just joined the pool, a check list - NTP
just joined the pool, a check list
Hello
I've just joined the pool with a server running ntpd 4.2.4p4.
I would like to have done well, so I post here the configuration for
comments if needed.
1/ ntpd is launched with option -g
2/ here is ntpd.conf :
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
driftfile /etc/ntp.drift
server ntp.via.ecp.fr iburst dynamic
server ntp.obspm.fr iburst dynamic
server ntp1.belbone.be iburst dynamic
server ntp1.kamino.fr iburst dynamic
server timeserver.ntp.ch iburst dynamic
server canon.inria.fr
server ntp.probe-networks.de
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
-
Re: just joined the pool, a check list
Cyrille37 wrote:
> Hello
> I've just joined the pool with a server running ntpd 4.2.4p4.
> I would like to have done well, so I post here the configuration for
> comments if needed.
>
> 1/ ntpd is launched with option -g
>
> 2/ here is ntpd.conf :
>
> statsdir /var/log/ntpstats/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
Since you aren't running a clock driver, clockstats won't generate anything.
> driftfile /etc/ntp.drift
I've been told it's bad practice to allow ntpd to write to /etc . You
should use /var/lib/ntp.drift or something similar.
You also don't have a logfile specified.
> server ntp.via.ecp.fr iburst dynamic
> server ntp.obspm.fr iburst dynamic
> server ntp1.belbone.be iburst dynamic
> server ntp1.kamino.fr iburst dynamic
> server timeserver.ntp.ch iburst dynamic
> server canon.inria.fr
> server ntp.probe-networks.de
According to the documentation, the dynamic option isn't supported in the
current implementation. You should use iburst on all your servers.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
You don't specify -4 or -6 with restrict. And don't use the 'noquery'
option as that turns off 'ntpq' and 'ntpdc' queries. A lot of operators
like to know information about their clients. Plus, if you set:
restrict default kod notrap nomodify nopeer noquery
You won't be able to query your server from the local machine, unless you
specify a restriction for it.
Set it up like this:
# Default access restrictions (applies to all clients, local or not)
restrict default kod nopeer nomodify notrap
# Allow localhost unrestricted access
restrict 127.0.0.1
So to summarize, here is a fixed ntp.conf:
# Default access restrictions (applies to all clients)
restrict default kod nopeer nomodify notrap
# Allow localhost unrestricted access
restrict 127.0.0.1
server ntp.via.ecp.fr iburst
server ntp.obspm.fr iburst
server ntp1.belbone.be iburst
server ntp1.kamino.fr iburst
server timeserver.ntp.ch iburst
server canon.inria.fr iburst
server ntp.probe-networks.de iburst
driftfile /var/lib/ntp.drift
logfile /var/log/ntp/ntp.log
statsdir /var/log/ntp/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
--
Dennis Hilberg, Jr. timekeeper(at)dennishilberg(dot)com
NTP Server Information: http://saturn.dennishilberg.com/ntp.php
-
Re: just joined the pool, a check list
Dennis Hilberg, Jr. wrote:
> statsdir /var/log/ntp/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
Oops, might as well remove the 'clockstats' option:
statsdir /var/log/ntpstats/
statistics loopstats peerstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
--
Dennis Hilberg, Jr. timekeeper(at)dennishilberg(dot)com
NTP Server Information: http://saturn.dennishilberg.com/ntp.php
-
Re: just joined the pool, a check list
"Dennis Hilberg, Jr." wrote:
> Cyrille37 wrote:
> > restrict -4 default kod notrap nomodify nopeer noquery
> > restrict -6 default kod notrap nomodify nopeer noquery
>
> You don't specify -4 or -6 with restrict.
Yes you do, otherwise it assumes IPv4, certainly for "default";
bug still open: https://support.ntp.org/bugs/show_bug.cgi?id=320
--
Ronan Flood
-
Re: just joined the pool, a check list
Ronan Flood wrote:
> "Dennis Hilberg, Jr." wrote:
>
>> Cyrille37 wrote:
>>> restrict -4 default kod notrap nomodify nopeer noquery
>>> restrict -6 default kod notrap nomodify nopeer noquery
>> You don't specify -4 or -6 with restrict.
>
> Yes you do, otherwise it assumes IPv4, certainly for "default";
> bug still open: https://support.ntp.org/bugs/show_bug.cgi?id=320
Oops! Sorry, I was going off the documentation, which doesn't mention IPv4
or IPv6 for 'restrict':
http://www.eecis.udel.edu/~mills/ntp/html/accopt.html , unless I missed it
somewhere else. Thanks for the clarification.
--
Dennis Hilberg, Jr. timekeeper(at)dennishilberg(dot)com
NTP Server Information: http://saturn.dennishilberg.com/ntp.php
-
Re: just joined the pool, a check list
On 2007-11-08, Dennis Hilberg, Jr. wrote:
> Ronan Flood wrote:
>
>> "Dennis Hilberg, Jr." wrote:
>>
>>> You don't specify -4 or -6 with restrict.
>>
>> Yes you do, otherwise it assumes IPv4, certainly for "default"; bug
>> still open: https://support.ntp.org/bugs/show_bug.cgi?id=320
>
> Oops! Sorry, I was going off the documentation,
> which doesn't mention IPv4 or IPv6 for 'restrict':
> http://www.eecis.udel.edu/~mills/ntp/html/accopt.html , unless I
> missed it somewhere else. Thanks for the clarification.
See the Community Supported Documentation about ntpd Access Restrictions
at http://support.ntp.org/Support/AccessRestrictions
--
Steve Kostecke
NTP Public Services Project - http://support.ntp.org/
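
The points raised in this thread can be checked mechanically. The following is an added example, not code from any poster or from the NTP project: a small Python lint for the text of an ntp.conf. The finding labels and SAMPLE are constructed here, and the treatment of a bare "restrict default" as IPv4-only follows what the thread says about the bug cited above, so it is an assumption for other ntpd versions.

```python
# Added example: lint an ntp.conf against the points raised in this thread.
# Finding labels are hypothetical; SAMPLE is constructed from the first post.
SAMPLE = """\
statistics loopstats peerstats clockstats
driftfile /etc/ntp.drift
server ntp.via.ecp.fr iburst dynamic
server canon.inria.fr
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
"""

def lint_ntp_conf(text):
    """Return a sorted list of finding labels for the text of an ntp.conf."""
    rows = [l.split("#", 1)[0].split() for l in text.splitlines()]
    rows = [r for r in rows if r]
    found = set()
    if not any(r[0] == "logfile" for r in rows):
        found.add("no-logfile")
    # Reference clock drivers are configured as "server 127.127.t.u".
    refclock = any(r[0] == "server" and r[1:] and r[1].startswith("127.127.")
                   for r in rows)
    default_families, default_noquery, local_exempt = set(), False, False
    for key, *args in rows:
        if key == "driftfile" and args and args[0].startswith("/etc/"):
            found.add("driftfile-in-etc")
        elif key == "server" and args and not args[0].startswith("127.127."):
            if "dynamic" in args:
                found.add("dynamic-option")
            if "iburst" not in args:
                found.add("server-without-iburst")
        elif key == "statistics" and "clockstats" in args and not refclock:
            found.add("clockstats-without-refclock")
        elif key == "restrict":
            # Assumption from the thread: a bare "restrict" is taken as IPv4.
            family = "-6" if "-6" in args else "-4"
            rest = [a for a in args if a not in ("-4", "-6")]
            if rest[:1] == ["default"]:
                default_families.add(family)
                default_noquery |= "noquery" in rest
            elif rest[:1] in (["127.0.0.1"], ["::1"]) and "noquery" not in rest:
                local_exempt = True
    if default_families == {"-4"}:
        found.add("default-restrict-ipv4-only")  # IPv6 clients get no default
    if default_noquery and not local_exempt:
        found.add("noquery-blocks-local-ntpq")   # no localhost exemption line
    return sorted(found)

if __name__ == "__main__":
    for label in lint_ntp_conf(SAMPLE):
        print(label)
```

Run against the "fixed" configuration posted earlier in the thread, the only remaining finding is the IPv4-only default restriction that the later replies point out.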
-
Re: just joined the pool, a check list
Thank you very much Dennis for your corrections!
Best regards
Cyrille.