20

I’m using AWS and am on an EC2 server …

[dalvarado@mymachine ~]$ uname -a
Linux mydomain.org 3.14.33-26.47.amzn1.x86_64 #1 SMP Wed Feb 11 22:39:25 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

My clock is off by a minute ro so despite the fact that I already have NTPD installed and running

[dalvarado@mymachine ~]$ sudo service ntpd status
ntpd (pid  22963) is running...

It would appear ntp packets are blocked or there is some other problem because I get this error …

[dalvarado@mymachine ~]$ sudo ntpdate pool.ntp.org
 2 Apr 16:43:50 ntpdate[23748]: no server suitable for synchronization found

Does anyone know with AWS if there’s another server I should be contacting for NTP info or if there are other additional configurations I need?

Thanks, - Dave

Edit: Including the output from the comment ...

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Second edit:

Below are the contents of the /etc/ntp.conf file

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Enable additional logging.
logconfig =clockall =peerall =sysall =syncall

# Listen only on the primary network interface.
interface listen eth0
interface ignore ipv6

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

and below is the output from "ntpq -p"

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000
Dave A
  • 2,490
  • 9
  • 36
  • 54
  • 2
    It sounds like you may have been too restrictive with your security groups or network acls. I have no issues with the default `ntpd` servers on EC2 instances. – Michael - sqlbot Apr 02 '15 at 22:35

3 Answers3

15

(2018) Amazon now recommend "just" using their 169.254.169.123 NTP server because

Your instance does not require access to the internet, and you do not have to configure your security group rules or your network ACL rules to allow access.

(It looks like the link-local "Amazon Time Sync Service" was introduced in late 2017)

Note: The 169.254.169.123 server does "leap smearing" and SHOULD NOT be mixed with other (non-Amazon) NTP servers from out on the internet that aren't doing the smearing exactly the same way. Amazon also recommend using chrony instead of ntpd unless you are stuck in a legacy situation where chrony is unavailable as compared to ntpd, chrony is faster at achieving synchronization, more accurate and more robust.

Anon
  • 4,044
  • 2
  • 26
  • 46
13

Yes, you should be using at least 3 and ideally 5 or more servers which are a low stratum and a close (round trip time) to your instance.

Amazon provide some documents which detail how to configure ntp. It should be noted that you don't need to use the pool servers listed - they are a front for the public ntp pool which Amazon load balance to; you can pick any servers you like, just remember to update your security/ACL settings for any new addresses.

The output you provided 

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Shows that the servers you have configured are not reachable.

Refid=.INIT. means you have not yet initialised comms to the referenced server. You poll them every 1024 sec but they all have reach=0 thus you can't reach them and are not receiving the time from any server. That's why your clock is still wrong.

It maybe you have your firewall/network security setup too harsh and you are blocking access to those hosts, or more likely the port.

Do some network level diag as it would appear that's where your problem lies - also please include your ntp.conf and the output from ntpq -pcrv if you need further help.

Once you fix the reachability issue, check the numbers in ntpq -p are showing valid data and you should find your problem sorted and clock gets kept in check as expected.

Just a warning to folks about using the AWS time service at 169.254.169.123; This server is not a true ntp server as it doest not correctly handle leap seconds. Instead the AWS server does 'leap smearing'.

This may or may not be suitable for your setup, and you should never mix normal NTP and leap smeared NTP servers together in the same config, or the same timing domain. You should pick one standard and stick to it to avoid any problems.

user3788685
  • 2,483
  • 5
  • 19
  • 37
  • I added the contents of the ntp.conf file as well as the output from "ntpq -pcrv" into my question. Regarding the network issues, what needs to happen in order to reach the hosts? Does a port need to be unblocked? I'm unfamiliar with how Amazon governs network issues. – Dave A Apr 07 '15 at 18:58
  • 1
    Yes, I can ping those hosts ok. It doesn't appear that UDP is open for outbound access, but I'm not sure if I'm checking that properly. This call "nc 0.amazon.pool.ntp.org 123 < /dev/null; echo $?" returns "1", indicating UDP is not open. – Dave A Apr 08 '15 at 22:00
  • 2
    We had previously been blocking UDP access in our network ACL settings. Opening that up solved the problem. – Dave A Apr 09 '15 at 20:41
9

Amazon documents NTP here. They include NTP configuration with their Amazon linux distributions. An Amazon instance that I have currently running lists these servers in /etc/ntp.conf, which is also what their documentation recommends:

server 0.amazon.pool.ntp.org iburst 
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst 
server 3.amazon.pool.ntp.org iburst
Bruce P
  • 17,554
  • 7
  • 59
  • 69
  • 3
    Hi, Yes, my /etc/ntpd.conf also has thees servers listed. So why is my time still lagging by a couple of minutes from what the actual time is? – Dave A Apr 03 '15 at 13:11
  • 2
    @DaveA did you solve this issue? Let me know if you found a solution. – Robert Dec 13 '16 at 18:13
  • 2
    @DaveA ntpd will not correct huge clock offsets. If you want to do that, you should stop ntpd, run `sudo ntpdate 0.amazon.pool.ntp.org` to make the clock close to correct, and then start ntpd again. – mortehu Sep 11 '17 at 01:40