1/* -*- Mode: Text -*- */ 2 3autogen definitions options; 4 5#include copyright.def 6 7prog-name = "ntpd"; 8prog-title = "NTP daemon program"; 9argument = "[ <server1> ... <serverN> ]"; 10 11#include ntpdbase-opts.def 12 13/* explain: Additional information whenever the usage routine is invoked */ 14explain = <<- _END_EXPLAIN 15 _END_EXPLAIN; 16 17doc-section = { 18 ds-type = 'DESCRIPTION'; 19 ds-format = 'mdoc'; 20 ds-text = <<- _END_PROG_MDOC_DESCRIP 21The 22.Nm 23utility is an operating system daemon which sets 24and maintains the system time of day in synchronism with Internet 25standard time servers. 26It is a complete implementation of the 27Network Time Protocol (NTP) version 4, as defined by RFC-5905, 28but also retains compatibility with 29version 3, as defined by RFC-1305, and versions 1 30and 2, as defined by RFC-1059 and RFC-1119, respectively. 31.Pp 32The 33.Nm 34utility does most computations in 64-bit floating point 35arithmetic and does relatively clumsy 64-bit fixed point operations 36only when necessary to preserve the ultimate precision, about 232 37picoseconds. 38While the ultimate precision is not achievable with 39ordinary workstations and networks of today, it may be required 40with future gigahertz CPU clocks and gigabit LANs. 41.Pp 42Ordinarily, 43.Nm 44reads the 45.Xr ntp.conf 5 46configuration file at startup time in order to determine the 47synchronization sources and operating modes. 48It is also possible to 49specify a working, although limited, configuration entirely on the 50command line, obviating the need for a configuration file. 51This may 52be particularly useful when the local host is to be configured as a 53broadcast/multicast client, with all peers being determined by 54listening to broadcasts at run time. 55.Pp 56If NetInfo support is built into 57.Nm , 58then 59.Nm 60will attempt to read its configuration from the 61NetInfo if the default 62.Xr ntp.conf 5 63file cannot be read and no file is 64specified by the 65.Fl c 66option. 67.Pp 68Various internal 69.Nm 70variables can be displayed and 71configuration options altered while the 72.Nm 73is running 74using the 75.Xr ntpq 1ntpqmdoc 76and 77.Xr ntpdc 1ntpdcmdoc 78utility programs. 79.Pp 80When 81.Nm 82starts it looks at the value of 83.Xr umask 2 , 84and if zero 85.Nm 86will set the 87.Xr umask 2 88to 022. 89 _END_PROG_MDOC_DESCRIP; 90}; 91 92doc-section = { 93 ds-type = 'USAGE'; 94 ds-format = 'mdoc'; 95 ds-text = <<- _END_MDOC_USAGE 96.Ss "How NTP Operates" 97The 98.Nm 99utility operates by exchanging messages with 100one or more configured servers over a range of designated poll intervals. 101When 102started, whether for the first or subsequent times, the program 103requires several exchanges from the majority of these servers so 104the signal processing and mitigation algorithms can accumulate and 105groom the data and set the clock. 106In order to protect the network 107from bursts, the initial poll interval for each server is delayed 108an interval randomized over a few seconds. 109At the default initial poll 110interval of 64s, several minutes can elapse before the clock is 111set. 112This initial delay to set the clock 113can be safely and dramatically reduced using the 114.Cm iburst 115keyword with the 116.Ic server 117configuration 118command, as described in 119.Xr ntp.conf 5 . 120.Pp 121Most operating systems and hardware of today incorporate a 122time-of-year (TOY) chip to maintain the time during periods when 123the power is off. 124When the machine is booted, the chip is used to 125initialize the operating system time. 126After the machine has 127synchronized to a NTP server, the operating system corrects the 128chip from time to time. 129In the default case, if 130.Nm 131detects that the time on the host 132is more than 1000s from the server time, 133.Nm 134assumes something must be terribly wrong and the only 135reliable action is for the operator to intervene and set the clock 136by hand. 137(Reasons for this include there is no TOY chip, 138or its battery is dead, or that the TOY chip is just of poor quality.) 139This causes 140.Nm 141to exit with a panic message to 142the system log. 143The 144.Fl g 145option overrides this check and the 146clock will be set to the server time regardless of the chip time 147(up to 68 years in the past or future \(em 148this is a limitation of the NTPv4 protocol). 149However, and to protect against broken hardware, such as when the 150CMOS battery fails or the clock counter becomes defective, once the 151clock has been set an error greater than 1000s will cause 152.Nm 153to exit anyway. 154.Pp 155Under ordinary conditions, 156.Nm 157adjusts the clock in 158small steps so that the timescale is effectively continuous and 159without discontinuities. 