time, chrony & ntp

We have 3 commands that tell us the current date and time: timedatectl, date hwclock.

# timedatectl
.     Local time: Sun 2015­04­12 22:13:30 CEST
. Universal time: Sun 2015­04­12 20:13:30 UTC
.       RTC time: Sun 2015­04­12 20:13:30
.       Timezone: Europe/Zurich (CEST, +0200)
.    NTP enabled: yes
NTP synchronized: yes
.RTC in local TZ: no
.     DST active: yes
.Last DST change: DST began at
.                 Sun 2015­03­29 01:59:59 CET
.                 Sun 2015­03­29 03:00:00 CEST
.Next DST change: DST ends (the clock jumps one hour backwards) at
.                 Sun 2015­10­25 02:59:59 CEST
.                 Sun 2015­10­25 02:00:00 CET
# date
Sun 12 Apr 22:13:46 CEST 2015
# hwclock
Sun 12 Apr 2015 22:20:01 CEST ­0.192551 seconds

The first 2 extract the date & time as is set in the OS. The 3rd one shows the date & time as per the hardware clock.

We also have several ways of changing both the OS and hardware datetimes:

# timedatectl set­-time 22:30:00               → changes OS time
# timedatectl set­-time 2015­04­07               → changes OS date
# timedatectl set­-time ' 2015­04­07 22:30:00'   → changes date & time
# timedatectl set­-local­-rtc true              → uses local time instead of UTC
# timedatectl set-­local­-rtc false             → uses UTC instead of local time
# timedatectl list­-timezones                  → list time zones
# timedatectl set-­timezone 'Europe/Zurich'    → sets time zone
# timedatectl set-­ntp [ true | false ]        → enables/disables NTP
# date ­--­set 23:30:00                         → sets local time
# date ­­--set 2015­04­09                         → sets date
# date ­­--set 2015­04­09 23:30:00                → sets date & time
# hwclock ­­--set --­­date “21 Oct 2014 20:31”    → sets date & time in hardware clock
# hwclock ­­--systohc                            → synchronises HW clock to OS
# hwclock ­­--hctosys                           → synchronises OS to HW clock

There are two time daemons we can use: chronyd and ntpd. Chronyd is more suitable for systems that are offline every so often because its synchronisation algorithms are far more aggressive. Ntpd is better for servers that are rarely offline.

The configuration file from chronyd is /etc/chrony.conf. The following file would be a minimalistic version with just the must-have parameters:

# cat /etc/chrony.conf
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org offline
keyfile /etc/chrony.keys
commandkey 1
driftfile /var/lib/chrony/drift

The servers specified should be accessible and running the NTP server daemon. We can use the iburst option to speed up the synchronisation, or the offline option to disable synchronisation unless there is Internet connectivity.

The keyfile points to the file with the key used for administration purposes:

# cat /etc/chrony.keys
#1 a_key
1 SHA1 HEX:3989E5715A7DFF630E0294CF7A852FE336C0DABE
2 passw0rd9
3 MD5 ASCII: blabliblu

The commandkey specifies the ID of the keyfile that should be used for authentication purposes.

The driftfile is used and needed by chrony to keep track of the time deviations.

Some other parameters we can use would be:

- allow: states the host, subnet or network from which NTP connections to this server can be made. For example, allow would permit connections from any host in the /16 network.

- cmdallow/cmddeny: same syntax as allow, but it enables administrative control rather than just NTP client connections.

- local: used to indicate that this is a master time server. For example, local stratum 10 would indicate to NTP clients that this is a master server but that it is 10 hops away from a reliable real time source and therefore it should not be too trusted.

- log [ measuraments | statistics | tracking | rtc | refclocks | tempcomp ]: used to specify what kind of info we want logged.

- logdir: by default it is set to /var/log/chrony

If we are going to be using one or more local NTP masters, then we need to setup the chrony.keys &
chrony.conf accordingly. We should make sure that the keys file is the same across all the state (or at least with the same ID-hash-password that should be used for authentication purposes). For instance:

server key 10
peer key 10

The entries above in chrony.conf state that any NTP communication with NTP server or peers should use the authentication key with ID 10.

If we have the keys file laid out above and we want to connect to the chronyc command line to do some administration tasks, then we have to use the hashauth to set the hash and the password command:

[root@rhel7test]# cat /etc/chrony.keys
1 SHA1 HEX:3989E5715A7DFF630E0294CF7A852FE336C0DABE
2 password980
[root@rhel7test]# chronyc
chrony version 1.29.1
Copyright (C) 1997­2003, 2007, 2009­2013 Richard P. Curnow and others
chrony comes with ABSOLUTELY NO WARRANTY. This is free software, and
you are welcome to redistribute it under certain conditions. See the
GNU General Public License version 2 for details.
chronyc> authhash SHA1
chronyc> password HEX:3989E5715A7DFF630E0294CF7A852FE336C0DABE
200 OK

We need that authentication unless we already are root. Then we can connect without password with the chronyc -a command.

