Why is ntpd not updating the time on my server?

Solution 1:

You can enable logging in ntpd by adding this to ntp.conf:

logfile /var/log/ntpd.log

Source: ntp manual

If you turn off ntpd, can you update the clock by command line? If you run the ntpdate command and receive an error like so:

# ntpdate ntp.ubuntu.com
10 Jan 23:47:57 ntpdate[26284]: Can't adjust the time of day: Operation not permitted

This means that you are probably on a VPS, and in that case you can not modify the system clock - this can only be done on the host machine.

Solution 2:

Alright folks, in the time since asking this question, I've reinstalled ntp with the default vendor (Ubuntu 10.0.4) config and let it run for a few days. As of this writing, ntpdate -q ntp.ubuntu.com shows that my time is accurate to within 0.000216 seconds. So, the problems I was having must have been with my customized config (where I was trying to make it impossible for external hosts to query my server, which I'm already doing with my firewall so I'm not too worried about). Here is the Ubuntu 10.0.4 ntp.conf in its entirety, with comments removed:

driftfile /var/lib/ntp/ntp.drift

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server ntp.ubuntu.com

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

restrict 127.0.0.1
restrict ::1

I welcome feedback on how this config might be improved.

I also made a ticket with my VPS provider asking them for a detailed recommendation on the best thing to do. I pointed them to this thread, and some other documentation indicating that maybe the CPU allocation would cause a timing problem. Here is what they said:

The latest kernels should not lock your system to our dom0's clock, to be on the safe side you can set xen.independent_wallclock = 1 in your sysctl.conf. This will make sure the server instance isn't following the clock on the host server.

and:

I think you may be mis-understanding the exact degree to which this issue affects NTP clients in a virtualized environment. In my experience on a virtualized system on a Xen host (such as our setup at Rackspace Cloud) the inaccuracy inherited by not having a dedicated system clock to process the interrupts amounts to fractions of a second, even on highly loaded systems. This slight inaccuracy is easily managed by NTP even if it is only set to update the servers time once per day (or even less frequent than that).

---

Solution 3:

One of your comments says you are running on a vhost. In this case, you are probably not going to have much success because your vhost's sense of time is going to be dependent both on the real host it is running on and by how busy overall the vhost is.

Depending on the virtualization used, the vhost may not get a steady share of interrupts in a given time period. This will make the clock run faster, or slower, than is really happening. Since ntp is trying to measure changes on the assumption that your clock is a fixed-rate faster or slower than the rest of the world, this speeding up and slowing down will give ntp fits and it will probably eventually just give up, with the result that ntp -np shows time servers that ntp has deemed unsuitable.

Your best bet if this is the case is probably a brute-force rdate -s $server every so often (like every six hours) to yank the clock around by its nose so that it doesn't drift excessively out of sync. But fine-grained accuracy is probably out of reach.

---

Solution 4:

Things I've found in the past, when I used ntpd instead of openntpd:

1. You need to permit access to localhost for ntpd to start properly and actually do stuff

   restrict 127.0.0.1
   restrict ::1
   

2. Although you can use hostnames for server rules, opening back up holes to talk with those servers means using restrict which requires IP addresses, so I ended up having to use IPs for everything anyway.

3. You don't mention using restrict to open access back up to your servers. That's an issue. Try blocks such as the following:

   # ntp.xs4all.nl
   server          194.109.22.18
   restrict        194.109.22.18
   

4. You need multiple peers or servers for ntpd, since it tries to use majority-rules voting to deal with a bad actor. So a minimum of 4, to still be able to have a majority when you lose one, preferably 5.

5. To lock down the default access, I could use:

   restrict default notrust nomodify
   

   so as to still be able to query, but I ended up using restrict default ignore as you do when ntpd 4.2 changed the meaning of notrust. sigh

6. If you're not providing time-service to others, then you probably don't need the full power of regular ntpd and you should consider openntpd instead. Written by the OpenBSD crew, it's a far more minimal implementation, using privilege separation and a much simpler config file. It allegedly won't provide the highly precise time that ntpd will, but it's easily good enough for a regular server or workstation.

---

Solution 5:

• If ntpd wouldn't be able to connect with the remote server, you wouldn't see an offset for that server.
• If ntpq would be blocked by ntpd, you would see a clear error message from ntpq.
• If some other service would set also the time (like vmware tools), you would see a jumping offset for the server (run ntpq -p every 70 seconds).

The reach 7 in ntpq output indicated, that you let ntpd only run for around 4 minutes. 7 is 111 binary, which means the server was reached already 3 times. ntp reaches out every 64 seconds (poll value) and waited already 30 seconds (when value) since the last contact.

The offset -0.136 indicated, that the system is already synchronized. Only ntpd hasn't marked the server as source, yet. Just give it more time and a little star will appear.

So, actually your ntpd was syncing. But ntpd doesn't usually sync in one big jump (like ntpdate), but tries to adjust the time slowly and ensures over several cycles, that the time is stable.

PS: I am aware, that the question is very old. But the issue is timeless. And all the other answers are just misleading IMHO. ntpd is even recommended by VMWare to keep the time in sync.