NTP Server Configuration on Linux — CentOS and Ubuntu

Introduction

In this article we will learn what the Network Time Protocol (NTP) is and how to install it on the two Linux distributions most commonly used on Liquid Web’s servers. We will be focusing on using CentOS 7 and Ubuntu 18.04 servers, but the process is largely the same on other recent versions of each. Before we start, make sure we are familiar with using SSH (Secure Shell) as we’ll need it to connect to the server. Here’s a link to one of our articles on the basics of SSH if you are unfamiliar with its usage.

We’ll be connecting to the server as the root user to simplify things. If you are not comfortable in the terminal, you may want to employ a user account that has sudo privileges. The commands we’ll go through will be the same, but you will need to prepend the commands with the sudo command. If you intend to modify the NTP server configuration files on Linux, you may also need some familiarity with a command line based text editor, such as nano or vim. Here is an article which can explain this more in detail.

We’ll go through the CentOS installation in a bit more detail and explain some concepts along the way, then just show a similar installation on Ubuntu.

What is NTP?

Its name is fairly self-explanatory — the Network Time Protocol is a protocol used to synchronize internal clock times on computers in a network. This applies to synchronizing clock times with a server on the Internet, as well as synchronizing machines on a local network. It’s typically used in a client-server configuration, but also supports peer-to-peer time synchronization. NTP is used to sync to Coordinated Universal Time (UTC), while timezone management is handled by the operating system. Keeping correct time is particularly important for logging, networking, and even more so on clustered and distributed computer systems. 

Now, we can’t really install a protocol but what we will actually be installing is the NTP daemon, or ntpd. Daemons are operating system programs that run in the background without needing any intervention. While computers are very intelligent, they are still just machines which are subject to small fluctuations in the electronic components. This can cause a time drift . A time drift is a small inconsistency in timekeeping. The NTP daemon will handle clock time syncing automatically by querying an NTP server at regular time intervals to correct those discrepancies. 

Installing and Configuring NTP server on Linux for CentOS 7

CentOS comes with an alternative implementation of the Network Time Protocol right out of the box, called chrony. It expands upon ntpd’s functionality somewhat, but ntpd may still be preferred in some instances.

Disabling Chrony

In order to set up ntpd, (network protocol time daemon) we’ll first need to disable the chrony daemon. This is needed as both daemons use the same protocol and port, so they cannot work together. We’ll do so with the following commands: systemctl stop chronyd and systemctl disable chrony commands:

[root@CentOS ~]# systemctl stop chronyd
[root@CentOS ~]# systemctl disable chronyd
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.

Keep in mind that if we are not logged in as the root user, we will need to run these commands as a user with sudo privileges. As an example, we’ll check the chronyd service status while logged in as an alternative user with sudo privileges.

[user@host ~]$ sudo systemctl status chronyd
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
 	Docs: man:chronyd(8)
       	man:chrony.conf(5)
[...]

Installing ntpd

Installations on CentOS and other RedHat based distributions are typically best handled best using the yum tool. We’ll be using the yum install -y command. The -y flag is used to auto-confirm on any prompts.

[root@CentOS ~]# yum install -y ntp

Yum automatically handles dependencies for us, so any missing packages that ntpd needs to run will be installed as well. We should see something similar to this at the end of the command output.

Installed:
  ntp.x86_64 0:4.2.6p5-29.el7.centos

Dependency Installed:
  autogen-libopts.x86_64 0:5.18-5.el7           	

  ntpdate.x86_64 0:4.2.6p5-29.el7.centos

Complete!

Don’t worry if it doesn’t install any dependencies as this simply means we already had all the prerequisites installed. 

Configuring ntpd and Checking the Firewall

We can leave the ntpd server configuration on Linux as is, or we can change which timeservers our ntpd service will query. Generally we will want to use a timeserver that is close to either our location or the servers' location. The ntp pool project is a good place to begin learning more about this topic.

To make the change, we will need to open the /etc/ntpd.conf file with our preferred CLI text editor (Nano or Vim) and edit the following lines.

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

For the purposes of this article, we’ll be using the default timeservers noted above.

