{{tag>[ntp leap second script linux]}}

===== Script & test - Get leap second file =====

This script will download the latest leap second file. Run it weekly from cron.

==== Script ====

  * This script runs on RHEL7, CentOS7 (using systemd).

<code bash>
#!/bin/bash
# This script will download the latest leap second file,
# update the NTP configuration and restart ntpd.

# Leap second file location
leapremote="ftp://time.nist.gov/pub/"
#leapremote="ftp://tycho.usno.navy.mil/pub/ntp/"

# Local file name
leaplocaldir="/var/lib/ntp/"
leaplocalfile="${leaplocaldir}leap-seconds"

# Log file
logfile=/var/log/getleap.log

# Get the remote listing, newest first. It is kept in a variable instead of
# a fixed /tmp file, which another local user could pre-create or symlink.
listing=$(/usr/bin/lftp -e 'set net:timeout 10 ; cls -1 --perms --sort=date leap-seconds* ; exit' "$leapremote")
if [ $? -ne 0 ]; then
  echo "$(date) - ERROR - FTP problem, exiting." | tee -a "$logfile"
  exit 1
fi

# Find latest file, exclude symlinks and directories with same prefix
latestleapfile=$(echo "$listing" | grep -Ev "^l|^d" | cut -d " " -f3 | head -1)

# The name comes from the remote server and is passed to lftp and ln below,
# so accept only the expected form.
if ! [[ "$latestleapfile" =~ ^leap-seconds[A-Za-z0-9._-]*$ ]]; then
  echo "$(date) - ERROR - Unexpected file name in FTP listing, exiting." | tee -a "$logfile"
  exit 1
fi

if [ -f "$leaplocaldir$latestleapfile" ]; then
  echo "$(date) - OK - File $leaplocaldir$latestleapfile already exists. Not downloading." | tee -a "$logfile"
else
  cd "$leaplocaldir" || exit 1
  # Check the download itself (not only ln) before reporting success
  if /usr/bin/lftp -e "set net:timeout 10 ; get $latestleapfile ; exit" "$leapremote" \
     && ln -sfn "$leaplocaldir$latestleapfile" "$leaplocalfile"; then
    echo "$(date) - OK - Leap second file downloaded." | tee -a "$logfile"
  else
    echo "$(date) - ERROR - Leap second file download problem." | tee -a "$logfile"
    exit 1
  fi
  if systemctl restart ntpd; then
    echo "$(date) - OK - NTPd service restarted successfully." | tee -a "$logfile"
  else
    echo "$(date) - ERROR - NTPd service restart problem!" | tee -a "$logfile"
    exit 1
  fi
fi
</code>

==== SELinux module ====

  * SELinux would not allow NTPd to read a link. You have to add a module to allow that:

<code>
module ntpleap 1.0;

require {
        type ntpd_t;
        type ntp_drift_t;
        class lnk_file read;
}

#============= ntpd_t ==============
allow ntpd_t ntp_drift_t:lnk_file read;
</code>

==== Test ====

  * Find the TAI line in the NTPd startup log **/var/log/messages**:

<code>
Apr 20 13:51:14 ntp1 ntpd[19189]: 0.0.0.0 c01e 0e TAI 36 leap 201507010000 expire 201512280000
</code>

  * Test with ntpq:

<code>
$ ntpq -c rv | tr " " "\n" |egrep "leap|expire|tai"
leap_none,
leap_armed,
leap=00,
tai=35,
leapsec=201507010000,
expire=201512280000
</code>

  * And when leap is announced (30-06-2015):

<code>
$ ntpq -c rv | tr " " "\n" |egrep "leap|expire|tai"
leap_add_sec,
leap_armed,
leap=01,
tai=35,
leapsec=201507010000,
expire=201512280000
</code>

  * **leap** = warning indicator (0-3)

<code>
LI  Value  Meaning
-------------------------------------------------------
00  0      no warning
01  1      last minute has 61 seconds
10  2      last minute has 59 seconds
11  3      alarm condition (clock not synchronized)
</code>

  * **leapsec** = NTP seconds when the next leap second is/was inserted
  * **expire** = NTP seconds when the NIST leapseconds file expires
  * **tai** = TAI-UTC offset (s)
  * Test servers:

<code>
$ ntpq -c "lassoc" -c "mrv &1 &999 leap,srcadr,stratum"

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 15289  941a   yes   yes  none candidate    sys_peer  1
  2 15290  961a   yes   yes  none  sys.peer    sys_peer  1
  3 15291  9324   yes   yes  none   outlyer   reachable  2
  4 15292  9417   yes   yes  none candidate rate_exceeded  1
srcadr=ntp0.nl.uu.net, leap=00, stratum=1
srcadr=ntp1.nl.uu.net, leap=00, stratum=1
srcadr=ntp.ring.nlnog.net, leap=00, stratum=1
srcadr=ntp2.polaire.nl, leap=01, stratum=1
</code>
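
The download script links whatever it fetched over FTP and then restarts ntpd. As an added example (not part of the original script), the functions below sanity-check a fetched file before the symlink is switched. The function names are hypothetical and the sample file is constructed to match the TAI 36 / expire 201512280000 log line above; it assumes the leap-seconds file layout of a ''#@ <NTP seconds>'' expiry line and ''<NTP seconds> <offset>'' data lines.

```shell
#!/bin/bash
# Added example (not the page's script): validate a fetched leap-seconds file.
NTP_UNIX_OFFSET=2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Print the expiry time from the "#@ <NTP seconds>" line as Unix epoch seconds.
leap_expiry_epoch() {
  local ntpsecs
  ntpsecs=$(awk '$1 == "#@" && $2 ~ /^[0-9]+$/ { print $2; exit }' "$1")
  [ -n "$ntpsecs" ] || return 1
  echo $(( ntpsecs - NTP_UNIX_OFFSET ))
}

# Print the TAI-UTC offset from the last "<NTP seconds> <offset>" data line.
leap_last_tai() {
  awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { tai = $2 }
       END { if (tai == "") exit 1; print tai }' "$1"
}

# Return 0 only if every line is a comment, blank or data line, there is at
# least one data line, and the file has not expired at "now" (Unix seconds).
leap_file_ok() {
  local file="$1" now="${2:-$(date +%s)}" expiry
  [ -s "$file" ] || return 1
  if grep -Evq '^(#.*|[[:space:]]*|[0-9]+[[:space:]]+[0-9]+[[:space:]]*(#.*)?)$' "$file"; then
    return 1   # unexpected content, e.g. an HTML error page
  fi
  expiry=$(leap_expiry_epoch "$file") || return 1
  leap_last_tai "$file" > /dev/null || return 1
  [ "$expiry" -gt "$now" ]
}

# Constructed sample in the leap-seconds file layout.
write_sample_leapfile() {
  cat > "$1" <<'EOF'
#$ 3629404800
#@ 3660249600
3550089600 35 # 1 Jul 2012
3644697600 36 # 1 Jul 2015
EOF
}

sample=$(mktemp)
write_sample_leapfile "$sample"
if leap_file_ok "$sample" 1435708800; then   # checked as of 1 Jul 2015
  echo "accept: tai=$(leap_last_tai "$sample") expiry=$(leap_expiry_epoch "$sample")"
else
  echo "reject: keep the current symlink and do not restart ntpd"
fi
rm -f "$sample"
```

In the download script, a call to ''leap_file_ok'' on the newly fetched file would sit between the ''get'' and the ''ln -sfn'', so that a rejected file never becomes the active one.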