ntp: pool and nopeer in ntp.conf (-current)
by drumz from LinuxQuestions.org on (#5GHCY)
I installed -current (Fri Apr 9 20:21:07 UTC 2021) last Friday (fresh install) and added these lines to the default /etc/ntp.conf:
Code:
server 192.168.1.192 prefer
pool 0.us.pool.ntp.org
pool 1.us.pool.ntp.org
Note we have a local NTP server on our local network, but then I also added pool servers as a kind of backup in case the local server goes down.
After starting up ntpd and letting it run for a while, I see this endlessly in /var/log/ntp:
Code:
12 Apr 15:27:14 ntpd[1648]: Soliciting pool server 159.203.82.102
12 Apr 15:28:14 ntpd[1648]: Soliciting pool server 107.172.97.205
12 Apr 15:28:21 ntpd[1648]: Soliciting pool server 194.0.5.123
12 Apr 15:29:18 ntpd[1648]: Soliciting pool server 162.159.200.123
12 Apr 15:29:27 ntpd[1648]: Soliciting pool server 103.151.145.7
12 Apr 15:30:25 ntpd[1648]: Soliciting pool server 172.86.181.76
12 Apr 15:30:34 ntpd[1648]: Soliciting pool server 138.236.128.36
12 Apr 15:31:31 ntpd[1648]: Soliciting pool server 104.171.113.34
12 Apr 15:31:40 ntpd[1648]: Soliciting pool server 50.205.57.38
12 Apr 15:32:35 ntpd[1648]: Soliciting pool server 137.190.2.4
12 Apr 15:32:44 ntpd[1648]: Soliciting pool server 69.89.207.99
And further info:
Code:
# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*192.168.1.192 10.223.0.8 5 u 11 64 377 0.136 +0.202 2.278
0.us.pool.ntp.o .POOL. 16 p - 64 0 0.000 +0.000 0.000
1.us.pool.ntp.o .POOL. 16 p - 64 0 0.000 +0.000 0.000
After some internet searching I found the cause of the repeated "Soliciting pool server" messages is the presence of "nopeer" in my restrict line in ntp.conf. See:
https://github.com/geerlingguy/ansib...-ntp/issues/85
https://github.com/geerlingguy/ansible-role-ntp/pull/84
https://bugs.ntp.org/show_bug.cgi?id=2657
https://unix.stackexchange.com/quest...xx-xxx-xxx-xxx
And here is what the ntp.conf man page has to say:
Code:
nopeer Deny unauthenticated packets which would result in mobilizing a new
association. This includes broadcast and symmetric active packets
when a configured association does not exist. It also includes pool
associations, so if you want to use servers from a pool directive and
also want to use nopeer by default, you'll want a restrict source ...
line as well that does not include the nopeer directive.
So I simply added:
Code:
restrict source limited kod nomodify notrap noquery
restrict -6 source limited kod nomodify notrap noquery
to my ntp.conf. Here is my complete /etc/ntp.conf for reference:
Code:
# Sample /etc/ntp.conf: Configuration file for ntpd.
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
#
# NTP server (list one or more) to synchronize with:
#server 0.pool.ntp.org iburst
#server 1.pool.ntp.org iburst
#server 2.pool.ntp.org iburst
#server 3.pool.ntp.org iburst
server 192.168.1.192 prefer
pool 0.us.pool.ntp.org
pool 1.us.pool.ntp.org
#
# Full path of a directory where statistics files should be created
#
statsdir /var/lib/ntp/stats
#
# Location of an alternate log file to be used instead of the default system syslog(3) facility
#
logfile /var/log/ntp
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
#
# Location of PID file
#
pidfile /var/run/ntpd.pid
#
# Uncomment to use a multicast NTP server on the local subnet:
#multicastclient 224.0.1.1 # listen on default 224.0.1.1
# Set an optional compensation for broadcast packet delay:
#broadcastdelay 0.008
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 640 owned by root:ntp) and define the key number to
# be used for making requests.
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will.
#
#keysdir /etc
#keys /etc/ntp.keys
#trustedkey 65535
#requestkey 65535
#controlkey 65535
#
# Don't serve time or stats to anyone else by default (more secure)
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict source limited kod nomodify notrap noquery
restrict -6 source limited kod nomodify notrap noquery
#
# Use these lines instead if you do want to serve time and stats to
# other machines on the network:
#restrict default limited kod nomodify notrap nopeer
#restrict -6 default limited kod nomodify notrap nopeer
#
# Trust ourselves. :-)
restrict 127.0.0.1
restrict ::1
Now when starting ntpd I have a few "Soliciting pool server" messages, but then they stop (they go for less than 1 minute, and now after ntpd being up for over 12 hours there are no new messages in the logs).
Furthermore, I now have this from "ntpq -p":
Code:
# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*192.168.1.192 10.223.0.8 5 u 72 1024 377 0.256 -0.845 1.835
0.us.pool.ntp.o .POOL. 16 p - 64 0 0.000 +0.000 0.000
1.us.pool.ntp.o .POOL. 16 p - 64 0 0.000 +0.000 0.000
+buf.frangipani. 209.51.161.238 2 u 273 1024 377 70.595 +11.283 0.960
+any.time.nl 216.218.254.202 2 u 858 1024 337 27.963 +12.047 2.362
+ac-ntp0.net.cmu 128.237.148.140 2 u 189 1024 377 83.728 +12.470 2.043
+rain.bz .PPS. 1 u 171 1024 377 62.423 +7.414 1.342
+linode1.ernest- 198.72.72.10 3 u 389 1024 377 67.088 +2.838 4.477
+ntp1.wiktel.com .PPS. 1 u 17 1024 377 72.491 +14.773 3.929
+pool-71-168-219 216.239.35.0 2 u 620 1024 377 75.745 +15.078 1.360
+108.61.73.243 209.51.161.238 2 u 167 1024 377 71.452 +11.775 3.502
+23.157.160.168 209.51.161.238 2 u 400 1024 377 67.018 +12.803 2.087
+50-205-244-112- 50.205.244.27 2 u 334 1024 377 64.412 +9.239 1.717
+time.cloudflare 10.72.8.8 3 u 294 1024 377 62.264 +17.625 2.604
+b1-66er.matrix. 129.6.15.30 2 u 447 1024 367 74.696 +13.364 2.108
+ntp.xtom.com 204.123.2.72 2 u 428 1024 377 25.001 +11.803 1.973
+44.190.40.123 216.218.254.202 2 u 460 1024 377 25.530 +10.815 2.528
+dev1.sjelab.net 10.252.0.245 2 u 403 1024 377 25.660 +14.126 1.204
+c-68-54-100-49. 128.10.252.6 2 u 587 1024 377 86.784 +4.900 3.302
+h69-130-244-141 64.250.105.237 3 u 323 1024 377 62.259 +16.595 3.760
+198.255.68.106 164.67.62.194 2 u 137 1024 377 44.574 -2.824 2.327
My questions for those more familiar with ntp:
1) Should I have been worried about all those log entries? I think so, because I think it indicates my computer was spamming the pool servers (not being nice).
2) Are those added lines ("restrict source limited kod nomodify notrap noquery") "safe"?
3) And request for -current: Should those 2 added lines also be included in Slackware's default /etc/ntp.conf, perhaps commented out and with a comment explaining they should be used if using "pool" servers? Something like: "Additionally use these lines if using the "pool" command; see the "nopeer" entry in the ntp.conf man page."
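As an added example (not from the post or from Slackware's sample file), a small lint pass over ntp.conf text that flags exactly the interaction the man page excerpt above describes: a "pool" directive combined with "nopeer" on the default restriction but no "restrict source" line for that address family. The two sample configs are constructed for the check, and it assumes (as in current ntpd) that a restrict line without -4/-6 covers both families.

```python
# Constructed sample configs (not the poster's file): the failing layout and the fixed one.
CONF_BEFORE = """
server 192.168.1.192 prefer
pool 0.us.pool.ntp.org
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
CONF_AFTER = CONF_BEFORE + """
restrict source limited kod nomodify notrap noquery
restrict -6 source limited kod nomodify notrap noquery
"""

def parse_restrictions(text):
    """Return (has_pool, {(family, target): set(flags)}) for default/source restrictions."""
    has_pool = False
    restricts = {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tokens:
            continue
        if tokens[0] == "pool":
            has_pool = True
        elif tokens[0] == "restrict" and len(tokens) >= 2:
            rest = tokens[1:]
            families = ("4", "6")  # assumed: a bare restrict line covers both families
            if rest[0] in ("-4", "-6"):
                families, rest = (rest[0][1],), rest[1:]
            if rest and rest[0] in ("default", "source"):
                for fam in families:
                    restricts[(fam, rest[0])] = set(rest[1:])
    return has_pool, restricts

def check_pool_nopeer(text):
    """List findings; an empty list means pool associations are not blocked by nopeer."""
    has_pool, restricts = parse_restrictions(text)
    findings = []
    if not has_pool:
        return findings  # nothing is mobilised from a pool, so nopeer cannot bite here
    for fam in ("4", "6"):
        if "nopeer" not in restricts.get((fam, "default"), set()):
            continue  # default restriction already lets new associations mobilise
        source = restricts.get((fam, "source"))
        if source is None:
            findings.append(f"IPv{fam}: pool + nopeer on default, no 'restrict source' line: "
                            "ntpd keeps soliciting pool servers it then refuses")
        elif "nopeer" in source:
            findings.append(f"IPv{fam}: 'restrict source' still carries nopeer")
    return findings
```

Running check_pool_nopeer on CONF_BEFORE reports one finding per address family, and on CONF_AFTER it reports none.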