[Solved] Lost System Timing...Is this NTP configured properly?

Linux Kernel, Network, and Services configuration.
Augie77
Posts: 71
Joined: 2024-03-23 04:05
Has thanked: 19 times
Been thanked: 9 times

[Solved] Lost System Timing...Is this NTP configured properly?

#1 Post by Augie77 »

This past Friday, little Miss Bookworm had a tantrum and tossed all her timing toys out the pram. She was put into time-out for a while until I read enough to figure it out. Luckily this involved only reading and no rithmatic. It did afford me the opportunity to remove Mint from my drive and rely only on Debian, which frankly, after only a week, I am more comfortable with.

I did add the directory var/log/ntpsec as recommended per the /etc/ntpsec/ntp.conf file, though I have not seen any logs in there. I have the ntp.conf place holder in /etc. If you have any suggestions, tips, or additional reading material, I am open to it.

Thanks for looking at this for me.

----

I decided to use the time.nist.gov time server, for no particular reason other than I know it will ( I hope ) always be there.

Code: Select all

ntpq -p
     remote                                   refid      st t when poll reach   delay   offset   jitter
=======================================================================================================
 0.pool.time.nist.gov                    .DNS.           16 u    -  68m    0   0.0000   0.0000   0.0000


I am not certain why I get the insufficient permissions on the file, other than I was not at root when the below command was issued.

Code: Select all

systemctl status ntp
● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-04-08 09:35:56 EDT; 1h 1min ago
       Docs: man:ntpd(8)
    Process: 1050 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 1057 (ntpd)
      Tasks: 1 (limit: 18794)
     Memory: 12.4M
        CPU: 203ms
     CGroup: /system.slice/ntpsec.service
             └─1057 /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec

Warning: some journal files were not opened due to insufficient permissions.


The system is syncing, but no idea why NTP service is N/A.

Code: Select all

timedatectl status 
               Local time: Mon 2024-04-08 10:38:22 EDT
           Universal time: Mon 2024-04-08 14:38:22 UTC
                 RTC time: Mon 2024-04-08 14:38:22
                Time zone: US/Eastern (EDT, -0400)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no


The below was from the root user. I believe the bottom two lines are from the nist main server not being known, the servers it points to are then resolved? I can edit ntp.conf and change to those particular servers, not certain I want to do that though.

Code: Select all

systemctl status ntp
● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-04-08 09:35:56 EDT; 1h 5min ago
       Docs: man:ntpd(8)
    Process: 1050 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 1057 (ntpd)
      Tasks: 1 (limit: 18794)
     Memory: 12.4M
        CPU: 212ms
     CGroup: /system.slice/ntpsec.service
             └─1057 /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec

Apr 08 09:35:57 lou ntpd[1057]: DNS: dns_check: processing 0.pool.time.nist.gov, 1, 20921
Apr 08 09:35:57 lou ntpd[1057]: DNS: dns_check: DNS error: -2, Name or service not known
Apr 08 09:35:57 lou ntpd[1057]: DNS: dns_take_status: 0.pool.time.nist.gov=>error, 12
Apr 08 09:36:03 lou ntpd[1057]: IO: Listen normally on 4 enp0s31f6 206.248.211.38:123
Apr 08 09:36:03 lou ntpd[1057]: IO: Listen normally on 5 enp0s31f6 [fe80::aaa1:59ff:feac:557c%2]:123
Apr 08 09:36:03 lou ntpd[1057]: IO: new interface(s) found: waking up resolver
Apr 08 09:36:03 lou ntpd[1057]: DNS: dns_probe: 0.pool.time.nist.gov, cast_flags:1, flags:20921
Apr 08 09:36:03 lou ntpd[1057]: DNS: dns_check: processing 0.pool.time.nist.gov, 1, 20921
Apr 08 09:36:03 lou ntpd[1057]: DNS: dns_check: DNS error: -2, Name or service not known
Apr 08 09:36:03 lou ntpd[1057]: DNS: dns_take_status: 0.pool.time.nist.gov=>error, 12
 
Last edited by Augie77 on 2024-04-09 03:12, edited 1 time in total.

Aki
Global Moderator
Posts: 3086
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 76 times
Been thanked: 418 times

Re: Lost System Timing...Is this NTP configured properly?

#2 Post by Aki »

Hello,

According to your logs:
Augie77 wrote: 2024-04-08 15:12

Code: Select all

Apr 08 09:35:57 lou ntpd[1057]: DNS: dns_check: processing 0.pool.time.nist.gov, 1, 20921
Apr 08 09:35:57 lou ntpd[1057]: DNS: dns_check: DNS error: -2, Name or service not known
Apr 08 09:35:57 lou ntpd[1057]: DNS: dns_take_status: 0.pool.time.nist.gov=>error, 12
[..]
Apr 08 09:36:03 lou ntpd[1057]: DNS: dns_probe: 0.pool.time.nist.gov, cast_flags:1, flags:20921
Apr 08 09:36:03 lou ntpd[1057]: DNS: dns_check: processing 0.pool.time.nist.gov, 1, 20921
Apr 08 09:36:03 lou ntpd[1057]: DNS: dns_check: DNS error: -2, Name or service not known
Apr 08 09:36:03 lou ntpd[1057]: DNS: dns_take_status: 0.pool.time.nist.gov=>error, 12

The name 0.pool.time.nist.gov of the ntp server is unknown. For example:

Code: Select all

$ ntpdig 0.pool.time.nist.gov
ntpdig: lookup of 0.pool.time.nist.gov failed, errno -2 = Name or service not known
ntpdig: no eligible servers

while:

Code: Select all

$ ntpdig time.nist.gov
2024-04-08 20:19:02.552135 (+0200) -0.015481 +/- 0.105696 time.nist.gov 132.163.96.4 s1 no-leap

or:

Code: Select all

$ ntpdig 0.debian.pool.ntp.org
2024-04-08 20:20:35.409808 (+0200) +0.024334 +/- 0.063763 0.debian.pool.ntp.org 85.199.214.99 s1 no-leap

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

Augie77
Posts: 71
Joined: 2024-03-23 04:05
Has thanked: 19 times
Been thanked: 9 times

Re: Lost System Timing...Is this NTP configured properly?

#3 Post by Augie77 »

Aki ... yep, I figured that out a bit ago, I think. In the ntp.conf file I had used server 0.pool.time.nist.gov prefer iburst which is incorrect it seems. I changed that to pool time.nist.gov iburst and the results are below. I think I have it correct now.

Code: Select all


systemctl status ntp
● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-04-08 15:18:40 EDT; 9s ago
       Docs: man:ntpd(8)
    Process: 31256 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 31261 (ntpd)
      Tasks: 1 (limit: 18794)
     Memory: 10.6M
        CPU: 57ms
     CGroup: /system.slice/ntpsec.service
             └─31261 /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec

 ntpd[31261]: IO: Listening on routing socket on fd #22 for interface updates
 ntpd[31261]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
 ntpd[31261]: INIT: Built with OpenSSL 3.0.9 30 May 2023, 30000090
 ntpd[31261]: INIT: Running with OpenSSL 3.0.11 19 Sep 2023, 300000b0
 ntpd[31261]: NTSc: Using system default root certificates.
 ntpd[31261]: DNS: dns_probe: time.nist.gov, cast_flags:8, flags:101
 ntpd[31261]: DNS: dns_check: processing time.nist.gov, 8, 101
 ntpd[31261]: DNS: Pool taking: 132.163.96.6
 ntpd[31261]: DNS: Pool taking: 2610:20:6f97:97::4
 ntpd[31261]: DNS: dns_take_status: time.nist.gov=>good, 8

ntpq -p
     remote                                   refid      st t when poll reach   delay   offset   jitter
=======================================================================================================
 time.nist.gov                           .POOL.          16 p    -  256    0   0.0000   0.0000   0.0002
+time-e-b.nist.gov                       .NIST.           1 u   43   64    1  48.2605 121.8131   0.0164
 time-d-wwv.nist.gov                     .INIT.          16 u    -   64    0   0.0000   0.0000   0.0002



timedatectl status
               Local time: Mon 2024-04-08 15:20:09 EDT
           Universal time: Mon 2024-04-08 19:20:09 UTC
                 RTC time: Mon 2024-04-08 19:20:09
                Time zone: US/Eastern (EDT, -0400)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no


P.S. big thanks to @sunrat for the new inline code feature.

Augie77
Posts: 71
Joined: 2024-03-23 04:05
Has thanked: 19 times
Been thanked: 9 times

Re: Lost System Timing...Is this NTP configured properly?

#4 Post by Augie77 »

Actually, I still did not like the look of the above so I went back and made the pool line look like this: pool time.nist.gov iburst prefer. Now, I have the ' * ' by a server and that seems to be much better.

Code: Select all

ntpq -p
     remote                                   refid      st t when poll reach   delay   offset   jitter
=======================================================================================================
 time.nist.gov                           .POOL.          16 p    -  256    0   0.0000   0.0000   0.0002
*time-e-b.nist.gov                       .NIST.           1 u   56   64  377  48.2030 122.1964  78.8280
 time-d-wwv.nist.gov                     .INIT.          16 u    - 1024    0   0.0000   0.0000   0.0002
+time-a-wwv.nist.gov                     .NIST.           1 u    5   64  377  44.7581 119.2116  89.2718
 time-e-g.nist.gov                       .INIT.          16 u    -   64    0   0.0000   0.0000   0.0002
+time-d-wwv.nist.gov                     .NIST.           1 u   42   64   77  50.2550  24.3240  71.6861
 time-e-b.nist.gov                       .INIT.          16 u    -   64    0   0.0000   0.0000   0.0002

Code: Select all

systemctl status ntp

● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-04-08 15:18:40 EDT; 29min ago
       Docs: man:ntpd(8)
    Process: 31256 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 31261 (ntpd)
      Tasks: 1 (limit: 18794)
     Memory: 10.5M
        CPU: 171ms
     CGroup: /system.slice/ntpsec.service
             └─31261 /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec

 ntpd[31261]: DNS: dns_probe: time.nist.gov, cast_flags:8, flags:101
 ntpd[31261]: DNS: dns_check: processing time.nist.gov, 8, 101
 ntpd[31261]: DNS: Pool skipping: 132.163.97.4
 ntpd[31261]: DNS: Pool taking: 2610:20:6f96:96::6
 ntpd[31261]: DNS: dns_take_status: time.nist.gov=>good, 8
 ntpd[31261]: DNS: dns_probe: time.nist.gov, cast_flags:8, flags:101
 ntpd[31261]: DNS: dns_check: processing time.nist.gov, 8, 101
 ntpd[31261]: DNS: Pool taking: 128.138.141.172
 ntpd[31261]: DNS: Pool skipping: 2610:20:6f96:96::6
 ntpd[31261]: DNS: dns_take_status: time.nist.gov=>good, 8

Code: Select all

timedatectl status
               Local time: Mon 2024-04-08 15:51:34 EDT
           Universal time: Mon 2024-04-08 19:51:34 UTC
                 RTC time: Mon 2024-04-08 19:51:34
                Time zone: US/Eastern (EDT, -0400)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no
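
Added example, not written by anyone in this thread: a parser for the `ntpq -p` billboard that reports whether a system peer is selected and how many sources are actually answering, run on the rows from posts #1 and #4. The function names and the `min_sources=3` threshold (borrowed from the `minsane 3` line in the posted ntp.conf) are assumptions of this example.

```python
# Column-1 tally codes printed by `ntpq -p` (subset).
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier",
         "x": "falseticker", " ": "not selected"}

HEADER = (" remote refid st t when poll reach delay offset jitter\n"
          + "=" * 60 + "\n")
# Rows copied from posts #1 and #4 of this thread, column padding collapsed.
POST1 = HEADER + " 0.pool.time.nist.gov .DNS. 16 u - 68m 0 0.0000 0.0000 0.0000\n"
POST4 = HEADER + """\
 time.nist.gov .POOL. 16 p - 256 0 0.0000 0.0000 0.0002
*time-e-b.nist.gov .NIST. 1 u 56 64 377 48.2030 122.1964 78.8280
 time-d-wwv.nist.gov .INIT. 16 u - 1024 0 0.0000 0.0000 0.0002
+time-a-wwv.nist.gov .NIST. 1 u 5 64 377 44.7581 119.2116 89.2718
 time-e-g.nist.gov .INIT. 16 u - 64 0 0.0000 0.0000 0.0002
+time-d-wwv.nist.gov .NIST. 1 u 42 64 77 50.2550 24.3240 71.6861
 time-e-b.nist.gov .INIT. 16 u - 64 0 0.0000 0.0000 0.0002
"""


def parse_billboard(text):
    """Parse raw `ntpq -p` output into one dict per row below the ==== rule."""
    rows, body = [], False
    for line in text.splitlines():
        if line.startswith("="):
            body = True
            continue
        fields = line[1:].split()          # column 1 is the tally code
        if not body or len(fields) != 10:
            continue
        rows.append({
            "tally": TALLY.get(line[0], "other"),
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            # reach is an octal shift register of the last 8 polls (377 = all answered)
            "answered": bin(int(fields[6], 8)).count("1"),
            "offset_ms": float(fields[8]),
        })
    return rows


def assess(rows, min_sources=3):
    """Return a list of findings; an empty list means the peer set looks healthy."""
    # A .POOL. row is the pool placeholder, not a time source.
    peers = [r for r in rows if r["refid"] != ".POOL."]
    # Stratum 16 means unsynchronized; answered == 0 means no reply in the last 8 polls.
    usable = [r for r in peers if r["stratum"] < 16 and r["answered"] > 0]
    findings = []
    if not any(r["tally"] == "system peer" for r in usable):
        findings.append("no system peer selected")
    if len(usable) < min_sources:
        findings.append(f"{len(usable)} usable source(s), want {min_sources}")
    return findings


if __name__ == "__main__":
    print("post #1:", assess(parse_billboard(POST1)))
    print("post #4:", assess(parse_billboard(POST4)))
```

On the post #1 row this reports no system peer and no usable source, even though `timedatectl` in the same post shows "System clock synchronized: yes", so the billboard is the place to check whether ntpd has a working upstream.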

Augie77
Posts: 71
Joined: 2024-03-23 04:05
Has thanked: 19 times
Been thanked: 9 times

Re: Lost System Timing...Is this NTP configured properly?

#5 Post by Augie77 »

Looks like it is polling every 4 minutes...

Code: Select all

root@augie:/home/augie# journalctl -r -t ntpd
Apr 08 16:07:30 augie ntpd[1112]: DNS: dns_take_status: time.nist.gov=>good, 8
Apr 08 16:07:30 augie ntpd[1112]: DNS: Pool taking: 2610:20:6f15:15::27
Apr 08 16:07:30 augie ntpd[1112]: DNS: Pool skipping: 132.163.96.2
Apr 08 16:07:30 augie ntpd[1112]: DNS: dns_check: processing time.nist.gov, 8, 121
Apr 08 16:07:30 augie ntpd[1112]: DNS: dns_probe: time.nist.gov, cast_flags:8, flags:121
Apr 08 16:03:14 augie ntpd[1112]: DNS: dns_take_status: time.nist.gov=>good, 8
Apr 08 16:03:14 augie ntpd[1112]: DNS: Pool taking: 2610:20:6f96:96::4
Apr 08 16:03:14 augie ntpd[1112]: DNS: Pool taking: 132.163.96.2
Apr 08 16:03:14 augie ntpd[1112]: DNS: dns_check: processing time.nist.gov, 8, 121
Apr 08 16:03:14 augie ntpd[1112]: DNS: dns_probe: time.nist.gov, cast_flags:8, flags:121
Apr 08 15:58:58 augie ntpd[1112]: DNS: dns_take_status: time.nist.gov=>good, 8
Apr 08 15:58:58 augie ntpd[1112]: DNS: Pool taking: 2610:20:6f97:97::6
Apr 08 15:58:58 augie ntpd[1112]: DNS: Pool taking: 128.138.140.44
Apr 08 15:58:58 augie ntpd[1112]: DNS: dns_check: processing time.nist.gov, 8, 121
Apr 08 15:58:58 augie ntpd[1112]: DNS: dns_probe: time.nist.gov, cast_flags:8, flags:121
Apr 08 15:58:58 augie ntpd[1112]: IO: new interface(s) found: waking up resolver

I do have one warning about restrict nopeer ignored. I read on that, did not understand it, so will go over it again.

Code: Select all

Apr 08 15:58:51 augie ntpd[1112]: CLOCK: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2024-12-28T00:00Z last=2017-01>
Apr 08 15:58:51 augie ntpd[1112]: CLOCK: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): good hash signature
Apr 08 15:58:51 augie ntpd[1112]: CONFIG: restrict nopeer ignored
Apr 08 15:58:51 augie ntpd[1112]: CONFIG: readconfig: parsing file: /etc/ntpsec/ntp.conf
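
Added example, not written by anyone in this thread: the ntpd DNS journal lines from posts #1/#2 and #5 grouped into lookups, so that a source name that never resolves and the spacing between pool lookups can be read off directly. The function names are assumptions of this example, as is the year 2024 (journal lines carry no year; it is taken from the post dates).

```python
import re
from datetime import datetime

# Excerpts copied from this thread: post #1 (oldest first), post #5 (journalctl -r).
JOURNAL_POST1 = """\
Apr 08 09:35:57 lou ntpd[1057]: DNS: dns_check: DNS error: -2, Name or service not known
Apr 08 09:35:57 lou ntpd[1057]: DNS: dns_take_status: 0.pool.time.nist.gov=>error, 12
"""
JOURNAL_POST5 = """\
Apr 08 16:07:30 augie ntpd[1112]: DNS: dns_take_status: time.nist.gov=>good, 8
Apr 08 16:07:30 augie ntpd[1112]: DNS: Pool taking: 2610:20:6f15:15::27
Apr 08 16:07:30 augie ntpd[1112]: DNS: Pool skipping: 132.163.96.2
Apr 08 16:03:14 augie ntpd[1112]: DNS: dns_take_status: time.nist.gov=>good, 8
Apr 08 16:03:14 augie ntpd[1112]: DNS: Pool taking: 2610:20:6f96:96::4
Apr 08 16:03:14 augie ntpd[1112]: DNS: Pool taking: 132.163.96.2
Apr 08 15:58:58 augie ntpd[1112]: DNS: dns_take_status: time.nist.gov=>good, 8
Apr 08 15:58:58 augie ntpd[1112]: DNS: Pool taking: 2610:20:6f97:97::6
Apr 08 15:58:58 augie ntpd[1112]: DNS: Pool taking: 128.138.140.44
"""

LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ ntpd\[\d+\]: DNS: (.*)$")
STATUS = re.compile(r"dns_take_status: (\S+)=>(\w+), \d+")


def parse_attempts(text, newest_first=False, year=2024):
    """Return one dict per finished lookup: when, name, status, taken, skipped, error."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if newest_first:                 # journalctl -r prints the newest entry first
        lines.reverse()
    attempts, cur = [], {"taken": [], "skipped": [], "error": None}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                 # not an ntpd "DNS:" line
        stamp, msg = m.groups()
        if msg.startswith("Pool taking: "):
            cur["taken"].append(msg.split(": ", 1)[1])
        elif msg.startswith("Pool skipping: "):
            cur["skipped"].append(msg.split(": ", 1)[1])
        elif msg.startswith("dns_check: DNS error: "):
            cur["error"] = msg.split("DNS error: ", 1)[1]
        elif (s := STATUS.match(msg)):   # dns_take_status closes one lookup
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            attempts.append({"when": when, "name": s.group(1),
                             "status": s.group(2), **cur})
            cur = {"taken": [], "skipped": [], "error": None}
    return attempts


def never_resolved(attempts):
    """Names for which no lookup ever came back 'good'."""
    good = {a["name"] for a in attempts if a["status"] == "good"}
    return sorted({a["name"] for a in attempts} - good)


def lookup_gaps(attempts, name):
    """Seconds between consecutive lookups of one name."""
    times = sorted(a["when"] for a in attempts if a["name"] == name)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

On these excerpts, 0.pool.time.nist.gov never resolves and the time.nist.gov lookups are 256 s apart, the same value as the poll column on the .POOL. row of `ntpq -p` in posts #3 and #4.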

Augie77
Posts: 71
Joined: 2024-03-23 04:05
Has thanked: 19 times
Been thanked: 9 times

Re: Lost System Timing...Is this NTP configured properly?

#6 Post by Augie77 »

It looks like my timing issue has been resolved; below is the ntp.conf file from etc/ntpsec/ in the event it may be of use to someone else that wants to use the U.S. based time.nist.gov servers. I am still wondering about the 'restrict nopeer ignored' warning, but am not going to lose sleep over it just yet.

It took some reading, installing ntp, and some experimenting but it was worth the effort.

Code: Select all

# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list

# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable

# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# This should be maxclock 7, but the pool entries count towards maxclock.
tos maxclock 11

# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 4 minsane 3

# Specify one or more NTP servers.

# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
#
#
pool time.nist.gov iburst prefer
pool debian.pool.ntp.org iburst
pool debian.pool.ntp.org iburst
pool debian.pool.ntp.org iburst
pool debian.pool.ntp.org iburst

# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict default kod nomodify nopeer noquery limited

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

Last edited by Augie77 on 2024-04-09 12:38, edited 2 times in total.

donald
Debian Developer, Site Admin
Posts: 1131
Joined: 2021-03-30 20:08
Has thanked: 189 times
Been thanked: 249 times

Re: [Solved] Lost System Timing...Is this NTP configured properly?

#7 Post by donald »

@Augie77 You need to have a minimum of 4 servers to have your ntpsec (right, ntpsec right?) running properly, else the time is not valid for any machine that you are serving else your system's clock sans offset or reference clock will eventually drift.

maxclock needs to be an odd number +3 or +5 from the minclock setting.

If you have maxclock at 11 that means that your minclock is 7, meaning you have 7 active servers to query for time.

The value between is the number of servers held to query against, PLUS the pool entries. pools are one thing but servers are another. However both count for maxclock and minclock.

This would be:

Code: Select all

server
server
server
server
server
server
server
pool
pool
pool
pool

Above shows 7 servers and 4 pool servers for a value of 11 for your maxclock.

Having NIST clocks as time sources is great but you should ALWAYS have a local stratum 1 and a distant stratum 1 in your config in addition to those entries. When your system is stable after 3+ running days, then apply the same logic with 2 stratum 2 servers. This average will give your instance the best chances of good time.

Pool servers are great and your system will do the transit math for you, but the local time from a stratum 1 clock tends to become your master clock, the one with the '*' next to it. Remember that other factors will weigh in as well like latency for example and the source your instance selects may wind up being a distant clock with the '*' due to lesser latency.

You should enable statistics, this is critical if your ntp server is the ntp source for your network. You need this setup so that you can track the performance and make adjustments to your configuration with actual and usable data.

Code: Select all

statsdir /var/log/ntp-stats/
filegen loopstats file loopstats type week enable

If you need more help ask in the thread.


Think you are a nerd now? Wait until you make time for it. :)
Typo perfectionish.


"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank

Aki
Global Moderator
Posts: 3086
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 76 times
Been thanked: 418 times

Re: [Solved] Lost System Timing...Is this NTP configured properly?

#8 Post by Aki »

@Best_Threads
