ntpd(8)                     System Manager's Manual                    ntpd(8)

NAME

       ntpd - Network Time Protocol (NTP) daemon

SYNOPSIS

       ntpd [ -46aAbdDgLmnNqx ] [ -c conffile ] [ -f driftfile ] [ -i jaildir ]
       [ -I iface ] [ -k keyfile ] [ -l logfile ] [ -p pidfile ] [ -P priority ]
       [ -r broadcastdelay ] [ -s statsdir ] [ -t key ] [ -u user[:group] ]
       [ -U interface_update_interval ] [ -v variable ] [ -V variable ]

DESCRIPTION

       The ntpd program is an operating system daemon which sets and maintains
       the system time of day in synchronism with Internet standard time
       servers. It is a complete implementation of the Network Time Protocol
       (NTP) version 4, but also retains compatibility with version 3, as
       defined by RFC-1305, and version 1 and 2, as defined by RFC-1059 and
       RFC-1119, respectively. ntpd does most computations in 64-bit floating
       point arithmetic and does relatively clumsy 64-bit fixed point
       operations only when necessary to preserve the ultimate precision,
       about 232 picoseconds. While the ultimate precision is not achievable
       with ordinary workstations and networks of today, it may be required
       with future gigahertz CPU clocks and gigabit LANs.

HOW NTP OPERATES

       The ntpd program operates by exchanging messages with one or more
       configured servers at designated poll intervals. When started, whether
       for the first or subsequent times, the program requires several
       exchanges from the majority of these servers so the signal processing
       and mitigation algorithms can accumulate and groom the data and set the
       clock. In order to protect the network from bursts, the initial poll
       interval for each server is delayed an interval randomized over a few
       seconds. At the default initial poll interval of 64s, several minutes
       can elapse before the clock is set. The initial delay to set the clock
       can be reduced using the iburst keyword with the server configuration
       command, as described on the Configuration Options page.

       Most operating systems and hardware of today incorporate a time-of-year
       (TOY) chip to maintain the time during periods when the power is off.
       When the machine is booted, the chip is used to initialize the
       operating system time. After the machine has synchronized to an NTP
       server, the operating system corrects the chip from time to time. In
       case there is no TOY chip or for some reason its time is more than
       1000s from the server time, ntpd assumes something must be terribly
       wrong and the only reliable action is for the operator to intervene and
       set the clock by hand. This causes ntpd to exit with a panic message to
       the system log. The -g option overrides this check and the clock will
       be set to the server time regardless of the chip time. However, and to
       protect against broken hardware, such as when the CMOS battery fails or
       the clock counter becomes defective, once the clock has been set, an
       error greater than 1000s will cause ntpd to exit anyway.

       Under ordinary conditions, ntpd adjusts the clock in small steps so
       that the timescale is effectively continuous and without
       discontinuities. Under conditions of extreme network congestion, the
       roundtrip delay jitter can exceed three seconds and the synchronization
       distance, which is equal to one-half the roundtrip delay plus error
       budget terms, can become very large. The ntpd algorithms discard sample
       offsets exceeding 128 ms, unless the interval during which no sample
       offset is less than 128 ms exceeds 900s. The first sample after that,
       no matter what the offset, steps the clock to the indicated time. In
       practice this reduces the false alarm rate where the clock is stepped
       in error to a vanishingly low incidence.

       As the result of this behavior, once the clock has been set, it very
       rarely strays more than 128 ms, even under extreme cases of network
       path congestion and jitter. Sometimes, in particular when ntpd is first
       started, the error might exceed 128 ms. This may on occasion cause the
       clock to be set backwards if the local clock time is more than 128 s in
       the future relative to the server. In some applications, this behavior
       may be unacceptable. If the -x option is included on the command line,
       the clock will never be stepped and only slew corrections will be used.

       The issues should be carefully explored before deciding to use the -x
       option. The maximum slew rate possible is limited to 500
       parts-per-million (PPM) as a consequence of the correctness principles
       on which the NTP protocol and algorithm design are based. As a result,
       the local clock can take a long time to converge to an acceptable
       offset, about 2,000 s for each second the clock is outside the
       acceptable range. During this interval the local clock will not be
       consistent with any other network clock and the system cannot be used
       for distributed applications that require correctly synchronized
       network time.

       In spite of the above precautions, sometimes when large frequency
       errors are present the resulting time offsets stray outside the 128-ms
       range and an eventual step or slew time correction is required. If
       following such a correction the frequency error is so large that the
       first sample is outside the acceptable range, ntpd enters the same
       state as when the ntp.drift file is not present. The intent of this
       behavior is to quickly correct the frequency and restore operation to
       the normal tracking mode. In the most extreme cases (time.ien.it comes
       to mind), there may be occasional step/slew corrections and subsequent
       frequency corrections. It helps in these cases to use the burst keyword
       when configuring the server.
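
       The decisions described in this section, as a small Python model (an
       added example, not code from ntpd). The 128 ms, 900 s, 1000 s and 500
       PPM values are the page's, and the 600 s threshold for -x is taken
       from COMMAND LINE OPTIONS below. The names, the sample data and the
       rule that any accepted sample counts as the clock having been set are
       assumptions of the model.

```python
"""Toy model of the step / slew / panic decisions described above (added example)."""
from dataclasses import dataclass
from typing import Optional

STEP_THRESHOLD = 0.128     # s: default step threshold
STEP_THRESHOLD_X = 600.0   # s: step threshold under -x (COMMAND LINE OPTIONS)
STEPOUT = 900.0            # s: interval with no in-range sample before a step
PANIC_THRESHOLD = 1000.0   # s: default panic threshold
MAX_SLEW_RATE = 500e-6     # s/s: 500 PPM


def slew_seconds(offset: float) -> float:
    """Time needed to amortize `offset` seconds at the maximum slew rate."""
    return abs(offset) / MAX_SLEW_RATE


@dataclass
class ClockModel:
    panic_override: bool = False           # -g
    slew_only: bool = False                # -x
    clock_set: bool = False                # assumption: True after any accepted sample
    last_in_range: Optional[float] = None  # time of the last accepted sample

    def feed(self, now: float, offset: float) -> str:
        """Classify one (time, offset) sample: slew, discard, step or panic."""
        size = abs(offset)
        if size > PANIC_THRESHOLD:
            if self.panic_override and not self.clock_set:
                return self._accept(now, "step")   # the one step -g permits
            return "panic"                          # ntpd logs and exits
        limit = STEP_THRESHOLD_X if self.slew_only else STEP_THRESHOLD
        if size < limit:
            return self._accept(now, "slew")
        if self.last_in_range is None:
            self.last_in_range = now                # start counting from here
        if now - self.last_in_range > STEPOUT:
            return self._accept(now, "step")        # out of range for too long
        return "discard"                            # treated as a spike

    def _accept(self, now: float, action: str) -> str:
        self.clock_set = True
        self.last_in_range = now
        return action


def run(samples, **flags):
    """Feed samples until the list ends or the model panics (daemon exit)."""
    model, actions = ClockModel(**flags), []
    for now, offset in samples:
        actions.append(model.feed(now, offset))
        if actions[-1] == "panic":
            break
    return actions


# Constructed samples: (seconds since start, offset in seconds).
CONGESTED = [(0, 0.010), (64, 0.300), (128, 0.250), (1100, 0.300),
             (1164, 0.005), (1228, 1500.0)]
BAD_RTC = [(0, 3600.0), (64, 0.002), (128, 3600.0)]

if __name__ == "__main__":
    print(run(CONGESTED))
    print(run(CONGESTED, slew_only=True))
    print(run(BAD_RTC), run(BAD_RTC, panic_override=True))
    print(f"600 s at 500 PPM: {slew_seconds(600) / 86400:.1f} days")
```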

FREQUENCY DISCIPLINE

       The ntpd behavior at startup depends on whether the frequency file,
       usually ntp.drift, exists. This file contains the latest estimate of
       clock frequency error. When the ntpd is started and the file does not
       exist, the ntpd enters a special mode designed to quickly adapt to the
       particular system clock oscillator time and frequency error. This takes
       approximately 15 minutes, after which the time and frequency are set to
       nominal values and the ntpd enters normal mode, where the time and
       frequency are continuously tracked relative to the server. After one
       hour the frequency file is created and the current frequency offset
       written to it. When the ntpd is started and the file does exist, the
       ntpd frequency is initialized from the file and enters normal mode
       immediately. After that the current frequency offset is written to the
       file at hourly intervals.

OPERATING MODES

       ntpd can operate in any of several modes, including symmetric
       active/passive, client/server, broadcast/multicast and manycast, as
       described in the Association Management page. It normally operates
       continuously while monitoring for small changes in frequency and
       trimming the clock for the ultimate precision. However, it can operate
       in a one-time mode where the time is set from an external server and
       frequency is set from a previously recorded frequency file. A
       broadcast/multicast or manycast client can discover remote servers,
       compute server-client propagation delay correction factors and
       configure itself automatically. This makes it possible to deploy a
       fleet of workstations without specifying configuration details specific
       to the local environment.

       By default, ntpd runs in continuous mode where each of possibly several
       external servers is polled at intervals determined by an intricate
       state machine. The state machine measures the incidental roundtrip
       delay jitter and oscillator frequency wander and determines the best
       poll interval using a heuristic algorithm. Ordinarily, and in most
       operating environments, the state machine will start with 64s intervals
       and eventually increase in steps to 1024s. A small amount of random
       variation is introduced in order to avoid bunching at the servers. In
       addition, should a server become unreachable for some time, the poll
       interval is increased in steps to 1024s in order to reduce network
       overhead.

       In some cases it may not be practical for ntpd to run continuously. A
       common workaround has been to run the ntpdate program from a cron job
       at designated times. However, this program does not have the crafted
       signal processing, error checking and mitigation algorithms of ntpd.
       The -q option is intended for this purpose. Setting this option will
       cause ntpd to exit just after setting the clock for the first time. The
       procedure for initially setting the clock is the same as in continuous
       mode; most applications will probably want to specify the iburst
       keyword with the server configuration command. With this keyword a
       volley of messages is exchanged to groom the data and the clock is set
       in about 10 s. If nothing is heard after a couple of minutes, the
       daemon times out and exits. After a suitable period of mourning, the
       ntpdate program may be retired.

       When kernel support is available to discipline the clock frequency,
       which is the case for stock Solaris, Tru64, Linux and FreeBSD, a useful
       feature is available to discipline the clock frequency. First, ntpd is
       run in continuous mode with selected servers in order to measure and
       record the intrinsic clock frequency offset in the frequency file. It
       may take some hours for the frequency and offset to settle down. Then
       the ntpd is stopped and run in one-time mode as required. At each
       startup, the frequency is read from the file and initializes the kernel
       frequency.

POLL INTERVAL CONTROL

       This version of NTP includes an intricate state machine to reduce the
       network load while maintaining a quality of synchronization consistent
       with the observed jitter and wander. There are a number of ways to
       tailor the operation in order to enhance accuracy by reducing the
       interval or to reduce network overhead by increasing it. However, the
       user is advised to carefully consider the consequences of changing the
       poll adjustment range from the default minimum of 64 s to the default
       maximum of 1,024 s. The default minimum can be changed with the tinker
       minpoll command to a value not less than 16 s. This value is used for
       all configured associations, unless overridden by the minpoll option on
       the configuration command. Note that most device drivers will not
       operate properly if the poll interval is less than 64 s and that the
       broadcast server and manycast client associations will also use the
       default, unless overridden.

       In some cases involving dial up or toll services, it may be useful to
       increase the minimum interval to a few tens of minutes and maximum
       interval to a day or so. Under normal operation conditions, once the
       clock discipline loop has stabilized the interval will be increased in
       steps from the minimum to the maximum. However, this assumes the
       intrinsic clock frequency error is small enough for the discipline loop
       to correct it. The capture range of the loop is 500 PPM at an interval
       of 64s decreasing by a factor of two for each doubling of interval. At
       a minimum of 1,024 s, for example, the capture range is only 31 PPM. If
       the intrinsic error is greater than this, the drift file ntp.drift will
       have to be specially tailored to reduce the residual error below this
       limit. Once this is done, the drift file is automatically updated once
       per hour and is available to initialize the frequency on subsequent
       daemon restarts.

THE HUFF-N'-PUFF FILTER

       In scenarios where a considerable amount of data are to be downloaded
       or uploaded over telephone modems, timekeeping quality can be seriously
       degraded. This occurs because the differential delays on the two
       directions of transmission can be quite large. In many cases the
       apparent time errors are so large as to exceed the step threshold and a
       step correction can occur during and after the data transfer is in
       progress.

       The huff-n'-puff filter is designed to correct the apparent time offset
       in these cases. It depends on knowledge of the propagation delay when
       no other traffic is present. In common scenarios this occurs during
       other than work hours. The filter maintains a shift register that
       remembers the minimum delay over the most recent interval measured
       usually in hours. Under conditions of severe delay, the filter corrects
       the apparent offset using the sign of the offset and the difference
       between the apparent delay and minimum delay. The name of the filter
       reflects the negative (huff) and positive (puff) correction, which
       depends on the sign of the offset.

       The filter is activated by the tinker command and huffpuff keyword, as
       described in the Miscellaneous Options page.
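
       Why the sign of the offset and the excess delay are enough, as an
       added Python example (not ntpd's code): extra queueing delay q in one
       direction shifts the computed offset by q/2 and the computed delay by
       q, so removing half the excess delay restores the offset. The offset
       and delay formulas are the standard NTP on-wire ones and are not on
       this page; the half-excess correction, the register size, the names
       and the sample delays are assumptions of this model.

```python
"""Model of the huff-n'-puff correction described above (added example)."""
from collections import deque


def exchange(true_offset, out_delay, back_delay, t1=1000.0, hold=0.001):
    """Simulate one client/server exchange and return (offset, delay) as the
    client computes them from the four timestamps (standard NTP formulas).
    true_offset is server clock minus client clock, all values in seconds."""
    t2 = t1 + out_delay + true_offset     # request arrives, server clock
    t3 = t2 + hold                        # reply leaves, server clock
    t4 = t3 - true_offset + back_delay    # reply arrives, client clock
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


class HuffPuff:
    """Shift register of per-interval minimum delays plus the correction."""

    def __init__(self, stages=8):         # assumption: 8 stages
        self.register = deque([float("inf")], maxlen=stages)

    def shift(self):
        """Start a new interval; the oldest stage falls off the far end."""
        self.register.append(float("inf"))

    def correct(self, offset, delay):
        """Record the delay and return the corrected offset."""
        self.register[-1] = min(self.register[-1], delay)
        excess = delay - min(self.register)   # apparent minus minimum delay
        if offset > 0:
            return offset - excess / 2        # negative (huff) correction
        return offset + excess / 2            # positive (puff) correction


def demo():
    """A quiet interval, then an upload and a download saturating the link.
    Returns [(label, raw_offset, corrected_offset), ...]."""
    true_offset, base = 0.002, 0.020          # constructed values, seconds
    filt, rows = HuffPuff(), []
    for label, out, back in [("quiet", base, base),
                             ("upload", base + 0.400, base),
                             ("download", base, base + 0.400)]:
        raw, delay = exchange(true_offset, out, back)
        rows.append((label, raw, filt.correct(raw, delay)))
        if label == "quiet":
            filt.shift()                      # the quiet interval ends
    return rows


if __name__ == "__main__":
    for label, raw, fixed in demo():
        print(f"{label:9s} raw {raw:+.3f} s  corrected {fixed:+.3f} s")
```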

NOTES

       If NetInfo support is built into ntpd, then ntpd will attempt to read
       its configuration from the NetInfo if the default ntp.conf file cannot
       be read and no file is specified by the -c option.

       In contexts where a host name is expected, a -4 qualifier preceding the
       host name forces DNS resolution to the IPv4 namespace, while a -6
       qualifier forces DNS resolution to the IPv6 namespace.

       Various internal ntpd variables can be displayed and configuration
       options altered while the ntpd is running using the ntpq and ntpdc
       utility programs.

       When ntpd starts it looks at the value of umask, and if zero ntpd will
       set the umask to 022.

COMMAND LINE OPTIONS

       -4      Force DNS resolution of host names to the IPv4 namespace.

       -6      Force DNS resolution of host names to the IPv6 namespace.

       -a      Require cryptographic authentication for broadcast client,
               multicast client and symmetric passive associations. This is
               the default.

       -A      Do not require cryptographic authentication for broadcast
               client, multicast client and symmetric passive associations.
               This is almost never a good idea.

       -b      Enable the client to synchronize to broadcast servers.

       -c conffile
               Specify the name and path of the configuration file, default
               /etc/ntp.conf.

       -d      Specify debugging mode. This option may occur more than once,
               with each occurrence indicating greater detail of display.

       -D level
               Specify debugging level directly.

       -f driftfile
               Specify the name and path of the frequency file. This is the
               same operation as the driftfile driftfile configuration
               command.

       -g      Normally, ntpd exits with a message to the system log if the
               offset exceeds the panic threshold, which is 1000 s by default.
               This option allows the time to be set to any value without
               restriction; however, this can happen only once. If the
               threshold is exceeded after that, ntpd will exit with a message
               to the system log. This option can be used with the -q and -x
               options. See the tinker command for other options.

       -i jaildir
               Chroot the server to the directory jaildir. This option also
               implies that the server attempts to drop root privileges at
               startup (otherwise, chroot gives very little additional
               security), and it is only available if the OS supports running
               the server without full root privileges. You may need to also
               specify a -u option.

       -I iface
               Listen on interface. This option may appear an unlimited number
               of times.

       -k keyfile
               Specify the name and path of the symmetric key file, default
               /etc/ntp/keys. This is the same operation as the keys keyfile
               configuration command.

       -l logfile
               Specify the name and path of the log file. The default is the
               system log file. This is the same operation as the logfile
               logfile configuration command.

       -L      Do not listen to virtual IPs. The default is to listen.

       -m      Lock memory.

       -n      Don't fork.

       -N      To the extent permitted by the operating system, run the ntpd
               at the highest priority.

       -p pidfile
               Specify the name and path of the file used to record the ntpd
               process ID. This is the same operation as the pidfile pidfile
               configuration command.

       -P priority
               To the extent permitted by the operating system, run the ntpd
               at the specified priority.

       -q      Exit the ntpd just after the first time the clock is set. This
               behavior mimics that of the ntpdate program, which is to be
               retired. The -g and -x options can be used with this option.
               Note: The kernel time discipline is disabled with this option.

       -r broadcastdelay
               Specify the default propagation delay from the
               broadcast/multicast server to this client. This is necessary
               only if the delay cannot be computed automatically by the
               protocol.

       -s statsdir
               Specify the directory path for files created by the statistics
               facility. This is the same operation as the statsdir statsdir
               configuration command.

       -t key  Add a key number to the trusted key list. This option can occur
               more than once.

       -u user[:group]
               Specify a user, and optionally a group, to switch to. This
               option is only available if the OS supports running the server
               without full root privileges. Currently, this option is
               supported under NetBSD (configure with --enable-clockctl) and
               Linux (configure with --enable-linuxcaps).

       -U interface_update_interval
               Number of seconds to wait between interface list scans to pick
               up new and delete network interfaces. Set to 0 to disable
               dynamic interface list updating. The default is to scan every 5
               minutes.

       -v variable

       -V variable
               Add a system variable listed by default.

       -x      Normally, the time is slewed if the offset is less than the
               step threshold, which is 128 ms by default, and stepped if
               above the threshold. This option sets the threshold to 600 s,
               which is well within the accuracy window to set the clock
               manually. Note: Since the slew rate of typical Unix kernels is
               limited to 0.5 ms/s, each second of adjustment requires an
               amortization interval of 2000 s. Thus, an adjustment as much as
               600 s will take almost 14 days to complete. This option can be
               used with the -g and -q options. See the tinker command for
               other options. Note: The kernel time discipline is disabled
               with this option.
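
       One way to review an ntpd invocation against the options above, as an
       added Python example that is not part of ntpd or this manual: it
       parses the command line with the option letters from the SYNOPSIS and
       reports options whose documented behaviour relaxes authentication,
       privilege separation or the clock sanity checks. The rule set, the
       finding texts and the sample command lines are assumptions chosen for
       this example.

```python
"""Review an ntpd command line against the documented options (added example)."""
import getopt
import shlex

# Option letters from the SYNOPSIS; -D is given an argument because the
# option list documents it as "-D level".
OPTSTRING = "46aAbdD:gLmnNqxc:f:i:I:k:l:p:P:r:s:t:u:U:v:V:"

# (option, predicate over the set of options seen, finding). The selection
# and wording of the rules are this example's, based on the text above.
RULES = [
    ("-A", lambda s: "-A" in s,
     "authentication not required for broadcast client, multicast client "
     "and symmetric passive associations"),
    ("-b", lambda s: "-b" in s and "-A" in s,
     "broadcast client enabled while -A drops the authentication requirement"),
    ("-g", lambda s: "-g" in s,
     "first correction may be of any size; the 1000 s panic check applies "
     "only after the clock has been set once"),
    ("-i", lambda s: "-i" in s and "-u" not in s,
     "chroot requested without -u; the manual notes -u may also be needed"),
    ("-u", lambda s: "-u" not in s and "-i" not in s,
     "no request to switch to an unprivileged user (-u) or to chroot (-i)"),
    ("-x", lambda s: "-x" in s,
     "step threshold raised to 600 s; a large offset is slewed at 0.5 ms/s "
     "and the clock can disagree with other hosts for days"),
]


def audit(command_line):
    """Return [(option, finding), ...] for one ntpd command line."""
    argv = shlex.split(command_line)
    try:
        opts, extra = getopt.getopt(argv[1:], OPTSTRING)
    except getopt.GetoptError as err:
        return [("parse", str(err))]          # option not in the SYNOPSIS
    seen = {flag for flag, _ in opts}
    findings = [(opt, text) for opt, hit, text in RULES if hit(seen)]
    if extra:
        findings.append(("args", "unparsed arguments: " + " ".join(extra)))
    return findings


def flagged(command_line):
    """Just the option names that produced a finding, in rule order."""
    return [opt for opt, _ in audit(command_line)]


# Constructed command lines for illustration.
SAMPLES = [
    "ntpd -u ntp:ntp -p /var/run/ntpd.pid -g",
    "ntpd -A -b -i /var/lib/ntp",
    "ntpd -gx -c /etc/ntp.conf",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        for opt, text in audit(line):
            print(f"  {opt}: {text}")
```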

THE CONFIGURATION FILE

       Ordinarily, ntpd reads the ntp.conf configuration file at startup time
       in order to determine the synchronization sources and operating modes.
       It is also possible to specify a working, although limited,
       configuration entirely on the command line, obviating the need for a
       configuration file. This may be particularly useful when the local host
       is to be configured as a broadcast/multicast client, with all peers
       being determined by listening to broadcasts at run time.

       Usually, the configuration file is installed in the /etc directory, but
       could be installed elsewhere (see the -c conffile command line option).
       The file format is similar to other Unix configuration files - comments
       begin with a # character and extend to the end of the line; blank lines
       are ignored.

       Configuration commands consist of an initial keyword followed by a list
       of arguments, some of which may be optional, separated by whitespace.
       Commands may not be continued over multiple lines. Arguments may be
       host names, host addresses written in numeric, dotted-quad form,
       integers, floating point numbers (when specifying times in seconds) and
       text strings. Optional arguments are delimited by [ ] in the following
       descriptions, while alternatives are separated by |. The notation
       [ ... ] means an optional, indefinite repetition of the last item
       before the [ ... ].

SEE ALSO

       ntp.conf(5), ntpq(8), ntpdc(8)

       Primary source of documentation: /usr/share/doc/ntp-*

       This file was automatically generated from HTML source.

                                                                       ntpd(8)