160Under conditions of extreme network 161congestion, the roundtrip delay jitter can exceed three seconds and 162the synchronization distance, which is equal to one-half the 163roundtrip delay plus error budget terms, can become very large. 164The 165.Nm 166algorithms discard sample offsets exceeding 128 ms, 167unless the interval during which no sample offset is less than 128 168ms exceeds 900s. 169The first sample after that, no matter what the 170offset, steps the clock to the indicated time. 171In practice this 172reduces the false alarm rate where the clock is stepped in error to 173a vanishingly low incidence. 174.Pp 175As the result of this behavior, once the clock has been set it 176very rarely strays more than 128 ms even under extreme cases of 177network path congestion and jitter. 178Sometimes, in particular when 179.Nm 180is first started without a valid drift file 181on a system with a large intrinsic drift 182the error might grow to exceed 128 ms, 183which would cause the clock to be set backwards 184if the local clock time is more than 128 s 185in the future relative to the server. 186In some applications, this behavior may be unacceptable. 187There are several solutions, however. 188If the 189.Fl x 190option is included on the command line, the clock will 191never be stepped and only slew corrections will be used. 192But this choice comes with a cost that 193should be carefully explored before deciding to use 194the 195.Fl x 196option. 197The maximum slew rate possible is limited 198to 500 parts-per-million (PPM) as a consequence of the correctness 199principles on which the NTP protocol and algorithm design are 200based. 201As a result, the local clock can take a long time to 202converge to an acceptable offset, about 2,000 s for each second the 203clock is outside the acceptable range. 204During this interval the 205local clock will not be consistent with any other network clock and 206the system cannot be used for distributed applications that require 207correctly synchronized network time. 208.Pp 209In spite of the above precautions, sometimes when large 210frequency errors are present the resulting time offsets stray 211outside the 128-ms range and an eventual step or slew time 212correction is required. 213If following such a correction the 214frequency error is so large that the first sample is outside the 215acceptable range, 216.Nm 217enters the same state as when the 218.Pa ntp.drift 219file is not present. 220The intent of this behavior 221is to quickly correct the frequency and restore operation to the 222normal tracking mode. 223In the most extreme cases 224(the host 225.Cm time.ien.it 226comes to mind), there may be occasional 227step/slew corrections and subsequent frequency corrections. 228It 229helps in these cases to use the 230.Cm burst 231keyword when 232configuring the server, but 233ONLY 234when you have permission to do so from the owner of the target host. 235.Pp 236Finally, 237in the past many startup scripts would run 238.Xr ntpdate 1ntpdatemdoc 239to get the system clock close to correct before starting 240.Xr ntpd 1ntpdmdoc , 241but this was never more than a mediocre hack and is no longer needed. 242.Pp 243There is a way to start 244.Xr ntpd 1ntpdmdoc 245that often addresses all of the problems mentioned above. 246.Ss "Starting NTP (Best Current Practice)" 247First, use the 248.Cm iburst 249option on your 250.Cm server 251entries. 252.Pp 253If you can also keep a good 254.Pa ntp.drift 255file then 256.Xr ntpd 1ntpdmdoc 257will effectively "warm-start" and your system's clock will 258be stable in under 11 seconds' time. 259.Pp 260As soon as possible in the startup sequence, start 261.Xr ntpd 1ntpdmdoc 262with at least the 263.Fl g 264and perhaps the 265.Fl N 266options. 267Then, 268start the rest of your "normal" processes. 269This will give 270.Xr ntpd 1ntpdmdoc 271as much time as possible to get the system's clock synchronized and stable. 272.Pp 273Finally, 274if you have processes like 275.Cm dovecot 276or database servers 277that require 278monotonically-increasing time, 279run 280.Xr ntp-wait 1ntp-waitmdoc 281as late as possible in the boot sequence 282(perhaps with the 283.Fl v 284flag) 285and after 286.Xr ntp-wait 1ntp-waitmdoc 287exits successfully 288it is as safe as it will ever be to start any process that require 289stable time. 290.Ss "Frequency Discipline" 291The 292.Nm 293behavior at startup depends on whether the 294frequency file, usually 295.Pa ntp.drift , 296exists. 297This file 298contains the latest estimate of clock frequency error. 299When the 300.Nm 301is started and the file does not exist, the 302.Nm 303enters a special mode designed to quickly adapt to 304the particular system clock oscillator time and frequency error. 305This takes approximately 15 minutes, after which the time and 306frequency are set to nominal values and the 307.Nm 308enters 309normal mode, where the time and frequency are continuously tracked 310relative to the server. 