
During a server bootstrap process, I want to explicitly run `ntpdate` rather than rely on the ntp daemon. However, the clock can be severely skewed at this point in time, which causes an error when executing `sudo ntpdate address.of.ntp.server`. I noticed that after running this command multiple times, it eventually works, possibly due to a number of samples accumulating with the same date; however, I can't find this specification. What I want is to just take one sample, force `ntpdate` to accept the response, and then start ntp via `sudo service ntp start`. How can I do this?

EDIT: I tried `sudo ntpd -g -q` as suggested, but I still get the following error in `/var/log/syslog`:

```
Sep 26 12:14:29 jd-0922-node1 ntpd[22239]: ntpd 4.2.6p5@1.2349-o Wed Oct  9 19:08:06 UTC 2013 (1)
Sep 26 12:14:29 jd-0922-node1 ntpd[22239]: proto: precision = 0.115 usec
Sep 26 12:14:29 jd-0922-node1 kernel: [173176.189773] type=1400 audit(1411758869.717:48): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=22239 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 26 12:14:29 jd-0922-node1 kernel: [173176.189779] type=1400 audit(1411758869.717:49): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=22239 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 26 12:14:29 jd-0922-node1 ntpd[22239]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
Sep 26 12:14:29 jd-0922-node1 ntpd[22239]: unable to bind to wildcard address 0.0.0.0 - another process may be running - EXITING
```

jonderry
  • There hasn't been a good reason to do this for many years now. The ntp service handles this case already. (You may want to specify appropriate options, such as `-g`.) – David Schwartz Sep 24 '14 at 02:52
  • Is there a way to synchronously update the time via `ntp` to ensure the clock is corrected before proceeding? – jonderry Sep 24 '14 at 06:07
  • Yes. Start `ntp` and then wait for it to report that it is synchronized. There used to be a tool called [ntp-wait](http://linux.die.net/man/8/ntp-wait) for this. It was a fairly [trivial perl script](https://stuff.mit.edu/afs/athena/system/amd64_deb50/os/usr/sbin/ntp-wait). – David Schwartz Sep 24 '14 at 06:26
  • This doesn't work for me. It just loops forever complaining of "Connection refused", even though `ntpdate` works. – jonderry Sep 24 '14 at 21:58
  • You have to bring it up to date. Modify the `$cmd` line to what is appropriate for your platform. – David Schwartz Sep 24 '14 at 22:01
  • I meant that I tried it but I still receive an error (i.e., still haven't resolved the root problem). – jonderry Sep 27 '14 at 05:26

1 Answer

It sounds like your clock is off by more than the panic threshold. However, this does not explain why multiple ntpdate invocations would fix things. To be honest, I cannot think of any error that would be overcome by multiple ntpdate invocations.

Regardless, ntpdate has been deprecated. I think that the most likely explanation is that your clock exceeds the panic threshold. You need to supply the `-g` option to ntpd when it starts up. Edit `/etc/default/ntp` and make sure the following line is present:

 NTPD_OPTS='-g'

Docs for `-g`:

-g  Normally, ntpd  exits with  a message  to the  system log  if
    the  offset exceeds  the  panic  threshold, which  is  1000 s  by
    default.  This  option allows  the time  to be  set to  any value
    without restriction; however, this can  happen only once.  If the
    threshold is exceeded  after that, ntpd will exit  with a message
    to the system log.  This option  can be used with the -q and -x
    options.

It would be easier to make a recommendation if you listed the actual error messages that you received with ntpdate. Is there any chance you saw something about slew instead of skew?

UPDATE:

You are not starting/stopping ntpd correctly. The reason it could not bind to the address when you used sudo is because ntpd was already running. I did not suggest that you use `sudo ntpd -g -q`. To be honest, I never mentioned `-q` at all, and I have no idea why you do not want to run ntpd continuously. Using the one-shot clock correction and quit is a bad idea. I really think you need to assess why you think this one-time mode is preferable to running ntpd continuously.

Without further ado:

  1. Edit /etc/default/ntp and make sure it has NTPD_OPTS='-g'
  2. Restart the ntp service: sudo service ntp restart
  3. Enjoy accurate time

I say this with all due respect and a sincere desire to help you out: It seems like you are new to Linux administration in general and are not at all familiar with ntpd. So I would like to strongly urge you to rethink why you only want ntpd to set the clock once and then quit. This is far from best practices. In my experience, if I ever think I need to do something counter to best practices, I like to make sure I am confident that my situation is dramatically different from the rest of the world. Once you have ntpd set up correctly, it will discipline your clock and you will never need to worry about it. Your clock will slowly stray from UTC if you do the one-shot deal.

dfc
  • If ntpdate is deprecated is there another solution to quickly set date based on ntp? Solutions proposed have included ntpq, but these are all very slow compared to ntpdate, which typically syncs the date in a matter of milliseconds when configured to use one sample (very good for a fast bootstrap process for a new machine with a clock that may be far off initially -- even if it's off by up to ~10ms or so initially). – jonderry Sep 26 '14 at 18:50
  • `ntpd -g` will set your clock "to any value without restriction" upon bootup. After that ntpd will quietly run in the background and discipline the clock. Trust me you want `ntpd -g` – dfc Sep 26 '14 at 18:56
  • I added an edit to the question. For some reason `ntpd` doesn't seem to work (complaint seems to be `unable to bind to wildcard address 0.0.0.0`). – jonderry Sep 26 '14 at 19:44
  • So you never mentioned that you had installed ntp from source or that you have AppArmor turned on without an appropriate profile for ntpd. Why did you not use the ntpd provided by Ubuntu? – dfc Sep 26 '14 at 23:56
  • I need to check, but I think whatever version I'm using is standard with an Ubuntu 14.04 install or at least the default apt repositories. I don't recall doing anything "non-default" with regard to ntp-related installation. – jonderry Sep 27 '14 at 05:34
  • My mistake, I was trying to respond while running out the door. The binary is /usr/sbin/ntpd, so it is probably the default Ubuntu installation. However, it still does not make any sense why the AppArmor profile is complaining about /usr/local. I updated my answer. – dfc Sep 27 '14 at 05:43
  • BTW, I do want to run ntp continuously. However, I also want to run it synchronously when the machine is started for the first time. The reason for this is that other services need to start after this, and they must not have a badly incorrect time when they are run. Hence, I want to sync the clock once, and then continue to keep it in sync in the background. If I only keep it in sync in the background, I don't know when it is safe to start the other services that depend on the time being correct. – jonderry Sep 28 '14 at 19:41
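
The "start ntp, then wait for it to report that it is synchronized" approach from the comments, sketched as an added example that is not part of the original posts or the ntp-wait script itself. It assumes `ntpq -c "rv 0"` reports the leap indicator as `leap_*` codes; the function names and the `NTPQ` override are hypothetical, introduced only for this example.

```shell
#!/bin/sh
# Added example: gate bootstrap on ntpd reporting a synchronized clock.
# Assumes ntpd is already running with -g (NTPD_OPTS='-g').

# Classify the text printed by `ntpq -c "rv 0"`.
# Prints one of: synced, unsynced, unreachable.
ntp_sync_state() {
    case "$1" in
        # ntpd not up yet (or not answering): keep waiting.
        ""|*"Connection refused"*|*"timed out"*) echo unreachable ;;
        # Leap indicator "alarm" means the clock is not synchronized.
        *leap_alarm*) echo unsynced ;;
        # Any normal leap indicator means ntpd has set the clock.
        *leap_none*|*leap_add_sec*|*leap_del_sec*) echo synced ;;
        # Anything unrecognized is treated as not yet safe.
        *) echo unsynced ;;
    esac
}

# Poll until synced. $1 = max tries (default 60), $2 = delay in seconds.
# Returns 0 once synchronized, 1 if the tries run out.
# NTPQ (assumption of this example) lets a different command be substituted.
wait_for_ntp_sync() {
    tries=${1:-60}
    delay=${2:-2}
    i=0
    while [ "$i" -lt "$tries" ]; do
        out=$(${NTPQ:-ntpq} -c "rv 0" 2>&1)
        if [ "$(ntp_sync_state "$out")" = synced ]; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Typical bootstrap use (not executed here):
#   sudo service ntp restart
#   wait_for_ntp_sync 60 2 || { echo "clock not synchronized" >&2; exit 1; }
#   ...start the services that depend on correct time...
```

Failing the bootstrap when the wait times out keeps time-dependent services from starting on a badly wrong clock.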