Home / server / Questions / 879164
Accepted
Kai Giebeler
Asked: 2017-10-19 13:05:08 +0800 CST

Using host as ntp-client and lxc-router as ntp-server

  • 772

I installed ntpd on my Debian host machine to keep the hardware RTC "up-to-date". By sharing the system's clock the time gets automatically propagated to all installed containers (lxc). One of those containers runs my router.

I'd like to use this router to propagate its time to all interested devices in my networks, so they don't need an internet connection by themselves. I don't want to use the host as server (hopefully disabled by interface ignore all).

How can I install and configure a pure ntp-server in a container, which takes the system's clock as its only reference? It shall never set the clock by itself.

How can I install and configure a pure ntp-client, which doesn't accept incoming connections from other peers and leaks as few informations as possible?

debian

2 Answers

  1. Best Answer

    The configuration of NTP deviates from what I'd call intuitive. It installs, by default, a client which reads and writes the system's clock and starts listening on all interfaces and bridges and eagerly uses them to provide informations about its status without authentication.

    I had a hard time gathering all informations and documentation to get this (hopefully) right. Even the default configuration file contained several statements that aren't covered by the man-pages.

    The following configuration seems to work fine without providing excessive informations and services.

    This is the configuration to be installed on the host machine to enforce a client-only operation:

    >> my-host:/etc/ntp.conf

# stop listening for incoming connections an all interfaces including 0.0.0.0 and [::]
interface ignore all
interface ignore wildcard

# only allow listening on the interface used to contact the time servers
interface listen 10.2.20.2

# your pools or servers
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

# by default drop all incoming connections on all interfaces
restrict default ignore

# unrestriced control for local connections
restrict 127.0.0.1
restrict ::1

# Needed for adding pool entries
restrict source notrap nomodify noquery

    Restarting the service gives us a comprehensible list of listening sockets. (my-host:ntp cannot be avoided because of the way NTPd works.)

    my-host:# netstat -a|grep ntp
udp        0      0 my-host:ntp   0.0.0.0:*
udp        0      0 localhost:ntp 0.0.0.0:*
udp6       0      0 localhost:ntp [::]:*

    This is the configuration to be installed on the router-container to enforce a server-only operation (backed by the system's clock as source of time, thanks to @BillThor):

    >> router:/etc/ntp.conf

# don't update the system's clock
disable kernel

# local clock as preferred and only source
server 127.127.1.0 prefer

# stop listening for incoming connections an all interfaces including 0.0.0.0 and [::]
interface ignore all
interface ignore wildcard

# whitelist addresses to listen on for NTP clients
interface listen 10.1.2.1
interface listen 10.2.2.2
interface listen 10.3.2.3
interface listen 10.4.2.4
interface listen 10.5.2.5

# set "serve" as the only permission given to all listening interfaces per default
restrict default kod notrap nomodify nopeer noquery limited

# unrestriced control for local connections
restrict 127.0.0.1
restrict ::1

# broadcast time (optional)
broadcast 10.1.255.255
broadcast 10.2.255.255
broadcast 10.3.255.255
broadcast 10.4.255.255
broadcast 10.5.255.255

    Restarting the service gives us the local clock as preferred source and a list of (optional) broadcast targets

    router:# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.           5 l   16   64    3    0.000    0.000   0.000
 10.1.255.255    .BCST.          16 B    -   64    0    0.000    0.000   0.000
 10.2.255.255    .BCST.          16 B    -   64    0    0.000    0.000   0.000
 10.3.255.255    .BCST.          16 B    -   64    0    0.000    0.000   0.000
 10.4.255.255    .BCST.          16 B    -   64    0    0.000    0.000   0.000
 10.5.255.255    .BCST.          16 B    -   64    0    0.000    0.000   0.000

    ... and a comprehensible list of listening sockets to serve the local network.

    router:# netstat -a|grep ntp
udp        0      0 router-lan5:ntp 0.0.0.0:*
udp        0      0 router-lan4:ntp 0.0.0.0:*
udp        0      0 router-lan3:ntp 0.0.0.0:*
udp        0      0 router-lan2:ntp 0.0.0.0:*
udp        0      0 router-lan1:ntp 0.0.0.0:*
udp        0      0 localhost:ntp   0.0.0.0:*
udp6       0      0 localhost:ntp   [::]:*

    The disable kernel (thanks to @PaulGear) prohibits the daemon from setting the system's clock which isn't allowed within a typical container. Otherwise it floods the log with:

    ntpd[1568]: adj_systime: Operation not permitted

    On startup there are still some harmless glitches, I don't know how to get rid of:

    ntpd[1568]: start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation not permitted
ntpd[1568]: set_freq: ntp_loopfilter.c line 1082: ntp_adjtime: Operation not permitted
    • 2

  2. Just add the local clock as the server and disable all servers. Fudge the priority so if anyone includes your host as a server they don't think you are running and atomic clock. This is the configuration I use for my servers:

    # Fallback to local clock if all else fails
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10

    To prevent serving time use a restrict clause. 

    restrict 192.168.0.0    mask 255.255.0.0     notrap nomodify nopeer noserve

    Documentation is at ntp.org.

    • 1