As always when you’re running own services you should update them regularly to have all known bugs fixed and security issues thwarted. Same for NTP servers based on Linux, as in my case running on Raspberry Pis. Especially when you’re actively joining the NTP pool project with your NTP servers you have to update them to the latest version of ntp since you might be misused for well-known DDoS attacks or other security related bugs.
So, what’s this all about? You can simply do an “apt-get upgrade”, don’t you? Well, unluckily the ntp packages within the Linux distributions are not always updated to the latest versions. Hence you need to compile the ntp software by yourself to have the latest release running. Still not that hard, though it requires a bit more attention.
In this post I am showing how to update a Raspberry Pi with ntp, while I am *not* using the ntp package from the Raspbian distribution, but compiling it by myself. If you’re operating an NTP appliance such as the ones from Meinberg, you must not use these procedures but their official firmware updates.
Before updating you should write down the current versions to compare them with the newer ones later on. In this case the Linux kernel as well as the ntp version:
pi@ntp2:~ $ uname -a Linux ntp2 4.4.26+ #915 Thu Oct 20 17:02:14 BST 2016 armv6l GNU/Linux pi@ntp2:~ $ ntpq -c version ntpq 4.2.8p9@1.3265-o Wed Dec 7 15:39:06 UTC 2016 (1)
Backups!
This is very important: Make a backup of everything you have done so far to an external location! Especially configuration files. As I am using ntp with static IP addresses, NTP authentication as well as SNMP for monitoring them (have a look at my other NTP blogposts), I have to save at least the following config files:
/etc/network/interfaces /etc/ntp.conf /etc/ntp.keys /etc/snmp/snmpd.conf
For example you can create a folder, copy those files, changing some ownerships and saving them via SCP to your remote location:
cd ~ mkdir NTP-Backup-DATE-OF-TODAY cp /etc/network/interfaces ~/NTP-Backup-DATE-OF-TODAY/ cp /etc/ntp.keys ~/NTP-Backup-DATE-OF-TODAY/ cp /etc/ntp.conf ~/NTP-Backup-DATE-OF-TODAY/ sudo cp /etc/snmp/snmpd.conf ~/NTP-Backup-DATE-OF-TODAY/ sudo chown pi:pi ~/NTP-Backup-DATE-OF-TODAY/snmpd.conf scp -r ~/NTP-Backup-DATE-OF-TODAY/ USER@REMOTE.SERVER.TLD:~/
Updating Linux/Raspbian
You should update the overall operating system as well. However, please verify before updating it that your ntp package is “on hold”. That means: It is NOT updated by the operating system (since those ntp packages tend to be old and outdated). If you have read my two tutorials about using a Raspi with GPS/DCF77, you already know what I’m talking about. Note the “h” in the very first column:
pi@ntp2:~ $ dpkg -l | grep ntp hi ntp 1:4.2.6.p5+dfsg-7+deb8u2 armhf Network Time Protocol daemon and utility programs
Now, in case of Debian based Linux derivatives you can do the upgrade with these two well-known commands:
sudo apt-get update sudo apt-get dist-upgrade
Updating NTP
Since you want to update ntp to its latest release, you need to download it from its homepage. At the time of writing I updated my instance to version 4.2.8p10. Of course there are newer versions out there in the meantime.
wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz tar zxvf ntp-4.2.8p10.tar.gz cd ntp-4.2.8p10/
In the second step you need to build the ntp package. Dependent of your stratum 0 source such as DCF77 or GPS, the configure command slightly differs:
#in case of DCF77: ./configure --enable-RAWDCF --prefix=/usr #in case of GPS or a simple server without any stratum 0 source at all: ./configure --prefix=/usr
Followed by the actual build, installation and reboot. This might take some time, e.g. more than 1 hour on an old Raspberry Pi 1 B:
make sudo service ntp stop sudo make install sudo reboot
After your system is up again you can check the new versions of the kernel and ntp:
pi@ntp2:~ $ uname -a Linux ntp2 4.9.24+ #993 Wed Apr 26 17:56:54 BST 2017 armv6l GNU/Linux pi@ntp2:~ $ ntpq -c version ntpq 4.2.8p10@1.3728-o Mon May 15 18:10:56 UTC 2017 (1)
And, of course, you should also verify that your ntp server is up and running, for example with
ntpq -p.
Pitfalls
What I don’t like about remotely updating Linux servers is this:
Just updated two identical Raspberry Pis to its newest release. One lost its "predictable network interface names", falling back to eth0 instead of enxb827… Had to visit the datacenter w/ screen and keyboard. #hateit #fail #dontknowwhy
— Johannes Weber
(@webernetz) November 8, 2018
(@webernetz) Hence: If your NTP server is crucial to your network, don’t update all your instances simultaneously but wait until the first one is updated successfully and running again.
Furthermore, if you have the chance to use serial TTY consoles to access your devices in case of a network/generic failure, do so. ;) I know, this might not be necessary for your hobby Raspberry Pi projects, but maybe for your NTP appliances such as the ones from Meinberg which offer an RJ45 serial connection port.
Featured image “20120721-DSC08744” by Clemens v. Vogelsang is licensed under CC BY 2.0.