
Modernize ntp.conf to use the ntpd pool feature.
Closed, Public

Authored by ian on Dec 31 2016, 9:53 PM.

Details

Summary

Our current ntp.conf file configures 3 servers from freebsd.pool.ntp.org using 3 separate 'server' config lines. That can be replaced with a single 'pool' line in modern ntpd.

More than just making the config smaller, the pool feature in ntpd has one major advantage over configuring 3 separate servers from a pool: if a server that was added using a 'pool' statement provides bad time (initially or at some later date), ntpd automatically discards it and configures a new different server from the pool without needing to be restarted.

These changes also add a 'tos' line to control how many pool servers get added, a 'restrict source' line that is required to allow ntpd to add new peers from the pool, and it deletes a 'restrict 127.127.1.0' line that does nothing and should never have been there (127.127.1.0 is not a valid IP address, it's a refclock identifier).

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

ian updated this revision to Diff 23494. Dec 31 2016, 9:53 PM
ian retitled this revision from to Modernize ntp.conf to use the ntpd pool feature..
ian updated this object.
ian edited the test plan for this revision. (Show Details)
ian added reviewers: cy, secteam.
ian set the repository for this revision to rS FreeBSD src repository.
ian updated this revision to Diff 23495. Dec 31 2016, 10:02 PM

Attach the right diff: the 'restrict source' line has to come after 'restrict default' to have the right effect.

roberto accepted this revision. Jan 1 2017, 12:21 AM
roberto edited edge metadata.

Looks good to me, thanks.

This revision is now accepted and ready to land. Jan 1 2017, 12:21 AM
cy accepted this revision. Jan 1 2017, 12:58 AM
cy edited edge metadata.

Looks good. Should we keep a server statement as a comment to document the alternative "old" method? Not a must have though. Either way looks good.

delphij added a subscriber: delphij. Jan 1 2017, 6:33 AM
delphij added inline comments.
etc/ntp.conf
Line 22 (On Diff #23495)

Is the change from 3 (technically there should be 4 for servers) to only 1 intentional?

(Note that I noticed that recent ntp versions are not working very well with pool configuration, but I didn't get a chance to trace that down yet.)

roberto added a comment. Edited Jan 1 2017, 12:32 PM

I haven't changed my configuration yet to check but I did notice that 0.freebsd.pool.ntp.org does return 4 IPv4 addresses.

ian added a comment. Jan 1 2017, 4:14 PM
In D9011#186047, @cy wrote:

Looks good. Should we keep a server statement as a comment to document the alternative "old" method? Not a must have though. Either way looks good.

I thought about adding an example of explicit server config, but it seems confusing to use the pool servers as an example of a non-pool config, and I'm afraid if we used any non-pool real servers, people would just uncomment them and slam somebody's server. Maybe an example with a couple obviously-made-up server names would work.

etc/ntp.conf
Line 22 (On Diff #23495)

It's not a change to 1 server -- because of the "tos minclock 3 maxclock 6" line, ntpd will automatically add 5 servers from freebsd.pool.ntp.org, then if those 5 don't give at least 3 that are providing good time, it will add even more (and eventually drop off the ones that provide lower-quality time). Maybe I should move the "tos" line and its comment to be above the pool statement, so that the comment about automatically getting 3-5 servers is sort of already in scope in your mind when you read the pool comments.

To avoid a lot of traffic at startup, ntpd adds servers from the pool in groups of 4, so when it first starts it adds 4 servers and does iburst (8-packet) exchanges with them. After 4 polling cycles (4 minutes, basically), it will add another group of 4 (or as many more needed to reach the goal of at least 3 good out of 5 total).

I agree that 4 is a good minimum number of servers. I like 5 a wee bit better because of ntpd's majority rule on leap seconds -- it requires more than half, and the comparison in the code is >, not >=, so 3 out of 4 servers would have to be signaling a leap second to be believed. Having an odd number gives an automatic tie-breaker.
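As an added example written for this page (it is not FreeBSD's actual etc/ntp.conf and not part of this review), here is a constructed ntp.conf laid out the way the summary and ian's comment describe: the tos line first, "restrict default" before "restrict source", a single pool statement, and a commented-out explicit server on a non-existent domain, shown next to an old-style config with three explicit servers and the useless "restrict 127.127.1.0" line. A small POSIX sh lint then checks the three points raised in the discussion (no restrict on a refclock id, a pool statement needs "restrict source", and "restrict source" must come after "restrict default"). The restrict flags, hostnames and exact file text are assumptions modeled on the summary, not copied from the committed file.

```shell
#!/bin/sh
# Added example, not FreeBSD's etc/ntp.conf: constructed configs plus a lint
# for the ordering rules discussed in review D9011. Flags and hostnames are
# assumptions.

# Constructed "new style" config: one pool statement, a tos line, and
# "restrict source" placed after "restrict default".
NEW_NTP_CONF='
# ntpd adds servers from the pool until at least 3 give good time and
# keeps at most 6 (see "tos minclock 3 maxclock 6").
tos minclock 3 maxclock 6

# Serve time to anyone, but refuse modification and status queries.
restrict default limited kod nomodify notrap nopeer noquery
# Applies to every server ntpd adds from a pool statement; it has to come
# after "restrict default" to have the intended effect.
restrict source limited kod nomodify notrap noquery
restrict 127.0.0.1
restrict ::1

# A single pool statement configures several servers.
pool 0.freebsd.pool.ntp.org iburst

# Explicit server example; the domain is deliberately non-existent.
#server ntp.example.invalid iburst
'

# Constructed "old style" config for comparison: three explicit servers from
# the pool and the bogus "restrict 127.127.1.0" line (a refclock id, not an IP).
OLD_NTP_CONF='
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
'

# check_ntp_conf: read an ntp.conf on stdin, print "ok" and return 0 if it
# passes, otherwise print the first problem found and return 1.
check_ntp_conf() {
    conf=$(sed 's/#.*//')   # drop comments so commented-out lines are ignored

    # 1. "restrict 127.127.1.0" does nothing: 127.127.x.y names a refclock.
    if printf '%s\n' "$conf" | grep -q '^restrict[[:space:]][[:space:]]*127\.127\.1\.0'; then
        echo "useless 'restrict 127.127.1.0' line (refclock id, not an address)"
        return 1
    fi

    # 2. A pool statement needs "restrict source", or ntpd cannot add peers
    #    from the pool.
    if printf '%s\n' "$conf" | grep -q '^pool[[:space:]]' &&
       ! printf '%s\n' "$conf" | grep -q '^restrict[[:space:]][[:space:]]*source'; then
        echo "pool statement without a 'restrict source' line"
        return 1
    fi

    # 3. "restrict source" must come after "restrict default".
    default_ln=$(printf '%s\n' "$conf" | grep -n '^restrict[[:space:]][[:space:]]*default' | head -n 1 | cut -d: -f1)
    source_ln=$(printf '%s\n' "$conf" | grep -n '^restrict[[:space:]][[:space:]]*source' | head -n 1 | cut -d: -f1)
    if [ -n "$default_ln" ] && [ -n "$source_ln" ] && [ "$source_ln" -lt "$default_ln" ]; then
        echo "'restrict source' appears before 'restrict default'"
        return 1
    fi

    echo ok
    return 0
}

# Usage: lint both constructed configs (the old one is expected to fail).
echo "new config: $(printf '%s\n' "$NEW_NTP_CONF" | check_ntp_conf)"
echo "old config: $(printf '%s\n' "$OLD_NTP_CONF" | check_ntp_conf)"
```

The lint only looks at the statements the review talks about; it is a sanity check for hand-edited files, not a substitute for ntpd's own parser. To run it against a real file, pipe the file in: `check_ntp_conf < /etc/ntp.conf`.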

ian updated this revision to Diff 23515. Jan 1 2017, 6:00 PM
ian edited edge metadata.

Move the tos line and its comment block to the top of the file, so that the later comments about how many pool servers get added make more sense when you're reading the file top to bottom like a first-time user might do.

Update comments to make it more clear that a single pool statement configures multiple servers.

Add an example of specifying a specific server, along with comments about how doing so interacts with also configuring a pool. (And make sure the server example uses a non-existent domain in case someone blindly uncomments it.)

This revision now requires review to proceed. Jan 1 2017, 6:00 PM
cy accepted this revision. Jan 1 2017, 6:16 PM
cy edited edge metadata.

Looks good.

This revision is now accepted and ready to land. Jan 1 2017, 6:16 PM
roberto accepted this revision. Jan 1 2017, 6:24 PM
roberto edited edge metadata.

Fine with me that way, thanks.

This revision was automatically updated to reflect the committed changes.