1/* -*- Mode: Text -*- */ 2 3autogen definitions options; 4 5#include copyright.def 6 7prog-name = "ntpd"; 8prog-title = "NTP daemon program"; 9argument = "[ <server1> ... <serverN> ]"; 10 11#include ntpdbase-opts.def 12 13/* explain: Additional information whenever the usage routine is invoked */ 14explain = <<- _END_EXPLAIN 15 _END_EXPLAIN; 16 17doc-section = { 18 ds-type = 'DESCRIPTION'; 19 ds-format = 'mdoc'; 20 ds-text = <<- _END_PROG_MDOC_DESCRIP 21The 22.Nm 23utility is an operating system daemon which sets 24and maintains the system time of day in synchronism with Internet 25standard time servers. 26It is a complete implementation of the 27Network Time Protocol (NTP) version 4, as defined by RFC-5905, 28but also retains compatibility with 29version 3, as defined by RFC-1305, and versions 1 30and 2, as defined by RFC-1059 and RFC-1119, respectively. 31.Pp 32The 33.Nm 34utility does most computations in 64-bit floating point 35arithmetic and does relatively clumsy 64-bit fixed point operations 36only when necessary to preserve the ultimate precision, about 232 37picoseconds. 38While the ultimate precision is not achievable with 39ordinary workstations and networks of today, it may be required 40with future gigahertz CPU clocks and gigabit LANs. 41.Pp 42Ordinarily, 43.Nm 44reads the 45.Xr ntp.conf 5 46configuration file at startup time in order to determine the 47synchronization sources and operating modes. 48It is also possible to 49specify a working, although limited, configuration entirely on the 50command line, obviating the need for a configuration file. 51This may 52be particularly useful when the local host is to be configured as a 53broadcast/multicast client, with all peers being determined by 54listening to broadcasts at run time. 55.Pp 56If NetInfo support is built into 57.Nm , 58then 59.Nm 60will attempt to read its configuration from the 61NetInfo if the default 62.Xr ntp.conf 5 63file cannot be read and no file is 64specified by the 65.Fl c 66option. 67.Pp 68Various internal 69.Nm 70variables can be displayed and 71configuration options altered while the 72.Nm 73is running 74using the 75.Xr ntpq 1ntpqmdoc 76and 77.Xr ntpdc 1ntpdcmdoc 78utility programs. 79.Pp 80When 81.Nm 82starts it looks at the value of 83.Xr umask 2 , 84and if zero 85.Nm 86will set the 87.Xr umask 2 88to 022. 89 _END_PROG_MDOC_DESCRIP; 90}; 91 92doc-section = { 93 ds-type = 'USAGE'; 94 ds-format = 'mdoc'; 95 ds-text = <<- _END_MDOC_USAGE 96.Ss "How NTP Operates" 97The 98.Nm 99utility operates by exchanging messages with 100one or more configured servers over a range of designated poll intervals. 101When 102started, whether for the first or subsequent times, the program 103requires several exchanges from the majority of these servers so 104the signal processing and mitigation algorithms can accumulate and 105groom the data and set the clock. 106In order to protect the network 107from bursts, the initial poll interval for each server is delayed 108an interval randomized over a few seconds. 109At the default initial poll 110interval of 64s, several minutes can elapse before the clock is 111set. 112This initial delay to set the clock 113can be safely and dramatically reduced using the 114.Cm iburst 115keyword with the 116.Ic server 117configuration 118command, as described in 119.Xr ntp.conf 5 . 120.Pp 121Most operating systems and hardware of today incorporate a 122time-of-year (TOY) chip to maintain the time during periods when 123the power is off. 124When the machine is booted, the chip is used to 125initialize the operating system time. 126After the machine has 127synchronized to a NTP server, the operating system corrects the 128chip from time to time. 129In the default case, if 130.Nm 131detects that the time on the host 132is more than 1000s from the server time, 133.Nm 134assumes something must be terribly wrong and the only 135reliable action is for the operator to intervene and set the clock 136by hand. 137(Reasons for this include there is no TOY chip, 138or its battery is dead, or that the TOY chip is just of poor quality.) 139This causes 140.Nm 141to exit with a panic message to 142the system log. 143The 144.Fl g 145option overrides this check and the 146clock will be set to the server time regardless of the chip time 147(up to 68 years in the past or future \(em 148this is a limitation of the NTPv4 protocol). 149However, and to protect against broken hardware, such as when the 150CMOS battery fails or the clock counter becomes defective, once the 151clock has been set an error greater than 1000s will cause 152.Nm 153to exit anyway. 154.Pp 155Under ordinary conditions, 156.Nm 157adjusts the clock in 158small steps so that the timescale is effectively continuous and 159without discontinuities. 160Under conditions of extreme network 161congestion, the roundtrip delay jitter can exceed three seconds and 162the synchronization distance, which is equal to one-half the 163roundtrip delay plus error budget terms, can become very large. 