Keith C. Perry on 8 Jul 2015 13:32:49 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] ntp


Great info!

After reviewing the man page myself on some of my servers, looks like I have a capable build.  Problem is, its not working for me. ntpd -gxq nor ntpd -xq (which should be able to run when the ntpd daemon is running).

I'll have to play around with it or upgrade those servers.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Owner, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167 
www.daotechnologies.com

----- Original Message -----
From: "JP Vossen" <jp@jpsdomain.org>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Wednesday, July 8, 2015 3:50:24 PM
Subject: Re: [PLUG] ntp

VMs and laptops (that sleep) can be troublesome.  This has some good
discussion:
http://askubuntu.com/questions/138916/why-is-ubuntus-clock-getting-slower-or-faster.

You can run `ntpd -gxq` which is basically the same as `ntpdate` early
during boot and resume.

You can nuke your drift file and let it rebuild to see if that helps.

You can add -g to your system options (where varies by distro), but per
`man ntpd` it's one time only:
-g     Normally, ntpd exits with a message to the  system  log  if  the
      offset  exceeds the panic threshold, which is 1000 s by default.
      This option allows the time to  be  set  to  any  value  without
      restriction; however, this can happen only once.  If the thresh-
      old is exceeded after that, ntpd will exit with a message to the
      system log.  This option can be used with the -q and -x options.

-P priority
      To the extent permitted by the operating system, run the ntpd at
      the specified priority.


I do run this in cron to keep an eye on things.  But I only ever get
notified during reboots until it syncs up, or if wireless goes out for a
while or something and a client can't sync.

25 * * * * ntptrace 2> /dev/null | head -n1 | perl -ne 'm/^[\w.]+:
stratum (\d+),/ or next; print qq(NTP not in sync: $_) if ( $1 > 5 );'

Basically, that makes sure the local machine is stratum 5 or lower.  All
my machines except my internal NTP server usually are stratum 4.  I use
4 "server" lines to the Debian pool on my NTP server and that's  stratum 3.

`ntptrace` looks like the following.  Note there was an NTP
amplification/reflection vulnerability a couple of years ago
(https://www.us-cert.gov/ncas/alerts/TA14-013A) that caused most folks
to turn off monitoring, so now you mostly get "***Request timed out".
As long as you are not stratum 16 you are OK.  Lower is better to a
point, but stratum 1 requires an external time source (usually GPS).

$ ntptrace
localhost.localdomain: stratum 4, offset -0.000896, synch distance 0.013087
192.168.nnn.nnn: timed out, nothing received
***Request timed out

See also https://en.wikipedia.org/wiki/Network_Time_Protocol and note
that NTP was written and maintained by a guy locally a UDel.  Given
packet switched networks and latency it's really fascinating stuff.
(Heh, maybe he'd come do a talk?)


