Eric S. Raymond writes:
> Some details aren't settled yet. Mark wants to go to an Apache-style
> conf.d setup where all snippets in a specified directory are
> interpreted, but I'd like us to prove the general concept before I try
> getting cute with the scanner code.

Until that happens we could add a script that collects these snippets
into a single ntp.conf file instead.

> Please review. If you have a snippet you think is generally useful
> enough to add, let's see it.

I'm not sure about that 64s part in the iburst explanation. My
understanding is that ntpd starts up with minpoll=3, so the requests to
a server would initially be 8s apart and then grow to whatever maxpoll
is set to. With iburst you start out with 2s spaced requests, so
essentially minpoll=1, which you can't set otherwise anymore (minpoll
is limited to at least 3 IIRC).

Proposal:
>From 2f8b18105773f9bc346e9e5e6c79feee58ee7863 Mon Sep 17 00:00:00 2001 From: Achim Gratz <strom...@stromeko.de> Date: Sun, 12 Jun 2016 09:35:15 +0200 Subject: [PATCH 1/2] refactor logging snippets --- etc/use-driftfile | 8 ++++++++ etc/use-minimal-logging | 8 -------- etc/use-no-remote-configuration | 25 +++++++++++++++++++------ etc/use-ntpstats-logging | 18 ++++++++++++++++++ etc/use-performance-logging | 18 ------------------ etc/use-verbose-logging | 9 +++++++++ 6 files changed, 54 insertions(+), 32 deletions(-) create mode 100644 etc/use-driftfile delete mode 100644 etc/use-minimal-logging create mode 100644 etc/use-ntpstats-logging delete mode 100644 etc/use-performance-logging create mode 100644 etc/use-verbose-logging diff --git a/etc/use-driftfile b/etc/use-driftfile new file mode 100644 index 0000000..4179422 --- /dev/null +++ b/etc/use-driftfile @@ -0,0 +1,8 @@ +# Minimal logging - we declare a drift file and that's it. + +driftfile /var/lib/ntp/ntp.drift + +# The following sets edit modes for GNU EMACS +# Local Variables: +# mode:conf +# End: diff --git a/etc/use-minimal-logging b/etc/use-minimal-logging deleted file mode 100644 index 4179422..0000000 --- a/etc/use-minimal-logging +++ /dev/null @@ -1,8 +0,0 @@ -# Minimal logging - we declare a drift file and that's it. - -driftfile /var/lib/ntp/ntp.drift - -# The following sets edit modes for GNU EMACS -# Local Variables: -# mode:conf -# End: diff --git a/etc/use-no-remote-configuration b/etc/use-no-remote-configuration index 7d2c54e..17ffe9b 100644 --- a/etc/use-no-remote-configuration +++ b/etc/use-no-remote-configuration 
@@ -1,13 +1,26 @@ # Exchange time with everybody, but don't allow configuration. # This is the right security setup for 99% of deployments. - -# Note: due to a bug, restrict nopeer can't be used with the pool keyword. -restrict default kod limited nomodify notrap nopeer noquery +# +restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery -# Local users may interrogate the NTP server more closely. -restrict 127.0.0.1 -restrict -6 ::1 +# Local users may interrogate the NTP server more closely, but make +# changes only when authenticated. +# +restrict 127.0.0.1 noserve notrust +restrict -6 ::1 noserve notrust + +# Authentication uses keyid 1. If you have no key file, you can +# create it (with an SHA1 key) with the follwing commands: +# +# sudo echo "1 SHA1 $(tr -dc '[:alnum:]' < /dev/urandom | head -c 20)" > /etc/ntp.keys +# sudo chown :ntp /etc/ntp.keys +# sudo chmod o-rwx ntp.keys +# +keys /etc/ntp.keys # path for keys file +trustedkey 1 # define trusted keys +requestkey 1 # key (7) for accessing server variables +controlkey 1 # key (6) for accessing server variables # The following sets edit modes for GNU EMACS # Local Variables: diff --git a/etc/use-ntpstats-logging b/etc/use-ntpstats-logging new file mode 100644 index 0000000..aa3caed --- /dev/null +++ b/etc/use-ntpstats-logging @@ -0,0 +1,18 @@ +# Collect NTP performance statistics for analysis + +driftfile /var/lib/ntp/ntp.drift + +statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + +logfile /var/log/ntpd.log +logconfig =syncall +clockall +peerall +sysall + +# The following sets edit modes for GNU EMACS +# Local Variables: +# mode:conf +# End: diff --git a/etc/use-performance-logging b/etc/use-performance-logging deleted file mode 100644 index aa3caed..0000000 
--- a/etc/use-performance-logging +++ /dev/null @@ -1,18 +0,0 @@ -# Collect NTP performance statistics for analysis - -driftfile /var/lib/ntp/ntp.drift - -statsdir /var/log/ntpstats/ - -statistics loopstats peerstats clockstats -filegen loopstats file loopstats type day enable -filegen peerstats file peerstats type day enable -filegen clockstats file clockstats type day enable - -logfile /var/log/ntpd.log -logconfig =syncall +clockall +peerall +sysall - -# The following sets edit modes for GNU EMACS -# Local Variables: -# mode:conf -# End: diff --git a/etc/use-verbose-logging b/etc/use-verbose-logging new file mode 100644 index 0000000..c7e1f84 --- /dev/null +++ b/etc/use-verbose-logging @@ -0,0 +1,9 @@ +# Collect verbose NTPd logs + +logfile /var/log/ntpd.log +logconfig =syncall +clockall +peerall +sysall + +# The following sets edit modes for GNU EMACS +# Local Variables: +# mode:conf +# End: -- 2.8.3
>From 979fcc0e13e9fbce1a9669d375b5b1f487c1b690 Mon Sep 17 00:00:00 2001 From: Achim Gratz <strom...@stromeko.de> Date: Sun, 12 Jun 2016 09:36:25 +0200 Subject: [PATCH 2/2] rework ntppool configuration example --- etc/use-country-pool | 37 ------------------------------------- etc/use-ntppool | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 37 deletions(-) delete mode 100644 etc/use-country-pool create mode 100644 etc/use-ntppool diff --git a/etc/use-country-pool b/etc/use-country-pool deleted file mode 100644 index f3f9500..0000000 --- a/etc/use-country-pool +++ /dev/null 
@@ -1,37 +0,0 @@ -# If you have no other local chimers to help NTP perform sanity checks -# then you can use some public chimers from the NTP public pool: -# http://www.pool.ntp.org/en/ -# -# iburst tells it to send the first few requests at 2 second intervals rather -# than wait for the poll interval which defaults to 64 seconds. That greatly -# speeds up the time for ntpd to set the system time and start responding to -# requests. -# -# Notice we use the 'us' country code servers, otherwise we might get -# pool servers from opposite sides of the planet accuracy would likely -# be poor. If you are not in the USA, then it will probably wrk to -# change the 'us' to your two letter country code. -# -# Major Internet-using countries with pools include: -# us gb de fr ru au at ca cn jp de fi it be br cz hk -# -# If you don't know your country code, find it at -# -# https://en.wikipedia.org/wiki/ISO_3166-1 -# -# and then try pinging prepending it to ".pool.ntp.org" and pinging that. -# hostname. If you get a response, you can use it. -# -# Note: in theory we could use the "pool" keyboard here. There is some -# controvery over whether it is implemented correctly. One known problem -# (a bug in ntpd) is that it can't be used with restrict nopeer. -# -server 0.us.pool.ntp.org iburst -server 1.us.pool.ntp.org iburst -server 2.us.pool.ntp.org iburst -server 3.us.pool.ntp.org iburst - -# The following sets edit modes for GNU EMACS -# Local Variables: -# mode:conf -# End: diff --git a/etc/use-ntppool b/etc/use-ntppool new file mode 100644 index 0000000..0b2156a --- /dev/null +++ b/etc/use-ntppool 
@@ -0,0 +1,42 @@ +# If you have no other local chimers to help NTP perform sanity checks +# then you can use some public chimers from the NTP public pool: +# http://www.pool.ntp.org/en/ +# Please follow the link to the "continental zones" and from there to +# your "country zone" to select an appropriate NTP server pool for +# your location. +# +# Notice we use the 'us' country code servers, otherwise we might get +# pool servers from opposite sides of the planet and accuracy would +# likely be poor. If you are not in the USA, then you should change +# the pool zone from 'us' to your continental or country zone. +# +# Since we use the "pool" keyword here, the restrict specifications +# must not contain nopeer or no new associations can be mobilized. +# Since our restrict defaults contain nopeer, specify the restrict for +# the pool address explicitly. +# +# iburst tells it to send the first few requests at 2 second intervals +# rather than wait for the poll interval which defaults to 64 seconds. +# That greatly speeds up the time for ntpd to set the system time and +# start responding to requests. +# +# One pool line is sufficent (the number of clocks can be adjusted via +# the tos keyword if necessary). If you have multiple local ntp +# servers, you can chose a different pool for each to increase the +# diversity of servers offered from the pool. +# +# PLEASE ADJUST THE NTP POOL ZONE +# +server 0.us.pool.ntp.org iburst +restrict 0.us.pool.ntp.org notrap nomodify noquery +#server 1.us.pool.ntp.org iburst +#restrict 1.us.pool.ntp.org notrap nomodify noquery +#server 2.us.pool.ntp.org iburst +#restrict 2.us.pool.ntp.org notrap nomodify noquery +#server 3.us.pool.ntp.org iburst +#restrict 3.us.pool.ntp.org notrap nomodify noquery + +# The following sets edit modes for GNU EMACS +# Local Variables: +# mode:conf +# End: -- 2.8.3
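Review bot: in the etc/use-ntppool hunk the comments and the directives disagree: the text says "Since we use the "pool" keyword here" and "One pool line is sufficent", but the only active directive is `server 0.us.pool.ntp.org iburst`, which mobilizes a single association to whichever address the resolver returns, so there is nothing to sanity-check against and the nopeer discussion does not apply; either change it to `pool 0.us.pool.ntp.org iburst` or keep `server` and uncomment the other three, and make the comment match. Also `restrict 0.us.pool.ntp.org notrap nomodify noquery` binds to the address that name resolves to when the restrict line is parsed, which need not be any address the pool hands out afterwards; with the `pool` keyword, `restrict source notrap nomodify noquery` applies to every association the pool mobilizes. Typos: `sufficent` should read `sufficient`, `chose` should read `choose`.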
Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Wavetables for the Waldorf Blofeld: http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables
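The message above proposes a script that collects the use-* snippets into a single ntp.conf. As an added example that is not part of the patch series or the NTPsec tree, here is such a collector that also refuses a combination in which a single-valued directive (driftfile, logfile, statsdir, keys) is declared by more than one snippet, as use-driftfile and use-ntpstats-logging both would; the snippet contents are constructed here to mirror the patch, and the snippet directory is a hypothetical temp dir.

```shell
#!/bin/sh
# Added example, not part of the patch series. Snippet contents below
# are constructed to mirror the patch: use-driftfile and
# use-ntpstats-logging both set driftfile.

# Create a temporary snippet directory (hypothetical layout) and print its path.
make_sample_snippets() {
    dir=$(mktemp -d)
    cat > "$dir/use-driftfile" <<'EOF'
# Minimal logging - we declare a drift file and that's it.
driftfile /var/lib/ntp/ntp.drift
# The following sets edit modes for GNU EMACS
# Local Variables:
# mode:conf
# End:
EOF
    cat > "$dir/use-ntpstats-logging" <<'EOF'
# Collect NTP performance statistics for analysis
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
EOF
    cat > "$dir/use-verbose-logging" <<'EOF'
# Collect verbose NTPd logs
logfile /var/log/ntpd.log
logconfig =syncall +clockall +peerall +sysall
EOF
    echo "$dir"
}

# Concatenate the named snippets from $1 (snippet dir) to stdout, dropping
# each snippet's GNU EMACS "Local Variables" trailer; fail on a missing file.
collect_snippets() {
    dir=$1; shift
    for name in "$@"; do
        f="$dir/$name"
        [ -r "$f" ] || { echo "missing snippet: $f" >&2; return 1; }
        printf '# --- %s ---\n' "$name"
        sed '/^# The following sets edit modes/,$d' "$f"
    done
}

# Read a combined config on stdin; return 1 (and name the offenders) if
# driftfile, logfile, statsdir or keys is set more than once.
check_single_valued() {
    dups=$(awk '/^(driftfile|logfile|statsdir|keys)[[:space:]]/ {n[$1]++}
                END {for (d in n) if (n[d] > 1) print d}')
    [ -z "$dups" ] || { echo "set more than once: $dups" >&2; return 1; }
}
```

Typical use is `collect_snippets etc use-driftfile use-ntppool | check_single_valued && collect_snippets etc use-driftfile use-ntppool > ntp.conf`.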
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel