OpenNTPD

From ArchWiki

Related articles

OpenNTPD (part of the OpenBSD project) is a daemon that can be used to synchronize the system clock to internet time servers using the Network Time Protocol, and can also act as a time server itself if needed. It implements the Simple Network Time Protocol version 4, as described in RFC:5905, and the Network Time Protocol version 3, as described in RFC:1305.

Installation

Install the openntpd package. The default configuration is actually usable if all you want is to sync the time of the local computer.

Configuration

To configure OpenNTPD, you need to edit /etc/ntpd.conf. See ntpd.conf(5) for all available options.

Tip: After configuring, check the configuration file for validity by executing: 
$ ntpd -n

Client

This article or section needs expansion.

Reason: Document HTTPS constraints. (Discuss in Talk:OpenNTPD)

To sync to a single particular server, edit the server directive. 

/etc/ntpd.conf
server time.cloudflare.com

The servers directive works the same as the server directive. However, if the DNS name resolves to multiple IP address, all of them will be synced to. The default, 2.arch.pool.ntp.org, is working and should be acceptable in most cases. You can find the server's URL in your area at www.pool.ntp.org/zone/@. 

/etc/ntpd.conf
servers 2.arch.pool.ntp.org

Any number of server or servers directives may be used.

Server

If you want the computer you run OpenNTPD on to also be a time server, simply uncomment and edit the "listen" directive.

For example: 

/etc/ntpd.conf
listen on *

will listen on all interfaces, and 

/etc/ntpd.conf
listen on 127.0.0.1
listen on ::1

will only listen on the loopback interface.

Your time server will only begin to serve time after it has synchronized itself to a high resolution. This may take hours, or days, depending on the accuracy of your system.

Usage

Start OpenNTPD at boot

Enable openntpd.service.

Making openntpd dependent upon network access

If you have intermittent network access (you roam around on a laptop, you use dial-up, etc.), it does not make sense to have openntpd running as a system daemon on start up. Here are a few ways you can control openntpd based on the presence of a network connection.

Using NetworkManager dispatcher

OpenNTPD can be brought up/down along with a network connection through the use of NetworkManager's dispatcher scripts.

Install networkmanager-dispatcher-openntpdAUR.

Using dhclient hooks

This article or section needs expansion.

Reason: hook example needed (Discuss in Talk:OpenNTPD)

Another possibility is to use dhclient hooks to start and stop openntpd. When dhclient detects a change in state, it will run the following scripts:

  • /etc/dhclient-enter-hooks
  • /etc/dhclient-exit-hooks

See dhclient-script(8).

Using dhcpcd hooks

/etc/dhcpcd.exit-hook
if $if_up; then
	systemctl start openntpd.service
elif $if_down; then
	systemctl stop openntpd.service
fi

See dhcpcd-run-hooks(8).

Troubleshooting

Error adjusting time

If you find your time set incorrectly and in the log, you see: 

openntpd adjtime failed: Invalid argument

Try: 

# ntpd -d

This is also how you would manually sync your system.

constraint: failed to load constraint ca

OpenNTPD will fail to start on a system with AppArmor if HTTPS constraints are configured in /etc/ntpd.conf. The journal will show constraint: failed to load constraint ca.

This is because AppArmor's usr.sbin.ntpd profile does not have read access to LibreSSL's CA certificate file /etc/libressl/cert.pem.[1]

The solution is to grant access with a local override: 

/etc/apparmor.d/local/usr.sbin.ntpd
...
/etc/libressl/{,cert.pem} r,

After editing, reload the AppArmor profile: 

# apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd

See also