How to use ESXi 5 as an NTP server - OR - How to permanently add custom firewall rules?

Recently my attention was caught by a question posted to the VMware Community forums that sounds odd at first sight: Is it possible to configure ESXi 5.0 to act as an NTP server?

I wondered why anyone would want to do this. On the one hand, it is not recommended to use ESXi for anything other than the task it was designed for: being a hypervisor. On the other hand, it is not recommended to run an NTP server in a VM, because accurate timekeeping is a real challenge in VMs, as they do not own a hardware clock. So should you run a physical box just for NTP? Small shops that have reached 100% virtualization run nothing but ESXi on their remaining physical servers, so I can understand people considering an exception and wanting to run an ESXi host as an NTP server; it is a very lightweight service anyway ...

Now back to the question, and the answer is: yes, it is. In fact it is very easy, because once you have configured ESXi 5.0 as an NTP client it also acts as an NTP server. The NTP daemon (/sbin/ntpd) does both at the same time, and its configuration file (/etc/ntp.conf) allows any other machine to query it by default. There is only one hurdle: the ESXi 5.0 firewall.
By default it blocks incoming NTP queries (UDP port 123). We need to create a custom firewall extension to open that port. KB2005304 explains how to do this: create a custom XML configuration file in the directory /etc/vmware/firewall, e.g. /etc/vmware/firewall/ntpd.xml, with the following contents:

<!-- Firewall configuration information for NTP Daemon -->
<ConfigRoot>
  <service>
      <id>NTP Daemon</id>
      <rule id='0000'>
          <direction>inbound</direction>
          <protocol>udp</protocol>
          <porttype>dst</porttype>
          <port>123</port>
      </rule>
      <enabled>false</enabled>
      <required>false</required>
  </service>
</ConfigRoot>

(Take care when you copy or modify this: the XML tags are case sensitive, and the <id> is the name under which the rule later appears in the vSphere client.)

Then load the new configuration by running the following command inside an ESXi shell:
  esxcli network firewall refresh

After that you can see the custom firewall rule in the firewall properties dialog of the vSphere client:

[Screenshot: custom "NTP Daemon" firewall rule in the firewall properties dialog]

Enable the rule, and you are done ... until the next reboot of the host, because user-defined XML firewall configurations are not persistent across ESXi host reboots. The KB article that describes this problem also includes a work-around: put the XML file on a shared datastore and modify the /etc/rc.local boot script to copy the file to the correct location on every reboot.
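As an added example (this is not the post's VIB and not the KB article's script), here is how the steps above look as one ESXi-shell script: it writes the rule file, sanity-checks the case-sensitive tags before the firewall sees the file, reloads the firewall and enables the rule. It assumes the ESXi 5.x shell and the esxcli firewall commands; the client subnet 192.0.2.0/24 is a placeholder for wherever your NTP clients live, and restricting the rule to that subnet is a hardening step the post itself does not take. The XML file written here is still subject to the reboot problem described above.

```shell
#!/bin/sh
# Added example: create, check, load and enable the "NTP Daemon" firewall rule
# on ESXi 5.x. Assumes the ESXi shell (busybox ash) and esxcli.

RULE_ID="NTP Daemon"                       # must match <id> in the XML exactly
RULE_FILE="/etc/vmware/firewall/ntpd.xml"
CLIENT_SUBNET="192.0.2.0/24"               # placeholder: subnet of your NTP clients

# Print the firewall service definition from the post (tags are case sensitive).
ntpd_rule_xml() {
    cat <<'EOF'
<!-- Firewall configuration information for NTP Daemon -->
<ConfigRoot>
  <service>
      <id>NTP Daemon</id>
      <rule id='0000'>
          <direction>inbound</direction>
          <protocol>udp</protocol>
          <porttype>dst</porttype>
          <port>123</port>
      </rule>
      <enabled>false</enabled>
      <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Sanity-check a rule file before handing it to the firewall: every tag the
# firewall expects must be present with the exact case shown in the post, and
# the rule must open only UDP/123. Returns 0 when the file looks right.
check_rule_file() {
    f="$1"
    for tag in ConfigRoot service id rule direction protocol porttype port enabled required; do
        grep -q "<$tag" "$f" || { echo "missing <$tag> in $f" >&2; return 1; }
    done
    grep -q "<protocol>udp</protocol>" "$f" || { echo "protocol is not udp in $f" >&2; return 1; }
    grep -q "<port>123</port>" "$f" || { echo "port is not 123 in $f" >&2; return 1; }
    return 0
}

# Write the file, reload the firewall, restrict and enable the rule.
# Only meaningful on a real ESXi host; not run by default.
install_rule() {
    ntpd_rule_xml > "$RULE_FILE" || return 1
    check_rule_file "$RULE_FILE" || return 1
    esxcli network firewall refresh || return 1
    # Do not open UDP/123 to the world: allow only the NTP clients' subnet.
    esxcli network firewall ruleset set --ruleset-id "$RULE_ID" --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id "$RULE_ID" --ip-address "$CLIENT_SUBNET"
    esxcli network firewall ruleset set --ruleset-id "$RULE_ID" --enabled true
    # Show the resulting state so the operator can confirm it.
    esxcli network firewall ruleset list | grep "$RULE_ID"
}

case "$1" in
    install) install_rule ;;
esac
```

Run it as `sh ntpd-rule.sh install` on the host. The allowedip step is optional but recommended: an NTP server that answers anyone can be used in reflection traffic, and nothing outside your network needs to ask an ESXi host for the time.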

This works, but I personally consider it an ugly hack, because the modification is not inherent to the system but introduces a dependency on an external resource (the datastore). So I created a VIB file that you can install on ESXi and that permanently adds the XML file to the system.
Run the following commands inside an ESXi shell to install the VIB file:

   esxcli software acceptance set --level CommunitySupported
   esxcli software vib install -v http://files.v-front.de/fwenable-ntpd-1.2.0.x86_64.vib

The first command is needed for ESXi to accept the custom VIB, because it does not include a trusted signature file. Be aware that the acceptance level is a host-wide setting: once lowered, any other CommunitySupported VIB (one without a VMware- or partner-verified signature) will install as well, so only do this on hosts where you control what gets installed. The second command downloads and installs the VIB file (you can also download the file with a browser, store it on a local datastore and reference the local file with the install command, using its full path, e.g. /vmfs/volumes/your_datastore/fwenable-ntpd-1.2.0.x86_64.vib).
The installation does not require the host to be in maintenance mode and is immediately effective without a reboot. It also automatically reloads the firewall rules, so the only step left is to enable the rule in the vSphere client. You can confirm that the VIB is installed with esxcli software vib list.

By the way, I created this VIB file with a new and improved version of my TGZ2VIB5 script that I currently work on. Once I have finished this new version and made it available here I will also post a detailed description of how I created the VIB file.

20 comments:

  1. Brill. I need this. Perfect. (Monitoring NTP host time via NTPD / Nagios.)

  2. Replies
    1. I haven't tried it, but it should also work with ESXi 5.1.

    2. Yes, it works on 5.1.

  3. I'm behind a firewall so this solution is exactly what I wanted.
    I tried to install the VIB (copied locally to my datastore) and I get this message:

    esxcli software vib install -v fwenable-ntpd-1.2.0.x86_64.vib
    [VibFormatError]
    Bad VIB archive header
    filename = fwenable-ntpd-1.2.0.x86_64.vib
    Please refer to the log file for more details.

    1. Probably the vib file got corrupted when you transferred it to the host.
      Be sure to transfer it in binary mode. In your web browser right-click on the URL displayed in the post and choose "Save as..".

    2. Has it been tested on ESXi 5.5.0?

  4. Hi, this is awesome, but while installing I'm getting this error:

    esxcli software vib install -v fwenable-ntpd-1.2.0.x86_64.vib
    [VibDownloadError]
    ('fwenable-ntpd-1.2.0.x86_64.vib', '', "[Errno 4] IOError: ")
    url = fwenable-ntpd-1.2.0.x86_64.vib
    Please refer to the log file for more details.

    I'm not quite getting this /var/log/vmware/fwenable-ntpd-1.2.0.x86_64.vib ...
    I downloaded and transferred it to my server via WinSCP.

    1. Hi Anonymous,

      you need to specify the full path to the VIB file (e.g. /vmfs/volumes/your_datastore/fwenable-ntpd-1.2.0.x86_64.vib). If you use the file name only then esxcli will look for it in /var/log/vmware.

      Andreas

  5. Hello Andreas,

    I tried to install your interesting ntp-firewall-patch on ESXi 5.1, but got this error message:

    esxcli software vib install -v file://fwenable-ntpd-1.2.0.x86_64.vib
    [IndexError]
    string index out of range
    Please refer to the log file for more details.

    the esxcli.log contains:
    [root ERROR] install failed: [IndexError]
    string index out of range
    Please refer to the log file for more details.

    Can you help me?

    Andreas G.

    1. Hi Andreas,

      omit the file:// prefix and specify the full path to the file.
      Also make sure that you downloaded the file correctly in binary format. Go to http://vibsdepot.v-front.de/wiki/index.php/Fw-ntpd and right-click/SaveAs on the VIB file.

      Andreas

  6. We are considering this as an option for our current data center time situation as our whole environment aside from the network gear is virtualized.

    Under ESX the console actually became the first virtual machine once the hypervisor was loaded. Under ESXi I don't know if this is still true, but if it is, and we configure ntpd on ESXi to be our NTP source in our data center...aren't we essentially still putting our NTP source in a virtual machine?

    If you've done this are you seeing drift on busy ESXi hosts?

    1. Hi John,

      no, ESXi no longer has a service console VM. The NTP daemon runs as a user world in the context of the VMkernel. So it does not use an emulated clock timer and should not be affected by time drift (provided that it syncs with other accurate time sources).
      I haven't tested it myself over a longer period though.

      Andreas

  7. Curious, I just tested using ESXi 5.1 as an NTP server with no firewall or other mods at all, and it just worked.

    Couldn't be any easier, didn't need to do a thing.

  8. I can't seem to get my NTP clients to sync with my ESXi 5.1 NTP server. I've enabled port 123 incoming/outgoing in ESXi and it's running as an NTP client with no NTP server in its NTP server list (since it IS an NTP server). Is this the correct configuration?

    In Windows, I've tried using:
    -Date/Time settings (right-click on notification area-->Adjust date/time-->Internet Time-->set as IP of server) -- syncing fails
    -Group Policy Editor (Computer Configuration\Administrative Templates\System\Windows Time Service, currently disabled though) -- syncing fails
    -Registry editor (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\ settings) -- syncing fails
    -Command Prompt, using:
    w32tm /config /manualpeerlist: /syncfromflags:MANUAL /reliable:yes /update
    net stop w32time && net start w32time

    This updates the registry correctly, but whenever I use the command "w32tm /query /source" the source is always Local CMOS clock no matter what, and it doesn't sync when I run "w32tm /resync /rediscover"

    Running "w32tm /monitor /computers:" gives me the current time of the ESXi server, so obviously port 123 must be open if I can query it.

    Any ideas?

  9. Never mind; I had to set my server's upstream NTP server to its own clock: 127.127.1.0. This isn't recommended by VMware, but it works.

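The two comments above show the two failure modes a client can run into, and the post's claim that the host will "answer queries" is worth checking from the client side rather than assuming. As an added example (not code from the post or its author), the following Python script sends a single SNTP request to UDP/123 and decodes the reply. No reply means the firewall rule is not in effect or ntpd is not running; a reply with leap indicator 3 and stratum 16 is what ntpd sends while it has no synchronised upstream source, and clients such as W32Time refuse to sync from such a server even though w32tm /monitor happily shows its time. The host name is a placeholder, and make_reply() builds constructed packets so the parser can be exercised offline.

```python
"""Added example: a minimal SNTP (RFC 4330) probe that tells "port closed" from
"port open but server not synchronised". Not part of the original post."""
import socket
import struct

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def build_request():
    """48-byte client packet: LI=0, version 3, mode 3 (client); everything else zero."""
    first_byte = (0 << 6) | (3 << 3) | 3  # 0x1B
    return struct.pack("!B47x", first_byte)


def make_reply(li, stratum, xmt_seconds, xmt_fraction=0):
    """Constructed server reply (mode 4) for offline testing only."""
    first_byte = (li << 6) | (3 << 3) | 4
    # Bytes 2..39 (poll, precision, root delay/dispersion, refid, reference,
    # originate and receive timestamps) are zeroed; only LI, stratum and the
    # transmit timestamp matter for this check.
    header = struct.pack("!BB38x", first_byte, stratum)
    return header + struct.pack("!II", xmt_seconds, xmt_fraction)


def parse_reply(data):
    """Decode the fields a client uses to decide whether the server is usable."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first_byte, stratum = struct.unpack("!BB", data[:2])
    li = first_byte >> 6
    version = (first_byte >> 3) & 7
    mode = first_byte & 7
    xmt_seconds, xmt_fraction = struct.unpack("!II", data[40:48])
    transmit_unix = xmt_seconds - NTP_UNIX_OFFSET + float(xmt_fraction) / 2 ** 32
    # LI=3 ("alarm"), stratum 0 (kiss-o'-death) or 16 (unsynchronised), a
    # non-server mode or a zero transmit timestamp all mean: do not sync.
    usable = (mode == 4 and li != 3 and 1 <= stratum <= 15 and xmt_seconds != 0)
    return {
        "li": li,
        "version": version,
        "mode": mode,
        "stratum": stratum,
        "transmit_time": transmit_unix,
        "usable": usable,
    }


def probe(host, timeout=2.0):
    """Send one request; returns None when nothing answers within the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(), (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None  # firewall rule not enabled, or ntpd not running
    finally:
        sock.close()
    return parse_reply(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "esxi01.example.com"  # placeholder
    result = probe(host)
    if result is None:
        print("%s: no reply on UDP/123 (firewall rule not in effect, or ntpd down)" % host)
    elif not result["usable"]:
        print("%s answers but is unsynchronised (LI=%d, stratum %d); clients will refuse it"
              % (host, result["li"], result["stratum"]))
    else:
        print("%s: stratum %d, server time %.3f (unix); usable"
              % (host, result["stratum"], result["transmit_time"]))
```

Run `python ntpprobe.py <esxi-host>` from a client that is allowed through the firewall rule. If the host answers with stratum 16, fix the upstream `server` lines in its NTP configuration rather than the firewall; that is the state comment 9 worked around with the local clock driver.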
  10. It probably goes without saying, but I presume the reasons for doing this would be for VMs on which the VMTools cannot be installed. Otherwise you can simply go into the VM settings under VM Tools and set the VM to synchronize with the host. Then the hosts are synchronized to an NTP server elsewhere. Speaking from ESXi 5.5...

    1. Hi Anonymous,

      No, VMware does not recommend using the VMware Tools for time sync, but NTP or other OS specific methods instead. See http://kb.vmware.com/kb/1318 and http://kb.vmware.com/kb/1006427.

      Andreas

  11. Thanks Andreas! Works great for me! :)

