| Version 4 (modified by , 7 years ago) ( diff ) |
|---|
NTP
The download URL is http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/snapshots/ntp-stable/2006/02/ntp-stable-4.2.0a-20060224.tar.gz
NTPD privsep
Installing ntpd to drop to non-root -
If you have libacl and libattr installed, you can configure NTP with:
--enable-linuxcaps
Then add an ntpd user:
groupadd ntpd &&
useradd -c 'ntpd PrivSep' -d /var/lib/ntpd -g ntpd \
-s /bin/false ntpd &&
install -v -m710 -g ntpd -d /var/lib/ntpd
Install the blfs bootscript, and modify /etc/rc.d/init.d/ntp with this:
loadproc /usr/sbin/ntpd --configfile=/etc/ntpd.conf \
--jaildir=/var/lib/ntpd --logfile=/var/log/ntpd.log \
--pidfile=/var/run/ntpd.pid --user=ntpd:ntpd \
--no-load-opts
To give the ntpd user minimal privileges create a tmpfs just big enough for the drift file:
install -d -m 0000 /var/lib/ntpd/drift
And add this to /etc/fstab, and replace the gid with ntpd's group id:
tmpfs /var/lib/ntpd/drift tmpfs size=9k,nosuid,noexec,nodev,mode=1770,gid=1003,nr_inodes=2,nr_blocks=2 0 0
Fixes if synchronisation fails
For a long time the default kernel clocksource has been tsc, but it used to be acpi_pm. On one of my machines, in one kernel release, I lost synchronisation and the log showed:
frequency error 1726 PPM exceeds tolerance 500 PPM
Google found a not-too-old link to redhat [https://access.redhat.com/solutions/35640] which suggested checking the available drivers with
cat /sys/devices/system/clocksource/clocksource0/available_clocksource
and assuming that acpi_pm is available, temporarily changing to it with
echo acpi_pm >/sys/devices/system/clocksource/clocksource0/current_clocksource
and seeing if that helps. If useful, it can forced by adding
clocksource=acpi_pm
to the bootargs in grub.
When the clock is too far away from the correct time
If ntpd bails out because the clock is too far from the correct time, try stopping ntpd, using
ntpd -gq
to let it sync, and then restarting ntpd. According to the man page, -g can be used multiple times if the clock is far adrift.
