0

I was searching for a solution but didn't find a clear answer.

In my company, all our servers are syncing time with one of our private NTP servers (which are stratum 3 if I'm correct).

These stratum 3 servers are of course configured to get time from some public NTP servers (stratum 2 if I'm correct).

Because of some regulations related to our business, we need to constantly be sure that our client servers don't have a big offset with the stratum 2 servers.

So we are monitoring that, but the offsets our client servers are seeing are only the offsets with our stratum 5 servers. Is there something to do to get the offset with stratum 2 servers, even if it's configured to use internal stratum 3 servers? Note that our client servers don't have internet access and the goal is to stay like that.

I was wondering if there is something to do, on our client servers, to get the offset with stratum 2, by doing a calculation? (offset client srv + offset stratum 3?) Any other possibilities?

I imagine this is a concern several companies have; a solution should exist.

Thanks a lot in advance.

Edit: I changed the stratum number that I wrote at the beginning, as my understanding was not correct at this time.

vercetty92
  • Actually I don't quite understand the question: The offset shown in `ntpq` is the offset from the reference time, not the offset to the next higher (lower) stratum. So why do you care about stratum-2 servers? – U. Windl Dec 30 '19 at 14:08

4 Answers

2

Root dispersion of 81 ms over the Internet is quite believable. The stratum 0 may be halfway around the world. Total error adds up over multiple hops.

Consider adding an NTP hardware appliance, with radio receivers and a decent oscillator. Your performance requirements justify the cost and inconvenience. Bonus, it doesn't require Internet to work, but keep your Internet sources too.

John Mahowald
1

This is answered at "Verify internal NTP server is sending the correct time?". Short summary:

  1. Make sure you have a good configuration.

  2. NTP already monitors offset from its upstream stratum as part of its normal operation, so all you need is to use an appropriate tool to extract that information and plug it into your alerting/telemetry system.

Your ntpq output shows a stratum 3 server with a system offset of less than 1 millisecond difference. That is about as good as you can expect over Internet links without implementing special measures. The root dispersion is a bit high, but that's almost entirely due to your upstreams, since your delay to them is only a bit over 2 ms.

If you configure your internal systems to sync with your stratum 3 servers, and they show a similar system offset, then you have achieved your goal. But make sure you have at least 4 public stratum 1/2 servers and at least 4 internal servers as well.

Don't forget to read the NTP Best Current Practices draft RFC, which explains why you need multiple sources and why monitoring is important.

Paul Gear
  • Hi Paul, thx for your answer. I'm surprised I have a big "root dispersion value" (0.19151 s) on a client srv. If I look at the offset on my NTP server (offset -0.003075 sec), and the offset on the client srv (0.007211 sec), this is quite a big difference. I got them by running "ntpdate -q" at the same time (yeah I know it's not accurate at 100% but it can give us a good idea I think, and even if I look at the loopstat file, I see the same kind of offset). Do you know why? FYI the regulation asks us to be under 0.05s of offset, so if I use the root distance I will always be alerted^^ thx – vercetty92 Mar 13 '19 at 13:58
  • Damn, I'm noticing that my "stratum" understanding was not so good. Example on my final server (NTP client): `ntpstat`: `synchronised to NTP server (10.243.144.1) at stratum 5 time correct to within 81 ms polling server every 32 s`, so in fact my goal is to have the offset with stratum 4 (the public server that my stratum 5 is using), and not stratum 1... If "root dispersion" is the offset with stratum 0, it may explain why I have a big value (as stratum 0 is several hops away... no?). If it's correct, is there a way to have the offset with stratum 4? – vercetty92 Mar 13 '19 at 15:47
  • Please edit your question to add the new details and format them legibly. – John Mahowald Mar 13 '19 at 19:04
  • @vercetty92: If your regulators are asking for offset, you should give them the system offset value. It sounds like you are well within their regulations, but post the output of `ntpq -npc rv` and we can confirm for sure. – Paul Gear Mar 13 '19 at 23:33
  • Hi, I have edited the question with the good stratum number. Here is the output requested: https://pastebin.com/zzMhzem6 so now the question is, how to get the offset my server has with stratum 2, while it is syncing with stratum 3^^ thx – vercetty92 Mar 14 '19 at 14:01
  • Hi All! any eventual solution on your side? Thx a lot in advance – vercetty92 Mar 15 '19 at 15:15
  • I've updated my answer based on your `ntpq` output. – Paul Gear Mar 16 '19 at 08:56
  • Hi Paul, yes I am using 5 public NIST servers as source on my stratum 3. Today I only have 2 stratum 3 but I will have 4 soon. You said that I "achieved my goal", but I still don't have the solution to retrieve the offset my client servers have with the stratum 2 NIST servers? Thx a lot in advance – vercetty92 Mar 16 '19 at 16:10
  • The offsets from your peers are the 2nd last column in your `ntpq` output. In the example you've shown, your peer offsets are -0.720 & -0.782 milliseconds. The example looks like a client system, so run the same thing on your stratum 2 servers and you'll see the offsets from NIST's servers. – Paul Gear Mar 17 '19 at 00:34
  • Hi Paul, yes the output provided was from a client system. "so run the same thing on your stratum 2 servers" --> I guess you mean on my stratum 3 servers (10.123.33.1 & 10.123.33.8). The thing is that if I run the same thing on my stratum 3 servers, I will get their offset with stratum 2, and not the offset of my client servers. And the goal is, if possible, to get the offset my client servers have with stratum 2 (NIST), this is what the regulators want us to be able to report. So yes we could calculate offset1 + offset2 but it's quite tricky. – vercetty92 Mar 17 '19 at 15:40
  • One solution would be to stop using our private stratum 3 servers and directly use the NIST stratum 2 servers, but it's a pity to have all our servers targeting internet public NIST servers directly only for that... this is why I was looking for a good solution, while our client servers can continue to use our private stratum 3 servers. – vercetty92 Mar 17 '19 at 15:41
  • On my systems, NIST servers show up as stratum 1, so I'm assuming your DMZ NTP servers are stratum 2. But yes, run `ntpq -npc rv` on them and you'll see the offsets from NIST. It should be totally acceptable to your regulators for you to report your DMZ server offsets from NIST, and your client offsets from your DMZ servers, since that's the way NTP is supposed to work. Or you could just add the values and get the maximums and minimums. But don't try to point all of your internal clients at NIST - they'll rate limit you very quickly. – Paul Gear Mar 18 '19 at 07:21
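
The monitoring approach from this answer and its comments, as an added example that is not part of the original thread: it reads the `offset=` field (milliseconds) from `ntpq -c rv` output captured on a client and on its upstream server, then compares the summed offset and the worst case (sum of absolute values) with the 0.05 s limit mentioned above. The sample outputs, the function names `rv_field` and `check_offset`, and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Both rv samples below are constructed.
CLIENT_RV='associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
stratum=4, rootdelay=2.345, rootdisp=81.000, refid=10.123.33.1,
offset=7.211, frequency=-12.345, sys_jitter=0.120'
UPSTREAM_RV='associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
stratum=3, rootdelay=2.100, rootdisp=40.000, refid=192.0.2.10,
offset=-3.075, frequency=4.321, sys_jitter=0.250'

# rv_field NAME: read `ntpq -c rv` text on stdin and print the value of NAME.
# Variables are comma-separated "name=value" pairs spread over several lines.
rv_field() {
    tr ',' '\n' | awk -F= -v key="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == key { print $2; exit }'
}

# check_offset CLIENT_RV UPSTREAM_RV LIMIT_MS
# Prints one status line. Returns 0 when the worst case is within the limit,
# 1 when it exceeds it, and 3 when an offset could not be read (which should
# alert too: a monitor that cannot read its input must not report OK).
check_offset() {
    c=$(printf '%s\n' "$1" | rv_field offset)
    u=$(printf '%s\n' "$2" | rv_field offset)
    if [ -z "$c" ] || [ -z "$u" ]; then
        echo "UNKNOWN"
        return 3
    fi
    awk -v c="$c" -v u="$u" -v lim="$3" 'BEGIN {
        sum = c + u                                       # offsets may cancel
        worst = (c < 0 ? -c : c) + (u < 0 ? -u : u)       # they may also add up
        status = (worst > lim) ? "ALERT" : "OK"
        printf "%s sum=%.3f worst=%.3f limit=%.3f\n", status, sum, worst, lim
        exit (status == "OK" ? 0 : 1)
    }'
}

# The regulatory limit quoted in the comments is 0.05 s, i.e. 50 ms.
check_offset "$CLIENT_RV" "$UPSTREAM_RV" 50
```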
1

Have you ever considered using a GPS receiver (probably coupled with gpsd) as a time source for your NTP?

JucaPirama
0

OK, I found the solution! I can ask my stratum n-1 what offset it has with stratum n-2 using the ntpdc command, then I can look in the peerstats file for the offset my client server has with the stratum n-1. I did a little script:

```bash
#!/bin/bash
# Determine the IP of the stratum n-1 server currently used as NTP source
# (the selected system peer is the ntpq line that starts with "*")
used_ntp_source=$(ntpq -np | awk '/^\*/ {sub(/^\*/, "", $1); print $1}')

# Determine the offset between the used stratum n-1 server and the stratum n-2 (in seconds)
offset_between_stratn_1_and_stratn_2=$(ntpdc -np "$used_ntp_source" | awk '/^\*/ {print $7}')

# Determine the offset between localhost and the stratum n-1 server (in seconds),
# looking in the last 20 lines of the peerstats file, but keeping only the last one.
# The address is compared exactly against field 3 instead of being used as a regex.
local_offset_with_stratn_1=$(tail -20 /var/log/ntpstats/peerstats | awk -v src="$used_ntp_source" '$3 == src {print $5}' | tail -1)

# Calculation: the values are passed as arguments, not pasted into the Python source
calculated_offset=$(python3 -c 'import sys; from decimal import Decimal; print(Decimal(sys.argv[1]) + Decimal(sys.argv[2]))' "$offset_between_stratn_1_and_stratn_2" "$local_offset_with_stratn_1")

echo "the calculated offset is $calculated_offset"
```
vercetty92