Setting Up a Virtual NTP Server on Debian
Virtualizing NTP servers has been quite a hot topic for some time, but regardless of what some people say, you can actually virtualize NTP servers, as long as you know what you’re doing. If you examine some public NTP servers more closely, you’ll find that a lot of them are running on AWS, which should attest that virtualization is a viable route to go down.
There are some things, though, that you might want to consider before going down this route, and some special configuration you need to do to make sure everything works as intended.
I’ll be installing NTP on a Debian VM running on VMware ESXi, but the steps are quite similar for most OSs and hypervisors.
Step 1 – Installing NTP
First we need to install NTP:
sudo apt-get install ntp
Step 2 – Configuring NTP
Open up the NTP configuration file (/etc/ntp.conf) in your favourite text editor.
The first thing we need to do is to disable a protection feature in NTP (the panic threshold) that shuts ntpd down if the system clock jumps too much. Add the following line to the top of the configuration file:
tinker panic 0
The reason for this is that VMware sometimes sets the clock when certain operations are performed on a VM, such as snapshot work, vMotion and others, even though you’ve disabled host-guest clock synchronization. VMware has good reasons for doing this, so rather than disabling it we’ll configure NTP to put on its big-boy panties and deal with it.
Next we need to add some NTP servers for the NTP daemon to synchronize with. It’s recommended that you add at least 5 for redundancy, especially if you’re using public NTP servers. As an example we’ll use the European NTP pool servers.
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst
The last thing is to remove any reference to the local system clock (as this is a virtual machine, the system clock is not to be trusted). In most modern distributions the standard NTP configuration doesn’t include this, but if you have any lines like these in your configuration you should remove them.
server 127.127.1.1 # LCL, local clock
fudge 127.127.1.1 stratum 12 # increase stratum
For reference, here’s my configuration:
tinker panic 0

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
Step 3 – Restart NTP and check your configuration
The next step is to restart NTP.
And then we can query NTP to see that it has found some servers to get time from.
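The restart and query commands I would use for this step are `sudo systemctl restart ntp` (on older Debian releases, `sudo service ntp restart`) followed by `ntpq -p`. What you want to see in the `ntpq -p` peer table is one line marked `*` (the peer ntpd has selected as its system peer) and a `reach` column of `377` (the last eight polls all answered). Below is an added helper of mine, not from the original post or from ntp itself, that reads that table and reports whether a system peer exists and which peers are not fully reachable; the `ntpq -p` output it runs over is a constructed sample with example hostnames and addresses, not captured from the author's server.

```shell
#!/bin/sh
# Added example (not from the original post): check the peer table that
# `ntpq -p` prints. The sample below is constructed, not real output.

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   35   64  377    2.123   -0.456   0.321
+ntp2.example.net 192.0.2.11       2 u   40   64  377    3.456    0.789   0.654
-ntp3.example.net 192.0.2.12       3 u   12   64   17   12.345    5.678   1.234
 ntp4.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Column 1 of each peer line is a one-character "tally": "*" is the
# selected system peer, "+" a candidate, "-" an outlier, and a blank
# means the peer was rejected or has not answered yet.

# Print the hostname of the selected system peer, or nothing.
system_peer() {
    awk 'NR>2 && substr($0,1,1)=="*" { print substr($1,2) }'
}

# Print peers whose reach register (octal) is not 377, i.e. at least one of
# the last eight polls got no reply.
unreached_peers() {
    awk 'NR>2 {
        name=$1
        if (substr($0,1,1)!=" ") name=substr(name,2)
        if ($7!="377") print name
    }'
}

# Succeed only if a system peer has been selected.
ntp_synced() {
    [ -n "$(printf '%s\n' "$1" | system_peer)" ]
}

# For a live check, replace the sample with: OUTPUT=$(ntpq -p)
OUTPUT=$SAMPLE_NTPQ
if ntp_synced "$OUTPUT"; then
    echo "synced to $(printf '%s\n' "$OUTPUT" | system_peer)"
else
    echo "no system peer selected yet (ntpd may still be polling)"
fi
echo "peers not fully reachable:"
printf '%s\n' "$OUTPUT" | unreached_peers
```

Right after a restart it is normal to see no `*` and low `reach` values for a minute or two; `iburst` on the server lines shortens that window, which is why the configuration above uses it.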