Setting Up a Virtual NTP Server on Debian


Virtualizing NTP servers has been a contentious topic for some time, but regardless of what some people say, you can virtualize an NTP server, as long as you know what you're doing. If you examine some public NTP servers more closely, you'll find that many of them run on AWS, which should be evidence enough that virtualization is a viable route.

There are a few things, though, that you should consider before going down this route, and some special configuration you need to do to make sure everything works as intended.

I'll be installing NTP on a Debian VM running on VMware ESXi, but the steps are similar for most OSes and hypervisors.

Step 1 – Installing NTP

First we need to install the reference NTP daemon (the ntp package):

sudo apt-get install ntp

Step 2 – Configuring NTP

Open the NTP configuration file in your favourite text editor (as root, since the file is owned by root):

sudo nano /etc/ntp.conf

The first thing we need to do is disable a protection feature in NTP: by default ntpd exits rather than correct the clock if it finds the system clock more than 1000 seconds (the panic threshold) away from its servers. Add the following line at the top of the configuration file; ntp.conf(5) requires tinker to appear before any other configuration option, so the top of the file is the only right place for it:

tinker panic 0

The reason for this is that VMware Tools sometimes sets the guest clock when certain operations are performed on a VM, such as snapshot reverts, vMotion and resume from suspend, even if you've disabled periodic host-guest clock synchronization. There's a good reason VMware does this, so rather than fighting it we'll configure ntpd to put on its big-boy pants and deal with it. Be aware of what you've traded away, though: with the panic threshold disabled, ntpd will step the clock by whatever amount the majority of its servers agree on, however large, so the servers you point it at had better be ones you trust, and having enough of them (next step) matters even more.

Next we need to add some NTP servers for the daemon to synchronize with. Three is the minimum for ntpd's clock-selection algorithm to outvote a single falseticker, so add at least four so that you still have three when one drops out; more is better, especially if you're using public NTP servers. As an example we'll use the European NTP pool servers (each of these names resolves to a rotating set of pool members):

server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst

The last thing is to remove any reference to the local system clock. This is a virtual machine, so its own clock is not to be trusted, and with the local-clock driver configured as a fallback ntpd would keep handing out stratum-12 time to clients after it had lost every upstream instead of marking itself unsynchronized and letting clients reject it. Most modern distributions' stock ntp.conf doesn't include it, but if you have lines like these in your configuration you should remove them:

server 127.127.1.1		# LCL, local clock
fudge  127.127.1.1 stratum 12	# increase stratum

For reference, here's my complete configuration. The two restrict default lines deserve a second look: with nomodify and noquery, anyone who can reach the daemon can ask it for time but cannot change its configuration or pull its state with ntpq/ntpdc control queries, which is what keeps the server from being abused as a query reflector. Only localhost gets the unrestricted access that the ntpq -p check in step 3 needs.

tinker panic 0
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>

server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Step 3 – Restart NTP and check your configuration

Next, restart ntpd so that it picks up the new configuration:

sudo /etc/init.d/ntp restart

Then query ntpd to confirm that it has found servers to take time from (-n skips the reverse DNS lookups, which makes the output appear faster):

ntpq -pn

Give it a minute or so; iburst sends a burst of eight packets to each server at startup, so the first synchronization is quick. In the output, the reach column is an octal register of the last eight polls and should climb to 377 (all eight answered). A * in the first column marks the server ntpd is synchronized to, + marks acceptable candidates, and - or x marks one the selection algorithm has rejected. Until a * appears the daemon is not serving usable time to clients. If the first column stays blank and reach stays at 0, check DNS resolution and outbound UDP port 123 from the VM before blaming the configuration.
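The checks from all three steps, rolled into one script, as an added example that is not part of the original post: lint_ntp_conf verifies that a configuration file has tinker before any server line, no local-clock driver, at least four upstream sources and nomodify/noquery on both default restrict lines; ntp_sync_status parses ntpq -pn output and reports whether a system peer has been selected with a full reach register. The configuration files and ntpq output it writes are constructed samples using documentation addresses, not real servers, and the 100 ms offset ceiling is an assumed threshold, not something from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a virtualised ntpd.
# Assumes ntp.conf(5) syntax and the column layout of `ntpq -pn`; every file
# written below is a constructed sample using documentation addresses.

# lint_ntp_conf FILE: exit 0 when FILE has every property the post relies on.
lint_ntp_conf() {
    conf=$1; rc=0
    # 1. tinker must precede any server/pool/peer line, as ntp.conf(5) requires.
    t_line=$(grep -nE '^[[:space:]]*tinker[[:space:]]' "$conf" | head -n 1 | cut -d: -f1)
    s_line=$(grep -nE '^[[:space:]]*(server|pool|peer)[[:space:]]' "$conf" | head -n 1 | cut -d: -f1)
    if [ -z "$t_line" ]; then
        echo "FAIL: no tinker line"; rc=1
    elif [ -n "$s_line" ] && [ "$t_line" -gt "$s_line" ]; then
        echo "FAIL: tinker (line $t_line) comes after a server line (line $s_line)"; rc=1
    fi
    # 2. No undisciplined local clock: a VM must never serve its own drifting clock.
    if grep -qE '^[[:space:]]*(server|fudge)[[:space:]]+127\.127\.1\.' "$conf"; then
        echo "FAIL: local clock driver 127.127.1.x still configured"; rc=1
    fi
    # 3. At least four upstream sources, so one falseticker can still be outvoted.
    n=$(grep -cE '^[[:space:]]*(server|pool)[[:space:]]' "$conf")
    [ "$n" -ge 4 ] || { echo "FAIL: only $n upstream source(s)"; rc=1; }
    # 4. Both default restrict lines must carry nomodify and noquery.
    for fam in -4 -6; do
        line=$(grep -E "^[[:space:]]*restrict[[:space:]]+$fam[[:space:]]+default" "$conf")
        case "$line" in
            *nomodify*noquery*|*noquery*nomodify*) ;;
            *) echo "FAIL: restrict $fam default lacks nomodify/noquery"; rc=1 ;;
        esac
    done
    return $rc
}

# ntp_sync_status [FILE]: parse `ntpq -pn` output (stdin if no FILE); exit 0 only
# when a system peer (*) is selected, fully reachable and within the assumed 100 ms.
ntp_sync_status() {
    awk -v max_off_ms=100 '
        NR <= 2 { next }                      # skip the header and the ===== rule
        {
            tally = substr($0, 1, 1)          # *, +, -, x, # or blank
            reach = $7; off = $9; if (off < 0) off = -off
            if (reach == "377" && (tally == "*" || tally == "+")) good++
            if (tally == "*" && reach == "377" && $3 < 16 && off <= max_off_ms) synced = 1
        }
        END {
            printf "usable peers: %d, system peer selected: %s\n", good + 0, (synced ? "yes" : "no")
            exit (synced ? 0 : 1)
        }' "${1:-/dev/stdin}"
}

tmp=$(mktemp -d)
# Constructed config that follows the post: tinker first, four sources, no local clock.
cat > "$tmp/good.conf" <<'EOF'
tinker panic 0
driftfile /var/lib/ntp/ntp.drift
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
# Constructed config with every mistake the post warns about.
cat > "$tmp/bad.conf" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
tinker panic 0
server 127.127.1.1              # LCL, local clock
fudge  127.127.1.1 stratum 12   # increase stratum
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer noquery
EOF
# Constructed `ntpq -pn` output from a healthy daemon and from one that just started.
cat > "$tmp/synced.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   34   64  377    0.812   -0.041   0.120
+192.0.2.11      192.0.2.10       2 u   29   64  377    1.204    0.133   0.098
+192.0.2.12      192.0.2.10       2 u   31   64  377    1.530   -0.220   0.151
 192.0.2.13      .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
cat > "$tmp/starting.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .GPS.            1 u    2   64    1    0.812   -0.041   0.000
 192.0.2.11      192.0.2.10       2 u    1   64    1    1.204    0.133   0.000
EOF

for f in good bad; do
    echo "== $f.conf"; lint_ntp_conf "$tmp/$f.conf" && echo "OK"
done
for f in synced starting; do
    echo "== $f"; ntp_sync_status "$tmp/$f.txt" || echo "not synchronised yet"
done
```

On a live host, run lint_ntp_conf /etc/ntp.conf and ntpq -pn | ntp_sync_status (the function reads standard input when no file is given); a non-zero exit from either is a reason not to point clients at this VM yet. The lint deliberately counts pool lines as sources too, since newer ntpd versions accept a pool directive that expands one name into several associations.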
