NTP does not sync when using pool.ntp.org

Post by bd » Sat, 04 Oct 2003 10:50:42


I am using ntp 4.1.2 on Gentoo Linux. After days of operation, it does not
sync with the pool.ntp.org servers.

ntpq -c pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 midwestcs.com   0.0.0.0         16 u    -  68m    0    0.000    0.000 4000.00
 snm.sd.dreamhos 0.0.0.0         16 u    -  68m    0    0.000    0.000 4000.00
 dhcp-216-27-185 0.0.0.0         16 u    -  68m    0    0.000    0.000 4000.00

/etc/ntpd.conf:
# NOTES:
# - you should only have to update the server line below
# - if you start getting lines like 'restrict' and 'fudge'
# and you didnt add them, AND you run dhcpcd on your
# network interfaces, be sure to add '-Y -N' to the
# dhcpcd_ethX variables in /etc/conf.d/net

# Name of the servers ntpd should sync with
# Please respect the access policy as stated by the responsible person.
#server clock.sjc.he.net iburst
#server ntp-2.cso.uiuc.edu iburst
#server ntp.ourconcord.net iburst
#server molecule.ecn.purdue.edu iburst
#server ntp-2.cso.uiuc.edu iburst
#server clock.nyc.he.net iburst

server us.pool.ntp.org maxpoll 12
server us.pool.ntp.org maxpoll 12
server us.pool.ntp.org maxpoll 12

##
# A list of available servers is available here:
# http://www.eecis.udel.edu/~mills/ntp/servers.html
# Please follow the rules of engagement and use a
# Stratum 2 server (unless you qualify for Stratum 1)
##

# you should not need to modify the following paths
logfile /var/log/ntpd.log
driftfile /var/lib/misc/ntp.drift

#server ntplocal.example.com prefer
#server timeserver.example.org

# Warning: Using default NTP settings will leave your NTP
# server accessible to all hosts on the Internet.

#
# If you want to deny all machines from accessing
# your NTP server, uncomment:
#
restrict default ignore


# To only deny other machines from changing the
# configuration but allow localhost uncomment:
#
#restrict default notrust nomodify
restrict 127.0.0.1


# To allow machines within your network to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against, uncomment this line.
#
#restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
#restrict 127.0.0.1 mask 255.255.255.255 notrust nomodify notrap

# To only deny other machines from changing the
# configuration but allow localhost uncomment:
#
#restrict default notrust nomodify
#restrict 127.0.0.1


ntpdate is run before starting the server, on us.pool.ntp.org. What could be
preventing ntpd from syncing?
--
Question: Is it better to abide by the rules until they're changed or
help speed the change by breaking them?
 
 
 


Post by Nicholas S » Sat, 04 Oct 2003 11:17:31

bd < XXXX@XXXXX.COM > wrote in



<snip>


This line:


Try to change 'ignore' to 'noquery'.
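
Added example (not part of the thread): a small audit of ntp.conf restrict rules showing why 'restrict default ignore' stops synchronization, since it also drops the replies from the configured servers, while 'noquery' only refuses ntpq/ntpdc queries. The function names and sample configs are constructed here, and matching a source to a restrict entry by its literal address string is a simplifying assumption.

```python
# Constructed inputs: BROKEN mirrors the first post, FIXED the suggested change,
# PINNED a stricter variant for a fixed-address source (192.0.2.10 is a
# documentation address, not a real time server).
BROKEN = """server us.pool.ntp.org maxpoll 12
server us.pool.ntp.org maxpoll 12
restrict default ignore
restrict 127.0.0.1
"""
FIXED = BROKEN.replace("default ignore", "default noquery nomodify")
PINNED = """server 192.0.2.10
restrict default ignore
restrict 192.0.2.10 noquery nomodify
restrict 127.0.0.1
"""

def parse(conf_text):
    """Return (sources, restricts): unique server/peer hosts and {address: flags}."""
    sources, restricts = [], {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments
        if len(fields) < 2:
            continue
        if fields[0] in ("server", "peer"):
            if fields[1] not in sources:
                sources.append(fields[1])
        elif fields[0] == "restrict":
            flags = fields[2:]
            if "mask" in flags:                    # drop "mask <netmask>"
                i = flags.index("mask")
                del flags[i:i + 2]
            restricts[fields[1]] = set(flags)
    return sources, restricts

def audit(conf_text):
    """Return findings as (code, subject) tuples; an empty list means clean."""
    sources, restricts = parse(conf_text)
    default = restricts.get("default", set())
    findings = []
    for host in sources:
        # A specific entry overrides the default; without one the default applies.
        if "ignore" in restricts.get(host, default):
            findings.append(("source-blocked", host))
    if "ignore" not in default:
        for flag in ("noquery", "nomodify"):
            if flag not in default:
                findings.append(("default-missing", flag))
    return findings
```

The PINNED form keeps the deny-all default and only works when the source address is fixed; a pool name resolves to changing addresses, so it cannot be listed that way.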

 
 
 


Post by bd » Sun, 05 Oct 2003 05:08:36


Thanks, that fixed it.
--
A man does not look behind the door unless he has stood there himself.
-- Du Bois
 
 
 


Post by bd » Mon, 06 Oct 2003 06:28:27

d wrote:


Hm. After adding a 'peer' line, it broke again, ignoring the us.pool.ntp.org
server lines. I remove the peer line, and it's still broken...

My ntpd.log shows:
4 Oct 17:25:00 ntpd[16842]: signal_no_reset: signal 17 had flags 4000000
4 Oct 17:25:02 ntpd[16841]: process_private: failed auth mod_okay 0
4 Oct 17:25:02 ntpd[16842]: ntpd returns a permission denied error!
4 Oct 17:25:02 ntpd[16841]: process_private: failed auth mod_okay 0
4 Oct 17:25:02 ntpd[16842]: ntpd returns a permission denied error!
4 Oct 17:25:02 ntpd[16841]: process_private: failed auth mod_okay 0
4 Oct 17:25:02 ntpd[16842]: ntpd returns a permission denied error!
4 Oct 17:25:02 ntpd[16842]: signal_no_reset: signal 14 had flags 4000000

ntpq -c pe shows:
No association ID's returned

ntp.conf contains:
# NOTES:
# - you should only have to update the server line below
# - if you start getting lines like 'restrict' and 'fudge'
# and you didnt add them, AND you run dhcpcd on your
# network interfaces, be sure to add '-Y -N' to the
# dhcpcd_ethX variables in /etc/conf.d/net

# Name of the servers ntpd should sync with
# Please respect the access policy as stated by the responsible person.
#server clock.sjc.he.net iburst
#server ntp-2.cso.uiuc.edu iburst
#server ntp.ourconcord.net iburst
#server molecule.ecn.purdue.edu iburst
#server ntp-2.cso.uiuc.edu iburst
#server clock.nyc.he.net iburst

server us.pool.ntp.org maxpoll 12
server us.pool.ntp.org maxpoll 12
server us.pool.ntp.org maxpoll 12

##
# A list of available servers is available here:
# http://www.eecis.udel.edu/~mills/ntp/servers.html
# Please follow the rules of engagement and use a
# Stratum 2 server (unless you qualify for Stratum 1)
##

# you should not need to modify the following paths
logfile /var/log/ntpd.log
driftfile /var/lib/misc/ntp.drift

#server ntplocal.example.com prefer
#server timeserver.example.org

# Warning: Using default NTP settings will leave your NTP
# server accessible to all hosts on the Internet.

#
# If you want to deny all machines from accessing
# your NTP server, uncomment:
#
#restrict default ignore
restrict default noquery nomodify

# To only deny other machines from changing the
# configuration but allow localhost uncomment:
#
#restrict default notrust nomodify
restrict 127.0.0.1 nomodify


# To allow machines within your network to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against, uncomment this line.
#
#restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
#restrict 127.0.0.1 mask 255.255.255.255 notrust nomodify notrap

# To only deny other machines from changing the
# configuration but allow localhost uncomment:
#
#restrict default notrust nomodify
#restrict 127.0.0.1


The peer computer also broke in a similar way, but it used the first server
line instead. It also continued to be broken after I reverted the changes,
but its log does not show the permission denied errors. How do I fix this?

--
BOFH Excuse #109:

The electricity substation in the car park blew up.

 
 
 


Post by mike coo » Tue, 07 Oct 2003 03:02:44

Whilst I have sync from other sources, I am also seeing the same problem
with one of the pool.ntp.org addresses that has been assigned. Is there
a problem with the assignment?

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l   56   64  377    0.000    0.000   0.004
+SHM(0)          .DCF.            0 l   35   64  377    0.000   -0.328   0.055
*SHM(1)          .DCF.            0 l   36   64  377    0.000    0.340   0.026
 clock2.redhat.c 0.0.0.0         16 u    -  68m    0    0.000    0.000 4000.00
 ++++++++++++++++

+topaz.ad1810.co utserv.mcc.ac.u  3 u   22   64  377   70.132    2.717   0.145
-clock2.redhat.c .CDMA.           1 u   48   64  377  164.060    6.505   0.025
 NTP.MCAST.NET   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00

So for some reason I got two addresses mapping to clock2.redhat.com but
only one is good.

Any ideas?
 
 
 


Post by Dale Worle » Tue, 07 Oct 2003 21:26:37

mike cook < XXXX@XXXXX.COM > writes:

My recollection is that if you have one address listed as a server
twice, one of them will "reach" and the other won't. OTOH, you *are*
getting timing information from clock2.redhat.com, so it's OK. The
real problem is that pool.ntp.org is giving you the same address
twice.

Dale
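
Added example (not part of the thread): a parser for the `ntpq -p` peers billboard that separates the harmless case described above, a dead association whose remote also appears as a live one, from sources that are unreachable outright. The sample is constructed on the model of the billboard posted earlier, and the function names are illustrative. `ntpq -p` truncates remote names, so matching by name is approximate; `ntpq -pn` prints addresses instead.

```python
# Constructed sample in `ntpq -p` layout; column 0 is the tally code.
BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l   56   64  377    0.000    0.000   0.004
*SHM(1)          .DCF.            0 l   36   64  377    0.000    0.340   0.026
 clock2.redhat.c 0.0.0.0         16 u    -  68m    0    0.000    0.000 4000.00
+topaz.ad1810.co utserv.mcc.ac.u  3 u   22   64  377   70.132    2.717   0.145
-clock2.redhat.c .CDMA.           1 u   48   64  377  164.060    6.505   0.025
 NTP.MCAST.NET   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
"""

def parse_billboard(text):
    """Return one dict per association line, skipping the header and ruler."""
    rows = []
    for line in text.splitlines()[2:]:
        fields = line[1:].split()
        if len(fields) != 10:
            continue
        rows.append({
            "tally": line[0],               # '*' marks the current sync source
            "remote": fields[0],
            "stratum": int(fields[2]),      # 16 means unsynchronized
            "reach": int(fields[6], 8),     # octal register of the last 8 polls
        })
    return rows

def classify(text):
    """Split dead associations (reach 0) into duplicates and real outages."""
    rows = parse_billboard(text)
    alive = {r["remote"] for r in rows if r["reach"] != 0}
    dead = [r["remote"] for r in rows if r["reach"] == 0]
    return {
        "duplicate": [name for name in dead if name in alive],
        "unreachable": [name for name in dead if name not in alive],
        "synced_to": [r["remote"] for r in rows if r["tally"] == "*"],
    }
```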
 
 
 


Post by Adrian 'Da » Wed, 08 Oct 2003 02:32:35

Clinging to sanity, Dale Worley mumbled in his beard:


This is a problem we can't solve without ntpd knowing about DNS round robin
explicitly (to my knowledge, nobody is working on this right now, though).
This behaviour depends heavily on your local resolver library (and possible
cache daemon) and the caching nameservers in the chain from your site to
the authoritative servers for pool.ntp.org.

This is one of the reasons why I recommend use of pool.n.o as default config
for those who want ntp to 'just work', but recommend manually selecting
timeservers for anybody interested enough to tweak their ntp.conf (the DNS
zones at pool.n.o can be a good starting point for this, though).

(Hmm. One thing you might want to try: have a wrapper script around ntp
startup to change resolv.conf before starting ntpd to use one of the
pool.ntp.org nameservers directly, and then changing it back after ntpd has
made its DNS lookups).

greets
-- vbi

 
 
 


Post by maye » Fri, 10 Oct 2003 21:33:16


This is not a round-robin issue per se. NTP will read the conf file and
parse each line and look up each IP name and make a call to the resolver
and get an address. It calls the resolver each time it gets an address;
it's not smart enough to remember that it had previously looked up that
address. However, the resolver may well remember and have cached the
answer in which case it will return the same answer each time. In addition,
the DNS being used as a nameserver may return the same answer from cache
for each of these lookups.

In summary, you can't depend on NTP getting different IP addresses each
time it looks up a name. It depends on the O/S, the resolver, and the
nameservers being used by the system, each of which may be different.

Danny
 
 
 


Post by Dale Worle » Fri, 10 Oct 2003 22:55:44


XXXX@XXXXX.COM (Danny Mayer) writes:

I don't remember whether someone has suggested this before, but one
solution would be to define "pool1.ntp.org", "pool2.ntp.org", and
"pool3.ntp.org" to be round-robins with exactly the same sets of
names. That way,

server pool1.ntp.org
server pool2.ntp.org
server pool3.ntp.org

would defeat most resolver deficiencies.

Dale
 
 
 


Post by Adrian 'Da » Sat, 11 Oct 2003 01:16:00

Clinging to sanity, Dale Worley mumbled in his beard:


Yes, it was suggested (and it did even exist in the very beginning - and I
may think about it again in the future).

The main reason why this doesn't exist right now is:
To achieve the desired effect, {1,2,3}.pool.ntp.org would need to be
disjunct. But since we want load balancing, and not just load every server
in the pool, we would need to have a few names in each zone still - so we'd
need >30 servers - for each zone (continental, country zones, too!).

With currently 90 servers in toto, I don't think this works.

The question is, of course: how important is consistency? If you say 'not
important', then I could introduce
{1,2,3}[.{north-america,europe,us,ch,nl}].pool.ntp.org now, and the rest
later (I have recently switched to a database storage, so it would be less
work than with the previous file-based scheme). The main problem after this
would then be to have this documented.

cheers
-- vbi

 
 
 


Post by Jan Ceulee » Sat, 11 Oct 2003 02:02:44


Would it not be sufficient to do as Dale suggested and list the same
servers in each of the 3 pools? The probability that the queries would
return the same server twice or even three times would be remote (or
certainly more remote than is the case without the pool repetition
mechanism), and perhaps this probability could be reduced still further
by listing the servers in a different order in each of the pools.

(Note that I do not purport to be a DNS expert).

Jan
 
 
 


Post by mike coo » Sat, 11 Oct 2003 03:03:47

The workaround is to use ntpdc to unconfig and addserver to
dynamically re-select independent servers when you see this happening.
Painless.
 
 
 


Post by Dale Worle » Sat, 11 Oct 2003 09:20:02

Adrian 'Dagurashibanipal' von Bidder < XXXX@XXXXX.COM > writes:

It's not as bad as it looks -- if we list the same 100 servers for all
three lists, and can get the lists to be handed out at random, there
is a 97% chance of the three names resolving differently.

If we use *four* aliases, there is a 94% chance that they all return
different addresses, and a 99.93% chance that they will return at
least three different addresses.

The remaining problem is that if some intermediate cache hands out the
same addresses for all four names. We can reduce that by putting the
addresses for each alias in different orders. Then there is only a
problem if the intermediate cache sorts the addresses, which is
possible. One possible way to avoid that problem would be to leave
one address off the second name, two off the third name, and three off
the fourth name, so that if the server is maintaining four counters to
cycle through the four (sorted) lists, the pointers can't stay
synchronized with each other for more than one cycle through the
lists.

Dale
 
 
 


Post by Adrian 'Da » Sun, 12 Oct 2003 01:03:09

Clinging to sanity, Dale Worley mumbled in his beard:


Except that I won't list all 100 servers in the zone at any given time. At
32 servers (compiled-in default), bind stops rotating the entries, and at
some other number, I think there will be a switch from UDP to TCP queries.
Both I want to avoid. Currently, I have max. 15 servers per name.

cheers
-- vbi

--
Why are you so hard to ignore?
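
Added example (not part of the thread): the exact probabilities behind the last two posts, computed for k lookups into a pool of n addresses. It reproduces the figures quoted for 100 servers and then applies the same calculation to the 15-servers-per-name limit. Uniform, independent answers per lookup is an assumption taken from the "handed out at random" premise; resolver caching, discussed earlier in the thread, makes real results worse.

```python
from fractions import Fraction

def distinct_distribution(n, k):
    """Return a list where entry d is P(exactly d distinct addresses)
    after k uniform, independent lookups into a pool of n addresses."""
    dist = [Fraction(1)] + [Fraction(0)] * k      # before any lookup: 0 distinct
    for _ in range(k):
        nxt = [Fraction(0)] * (k + 1)
        for d, p in enumerate(dist):
            if p == 0:
                continue
            nxt[d] += p * Fraction(d, n)              # repeat of a seen address
            if d < k:
                nxt[d + 1] += p * Fraction(n - d, n)  # a new address
        dist = nxt
    return dist

def p_at_least(n, k, d):
    """P(at least d distinct addresses among k lookups into n addresses)."""
    return sum(distinct_distribution(n, k)[d:])

def summary():
    """Figures for the cases discussed in the thread, as floats."""
    return {
        "100 servers, 3 names, all different": float(p_at_least(100, 3, 3)),
        "100 servers, 4 names, all different": float(p_at_least(100, 4, 4)),
        "100 servers, 4 names, >= 3 different": float(p_at_least(100, 4, 3)),
        "15 servers, 3 names, all different": float(p_at_least(15, 3, 3)),
    }

if __name__ == "__main__":
    for case, p in summary().items():
        print(f"{case}: {p:.4%}")
```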