For ntpd to be able to sync time effectively, it needs to be able to communicate with an external network resource in order to synchronize with authoritative NTP servers. What this means is that we must ensure that port 123 is open for outbound UDP traffic. The port only needs to be open for inbound traffic if our server is going to be configured as a timeserver.

The majority of our CentOS cPanel and Plesk servers come with csf firewall. There are other firewalls in use so these steps may differ depending on which firewall is installed on our system. To check if port 123 is open we can run the following command.

[root@CentOS ~]# grep UDP_ /etc/csf/csf.conf
UDP_IN = “20,21,53”
UDP_OUT = “20,21,53,113,123,873,6277”

Or, if firewalld is running, we can use this command.

[root@host ~]# firewall-cmd --list-ports | grep -i udp
20/udp
21/udp
123/udp
[root@host ~]#

The output may not be the same for everyone, but as long as that port 123 is listed in the UDP_OUT section we should be fine. If the port is missing, we will need to add the port in the csf.conf file using a text editor or via WHM and then reload the firewall rules with the csf -r command. Also, if using firewalld and the port is not open, we can also run this command to open the port.

[root@host ~]# firewall-cmd --zone=public --add-port=123/udp --permanent

We’re almost ready! The last thing we need to do is select a timezone. As we previously learned, ntpd doesn’t actually keep track of our local time, it only syncs to UTC. The operating system's clock needs to be configured to use the desired timezone. We can check the current time, date and timezone using the timedatectl command.

[root@host ~]# timedatectl
      Local time: Thu 2020-03-12 15:43:55 EDT
  Universal time: Thu 2020-03-12 19:43:55 UTC
        RTC time: Thu 2020-03-12 19:43:56
       Time zone: America/New_York (EDT, -0400)
     NTP enabled: no
NTP synchronized: no
 RTC in local TZ: no
      DST active: yes
 Last DST change: DST began at
                  Sun 2020-03-08 01:59:59 EST
                  Sun 2020-03-08 03:00:00 EDT
 Next DST change: DST ends (the clock jumps one hour backwards) at
                  Sun 2020-11-01 01:59:59 EDT
                  Sun 2020-11-01 01:00:00 EST
[root@host ~]#

Let’s look for our timezone. The list of available ones is huge, so it’s best to use the following command to search for a major city in our timezone. Just copy the command and replace the city name and it should give us the name of the timezone.

[root@host ~]# timedatectl list-timezones | grep Detroit
America/Detroit
[root@host ~]#

To set the listed timezone, we need to issue this command.

[root@host ~]# timedatectl set-timezone America/Detroit
[root@host ~]#

Of course, we should use the timezone name we received from the output in the previous command for our server.

Activating ntpd

Now that we’ve done all the prep work, lets go ahead and activate the ntpd service. The systemctl start ntpd command will start the ntp daemon for this session. The systemctl enable ntpd command tells the operating system to start it every time the computer boots up. 

[root@host ~]# systemctl start ntpd
[root@host ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.

We can confirm the service is running using the systemctl status ntpd command.

[root@host ~]# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-03-12 19:03:45 EDT; 2min 49s ago
 Main PID: 23029 (ntpd)
   CGroup: /system.slice/ntpd.service
       	└─23029 /usr/sbin/ntpd -u ntp:ntp -g

[...]

And that’s it, we’re up and running! It will take some time for it to fully sync due to how NTP functions, but no further action is needed.

Installing and Configuring NTP server on Linux for Ubuntu

Installing and configuring NTP on Ubuntu is very similar to installing it on CentOS. If you have come to this article just for this section and find something that is unclear, check the previous section above as it may be explained in further detail there.

Ubuntu also has an alternative implementation of NTP in the form of the systemd-timesyncd module. This isn’t exclusive to Ubuntu, but it is typically enabled on Ubuntu by default.

Disabling timesyncd

First we will check if timesyncd is active using the timedatectl command.

[root@host ~]# timedatectl
                  	Local time: Mon 2020-03-09 23:44:50 UTC
              	Universal time: Mon 2020-03-09 23:44:50 UTC
                    	RTC time: Mon 2020-03-09 23:44:50
                   	Time zone: UTC (UTC, +0000)
   	System clock synchronized: yes
systemd-timesyncd.service active: yes
             	RTC in local TZ: no
root@ubuntu1804:~#

If we see the system clock is synchronized and the systemd-timesyncd.service active lines return a “yes”, that means the system is currently syncing to a timeserver using timesyncd. Just as ntpd cannot run alongside chrony on CentOS, it is also unable to run alongside timesyncd on Ubuntu. We’ll disable timesyncd with the following command.

