1NTPD(8) NTPsec NTPD(8)
2
3
4
6 ntpd - Network Time Protocol service daemon
7
9 ntpd
10 [-46agGhLmnNqx] [assert] [-c conffile] [-f driftfile]
11 [-i jaildir] [-k keyfile] [-l logfile] [-p pidfile]
12 [-P priority] [-s statsdir] [-t key]
13 [-u user[:'group']] [-U interface_update_interval]
14 [-v variable] [-V variable] [server...]
15
17 The ntpd utility is an operating system daemon which sets and maintains
18 the system time of day in synchronism with Internet standard time
19 servers. It is a complete implementation of the Network Time Protocol
20 (NTP) version 4, as defined by RFC 5905, but also retains compatibility
21 with version 3, as defined by RFC 1305, and versions 1 and 2, as
22 defined by RFC 1059 and RFC 1119, respectively.
23
24 The ntpd utility can synchronize time to a theoretical precision of
25 about 232 picoseconds. In practice, this limit is unattainable due to
26 quantum limits on the clock speed of ballistic-electron logic.
27
28 Ordinarily, ntpd reads the ntp.conf(5) configuration file at startup
29 time in order to determine the synchronization sources and operating
30 modes. It is also possible to specify a working, although limited,
31 configuration entirely on the command line, obviating the need for a
32 configuration file.
33
34 The ntpd program normally operates continuously while adjusting the
35 system time and frequency, but in some cases this might not be
36 practical. With the -q option ntpd operates as in continuous mode, but
37 exits just after setting the clock for the first time. Most
38 applications will probably want to specify the iburst option with the
39 server command. With this option, a volley of messages is exchanged to
40 groom the data and set the clock in about ten seconds. With -q, if
41 nothing is heard after a few minutes, the daemon times out and exits
42 without setting the clock.
43
44 Various internal ntpd variables can be displayed and configuration
45 options altered while the ntpd is running using the ntpq(1) utility
46 program. The state of ntpd can be continuously monitored using
47 ntpmon(1).
48
49 When ntpd starts it looks at the value of umask(2), and if zero ntpd
50 will set the umask(2) to 022.
51
53 -4, --ipv4
54 Force IPv4 DNS name resolution. This option must not appear in
55 combination with any of the following options: ipv6.
56
57 Force DNS resolution of following host names on the command line to
58 the IPv4 namespace.
59
60 -6, --ipv6
61 Force IPv6 DNS name resolution. This option must not appear in
62 combination with any of the following options: ipv4.
63
64 Force DNS resolution of following host names on the command line to
65 the IPv6 namespace.
66
67 -a, --assert
68 REQUIRE(false) to test assert handler.
69
70 -c string, --configfile=string
71 configuration file name.
72
73 The name and path of the configuration file, /etc/ntp.conf by
74 default.
75
76 -d, --debug-level
77 Increase debug verbosity level. This option may appear an unlimited
78 number of times.
79
80 -D number, --set-debug-level=number
81 Set the debug verbosity level. This option may appear an unlimited
82 number of times. This option takes an integer number as its
83 argument.
84
85 -f string, --driftfile=string
86 frequency drift file name.
87
88 The name and path of the frequency file, e.g. /etc/ntp.drift. This
89 is the same operation as the driftfile configuration specification
90 in the /etc/ntp.conf file.
91
92 -g, --panicgate
93 Allow the first adjustment to be big. This option may appear an
94 unlimited number of times.
95
96 Normally, ntpd exits with a message to the system log if the offset
97 exceeds the panic threshold, which is 1000 s by default. This
98 option allows the time to be set to any value without restriction;
99 however, this can happen only once. If the threshold is exceeded
100 after that, ntpd will exit with a message to the system log. This
101 option can be used with the -q and -x options. See the tinker
102 configuration file directive for other options.
103
104 -G
105 Step any initial offset correction.
106
107 Normally, ntpd steps the time if the time offset exceeds the step
108 threshold, which is 128 ms by default, and otherwise slews the
109 time. This option forces the initial offset correction to be
110 stepped, so the highest time accuracy can be achieved quickly.
111 However, this may also cause the time to be stepped back so this
112 option must not be used if applications requiring monotonic time
113 are running. See the tinker configuration file directive for other
114 options.