311After one hour the frequency file is 312created and the current frequency offset written to it. 313When the 314.Nm 315is started and the file does exist, the 316.Nm 317frequency is initialized from the file and enters normal mode 318immediately. 319After that the current frequency offset is written to 320the file at hourly intervals. 321.Ss "Operating Modes" 322The 323.Nm 324utility can operate in any of several modes, including 325symmetric active/passive, client/server broadcast/multicast and 326manycast, as described in the 327.Qq Association Management 328page 329(available as part of the HTML documentation 330provided in 331.Pa /usr/share/doc/ntp ) . 332It normally operates continuously while 333monitoring for small changes in frequency and trimming the clock 334for the ultimate precision. 335However, it can operate in a one-time 336mode where the time is set from an external server and frequency is 337set from a previously recorded frequency file. 338A 339broadcast/multicast or manycast client can discover remote servers, 340compute server-client propagation delay correction factors and 341configure itself automatically. 342This makes it possible to deploy a 343fleet of workstations without specifying configuration details 344specific to the local environment. 345.Pp 346By default, 347.Nm 348runs in continuous mode where each of 349possibly several external servers is polled at intervals determined 350by an intricate state machine. 351The state machine measures the 352incidental roundtrip delay jitter and oscillator frequency wander 353and determines the best poll interval using a heuristic algorithm. 354Ordinarily, and in most operating environments, the state machine 355will start with 64s intervals and eventually increase in steps to 3561024s. 357A small amount of random variation is introduced in order to 358avoid bunching at the servers. 359In addition, should a server become 360unreachable for some time, the poll interval is increased in steps 361to 1024s in order to reduce network overhead. 362.Pp 363In some cases it may not be practical for 364.Nm 365to run 366continuously. 367A common workaround has been to run the 368.Xr ntpdate 1ntpdatemdoc 369program from a 370.Xr cron 8 371job at designated 372times. 373However, this program does not have the crafted signal 374processing, error checking and mitigation algorithms of 375.Nm . 376The 377.Fl q 378option is intended for this purpose. 379Setting this option will cause 380.Nm 381to exit just after 382setting the clock for the first time. 383The procedure for initially 384setting the clock is the same as in continuous mode; most 385applications will probably want to specify the 386.Cm iburst 387keyword with the 388.Ic server 389configuration command. 390With this 391keyword a volley of messages are exchanged to groom the data and 392the clock is set in about 10 s. 393If nothing is heard after a 394couple of minutes, the daemon times out and exits. 395After a suitable 396period of mourning, the 397.Xr ntpdate 1ntpdatemdoc 398program may be 399retired. 400.Pp 401When kernel support is available to discipline the clock 402frequency, which is the case for stock Solaris, Tru64, Linux and 403.Fx , 404a useful feature is available to discipline the clock 405frequency. 406First, 407.Nm 408is run in continuous mode with 409selected servers in order to measure and record the intrinsic clock 410frequency offset in the frequency file. 411It may take some hours for 412the frequency and offset to settle down. 413Then the 414.Nm 415is 416stopped and run in one-time mode as required. 417At each startup, the 418frequency is read from the file and initializes the kernel 419frequency. 420.Ss "Poll Interval Control" 421This version of NTP includes an intricate state machine to 422reduce the network load while maintaining a quality of 423synchronization consistent with the observed jitter and wander. 424There are a number of ways to tailor the operation in order enhance 425accuracy by reducing the interval or to reduce network overhead by 426increasing it. 427However, the user is advised to carefully consider 428the consequences of changing the poll adjustment range from the 429default minimum of 64 s to the default maximum of 1,024 s. 430The 431default minimum can be changed with the 432.Ic tinker 433.Cm minpoll 434command to a value not less than 16 s. 435This value is used for all 436configured associations, unless overridden by the 437.Cm minpoll 438option on the configuration command. 439Note that most device drivers 440will not operate properly if the poll interval is less than 64 s 441and that the broadcast server and manycast client associations will 442also use the default, unless overridden. 