Setting up an internal NTP server

Most Linux distributions offer a Network Time Protocol (NTP) client that can be used to keep your local time up to date. The idea is that with an NTP client configured, your computer or server will periodically check in with an NTP server somewhere on the Internet and synchronize its clock to ensure it is as exact as possible. This is really important; very strange things can happen on Linux machines if the clock is off. These oddities can include things such as a node being unable to associate with a DHCP server to obtain an IP address, files becoming unsynchronized between file servers, and more. The moral of the story is this: you'll want to have NTP set up and working in your environment.

Quite a few Linux distributions that are targeted toward end-user workstations (such as Ubuntu, Linux Mint, and so on) will often set up an NTP client for you. This means that out of the box, there's a good chance that your clock is already synchronized, assuming of course that your installation has access to the Internet. By default, these clients will connect to a distribution-specific NTP server. This can be perfectly fine, but setting up your own NTP server instead has merit. One good reason is that by setting up your own NTP server, you're being a good network citizen. Think about it this way: if you have a company with a hundred Linux machines, each of those machines will be checking in with a public NTP server periodically if left with the default configuration. This places unnecessary strain on that server. If you set up your own NTP server, only one of your servers will be checking in with the public server, which means you'd be consuming fewer of its resources. In addition, some companies do not allow public access to port 123 (the port NTP uses) for security reasons. However, a single NTP server might be allowed to reach port 123, and you can then configure your clients to use that server.

Before we get into setting up an NTP server, it's important to note that Debian and CentOS can often be the exception as to having an NTP client installed out of the box. Depending on the options and packages you selected during installation, the NTP client may or may not be functional yet. In my test environment, neither CentOS nor Debian had a working NTP client by default when I installed via a minimal installation and a net installation, respectively. However, setting up an NTP client is extremely easy. All you have to do is install NTP and enable it. This is actually one of those rare cases when both Debian and CentOS have the same name for the same package. The package is simply called ntp, so go ahead and install it if you don't already have it installed. Once installed, Debian will start the ntp daemon and enable it for you. With CentOS, execute the following commands to get it going:

# systemctl enable ntpd
# systemctl start ntpd

With both distributions, the file /etc/ntp.conf will be created once the package is installed, and this file will have a default configuration that will point your NTP client to your distribution's NTP server. Feel free to take a quick look at this file, if you're curious about what it looks like. To view which server your machine is synchronizing with, along with some stats regarding its synchronization, execute the ntpq -p command.


Viewing connected NTP servers

First, let's take a quick look at what these numbers mean. The first column, remote, lists the NTP servers we're connected to, no surprises there. Next is refid, which shows where those servers in turn get their time from. The st column is the stratum of that server, a number that indicates the layer on which that time server sits. Typically, the lower the number, the better, as it means the server is reasonably close to the source that is providing its time. Each server down the chain has a higher stratum; the lowest number doesn't always mean the server is better, but generally speaking, lower numbers are good. The t column refers to the type. This can be unicast, broadcast, multicast, or manycast. In this case, we have u for unicast.

The when column shows how long ago the server was last polled. In the case of the sample screenshot, the servers were polled 28, 24, 21 and 61 seconds ago, respectively. This can also be listed in hours or days. The poll column is the polling interval, which here is set to poll every 64 seconds. The reach column is an octal number that records the results of the most recent eight polls, one bit per poll. If all eight succeeded, every bit is set (binary 11111111), which is 377 in octal, the highest value it can hold.

Finishing up, the delay field references the delay (in milliseconds) to the NTP server. The offset field corresponds to the difference between the local clock and the clock of the server. Finally, jitter refers to the network latency between you and the server.
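To make the columns above easier to read in bulk, here is an added example script (not the book's own code) that reads saved `ntpq -p` output, expands the octal reach register into its eight per-poll bits, and prints one line per peer with a flag for anything a monitoring check would care about: a peer the daemon cannot use (stratum 16), missed polls, or an offset beyond a threshold. The ntpq output embedded as SAMPLE is constructed for the example (example.net hostnames and documentation IP addresses); the tally character meanings in the first column are ntpq's own, and the 100 ms offset threshold is an arbitrary assumption.

```shell
#!/bin/sh
# Added example (not the book's own code): summarize `ntpq -p` output and
# decode the reach register, so a sync problem is visible at a glance.
# Reads ntpq -p text on stdin; the SAMPLE below is constructed (example.net
# hostnames and documentation IP addresses), so it runs without a live ntpd.
set -eu

SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net  .GPS.            1 u   28   64  377    0.532   -0.118   0.044
+ntp2.example.net  203.0.113.10     2 u   24   64  377   12.301    0.905   0.210
 ntp3.example.net  .INIT.          16 u    -   64    0    0.000    0.000   0.000
-ntp4.example.net  198.51.100.7     3 u   61   64  177   40.122   14.880   1.302'

# Expand the octal reach value into its 8 bits, oldest poll on the left.
# ntpd shifts the register left at every poll and sets the low bit when the
# server answered, so 377 = 11111111 (all good) and 177 = 01111111 means only
# the oldest of the last eight polls was missed (a server that just started).
decode_reach() {
    awk -v r="$1" 'BEGIN {
        v = 0
        for (i = 1; i <= length(r); i++) v = v * 8 + substr(r, i, 1)
        bits = ""
        for (b = 7; b >= 0; b--) bits = bits (int(v / (2 ^ b)) % 2)
        print bits
    }'
}

# One line per peer: name, ntpq's selection tally ("*" the peer the clock is
# synced to, "+" usable candidate, "-" discarded outlier, " " unusable),
# stratum, answered polls out of 8, and offset; problems are appended as flags.
# Usage: ntpq -p | summarize_peers [MAX_OFFSET_MS]
summarize_peers() {
    awk -v maxoff="${1:-100}" '
        NR <= 2 { next }                          # skip header and ===== line
        {
            tally = substr($0, 1, 1)
            sub(/^[ *+#o.x-]/, "")                # drop tally so $1 is the name
            name = $1; st = $3; reach = $7; off = $9
            v = 0
            for (i = 1; i <= length(reach); i++) v = v * 8 + substr(reach, i, 1)
            ok = 0
            for (b = 0; b < 8; b++) ok += int(v / (2 ^ b)) % 2
            if (tally == "*")      state = "SYSPEER"
            else if (tally == "+") state = "CANDIDATE"
            else if (tally == "-") state = "OUTLIER"
            else                   state = "UNUSED"
            aoff = (off < 0) ? -off : off
            flags = ""
            if (st >= 16)      flags = flags " unreachable-stratum"
            if (ok < 8)        flags = flags " missed-polls=" (8 - ok)
            if (aoff > maxoff) flags = flags " offset>" maxoff "ms"
            printf "%-18s %-9s st=%-2s reach=%d/8 offset=%sms%s\n", name, state, st, ok, off, flags
        }'
}

# Succeeds only when there is a system peer with all eight polls answered and
# an offset within MAX_OFFSET_MS: the condition a monitoring check should
# assert once the initial sync period has passed.
check_synced() {
    summarize_peers "${1:-100}" | grep -q 'SYSPEER .*reach=8/8 offset=[^ ]*ms$'
}

if [ "${1:-}" = "--live" ]; then
    ntpq -p | summarize_peers "${2:-100}"          # real daemon
else
    printf '%s\n' "$SAMPLE" | summarize_peers 100   # constructed sample
fi
```

Run it with no arguments to see the constructed sample summarized, or with `--live` on a host running ntpd to summarize the real `ntpq -p` output. The reach decoding is the useful part: a freshly started server climbs 1, 3, 7, 17, 37, 77, 177, 377 as successive polls succeed, so a value below 377 only indicates trouble if it stays there after eight polling intervals have passed.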

In order to set up an NTP server, you must first install the client as mentioned earlier in this chapter. Install it, configure the daemon to start automatically, and then start it up. After performing those tasks, you're already most of the way there (the same client software acts as the server as well). Essentially, if you point your other computers to a server that has NTP installed and configured, you have everything you need.

However, there are a few things that should be configured first, mainly in the /etc/ntp.conf configuration file. This file is located in the same place on both Debian and CentOS. If you look at the file, you'll see some lines that look similar to the following:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

Here, you can see that by default, CentOS is identifying four NTP servers to synchronize with. These servers are generally fine for most use cases, but you may want to consider official NTP servers. To do so, check out the following website:

http://www.pool.ntp.org

That website will allow you to view official NTP servers from the NTP Pool Project. To navigate, select your continent on the right and then your country. You should then see a list of NTP servers you can use. In my case, I get the following details:

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org

It's up to you whether you use the NTP servers provided by your distribution or those provided by the NTP pool project. Personally, I prefer the latter. Once you have your servers configured, there's one more change we should make. You should see a line in the configuration similar to the following in CentOS:

#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Alternatively, similar to the following in Debian:

#restrict 192.168.123.0 mask 255.255.255.0 notrust

On your NTP server, uncomment that line and change the network address to yours, as well as the subnet. Remove notrust if it is there. For reference, the line in my configuration appears as the following:

restrict 10.10.96.0 mask 255.255.252.0 nomodify notrap

With this configuration, we're restricting NTP access to local clients and also ensuring that they do not have access to change configuration on the NTP server (only read from it). Another change I like to make in NTP is to designate a log file. systemd takes care of logging with journalctl, but sometimes it's useful to have a text file to peruse in case of problems. If you'd like that, then add the following line somewhere near the top:

logfile /var/log/ntp.log

If you have any problems, check that file. Next, if you're using CentOS as your NTP server, you should enable NTP traffic through its firewall. To do that, run the following code:

firewall-cmd --add-service=ntp --permanent
firewall-cmd --reload

Now that we have that out of the way, restart your NTP server. We can do so via one of the following commands (as root).

Use the systemctl restart ntpd command on CentOS, or systemctl restart ntp on Debian.
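The server-side steps above (upstream servers, the restrict line for your subnet, the log file, the CentOS firewall rule, and the distribution-specific restart) collected into one script. This is an added example, not code from the book: it assumes the ntp package is already installed, that you supply your LAN as a network address plus a prefix length (the script converts it to the dotted mask that restrict expects, so 10.10.96.0 with /22 becomes the book's 255.255.252.0 line), and that ntpd's usual default policy of `restrict default kod nomodify notrap nopeer noquery` (deny modification and status queries to everyone not explicitly allowed) is acceptable. NTP_CONF is a hypothetical environment variable that lets you write to a scratch file instead of /etc/ntp.conf; the render_client_conf function shows the matching one-server client configuration.

```shell
#!/bin/sh
# Added example (not the book's own code): build the ntp.conf for an internal
# NTP server, open the firewall on CentOS, and restart the daemon. Assumptions:
# the ntp package is installed, the LAN is given as network + prefix length,
# and NTP_CONF may point at a scratch file instead of /etc/ntp.conf for testing.
set -eu

# Convert a prefix length (0-32) into the dotted netmask that the restrict
# directive expects, e.g. 22 -> 255.255.252.0.
prefix_to_mask() {
    prefix=$1
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    mask=""
    bits=$prefix
    for _octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255
        elif [ "$bits" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - bits)) ))   # partial octet, e.g. 6 bits -> 252
        fi
        bits=$(( bits - 8 ))
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# Print the server's ntp.conf: upstream pool servers, a default policy that
# refuses modification and status queries from everyone, loopback unrestricted,
# and the LAN allowed to sync but not to change the daemon (nomodify notrap).
# Usage: render_server_conf NETWORK PREFIX SERVER...
render_server_conf() {
    network=$1; prefix=$2; shift 2
    netmask=$(prefix_to_mask "$prefix") || return 1
    printf 'logfile /var/log/ntp.log\n'
    for upstream in "$@"; do
        printf 'server %s iburst\n' "$upstream"
    done
    printf 'restrict default kod nomodify notrap nopeer noquery\n'
    printf 'restrict 127.0.0.1\n'
    printf 'restrict ::1\n'
    printf 'restrict %s mask %s nomodify notrap\n' "$network" "$netmask"
}

# Print a client's ntp.conf: sync only from the internal server, accept nothing else.
render_client_conf() {
    printf 'server %s iburst\n' "$1"
    printf 'restrict default kod nomodify notrap nopeer noquery\n'
    printf 'restrict 127.0.0.1\n'
}

# Write the config (keeping a backup), open port 123/udp where firewalld is
# present (CentOS), and restart whichever service name this distribution uses.
apply_server_conf() {
    conf=${NTP_CONF:-/etc/ntp.conf}
    [ -f "$conf" ] && cp -p "$conf" "$conf.bak"
    render_server_conf "$@" > "$conf"
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --add-service=ntp --permanent
        firewall-cmd --reload
    fi
    systemctl restart ntpd 2>/dev/null || systemctl restart ntp   # CentOS, then Debian
}

if [ $# -ge 3 ]; then
    apply_server_conf "$@"   # e.g. ./ntp-server.sh 10.10.96.0 22 0.north-america.pool.ntp.org 1.north-america.pool.ntp.org
elif [ $# -gt 0 ]; then
    echo "usage: $0 NETWORK PREFIX SERVER..." >&2
    exit 1
fi
```

Run it as root with the network, prefix length and the pool servers you chose; to preview the file first, run `NTP_CONF=/tmp/ntp.conf` with the same arguments and inspect the result before touching the live configuration. The explicit `restrict default` line is the part worth keeping even if you edit the file by hand: the book's LAN restrict line grants your clients read access, and the default line is what makes sure nobody outside that subnet gets any.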

At this point, you have an NTP server. On your clients, change the server that they are configured to synchronize with to the IP of the machine you've designated as your NTP server. In my case, the command is as follows:

server 10.10.99.133

After restarting NTP, give your systems some time to synchronize. In some cases, it can take over half an hour for them to start synchronizing. Give it a bit of time and then check with the ntpq -p command to ensure that it is syncing.


Output from a machine synchronizing with a custom NTP server

As you can see in this output from my test environment, I started an NTP server at 10.10.99.123 that this Debian machine is synchronizing with; currently the server has a reachability of 7, but this number is slowly going up. This is fine, as the server has only been running for a few minutes.

If you have any issues, make sure that port 123 is open in any firewalls you may have in your network (with CentOS as the server, make sure you've run the firewall commands that were mentioned earlier). But before you get frustrated, give it time—it's not uncommon for an NTP server to take a bit to get going when first set up. Typically, everything should get going within 20 minutes, but I've seen it take longer.
