doc: update for separate client sockets
parent
a65686e83f
commit
ad9c360845
1 changed files with 56 additions and 47 deletions
101
chrony.texi.in
|
@ -1117,10 +1117,11 @@ the configuration file is ignored.
|
||||||
|
|
||||||
@menu
|
@menu
|
||||||
* comments in config file:: How to write a comment
|
* comments in config file:: How to write a comment
|
||||||
* acquisitionport directive:: Set port to use for initial time probes
|
* acquisitionport directive:: Set NTP client port
|
||||||
* allow directive:: Give access to NTP clients
|
* allow directive:: Give access to NTP clients
|
||||||
* bindaddress directive:: Limit the network interface that is used for NTP
|
* bindacqaddress directive:: Limit network interface used by NTP client
|
||||||
* bindcmdaddress directive:: Limit the network interface that is used for commands
|
* bindaddress directive:: Limit network interface used by NTP server
|
||||||
|
* bindcmdaddress directive:: Limit network interface used for commands
|
||||||
* broadcast directive:: Make chronyd act as an NTP broadcast server
|
* broadcast directive:: Make chronyd act as an NTP broadcast server
|
||||||
* clientloglimit directive:: Set client log memory limit
|
* clientloglimit directive:: Set client log memory limit
|
||||||
* cmdallow directive:: Give control access to chronyc on other computers
|
* cmdallow directive:: Give control access to chronyc on other computers
|
||||||
|
@ -1159,7 +1160,7 @@ the configuration file is ignored.
|
||||||
* noclientlog directive:: Prevent chronyd from gathering data about clients
|
* noclientlog directive:: Prevent chronyd from gathering data about clients
|
||||||
* peer directive:: Specify an NTP peer
|
* peer directive:: Specify an NTP peer
|
||||||
* pidfile directive:: Specify the file where chronyd's pid is written
|
* pidfile directive:: Specify the file where chronyd's pid is written
|
||||||
* port directive:: Set port to use for NTP packets
|
* port directive:: Set NTP server port
|
||||||
* refclock directive:: Specify a reference clock
|
* refclock directive:: Specify a reference clock
|
||||||
* reselectdist directive:: Set improvement in distance needed to reselect a source
|
* reselectdist directive:: Set improvement in distance needed to reselect a source
|
||||||
* rtcautotrim directive:: Specify threshold at which RTC is trimmed automatically
|
* rtcautotrim directive:: Specify threshold at which RTC is trimmed automatically
|
||||||
|
@ -1192,15 +1193,14 @@ Any line with this format will be ignored.
|
||||||
@c {{{ acquisitionport directive
|
@c {{{ acquisitionport directive
|
||||||
@node acquisitionport directive
|
@node acquisitionport directive
|
||||||
@subsection acquisitionport
|
@subsection acquisitionport
|
||||||
@code{chronyd} uses a separate client-side port for the rapid-fire
|
By default, @code{chronyd} uses a separate client socket for each configured
|
||||||
measurements requested with the @code{initstepslew} directive
|
server and their source port is chosen arbitrarily by the operating system.
|
||||||
(@pxref{initstepslew directive}). Normally, that port is chosen
|
However, you can use the @code{acquisitionport} directive to explicitly specify
|
||||||
arbitrarily by the operating system. However, you can use
|
a port and use only one socket (per IPv4/IPv6 address family) for all
|
||||||
@code{acquisitionport} to explicitly specify a port. This may be useful
|
configured servers. This may be useful for getting through firewalls.
|
||||||
for getting through firewalls.
|
|
||||||
|
|
||||||
Do not make acquisition and regular NTP service (@pxref{port directive})
|
It may be set to the same port as used by the NTP server (@pxref{port
|
||||||
use the same port.
|
directive}) to use only one socket for all NTP packets.
|
||||||
|
|
||||||
An example of the @code{acquisitionport} command is
|
An example of the @code{acquisitionport} command is
|
||||||
|
|
||||||
|
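Review bot: the rewritten acquisitionport paragraph drops the old warning "Do not make acquisition and regular NTP service ... use the same port" and now recommends the opposite, without saying what a fixed port costs. By default each configured server gets its own client socket with a source port chosen by the operating system; once acquisitionport is set, all client requests leave from one known port per address family, so the source port is no longer unpredictable to an off-path sender. I would add a sentence stating that trade-off next to "This may be useful for getting through firewalls", and say explicitly that sharing the port with the server socket is now supported, since readers of the previous text were told not to do it.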
@ -1208,7 +1208,7 @@ An example of the @code{acquisitionport} command is
|
||||||
acquisitionport 1123
|
acquisitionport 1123
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
This would change the port used for rapid queries to udp/1123. You
|
This would change the source port used for client requests to udp/1123. You
|
||||||
could then persuade the firewall administrator to let that port through.
|
could then persuade the firewall administrator to let that port through.
|
||||||
@c }}}
|
@c }}}
|
||||||
@c {{{ allow
|
@c {{{ allow
|
||||||
|
@ -1281,19 +1281,28 @@ directive}) is used in the configuration file, each of the computers
|
||||||
listed in that directive must allow client access by this computer for
|
listed in that directive must allow client access by this computer for
|
||||||
it to work.
|
it to work.
|
||||||
@c }}}
|
@c }}}
|
||||||
|
@c {{{ bindacqaddress
|
||||||
|
@node bindacqaddress directive
|
||||||
|
@subsection bindacqaddress
|
||||||
|
The @code{bindacqaddress} directive sets the network interface to which will
|
||||||
|
@code{chronyd} bind its NTP client sockets. The syntax is similar to the
|
||||||
|
@code{bindaddress} and @code{bindcmdaddress} directives.
|
||||||
|
|
||||||
|
For each of IPv4 and IPv6 protocols, only one @code{bindacqaddress}
|
||||||
|
directive can be specified.
|
||||||
|
@c }}}
|
||||||
@c {{{ bindaddress
|
@c {{{ bindaddress
|
||||||
@node bindaddress directive
|
@node bindaddress directive
|
||||||
@subsection bindaddress
|
@subsection bindaddress
|
||||||
The bindaddress allows you to restrict the network interface to which
|
The @code{bindaddress} directive allows you to restrict the network interface
|
||||||
chronyd will listen for NTP packets. This provides an additional level of
|
to which @code{chronyd} will listen for NTP requests. This provides an
|
||||||
access restriction above that available through the 'deny' mechanism.
|
additional level of access restriction above that available through the
|
||||||
|
@code{deny} mechanism.
|
||||||
|
|
||||||
Suppose you have a local ethernet with addresses in the 192.168.1.0
|
Suppose you have a local ethernet with addresses in the 192.168.1.0
|
||||||
subnet together with a dial-up connection. The ethernet interface's IP
|
subnet together with an internet connection. The ethernet interface's IP
|
||||||
address is 192.168.1.1. Suppose (for some reason) you want to block all
|
address is 192.168.1.1. Suppose you want to block all access through the
|
||||||
access through the dialup connection (note, this will even block replies
|
internet connection. You could add the line
|
||||||
from servers on the dialup side, so you will not be able to synchronise
|
|
||||||
to an external source). You could add the line
|
|
||||||
|
|
||||||
@example
|
@example
|
||||||
bindaddress 192.168.1.1
|
bindaddress 192.168.1.1
|
||||||
|
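Review bot: the first sentence of the new bindacqaddress section has its words out of order: "the network interface to which will @code{chronyd} bind its NTP client sockets" should read "to which @code{chronyd} will bind its NTP client sockets". The section also has no @example, unlike bindaddress and bindcmdaddress, and "The syntax is similar to" leaves the reader to guess the argument; a one-line example would settle it. In the bindaddress text, the parenthetical about blocking replies from servers on the other connection is removed with nothing in its place; if client traffic is now governed by bindacqaddress instead, a @pxref{bindacqaddress directive} at that point would tell the reader where to restrict it.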
@ -1301,9 +1310,10 @@ bindaddress 192.168.1.1
|
||||||
|
|
||||||
to the configuration file.
|
to the configuration file.
|
||||||
|
|
||||||
This directive affects NTP (UDP port 123) packets. If no @code{bindcmdaddress}
|
This directive affects NTP (UDP port 123 by default) packets. If no
|
||||||
directive is present, the address supplied by @code{bindaddress} will be used
|
@code{bindcmdaddress} directive is present, the address supplied by
|
||||||
to control binding of the command socket (UDP port 323) as well.
|
@code{bindaddress} will be used to control binding of the command socket (UDP
|
||||||
|
port 323 by default) as well.
|
||||||
|
|
||||||
The @code{bindaddress} directive has been found to cause problems when used on
|
The @code{bindaddress} directive has been found to cause problems when used on
|
||||||
computers that need to pass NTP traffic over multiple network interfaces (e.g.
|
computers that need to pass NTP traffic over multiple network interfaces (e.g.
|
||||||
|
@ -1313,34 +1323,34 @@ more likely to be successful.
|
||||||
|
|
||||||
For each of IPv4 and IPv6 protocols, only one @code{bindaddress}
|
For each of IPv4 and IPv6 protocols, only one @code{bindaddress}
|
||||||
directive can be specified.
|
directive can be specified.
|
||||||
|
|
||||||
@c }}}
|
@c }}}
|
||||||
@c {{{ bindcmdaddress
|
@c {{{ bindcmdaddress
|
||||||
@node bindcmdaddress directive
|
@node bindcmdaddress directive
|
||||||
@subsection bindcmdaddress
|
@subsection bindcmdaddress
|
||||||
The bindcmdaddress allows you to restrict the network interface to which
|
The @code{bindcmdaddress} directive allows you to restrict the network
|
||||||
chronyd will listen for command packets (issued by chronyc).
|
interface to which @code{chronyd} will listen for command packets (issued by
|
||||||
|
@code{chronyc}). This provides an additional level of access restriction above
|
||||||
|
that available through @code{cmddeny} mechanism.
|
||||||
|
|
||||||
Suppose you have a local ethernet with addresses in the 192.168.1.0 subnet
|
Suppose you want to block all access except from localhost. You
|
||||||
together with a dial-up connection. The ethernet interface's IP address is
|
could add the lines
|
||||||
192.168.1.1. Suppose you want to block all access through the dialup
|
|
||||||
connection. You could add the line
|
|
||||||
|
|
||||||
@example
|
@example
|
||||||
bindcmdaddress 192.168.1.1
|
bindcmdaddress 127.0.0.1
|
||||||
|
bindcmdaddress ::1
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
to the configuration file.
|
to the configuration file.
|
||||||
|
|
||||||
The @code{bindcmdaddress} directive has been found to cause problems when used
|
|
||||||
on computers that need to pass command traffic over multiple network
|
|
||||||
interfaces. It is, therefore, not particularly useful. Use of the
|
|
||||||
@code{cmdallow} and @code{cmddeny} directives together with a network firewall
|
|
||||||
is more likely to be successful.
|
|
||||||
|
|
||||||
For each of IPv4 and IPv6 protocols, only one @code{bindcmdaddress}
|
For each of IPv4 and IPv6 protocols, only one @code{bindcmdaddress}
|
||||||
directive can be specified.
|
directive can be specified.
|
||||||
|
|
||||||
|
The default values are set by the @code{bindaddress} directive.
|
||||||
|
|
||||||
|
The @code{bindcmdaddress} directive has been found to cause problems when used
|
||||||
|
on computers that need to pass command traffic over multiple network
|
||||||
|
interfaces. Use of the @code{cmdallow} and @code{cmddeny} directives together
|
||||||
|
with a network firewall is more likely to be successful.
|
||||||
@c }}}
|
@c }}}
|
||||||
@c {{{ broadcast directive
|
@c {{{ broadcast directive
|
||||||
@node broadcast directive
|
@node broadcast directive
|
||||||
|
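Review bot: "The default values are set by the @code{bindaddress} directive." in the new bindcmdaddress text is ambiguous: it does not say that it applies only when no bindcmdaddress is given, nor what the command socket binds to when bindaddress is absent as well. I would reuse the wording from the bindaddress section ("If no @code{bindcmdaddress} directive is present, the address supplied by @code{bindaddress} will be used") and state the fallback when neither directive is present. Also, "that available through @code{cmddeny} mechanism" is missing "the"; the parallel sentence for bindaddress has "through the @code{deny} mechanism".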
@ -2462,14 +2472,13 @@ pidfile /var/tmp/chronyd.pid
|
||||||
@c {{{ port
|
@c {{{ port
|
||||||
@node port directive
|
@node port directive
|
||||||
@subsection port
|
@subsection port
|
||||||
This option allows you to configure the port used for the NTP service
|
This option allows you to configure the port on which @code{chronyd}
|
||||||
on your machine.
|
will listen for NTP requests.
|
||||||
|
|
||||||
The compiled in default is udp/123, the standard NTP port. It is
|
The compiled in default is udp/123, the standard NTP port. If set to 0,
|
||||||
unlikely that you would ever need to change this value. A possible
|
@code{chronyd} will not open the server socket and will operate strictly in a
|
||||||
exception would be if you wanted to operate strictly in client-only
|
client-only mode. The source port used in NTP client requests can be set by
|
||||||
mode and never be available as a server to ntpd clients. If set to 0,
|
the @code{acquisitionport} directive.
|
||||||
the kernel will assign a random port.
|
|
||||||
|
|
||||||
An example of the port command is
|
An example of the port command is
|
||||||
|
|
||||||
|
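Review bot: the meaning of "port 0" changes in this paragraph without being flagged. The removed text said "If set to 0, the kernel will assign a random port", while the new text says chronyd "will not open the server socket", so an existing configuration with port 0 would stop serving NTP after upgrading. I would note the change of behaviour in this section, and add a "port 0" line to the example that follows, since client-only operation is now the main reason to touch this directive.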
@ -2477,7 +2486,7 @@ An example of the port command is
|
||||||
port 11123
|
port 11123
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
This would change the NTP port served by chronyd on the computer to
|
This would change the NTP port served by @code{chronyd} on the computer to
|
||||||
udp/11123.
|
udp/11123.
|
||||||
@c }}}
|
@c }}}
|
||||||
@c {{{ refclock
|
@c {{{ refclock
|
||||||
|
|