115
116 -h, --help
117 Print a usage message summarizing options and exit.
118
119 -i string, --jaildir=string
120 Jail directory.
121
122 Chroot the server to the directory jaildir This option also implies
123 that the server attempts to drop root privileges at startup. You
124 may need to also specify a -u option. This option is only available
125 if the OS supports adjusting the clock without full root
126 privileges. This option is supported under Linux, NetBSD, and
127 Solaris.
128
129 -I iface, --interface=iface
130 Listen on an interface name or address. This option may appear an
131 unlimited number of times.
132
133 Open the network address given, or all the addresses associated
134 with the given interface name. This option may appear multiple
135 times. This option also implies not opening other addresses, except
136 wildcard and localhost. This option is deprecated. Please consider
137 using the configuration file interface command, which is more
138 versatile.
139
140 -k string, --keyfile=string
141 the path to symmetric keys.
142
143 Specify the name and path of the symmetric key file. /etc/ntp.keys
144 is a common location. This is the same operation as the keys
145 configuration file directive.
146
147 -l string, --logfile=string
148 the path to the log file.
149
150 Specify the name and path of the log file. The default is the
151 system log file. This is the same operation as the logfile
152 configuration file directive. See ntp.conf(5) for more info.
153
154 -L, --novirtualips
155 Do not listen to virtual interfaces.
156
157 Do not listen to virtual interfaces, defined as those with names
158 containing a colon. This option is deprecated. Please consider
159 using the configuration file interface command, which is more
160 versatile.
161
162 -m, --mdns
163 Register with mDNS as an NTP server.
164
165 Registers as an NTP server with the local mDNS server which allows
166 the server to be discovered via mDNS client lookup.
167
168 -n, --nofork
169 Do not fork. This option must not appear in combination with any of
170 the following options: wait-sync.
171
172 -N, --nice
173 Run at high priority.
174
175 To the extent permitted by the operating system, run ntpd at the
176 highest priority.
177
178 -p string, --pidfile=string
179 the path to the PID file.
180
181 Specify the name and path of the file used to record ntpd’s process
182 ID. This is the same operation as the pidfile configuration file
183 directive.
184
185 -P number, --priority=number
186 Process priority. This option takes an integer number as its
187 argument.
188
189 To the extent permitted by the operating system, run ntpd at the
190 specified pthread_setschedparam(SCHED_FIFO) priority.
191
192 -q, --quit
193 Set the time and quit. This option must not appear in combination
194 with wait-sync.
195
196 ntpd will not daemonize and will exit after the clock is first
197 synchronized. This behavior mimics that of the old ntpdate program,
198 which has been replaced with a shell script. The -g and -x options
199 can be used with this option. Note: The kernel time discipline is
200 disabled with this option.
201
202 -s string, --statsdir=string
203 Statistics file location.
204
205 Specify the directory path for files created by the statistics
206 facility. This is the same operation as the statsdir configuration
207 file directive.
208
209 -t tkey, --trustedkey=tkey
210 Trusted key number. This option may appear an unlimited number of
211 times.
212
213 Add the specified key number to the trusted key list.
214
215 -u string, --user=string
216 Run as userid (or userid:groupid).
217
218 Specify a user, and optionally a group, to switch to. The user and
219 group may be specified by name or numeric id. If no group is
220 specified, then the default group for userid is used. This option
221 is only available if the OS supports adjusting the clock without
222 full root privileges. This option is supported under Linux, NetBSD,
223 Solaris and other OS.
224
225 -U number, --updateinterval=number
226 interval in seconds between scans for new or dropped interfaces.
227 This option takes an integer number as its argument.
228
229 Give the time in seconds between two scans for new or dropped
230 interfaces. For systems with routing socket support, the scans will
231 be performed shortly after the interface change has been detected
232 by the system. Use 0 to disable scanning. 60 seconds is the minimum
233 time between scans.
234
235 -w number, --wait-sync=number
236 Seconds to wait for first clock sync. This option must not appear
237 in combination with any of the following options: nofork, quit.
