LinuxPPS NTPsec support


NTPsec is a secure, hardened, and improved implementation of the Network Time Protocol, derived from NTP Classic, Dave Mills’s original.
This page is a work in progress and describes ways of getting the NTPsec project's ntpd to work.

Getting the code

See for downloads and git repositories.

Compiling the code

See for information.
What it comes down to after getting the code:

./waf configure
./waf build

This will compile NTPsec with support for NMEA+PPS and a few generic clocks like the Expert MouseCLock. After compiling you can now install the results with:

./waf install

Depending on your distribution and/or OS you can find startup scripts for e.g. systemd in the source tree.

Configuration of NTPsec's ntpd

The source tree has some default config files under ./etc/ntp.d.
To use a GPS receiver such as Garmin's GPS18, an /etc/ntp.conf like the following can be used:

driftfile /var/lib/ntp/drift

restrict default nomodify nopeer noquery
restrict -6 default nomodify nopeer noquery
disable monitor

restrict -6 ::1

restrict mask nomodify

# this is the Expert MouseCLock 
refclock generic subtype 14 minpoll 4 flag3 0 flag2 0 flag1 0 time1 0.16958333

# this is the NMEA refclock for the Garmin GPS18
refclock nmea unit 0 mode 7 flag3 0 flag2 0 flag1 1 time1 0.00000006 time2 0.260 baud 4800

# some servers
server minpoll 4 iburst

Configuration of udev for NTPsec's ntpd and serial GPS

In /etc/udev/rules.d/09-pps.rules we have:

KERNEL=="ttyS0", SYMLINK+="gps0"
KERNEL=="pps0",	 OWNER="root", GROUP="tty", MODE="0660", SYMLINK+="gpspps0"
KERNEL=="ttyS0", RUN+="/bin/setserial -v /dev/%k low_latency irq 4"
KERNEL=="ttyS0", RUN+="/sbin/ldattach 18 /dev/%k &"

This is to make the necessary links and generate the pps device in /dev.
Reload udev and trigger using: udevadm control --reload-rules && udevadm trigger.

Starting ntpd using systemd for chroot

Using the default ntpd.service file, as found in the ntpsec git tree, we cannot start ntpd in a chroot without some changes.
So in /etc/systemd/system/ntpd.service.d/ we place a file with any name and this content:

[Service]
ExecStart=
ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS

In /etc/sysconfig/ntpd we can then set the options used for our chroot, for example:

# Drop root to id 'ntp:ntp' by default.
OPTIONS="-g -N -p /var/run/ -i /chroot/ntpd"

Files in chroot for ntpsec's ntpd

In /chroot/ntpd/dev/ we have these special files so that ntpd can run:

srw-rw-rw- 1 ntp  root       0 Mar 10 12:11 log
lrwxrwxrwx 1 root root       4 Mar  9 11:18 gpspps0 -> pps0
lrwxrwxrwx 1 root root       5 Mar  9 11:17 gps0 -> ttyS0
crw-r--r-- 1 ntp  ntp    4, 64 Mar  9 11:17 ttyS0
crw-r--r-- 1 ntp  ntp  252,  0 Mar  9 11:17 pps0
crw-r--r-- 1 ntp  ntp    1,  3 Mar  9 10:21 null

You can create the device files using mknod.
Please note the ownership and permissions.
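
The device nodes listed above can be created by a script. The following is an added example, not part of the original page or the NTPsec source tree: it reads the major and minor numbers from the host's own /dev entries instead of copying them from the listing, and by default only prints the commands. CHROOT_DEV, APPLY and the function names are assumptions of the example; the log socket is not a device node and is left out.

```shell
#!/bin/sh
# Added example: plan (or apply) the device nodes for ntpd's chroot /dev.
# CHROOT_DEV, APPLY and the function names are assumptions of this sketch.
CHROOT_DEV="${CHROOT_DEV:-/chroot/ntpd/dev}"

# Run the command when APPLY=1 (needs root); otherwise just print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Print "major minor" (decimal) of a character device, following symlinks.
# Fails if the path is missing or is not a character device.
dev_numbers() {
    [ -c "$1" ] || return 1
    set -- $(stat -L -c '%t %T' "$1")    # GNU stat prints both in hex
    echo "$((0x$1)) $((0x$2))"
}

# Recreate host device $1 inside the chroot, owned by ntp:ntp with
# mode 0644 (the ownership and mode shown in the listing above).
clone_node() {
    name=$(basename "$1")
    nums=$(dev_numbers "$1") || {
        echo "# skipped: $1 is not a character device on this host"
        return 0
    }
    run mknod -m 0644 "$CHROOT_DEV/$name" c $nums
    run chown ntp:ntp "$CHROOT_DEV/$name"
}

build_chroot_dev() {
    run mkdir -p "$CHROOT_DEV"
    for dev in /dev/null /dev/ttyS0 /dev/pps0; do
        clone_node "$dev"
    done
    # The same relative links the udev rules create on the host.
    run ln -sfn ttyS0 "$CHROOT_DEV/gps0"
    run ln -sfn pps0 "$CHROOT_DEV/gpspps0"
}

build_chroot_dev
```

Run it as root with APPLY=1 to create the nodes instead of printing the commands.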