Atomic Clock/NTP

The atomic clock program can be run periodically by cron to synchronize your system's clock with one of the net-based atomic clocks. Typically, one would edit crontab to poll the atomic clock once a day.

/usr/bin/atomclock-poll:

A script that can be run at regular intervals (e.g. daily) by cron to poll a net-based atomic clock and synchronize the local machine's clock.

     #!/bin/sh
     #
     # Script to synchronize the server's clock with the atomic clock at CMU.
     #
     # Should be run at regular intervals from cron.  It will connect to the
     # atomic clock at CMU and set the system time.  If this works, it will then
     # set the hardware clock so that reboots in between will get the correct
     # time.
     #
     #
     # We may be using diald.  By pinging the time server, we get diald to dial up
     # the PPP link.  The ping may fail but it brings up the link
     #
     ping -c1 -w120 clock-1.cs.cmu.edu
     #
     # Get the correct time from the clock server.  If that works, the hardware
     # clock is set.
     #
     if rdate -p -s clock-1.cs.cmu.edu; then
         /sbin/hwclock --systohc
     fi

If you run the atomic clock synchronization script on a Samba server (see below) and would like all of your NT-based networked machines to synchronize their clocks with the one on the Samba server and thus the atomic clock, create a batch file (in some common directory) and hook it in as follows:

synchclock.bat:

     NET TIME \\samba-server /SET /YES

Create a shortcut to synchclock.bat in:

     \winnt\Profiles\All Users\Start Menu\Programs\Startup

This will run synchclock at startup on each machine where it is installed.

Note that you may need to map a drive and supply a username/password before you run the "NET TIME" command because the username/password may be different on the Samba server than what the NT machine remembers and the command will fail. Mapping the drive kludges around this.

If, instead of the atomic clock program, you'd like to run NTP, obtain the latest version of the source from http://www.ntp.org/downloads.html.

Build the source as follows:

     ./configure --prefix=/usr --enable-linuxcaps
     make

Note that it is important, if you wish to run NTP as some other user besides root, that you include "--enable-linuxcaps". You will need to have a version of libcap available and your kernel will have to be compiled with CONFIG_SECURITY_CAPABILITIES. If you cannot get this option to build properly, you cannot use "-u ntp" in the startup options (see /etc/sysconfig/ntpd below).

If you have an old version of NTP installed by an OS RPM, do the following:

     rm -f /usr/sbin/ntp*
     rm -f /etc/ntp/ntpservers

Install the new build as root:

     su
     make install

/etc/rc.d/init.d/ntpd:

If you use the pre-existing OS ntpd script but build NTP yourself with /usr/bin as the install directory, you'll need to change /usr/sbin to /usr/bin in the ntpd script.

Run the usual chkconfig:

     chkconfig --add ntpd
     chkconfig ntpd on

/etc/sysconfig/ntpd:

If you are using a later version of NTP, you may have to modify the default RedHat file. Earlier versions of this file included:

     OPTIONS="-U ntp"

With the later versions of NTP, the "-U" option's meaning has changed. To get the same effect, change the OPTIONS line to read:

     OPTIONS="-u ntp"

The latest RedHat/CentOS RPM installations have the following sysconfig options settings:

     OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -g"

This is a good example to follow. It runs NTP under the ntp user and group, sets the PID file to "/var/run/ntpd.pid" and allows a large clock slew to be dealt with one time only. This last option is useful if the system has been down for a long time and the clock hasn't been keeping up. It allows NTP to correct the problem instead of just bailing out.

If you do choose either of the "-u" options, you'll have to add an ntp user and group. We do so like this, if they don't already exist:

     su
     /usr/sbin/groupadd -g 38 -r ntp
     /usr/sbin/useradd -c "Network Time Protocol" -g ntp -M -N -r \
       -s /sbin/nologin -u 38 ntp

/etc/ntp.conf (probably):
/etc/ntp/ntp.conf (possibly):

Hack this file to describe the synchronization server to be used by this machine. For the local master, it should be some machine, out in networkland, that is close by, that can supply time synchronization information to your machine.

Look at the following lists of public NTP servers. Usually, you will want to pick a stratum 2 server (which means that your local master will run at stratum 3 and all machines synchronizing to it will run at stratum 4). However, if you are running a machine that allows public access to other NTP servers, you may be able to run at stratum 2 and synchronize to a stratum 1 machine.

     http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
     http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers

Here is a sample NTP config file for a local master server at stratum 3. Note that the "restrict" line for the reference server must use an IP address, not a host name, since DNS lookups aren't allowed there (it's a security hole):

     # Prohibit general access to this service.
     restrict default ignore
     # Permit all access over the loopback interface.  This could
     # be tightened as well, but to do so would affect some of
     # the administrative functions.
     restrict 127.0.0.1
     # -- CLIENT NETWORK -------
     # Permit systems on this network to synchronize with this
     # time service.  Do not permit those systems to modify the
     # configuration of this service.  Also, do not use those
     # systems as peers for synchronization.
     #
     restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
     # --- OUR TIMESERVERS -----
     # Use this or remove the default restrict line at the head of this file.
     # Permit time synchronization with our time source, but do not
     # permit the source to query or modify the service on this system.
     #
     # The restrict line only allows access to our server by the servers listed.
     # This must be by IP address, since it is a big security hole to allow a DNS
     # lookup for a trusted server (or so it would seem).  So, you must look up
     # the IP address of all the servers you'll use and, if any of them changes,
     # you're screwed.  C'est la vie.
     #
     # The servers to synchronize with, on the other hand, can be given via
     # symbolic names that are resolved via DNS.  Fat lot of good it will do you
     # but at least you'll remember what they're called so that you can look them
     # up again when they silently stop working.
     #
     # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
     # server mytrustedtimeserverip
     restrict 209.51.161.238 mask 255.255.255.255 nomodify notrap noquery
     restrict 66.92.68.11 mask 255.255.255.255 nomodify notrap noquery
     restrict 132.236.56.250 mask 255.255.255.255 nomodify notrap noquery
     server clock.nyc.he.net minpoll 6 maxpoll 16        # Stratum 1, primary (14 hop)
     server time.keneli.org minpoll 6 maxpoll 16         # Stratum 1, primary (10+ hop)
     server cudns.cit.cornell.edu minpoll 6 maxpoll 16   # Stratum 2, backup (16 hop)
     # --- NTP MULTICASTCLIENT ---
     #
     #multicastclient            # listen on default 224.0.1.1
     # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
     # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
     # --- GENERAL CONFIGURATION ---
     #
     # Undisciplined Local Clock. This is a fake driver intended for backup
     # and when no outside source of synchronized time is available. The
     # default stratum is usually 3, but in this case we elect to use stratum
     # 10 (set by the fudge line below). Since the server line does not have
     # the prefer keyword, this driver is never used for synchronization,
     # unless no other synchronization source is available. In case the local
     # host is controlled by some external source, such as an external oscillator or
     # another protocol, the prefer keyword would cause the local host to
     # disregard all other synchronization sources, unless the kernel
     # modifications are in use and declare an unsynchronized condition.
     #
     server    127.127.1.0    # local clock
     fudge     127.127.1.0 stratum 10
     #
     # Drift file.  Put this in a directory which the daemon can write to.
     # No symbolic links allowed, either, since the daemon updates the file
     # by creating a temporary in the same directory and then rename()'ing
     # it to the file.
     #
     driftfile /etc/ntp/drift
     #broadcastdelay    0.008
     #
     # Authentication delay.  If you use, or plan to use someday, the
     # authentication facility you should make the programs in the auth_stuff
     # directory and figure out what this number should be on your machine.
     #
     #authenticate yes
     authenticate no
     #
     # Keys file.  If you want to diddle your server at run time, make a
     # keys file (mode 600 for sure) and define the key number to be
     # used for making requests.
     #
     # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
     # systems might be able to reset your clock at will. Note also that
     # ntpd is started with a -A flag, disabling authentication, that
     # will have to be removed as well.
     #
     #keys        /etc/ntp/keys

Using this config file, NTP will automatically synchronize with the publicly available atomic clock(s) and then serve time signals to the local network.
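As an added check (not part of the original page or the NTP distribution), the following Python audits an ntp.conf against current DNS answers for the two problems the comments above warn about: a trusted server whose address has changed since its restrict line was written, and a server restrict line missing nomodify/notrap/noquery. The config text and the resolver answers are constructed for the example; a real run would read /etc/ntp.conf and resolve each server name.

```python
# Constructed sample in the style of the ntp.conf shown above; not the page's file.
SAMPLE_CONF = """\
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 209.51.161.238 mask 255.255.255.255 nomodify notrap noquery
restrict 66.92.68.11 mask 255.255.255.255 nomodify notrap
restrict 132.236.56.250 mask 255.255.255.255 nomodify notrap noquery
server clock.nyc.he.net minpoll 6 maxpoll 16      # Stratum 1, primary
server time.keneli.org minpoll 6 maxpoll 16
server cudns.cit.cornell.edu minpoll 6 maxpoll 16
server 127.127.1.0                                # local clock
"""
# Constructed stand-in for live DNS (socket.gethostbyname in a real run) so it runs offline.
RESOLVED = {
    "clock.nyc.he.net": "209.51.161.238",
    "time.keneli.org": "66.92.68.11",
    "cudns.cit.cornell.edu": "132.236.56.251",  # constructed: address has moved
}
REQUIRED_FLAGS = {"nomodify", "notrap", "noquery"}

def audit_restricts(conf_text, resolved):
    """Return (subject, problem) pairs: servers lacking a per-host restrict line
    for their current address, restrict lines missing flags, stale restricts."""
    per_host, servers = {}, []        # ip -> flags on its single-host restrict
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if len(tok) < 2:
            continue
        if tok[0] == "restrict" and tok[1] != "default" and not tok[1].startswith("127."):
            if len(tok) > 3 and tok[2] == "mask":
                if tok[3] != "255.255.255.255":
                    continue                 # client network rule, not a server rule
                per_host[tok[1]] = set(tok[4:])
            else:
                per_host[tok[1]] = set(tok[2:])
        elif tok[0] == "server" and not tok[1].startswith("127.127."):
            servers.append(tok[1])           # skip the local-clock pseudo driver
    findings, current = [], set()
    for host in servers:
        ip = resolved.get(host, host)        # literal IPs pass through unchanged
        current.add(ip)
        missing = REQUIRED_FLAGS - per_host.get(ip, set())
        if ip not in per_host:
            findings.append((host, "no restrict line for current address " + ip))
        elif missing:
            findings.append((host, "restrict %s lacks %s" % (ip, " ".join(sorted(missing)))))
    for ip in per_host:
        if ip not in current:
            findings.append((ip, "restrict line matches no server; stale address?"))
    return findings
```

Run it from the same cron job that polls the time server and it will flag the "silently stop working" case before the daemon does.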

Only one master server on the local network need run an NTP daemon that synchronizes with the outside world. All of the other machines can use ntpdate to synchronize with the local NTP server, thereby reducing network traffic. Alternately, the local machines can run ntpd one stratum below the local master (a higher stratum number, e.g. stratum 4 under a stratum 3 master) and synchronize with it that way.

For a local server at stratum 4, replace the stratum 1/2 server (e.g. clock.nyc.he.net) with the local stratum 3 server (e.g. 192.168.1.1) in the above file. For example:

     restrict 192.168.1.1 mask 255.255.255.255 nomodify notrap noquery
     server 192.168.1.1 minpoll 6 maxpoll 16

If you wish to run NTP as a local master server but don't wish to enable all of the packet traffic that is generated by NTP, you can allow NTP to run off the local machine's system clock and then periodically set the clock via a cron job (see the script for setting the clock, below). Here is the NTP config file for the free-running NTP:

     #
     # Prohibit general access to this service.
     #
     restrict default ignore
     #
     # Permit all access over the loopback interface.  This could
     # be tightened as well, but to do so would affect some of
     # the administrative functions.
     #
     restrict 127.0.0.1
     # -- CLIENT NETWORK -------
     #
     # Permit systems on this network to synchronize with this
     # time service.  Do not permit those systems to modify the
     # configuration of this service.  Also, do not use those
     # systems as peers for synchronization.
     #
     restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
     # --- OUR TIMESERVERS -----
     #
     # We don't have any timeservers.  NTP will run as a service based on the
     # local clock.  I know.  This is bad news.  However, this machine has only a
     # dialup connection to the Internet, managed by diald.  We don't want diald
     # to bring up the connection, every time NTP takes it into its head to poll
     # one of its time servers.
     #
     # By running off the local clock, we can run "ntpd -q" via a cron job to set
     # the local clock while still serving as an NTP server for the local net.
     #
     # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
     # server mytrustedtimeserverip
     # --- NTP MULTICASTCLIENT ---
     #
     # multicastclient            # listen on default 224.0.1.1
     # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
     # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap