NTP service

1. About

The Network Time Protocol (NTP) is used for clock synchronization between computers. It can synchronize all participating computers over the network to within a few milliseconds of Coordinated Universal Time (UTC) using accurate time servers.

2. Systems

2.1 Frontend

FQDN IPv6 IPv4
ntp.bfh.info
ipv6.ntp.bfh.info
ipv4.ntp.bfh.info

2.2 Backend

Warning
Always use the frontend DNS record

Never use the backend nodes directly:

  • backend may change without notice at any time (e.g. IP addresses, DNS records, configuration, etc.)
  • backend has no legacy support or grace periods; changes are implemented instantly
  • backend can be rebooted without notice at any time
  • backend access will soon be restricted

FQDN                IPv6           IPv4
node1.ntp.bfh.info  2a07:6b40::41  147.87.0.41
node2.ntp.bfh.info  2a07:6b40::42  147.87.0.42
node3.ntp.bfh.info  2a07:6b40::43  147.87.0.43
node4.ntp.bfh.info  2a07:6b40::44  147.87.0.44

3. Features

3.1 Protocols

  • NTPv4 (UDP) on port 123 (frontend and backends)

  • NTS with NTS-KE (TCP) on port 4460 (frontend and backends)

3.2 ACLs

  • queries are accepted from 2a07:6b40::/29, 147.87.0.0/16 and 10.0.0.0/8 only, everything else is denied
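
A small pre-flight check, added here as an example and not part of this page or the service's own tooling: it tests whether a client's source address falls inside the ACL prefixes listed above and whether the planned server name is a frontend record rather than one of the backend nodes from section 2.2. The prefix list, host names and sample addresses are taken from this page; the function names are assumptions.

```python
import ipaddress

# Allowed client prefixes as listed in section 3.2 of this page.
ALLOWED_PREFIXES = [
    ipaddress.ip_network("2a07:6b40::/29"),
    ipaddress.ip_network("147.87.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Frontend records (section 2.1) and backend nodes (section 2.2).
FRONTEND_HOSTS = {"ntp.bfh.info", "ipv6.ntp.bfh.info", "ipv4.ntp.bfh.info"}
BACKEND_HOSTS = {f"node{n}.ntp.bfh.info" for n in range(1, 5)}


def matching_prefix(addr: str):
    """Return the ACL prefix that contains addr, or None if it is denied."""
    ip = ipaddress.ip_address(addr)
    for net in ALLOWED_PREFIXES:
        if ip in net:
            return str(net)
    return None


def source_allowed(addr: str) -> bool:
    """True if a query from this source address passes the ACL in 3.2."""
    return matching_prefix(addr) is not None


def check_client_config(server_name: str, source_addr: str) -> list:
    """Findings for a planned client configuration (hypothetical helper).

    An empty list means the configuration follows this page: it uses a
    frontend DNS record and the client's source address is not denied.
    """
    findings = []
    if server_name in BACKEND_HOSTS:
        findings.append(f"{server_name} is a backend node; use ntp.bfh.info instead")
    elif server_name not in FRONTEND_HOSTS:
        findings.append(f"{server_name} is not a documented frontend record")
    if not source_allowed(source_addr):
        findings.append(f"{source_addr} is outside the ACL; queries will be denied")
    return findings


if __name__ == "__main__":
    # Constructed sample: an allowed source using the frontend record.
    print(check_client_config("ntp.bfh.info", "147.87.12.34"))
```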

3.3 Time sources

  • using vendor zone from pool.ntp.org as time source

3.4 Details

  • hardware timestamping on network cards for better accuracy of synchronization

  • leap smearing for leap seconds (on 30th of June and 31st of December)

4. Operations

4.1 Query time server

    # from BFH internal network only
    ntpdate -q ntp.bfh.info

4.2 Show connected clients

    ssh node1.ntp.bfh.info watch -n1 sudo chronyc clients
    ssh node2.ntp.bfh.info watch -n1 sudo chronyc clients
    ssh node3.ntp.bfh.info watch -n1 sudo chronyc clients
    ssh node4.ntp.bfh.info watch -n1 sudo chronyc clients

4.3 Verify NTS

    sudo chronyd -Q -t 3 'server ntp.bfh.info iburst nts maxsamples 1'

5. Backlog

Legacy

  • n/a

Setup

  • regenerate containers with Debian 12

  • upgrade to current chrony

  • creating proxy.ntp.bfh.info

  • load balancing proxy.ntp.bfh.info

  • enabling rate limiting

  • restricting backend subnet access to frontend and management only

Features

  • anycasting ntp.bfh.info

  • adding additional alternative time sources for resilience

  • test environment

  • benchmarking

Known issues

  • downstream: chrony operation needs special handling for TLS certificates (see #1013882)