238 This option takes an integer number as its argument.
239
240 If greater than zero alters ntpd’s behavior when forking to
241 daemonize. Instead of exiting with status 0 immediately after the
242 fork, the parent waits up to the specified number of seconds for
243 the child to first synchronize the clock. The exit status is zero
244 (success) if the clock was synchronized; otherwise, it is
245 ETIMEDOUT. This provides the option for a script starting ntpd to
246 easily wait for the first set of the clock before proceeding.
247
248 -x, --slew
249 Slew up to 600 seconds.
250
251 Normally, the time is slewed if the offset is less than the step
252 threshold, which is 128 ms by default, and stepped if above the
253 threshold. This option sets the threshold to 600 s, which is well
254 within the accuracy window to set the clock manually. Note: Since
255 the slew rate of typical Unix kernels is limited to 0.5 ms/s, each
256 second of adjustment requires an amortization interval of 2000 s.
257 Thus, an adjustment as much as 600 s will take almost 14 days to
258 complete. This option can be used with the -g and -q options. See
259 the tinker configuration file directive for other options. Note:
260 The kernel time discipline is disabled with this option.
261
262 -z nvar, --var=nvar
263 make ARG an ntp variable (RW). This option may appear an unlimited
264 number of times.
265
266 -Z nvar, --dvar=ndvar
267 make ARG an ntp variable (RW|DEF). This option may appear an
268 unlimited number of times.
269
270 -V, --version
271 Output version of program and exit.
272
273 Any arguments given after options are interpreted as server addresses
274 or hostnames, with the iburst option implied. Associations with these
275 are formed before any associations implied by the configuration file.
276
278 How NTP Operates
279 The ntpd utility operates by exchanging messages with one or more
280 configured servers over a range of designated poll intervals. When
281 started, whether for the first or subsequent times, the program
282 requires several exchanges from the majority of these servers so the
283 signal processing and mitigation algorithms can accumulate and groom
284 the data and set the clock. In order to protect the network from
285 bursts, the initial poll interval for each server is delayed an
286 interval randomized over a few seconds. At the default initial poll
287 interval of 64s, several minutes can elapse before the clock is set.
288 This initial delay to set the clock can be safely and dramatically
289 reduced using the iburst keyword with the server configuration command,
290 as described in ntp.conf(5).
291
292 Most operating systems and hardware of today incorporate a time-of-year
293 (TOY) chip to maintain the time during periods when the power is off.
294 When the machine is booted, the chip is used to initialize the
295 operating system time. After the machine has synchronized to an NTP
296 server, the operating system corrects the chip from time to time. In
297 the default case, if ntpd detects that the time on the host is more
298 than 1000s from the server time, ntpd assumes something must be
299 terribly wrong, and the only reliable action is for the operator to
300 intervene and set the clock by hand. (Reasons for this include there is
301 no TOY chip, or its battery is dead, or that the TOY chip is just of
302 poor quality.) This causes ntpd to exit with a panic message to the
303 system log. The -g option overrides this check, and the clock will be
304 set to the server time regardless of the chip time (up to 68 years in
305 the past or future — this is a limitation of the NTPv4 protocol).
306 However, and to protect against broken hardware, such as when the CMOS
307 battery fails or the clock counter becomes defective, once the clock
308 has been set an error greater than 1000s will cause ntpd to exit
309 anyway.
310
311 Under ordinary conditions, ntpd adjusts the clock in small steps so
312 that the timescale is effectively continuous and without
313 discontinuities. Under conditions of extreme network congestion, the
314 roundtrip delay jitter can exceed three seconds and the synchronization
315 distance, which is equal to one-half the roundtrip delay plus error
316 budget terms, can become very large. The ntpd algorithms discard sample
317 offsets exceeding 128 ms, unless the interval during which no sample
318 offset is less than 128 ms exceeds 900s. The first sample after that,
319 no matter what the offset, steps the clock to the indicated time. In
320 practice, this reduces the false alarm rate where the clock is stepped
321 in error to a vanishingly low incidence.