On 07/08/2015 02:53 PM, Keith C. Perry wrote:
> Right but to me that is still better than continuing to drift because a workload prevented accurate time keeping.
> 
> I think someone mentioned this already.  This probably needs to be configurable for either case- either keep the time on track absolutely or keep the 1000s (or some other configurable tolerance).  Be able to notify if an absolute snap back is over a certain tolerance or if you will NOT snap the time back because of a tolerance exceeded respectively.
> 
> Maybe this is already available?
> 
> 
> ----- Original Message -----
> From: "JP Vossen" <jp@jpsdomain.org>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Wednesday, July 8, 2015 2:47:15 PM
> Subject: Re: [PLUG] ntp
> 
> Right, sudden jumps in time are BAD, and that's exactly what running
> `ntpdate` from cron does...  :-)
> 
> On 07/08/2015 02:44 PM, Josh Zenker wrote:
>> The reason for this behavior, if I remember correctly, is to avoid
>> breaking certain applications which do not gracefully handle sudden
>> changes to the system clock.
>>
>> About 2 years ago I worked, briefly, with some systems using ntp.  Turns
>> out if the time is off by some small amount (less than a minute IIRC),
>> it simply stops changing the target system's time because it "thinks"
>> something is drastically wrong.
>>
>> Seems like a cron job to re-sync is a good idea to me.
>>
>> Eric
>>
>> On Wed, Jul 8, 2015 at 2:24 PM, Keith C. Perry
>> <kperry@daotechnologies.com <mailto:kperry@daotechnologies.com>> wrote:
>>
>>     I hope you're saying that in jest Walt.  In my experience ntpd slips
>>     way too much.  Once clocks get out of sync by too much ntpd won't
>>     nudge it back and that can happens more often than not on
>>     interactive and poorly tuned HPC nodes.
>>
>>     You can have the same issue on system boots.
>>
>>     My apologies if I'm misinterpreting tone.
>>
>>     ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
>>     Keith C. Perry, MS E.E.
>>     Owner, DAO Technologies LLC
>>     (O) +1.215.525.4165 x2033 <tel:%2B1.215.525.4165%20x2033>
>>     (M) +1.215.432.5167 <tel:%2B1.215.432.5167>
>>     www.daotechnologies.com <http://www.daotechnologies.com>
>>
>>     ----- Original Message -----
>>     From: "Walt Mankowski" <waltman@pobox.com <mailto:waltman@pobox.com>>
>>     To: plug@lists.phillylinux.org <mailto:plug@lists.phillylinux.org>
>>     Sent: Wednesday, July 8, 2015 2:15:39 PM
>>     Subject: Re: [PLUG] ntp
>>
>>     But...but...
>>
>>     You do realize that's essentially what ntpd does, only ntpd does it
>>     way better, right?
>>
>>     Right?
>>
>>     On Wed, Jul 08, 2015 at 01:37:59PM -0400, Keith C. Perry wrote:
>>     > That's what I do. Run "ntpdate us.pool.ntp.org
>>     <http://us.pool.ntp.org>" every 4 to 6 hours on critical / core systems.
>>     >
>>     >
>>     > ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
>>     > Keith C. Perry, MS E.E.
>>     > Owner, DAO Technologies LLC
>>     > (O) +1.215.525.4165 x2033 <tel:%2B1.215.525.4165%20x2033>
>>     > (M) +1.215.432.5167 <tel:%2B1.215.432.5167>
>>     > www.daotechnologies.com <http://www.daotechnologies.com>
>>     >
>>     >
>>     > From: "Bill East" <wm.east@gmail.com <mailto:wm.east@gmail.com>>
>>     > To: "Philadelphia Linux User's Group Discussion List"
>>     <plug@lists.phillylinux.org <mailto:plug@lists.phillylinux.org>>
>>     > Sent: Wednesday, July 8, 2015 1:35:29 PM
>>     > Subject: Re: [PLUG] ntp
>>     >
>>     >
>>     >
>>     > I just had to deal with a vendor installation which was about 4
>>     seconds off the ntp server it was supposed to be synced with. Come
>>     to find out the vendor ran a ntpdate command once a day and the vm
>>     was drifting 4 seconds in the 24 hours between. Their solution was
>>     to run the command once an hour instead.
>>     > On Jul 8, 2015 1:13 PM, "Eric Riese" < eric.riese@gmail.com
>>     <mailto:eric.riese@gmail.com> > wrote:
>>     >
>>     >
>>     >
>>     > So I just noticed that my KVM server's clocks were way off. The
>>     host OS was 4 minutes behind time.gov <http://time.gov> and the
>>     guests were 4 minutes ahead of time.gov <http://time.gov> .
>>     >
>>     > Turns out the host did not have ntp installed at all. It's Ubuntu
>>     12.04 and was installed as some sort of minimal installation. A sudo
>>     apt-get install ntp and five minutes later it's in good shape.
>>     >
>>     > The guests are debian installs from turnkeylinux.org
>>     <http://turnkeylinux.org> and they have ntp installed but were not
>>     running by default!
>>     >
>>     > To think, Google runs it's own internal NTP servers and had to
>>     spread the leap second out over a day, and I'm off by whole minutes!


Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug