Saturday, July 7, 2012

Leap seconds on CentOS6/RHEL6 masterclock


Setting up leap second handling on CentOS6/RHEL6


1. Download the current leap-seconds file
# cd /etc/ntp
# wget ftp://tycho.usno.navy.mil/pub/ntp/leap-seconds.*
2. Make a symlink to the downloaded file
# ln -s leap-seconds.3535142400 ntpkey_leap
3. Generate host keys for ntpd
# ntp-keygen -H -p password
Using OpenSSL version 10000003
Generating RSA keys (512 bits)...
RSA 0 0 2       1 11 24 3 1 2
Generating new host file and link
ntpkey_host_ntptest->ntpkey_RSAkey_ntptest.3550552917
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_ntptest->ntpkey_RSA-MD5cert_ntptest.3550552917
4. Add the following lines to ntpd.conf:
# cat >>/etc/ntpd.conf <<'EOF'
keysdir /etc/ntp
crypto pw password
EOF
5. Restart ntpd
# /etc/init.d/ntpd restart
6. Check results
# ntpq -c "rv 0 leap,tai,leapsec,expire,update"
assID=0 status=4944 leap_add_sec, sync_telephone, 4 events, event_peer/strat_chg, leap=01, update=201206302154, leapsec=201201100000, tai=34, expire=201207061434


# ntpq -c "rv 0" | egrep "(update|leapsec|expire)"
assID=0 status=4944 leap_add_sec, sync_telephone, 4 events, event_peer/strat_chg, leap=01, update=201206302154, leapsec=201201100000, tai=34, expire=201307061434
Note that this may be a bug: the two commands report different values for expire.


After the leap second event the ntpq output looks like this. The main differences from the previous state are in the status word (4944 became 0944, leap_add_sec became leap_none), leap (01 became 00) and tai (34 became 35).
assID=0 status=0944 leap_none, sync_telephone, 4 events, event_peer/strat_chg, leap=00, update=201206302154, leapsec=201201100000, tai=35, expire=201307061434

Kernel log reports leap second insertion as follows:
Jul  1 01:59:59 ntptest kernel: Clock: inserting leap second 23:59:60 UTC
Note that the leap second insertion is at UTC midnight.


Updating the leap-seconds file.

Last but not least: DO NOT FORGET to check regularly for a newly published leap-seconds file!
Here is the latest announcement about leap second insertion.
If it refers to a newer leap second than your configured leap-seconds file, you should repeat steps 1-2 above.
ntpd does not need to be restarted because it re-reads the ntpkey_leap file on a daily basis.
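
One way to automate the regular check described above, as an added example that is not part of the original post: a POSIX shell function that reads a leap-seconds file, converts its NTP timestamps (seconds since 1900) to Unix time and reports whether the file is expired or close to expiry. The function names, the 30-day warning window and the sample data are assumptions constructed for illustration; the `#@` expiry line and the `<timestamp> <TAI offset>` data lines follow the layout of the published leap-seconds files.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a leap-seconds file.
NTP_UNIX_OFFSET=2208988800      # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
WARN_SECS=$((30 * 86400))       # assumed warning window: 30 days before expiry

# leapfile_status FILE [NOW_UNIX]   (FILE may be "-" for stdin)
# Prints "<STATE> expire_unix=<n> last_leap_unix=<n> tai=<n>".
# Exit status: 0 = OK, 1 = EXPIRING or EXPIRED, 2 = file could not be parsed.
leapfile_status() {
    now=${2:-$(date +%s)}
    awk -v now="$now" -v off="$NTP_UNIX_OFFSET" -v warn="$WARN_SECS" '
        /^#@/ { expire = $2 - off; next }      # "#@ <ntp-ts>": expiry of the file
        /^#/ || NF < 2 { next }                # other comments and blank lines
        $1 ~ /^[0-9]+$/ && $1 + 0 > last {     # data line: <ntp-ts> <TAI-UTC offset>
            last = $1 + 0; tai = $2 + 0
        }
        END {
            if (!expire || !last) { print "UNPARSEABLE"; exit 2 }
            left = expire - now
            state = (left <= 0) ? "EXPIRED" : ((left < warn) ? "EXPIRING" : "OK")
            printf "%s expire_unix=%.0f last_leap_unix=%.0f tai=%d\n", \
                   state, expire, last - off, tai
            exit(state == "OK" ? 0 : 1)
        }' "$1"
}

# Constructed sample in the leap-seconds file layout (not the real file).
# The expiry value is made up: 3581366400 is 28 Jun 2013 00:00 UTC.
sample_leapfile() {
cat <<'EOF'
# constructed sample data
#$ 3535142400
#@ 3581366400
3439756800 34 # 1 Jan 2009
3550089600 35 # 1 Jul 2012
EOF
}

# Demo: evaluate the sample as of 2012-07-07 00:00 UTC (Unix time 1341619200).
sample_leapfile | leapfile_status - 1341619200 || true
```

Run from cron against /etc/ntp/ntpkey_leap, a non-zero exit status is the signal to repeat steps 1-2.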
