be more clear.  That has hopefully
improved, but I can't swear to it.  My NTP, virtual or otherwise, Just
Works.


On 07/08/2015 02:35 PM, Eric Lucas wrote:
> About 2 years ago I worked, briefly, with some systems using ntp.  Turns
> out if the time is off by some small amount (less than a minute IIRC),

1,000 seconds per the man page I was just looking at in Debian 7.

> it simply stops changing the target system's time because it "thinks"
> something is drastically wrong.
> 
> Seems like a cron job to re-sync is a good idea to me.
> 
> Eric
> 
> On Wed, Jul 8, 2015 at 2:24 PM, Keith C. Perry
> <kperry@daotechnologies.com <mailto:kperry@daotechnologies.com>> wrote:
> 
>     I hope you're saying that in jest Walt.  In my experience ntpd slips
>     way too much.  Once clocks get out of sync by too much ntpd won't
>     nudge it back and that can happen more often than not on
>     interactive and poorly tuned HPC nodes.
> 
>     You can have the same issue on system boots.
> 
>     My apologies if I'm misinterpreting tone.
> 
> 
>     ----- Original Message -----
>     From: "Walt Mankowski" <waltman@pobox.com <mailto:waltman@pobox.com>>
>     To: plug@lists.phillylinux.org <mailto:plug@lists.phillylinux.org>
>     Sent: Wednesday, July 8, 2015 2:15:39 PM
>     Subject: Re: [PLUG] ntp
> 
>     But...but...
> 
>     You do realize that's essentially what ntpd does, only ntpd does it
>     way better, right?
> 
>     Right?
> 
>     On Wed, Jul 08, 2015 at 01:37:59PM -0400, Keith C. Perry wrote:
>     > That's what I do. Run "ntpdate us.pool.ntp.org
>     <http://us.pool.ntp.org>" every 4 to 6 hours on critical / core systems.
>     >
>     >
>     >
>     > From: "Bill East" <wm.east@gmail.com <mailto:wm.east@gmail.com>>
>     > To: "Philadelphia Linux User's Group Discussion List"
>     <plug@lists.phillylinux.org <mailto:plug@lists.phillylinux.org>>
>     > Sent: Wednesday, July 8, 2015 1:35:29 PM
>     > Subject: Re: [PLUG] ntp
>     >
>     >
>     >
>     > I just had to deal with a vendor installation which was about 4
>     seconds off the ntp server it was supposed to be synced with. Come
>     to find out the vendor ran a ntpdate command once a day and the vm
>     was drifting 4 seconds in the 24 hours between. Their solution was
>     to run the command once an hour instead.
>     > On Jul 8, 2015 1:13 PM, "Eric Riese" < eric.riese@gmail.com
>     <mailto:eric.riese@gmail.com> > wrote:
>     >
>     >
>     >
>     > So I just noticed that my KVM server's clocks were way off. The
>     host OS was 4 minutes behind time.gov <http://time.gov> and the
>     guests were 4 minutes ahead of time.gov <http://time.gov> .
>     >
>     > Turns out the host did not have ntp installed at all. It's Ubuntu
>     12.04 and was installed as some sort of minimal installation. A sudo
>     apt-get install ntp and five minutes later it's in good shape.
>     >
>     > The guests are debian installs from turnkeylinux.org
>     <http://turnkeylinux.org> and they have ntp installed but were not
>     running by default!
>     >
>     > To think, Google runs its own internal NTP servers and had to
>     spread the leap second out over a day, and I'm off by whole minutes!


Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
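
Added example, not part of the original message or of any poster's setup: a shell check that reads `ntpq -pn` output and reports whether the system peer's offset is within slewing range, would force a step, or exceeds the 1000 s panic threshold discussed above. The 128 ms step threshold is ntpd's documented default; the function name, the sample peer addresses and the sample offsets (including a 4-second drift like the vendor case in the thread) are constructed for illustration.

```shell
# Classify clock state from `ntpq -pn` output on stdin (offset column is ms).
#   ok       system peer selected, offset small enough for ntpd to slew
#   step     offset above 128 ms (ntpd default step threshold): the clock
#            jumps instead of slewing, the case that hurts logs/databases
#   panic    offset above the 1000 s panic threshold (see -g in `man ntpd`)
#   unsynced no peer carries the '*' (system peer) tally code
ntp_sync_state() {
    awk -v step_ms=128 -v panic_ms=1000000 '
        /^\*/ {
            # Columns: remote refid st t when poll reach delay offset jitter
            off = $9 + 0
            mag = (off < 0) ? -off : off
            state = "ok"
            if (mag > step_ms)  state = "step"
            if (mag > panic_ms) state = "panic"
            printf "%s peer=%s offset_ms=%s reach=%s\n", state, substr($1, 2), $9, $7
            found = 1
            exit
        }
        END { if (!found) print "unsynced" }
    '
}

# Constructed samples (documentation addresses), not captured output.
sample_ok() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    1.234   -0.512   0.101
+192.0.2.11      192.0.2.10       2 u   40   64  377    2.345    1.200   0.250
EOF
}
sample_drift() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   12   64  377    1.301 4012.337   0.420
EOF
}
sample_unsynced() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

for s in sample_ok sample_drift sample_unsynced; do
    printf '%-16s ' "$s"; "$s" | ntp_sync_state
done
```

On a live host the same function takes the daemon's own output: `ntpq -pn | ntp_sync_state`.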