NTPsec is a NTPd Network Time Server with TLS 1.3 security added to it. This allows for secure syncing/peering between 2 time servers.
- Main git repo: https://gitlab.com/rouing/docker-ntpsec/
- Mirrored git repo: https://github.com/rouing/docker-ntpsec/
- NTPsec issues: https://gitlab.com/NTPsec/ntpsec/-/issues
- NTPsec Docker issues: https://gitlab.com/rouing/docker-ntpsec/-/issues
- NTPsec Documentation: https://docs.ntpsec.org/latest/NTS-QuickStart.html
- IETF NTS Draft: https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-28
latest
,alpine
,alpine-latest
,alpine3
,alpine3.12
,alpine3.12.0
,1.1.9-alpine
,1.1.9-alpine3
,1.1.9-alpine3.12
,1.1.9-alpine3.12.0
alpine-edge
,1.1.9-alpine-edge
centos
,centos-latest
,centos8
,centos8.2
,1.1.9-centos
,1.1.9-centos8
,1.1.9-centos8.2
debian
,debian-latest
,debian-slim
,debian10-slim
,debian10.4-slim
,1.1.9-debian
,1.1.9-debian-slim
,1.1.9-debian10-slim
,1.1.9-debian10.4-slim
debian-buster
,debian10
,debian10.4
,1.1.9-debian10
,1.1.9-debian10.4
debian-testing
,1.1.9-debian-testing
debian-testing-slim
,1.1.9-debian-testing-slim
# Run
docker run -it --rm --name ntpsec -p123:123/udp -p123:123/tcp -v /var/lib/ntp:/var/lib/ntp --cap-add SYS_TIME --cap-add SYS_NICE --cap-add NET_RAW --cap-add NET_BIND_SERVICE ardoin/ntpsec
# Run detached
docker run -d --rm --name ntpsec -p123:123/udp -p123:123/tcp -v /var/lib/ntp:/var/lib/ntp --cap-add SYS_TIME --cap-add SYS_NICE --cap-add NET_RAW --cap-add NET_BIND_SERVICE ardoin/ntpsec
# Run detached, use host network and limit logfile size
docker run -d --rm --name ntpsec --net=host -v /var/lib/ntp:/var/lib/ntp --cap-add SYS_TIME --cap-add SYS_NICE --log-opt max-size=1m --log-opt max-file=3 ardoin/ntpsec
# BYO (bring your own) config file
docker run -it --rm --name ntpsec -p123:123/udp -p123:123/tcp -v /etc/ntp.conf:/etc/ntp.conf -v /var/lib/ntp:/var/lib/ntp --cap-add SYS_TIME --cap-add SYS_NICE --cap-add NET_RAW --cap-add NET_BIND_SERVICE ardoin/ntpsec
# Or your own arguments
docker run -it --rm --name ntpsec -p123:123/udp -p123:123/tcp -v /var/lib/ntp:/var/lib/ntp --cap-add SYS_TIME --cap-add SYS_NICE --cap-add NET_RAW --cap-add NET_BIND_SERVICE ardoin/ntpsec --help
--cap-add NET_RAW --cap-add NET_BIND_SERVICE
are needed due to a bug with user namespaces, docker, and the linux kernel for now. Fix is on the way!
-v /var/lib/ntp:/var/lib/ntp
mounts the folder that holds the drift file specific to that machine. Highly recommend you dont touch this.
driftfile /var/lib/ntp/ntp.drift # This should be bind mounted to your host as it is specific to the host its running on.
# Analyitcs
# statsdir /var/log/ntpstats/
# Pure Logs
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
#logfile /var/log/ntpd.log
#logconfig =syncall +clockall +peerall +sysall
# The interface directive is great when your docker is in host net mode. (It works)
#interface ignore all # Do no engage(ignore) all interfaces
#interface listen eth1 # Listen to that one interface with the public IP.
# The last one overwrites the first one
#server clock.nyc.he.net iburst #CDMA, Stratum 1, iburst is a better disconnect netflow.
#server time.cloudflare.com:1234 iburst nts #NTS Protocol Enabled, TLS1.3 Only by Default, Port 123 over TCP(!)
pool 0.pool.ntp.org iburst prefer # Prefer
pool 1.pool.ntp.org iburst
pool 2.pool.ntp.org iburst
# Enable NTS
nts enable (Mandatory for NTS)
# SSL Cert that is your Key (Mandatory for NTS Server(?))
nts key /etc/letsencrypt/live/can.be.yours/privkey.pem
# Full Chain Cert (Mandatory for NTS Server(?))
nts cert /etc/letsencrypt/live/can.be.yours/fullchain.pem
# Where auth cookies are stored (Mandatory for NTS)
nts cookie /var/lib/ntp/nts-keys
# Default safe security settings
restrict default kod limited nomodify nopeer noquery
restrict 127.0.0.1
# Remove all restrictions for things like some LAN machines.
# Remote ntpq control
#unrestrict another.host.local
Reduce Conntrack Flooding
# disable conntrack on NTP port 123 (UDP for NTP, TCP for NTS)
$ iptables -t raw -A PREROUTING -p udp -m udp --dport 123 -j NOTRACK
$ iptables -t raw -A OUTPUT -p udp -m udp --sport 123 -j NOTRACK
$ iptables -t raw -A PREROUTING -p tcp -m tcp --dport 123 -j NOTRACK
$ iptables -t raw -A OUTPUT -p tcp -m tcp --sport 123 -j NOTRACK