{{tag>[ntp leap second script linux]}}
===== Script & test - Get leap second file =====
This script will download the latest leap second file. Run it weekly from cron.
====Script====
* This script runs on RHEL7, CentOS7 (using systemd).

<code bash>
#!/bin/bash
# This script will download the latest leap second file,
# update the NTP configuration and restart ntpd.

# Leap second file location
leapremote="ftp://time.nist.gov/pub/"
#leapremote="ftp://tycho.usno.navy.mil/pub/ntp/"

# Local file name
leaplocaldir="/var/lib/ntp/"
leaplocalfile="${leaplocaldir}leap-seconds"

# Log file
logfile=/var/log/getleap.log

# Private temporary file for the remote listing. Cron runs this as root,
# so a predictable name such as /tmp/leap must not be used.
listing=$(mktemp) || exit 1
trap 'rm -f "$listing"' EXIT

# Get latest leap second file
/usr/bin/lftp -e "set net:timeout 10 ; cls -1 --perms --sort=date leap-seconds* > $listing ; exit" "$leapremote"
if [ $? -ne 0 ]; then
    echo "$(date) - ERROR - FTP problem, exiting." | tee -a "$logfile"
    exit 1
fi

# Find latest file, exclude symlinks, directories with same prefix
latestleapfile=$(grep -Ev "^l|^d" "$listing" | cut -d " " -f3 | head -1)

# The name comes from the remote server and is pasted into an lftp command
# below, so accept nothing but a plain leap-seconds file name.
if [[ ! $latestleapfile =~ ^leap-seconds[A-Za-z0-9._-]*$ ]]; then
    echo "$(date) - ERROR - Unexpected file name in FTP listing, exiting." | tee -a "$logfile"
    exit 1
fi

if [ -f "$leaplocaldir$latestleapfile" ]; then
    echo "$(date) - OK - File $leaplocaldir$latestleapfile already exists. Not downloading." | tee -a "$logfile"
else
    cd "$leaplocaldir" || exit 1
    # Only switch the symlink when the download itself succeeded
    /usr/bin/lftp -e "set net:timeout 10 ; get $latestleapfile ; exit" "$leapremote" \
        && ln -sfn "$leaplocaldir$latestleapfile" "$leaplocalfile"
    if [ $? -eq 0 ]; then
        echo "$(date) - OK - Leap second file downloaded." | tee -a "$logfile"
    else
        echo "$(date) - ERROR - Leap second file download problem." | tee -a "$logfile"
        exit 1
    fi

    systemctl restart ntpd
    if [ $? -eq 0 ]; then
        echo "$(date) - OK - NTPd service restarted successfully." | tee -a "$logfile"
    else
        echo "$(date) - ERROR - NTPd service restart problem!" | tee -a "$logfile"
        exit 1
    fi
fi
</code>
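The script above links in whatever the FTP server returns. As an added example (not part of the original script), here is a check that could run between the download and the ''ln -sfn''. It assumes the NIST file layout, where the ''#@'' line carries the expiry in NTP seconds and each data line holds an NTP timestamp followed by the TAI-UTC offset; ''check_leapfile'', ''write_sample'' and the sample content are constructed for this illustration.

```shell
#!/bin/bash
# Added example (not from the original page): validate a leap-seconds file
# before ntpd is pointed at it. Assumed layout: "#@ <NTP seconds>" is the
# expiry, data lines are "<NTP seconds> <TAI-UTC offset> # comment".
NTP_UNIX_OFFSET=2208988800   # seconds from 1900-01-01 to 1970-01-01

# check_leapfile FILE [NOW_UNIX] [MIN_TAI]
# Prints "expire=<unix seconds> tai=<offset>" and returns 0 when usable.
check_leapfile() {
    local file="$1" now="${2:-$(date +%s)}" min_tai="${3:-0}"
    local expire_ntp tai expire_unix
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "not a regular file"; return 2
    fi
    # Only comments, blank lines and "<digits> <digits>" data lines are allowed.
    if grep -Eqv '^(#.*|[[:space:]]*|[0-9]+[[:space:]]+[0-9]+[[:space:]]*(#.*)?)$' "$file"; then
        echo "unexpected line in file"; return 3
    fi
    expire_ntp=$(awk '$1 == "#@" { v = $2 } END { print v }' "$file")
    tai=$(awk '/^[0-9]/ { v = $2 } END { print v }' "$file")
    case "$expire_ntp" in ''|*[!0-9]*) echo "no expiry line"; return 4 ;; esac
    case "$tai" in ''|*[!0-9]*) echo "no data line"; return 4 ;; esac
    expire_unix=$((expire_ntp - NTP_UNIX_OFFSET))
    if [ "$expire_unix" -le "$now" ]; then echo "file expired"; return 5; fi
    # MIN_TAI is the offset currently in use (tai= from ntpq); it never decreases.
    if [ "$tai" -lt "$min_tai" ]; then echo "TAI offset went backwards"; return 6; fi
    echo "expire=$expire_unix tai=$tai"
}

# Constructed sample matching the values in the Test section:
# leap second on 2015-07-01 (TAI 36), file expiry on 2015-12-28.
write_sample() {
    printf '%s\n' '# constructed sample, not a real download' \
        '#@ 3660249600' \
        '3550089600 35 # 1 Jul 2012' \
        '3644697600 36 # 1 Jul 2015' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
check_leapfile "$sample" 1435708800 35   # "now" fixed at 2015-07-01 00:00 UTC
rm -f "$sample"
```

A non-zero return should skip both the symlink update and the ntpd restart, leaving the previous file in place.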
====SELinux module====
* SELinux would not allow NTPd to read a link. You have to add a module to allow that:

<code>
module ntpleap 1.0;

require {
    type ntpd_t;
    type ntp_drift_t;
    class lnk_file read;
}

#============= ntpd_t ==============
allow ntpd_t ntp_drift_t:lnk_file read;
</code>
====Test====
* Find the TAI line in the NTPd startup log **/var/log/messages**:

<code>
Apr 20 13:51:14 ntp1 ntpd[19189]: 0.0.0.0 c01e 0e TAI 36 leap 201507010000 expire 201512280000
</code>

* Test with ntpq:

<code>
$ ntpq -c rv | tr " " "\n" | egrep "leap|expire|tai"
leap_none,
leap_armed,
leap=00,
tai=35,
leapsec=201507010000,
expire=201512280000
</code>

* And when leap is announced (30-06-2015):

<code>
$ ntpq -c rv | tr " " "\n" | egrep "leap|expire|tai"
leap_add_sec,
leap_armed,
leap=01,
tai=35,
leapsec=201507010000,
expire=201512280000
</code>

* **leap** = warning indicator (0-3)

<code>
LI   Value   Meaning
-------------------------------------------------------
00   0       no warning
01   1       last minute has 61 seconds
10   2       last minute has 59 seconds
11   3       alarm condition (clock not synchronized)
</code>
* **leapsec** = NTP seconds when the next leap second is/was inserted
* **expire** = NTP seconds when the NIST leapseconds file expires
* **tai** = TAI-UTC offset (s)
* Test servers:

<code>
$ ntpq -c "lassoc" -c "mrv &1 &999 leap,srcadr,stratum"
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 15289  941a   yes   yes  none candidate    sys_peer  1
  2 15290  961a   yes   yes  none  sys.peer    sys_peer  1
  3 15291  9324   yes   yes  none   outlyer   reachable  2
  4 15292  9417   yes   yes  none candidate rate_exceeded 1
srcadr=ntp0.nl.uu.net, leap=00, stratum=1
srcadr=ntp1.nl.uu.net, leap=00, stratum=1
srcadr=ntp.ring.nlnog.net, leap=00, stratum=1
srcadr=ntp2.polaire.nl, leap=01, stratum=1
</code>