Eric S. Raymond writes:
> Some details aren't settled yet.  Mark wants to go to an Apache-style
> conf.d setup where all snippets in a specified directory are
> interpreted, but I'd like us to prove the general concept before I try
> getting cute with the scanner code.

Until that happens we could add a script that collects these snippets
into a single ntp.conf file instead.

> Please review.  If you have a snippet you think is generally useful
> enough to add, let's see it.

I'm not sure about that 64s part in the iburst explanation.  My
understanding is that ntpd starts up with minpoll=3, so the requests to a
server would initially be 8s apart and then grow to whatever maxpoll
is set to.  With iburst you start out with 2s spaced requests, so
essentially minpoll=1, which you can't set otherwise anymore (minpoll is
limited to at least 3 IIRC).

Proposal:

From 2f8b18105773f9bc346e9e5e6c79feee58ee7863 Mon Sep 17 00:00:00 2001
From: Achim Gratz <strom...@stromeko.de>
Date: Sun, 12 Jun 2016 09:35:15 +0200
Subject: [PATCH 1/2] refactor logging snippets

---
 etc/use-driftfile               |  8 ++++++++
 etc/use-minimal-logging         |  8 --------
 etc/use-no-remote-configuration | 25 +++++++++++++++++++------
 etc/use-ntpstats-logging        | 18 ++++++++++++++++++
 etc/use-performance-logging     | 18 ------------------
 etc/use-verbose-logging         |  9 +++++++++
 6 files changed, 54 insertions(+), 32 deletions(-)
 create mode 100644 etc/use-driftfile
 delete mode 100644 etc/use-minimal-logging
 create mode 100644 etc/use-ntpstats-logging
 delete mode 100644 etc/use-performance-logging
 create mode 100644 etc/use-verbose-logging

diff --git a/etc/use-driftfile b/etc/use-driftfile
new file mode 100644
index 0000000..4179422
--- /dev/null
+++ b/etc/use-driftfile
@@ -0,0 +1,8 @@
+# Minimal logging - we declare a drift file and that's it.
+
+driftfile /var/lib/ntp/ntp.drift
+
+# The following sets edit modes for GNU EMACS
+# Local Variables:
+# mode:conf
+# End:
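Review bot: the header comment of the new etc/use-driftfile still reads "Minimal logging - we declare a drift file and that's it.", which described the old use-minimal-logging snippet; now that logging has its own snippets the comment should state what this file does, e.g. "# Persist the measured frequency error across restarts." It is also worth a line here that /var/lib/ntp has to be writable by the account ntpd runs as, since ntpd rewrites the drift file periodically after dropping privileges and people will copy this snippet without reading ntp.conf(5).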
diff --git a/etc/use-minimal-logging b/etc/use-minimal-logging
deleted file mode 100644
index 4179422..0000000
--- a/etc/use-minimal-logging
+++ /dev/null
@@ -1,8 +0,0 @@
-# Minimal logging - we declare a drift file and that's it.
-
-driftfile /var/lib/ntp/ntp.drift
-
-# The following sets edit modes for GNU EMACS
-# Local Variables:
-# mode:conf
-# End:
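Review bot: this deletion is byte-for-byte the content added as etc/use-driftfile (same blob index 4179422 on both sides), so the series would be easier to review and would keep the file's history if it were generated with rename detection (git format-patch -M), which collapses this pair of hunks into a single rename entry.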
diff --git a/etc/use-no-remote-configuration b/etc/use-no-remote-configuration
index 7d2c54e..17ffe9b 100644
--- a/etc/use-no-remote-configuration
+++ b/etc/use-no-remote-configuration
@@ -1,13 +1,26 @@
 # Exchange time with everybody, but don't allow configuration.
 # This is the right security setup for 99% of deployments.
-
-# Note: due to a bug, restrict nopeer can't be used with the pool keyword.
-restrict default kod limited nomodify notrap nopeer noquery  
+#
+restrict -4 default kod limited nomodify notrap nopeer noquery
 restrict -6 default kod limited nomodify notrap nopeer noquery
 
-# Local users may interrogate the NTP server more closely.
-restrict 127.0.0.1  
-restrict -6 ::1
+# Local users may interrogate the NTP server more closely, but make
+# changes only when authenticated.
+#
+restrict 127.0.0.1 noserve notrust
+restrict -6 ::1 noserve notrust
+
+# Authentication uses keyid 1.  If you have no key file, you can
+# create it (with an SHA1 key) with the follwing commands:
+#
+#  sudo echo "1 SHA1 $(tr -dc '[:alnum:]' < /dev/urandom | head -c 20)" > /etc/ntp.keys
+#  sudo chown :ntp /etc/ntp.keys
+#  sudo chmod o-rwx ntp.keys
+#
+keys /etc/ntp.keys              # path for keys file
+trustedkey 1                    # define trusted keys
+requestkey 1                    # key (7) for accessing server variables
+controlkey 1                    # key (6) for accessing server variables
 
 # The following sets edit modes for GNU EMACS
 # Local Variables:
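Review bot: the key-generation recipe in the new comment block does not work as written: in `sudo echo "1 SHA1 ..." > /etc/ntp.keys` the redirection is performed by the caller's unprivileged shell before sudo runs, so the write to /etc fails, and `sudo chmod o-rwx ntp.keys` operates on a relative path rather than /etc/ntp.keys. Something like `printf '1 SHA1 %s\n' "$(tr -dc '[:alnum:]' < /dev/urandom | head -c 20)" | sudo tee /etc/ntp.keys >/dev/null`, followed by `sudo chown root:ntp /etc/ntp.keys` and `sudo chmod 640 /etc/ntp.keys`, fixes both and also keeps the key material out of the argument list of sudo/echo, where the current form leaves it readable by any local user via ps. Two smaller points in the same block: "follwing" is a typo, and the controlkey line repeats the requestkey description ("key (6) for accessing server variables") where it should say that controlkey is the key for ntpq control (mode 6) messages and requestkey the key for ntpdc (mode 7) requests.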
diff --git a/etc/use-ntpstats-logging b/etc/use-ntpstats-logging
new file mode 100644
index 0000000..aa3caed
--- /dev/null
+++ b/etc/use-ntpstats-logging
@@ -0,0 +1,18 @@
+# Collect NTP performance statistics for analysis
+
+driftfile /var/lib/ntp/ntp.drift
+
+statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+logfile /var/log/ntpd.log  
+logconfig =syncall +clockall +peerall +sysall
+
+# The following sets edit modes for GNU EMACS
+# Local Variables:
+# mode:conf
+# End:
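Review bot: this snippet repeats directives that now belong to sibling snippets: `driftfile /var/lib/ntp/ntp.drift` is the entire content of etc/use-driftfile and the `logfile`/`logconfig` pair is the entire content of etc/use-verbose-logging, so a conf.d-style setup that includes use-driftfile and use-ntpstats-logging together produces two driftfile lines in one ntp.conf. Trim this file to the statsdir/statistics/filegen lines so that each snippet carries one concern and they can be combined freely. The `logfile /var/log/ntpd.log` line also carries trailing whitespace.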
diff --git a/etc/use-performance-logging b/etc/use-performance-logging
deleted file mode 100644
index aa3caed..0000000
--- a/etc/use-performance-logging
+++ /dev/null
@@ -1,18 +0,0 @@
-# Collect NTP performance statistics for analysis
-
-driftfile /var/lib/ntp/ntp.drift
-
-statsdir /var/log/ntpstats/
-
-statistics loopstats peerstats clockstats
-filegen loopstats file loopstats type day enable
-filegen peerstats file peerstats type day enable
-filegen clockstats file clockstats type day enable
-
-logfile /var/log/ntpd.log  
-logconfig =syncall +clockall +peerall +sysall
-
-# The following sets edit modes for GNU EMACS
-# Local Variables:
-# mode:conf
-# End:
diff --git a/etc/use-verbose-logging b/etc/use-verbose-logging
new file mode 100644
index 0000000..c7e1f84
--- /dev/null
+++ b/etc/use-verbose-logging
@@ -0,0 +1,9 @@
+# Collect verbose NTPd logs
+
+logfile /var/log/ntpd.log  
+logconfig =syncall +clockall +peerall +sysall
+
+# The following sets edit modes for GNU EMACS
+# Local Variables:
+# mode:conf
+# End:
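Review bot: trailing whitespace on the `logfile /var/log/ntpd.log` line (inherited from the old use-performance-logging). Since `logfile` redirects ntpd's messages away from syslog, the comment should mention that rotation of /var/log/ntpd.log has to be arranged outside ntpd (logrotate or similar); unlike the filegen statistics files in the stats snippet, ntpd does not roll this file over by itself.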
-- 
2.8.3

From 979fcc0e13e9fbce1a9669d375b5b1f487c1b690 Mon Sep 17 00:00:00 2001
From: Achim Gratz <strom...@stromeko.de>
Date: Sun, 12 Jun 2016 09:36:25 +0200
Subject: [PATCH 2/2] rework ntppool configuration example

---
 etc/use-country-pool | 37 -------------------------------------
 etc/use-ntppool      | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 37 deletions(-)
 delete mode 100644 etc/use-country-pool
 create mode 100644 etc/use-ntppool

diff --git a/etc/use-country-pool b/etc/use-country-pool
deleted file mode 100644
index f3f9500..0000000
--- a/etc/use-country-pool
+++ /dev/null
@@ -1,37 +0,0 @@
-# If you have no other local chimers to help NTP perform sanity checks
-# then you can use some public chimers from the NTP public pool:
-# http://www.pool.ntp.org/en/
-#
-# iburst tells it to send the first few requests at 2 second intervals rather
-# than wait for the poll interval which defaults to 64 seconds.  That greatly
-# speeds up the time for ntpd to set the system time and start responding to
-# requests.
-#
-# Notice we use the 'us' country code servers, otherwise we might get
-# pool servers from opposite sides of the planet accuracy would likely
-# be poor.  If you are not in the USA, then it will probably wrk to
-# change the 'us' to your two letter country code.
-#
-# Major Internet-using countries with pools include:
-# us gb de fr ru au at ca cn jp de fi it be br cz hk
-#
-# If you don't know your country code, find it at
-#
-# https://en.wikipedia.org/wiki/ISO_3166-1
-#
-# and then try pinging prepending it to ".pool.ntp.org" and pinging that.
-# hostname. If you get a response, you can use it.
-#
-# Note: in theory we could use the "pool" keyboard here. There is some
-# controvery over whether it is implemented correctly.  One known problem
-# (a bug in ntpd) is that it can't be used with restrict nopeer.
-#
-server 0.us.pool.ntp.org iburst
-server 1.us.pool.ntp.org iburst
-server 2.us.pool.ntp.org iburst
-server 3.us.pool.ntp.org iburst
-
-# The following sets edit modes for GNU EMACS
-# Local Variables:
-# mode:conf
-# End:
diff --git a/etc/use-ntppool b/etc/use-ntppool
new file mode 100644
index 0000000..0b2156a
--- /dev/null
+++ b/etc/use-ntppool
@@ -0,0 +1,42 @@
+# If you have no other local chimers to help NTP perform sanity checks
+# then you can use some public chimers from the NTP public pool:
+# http://www.pool.ntp.org/en/
+# Please follow the link to the "continental zones" and from there to
+# your "country zone" to select an appropriate NTP server pool for
+# your location.
+#
+# Notice we use the 'us' country code servers, otherwise we might get
+# pool servers from opposite sides of the planet and accuracy would
+# likely be poor.  If you are not in the USA, then you should change
+# the pool zone from 'us' to your continental or country zone.
+#
+# Since we use the "pool" keyword here, the restrict specifications
+# must not contain nopeer or no new associations can be mobilized.
+# Since our restrict defaults contain nopeer, specify the restrict for
+# the pool address explicitly.
+#
+# iburst tells it to send the first few requests at 2 second intervals
+# rather than wait for the poll interval which defaults to 64 seconds.
+# That greatly speeds up the time for ntpd to set the system time and
+# start responding to requests.
+#
+# One pool line is sufficent (the number of clocks can be adjusted via
+# the tos keyword if necessary).  If you have multiple local ntp
+# servers, you can chose a different pool for each to increase the
+# diversity of servers offered from the pool.
+#
+# PLEASE ADJUST THE NTP POOL ZONE
+#
+server 0.us.pool.ntp.org iburst
+restrict 0.us.pool.ntp.org notrap nomodify noquery
+#server 1.us.pool.ntp.org iburst
+#restrict 1.us.pool.ntp.org notrap nomodify noquery
+#server 2.us.pool.ntp.org iburst
+#restrict 2.us.pool.ntp.org notrap nomodify noquery
+#server 3.us.pool.ntp.org iburst
+#restrict 3.us.pool.ntp.org notrap nomodify noquery
+
+# The following sets edit modes for GNU EMACS
+# Local Variables:
+# mode:conf
+# End:
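Review bot: the comment block says "Since we use the "pool" keyword here", but the active line is `server 0.us.pool.ntp.org iburst`, so the text and the configuration disagree. With `server`, only the one address resolved at startup is used and the nopeer discussion does not apply; with `pool`, the hostname-based `restrict 0.us.pool.ntp.org notrap nomodify noquery` is resolved once at configuration time and therefore does not cover the addresses the pool association mobilizes later. If the pool keyword is the intent, use `pool 0.us.pool.ntp.org iburst` together with `restrict source notrap nomodify noquery`, the template ntpd applies to associations mobilized by pool, which is how distributions pair a nopeer default restriction with pool lines; the comment should then say so instead of asking for nopeer to be dropped. Also "sufficent" and "chose" are typos (sufficient, choose).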
-- 
2.8.3


Regards,
Achim.
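A snippet collector of the kind suggested at the top of this message, written as an added example rather than code from the patch or the ntpsec tree; it assumes snippets named use-* in one directory and rejects the combinations the patches above make possible (a directive such as driftfile appearing twice, and a pool line behind a nopeer default restriction without restrict source).

```shell
#!/bin/sh
# Added example, not part of the patch or the ntpsec tree: collect the
# etc/use-* snippets of a directory into one ntp.conf and refuse
# combinations the snippets cannot express on their own.

# Directives ntpd accepts only once in ntp.conf (assumed list).
SINGLETONS='driftfile logfile statsdir keys controlkey requestkey'

# assemble_ntp_conf SNIPDIR OUT: concatenate SNIPDIR/use-* into OUT with a
# marker per piece, dropping each file's Emacs mode footer and appending a
# single one at the end.  Returns the status of check_ntp_conf.
assemble_ntp_conf() {
    snipdir=$1; out=$2
    : > "$out"
    for f in "$snipdir"/use-*; do
        [ -f "$f" ] || continue
        printf '# --- from %s ---\n' "${f##*/}" >> "$out"
        grep -v -e '^# The following sets edit modes' -e '^# Local Variables:' \
                -e '^# mode:conf' -e '^# End:' "$f" >> "$out" || true
    done
    printf '# Local Variables:\n# mode:conf\n# End:\n' >> "$out"
    check_ntp_conf "$out"
}

# check_ntp_conf CONF: 0 if the assembled file is consistent, 1 otherwise.
check_ntp_conf() {
    conf=$1; rc=0
    for d in $SINGLETONS; do
        n=$(grep -c "^$d[[:space:]]" "$conf" || true)   # grep -c exits 1 on 0 hits
        if [ "$n" -gt 1 ]; then
            echo "error: '$d' given $n times in $conf" >&2; rc=1
        fi
    done
    # The use-ntppool comment notes that nopeer on the default restriction
    # keeps pool associations from being mobilized; 'restrict source' is
    # the usual way to pair the two (assumed convention).
    if grep -q '^pool[[:space:]]' "$conf" &&
       grep '^restrict.*[[:space:]]default[[:space:]]' "$conf" | grep -q nopeer &&
       ! grep -q '^restrict[[:space:]][[:space:]]*source' "$conf"; then
        echo "error: pool with 'restrict default ... nopeer' but no 'restrict source'" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh assemble_snippets.sh /etc/ntp.d /etc/ntp.conf
if [ $# -eq 2 ]; then assemble_ntp_conf "$1" "$2"; fi
```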
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel