clockd.conf - Clockwork Master configuration file




clockd(1) reads its configuration from /etc/clockwork/clockd.conf (unless a different file is specified with the -c option).

Valid configuration directives, and their meanings, are as follows:

listen - Listen directive

This specifies which interfaces/addresses clockd should bind to for inbound connections from cogd agents. The default port is 2314, and most of the time you'll want to listen on any available interface. This is the default, *:2314.

manifest - Policy Manifest File

The manifest contains all of the policy definitions, and specifies which clients they should be given to.

copydown - Copydown Source Directory

Clients connecting to clockd start their configuration runs by performing a COPYDOWN, in which they copy static files (usually gatherer scripts) locally.

This setting determines what files are included in the copydown archive. Paths will be relative to the client's copydown setting.

Defaults to /etc/clockwork/gather.d.

security.strict - Security Mode

When clients connect, clockd will always check that they have a secured channel (thus validating their public/private keypair). For production sites, it is also a good idea to check that the client has been pre-authenticated, by checking against a list of trusted public key fingerprints, the so-called trust database, or trustdb.

Setting security.strict to yes (the default) engages this behavior.

Environments that are not mission-critical (such as testbeds and experimental labs) can bypass this extra security by setting security.strict to no. This is not recommended for production deployments!

security.trusted - Trust Database

Under strict mode, the trust database is consulted to ensure that remote clients are trusted to receive policy and file data, which could contain sensitive and/or privileged information.

The trust database can be managed by hand, or by cw-trust(1).

Defaults to /etc/clockwork/certs/trusted.

security.cert - Master Certificate

This certificate is used to identify this clockd instance to connecting clients. It must contain both the public and private keys.

Defaults to /etc/clockwork/certs/clockd.

ccache.connections - Connection Cache Entries

This configuration option lets you size the connection cache to the infrastructure. For each client that connects, clockd keeps an entry in the connection cache to keep track of the generated policy, known facts, etc. Cache entries are purged regularly, pursuant to ccache.expiration, to make room for new client connections.

The value chosen for the connection cache size depends on the number of concurrent clients you expect clockd to service. For most environments the default size of 2048 entries should be sufficient.

ccache.expiration - Connection Cache Expiration

clockd keeps track of each client that connects, by storing their state information in an entry in the connection cache. This configuration option lets you adjust how soon clockd will try to reclaim stale entries for use in new client connections.

This value is specified in seconds.

pidfile - PID file for storing the daemon process ID

Defaults to /var/run/

syslog.ident - Syslog identity string

Defaults to clockd.

syslog.facility - Syslog facility for logging

Defaults to daemon.

syslog.level - Log level

Valid values are:


Fatal issues that cause immediate termination.


Non-fatal issues that prevent proper system operation.


Minor problems that do not hinder system operation.


Informational messages that assist in system diagnostics.


More in-depth informational messages, for troubleshooting.


Messages for chasing down bugs.

Each level includes all "more important" levels. warning will log critical and error messages. notice is everything but debugging messages, etc.

A good starting point is warning; default is error.


Here is the default configuration, made explicit:

listen              *:2314
pidfile             /var/run/
manifest            /etc/clockwork/manifest.pol
copydown            /etc/clockwork/gather.d

security.strict     yes
security.trusted    /etc/clockwork/certs/trusted
security.cert       /etc/clockwork/certs/clockd

ccache.connections  2048
ccache.expiration   600

syslog.ident        clockd
syslog.facility     daemon
syslog.level        error
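
An audit of the security.* directives described above, as an added example (not part of Clockwork or of the original page). It assumes the whitespace-separated "directive value" layout shown in the default configuration; the '#' comment handling, the file-permission thresholds, and the names parse_conf, mode_bits and audit are assumptions of this example.

```python
import os
import stat

# Defaults as listed on this page (pidfile left out: its default is cut off there).
DEFAULTS = {
    "security.strict": "yes",
    "security.trusted": "/etc/clockwork/certs/trusted",
    "security.cert": "/etc/clockwork/certs/clockd",
}

# Constructed sample input, not a real deployment's file.
SAMPLE = """\
listen            *:2314
security.strict   no
"""

def parse_conf(text):
    """Parse 'directive value' lines; '#' comment handling is an assumption."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def mode_bits(path):
    """Permission bits of path, or None when it cannot be stat'ed."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return None

def audit(conf):
    """Return a list of findings for the security.* directives."""
    findings = []
    strict = conf["security.strict"].lower() == "yes"
    if not strict:
        findings.append("security.strict: trustdb check is bypassed")
    cert = mode_bits(conf["security.cert"])
    if cert is None:
        findings.append("security.cert: file missing or unreadable")
    elif cert & 0o077:
        findings.append("security.cert: private key accessible to group/other")
    trusted = mode_bits(conf["security.trusted"])
    if trusted is None and strict:
        findings.append("security.trusted: trustdb missing under strict mode")
    elif trusted is not None and trusted & 0o022:
        findings.append("security.trusted: trustdb writable by group/other")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE)):
        print(finding)
```

The certificate check follows from security.cert holding the private key; the trustdb check follows from that file deciding which clients receive policy under strict mode.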


clockwork(7), clockd(1), clockd.conf(5) and cogd.conf(5)


Clockwork was designed and written by James Hunt.

The Clockwork website is licensed under the Creative Commons Attribution-NoDerivs 3.0 United States License