Index: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
===================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
@@ -4237,23 +4237,10 @@
provide clock accuracy in a network.
&os; includes &man.ntpd.8; which can be configured to query
- other NTP servers in order to synchronize the
- clock on that machine or to provide time services to other
- computers in the network. The servers which are queried can be
- local to the network or provided by an ISP.
- In addition, an online
- list of publicly accessible NTP
- servers is available. When choosing a public
- NTP server, select one that is geographically
- close and review its usage policy.
+ other NTP servers to synchronize the clock on
+ that machine or to provide time services to other computers in
+ the network.
- Choosing several NTP servers is
- recommended in case one of the servers becomes unreachable or
- its clock proves unreliable. As ntpd
- receives responses, it favors reliable servers over the less
- reliable ones.
-
This section describes how to configure
ntpd on &os;. Further documentation
can be found in /usr/share/doc/ntp/ in HTML
@@ -4262,99 +4249,210 @@
NTP Configuration
- NTP
- ntp.conf
-
+ NTPOn &os;, the built-in ntpd can
- be used to synchronize a system's clock. To enable
- ntpd at boot time, add
- ntpd_enable="YES" to
- /etc/rc.conf. Additional variables can
- be specified in /etc/rc.conf. Refer to
- &man.rc.conf.5; and &man.ntpd.8; for
- details.
+ be used to synchronize a system's clock.
+ Ntpd is configured using &man.rc.conf.5;
+ variables and /etc/ntp.conf, as detailed
+ in the following sections.
- This application reads /etc/ntp.conf
- to determine which NTP servers to query.
- Here is a simple example of an
- /etc/ntp.conf:
+ Ntpd communicates with its network
+ peers using UDP packets. Any firewalls between your machine and
+ its NTP peers must be configured to allow UDP packets in and out
+ on port 123.
-
- Sample /etc/ntp.conf
+
+ The /etc/ntp.conf file
- server ntplocal.example.com prefer
-server timeserver.example.org
-server ntp2a.example.net
+ NTP
+ ntp.conf
+
-driftfile /var/db/ntp.drift
-
+ Ntpd reads
+ /etc/ntp.conf
+ to determine which NTP servers to query.
+ Choosing several NTP servers is recommended
+ in case one of the servers becomes unreachable or its clock proves
+ unreliable. As ntpd receives responses,
+ it favors reliable servers over the less reliable ones. The servers
+ which are queried can be local to the network, provided by an
+ ISP, or selected from an
+ online list of publicly accessible NTP
+ servers.
+ When choosing a public NTP server, select one
+ that is geographically close and review its usage policy. The
+ pool configuration keyword selects one or more
+ servers from a pool of servers. An
+ online list of publicly accessible NTP
+ pools
+ is available, organized by geographic area. In addition, &os;
+ provides a project-sponsored pool,
+ 0.freebsd.pool.ntp.org.
- The format of this file is described in &man.ntp.conf.5;.
- The server option specifies which servers
- to query, with one server listed on each line. If a server
- entry includes prefer, that server is
- preferred over other servers. A response from a preferred
- server will be discarded if it differs significantly from
- other servers' responses; otherwise it will be used. The
- prefer argument should only be used for
- NTP servers that are known to be highly
- accurate, such as those with special time monitoring
- hardware.
+
+ Sample /etc/ntp.conf
+ This is a simple example of an ntp.conf
+ file. It can safely be used as-is; it contains the recommended
+ restrict options for operation on a
+ publicly-accessible network connection.
+
+# Disallow ntpq control/query access. Allow peers to be added only
+# based on pool and server statements in this file.
+restrict default limited kod nomodify notrap noquery nopeer
+restrict source limited kod nomodify notrap noquery
- The driftfile entry specifies which
- file is used to store the system clock's frequency offset.
- ntpd uses this to automatically
- compensate for the clock's natural drift, allowing it to
- maintain a reasonably correct setting even if it is cut off
- from all external time sources for a period of time. This
- file also stores information about previous responses
- from NTP servers. Since this file contains
- internal information for NTP, it should not
- be modified.
+# Allow unrestricted access from localhost for queries and control.
+restrict 127.0.0.1
+restrict ::1
- By default, an NTP server is accessible
- to any network host. The restrict option
- in /etc/ntp.conf can be used to control
- which systems can access the server. For example, to deny all
- machines from accessing the NTP server, add
- the following line to
- /etc/ntp.conf:
+# Add a specific server.
+server ntplocal.example.com iburst
- restrict default ignore
+# Add FreeBSD pool servers until 3-6 good servers are available.
+tos minclock 3 maxclock 6
+pool 0.freebsd.pool.ntp.org iburst
-
- This will also prevent access from other
- NTP servers. If there is a need to
- synchronize with an external NTP server,
- allow only that specific server. Refer to &man.ntp.conf.5;
- for more information.
-
+# Use a local leap-seconds file.
+leapfile "/var/db/ntpd.leap-seconds.list"
- To allow machines within the network to synchronize their
- clocks with the server, but ensure they are not allowed to
- configure the server or be used as peers to synchronize
- against, instead use:
+ The format of this file is described in &man.ntp.conf.5;.
+ The descriptions below provide a quick overview of just the
+ keywords used in the sample file above.
- restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+ By default, an NTP server is accessible
+ to any network host. The restrict keyword
+ controls which systems can access the server. Multiple
+ restrict entries are supported, each one
+ refining the restrictions given in previous statements. The
+ values shown in the example grant the local system full query
+ and control access, while allowing remote systems only the
+ ability to query the time. For more details, refer to the
+ Access Control Support subsection of
+ &man.ntp.conf.5;.
- where 192.168.1.0 is the local
- network address and 255.255.255.0 is the network's
- subnet mask.
+ The server keyword specifies a single
+ server to query. The file can contain multiple server keywords,
+ with one server listed on each line. The pool
+ keyword specifies a pool of servers.
+ Ntpd will add one or more
+ servers from this pool as needed to reach the number of peers
+ specified using the tos minclock value. The
+ iburst keyword directs
+ ntpd to perform a burst of eight quick
+ packet exchanges with a server when contact is first established,
+ to help quickly synchronize system time.
- Multiple restrict entries are
- supported. For more details, refer to the Access
- Control Support subsection of
- &man.ntp.conf.5;.
+ The leapfile keyword specifies the location
+ of a file containing information about leap seconds. The file is
+ updated automatically by &man.periodic.8;. The file location
+ specified by this keyword must match the location set in the
+ ntp_db_leapfile variable in
+ /etc/rc.conf.
+
- Once ntpd_enable="YES" has been added
- to /etc/rc.conf,
- ntpd can be started now without
- rebooting the system by typing:
+
+ NTP entries in /etc/rc.conf
- &prompt.root; service ntpd start
+ NTP
+ rc.conf
+
+
+ Set ntpd_enable=YES to start
+ ntpd at boot time. Once
+ ntpd_enable=YES has been added
+ to /etc/rc.conf,
+ ntpd can be started immediately without
+ rebooting the system by typing:
+
+ &prompt.root; service ntpd start
+
+ Only ntpd_enable must be set to use ntpd.
+ The rc.conf variables listed below may also be
+ set as needed.
+
+ Set ntpd_sync_on_start=YES to allow
+ ntpd to step the clock any amount, one
+ time at startup. Normally ntpd will
+ log an error message and exit if the clock is off by more than
+ 1000 seconds. This option is especially useful on systems without
+ a battery-backed realtime clock.
+
+ Set ntpd_oomprotect=YES to protect the
+ ntpd daemon from being killed by
+ the system attempting to recover from an Out Of Memory
+ (OOM) condition.
+
+ Set ntpd_config= to the location of
+ an alternate ntp.conf file.
+
+ Set ntpd_flags= to contain any other
+ ntpd flags as needed, but avoid using
+ these flags which are managed internally by
+ /etc/rc.d/ntpd:
+
+
+ -p (pid file location)
+
+ -c (set ntpd_config=
+ instead)
+
+
+
+
+ Ntpd and the unpriveleged
+ ntpd user
+
+ Ntpd on &os; can start and
+ run as an unpriveleged user. Doing so requires the
+ &man.mac.ntpd.4; policy module. The
+ /etc/rc.d/ntpd startup script first
+ examines the NTP configuration. If possible, it loads the
+ mac_ntpd module, then starts
+ ntpd as unpriveleged user
+ ntpd (user id 123).
+ To avoid problems with file and directory access, the startup
+ script will not automatically start
+ ntpd as ntpd
+ when the configuration contains any file-related options.
+
+ The presence of any of the following in
+ ntpd_flags requires manual configuration
+ as described below to run as the ntpd user:
+
+ -f or --driftfile
+ -i or --jaildir
+ -k or --keyfile
+ -l or --logfile
+ -s or --statsdir
+
+
+ The presence of any of the following keywords in
+ ntp.conf requires manual configuration
+ as described below to run as the ntpd user:
+
+ crypto
+ driftfile
+ key
+ logdir
+ statsdir
+
+
+ To manually configure ntpd
+ to run as user ntpd you must:
+
+ Ensure that the ntpd
+ user has access to all the files and directories specified
+ in the configuration.
+ Arrange for the mac_ntpd
+ module to be loaded or compiled into the kernel. See
+ &man.mac.ntpd.4; for details.
+ Set ntpd_user="ntpd" in
+ /etc/rc.conf
+
+
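Review bot: the sample ntp.conf in this hunk drops the driftfile line that the old example carried, and the paragraph explaining the drift file (that it stores the clock's frequency offset so ntpd can ride out periods without external time sources, and that it should not be hand-edited) is deleted without a replacement; driftfile then reappears only in the list of ntp.conf keywords that prevent the rc script from starting ntpd as the unprivileged ntpd user. Readers upgrading from the old section will look for it, so add a sentence near the sample saying whether a driftfile should be configured and that doing so (or passing -f) requires the manual steps in the last subsection, since the two lists and the "requires manual configuration" sentences otherwise leave the trade-off implicit. Two smaller points: "unpriveleged" is misspelled three times (the subsection title and the two sentences that follow it) and should be "unprivileged"; and the rc.conf values are quoted inconsistently, ntpd_enable=YES and ntpd_sync_on_start=YES unquoted but ntpd_user="ntpd" quoted, where the text being removed used ntpd_enable="YES" throughout. Finally, because "query" is overloaded, the sentence "allowing remote systems only the ability to query the time" would be clearer if it said that noquery blocks ntpq/ntpdc control and status queries while ordinary time requests are still served, matching the comment above the restrict default line.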