Keeping your clock current, automatically.

Posted by Steve on Thu 7 Oct 2004 at 07:37

If you have a system which is doing something important, such as handling mail or running as a firewall, it's essential that you keep the correct date and time. This ensures that your logs carry the correct timestamps.

If you're collecting logs from multiple hosts, time becomes even more important. Logfiles with wrong dates and times mean that you'll be comparing entries out of order.

Thankfully there exists a simple protocol for keeping the dates and times of computers connected to a network in sync. It is called NTP, the Network Time Protocol.

There are several packages related to NTP in the Debian archive; probably the simplest is the client ntpdate.

Install it by running, as root, apt-get install ntpdate, and your machine will be automatically set up to sync time from the public servers which have the name pool.ntp.org.

If you wish to point it at an internal time server of your own instead, you can do so by editing the file /etc/default/ntpdate.
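How a clock that runs behind reorders a merged log, and how a known per-host offset restores the order. This is an added example, not part of the original article: the log lines, the host names and the merge_logs / event_order helpers are constructed for illustration, and all timestamps are assumed to fall on the same day.

```shell
#!/bin/sh
# Constructed sample, "HH:MM:SS host message". The clock on "db" runs 6 s
# behind "app", so its INSERT is stamped before the request that caused it.
sample_logs() {
cat <<'EOF'
07:37:05 app request received id=42
07:37:00 db INSERT for id=42
07:37:08 app response sent id=42
EOF
}

# merge_logs "host=seconds ...": read log lines on stdin, add each host's known
# clock offset to its timestamps and print the lines in corrected time order.
merge_logs() {
    awk -v offsets="$1" '
    BEGIN {
        n = split(offsets, pair, " ")
        for (i = 1; i <= n; i++) { split(pair[i], kv, "="); off[kv[1]] = kv[2] }
    }
    {
        split($1, t, ":")
        secs = t[1] * 3600 + t[2] * 60 + t[3] + off[$2]  # unlisted host: +0
        printf "%06d\t%s\n", secs, $0
    }' | sort -s -k1,1n | cut -f2-
}

# event_order: reduce merged output to the sequence of host names.
event_order() { awk '{ s = s (NR > 1 ? " " : "") $2 } END { print s }'; }

echo "uncorrected: $(sample_logs | merge_logs "" | event_order)"
echo "corrected:   $(sample_logs | merge_logs "db=6" | event_order)"
```

The correction only works when the offset is known and constant, which is exactly what an unsynchronised clock does not give you.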

 

 


Posted by ajt (204.193.xx.xx) on Wed 4 May 2005 at 13:13

I have a daily cron job that does this:

#!/bin/bash
/usr/sbin/ntpdate -s
/sbin/hwclock --adjust
/sbin/hwclock --systohc

It seems like a good idea, especially as my Compaq server drifts by as much as 2 seconds per day. -- Adam

[ Parent | Reply to this comment ]

Posted by ajt (204.193.xx.xx) on Mon 15 Aug 2005 at 09:09
On second thoughts it's not such a good idea to use ntpdate on a running system, as the time shift can be large, and it can mess up cron and logging.

Better to use ntpdate on boot and then use a proper ntp daemon such as ntp-simple to carefully and slowly keep the system time correct.

See http://www.hants.lug.org.uk/cgi-bin/wiki.pl?Ntpdate

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]
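A check a cron wrapper could make before touching a running system's clock, following the concern in the comment above. This is an added example, not code from the commenter: the `ntpdate -q` output is constructed, 192.0.2.10 is a documentation address, and the function names are hypothetical. It relies on ntpdate stepping the clock when the error exceeds 0.5 seconds and slewing it otherwise.

```shell
#!/bin/sh
# Constructed `ntpdate -q` output (query only, the clock is not changed).
sample_query() {
cat <<'EOF'
server 192.0.2.10, stratum 2, offset -1.734211, delay 0.04512
 7 Oct 07:37:12 ntpdate[2211]: step time server 192.0.2.10 offset -1.734211 sec
EOF
}

# query_offset: print the offset (seconds) from the summary line on stdin;
# exit 1 if there is none, e.g. "no server suitable for synchronization found".
query_offset() {
    awk '/time server/ { for (i = 1; i < NF; i++) if ($i == "offset") v = $(i + 1) }
         END { if (v == "") exit 1; print v }'
}

# correction_kind OFFSET [LIMIT]: "slew" if |OFFSET| <= LIMIT, otherwise "step".
# LIMIT defaults to 0.5 s, the point at which ntpdate switches to stepping.
correction_kind() {
    awk -v o="$1" -v lim="${2:-0.5}" 'BEGIN {
        if (o < 0) o = -o
        k = (o <= lim) ? "slew" : "step"
        print k
    }'
}

# safe_to_run_live: succeed only when the pending correction would be a slew,
# so the wrapper can skip the run and alert instead of jumping the clock.
# Returns 2 when no offset could be read at all.
safe_to_run_live() {
    off=$(query_offset) || { echo "no usable offset" >&2; return 2; }
    [ "$(correction_kind "$off")" = "slew" ]
}

if sample_query | safe_to_run_live; then
    echo "small offset: safe to correct now"
else
    echo "would step the clock: skip and investigate"
fi
```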

Posted by forrest (208.42.xx.xx) on Sat 21 May 2005 at 19:06
I use chrony.

It keeps track of how much your clock drifts and makes continuous corrections in between ntp updates.

[ Parent | Reply to this comment ]

Posted by Anonymous (69.207.xx.xx) on Wed 31 Aug 2005 at 12:57
I don't get it. Why not just use the ntp package? It's accurate and runs as a daemon, making small adjustments to keep your clock synced with the ntp servers you specify. ntpdate is just supposed to be for boxes that are frequently rebooted as it is intended to be run on startup not as a cron job.
If you don't want the configuration complexity, and don't mind sacrificing a few microseconds of accuracy, there is also OpenBSD's Openntp package. It's in the stable tree now.

[ Parent | Reply to this comment ]

Posted by simonw (212.24.xx.xx) on Mon 5 Sep 2005 at 09:59
I'm confused - I just put the libpcre update on a Sarge box here, and it updated various ntp packages at the same time.

But Sarge NTP hasn't been updated recently.

Some sort of mirror problem perhaps?
I'm using debian.blueyonder.co.uk

The old NTP was working fine ;)

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Mon 5 Sep 2005 at 10:32

The same thing happened to me too.

Running:

apt-get --print-uris upgrade -s

Shows that it is coming from Debian:

http://security.debian.org sarge/updates/main ntpdate 1:4.2.0a+stable-2sarge1

The changelog shows it is a legitimate security fix, for CAN-2005-2496. So nothing to worry about.

The only surprising thing is that I don't see an issued DSA yet...

Steve
--

[ Parent | Reply to this comment ]

Posted by Anonymous (84.45.xx.xx) on Mon 5 Sep 2005 at 20:17
Cheers Steve,

I looked at the change log as well, but I now realise I read the dates as English, when they are American, TWICE, and thought what no releases since January 9th <doh>.

Vote "ISO date format" now!

[ Parent | Reply to this comment ]

Posted by Anonymous (12.42.xx.xx) on Sun 4 Dec 2005 at 23:23
Great article, very informative!

[ Parent | Reply to this comment ]

Posted by Anonymous (194.149.xx.xx) on Fri 24 Mar 2006 at 12:39
With ntp/ntpdate you may want to remove these too:

/etc/init.d/hwclock.sh
/etc/init.d/hwclockfirst.sh
/etc/rc0.d/K25hwclock.sh
/etc/rc6.d/K25hwclock.sh
/etc/rcS.d/S50hwclock.sh
/etc/rcS.d/S18hwclockfirst.sh

[ Parent | Reply to this comment ]

Posted by Anonymous (63.77.xx.xx) on Mon 17 Apr 2006 at 19:10
Works great! I just worked on a problem for 2 hours. I have an app server and database server. I would see the data in the database server but it wasn't showing up on the site! I realized the db server was 6 hours behind...

Thanks for this and this great site.

[ Parent | Reply to this comment ]

Posted by Anonymous (80.65.xx.xx) on Fri 28 Apr 2006 at 11:48
Hi all,

thanks for the tips.

I personally opted for the "easy way" thanks to

apt-get install ntp-simple ntpdate

and just specifying the desired server in both /etc/ntp.conf and /etc/default/ntpdate

Works well IMHO ...

[ Parent | Reply to this comment ]

Posted by Anonymous (70.145.xx.xx) on Mon 19 Mar 2007 at 16:19
This is not as simple as the article makes it seem. I give the instructions on this page a 1/5.

[ Parent | Reply to this comment ]

Posted by Steve (80.68.xx.xx) on Mon 19 Mar 2007 at 16:20

I shall look forward to reading your fully comprehensive article then ...

Steve

[ Parent | Reply to this comment ]

Posted by Anonymous (77.98.xx.xx) on Wed 31 Oct 2007 at 02:45
It doesn't take a guru to work out that you have to execute "ntpdate pool.ntp.org" at the prompt after downloading it through apt.

[ Parent | Reply to this comment ]

Posted by Anonymous (131.215.xx.xx) on Wed 14 Nov 2007 at 00:31
No. It is not necessary.

After "apt-get install ntpdate", a script, called "ntpdate", will be put in
/etc/network/if-up.d/ if you use LAN, or in /etc/ppp/ip-up.d/ if you use a modem.

Thus ntpdate can sync your system whenever you are connecting to the internet.

[ Parent | Reply to this comment ]

Posted by Anonymous (91.125.xx.xx) on Mon 18 Feb 2008 at 20:20
The article I was using just said "apt-get install ntpdate". It did not take a guru to guess it would download and install an ntp client AND RUN IT.
Except the only reason I ended up at this page is it was not changing the time. Ran "ntpdate pool.ntp.org" and Bob's your auntie.

[ Parent | Reply to this comment ]

Posted by Anonymous (189.146.xx.xx) on Wed 11 Jul 2007 at 01:46
I am working on a virtual server, I don't have access to hwclock and my clock system keeps out of date, what can I do?

[ Parent | Reply to this comment ]

Posted by Anonymous (84.76.xx.xx) on Sun 22 Jul 2007 at 21:32
You need to put the correct time in the main machine, like the hypervisor machine in the case of Xen... and this time will be updated in all the virtual machines.

[ Parent | Reply to this comment ]

Posted by Anonymous (203.199.xx.xx) on Tue 23 Oct 2007 at 13:02
We can use the traceroute command to see the nearest time server to pool.ntp.org and then edit the ntpdate file. This worked for me.

[ Parent | Reply to this comment ]

Posted by Anonymous (77.225.xx.xx) on Thu 21 Jun 2012 at 10:05
The order on my server to keep it on time is just:

ntpdate-debian

[ Parent | Reply to this comment ]

Posted by tglassey (67.180.xx.xx) on Wed 12 Sep 2012 at 21:32
The problem you face is that NTP is not an authoritative source of time no matter what you do to it. There is a fundamental disconnect in the use of NTP as it sits today as a source of provable time.

What we suggest also is that any anonymizer functions - i.e. what POOL is - is architecturally a mistake. Time *** MUST *** come from places which are full partners of the clients they support. This is about non-anonymous time, time that is provable and time which comes from authoritative sources.

For instance - is any GNSS an authoritative source of time? No... why? Because the chain of custody was broken in orbit (or at the transmitter). The time that GNSS based services provide is maybe accurate but it is tied to the "Because I said so" evidence model and that's worthless (no, actually it's worse than worthless - it's an actual threat) to any real audit perspective or profile trying to prove TIME AS EVIDENCE.

As to why this is so important - distributed systems use time as their trust anchor. Distributed Logging Systems (all of them) rely on your having the correct time or their code doesn't work. In fact simple offsets between systems may be what was responsible for the crash in the market two weeks ago.

This isn't stuff we get to guess about anymore. The reality is that provable time is key to everything. That means you take time from either professional timekeepers or the governments and pretty much no one else who won't be accountable for how accurate that time is.

Todd Glassey//

[ Parent | Reply to this comment ]