164The 165.Nm 166algorithms discard sample offsets exceeding 128 ms, 167unless the interval during which no sample offset is less than 128 168ms exceeds 900s. 169The first sample after that, no matter what the 170offset, steps the clock to the indicated time. 171In practice this 172reduces the false alarm rate where the clock is stepped in error to 173a vanishingly low incidence. 174.Pp 175As the result of this behavior, once the clock has been set it 176very rarely strays more than 128 ms even under extreme cases of 177network path congestion and jitter. 178Sometimes, in particular when 179.Nm 180is first started without a valid drift file 181on a system with a large intrinsic drift 182the error might grow to exceed 128 ms, 183which would cause the clock to be set backwards 184if the local clock time is more than 128 s 185in the future relative to the server. 186In some applications, this behavior may be unacceptable. 187There are several solutions, however. 188If the 189.Fl x 190option is included on the command line, the clock will 191never be stepped and only slew corrections will be used. 192But this choice comes with a cost that 193should be carefully explored before deciding to use 194the 195.Fl x 196option. 197The maximum slew rate possible is limited 198to 500 parts-per-million (PPM) as a consequence of the correctness 199principles on which the NTP protocol and algorithm design are 200based. 201As a result, the local clock can take a long time to 202converge to an acceptable offset, about 2,000 s for each second the 203clock is outside the acceptable range. 204During this interval the 205local clock will not be consistent with any other network clock and 206the system cannot be used for distributed applications that require 207correctly synchronized network time. 208.Pp 209In spite of the above precautions, sometimes when large 210frequency errors are present the resulting time offsets stray 211outside the 128-ms range and an eventual step or slew time 212correction is required. 213If following such a correction the 214frequency error is so large that the first sample is outside the 215acceptable range, 216.Nm 217enters the same state as when the 218.Pa ntp.drift 219file is not present. 220The intent of this behavior 221is to quickly correct the frequency and restore operation to the 222normal tracking mode. 223In the most extreme cases 224(the host 225.Cm time.ien.it 226comes to mind), there may be occasional 227step/slew corrections and subsequent frequency corrections. 228It 229helps in these cases to use the 230.Cm burst 231keyword when 232configuring the server, but 233ONLY 234when you have permission to do so from the owner of the target host. 235.Pp 236Finally, 237in the past many startup scripts would run 238.Xr ntpdate 1ntpdatemdoc 239to get the system clock close to correct before starting 240.Xr ntpd 1ntpdmdoc , 241but this was never more than a mediocre hack and is no longer needed. 242If you are following the instructions in 243.Sx "Starting NTP (Best Current Practice)" 244and you still need to set the system time before starting 245.Nm , 246please open a bug report and document what is going on, 247and then look at using 248.Xr sntp 1sntpmdoc . 249.Pp 250There is a way to start 251.Xr ntpd 1ntpdmdoc 252that often addresses all of the problems mentioned above. 253.Ss "Starting NTP (Best Current Practice)" 254First, use the 255.Cm iburst 256option on your 257.Cm server 258entries. 259.Pp 260If you can also keep a good 261.Pa ntp.drift 262file then 263.Xr ntpd 1ntpdmdoc 264will effectively "warm-start" and your system's clock will 265be stable in under 11 seconds' time. 266.Pp 267As soon as possible in the startup sequence, start 268.Xr ntpd 1ntpdmdoc 269with at least the 270.Fl g 271and perhaps the 272.Fl N 273options. 274Then, 275start the rest of your "normal" processes. 276This will give 277.Xr ntpd 1ntpdmdoc 278as much time as possible to get the system's clock synchronized and stable. 279.Pp 280Finally, 281if you have processes like 282.Cm dovecot 283or database servers 284that require 285monotonically-increasing time, 286run 287.Xr ntp-wait 1ntp-waitmdoc 288as late as possible in the boot sequence 289(perhaps with the 290.Fl v 291flag) 292and after 293.Xr ntp-wait 1ntp-waitmdoc 294exits successfully 295it is as safe as it will ever be to start any process that require 296stable time. 297.Ss "Frequency Discipline" 298The 299.Nm 300behavior at startup depends on whether the 301frequency file, usually 302.Pa ntp.drift , 303exists. 304This file 305contains the latest estimate of clock frequency error. 306When the 307.Nm 308is started and the file does not exist, the 309.Nm 310enters a special mode designed to quickly adapt to 311the particular system clock oscillator time and frequency error. 