Installing and Configuring NTP on an ESX host

Article ID: 341445

Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps to install and configure NTP on an ESX 2.x and 3.0.x host.

Note: For ESX 3.5 and above, NTP can be configured from vSphere Client and no longer requires manual configuration. For more information, see the documentation for your version of ESX.

Warning: The example server names are subject to change without notice. Ensure that all NTP servers are accessible at time of implementation, and are checked on a frequent basis. Use resolvable host names and avoid hard-coded addresses. During initial design, make certain that you plan for sufficient redundancy in your NTP pool as well.

Environment

VMware ESX Server 2.1.x
VMware ESX Server 3.0.x
VMware ESX Server 3.5.x
VMware ESX Server 2.5.x

Resolution

Beginning with ESX Server 2.0.1, NTP is installed by default during the installation of ESX.

Note: For ESX Server 2.0.0, see the instructions later in this article to install and configure NTP.

Configuring NTP on ESX 2.0.1 and Later

To configure NTP on the service console, you must:

  1. Edit these configuration files: /etc/ntp.conf and /etc/ntp/step-tickers.
  2. For ESX Server 3.0 only, run the command:

    [root@esxhost]# esxcfg-firewall --enableService ntpClient

    Note: This command opens the appropriate ports and enables the NTP daemon to talk with the external server.

  3. Restart ntpd.

Editing /etc/ntp.conf

Specify a pool of NTP servers to which your ESX system will sync. For more information about using NTP server pools, see http://www.pool.ntp.org/use.html.

  1. Log in to the service console as the root user.
  2. Make a backup copy of the /etc/ntp.conf by running the command:

    cp /etc/ntp.conf /etc/ntp.conf.bk

  3. Edit the contents of the default /etc/ntp.conf file (which the ESX installation creates for you), so the file looks like this:

    restrict 127.0.0.1
    restrict default kod nomodify notrap
    server 0.vmware.pool.ntp.org
    server 1.vmware.pool.ntp.org
    server 2.vmware.pool.ntp.org
    driftfile /var/lib/ntp/drift


    Notes:
    • ESX 3.0.2 and older versions use /etc/ntp/drift as the location for the driftfile.

    • restrict – The first restrict is required because ntpd needs to resolve hostname addresses via the loopback network. If this entry does not exist, the system log (/var/log/messages) will show something like this:

      ntpd_initres: ntpd returns a permission denied error

      For systems directly connected to the Internet, the second restrict line provides a basic level of protection from general UDP spoofing of NTP.

    • kod – Sends a KoD packet when an access violation occurs.

    • nomodify – Denies ntpq and ntpdc queries that attempt to modify the run-time configuration of the server. Queries that return information are permitted.

    • notrap – Declines to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpq control message protocol, which is intended for use by remote event logging programs.

For better protection, you may want to add noquery, which prevents remote queries, and nopeer, which prevents a host from trying to peer with your server and so keeps a rogue server from controlling the clock.

For a full description of these access control commands, see http://www.eecis.udel.edu/~mills/ntp/html/accopt.html.
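
The restrict flags described above can be checked mechanically. The shell sketch below is an added example, not part of the original article: it reports which of the flags named here are missing from the "restrict default" line and whether the loopback entry is still unrestricted. The function names and the temporary sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit the "restrict default" line of an ntp.conf.
# Flags named in the article: kod nomodify notrap (baseline), noquery nopeer (stricter).
WANTED_FLAGS="kod nomodify notrap noquery nopeer"

# Print the wanted flags that are missing from "restrict default" in file $1.
# Prints NO-DEFAULT-RESTRICT when the file has no such line at all.
missing_restrict_flags() {
    awk -v wanted="$WANTED_FLAGS" '
        { sub(/#.*/, "") }                       # strip trailing comments
        $1 == "restrict" && $2 == "default" {
            found = 1
            for (i = 3; i <= NF; i++) have[$i] = 1
        }
        END {
            if (!found) { print "NO-DEFAULT-RESTRICT"; exit }
            n = split(wanted, w, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) out = out (out == "" ? "" : " ") w[i]
            print out
        }
    ' "$1"
}

# Succeed only if file $1 keeps the flag-free loopback entry the article requires.
has_loopback_restrict() {
    awk '{ sub(/#.*/, "") }
         $1 == "restrict" && $2 == "127.0.0.1" && NF == 2 { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed sample: the configuration shown in the article, in a temp file.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
restrict 127.0.0.1
restrict default kod nomodify notrap
server 0.vmware.pool.ntp.org
server 1.vmware.pool.ntp.org
server 2.vmware.pool.ntp.org
driftfile /var/lib/ntp/drift
EOF
echo "missing from restrict default: $(missing_restrict_flags "$sample")"
has_loopback_restrict "$sample" && echo "loopback restrict present"
```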

The 0, 1, and 2.vmware.pool.ntp.org names point to a random set of servers that change every hour.

The driftfile line indicates the name of the file where the value for the system's clock drift (frequency error) is stored. For a more complete definition of driftfile, see http://www.eecis.udel.edu/~mills/ntp/html/notes.html.

Editing /etc/ntp/step-tickers

Perform these steps as the root user on the service console:

  1. Make a backup copy of your /etc/ntp/step-tickers file with the command:

    cp /etc/ntp/step-tickers /etc/ntp/step-tickers.bk

  2. Edit /etc/ntp/step-tickers so that the file looks like this example:

    0.vmware.pool.ntp.org
    1.vmware.pool.ntp.org
    2.vmware.pool.ntp.org


ESX 3.0 Only: Enabling NTP Client for Firewall

As noted earlier in this article, remember to run this command to open the appropriate ports and enable the NTP daemon to talk with the external server:

    [root@esxhost]# esxcfg-firewall --enableService ntpClient

Restarting and monitoring the NTP service

Perform these steps as root on the service console:

  1. After you have edited the /etc/ntp.conf and /etc/ntp/step-tickers files, restart the NTP service.

    • To restart the service immediately, run the command:

      service ntpd restart

    • To enable the NTP daemon to autostart when the server is rebooted, run the command:

      chkconfig --level 345 ntpd on

  2. Set the local hardware clock to the NTP synchronized local system time. Run the command:

    hwclock --systohc

    As ntpd successfully polls NTP servers, the kernel automatically sets the hardware clock to the system clock time periodically.

  3. Monitor the NTP service as desired:

    • To see the offset (in seconds) between the local clock and the source clock, run the command:

      ntpdate -q time_server_name_or_ip_address

      If the correction resulting from synchronizing the local clock with the time server is large enough, it could affect the operating systems or applications running in virtual machines when they synchronize their clocks with the ESX Server system on which they are running.

    • To watch the status of the ntpd process, run the command:

      watch "ntpq -p"

      Press Ctrl+C to stop watching the process.

      Note the information in these columns:

      • The character in the first column indicates the quality of the source.
      • The asterisk ( * ) indicates the source is the current reference.
      • remote lists the IP address or host name of the source.
      • when indicates how many seconds have passed since the source was polled.
      • poll indicates the polling interval. This value increases depending on the accuracy of the local clock.
      • reach is an octal number that indicates reachability of the source. A value of 377 indicates the source has answered the last eight consecutive polls.
      • offset is the time difference between the source and the local clock in milliseconds.

      Note: If ntpq -p returns ntpq: read: Connection refused, check /var/log/messages for a more detailed error message.

For additional documentation on NTP, see the NTP documentation.
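
The ntpq -p columns described above can be turned into a health check. The shell sketch below is an added example, not part of the original article: it decodes the octal reach value into the number of answered polls out of the last eight, marks the current reference, and flags large offsets. The function names, the 100 ms default threshold and the sample output are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: summarise `ntpq -p` output read from stdin, one line per source:
#   remote  current|-  answered/8  offset_ms  status
# $1 = offset alarm threshold in ms (assumed default of 100, tune per site).
# On a host: ntpq -p | ntpq_summary
ntpq_summary() {
    awk -v limit="${1:-100}" '
        $1 == "remote" || /^=+$/ { next }        # header and separator rows
        {
            tally = substr($0, 1, 1)             # first column: source quality
            if (split(substr($0, 2), f, " ") < 10) next
            reach = f[7]; v = 0                  # reach is printed in octal
            for (i = 1; i <= length(reach); i++) v = v * 8 + substr(reach, i, 1)
            answered = 0                         # one bit per poll, last eight polls
            while (v > 0) { answered += v % 2; v = int(v / 2) }
            off = f[9] + 0                       # offset in milliseconds
            mag = off < 0 ? -off : off
            status = ""
            if (answered == 0)     status = "unreachable"
            else if (answered < 8) status = "missed-polls"
            if (mag > limit + 0)   status = (status == "" ? "" : status ",") "offset-high"
            if (status == "")      status = "ok"
            printf "%s %s %d/8 %s %s\n", f[1], (tally == "*" ? "current" : "-"), answered, f[9], status
        }'
}

# Succeed only if ntpd has selected a current reference (the asterisk row).
ntpq_has_sync() {
    awk 'substr($0, 1, 1) == "*" { found = 1 } END { exit !found }'
}

# Constructed sample output (documentation-range addresses, not real servers).
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377   12.345    0.512   0.210
+192.0.2.11      192.0.2.1        2 u   41   64  357   20.100   -1.204   0.450
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
-192.0.2.13      192.0.2.1        3 u   12   64  377   30.000  250.731   5.000'

printf '%s\n' "$SAMPLE" | ntpq_summary
printf '%s\n' "$SAMPLE" | ntpq_has_sync && echo "synchronised to a current reference"
```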

ESX Server 2.0.0

To install and configure NTP on the console operating system (service console):

  1. Log in to the console as the root user.
  2. Mount the ESX Server CD on the console:

    mount /mnt/cdrom

  3. Change directory to the /mnt/cdrom/RedHat/RPMS directory.
  4. Install the NTP package by running the command:

    rpm -Uhv ntp-*.i386.rpm

  5. Change directory to the /etc directory.
  6. Locate the ntp.conf file (after the rpm installation) in the /etc directory (you changed into this directory in step 5). Edit this file running the command:

    vi ntp.conf

  7. Find the line that reads:

    server 127.127.1.0 # local clock

    Change it to:

    server 192.6.38.127 # This is an example only

  8. Save the file.
  9. Create a file named step-tickers in the /etc/ntp directory. In this file, list the host name of your reference time server.
  10. To enable the ntp daemon to autostart when the server is rebooted, run the command:

    chkconfig ntpd on

  11. To start the ntp daemon immediately without rebooting, run the command:

    /etc/rc.d/init.d/ntpd start

    The time drift corrects after a while.

  12. Wait a few seconds (up to a minute), then run the command:

    ntpq -p

    This lists the current status.

  13. Unmount the ESX Server CD by running the command:

    umount /mnt/cdrom

These examples use a source server IP address obtained from a list of open access NTP servers. You may select one that suits you from http://support.ntp.org/bin/view/Servers/WebHome.
