When multiple servers are being used for the same purpose, it's important to keep their time clocks in sync. Whether it be a database, timestamped entries for an online business, or backup servers used for load balancing, consistent times are important for smooth operation. This section provides instructions on how to create and configure your own Network Time Protocol (NTP) server for basic operation. But first, you'll need to configure a client.
I'll show you how to configure a client using the GUI. This is one of the few services where client configuration is actually more awkward from the command line. Open the Date/Time Properties tool; one way is to run system-config-date from a command line console in the GUI.
I assume the information defined in the Date & Time and Time Zone tabs is already correct. (The information in the tabs should at least be close; the NTP client may have trouble if your clock is off by more than 1000 seconds.) Select the Network Time Protocol tab, as shown in Figure 13-7.
Figure 13-7: Configuring the Network Time Protocol
Make sure the Enable Network Time Protocol option is active. Your administrator (or possibly exam proctor) may tell you to use a different NTP server, which can be changed in the NTP Servers text box. If you want to find a public NTP server other than the defaults shown, refer to http://ntp.isc.org/bin/view/Servers/WebHome. Generally, you should only connect to a "Stratum Two" time server. Even then, you'll generally need to ask permission of the NTP server administrator before connecting your time server. Too many connections to an NTP server can degrade performance, leading to delays. And delays are never good for a time server.
On the Job
One option to Stratum Two servers is available from the Public NTP Time Server project, available at www.pool.ntp.org. Red Hat's default time servers for RHEL 5 are part of this project.
Once you configure a local NTP time server, you can set other NTP clients to synchronize with that server.
Under the Advanced options, unless there are problems with the initial network connection, you should select Synchronize System Clock Before Starting Service. On the other hand, this option can slow the boot process, which can be a problem during an exam.
If you select Use Local Time Source, it adds the following directive to /etc/ntp.conf:
This is an arbitrary address. Yes, it's in the "loopback" IP address network, but don't confuse it with the standard loopback address of 127.0.0.1.
As defined in the Red Hat Exam Prep guide, you need to make sure the package for a service is installed. Fortunately, NTP is installed by default. If necessary, you can install or update the ntp RPM package, using the techniques described for other services in other chapters.
If there are problems with SELinux, all that is possible as of this writing is to disable SELinux protection for the NTP service. The simplest way to do so is from the command line with the setsebool command, specifically:
# setsebool -P ntpd_disable_trans 1
This command is also available in the SELinux Management Tool, under Booleans, in the SELinux Service Protection category, as "Disable SELinux Protection for ntpd daemon."
To make NTP work with a firewall, you'll need to open access on port 123, for both TCP and UDP packets. See Chapter 15 for basic instructions on this process.
Of course, if you're running NTP (or have to configure it on your exam, or in real life), you need to make sure NTP starts when Linux boots. If you've activated it with the Date/Time Properties tool, it should already be active. To make sure, the following command checks all runlevels to see when NTP is active:
# chkconfig --list ntpd
If the active runlevels aren't satisfactory, the following command activates the NTP service in runlevels 2, 3, 4, and 5:
# chkconfig ntpd on
To configure a local NTP server, you'll need to modify the configuration file, /etc/ntp.conf. I'll examine just a few details of this file; remember, all that's needed is to configure the service for basic operation. If you've run the Date/Time Configuration tool, what you see here may be different. Specifically, the Date/Time Configuration tool removes information associated with IPv6.
The first active lines configure default restrictions for IPv4 and IPv6:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
The kod option prevents so-called "Kiss of Death" packets from bringing down the server. The nomodify option prevents other NTP servers from modifying this one; the notrap option denies the message trap service. These options should not be changed.
But to configure a local NTP server that lets others synchronize and request information, leave out the nopeer and noquery options. If you believe that nobody on your LAN will attack your system with the "Kiss of Death," leave out the kod option. So to enable access to the 10.11.12.0 network with the noted subnet mask, you could add the following IPv4 directive:
restrict 10.11.12.0 mask 255.255.255.0 nomodify notrap
You can add more restrict directives, as needed for other networks that you administer. The IPv6 version of this directive would be similar on the noted subnet:
restrict -6 0011:838:0:1:: mask ffff:ffff:ffff:ffff:: kod nomodify notrap
The following default restrict directives limit administrative access to the local system for the IPv4 and IPv6 loopback addresses:
restrict 127.0.0.1
restrict -6 ::1
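To check which clients a set of restrict directives actually leaves open, the following sketch (an added example, not from the original text or from the ntp project) parses restrict lines and reports what a given client address may still do. It assumes ntpd's rule that the most specific matching entry decides the flags; the sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample assembled from the restrict directives in this section.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 10.11.12.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
restrict -6 ::1
"""

# Restriction flag -> the capability it denies (flag names from the text).
DENIES = {"nomodify": "modify", "notrap": "trap",
          "nopeer": "peer", "noquery": "query"}

def parse_restrict(conf):
    """Return [(network, flags)] for every restrict directive in conf."""
    entries = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        v6 = tok[0] == "-6"
        if tok[0] in ("-4", "-6"):
            tok = tok[1:]
        if not tok:
            continue
        addr, tok = tok[0], tok[1:]
        if addr == "default":
            net = ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
        else:
            ip = ipaddress.ip_address(addr)
            prefix = ip.max_prefixlen            # no mask: a single host
            if tok[:1] == ["mask"]:              # mask -> prefix length
                prefix = bin(int(ipaddress.ip_address(tok[1]))).count("1")
                tok = tok[2:]
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        entries.append((net, frozenset(tok)))
    return entries

def allowed(conf, client):
    """Capabilities left open to client by the most specific matching entry."""
    ip = ipaddress.ip_address(client)
    hits = [(n, f) for n, f in parse_restrict(conf)
            if n.version == ip.version and ip in n]
    if not hits:
        return sorted(DENIES.values())           # no entry: nothing restricted
    flags = max(hits, key=lambda h: h[0].prefixlen)[1]
    return sorted(c for f, c in DENIES.items() if f not in flags)
```

Run against a copy of /etc/ntp.conf, an unexpected non-empty result for an address outside your own networks points to a restrict line that is broader than intended.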
If you want to add a remote administrative interface, specify its IP address with another directive:
The server directives that follow specify the remote NTP servers. The defaults shown here are based on what RHEL uses on the Public NTP Server project:
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
That's all you absolutely have to change to configure a local NTP server for basic operation. Of course, after saving these changes, you should activate the NTP server with a command like:
# service ntpd start