312This takes approximately 15 minutes, after which the time and 313frequency are set to nominal values and the 314.Nm 315enters 316normal mode, where the time and frequency are continuously tracked 317relative to the server. 318After one hour the frequency file is 319created and the current frequency offset written to it. 320When the 321.Nm 322is started and the file does exist, the 323.Nm 324frequency is initialized from the file and enters normal mode 325immediately. 326After that the current frequency offset is written to 327the file at hourly intervals. 328.Ss "Operating Modes" 329The 330.Nm 331utility can operate in any of several modes, including 332symmetric active/passive, client/server broadcast/multicast and 333manycast, as described in the 334.Qq Association Management 335page 336(available as part of the HTML documentation 337provided in 338.Pa /usr/share/doc/ntp ) . 339It normally operates continuously while 340monitoring for small changes in frequency and trimming the clock 341for the ultimate precision. 342However, it can operate in a one-time 343mode where the time is set from an external server and frequency is 344set from a previously recorded frequency file. 345A 346broadcast/multicast or manycast client can discover remote servers, 347compute server-client propagation delay correction factors and 348configure itself automatically. 349This makes it possible to deploy a 350fleet of workstations without specifying configuration details 351specific to the local environment. 352.Pp 353By default, 354.Nm 355runs in continuous mode where each of 356possibly several external servers is polled at intervals determined 357by an intricate state machine. 358The state machine measures the 359incidental roundtrip delay jitter and oscillator frequency wander 360and determines the best poll interval using a heuristic algorithm. 361Ordinarily, and in most operating environments, the state machine 362will start with 64s intervals and eventually increase in steps to 3631024s. 364A small amount of random variation is introduced in order to 365avoid bunching at the servers. 366In addition, should a server become 367unreachable for some time, the poll interval is increased in steps 368to 1024s in order to reduce network overhead. 369.Pp 370In some cases it may not be practical for 371.Nm 372to run continuously. 373A common workaround has been to run the 374.Xr ntpdate 1ntpdatemdoc 375or 376.Xr sntp 1sntpmdoc 377programs from a 378.Xr cron 8 379job at designated 380times. 381However, these programs do not have the crafted signal 382processing, error checking or mitigation algorithms of 383.Nm . 384The 385.Fl q 386option is intended for this purpose. 387Setting this option will cause 388.Nm 389to exit just after 390setting the clock for the first time. 391The procedure for initially 392setting the clock is the same as in continuous mode; most 393applications will probably want to specify the 394.Cm iburst 395keyword with the 396.Ic server 397configuration command. 398With this 399keyword a volley of messages are exchanged to groom the data and 400the clock is set in about 10 s. 401If nothing is heard after a 402couple of minutes, the daemon times out and exits. 403After a suitable 404period of mourning, the 405.Xr ntpdate 1ntpdatemdoc 406program will be 407retired. 408.Pp 409When kernel support is available to discipline the clock 410frequency, which is the case for stock Solaris, Tru64, Linux and 411.Fx , 412a useful feature is available to discipline the clock 413frequency. 414First, 415.Nm 416is run in continuous mode with 417selected servers in order to measure and record the intrinsic clock 418frequency offset in the frequency file. 419It may take some hours for 420the frequency and offset to settle down. 421Then the 422.Nm 423is 424stopped and run in one-time mode as required. 425At each startup, the 426frequency is read from the file and initializes the kernel 427frequency. 428.Ss "Poll Interval Control" 429This version of NTP includes an intricate state machine to 430reduce the network load while maintaining a quality of 431synchronization consistent with the observed jitter and wander. 432There are a number of ways to tailor the operation in order enhance 433accuracy by reducing the interval or to reduce network overhead by 434increasing it. 435However, the user is advised to carefully consider 436the consequences of changing the poll adjustment range from the 437default minimum of 64 s to the default maximum of 1,024 s. 438The 439default minimum can be changed with the 440.Ic tinker 441.Cm minpoll 442command to a value not less than 16 s. 443This value is used for all 444configured associations, unless overridden by the 445.Cm minpoll 446option on the configuration command. 447Note that most device drivers 448will not operate properly if the poll interval is less than 64 s 449and that the broadcast server and manycast client associations will 450also use the default, unless overridden. 