322
323 As the result of this behavior, once the clock has been set it very
324 rarely strays more than 128 ms even under extreme cases of network path
325 congestion and jitter. Sometimes, in particular, when ntpd is first
326 started without a valid drift file on a system with a large intrinsic
327 drift the error might grow to exceed 128 ms, which would cause the
328 clock to be set backwards if the local clock time is more than 128 ms
329 in the future relative to the server. In some applications, this
330 behavior may be unacceptable. There are several solutions, however. If
331 the -x option is included on the command line, the clock will never be
332 stepped and only slew corrections will be used. But this choice comes
333 at a cost that should be carefully explored before deciding to use the
334 -x option. The maximum slew rate possible is limited to 500
335 parts-per-million (PPM) as a consequence of the correctness principles
336 on which the NTP protocol and algorithm design are based. As a result,
337 the local clock can take a long time to converge to an acceptable
338 offset, about 2,000 s for each second the clock is outside the
339 acceptable range. During this interval, the local clock will not be
340 consistent with any other network clock and the system cannot be used
341 for distributed applications that require correctly synchronized
342 network time.
343
344 In spite of the above precautions, sometimes when large frequency
345 errors are present the resulting time offsets stray outside the 128-ms
346 range and an eventual step or slew time correction is required. If
347 following such a correction the frequency error is so large that the
348 first sample is outside the acceptable range, ntpd enters the same
349 state as when the ntp.drift file is not present. The intent of this
350 behavior is to quickly correct the frequency and restore operation to
351 the normal tracking mode. In the most extreme cases, there may be
352 occasional step/slew corrections and subsequent frequency corrections.
353 It helps in these cases to use the burst keyword when configuring the
354 server, but ONLY when you have permission to do so from the owner of
355 the target host.
356
357 Finally, in the past, many startup scripts would run a separate utility
358 to get the system clock close to correct before starting ntpd(8), but
359 this was never more than a mediocre hack and is no longer needed. If
360 you are following the best current practice <#starting> and you still
361 need to set the system time before starting ntpd, please open a bug
362 report and document what is going on, and then look at using ntpdig(1).
363
364 There is a way to start ntpd(8) that often addresses all of the
365 problems mentioned above.
366
367 Starting NTP (Best Current Practice)
368 First, use the iburst option on your server and pool entries.
369
370 If you can also keep a good ntp.drift file then ntpd(8) will
371 effectively "warm-start" and your system’s clock will be stable in
372 under 11 seconds' time.
373
374 As soon as possible in the startup sequence, start ntpd(8) with at
375 least the -g and perhaps the -N options. Then, start the rest of your
376 "normal" processes. This will give ntpd(8) as much time as possible to
377 get the system’s clock synchronized and stable.
378
379 Finally, if you have processes like dovecot or database servers that
380 require monotonically-increasing time, run ntpwait(8) as late as
381 possible in the boot sequence (perhaps with the -v flag) and after
382 ntpwait(8) exits successfully it is as safe as it will ever be to start
383 any processes that require stable time.
384
385 Frequency Discipline
386 The ntpd behavior at startup depends on whether the frequency file,
387 usually ntp.drift, exists. This file contains the latest estimate of
388 clock frequency error. When the ntpd is started and the file does not
389 exist, the ntpd enters a special mode designed to quickly adapt to the
390 particular system clock oscillator time and frequency error. This takes
391 approximately 15 minutes, after which the time and frequency are set to
392 nominal values and the ntpd enters normal mode, where the time and
393 frequency are continuously tracked relative to the server. After one
394 hour the frequency file is created and the current frequency offset
395 written to it. When the ntpd is started and the file does exist, the
396 ntpd frequency is initialized from the file and enters normal mode
397 immediately. After that, the current frequency offset is written to the
398 file at hourly intervals.
399
400 Operating Modes
401 ntpd normally operates continuously while monitoring for small changes
402 in frequency and trimming the clock for the ultimate precision.
403 However, it can operate in a one-time mode where the time is set from
404 an external server and frequency is set from a previously recorded
405 frequency file.
406
407 By default, ntpd runs in continuous mode where each of possibly several
408 external servers is polled at intervals determined by an intricate
409 state machine. The state machine measures the incidental roundtrip
410 delay jitter and oscillator frequency wander and determines the best
411 poll interval using a heuristic algorithm. Ordinarily, and in most
412 operating environments, the state machine will start with 64s intervals
413 and eventually increase in steps to 1024s. A small amount of random
414 variation is introduced in order to avoid bunching at the servers. In
415 addition, should a server become unreachable for some time, the poll
416 interval is increased in steps to 1024s in order to reduce network
417 overhead.