[root@host ~]# timedatectl set-ntp no

If we run timedatectl again, we’ll see a difference at the bottom of the output.

       System clock synchronized: yes
systemd-timesyncd.service active: no
             	 RTC in local TZ: no

Systemd-timesyncd.service active is now returning “no”, meaning timesyncd has been disabled.

Firewall Settings

On Ubuntu, we usually don’t need to check the firewall settings since its firewall defaults to allowing outbound connections. This is especially true if timesyncd was already working correctly. However, in case it was not enabled, we can easily allow ntpd to communicate with the authoritative time servers. Running this command will set it up to behavior as in the previous installation.

[root@host ~]# ufw allow out 123/udp

If our server will be used as a timeserver, we will need to allow both inbound and outbound connections to port 123, which is very similar to the command above.

[root@host ~]# ufw allow 123/udp

Installing ntpd

Ubuntu and other Debian based Linux distributions primarily use the apt (or apt-get) tool to install and manage packages. So, the first thing we need to do is update our package lists using the apt update command. This ensures we’re getting the most recent versions of the software we are looking to install.

[root@host ~]# apt update
[...]
Reading package lists... Done
Building dependency tree
Reading state information... Done
88 packages can be upgraded. Run 'apt list --upgradable' to see them.

Now we can install the ntp package. We’ll use the -y flag again to auto-confirm any interactive prompts. We will see that apt automatically manages installing dependencies just like yum.

[root@host ~]# apt install -y ntp
Reading package lists... Done
Building dependency tree
Reading state information... Done
[...]
The following additional packages will be installed:
  libopts25 sntp
Suggested packages:
  ntp-doc
The following NEW packages will be installed:
  libopts25 ntp sntp
[...]

Activating ntpd

A minor difference is that apt will start and enable the ntpd service immediately after the installation.

[root@host ~]# systemctl status ntp
● ntp.service - Network Time Service
   Loaded: loaded (/lib/systemd/system/ntp.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-03-10 00:29:09 UTC; 3min 56s ago
 	Docs: man:ntpd(8)
 Main PID: 15183 (ntpd)
	Tasks: 2 (limit: 2317)
   CGroup: /system.slice/ntp.service
       	└─15183 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118

[...]

After ntp has been set up and activated we can check ntpd’s connections to other time servers using the ntpq -p command.

[root@host ~]# ntpq -p
 	remote       refid  	st t when poll reach   delay  offset jitter
========================================================================
 0.ubuntu.pool.n .POOL.      	16 p	-   64	0	0.000	0.000   0.000
 1.ubuntu.pool.n .POOL.      	16 p	-   64	0	0.000	0.000   0.000
 2.ubuntu.pool.n .POOL.      	16 p	-   64	0	0.000	0.000   0.000
 3.ubuntu.pool.n .POOL.      	16 p	-   64	0	0.000	0.000   0.000
 ntp.ubuntu.com  .POOL.      	16 p	-   64	0	0.000	0.000   0.000

[...]

We can make changes to the ntp servers and change our server’s timezone the same way as described in the CentOS segment above, the difference being that the ntp server configuration file for Linux is located at /etc/ntp.conf on Ubuntu.

On both distributions, make sure to reload the ntpd service because any changes to the config file while the service is running will need to be saved or the settings will not take effect. We can also reload the service using the systemctl reload ntp command.

Manual Sync

In case we ever need to manually initialize a ntp sync, we can do so in three simple steps. This works on both distributions. 

Step 1. Stop the ntpd service.

[root@host ~]# systemctl stop ntpd

Step 2. Run the ntpd -gq command to force a manual time sync.

[root@host ~]# ntpd -gq
ntpd: time slew +0.001347s

Step 3. Restart the ntpd service.

[root@host ~]# systemctl start ntpd

If you are experiencing any problems or have any questions about this topic, give us a call today at 800.580.4985, or open a chat or ticket with us to speak with one of our knowledgeable Systems Administrators!