We can use the help command within chronyc to get an overview of the options we can use and what they do. Some of those options are shown below:

# chronyc tracking
Reference ID : (ntp.maillink.ch)
Stratum : 2
Ref time (UTC)  : Mon Apr 13 10:37:18 2015
System time     : 0.000026386 seconds slow of NTP time
Last offset     : 0.000015600 seconds
RMS offset      : 0.000094428 seconds
Frequency       : 8.934 ppm fast
Residual freq   : ­-0.000 ppm
Skew            : 0.034 ppm
Root delay      : 0.009427 seconds
Root dispersion : 0.001886 seconds
Update interval : 1041.9 seconds
Leap status     : Normal
# chronyc sources
210 Number of sources = 4
MS Name/IP address       Stratum Poll Reach LastRx Last sample
^­- ntpv6.tbw.ch                2   10   377   553   ­-798us[ ­803us]  +/­ 18ms
^­- eudyptula.init7.net         2   10   377  -653    ­448us[ ­453us]  +/­ 39ms
^­- ns1.nexellent.net           2   10   377   712  +1876us[+1871us] +/­ 40ms
^* ntp.maillink.ch             1   10   377    99   -­118us[ ­123us]  +/­ 7899us

The 1st character of the sources output can be “#” (local time source), “^” (NTP server) or “=” (NTP peer).

The 2nd character can be “+” (acceptable source), “-” (excluded source), “*” (source chosen for synchronisation),“?” (lost connectivity), “x” (inconsistent time) or “~” (unreliable time).

The poll field shows the polling interval in power of 2 seconds (i.e. 10 = 2^10 = 1024 seconds).

The reach field is in octal number but a 377 indicates that the last 8 transmissions have been OK.

A similar option would be:

# chronyc sourcestats
210 Number of sources = 4
Name/IP Address         NP NR Span Frequency Freq Skew   Offset Std Dev
ntpv6.tbw.ch            11  6 172m   ­0.042     0.185     ­851us    486us
eudyptula.init7.net     40 21 11h ­   0.007     0.028 ­     40us    579us
ns1.nexellent.net       64 31 18h ­   0.006     0.021   +2771us    871us
ntp.maillink.ch         50 21 14h ­   0.001     0.030 ­     23ns    916us

If we want the clock synchronised immediately to a local time source, we can achieve that with the chronyc -a makestep command.

The NTP time stratum is:

- stratum 0: atomic clocks, GPS and mobile phone systems.
- stratum 1: those connected directly to stratum 0
- stratum 2: those connected directly to stratum 1
- (...)
- stratum 15 is the lowest
- stratum 16 means time unsynchronised

The NTP client configuration file is /etc/ntp.conf. A typical such file would be:

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict ::1
# Hosts on local network are less restricted. (allowed to query time and statistics)
#restrict mask nomodify notrap
# restrict mask (administration allowed from this host)
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
#broadcast autokey
# broadcast server
# broadcast client
#broadcast autokey
# multicast server
# multicast client
# manycast server
#manycastclient autokey # manycast client
# Enable public key cryptography.
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE­2013­5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

We can check the status of the NTP client with in 2 ways:

# systemctl status ntpd.service
ntpd.service ­ Network Time Service
.  Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
.  Active: active (running) since Mon 2015­04­13 13:53:06 CEST; 6s ago
. Process: 2029 ExecStart=/usr/sbin/ntpd ­u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
.Main PID: 2030 (ntpd)
CGroup: /system.slice/ntpd.service
. └─ 2030 /usr/sbin/ntpd ­u ntp:ntp ­g
Apr 13 13:53:06 rhel.bogomips.net ntpd[2030]: Listen and drop on 1 v6wildcard :: UDP 123
Apr 13 13:53:06 rhel.bogomips.net ntpd[2030]: Listen normally on 2 lo UDP 123
Apr 13 13:53:06 rhel.bogomips.net ntpd[2030]: Listen normally on 3 eno16780032 UDP 123
Apr 13 13:53:06 rhel.bogomips.net ntpd[2030]: Listen normally on 4 lo ::1 UDP 123
Apr 13 13:53:06 rhel.bogomips.net ntpd[2030]: Listen normally on 5 eno16780032 fe80::250:56ff:fe87:cd19 UDP 123
Apr 13 13:53:06 rhel.bogomips.net ntpd[2030]: Listening on routing socket on fd #22 for interface updates
Apr 13 13:53:07 rhel.bogomips.net ntpd[2030]: c016 06 restart
Apr 13 13:53:07 rhel.bogomips.net ntpd[2030]: c012 02 freq_set kernel 0.000 PPM
Apr 13 13:53:07 rhel.bogomips.net ntpd[2030]: c011 01 freq_not_set
Apr 13 13:53:07 rhel.bogomips.net ntpd[2030]: c614 04 freq_mode
# ntpstat
synchronised to NTP server ( at stratum 3
.  time correct to within 3949 ms
.  polling server every 64 s

There is just one additional configuration file we should be aware of, /etc/sysconfig/ntpd, which is used to pass arguments to the ntpd daemon at boot time.

root:/tmp> cat /etc/sysconfig/ntpd
# Command line options for ntpd

The file /etc/sysconfig/ntpdate is deprecated in the latests Linux kernels.


<< LDAP client                      networking tools >>