| 2 | | The download URL is http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/snapshots/ntp-stable/2006/02/ntp-stable-4.2.0a-20060224.tar.gz |
| 3 | | [[br]] |
| 4 | | |
| 5 | | |
| 6 | | == NTPD privsep == |
| 7 | | Installing ntpd to drop to non-root -[[BR]] |
| 8 | | |
| 9 | | If you have libacl and libattr installed, you can configure NTP with: |
| 10 | | |
| 11 | | {{{ |
| 12 | | --enable-linuxcaps |
| 13 | | }}} |
| 14 | | |
| 15 | | Then add an ntpd user: |
| 16 | | |
| 17 | | |
| 18 | | {{{ |
| 19 | | groupadd ntpd && |
| 20 | | useradd -c 'ntpd PrivSep' -d /var/lib/ntpd -g ntpd \ |
| 21 | | -s /bin/false ntpd && |
| 22 | | install -v -m710 -g ntpd -d /var/lib/ntpd |
| 23 | | }}} |
| 24 | | |
| 25 | | Install the blfs bootscript, and modify /etc/rc.d/init.d/ntp with this: |
| 26 | | |
| 27 | | |
| 28 | | {{{ |
| 29 | | loadproc /usr/sbin/ntpd --configfile=/etc/ntpd.conf \ |
| 30 | | --jaildir=/var/lib/ntpd --logfile=/var/log/ntpd.log \ |
| 31 | | --pidfile=/var/run/ntpd.pid --user=ntpd:ntpd \ |
| 32 | | --no-load-opts |
| 33 | | }}} |
| 34 | | |
| 35 | | To give the ntpd user minimal privileges create a tmpfs just big enough for the drift file: |
| 36 | | |
| 37 | | {{{ |
| 38 | | install -d -m 0000 /var/lib/ntpd/drift |
| 39 | | }}} |
| 40 | | |
| 41 | | And add this to /etc/fstab, and replace the gid with ntpd's group id: |
| 42 | | |
| 43 | | {{{ |
| 44 | | tmpfs /var/lib/ntpd/drift tmpfs size=9k,nosuid,noexec,nodev,mode=1770,gid=1003,nr_inodes=2,nr_blocks=2 0 0 |
| 45 | | }}} |
| 49 | | On one of my machines, ntp had lost synchronisation. I initially blamed the tsc clocksource in a particular kernel version, and recommended changing it back to acpi_pm. |
| 50 | | |
| 51 | | === From the initial version of this section: === |
| 52 | | |
| 53 | | On one of my machines, in one kernel release, I lost synchronisation and the log showed: |
| 54 | | {{{ |
| 55 | | frequency error 1726 PPM exceeds tolerance 500 PPM |
| 56 | | }}} |
| 57 | | |
| 58 | | Google found a not-too-old link to redhat [https://access.redhat.com/solutions/35640] which suggested checking the available drivers with |
| 59 | | {{{ |
| 60 | | cat /sys/devices/system/clocksource/clocksource0/available_clocksource |
| 61 | | }}} |
| 62 | | and assuming that acpi_pm is available, temporarily changing to it with |
| 63 | | {{{ |
| 64 | | echo acpi_pm >/sys/devices/system/clocksource/clocksource0/current_clocksource |
| 65 | | }}} |
| 66 | | and seeing if that helps. If useful, it can forced by adding |
| 67 | | {{{ |
| 68 | | clocksource=acpi_pm |
| 69 | | }}} |
| 70 | | to the bootargs in grub. |
| 71 | | |
| 72 | | === A better fix (sysvinit) === |
| 73 | | |
| 74 | | I forgot about the problem, until one day when I discovered that my desktop clock was 5 minutes slow. In the end, this appears to be related to frequent suspend to RAM, sometimes for a few days. In early versions of pm-utils (which is what I use for s2ram) there was a script to fix up ntpd - but that was removed long ago, in the belief that the clock would only drift for a maximum of 64 seconds realtime (not drift *by* 64 seconds!) and then ntpd would start to sync it. For systemd the preferred methods are apparently different. Anyway,I've now added the following script as /usr/lib/pm-utils/sleep.d/48ntpd (mode 755) and things seem to work - using 'ntpq -p' I can sometimes see offsets of several hundred milliseconds (and increasing!) even when the box has sync'd to my local server, but it seems to stay accurate to within a second, and eventually syncs to a few milliseconds. |
| | 5 | On one of my machines, ntp had lost synchronisation. |
| | 6 | This appears to be related to frequent suspend to RAM, sometimes for a few days. In early versions of pm-utils (which is what I use for s2ram) there was a script to fix up ntpd - but that was removed long ago, in the belief that the clock would only drift for a maximum of 64 seconds realtime (not drift *by* 64 seconds!) and then ntpd would start to sync it. For systemd the preferred methods are apparently different. Anyway,I've now added the following script as /usr/lib/pm-utils/sleep.d/48ntpd (mode 755) and things seem to work - using 'ntpq -p' I can sometimes see offsets of several hundred milliseconds (and increasing!) even when the box has sync'd to my local server, but it seems to stay accurate to within a second, and eventually syncs to a few milliseconds. |
