Time Sync problems
I've noticed that the internal server time is 3 minutes adrift of the NTP time servers and it isn't possible within Plesk control panel to set a NTP time-server to correct this.
This could have severe implications for anyone using Kerberos or other time-sensitive services.
I tried starting the ntpd daemon included in the VE image, using /etc/init.d/ntpd start but it fails with:
ntpd 4.2.0a@1.1196-r Fri May 12 09:51:35 EDT 2006 (1)
precision = 2.000 usec
Listening on interface wildcard, 0.0.0.0#123
Listening on interface lo, 127.0.0.1#123
Listening on interface venet0, 127.0.0.1#123
kernel time sync status 0040
getaddrinfo: "127.0.0.1" invalid host address, ignored
Cannot find user `ntp'
parent died before we finished, exiting
I checked /etc/passwd and the ntp user exists. I did some searching and discovered this is some kind of bug, but there doesn't seem to have been a fix published - at least that I could identify.
Affinity/Gate need to set the host server(s) to sync time with a valid Stratum-2 NTP server as per www.pool.ntp.org (http://www.pool.ntp.org) so that the VE times are automatically in sync.
I've discovered a solution to this, but that's led to other problems, some of which would need to be applied on the host OS. I'm working through them slowly.
It seems that the error Cannot find user 'ntp' is caused by:
For some unknown reason, ntpd.c gets null response from getpwnam(user). *user is "ntp" and user ntp exists in /etc/passwd. A test program doing the exact same thing returns a valid passwd struct.
The solution is to run a shell command within the option string in /etc/sysconfig/ntpd
# comment out broken options (userid not found)
# OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"
OPTIONS="-u `getent passwd ntp|cut -f 3 -d :`"
In the bash shell, anything surrounded by back-ticks (`) is treated as a command that should be executed and its output replaces the back-ticked command.
In this case getent retrieves the ntp user line from /etc/passwd database and passes it to cut which extracts the 3rd field (-f 3) where each field is delimited by a colon (-d : ).
The 3rd field is the UID (User ID) of the ntp user.
With that solved, a new error appears in /var/log/messages:
ntpd 4.2.0a@1.1196-r Fri May 12 09:51:35 EDT 2006 (1)
precision = 2.000 usec
Listening on interface wildcard, 0.0.0.0#123
Listening on interface lo, 127.0.0.1#123
Listening on interface venet0, 127.0.0.1#123
kernel time sync status 0040
getaddrinfo: "127.0.0.1" invalid host address, ignored
cap_set_proc() failed to drop root privileges: Operation not permitted
parent died before we finished, exiting
This problem is due to the module capability not being loaded when the kernel has been compiled with CONFIG_SECURITY (See Failed to drop root privileges (http://gentoo-wiki.com/HOWTO_NTP#Failed_to_drop_root_privileges)).
As this is running in a virtual environment we cannot load modules, so Gate/Affinity support need to apply
$ modprobe capability
on the host and ensure this is executed on booting using chkconfig.
For the time being I'm allowing ntpd to run as root but it would be safer to run with restricted privileges.
/etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default.
#OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"
#OPTIONS="-u `getent passwd ntp|cut -f 3 -d :`"
OPTIONS="-p /var/run/ntpd.pid"
# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no
/etc/ntp.step-tickers tells ntpd which server to use if, when it starts, the time of the local system is so far out that the regular adjustment would not be made.
0.north-america.pool.ntp.org
/etc/ntp.conf
restrict 127.0.0.1
# --- OUR TIMESERVERS -----
restrict 0.north-america.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 1.north-america.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 2.north-america.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
ntpd is now running but there is an issue with resolving the servers!
getaddrinfo: "127.0.0.1" invalid host address, ignored
getaddrinfo: "0.north-america.pool.ntp.org" invalid host address, ignored
getaddrinfo: "1.north-america.pool.ntp.org" invalid host address, ignored
getaddrinfo: "2.north-america.pool.ntp.org" invalid host address, ignored
The firewall isn't the issue, as this works:
$ ntpq -p 0.north-america.pool.ntp.org
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*bonehed.lcs.mit .CDMA.           1 u  767 1024  377    6.633   -0.071   0.299
 nist1-ny.glasse .ACTS.           1 u  26h  512    0   13.502    2.518   0.000
+avi-lis.gw.ligh .CDMA.           1 u  685 1024  377   15.709   -0.620   0.240
+hickory.cc.colu 128.59.39.48     2 u  622 1024  377   13.404    0.127   0.370
-cudns.cit.corne 192.5.41.209     2 u  672 1024  377   15.712   -1.317   0.061
 LOCAL(1)        .LOCL.          10 l    -   64  377    0.000    0.000   0.002
Well, after all that, I finally discover that time-sync can only be applied to the hardware itself!
Gate/Affinity Techies - PLEASE configure the VPS host OS to sync its clock accurately
My previous articles show how to do it!
Lastly, how to remove the startup script for ntpd:
$ chkconfig --del ntpd
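Added example, not part of the original posts: the backtick workaround in /etc/sysconfig/ntpd expands to a bare "-u " when the lookup returns nothing, so this sketch builds the same numeric-UID option but fails closed, and checks whether an OPTIONS string still gives ntpd a non-root account. The function names and the sample passwd line are constructed for illustration.

```shell
#!/bin/sh
# Added example: numeric-UID OPTIONS for ntpd that fail closed.

# Look up one passwd entry; fall back to /etc/passwd when getent is absent.
passwd_line() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1"
    else
        grep "^$1:" /etc/passwd
    fi
}

# Extract field 3 (the UID) from a passwd-format line; digits only.
uid_from_line() {
    uid=$(printf '%s\n' "$1" | cut -s -f 3 -d :)
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$uid"
}

# Print an OPTIONS value for account $1 and pid file $2.
# Returns 1 if the lookup fails, 2 if the account is UID 0 (no drop).
ntpd_options() {
    line=$(passwd_line "$1") || return 1
    uid=$(uid_from_line "$line") || return 1
    [ "$uid" -ne 0 ] || return 2
    printf '%s\n' "-u $uid -p $2"
}

# Succeed only when an OPTIONS string gives -u a non-root account.
drops_root() {
    set -f; set -- $1; set +f          # split into words, no globbing
    while [ $# -gt 1 ]; do
        if [ "$1" = "-u" ]; then
            case "$2" in
                -*|0|0:*|root|root:*) return 1 ;;  # missing arg or root
                *) return 0 ;;
            esac
        fi
        shift
    done
    return 1
}

# Constructed sample line (not taken from the page's system).
SAMPLE='ntp:x:38:38::/etc/ntp:/sbin/nologin'
uid_from_line "$SAMPLE"
drops_root "-p /var/run/ntpd.pid" || echo "ntpd would stay root"
```
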