lana-shanghai 4a008e51e3
[WIP] Documentation re-org (#2694)
* Reorganized docs

* Fixed internal links in basic usage

* fixed the docker-compose command and volume for docs

* fixed docs tests

* fix travis docs test

* tox ini file

* fixed readme localhost links

* edited tox and test docs to previous state

* Fix tests errors related to docs reorganization

Signed-off-by: David Dashyan <mail@davie.li>

* Added ansible script installation option

Signed-off-by: Lana Ivina <lana@ipdb.io>

* Added ansible script to network setup guide

Signed-off-by: Lana Ivina <lana@ipdb.io>

* Hid the non-working button for now. 

Signed-off: Lana Ivina <lana@ipdb.io>

* Try now button

Co-authored-by: David Dashyan <mail@davie.li>
2020-05-18 20:22:26 +07:00


Notes on NTP Daemon Setup

There are several NTP daemons available, including:

We suggest you run your NTP daemon in a mode that tells your OS kernel to handle leap seconds the default NTP way, so that system clock adjustments are localized and not spread out across the minutes, hours, or days surrounding leap seconds (as happens with "slewing" or "smearing"). There's a nice Red Hat Developer Blog post about the various options.

Use the default mode with ntpd and chronyd. For another NTP daemon, consult its documentation.

It's tricky to make an NTP daemon setup secure. Always install the latest version and read the documentation about how to configure and run it securely. See the notes on firewall setup.

Amazon Linux Instances

If your BigchainDB node is running on an Amazon Linux instance (i.e. a Linux instance packaged by Amazon, not Canonical, Red Hat, or someone else), then an NTP daemon should already be installed and configured. See the EC2 documentation on Setting the Time for Your Linux Instance.

That said, you should check which NTP daemon is installed. Is it recent? Is it configured securely?

The Ubuntu ntp Packages

The Ubuntu ntp packages are based on the reference implementation of NTP.

The following commands will uninstall the ntp and ntpdate packages, install the latest ntp package (which might not be based on the latest ntpd code), and start the NTP daemon (a local NTP server). (ntpdate is not reinstalled because it's deprecated and you shouldn't use it.)

sudo apt-get --purge remove ntp ntpdate
sudo apt-get autoremove
sudo apt-get update
sudo apt-get install ntp
# That should start the NTP daemon too, but just to be sure:
sudo service ntp restart

You can check if ntpd is running using sudo ntpq -p.

You may want to use different NTP time servers. You can change them by editing the NTP config file /etc/ntp.conf.

Note: A server running an NTP daemon can be used by others for DRDoS amplification attacks. The above installation procedure should install a default NTP configuration file /etc/ntp.conf with the lines:

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

Those lines should prevent the NTP daemon from being used in an attack. (The first line is for IPv4, the second for IPv6.)
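
One way to confirm that a config file really carries both default restrict lines with all five flags is sketched below. This is an added example, not part of the original BigchainDB docs: the function names check_family and audit_ntp_conf are hypothetical, and the two sample configs are constructed. It only evaluates the explicit -4 and -6 forms shown above.

```shell
#!/bin/sh
# Added example (illustrative names): audit an ntp.conf for the default restrict lines above.
REQUIRED_FLAGS="kod notrap nomodify nopeer noquery"
# check_family FILE FAMILY: print the required flags missing from the
# "restrict FAMILY default" line(s), or "no-default-line" if there is none.
check_family() {
    awk -v fam="$2" -v req="$REQUIRED_FLAGS" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == "restrict" && $2 == fam && $3 == "default" {
            found = 1
            for (i = 4; i <= NF; i++) have[$i] = 1
        }
        END {
            if (!found) { print "no-default-line"; exit }
            n = split(req, r, " "); out = ""
            for (i = 1; i <= n; i++)
                if (!(r[i] in have)) out = out (out == "" ? "" : " ") r[i]
            if (out != "") print out
        }' "$1"
}
# audit_ntp_conf FILE: return 0 only if both the IPv4 and IPv6 defaults are complete.
audit_ntp_conf() {
    rc=0
    for fam in -4 -6; do
        missing=$(check_family "$1" "$fam")
        if [ -n "$missing" ]; then
            echo "restrict $fam default -> $missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs, so the demo runs without touching /etc/ntp.conf.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
GOOD_CONF="$DEMO_DIR/good.conf"
WEAK_CONF="$DEMO_DIR/weak.conf"
cat > "$GOOD_CONF" <<'EOF'
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
EOF
cat > "$WEAK_CONF" <<'EOF'
restrict -4 default kod notrap nomodify nopeer   # noquery missing
#restrict -6 default kod notrap nomodify nopeer noquery
EOF
audit_ntp_conf "$GOOD_CONF" && echo "good.conf: OK"
audit_ntp_conf "$WEAK_CONF" || echo "weak.conf: FAIL"
```

To check a real node, call audit_ntp_conf /etc/ntp.conf after the installation steps above; a non-zero exit status means at least one default line is absent or incomplete.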

There are additional things you can do to make NTP more secure. See the NTP Support Website for more details.