OpenNTPD

From ArchWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

OpenNTPD (part of the OpenBSD project) is a daemon that can be used to synchronize the system clock to internet time servers using the Network Time Protocol, and can also act as a time server itself if needed. It implements the Simple Network Time Protocol version 4, as described in RFC 5905, and the Network Time Protocol version 3, as described in RFC 1305.

Installation

Install the openntpd package. The default configuration is actually usable if all you want is to sync the time of the local computer.

Configuration

To configure OpenNTPD, you need to edit /etc/ntpd.conf. See ntpd.conf(5) for all available options.

Tip: After configuring, check the configuration file for validity by executing:
$ ntpd -n

Client

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Document HTTPS constraints. (Discuss in Talk:OpenNTPD)

To sync to a single particular server, uncomment and edit the "server" directive.

/etc/ntpd.conf
server ntp.example.org

The "servers" directive works the same as the "server" directive, however, if the DNS name resolves to multiple IP address, ALL of them will be synced to. The default, "pool.ntp.org" is working and should be acceptable in most cases. You can find the server's URL in your area at www.pool.ntp.org/zone/@.

/etc/ntpd.conf
servers pool.ntp.org

Any number of "server" or "servers" directives may be used.

Server

If you want the computer you run OpenNTPD on to also be a time server, simply uncomment and edit the "listen" directive.

For example:

/etc/ntpd.conf
listen on *

will listen on all interfaces, and

/etc/ntpd.conf
listen on 127.0.0.1
listen onĀ ::1

will only listen on the loopback interface.

Your time server will only begin to serve time after it has synchronized itself to a high resolution. This may take hours, or days, depending on the accuracy of your system.

Usage

Start OpenNTPD at boot

Enable openntpd.service.

Making openntpd dependent upon network access

If you have intermittent network access (you roam around on a laptop, you use dial-up, etc), it does not make sense to have openntpd running as a system daemon on start up. Here are a few ways you can control openntpd based on the presence of a network connection.

Using NetworkManager dispatcher

OpenNTPD can be brought up/down along with a network connection through the use of NetworkManager's dispatcher scripts.

Install networkmanager-dispatcher-openntpdAUR.

Using wicd

Create these two scripts and mark them executable using chmod.

/etc/wicd/scripts/postconnect/openntpd-start.sh
#!/bin/sh
systemctl start openntpd.service
/etc/wicd/scripts/predisconnect/openntpd-stop.sh
#!/bin/sh
systemctl stop openntpd.service

Using dhclient hooks

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: hook example needed (Discuss in Talk:OpenNTPD)

Another possibility is to use dhclient hooks to start and stop openntpd. When dhclient detects a change in state it will run the following scripts:

  • /etc/dhclient-enter-hooks
  • /etc/dhclient-exit-hooks

See dhclient-script(8)

Using dhcpcd hooks

/etc/dhcpcd.exit-hook
if $if_up; then
	systemctl start openntpd.service
elif $if_down; then
	systemctl stop openntpd.service
fi

See dhcpcd-run-hooks(8)

Troubleshooting

Error adjusting time

If you find your time set incorrectly and in log you see:

openntpd adjtime failed: Invalid argument

Try:

# ntpd -d

This is also how you would manually sync your system.

constraint: failed to load constraint ca

OpenNTPD will fail to start on a system with AppArmor if HTTPS constraints are configured in /etc/ntpd.conf. Journal will show constraint: failed to load constraint ca.

This is because AppArmor's usr.sbin.ntpd profile does not have read access to LibreSSL's CA certificate file /etc/libressl/cert.pem.[1]

The solution is to grant access with a local override:

/etc/apparmor.d/local/usr.sbin.ntpd
...
/etc/libressl/{,cert.pem} r,

After editing, reload the AppArmor profile:

# apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd

See also