LinuxPPS NTPsec support

NTPsec

NTPsec is a secure, hardened, and improved implementation of the Network Time Protocol derived from NTP Classic, Dave Mills’s original.
This page is a work in progress and describes ways of getting the NTPsec project's ntpd to work.

Getting the code

See https://www.ntpsec.org/downloads.html for downloads and git repositories.

Compiling the code

See https://docs.ntpsec.org/latest/build.html for information.
What it comes down to after getting the code:

./waf configure \
    --prefix=/usr \
    --enable-early-droproot \
    --refclock=nmea,generic \
    --libdir=/usr/lib64 \
    --docdir=/usr/doc/ntpsec \
    --enable-doc
./waf build

This will compile NTPsec with support for NMEA+PPS and a few generic clocks like the Expert MouseCLock. After compiling you can now install the results with:

./waf install

Depending on your distribution and/or OS you can find startup scripts for e.g. systemd in the source tree.

Configuration of NTPsec's ntpd

The source tree has some default config files under ./etc/ntp.d.
To use a GPS receiver such as Garmin's GPS18, an /etc/ntp.conf like the following can be used:

driftfile /var/lib/ntp/drift

restrict default nomodify nopeer noquery
restrict -6 default nomodify nopeer noquery
disable monitor

restrict 127.0.0.1 
restrict -6 ::1

restrict 192.168.10.0 mask 255.255.255.0 nomodify

# this is the Expert MouseCLock 
refclock generic subtype 14 minpoll 4 flag3 0 flag2 0 flag1 0 time1 0.16958333

# this is the NMEA refclock for the Garmin GPS18
refclock nmea unit 0 mode 7 flag3 0 flag2 0 flag1 1 time1 0.00000006 time2 0.260 baud 4800

# some servers
server 1.2.3.4 minpoll 4 iburst
server ntp.nmi.nl

Configuration of udev for NTPsec's ntpd and serial GPS

In /etc/udev/rules.d/09-pps.rules we have:

KERNEL=="ttyS0", SYMLINK+="gps0"
KERNEL=="pps0",	 OWNER="root", GROUP="tty", MODE="0660", SYMLINK+="gpspps0"
KERNEL=="ttyS0", RUN+="/bin/setserial -v /dev/%k low_latency irq 4"
KERNEL=="ttyS0", RUN+="/sbin/ldattach 18 /dev/%k &"

This is to make the necessary links and generate the pps device in /dev.
Reload udev and trigger using: udevadm control --reload-rules && udevadm trigger.

Starting ntpd using systemd for chroot

Using the default ntpd.service file, as found in the ntpsec git tree, we cannot start ntpd in a chroot without some changes.
So in /etc/systemd/system/ntpd.service.d/ we place a drop-in file (any name ending in .conf, which systemd requires) with this content:

[Service]
ExecStart=
EnvironmentFile=-/etc/sysconfig/ntpd
ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS

In /etc/sysconfig/ntpd we can then put the options for our chroot, for example:

# Drop root to id 'ntp:ntp' by default.
OPTIONS="-g -N -p /var/run/ntpd.pid -i /chroot/ntpd"

Files in chroot for ntpsec's ntpd

In /chroot/ntpd/dev/ we have these special files so that ntpd can run:

srw-rw-rw- 1 ntp  root       0 Mar 10 12:11 log
lrwxrwxrwx 1 root root       4 Mar  9 11:18 gpspps0 -> pps0
lrwxrwxrwx 1 root root       5 Mar  9 11:17 gps0 -> ttyS0
crw-r--r-- 1 ntp  ntp    4, 64 Mar  9 11:17 ttyS0
crw-r--r-- 1 ntp  ntp  252,  0 Mar  9 11:17 pps0
crw-r--r-- 1 ntp  ntp    1,  3 Mar  9 10:21 null

You can create the device files using mknod.
Please note the ownership and permissions.
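
The mknod step above as a script, added here as an example (not part of the original page or the NTPsec project): it copies the major/minor numbers from the host's /dev instead of hard-coding them, because the pps0 major (252 in the listing) is allocated dynamically and can differ between systems. The function names and the APPLY variable are assumptions of this example; mode 0644 and owner ntp:ntp follow the listing, and the log socket is left out because the syslog daemon creates it, not mknod.

```sh
#!/bin/sh
# Added example, not from the original page: populate CHROOT/dev as in the listing.
# Dry run by default (commands are printed); set APPLY=1 and run as root to execute.

# Print "major minor" in decimal for a host character device.
# stat reports them in hex (%t/%T); mknod expects decimal.
devnums() {
    [ -c "$1" ] || return 1
    hex=$(stat -c '%t %T' "$1") || return 1
    set -- $hex
    printf '%d %d\n' "0x$1" "0x$2"
}

# Execute the command when APPLY=1, otherwise just print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Create one device node in the chroot, mirroring /dev/NAME on the host.
make_node() {
    root=$1; name=$2
    nums=$(devnums "/dev/$name") || {
        echo "skip $name: /dev/$name is not a character device here" >&2
        return 1
    }
    run mknod -m 0644 "$root/dev/$name" c $nums &&
        run chown ntp:ntp "$root/dev/$name"
}

# Hypothetical entry point: nodes plus the gps0/gpspps0 symlinks from the listing.
populate_chroot_dev() {
    root=$1; rc=0
    run mkdir -p "$root/dev"
    for name in ttyS0 pps0 null; do
        make_node "$root" "$name" || rc=1
    done
    run ln -sf ttyS0 "$root/dev/gps0"
    run ln -sf pps0 "$root/dev/gpspps0"
    return $rc
}

# e.g.  sh populate-chroot-dev.sh /chroot/ntpd
if [ $# -gt 0 ]; then populate_chroot_dev "$1"; fi
```

A non-zero exit status means at least one host device was missing, for example pps0 before ldattach has run.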