451.Pp 452In some cases involving dial up or toll services, it may be 453useful to increase the minimum interval to a few tens of minutes 454and maximum interval to a day or so. 455Under normal operation 456conditions, once the clock discipline loop has stabilized the 457interval will be increased in steps from the minimum to the 458maximum. 459However, this assumes the intrinsic clock frequency error 460is small enough for the discipline loop correct it. 461The capture 462range of the loop is 500 PPM at an interval of 64s decreasing by a 463factor of two for each doubling of interval. 464At a minimum of 1,024 465s, for example, the capture range is only 31 PPM. 466If the intrinsic 467error is greater than this, the drift file 468.Pa ntp.drift 469will 470have to be specially tailored to reduce the residual error below 471this limit. 472Once this is done, the drift file is automatically 473updated once per hour and is available to initialize the frequency 474on subsequent daemon restarts. 475.Ss "The huff-n'-puff Filter" 476In scenarios where a considerable amount of data are to be 477downloaded or uploaded over telephone modems, timekeeping quality 478can be seriously degraded. 479This occurs because the differential 480delays on the two directions of transmission can be quite large. 481In 482many cases the apparent time errors are so large as to exceed the 483step threshold and a step correction can occur during and after the 484data transfer is in progress. 485.Pp 486The huff-n'-puff filter is designed to correct the apparent time 487offset in these cases. 488It depends on knowledge of the propagation 489delay when no other traffic is present. 490In common scenarios this 491occurs during other than work hours. 492The filter maintains a shift 493register that remembers the minimum delay over the most recent 494interval measured usually in hours. 495Under conditions of severe 496delay, the filter corrects the apparent offset using the sign of 497the offset and the difference between the apparent delay and 498minimum delay. 499The name of the filter reflects the negative (huff) 500and positive (puff) correction, which depends on the sign of the 501offset. 502.Pp 503The filter is activated by the 504.Ic tinker 505command and 506.Cm huffpuff 507keyword, as described in 508.Xr ntp.conf 5 . 509 _END_MDOC_USAGE; 510}; 511 512doc-section = { 513 ds-type = 'FILES'; 514 ds-format = 'mdoc'; 515 ds-text = <<- _END_MDOC_FILES 516.Bl -tag -width /etc/ntp.drift -compact 517.It Pa /etc/ntp.conf 518the default name of the configuration file 519.It Pa /etc/ntp.drift 520the default name of the drift file 521.It Pa /etc/ntp.keys 522the default name of the key file 523.El 524 _END_MDOC_FILES; 525}; 526 527doc-section = { 528 ds-type = 'SEE ALSO'; 529 ds-format = 'mdoc'; 530 ds-text = <<- _END_MDOC_SEE_ALSO 531.Xr ntp.conf 5 , 532.Xr ntpdate 1ntpdatemdoc , 533.Xr ntpdc 1ntpdcmdoc , 534.Xr ntpq 1ntpqmdoc , 535.Xr sntp 1sntpmdoc 536.Pp 537In addition to the manual pages provided, 538comprehensive documentation is available on the world wide web 539at 540.Li http://www.ntp.org/ . 541A snapshot of this documentation is available in HTML format in 542.Pa /usr/share/doc/ntp . 543.Rs 544.%A David L. Mills 545.%T Network Time Protocol (Version 1) 546.%O RFC1059 547.Re 548.Rs 549.%A David L. Mills 550.%T Network Time Protocol (Version 2) 551.%O RFC1119 552.Re 553.Rs 554.%A David L. Mills 555.%T Network Time Protocol (Version 3) 556.%O RFC1305 557.Re 558.Rs 559.%A David L. Mills 560.%A J. Martin, Ed. 561.%A J. Burbank 562.%A W. Kasch 563.%T Network Time Protocol Version 4: Protocol and Algorithms Specification 564.%O RFC5905 565.Re 566.Rs 567.%A David L. Mills 568.%A B. Haberman, Ed. 569.%T Network Time Protocol Version 4: Autokey Specification 570.%O RFC5906 571.Re 572.Rs 573.%A H. Gerstung 574.%A C. Elliott 575.%A B. Haberman, Ed. 576.%T Definitions of Managed Objects for Network Time Protocol Version 4: (NTPv4) 577.%O RFC5907 578.Re 579.Rs 580.%A R. Gayraud 581.%A B. Lourdelet 582.%T Network Time Protocol (NTP) Server Option for DHCPv6 583.%O RFC5908 584.Re 585 _END_MDOC_SEE_ALSO; 586}; 587 588doc-section = { 589 ds-type = 'BUGS'; 590 ds-format = 'mdoc'; 591 ds-text = <<- _END_MDOC_BUGS 592The 593.Nm 594utility has gotten rather fat. 595While not huge, it has gotten 596larger than might be desirable for an elevated-priority 597.Nm 598running on a workstation, particularly since many of 599the fancy features which consume the space were designed more with 600a busy primary server, rather than a high stratum workstation in 601mind. 602 _END_MDOC_BUGS; 603}; 604 605doc-section = { 606 ds-type = 'NOTES'; 607 ds-format = 'mdoc'; 608 ds-text = <<- _END_MDOC_NOTES 609Portions of this document came from FreeBSD. 610 _END_MDOC_NOTES; 611}; 612