SLAC CPE Software Engineering Group
Stanford Linear Accelerator Center
System Admin

MCC NTP Configuration

 

 

26-Aug-2022


The Network Time Protocol (NTP) is used to synchronize the time of a computer client to a server or reference time source. It provides client accuracies within a millisecond on LANs. Typical NTP configurations utilize multiple servers and diverse network paths in order to achieve high accuracy and reliability.

There are two servers on LCLSDMZ, providing System Services, including NTP, to clients on controls networks. The servers are only accessible by root, and there are no NFS mounts to any servers.  Security updates will follow the same update rules as our LCLSDMZ Taylor'd servers.  We have up to 10 days for high security patches to be applied. 

The two servers are mccsrv01 as the primary and mccsrv02 as the secondary. For testing, we use lcls-prod01 for the secondary.

Basic Configuration:

- Create the file /etc/ntp/step-tickers listing all time server IPs, so that the clock is reset immediately when the daemon starts.

On ntp servers (mccsrv01 and mccsrv02), using the current NTP servers:

[root@mccsrv01 rc3.d]# cat /etc/ntp/step-tickers
134.79.110.75
134.79.110.10
134.79.110.138
134.79.110.201

On ntp clients

$ cat /etc/ntp/step-tickers
134.79.151.12
134.79.151.13


- cd /var
- mkdir ntp
- mkdir ntp/ntpstats
- chown -R ntp:ntp ntp

NTP is started at boot time. To confirm, run:

/sbin/chkconfig --list | grep ntp

Primary NTP Server Configuration (mccsrv01):

- Configure /etc/ntp.conf as follows (use current data for time servers)

#
# NTP.CONF
#

# a list of time servers

server 134.79.18.40
server 134.79.18.41
server 134.79.18.34
server 134.79.18.35

# Also use the local system clock (127.127.1.0) as a time server; fudge marks the
# local clock as stratum 10, which has a much lower priority than the time servers listed above.
# Thus, the local system clock is used as a time server only if disconnected from SCCS.

server 127.127.1.0
fudge 127.127.1.0 stratum 10

# ntp daemon logging is redirected to /var/log/ntp.log

driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats/

logfile /var/log/ntp.log

# logconfig tells ntpd what to log, not where to log. "Where to log" is determined by the syslog facility.
# Not sure if this is needed, since we have "logfile /var/log/ntp.log".

logconfig -syncstatus

# "restrict default ignore": prohibits general access to ntpd (the ntp service).
# "restrict 127.0.0.1 nomodify notrap nopeer": disallows the local host from modifying ntpd.
# The per-server lines disallow the time servers from querying (ntpq, ntpdc, ntptrace, etc.)
# and from modifying ntpd.

restrict default ignore
restrict 127.0.0.1 nomodify notrap nopeer
restrict 134.79.18.40 noquery nomodify notrap nopeer
restrict 134.79.18.41 noquery nomodify notrap nopeer
restrict 134.79.18.34 noquery nomodify notrap nopeer
restrict 134.79.18.35 noquery nomodify notrap nopeer


# Configure mccsrv01 to serve time to clients on LCLSCA, LCLSDMZ, etc.
# (notice that noquery has been removed), but disallow modifying ntpd.

restrict 172.27.0.0 mask 255.255.0.0 nomodify notrap
restrict 134.79.151.0 mask 255.255.255.0 nomodify notrap
restrict 134.79.176.0 mask 255.255.252.0 nomodify notrap
restrict 134.79.48.0 mask 255.255.252.0 nomodify notrap

Secondary NTP Server Configuration (mccsrv02)

The NTP configuration is the same as on mccsrv01, the primary NTP server, with one line added to /etc/ntp.conf:

# Use mccsrv01 as the time server if disconnected from SCCS. Thus, the primary and secondary
# always stay in sync.

peer 134.79.151.12

 

NTP Clients Configuration (e.g. lcls-srv20)

- Configure /etc/ntp.conf as follows

 

#
# NTP.CONF
#
server 134.79.151.12 #mccsrv01
server 134.79.151.13 #mccsrv02
server 134.79.151.11 #mcc

driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats/
logfile /var/log/ntp.log

restrict default ignore
restrict 127.0.0.1 nomodify notrap nopeer
restrict 134.79.151.12 noquery nomodify notrap nopeer
restrict 134.79.151.13 noquery nomodify notrap nopeer
restrict 134.79.151.11 noquery nomodify notrap nopeer
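
The restrict policy used in the server and client configurations above can be checked mechanically. The following is an added example, not part of the original page or of any SLAC tooling: it parses ntp.conf text and reports time sources that fall under an "ignore" entry or lack nomodify. It assumes IPv4 addresses (not hostnames) on server, peer and restrict lines; the sample file and its RFC 5737 addresses are constructed.

```python
import ipaddress

# Constructed sample (RFC 5737 addresses) with two deliberate gaps.
SAMPLE_CONF = """\
server 192.0.2.10
server 192.0.2.11          # no matching restrict entry
server 127.127.1.0
restrict default ignore
restrict 127.0.0.1 nomodify notrap nopeer
restrict 192.0.2.10 noquery nomodify notrap nopeer
restrict 198.51.100.0 mask 255.255.255.0 notrap
"""

def parse(text):
    # Returns (time sources, [(network, flags)]) from ntp.conf text.
    sources, rules = [], []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if f and f[0] in ("server", "peer"):
            sources.append(f[1])
        elif f and f[0] == "restrict":
            addr, flags, mask = f[1], f[2:], "255.255.255.255"
            if flags[:1] == ["mask"]:
                mask, flags = flags[1], flags[2:]
            net = "0.0.0.0/0" if addr == "default" else f"{addr}/{mask}"
            rules.append((ipaddress.ip_network(net, strict=False), set(flags)))
    return sources, rules

def effective_flags(addr, rules):
    """Flags of the most specific restrict entry that covers addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else set()

def audit_ntp_conf(text):
    sources, rules = parse(text)
    has_default = any(n.prefixlen == 0 and "ignore" in fl for n, fl in rules)
    findings = [] if has_default else ["missing 'restrict default ignore'"]
    for addr in sources:
        if addr.startswith("127.127."):      # reference clock driver, not a host
            continue
        flags = effective_flags(addr, rules)
        if "ignore" in flags:
            findings.append(f"{addr}: time source matches an 'ignore' restrict entry")
        elif "nomodify" not in flags:
            findings.append(f"{addr}: nomodify not set for time source")
    for net, flags in rules:
        if net.prefixlen and "ignore" not in flags and "nomodify" not in flags:
            findings.append(f"{net}: nomodify not set")
    return findings
```

A source that only matches "restrict default ignore" has its replies dropped, so ntpd never synchronises to it; that is why each server line above has its own restrict entry.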

 

Test and Debug

- On servers

[root@mccsrv01 rc3.d]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
+ns3.slac.stanfo 172.18.196.24 2 u 70 128 377 0.194 0.121 0.270
+ns4.slac.stanfo 172.18.196.24 2 u 9 128 377 0.182 0.144 0.023
-lbns1.slac.stan 172.18.196.24 2 u 22 128 377 0.201 0.091 0.047
*lbns2.slac.stan 172.18.196.24 2 u 12 128 377 0.189 0.143 0.012
LOCAL(0) LOCAL(0) 10 l 58 64 377 0.000 0.000 0.001

jingchen@lcls-prod01 $ ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*ns3.slac.stanfo 172.18.196.24 2 u 260 1024 377 0.337 -0.101 0.042
-ns4.slac.stanfo 172.18.196.24 2 u 611 1024 377 0.311 -0.035 0.053
+lbns1.slac.stan 172.18.196.24 2 u 23 1024 377 0.288 -0.091 0.003
+lbns2.slac.stan 172.18.196.24 2 u 307 1024 377 0.305 -0.067 0.037
-mccsrv01.slac.s 134.79.18.35 3 u 541 1024 377 2.220 0.865 0.532

- On clients

[root@lcls-srv20 rc3.d]# /usr/sbin/ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
+mccsrv01.slac.s 134.79.18.35 3 u 407 1024 377 0.149 1.161 0.099
+lcls-prod01.sla 134.79.18.40 3 u 153 1024 377 0.165 1.381 0.140
*mcc.slac.stanfo 134.79.18.40 3 u 415 1024 377 0.610 2.953 0.471

*: the source you are synchronized to.

 

[jingchen@lcls-srv01 ~]$ ntpstat
synchronised to NTP server (134.79.151.12) at stratum 4
time correct to within 82 ms
polling server every 1024 s
[jingchen@lcls-srv01 ~]$ echo $?
0

An exit status of 0 means the clock is synchronised.
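
The checks in this section can be turned into a monitoring test. The following is an added example, not part of the original page: it parses `ntpq -p` output and reports a missing system peer (*), a fallback to the stratum-10 local clock, unanswered polls (reach is an octal 8-bit register, 377 meaning the last eight polls were answered) and large offsets. The sample output, its host names and the 100 ms threshold are constructed assumptions; column 0 of each row is taken to be the tally code, as in real ntpq output.

```python
# Constructed sample in `ntpq -p` layout; hosts and addresses are placeholders.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp-a.example   192.0.2.1        2 u  900  128    0    0.194    0.121   0.270
xntp-b.example   192.0.2.1        2 u  300  128   17    0.182  150.144   0.023
*LOCAL(0)        LOCAL(0)        10 l   58   64  377    0.000    0.000   0.001
"""

def parse_peers(output):
    """Yield one dict per peer row; header and separator rows are skipped."""
    for line in output.splitlines():
        cols = line[1:].split()
        if len(cols) != 10 or cols[0] == "remote":
            continue
        yield {"tally": line[0], "remote": cols[0], "stratum": int(cols[2]),
               "reach": int(cols[6], 8), "offset_ms": float(cols[8])}

def check_sync(output, max_offset_ms=100.0):
    """Return a list of findings; an empty list means the peers look healthy."""
    peers = list(parse_peers(output))
    findings = []
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    if sys_peer is None:
        findings.append("no system peer (*): clock is not synchronised")
    elif sys_peer["remote"].startswith("LOCAL"):
        findings.append("system peer is LOCAL(0): upstream servers are not in use")
    for p in peers:
        missed = 8 - bin(p["reach"]).count("1")   # zero bits = unanswered polls
        if missed:
            findings.append(f"{p['remote']}: {missed} of last 8 polls unanswered")
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset_ms']} ms "
                            f"exceeds {max_offset_ms} ms")
    return findings
```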


 

 



 


 


Created by: Ken Brobeck  26-Apr-2010;

Modified by: Jingchen Zhou 26-August-2010