418
419 In some cases, it may not be practical for ntpd to run continuously.
420 The -q option is provided to support running ntpd periodically from a
421 cron(8) job. Setting this option will cause ntpd to exit just after
422 setting the clock for the first time. The procedure for initially
423 setting the clock is the same as in continuous mode; most applications
424 will probably want to specify the iburst keyword with the server
425 configuration command. With this keyword, a volley of messages are
426 exchanged to groom the data and the clock is set in about 10 sec. If
427 nothing is heard after a couple of minutes, the daemon times out and
428 exits.
429
430 When kernel support is available to discipline the clock frequency,
431 which is the case for stock Solaris, Linux, and FreeBSD, a useful
432 feature is available to discipline the clock frequency. First, ntpd is
433 run in continuous mode with selected servers in order to measure and
434 record the intrinsic clock frequency offset in the frequency file. It
435 may take some hours for the frequency and offset to settle down. Then
436 the ntpd is stopped and run in one-time mode as required. At each
437 startup, the frequency is read from the file and initializes the kernel
438 frequency.
439
440 Poll Interval Control
441 This version of NTP includes an intricate state machine to reduce the
442 network load while maintaining a quality of synchronization consistent
443 with the observed jitter and wander. There are a number of ways to
444 tailor the operation in order enhance accuracy by reducing the interval
445 or to reduce network overhead by increasing it. However, the user is
446 advised to carefully consider the consequences of changing the poll
447 adjustment range from the default minimum of 64 s to the default
448 maximum of 1,024 s. The default minimum can be changed with the tinker
449 minpoll command to a value not less than 16 s. This value is used for
450 all configured associations, unless overridden by the minpoll option on
451 the configuration command. Note that most device drivers will not
452 operate properly if the poll interval is less than 64 s and that the
453 broadcast server and manycast client associations will also use the
454 default unless overridden.
455
456 In some cases involving dial up or toll services, it may be useful to
457 increase the minimum interval to a few tens of minutes and maximum
458 interval to a day or so. Under normal operation conditions, once the
459 clock discipline loop has stabilized the interval will be increased in
460 steps from the minimum to the maximum. However, this assumes the
461 intrinsic clock frequency error is small enough for the discipline loop
462 correct it. The capture range of the loop is 500 PPM at an interval of
463 64s decreasing by a factor of two for each doubling of the interval. At
464 a minimum of 1,024 s, for example, the capture range is only 31 PPM. If
465 the intrinsic error is greater than this, the drift file ntp.drift will
466 have to be specially tailored to reduce the residual error below this
467 limit. Once this is done, the drift file is automatically updated once
468 per hour and is available to initialize the frequency on subsequent
469 daemon restarts.
470
471 The huff-n'-puff Filter
472 In scenarios where a considerable amount of data are to be downloaded
473 or uploaded over telephone modems, timekeeping quality can be seriously
474 degraded. This occurs because the differential delays on the two
475 directions of transmission can be quite large. In many cases, the
476 apparent time errors are so large as to exceed the step threshold and a
477 step correction can occur during and after the data transfer is in
478 progress.
479
480 The huff-n'-puff filter is designed to correct the apparent time offset
481 in these cases. It depends on knowledge of the propagation delay when
482 no other traffic is present. In common scenarios, this occurs during
483 other than work hours. The filter maintains a shift register that
484 remembers the minimum delay over the most recent interval measured
485 usually in hours. Under conditions of severe delay, the filter corrects
486 the apparent offset using the sign of the offset and the difference
487 between the apparent delay and minimum delay. The name of the filter
488 reflects the negative (huff) and positive (puff) correction, which
489 depends on the sign of the offset.
490
491 The filter is activated by the tinker command and huffpuff keyword, as
492 described in ntp.conf(5).