443.Pp 444In some cases involving dial up or toll services, it may be 445useful to increase the minimum interval to a few tens of minutes 446and maximum interval to a day or so. 447Under normal operation 448conditions, once the clock discipline loop has stabilized the 449interval will be increased in steps from the minimum to the 450maximum. 451However, this assumes the intrinsic clock frequency error 452is small enough for the discipline loop correct it. 453The capture 454range of the loop is 500 PPM at an interval of 64s decreasing by a 455factor of two for each doubling of interval. 456At a minimum of 1,024 457s, for example, the capture range is only 31 PPM. 458If the intrinsic 459error is greater than this, the drift file 460.Pa ntp.drift 461will 462have to be specially tailored to reduce the residual error below 463this limit. 464Once this is done, the drift file is automatically 465updated once per hour and is available to initialize the frequency 466on subsequent daemon restarts. 467.Ss "The huff-n'-puff Filter" 468In scenarios where a considerable amount of data are to be 469downloaded or uploaded over telephone modems, timekeeping quality 470can be seriously degraded. 471This occurs because the differential 472delays on the two directions of transmission can be quite large. 473In 474many cases the apparent time errors are so large as to exceed the 475step threshold and a step correction can occur during and after the 476data transfer is in progress. 477.Pp 478The huff-n'-puff filter is designed to correct the apparent time 479offset in these cases. 480It depends on knowledge of the propagation 481delay when no other traffic is present. 482In common scenarios this 483occurs during other than work hours. 484The filter maintains a shift 485register that remembers the minimum delay over the most recent 486interval measured usually in hours. 487Under conditions of severe 488delay, the filter corrects the apparent offset using the sign of 489the offset and the difference between the apparent delay and 490minimum delay. 491The name of the filter reflects the negative (huff) 492and positive (puff) correction, which depends on the sign of the 493offset. 494.Pp 495The filter is activated by the 496.Ic tinker 497command and 498.Cm huffpuff 499keyword, as described in 500.Xr ntp.conf 5 . 501 _END_MDOC_USAGE; 502}; 503 504doc-section = { 505 ds-type = 'FILES'; 506 ds-format = 'mdoc'; 507 ds-text = <<- _END_MDOC_FILES 508.Bl -tag -width /etc/ntp.drift -compact 509.It Pa /etc/ntp.conf 510the default name of the configuration file 511.It Pa /etc/ntp.drift 512the default name of the drift file 513.It Pa /etc/ntp.keys 514the default name of the key file 515.El 516 _END_MDOC_FILES; 517}; 518 519doc-section = { 520 ds-type = 'SEE ALSO'; 521 ds-format = 'mdoc'; 522 ds-text = <<- _END_MDOC_SEE_ALSO 523.Xr ntp.conf 5 , 524.Xr ntpdate 1ntpdatemdoc , 525.Xr ntpdc 1ntpdcmdoc , 526.Xr ntpq 1ntpqmdoc 527.Pp 528In addition to the manual pages provided, 529comprehensive documentation is available on the world wide web 530at 531.Li http://www.ntp.org/ . 532A snapshot of this documentation is available in HTML format in 533.Pa /usr/share/doc/ntp . 534.Rs 535.%A David L. Mills 536.%T Network Time Protocol (Version 1) 537.%O RFC1059 538.Re 539.Rs 540.%A David L. Mills 541.%T Network Time Protocol (Version 2) 542.%O RFC1119 543.Re 544.Rs 545.%A David L. Mills 546.%T Network Time Protocol (Version 3) 547.%O RFC1305 548.Re 549.Rs 550.%A David L. Mills 551.%A J. Martin, Ed. 552.%A J. Burbank 553.%A W. Kasch 554.%T Network Time Protocol Version 4: Protocol and Algorithms Specification 555.%O RFC5905 556.Re 557.Rs 558.%A David L. Mills 559.%A B. Haberman, Ed. 560.%T Network Time Protocol Version 4: Autokey Specification 561.%O RFC5906 562.Re 563.Rs 564.%A H. Gerstung 565.%A C. Elliott 566.%A B. Haberman, Ed. 567.%T Definitions of Managed Objects for Network Time Protocol Version 4: (NTPv4) 568.%O RFC5907 569.Re 570.Rs 571.%A R. Gayraud 572.%A B. Lourdelet 573.%T Network Time Protocol (NTP) Server Option for DHCPv6 574.%O RFC5908 575.Re 576 _END_MDOC_SEE_ALSO; 577}; 578 579doc-section = { 580 ds-type = 'BUGS'; 581 ds-format = 'mdoc'; 582 ds-text = <<- _END_MDOC_BUGS 583The 584.Nm 585utility has gotten rather fat. 586While not huge, it has gotten 587larger than might be desirable for an elevated-priority 588.Nm 589running on a workstation, particularly since many of 590the fancy features which consume the space were designed more with 591a busy primary server, rather than a high stratum workstation in 592mind. 593 _END_MDOC_BUGS; 594}; 595 596doc-section = { 597 ds-type = 'NOTES'; 598 ds-format = 'mdoc'; 599 ds-text = <<- _END_MDOC_NOTES 600This document corresponds to version #VERSION# of NTP. 601Portions of this document came from FreeBSD. 602 _END_MDOC_NOTES; 603}; 604