On 12/21/23 15:04, Greg Wooledge wrote:
On Thu, Dec 21, 2023 at 02:51:50PM -0500, gene heskett wrote:
can us see your /etc/ntpsec/ntp.conf? And, do you have a
/var/log/ntpsec subdir ownwd by ntpsec:ntpsec?
unicorn:~$ ls -ld /var/log/ntpsec /etc/ntpsec/ntp.conf
ls: cannot access '/var/log/ntpsec': No such file or directory
-rw-r--r-- 1 root root 1922 Jan 16 2023 /etc/ntpsec/ntp.conf
My ntp.conf file was migrated from a Debian 11 /etc/ntp.conf
file, with whatever adjustments the ntp -> ntpsec transition scripts
did to it. Should be very generic, but here you go.
==============================================================================
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
# This should be maxclock 7, but the pool entries count towards maxclock.
tos maxclock 11
# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 4 minsane 3
# Specify one or more NTP servers.
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict default kod nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
==============================================================================
Now let's look for logs.
unicorn:/var/log$ sudo grep ntpsec *
[...]
syslog.1:2023-12-16T15:01:52.641110-05:00 unicorn ntpd[815]: statistics
directory /var/log/ntpsec/ does not exist or is unwriteable, error No such file
or directory
Well, look at that. I wonder why the ntpsec package didn't create that.
Let's take a look at <https://bugs.debian.org/ntpsec> and see if there's
already a report for it.
Here we go: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049424>
"ntpsec: Missing /var/log/ntpsec is logged as an error"
So I guess one's expected to create this themselves, but only if they
care enough to do it...? Weird.
.
unforch it does not create them and in my recent experience it may run
but does not work without being able to log. I created it that subdir
and chowned it, then I went around to my other machines doing likewise
and the other machines now use this one as a stratum 2 server. by
removing the pool 0,1,2,3 entries from their ntp.conf is removing 6
other machines from the traffic into debian's ntp server pool.
Those of us with goodly sized private networks hiding behind a NATing
router should do that to reduce the load on debians ntp server pool.
Even with a stratum 2 rating, you are still within a microsecond of the
cesium beam clock in Boulder Colorado USA. When I first set it up a week
ago, I quickly found I was part of a pool and had external to my local
network clients, but I finally found how to stop that.
Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