493
495 ┌─────────────────┬───────────────────┬────────┬─────────────┐
496 │ │ │ │ │
497 │File │ Default │ Option │ Option │
498 ├─────────────────┼───────────────────┼────────┼─────────────┤
499 │ │ │ │ │
500 │configuration │ /etc/ntp.conf │ -c │ conffile │
501 │file │ │ │ │
502 ├─────────────────┼───────────────────┼────────┼─────────────┤
503 │ │ │ │ │
504 │configuration │ /etc/ntp.d │ -c │ conffile │
505 │directory │ │ │ │
506 ├─────────────────┼───────────────────┼────────┼─────────────┤
507 │ │ │ │ │
508 │frequency file │ none │ -f │ driftfile │
509 ├─────────────────┼───────────────────┼────────┼─────────────┤
510 │ │ │ │ │
511 │leapseconds file │ none │ │ leapfile │
512 ├─────────────────┼───────────────────┼────────┼─────────────┤
513 │ │ │ │ │
514 │process ID file │ none │ -p │ pidfile │
515 ├─────────────────┼───────────────────┼────────┼─────────────┤
516 │ │ │ │ │
517 │log file │ system log │ -l │ logfile │
518 ├─────────────────┼───────────────────┼────────┼─────────────┤
519 │ │ │ │ │
520 │include file │ none │ none │ includefile │
521 ├─────────────────┼───────────────────┼────────┼─────────────┤
522 │ │ │ │ │
523 │statistics path │ /var/log/ntpstats │ -s │ statsdir │
524 ├─────────────────┼───────────────────┼────────┼─────────────┤
525 │ │ │ │ │
526 │keys file │ none │ -k │ keys │
527 └─────────────────┴───────────────────┴────────┴─────────────┘
528
529 Configuration files are parsed according to the following rules:
530
531 1. The plain config file (normally /etc/ntp.conf but the path can be
532 overridden by the -c option) is read first if it exists.
533
534 2. Then the configuration directory, if it exists, is scanned.
535 Normally this directory is /etc/ntp.d, but if the -c option is
536 specified the /etc will be specified by the directory name of the
537 -c argument.
538
539 3. Each file beneath the configuration directory with the extension
540 ".conf" is interpreted. Files are interpreted in ASCII sort order
541 of their pathnames. Files with other extensions or no extensions
542 are ignored.
543
545 SIGQUIT, SIGINT, and SIGTERM will cause ntpd to clean up and exit.
546
547 SIGHUP checks various things that would otherwise require restarting
548 ntpd.
549
550 It will reopen the log file if it has changed and check for a new
551 leapseconds file if one was specified.
552
553 If the NTS server is enabled, it will reload the certificate file if it
554 has changed. (It doesn’t check for a new key file, but reloads it when
555 it reloads the certificate file.)
556
557 It will also retry any pending DNS or NTS lookups.
558
559 On most systems, you can send SIGHUP to ntpd with
560
561 # killall -HUP ntpd
562
563 If built with debugging enabled (waf configured with --enable-debug)
564 SIGUSR1 will increase the debug level by 1 and SIGUSR2 will decrease it
565 by 1. This may be helpful if you are running with -n, either just to
566 see the logging on your screen or with gdb.
567
569 The -V option is not backward-compatible with its use (as the
570 equivalent of -Z) in older versions.
571
573 RFC 1059
574 David L. Mills, Network Time Protocol (Version 1), RFC 1059
575
576 RFC 1119
577 David L. Mills, Network Time Protocol (Version 2), RFC 1119
578
579 RFC 1305
580 David L. Mills, Network Time Protocol (Version 3), RFC 1305
581
582 RFC 5905
583 David L. Mills and J. Martin, Ed. and J. Burbank and W. Kasch,
584 Network Time Protocol Version 4: Protocol and Algorithms
585 Specification, RFC 5905
586
587 RFC 5907
588 H. Gerstung and C. Elliott and B. Haberman, Ed., Definitions
589 of Managed Objects for Network Time Protocol Version 4: (NTPv4),
590 RFC 5907
591
592 RFC 5908
593 R. Gayraud and B. Lourdelet, Network Time Protocol (NTP)
594 Server Option for DHCPv6, RFC 5908
595
597 One of the following exit values will be returned:
598
599 0 (EXIT_SUCCESS)
600 Successful program execution.
601
602 1 (EXIT_FAILURE)
603 Execution failed - examine system logfiles.
604
606 ntp.conf(5), ntpq(1), ntpdig(1).
607
608
609
610NTPsec 2021-02-01 NTPD(8)