Archive for October, 2007
Base Jumping Into a Cave
Wednesday, October 24th, 2007
I don’t care where you live, this is freaking cool.
These guys are jumping into the Cave of Swallows in Mexico. This clip is from the “Caves” section of the BBC’s awesome documentary Planet Earth.
Installing Kubuntu 7.10 (Gutsy Gibbon) on a ThinkPad X61 Tablet
Sunday, October 21st, 2007
This weekend I installed Gutsy, now officially known as Kubuntu 7.10, on my X61. I decided I’d try and write up a guide on thinkwiki.org. Because I don’t have an optical drive for my laptop, installation was a bit tricky; I ended up booting off the network. Once over that hurdle, everything else pretty much just worked. No fussing with X configuration settings; wired and wireless network just worked, sound worked, etc. Installing Linux has come a long way in the last few years.
DHCP Failover on OpenBSD
Saturday, October 20th, 2007
I have been running a DHCP server on my home network for eons now, and today I decided I’d move it on to my OpenBSD firewall cluster. It probably really shouldn’t be there but I already run a handful of other internal services there, like DNS, and NTP. Running DHCP on the firewall cluster also means that I can upgrade any machine on my network without losing internet access. Here’s how I got it set up and working.
Running xntpd on my OpenBSD firewall cluster
Tuesday, October 16th, 2007
Now that my firewall cluster is working better, I can add some additional critical services to it. For a long time I have run a time server on a machine on my network so we can have consistent, accurate time. I thought I would move this over to my firewall cluster, giving me redundant time servers. The setup was pretty easy.
First, get the xntpd package for OpenBSD from your favorite mirror. OpenNTPD is fine, but the lack of the ntpq command is enough for me to not use it. Once you have xntpd installed, we need to get it set up so it will run when you boot.
Add the following lines to /etc/rc.conf.local:
# flags to get xntpd started
xntpd=YES
xntpdate_flags="pool.ntp.org"
Then add the following to /etc/rc.local:
# xntpd stuff
# run ntpdate prior to ntpd
if [ $securelevel -le 1 -a X"${xntpdate_flags}" != X"NO" \
    -a -x /usr/local/sbin/ntpdate ]; then
        echo -n ' ntpdate'
        /usr/local/sbin/ntpdate -b ${xntpdate_flags} >/dev/null
fi
if [ X"${xntpd}" == X"YES" -a -x /usr/local/sbin/ntpd \
    -a -e /etc/ntp.conf ]; then
        xntpd_flags="-p /var/run/ntpd.pid"
        if [ $securelevel -ge 1 ]; then
                xntpd_flags="${xntpd_flags} -x"
        fi
        echo -n ' ntpd'; /usr/local/sbin/ntpd ${xntpd_flags}
fi
Now that it will start and run, we just need a config file. OpenNTPD uses /etc/ntpd.conf as its configuration file; xntpd uses /etc/ntp.conf. Here’s my ntp.conf file from one of the machines in the cluster:
# /etc/ntp.conf: Configuration file for ntpd.
#
logfile /var/log/ntpd.log
driftfile /etc/ntp.drift
keys /etc/ntp.keys

# set up our keys for run time modification
requestkey 137
controlkey 137
trustedkey 137
#enable auth

# time servers
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org

# use local system clock if all else fails
server 127.127.1.0 iburst
fudge 127.127.1.0 stratum 11

# restrict who can get time from us
restrict 127.0.0.1
restrict 192.168.13.0 mask 255.255.255.0
restrict default nomodify nopeer
Note how I am using pool.ntp.org as my time servers. This gets me a randomly assigned time server each time I boot the machine. The config file on the other machine in the cluster is exactly the same, except that I am not using the ntp pool. I found several restricted time servers, and have acquired permission to utilize their services. This means that I will be sure and have different time sources on each of my time servers.
Notice also how I have the:
# use local system clock if all else fails
server 127.127.1.0 iburst
fudge 127.127.1.0 stratum 11
section in the file. This makes it so that if I lose internet connectivity, this time server will look at the local clock for a time source, so at least all the machines on my network will drift time together. The other machine in the cluster has its local clock set to stratum 10, so there will only be one “master” local clock.
All the clients on my network now have a simple configuration file to use these two new time servers. It looks like this:
# /etc/ntp.conf: Configuration file for ntpd.
#
logfile /var/log/ntpd.log
driftfile /etc/ntp.drift
keys /etc/ntp.keys

# set up our keys for run time modification
requestkey 137
controlkey 137
trustedkey 137
#enable auth

# time servers
server tick.kotfu.net iburst
server tock.kotfu.net iburst

# use local system clock if all else fails
server 127.127.1.0 iburst
fudge 127.127.1.0 stratum 13

# restrict who can get time from us
restrict 127.0.0.1
restrict 192.168.13.0 mask 255.255.255.0
restrict default nomodify nopeer noquery noserve
Now I have my own redundant, reliable time services for my home network.
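To see what the restrict lines in the two ntp.conf files above actually permit, here is an added example (not part of the original post) that resolves which entry applies to a given source address and what that entry allows. The function names and sample addresses are made up for illustration, only IPv4 is handled, and the matching rule (entries sorted by address then mask, last match wins, regardless of file order) is an assumption taken from the ntpd access-control documentation.

```python
import ipaddress

# Constructed: the restrict lines from the server and client ntp.conf above.
SERVER_CONF = """\
restrict 127.0.0.1
restrict 192.168.13.0 mask 255.255.255.0
restrict default nomodify nopeer
"""
CLIENT_CONF = SERVER_CONF.replace("nopeer", "nopeer noquery noserve")

def parse_restrict(conf_text):
    """Return (network, mask, flags) tuples for each IPv4 'restrict' line."""
    entries = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        if addr == "default":
            addr_int, mask_int = 0, 0
        else:
            addr_int = int(ipaddress.IPv4Address(addr))
            mask_int = 0xFFFFFFFF  # no 'mask' keyword: a single host
        if rest[:1] == ["mask"]:
            mask_int = int(ipaddress.IPv4Address(rest[1]))
            rest = rest[2:]
        entries.append((addr_int & mask_int, mask_int, frozenset(rest)))
    return entries

def flags_for(conf_text, source_ip):
    """Flags applied to a packet from source_ip (no match: no restrictions)."""
    src = int(ipaddress.IPv4Address(source_ip))
    # Assumption: ntpd sorts entries by address, then mask; last match wins.
    matches = [e for e in sorted(parse_restrict(conf_text), key=lambda e: e[:2])
               if src & e[1] == e[0]]
    return matches[-1][2] if matches else frozenset()

def access(conf_text, source_ip):
    """Summarise what the matching entry lets source_ip do."""
    flags = flags_for(conf_text, source_ip)
    ignored = "ignore" in flags
    return {"time": not ignored and "noserve" not in flags,
            "query": not ignored and "noquery" not in flags,
            # not blocked by restrict; still subject to key authentication
            "modify": not ignored and not flags & {"noquery", "nomodify"}}

if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for ip in ("127.0.0.1", "192.168.13.50", "203.0.113.9"):
            print(name, ip, access(conf, ip))
```

For an address outside 192.168.13.0/24, the server's default entry still serves time and answers ntpq/ntpdc status queries, while the client's default entry (with noquery and noserve) does neither.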
OpenBSD Firewall Cluster
Friday, October 12th, 2007
I have been running an OpenBSD firewall cluster on my home network for some time. These two machines use CARP and pfsync to seamlessly fail over interfaces in case of a hardware or software failure. This has been quite convenient, and allows me to upgrade OpenBSD without losing internet connectivity. I only have one available public IP address, so that has to be on the CARP interface, i.e. each firewall can’t have its own public IP address. This meant that the backup machine had no connectivity to the outside world.