just joined the pool, a check list - NTP


  1. just joined the pool, a check list

    Hello
    I've just joined the pool with a server running ntpd 4.2.4p4.
    I would like to have done well, so I post here the configuration for
    comments if needed.

    1/ ntpd is launched with option -g

    2/ here is ntpd.conf :

    statsdir /var/log/ntpstats/
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable

    driftfile /etc/ntp.drift

    server ntp.via.ecp.fr iburst dynamic
    server ntp.obspm.fr iburst dynamic
    server ntp1.belbone.be iburst dynamic
    server ntp1.kamino.fr iburst dynamic
    server timeserver.ntp.ch iburst dynamic
    server canon.inria.fr
    server ntp.probe-networks.de

    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery


  2. Re: just joined the pool, a check list

    Cyrille37 wrote:
    > Hello
    > I've just joined the pool with a server running ntpd 4.2.4p4.
    > I would like to have done well, so I post here the configuration for
    > comments if needed.
    >
    > 1/ ntpd is launched with option -g
    >
    > 2/ here is ntpd.conf :
    >
    > statsdir /var/log/ntpstats/
    > statistics loopstats peerstats clockstats
    > filegen loopstats file loopstats type day enable
    > filegen peerstats file peerstats type day enable
    > filegen clockstats file clockstats type day enable


    Since you aren't running a clock driver, clockstats won't generate anything.

    > driftfile /etc/ntp.drift


    I've been told it's bad practice to allow ntpd to write to /etc . You
    should use /var/lib/ntp.drift or something similar.

    You also don't have a logfile specified.

    > server ntp.via.ecp.fr iburst dynamic
    > server ntp.obspm.fr iburst dynamic
    > server ntp1.belbone.be iburst dynamic
    > server ntp1.kamino.fr iburst dynamic
    > server timeserver.ntp.ch iburst dynamic
    > server canon.inria.fr
    > server ntp.probe-networks.de


    According to the documentation, the dynamic option isn't supported in the
    current implementation. You should use iburst on all your servers.

    > restrict -4 default kod notrap nomodify nopeer noquery
    > restrict -6 default kod notrap nomodify nopeer noquery


    You don't specify -4 or -6 with restrict. And don't use the 'noquery'
    option as that turns off 'ntpq' and 'ntpdc' queries. A lot of operators
    like to know information about their clients. Plus, if you set:

    restrict default kod notrap nomodify nopeer noquery

    You won't be able to query your server from the local machine, unless you
    specify a restriction for it.

    Set it up like this:

    # Default access restrictions (applies to all clients, local or not)
    restrict default kod nopeer nomodify notrap

    # Allow localhost unrestricted access
    restrict 127.0.0.1


    So to summarize, here is a fixed ntp.conf:


    # Default access restrictions (applies to all clients)
    restrict default kod nopeer nomodify notrap

    # Allow localhost unrestricted access
    restrict 127.0.0.1

    server ntp.via.ecp.fr iburst
    server ntp.obspm.fr iburst
    server ntp1.belbone.be iburst
    server ntp1.kamino.fr iburst
    server timeserver.ntp.ch iburst
    server canon.inria.fr iburst
    server ntp.probe-networks.de iburst

    driftfile /var/lib/ntp.drift

    logfile /var/log/ntp/ntp.log

    statsdir /var/log/ntp/
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable


    --
    Dennis Hilberg, Jr. timekeeper(at)dennishilberg(dot)com
    NTP Server Information: http://saturn.dennishilberg.com/ntp.php

  3. Re: just joined the pool, a check list

    Dennis Hilberg, Jr. wrote:
    > statsdir /var/log/ntp/
    > statistics loopstats peerstats clockstats
    > filegen loopstats file loopstats type day enable
    > filegen peerstats file peerstats type day enable


    Oops, might as well remove the 'clockstats' option:

    statsdir /var/log/ntpstats/
    statistics loopstats peerstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable

    --
    Dennis Hilberg, Jr. timekeeper(at)dennishilberg(dot)com
    NTP Server Information: http://saturn.dennishilberg.com/ntp.php

  4. Re: just joined the pool, a check list

    "Dennis Hilberg, Jr." wrote:

    > Cyrille37 wrote:
    > > restrict -4 default kod notrap nomodify nopeer noquery
    > > restrict -6 default kod notrap nomodify nopeer noquery

    >
    > You don't specify -4 or -6 with restrict.


    Yes you do, otherwise it assumes IPv4, certainly for "default";
    bug still open: https://support.ntp.org/bugs/show_bug.cgi?id=320

    --
    Ronan Flood

  5. Re: just joined the pool, a check list

    Ronan Flood wrote:
    > "Dennis Hilberg, Jr." wrote:
    >
    >> Cyrille37 wrote:
    >>> restrict -4 default kod notrap nomodify nopeer noquery
    >>> restrict -6 default kod notrap nomodify nopeer noquery

    >> You don't specify -4 or -6 with restrict.

    >
    > Yes you do, otherwise it assumes IPv4, certainly for "default";
    > bug still open: https://support.ntp.org/bugs/show_bug.cgi?id=320


    Oops! Sorry, I was going off the documentation, which doesn't mention IPv4
    or IPv6 for 'restrict':
    http://www.eecis.udel.edu/~mills/ntp/html/accopt.html , unless I missed it
    somewhere else. Thanks for the clarification.

    --
    Dennis Hilberg, Jr. timekeeper(at)dennishilberg(dot)com
    NTP Server Information: http://saturn.dennishilberg.com/ntp.php

  6. Re: just joined the pool, a check list

    On 2007-11-08, Dennis Hilberg, Jr. wrote:

    > Ronan Flood wrote:
    >
    >> "Dennis Hilberg, Jr." wrote:
    >>
    >>> You don't specify -4 or -6 with restrict.

    >>
    >> Yes you do, otherwise it assumes IPv4, certainly for "default"; bug
    >> still open: https://support.ntp.org/bugs/show_bug.cgi?id=320

    >
    > Oops! Sorry, I was going off the documentation,
    > which doesn't mention IPv4 or IPv6 for 'restrict':
    > http://www.eecis.udel.edu/~mills/ntp/html/accopt.html , unless I
    > missed it somewhere else. Thanks for the clarification.


    See the Community Supported Documentation about ntpd Access Restrictions
    at http://support.ntp.org/Support/AccessRestrictions

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/
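
The review points from replies 2 to 4, gathered into one check that can be run over an ntp.conf before a server goes into the pool. This is an added example, not code from any participant in the thread or from the NTP project; the function name and the finding codes are hypothetical, and the sample is a shortened copy of the configuration in post 1.

```python
# Added example: lint ntp.conf text for the points raised in this thread.
# Finding codes are this example's own names, not ntpd messages.

def lint_ntp_conf(text):
    """Return the set of finding codes for an ntp.conf given as a string."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    rows = [r for r in rows if len(r) > 1]          # directive plus arguments
    found = set()
    # 127.127.t.u is ntpd's pseudo-address form for reference clock drivers
    has_refclock = any(r[0] == "server" and r[1].startswith("127.127.") for r in rows)
    if not any(r[0] == "logfile" for r in rows):
        found.add("no-logfile")
    for key, *args in rows:
        if key == "driftfile" and args[0].startswith("/etc/"):
            found.add("driftfile-in-etc")
        elif key == "server" and not args[0].startswith("127.127."):
            if "dynamic" in args:
                found.add("dynamic-option")
            if "iburst" not in args:
                found.add("server-without-iburst")
        elif key in ("statistics", "filegen") and "clockstats" in args and not has_refclock:
            found.add("clockstats-without-refclock")
    defaults = [r[1:] for r in rows if r[0] == "restrict" and "default" in r[1:3]]
    # Reply 4: without -6 a "default" line is taken as IPv4 only (bug 320)
    if defaults and not any(d[0] == "-6" for d in defaults):
        found.add("default-restrict-ipv4-only")
    local = any(r[0] == "restrict" and r[1] in ("127.0.0.1", "::1") for r in rows)
    # Reply 2: noquery on default also blocks local ntpq unless localhost is exempted
    if any("noquery" in d for d in defaults) and not local:
        found.add("noquery-blocks-local-ntpq")
    return found

# Shortened copy of the configuration from post 1 (two of the seven servers)
POSTED = """\
statistics loopstats peerstats clockstats
filegen clockstats file clockstats type day enable
driftfile /etc/ntp.drift
server ntp.via.ecp.fr iburst dynamic
server canon.inria.fr
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
"""

if __name__ == "__main__":
    for code in sorted(lint_ntp_conf(POSTED)):
        print(code)
```

Run over the summary configuration in reply 2, the same check still reports the clockstats entry and the IPv4-only default restriction, which are the two points replies 3 and 4 go on to correct.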

  7. Re: just joined the pool, a check list

    Thank you very much Dennis for your corrections!

    Best regards
    Cyrille.

    On 7 nov, 22:02, "Dennis Hilberg, Jr." wrote:
    > Cyrille37 wrote:
    > > Hello
    > > I've just joined the pool with a server running ntpd 4.2.4p4.
    > > I would like to have done well, so I post here the configuration for
    > > comments if needed.

    >
    > > 1/ ntpd is launched with option -g

    >
    > > 2/ here is ntpd.conf :

    >
    > > statsdir /var/log/ntpstats/
    > > statistics loopstats peerstats clockstats
    > > filegen loopstats file loopstats type day enable
    > > filegen peerstats file peerstats type day enable
    > > filegen clockstats file clockstats type day enable

    >
    > Since you aren't running a clock driver, clockstats won't generate anything.
    >
    > > driftfile /etc/ntp.drift

    >
    > I've been told it's bad practice to allow ntpd to write to /etc . You
    > should use /var/lib/ntp.drift or something similar.
    >
    > You also don't have a logfile specified.
    >
    > > server ntp.via.ecp.fr iburst dynamic
    > > server ntp.obspm.fr iburst dynamic
    > > server ntp1.belbone.be iburst dynamic
    > > server ntp1.kamino.fr iburst dynamic
    > > server timeserver.ntp.ch iburst dynamic
    > > server canon.inria.fr
    > > server ntp.probe-networks.de

    >
    > According to the documentation, the dynamic option isn't supported in the
    > current implementation. You should use iburst on all your servers.
    >
    > > restrict -4 default kod notrap nomodify nopeer noquery
    > > restrict -6 default kod notrap nomodify nopeer noquery

    >
    > You don't specify -4 or -6 with restrict. And don't use the 'noquery'
    > option as that turns off 'ntpq' and 'ntpdc' queries. A lot of operators
    > like to know information about their clients. Plus, if you set:
    >
    > restrict default kod notrap nomodify nopeer noquery
    >
    > You won't be able to query your server from the local machine, unless you
    > specify a restriction for it.
    >
    > Set it up like this:
    >
    > # Default access restrictions (applies to all clients, local or not)
    > restrict default kod nopeer nomodify notrap
    >
    > # Allow localhost unrestricted access
    > restrict 127.0.0.1
    >
    > So to summarize, here is a fixed ntp.conf:
    >
    > # Default access restrictions (applies to all clients)
    > restrict default kod nopeer nomodify notrap
    >
    > # Allow localhost unrestricted access
    > restrict 127.0.0.1
    >
    > server ntp.via.ecp.fr iburst
    > server ntp.obspm.fr iburst
    > server ntp1.belbone.be iburst
    > server ntp1.kamino.fr iburst
    > server timeserver.ntp.ch iburst
    > server canon.inria.fr iburst
    > server ntp.probe-networks.de iburst
    >
    > driftfile /var/lib/ntp.drift
    >
    > logfile /var/log/ntp/ntp.log
    >
    > statsdir /var/log/ntp/
    > statistics loopstats peerstats clockstats
    > filegen loopstats file loopstats type day enable
    > filegen peerstats file peerstats type day enable
    >
    > --
    > Dennis Hilberg, Jr. timekeeper(at)dennishilberg(dot)com
    > NTP Server Information: http://saturn.dennishilberg.com/ntp.php



