Do I need to run ntpd in my EC2 instance?
I'm working on getting some servers running in the EC2 environment and I'm noticing some errors with ntpd trying to sync (using CentOS).
I was reading on this site and the impression I get is that I don't need to run ntpd since EC2 is Xen and the host takes care of the time for the virtual servers.
http://support.ntp.org/bin/view/Support/KnownOsIssues
Is this accurate or do I need to figure out how to get around the error I'm having?
cap_set_proc() failed to drop root privileges
It looks like it involves building a new kernel and other stuff I'd rather not do if I don't have to.
You shouldn't need to. The clock of your EC2 instance will be synchronized to the Xen Dom0. You can verify this by checking that the contents of /proc/sys/xen/independent_wallclock are 0.
Yes, you need to run ntpd.
My clock was 18.5 seconds off on an EC2 micro instance (running Ubuntu UEC Maverick) with 5 days uptime.
After shutting down and starting again, it was back to normal, so there seems to be some kind of drift.
This is despite /sys/devices/system/clocksource/clocksource0/current_clocksource saying xen, by the way. I'm not sure why it's not working.
Installing the ntp package has solved the problem for me. The clock stays accurate, and there's nothing suspicious in the syslog that might indicate a conflict with Xen's clock synchronization. (It uses ntp.ubuntu.com as its server. I'm not sure if there's an NTP server in the AWS network that I could use instead, but the Ubuntu server will do nicely for now.)
Update: I've recently observed that on my (newer?) instances the clock stays accurate automatically, without ntp running. Judging by the comments, this doesn't seem to be the case for everyone though, so it's probably still best to use ntp just in case.
We run Linux EC2 instances from small to extra large and I just did a check to make sure they were in sync.
All servers were running the ntp daemon connecting to Amazon-specific pools.
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst
This may not have been the case before, but I just wanted to make sure whoever stumbles across this in the future has up-to-date information.
You have to configure ntpd on all instances. If you do not, your servers' time will start drifting.
You have to allow UDP 123 to the public internet, as described in the user guide under Configuring Network Time Protocol.
If your instances are inside a VPC, you may want to dedicate an instance to be your NTP server, only expose that instance to the internet and let the others sync against it.
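The two kernel files named in the answers above can be checked together. This is an added example, not part of any answer on this page; the function name xen_time_status, its optional root-directory argument and the verdict labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how a Xen guest's wallclock is being kept.
# xen_time_status [ROOT]  -- ROOT is a hypothetical prefix so the check can
# also be run against a constructed directory tree instead of the live system.

xen_time_status() {
    root="${1:-}"
    wallclock_file="$root/proc/sys/xen/independent_wallclock"
    clocksource_file="$root/sys/devices/system/clocksource/clocksource0/current_clocksource"

    # Clocksource the kernel is currently using ("xen" on a Xen guest).
    if [ -r "$clocksource_file" ]; then
        clocksource=$(cat "$clocksource_file")
    else
        clocksource="unknown"
    fi

    # The setting is not exposed by every kernel; without it, Dom0 sync
    # cannot be confirmed from inside the guest.
    if [ ! -r "$wallclock_file" ]; then
        echo "clocksource=$clocksource independent_wallclock=absent verdict=unconfirmed"
        return 0
    fi

    wallclock=$(cat "$wallclock_file")
    case "$wallclock" in
        0) verdict="dom0-synced" ;;   # wallclock follows the Xen Dom0
        1) verdict="independent" ;;   # guest keeps its own wallclock; ntpd must discipline it
        *) verdict="unconfirmed" ;;   # unexpected content
    esac
    echo "clocksource=$clocksource independent_wallclock=$wallclock verdict=$verdict"
    return 0
}

# Check the live system when run directly.
xen_time_status ""
```

A dom0-synced verdict only describes the kernel setting; the 18.5 second drift reported above was seen with the xen clocksource active, so the offset still needs to be compared against an NTP source.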