# How to Use Chrony for Time Synchronization

Time synchronization is a critical aspect of system administration that ensures all computers in a network maintain accurate time. Chrony is a modern, versatile implementation of the Network Time Protocol (NTP) that provides superior performance and accuracy compared to traditional NTP implementations. This comprehensive guide will walk you through everything you need to know about using chrony for time synchronization, from basic installation to advanced configuration and troubleshooting.

## Table of Contents

1. [Introduction to Chrony](#introduction-to-chrony)
2. [Prerequisites and Requirements](#prerequisites-and-requirements)
3. [Installation and Setup](#installation-and-setup)
4. [Basic Configuration](#basic-configuration)
5. [Advanced Configuration Options](#advanced-configuration-options)
6. [Managing Chrony Services](#managing-chrony-services)
7. [Monitoring and Verification](#monitoring-and-verification)
8. [Practical Examples and Use Cases](#practical-examples-and-use-cases)
9. [Troubleshooting Common Issues](#troubleshooting-common-issues)
10. [Best Practices and Security](#best-practices-and-security)
11. [Performance Optimization](#performance-optimization)
12. [Conclusion](#conclusion)

## Introduction to Chrony

Chrony is a pair of programs designed to maintain the accuracy of computer clocks. It consists of `chronyd`, a daemon that synchronizes the system clock with time servers, and `chronyc`, a command-line utility for monitoring and controlling the daemon.
Chrony offers several advantages over traditional NTP implementations:

- Better performance on intermittent network connections: chrony can quickly resynchronize after network outages
- Superior accuracy: achieves better time accuracy, especially on systems that are not online continuously
- Lower resource consumption: uses less CPU and memory compared to traditional NTP
- Faster initial synchronization: can synchronize time much faster when starting up
- Advanced filtering: provides sophisticated algorithms to filter out unreliable time sources

## Prerequisites and Requirements

Before installing and configuring chrony, ensure your system meets the following requirements:

### System Requirements

- Operating System: Linux distribution (Ubuntu, CentOS, RHEL, Debian, Fedora, etc.)
- Privileges: Root or sudo access for installation and configuration
- Network Access: Internet connectivity to reach NTP servers (for client configuration)
- Firewall: Appropriate firewall rules if running as an NTP server

### Knowledge Prerequisites

- Basic Linux command-line skills
- Understanding of system services and daemons
- Familiarity with text editors (nano, vim, or emacs)
- Basic networking concepts

### Network Requirements

- Client Mode: Outbound UDP port 123 access to NTP servers
- Server Mode: Inbound UDP port 123 access for clients
- Firewall Configuration: Proper firewall rules for NTP traffic

## Installation and Setup

### Installing Chrony on Different Distributions

#### Ubuntu and Debian

```bash
# Update package repository
sudo apt update

# Install chrony
sudo apt install chrony

# Enable and start the service (the unit is named "chrony" on Debian/Ubuntu)
sudo systemctl enable chrony
sudo systemctl start chrony
```

#### CentOS, RHEL, and Fedora

```bash
# For CentOS/RHEL 8+ and Fedora
sudo dnf install chrony

# For older CentOS/RHEL versions
sudo yum install chrony

# Enable and start the service
sudo systemctl enable chronyd
sudo systemctl start chronyd
```

#### Arch Linux

```bash
# Install chrony
sudo pacman -S chrony

# Enable and start the service
sudo systemctl enable chronyd
sudo systemctl start chronyd
```

### Verifying Installation

After installation, verify that chrony is properly installed and running:

```bash
# Check service status (use "chrony" instead of "chronyd" on Debian/Ubuntu)
sudo systemctl status chronyd

# Verify chrony version
chronyd --version

# Check if chronyc is available
chronyc --version
```

## Basic Configuration

The main configuration file for chrony is typically located at `/etc/chrony.conf` or `/etc/chrony/chrony.conf`, depending on your distribution.

### Understanding the Configuration File

Here's a basic configuration file structure:

```bash
# /etc/chrony.conf

# Use public NTP servers from pool.ntp.org
pool 2.pool.ntp.org iburst

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC)
rtcsync

# Enable hardware timestamping on all interfaces that support it
#hwtimestamp *

# Increase the minimum number of selectable sources required
# to adjust the system clock
minsources 2

# Allow NTP client access from local network
allow 192.168.0.0/16

# Serve time even if not synchronized to a time source
local stratum 10

# Specify file containing keys for NTP authentication
#keyfile /etc/chrony.keys

# Get TAI-UTC offset and leap seconds from the system tz database
leapsectz right/UTC

# Specify directory for log files
logdir /var/log/chrony

# Select which information is logged
#log measurements statistics tracking
```

### Basic Client Configuration

For a basic NTP client setup, create or modify `/etc/chrony.conf`:

```bash
# NTP servers to synchronize with
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
pool 2.pool.ntp.org iburst
pool 3.pool.ntp.org iburst

# Step the clock if the offset is larger than 1 second, but only in the first 3 updates
makestep 1.0 3

# Enable kernel synchronization of the RTC
rtcsync

# Record the measured clock drift so it survives restarts
driftfile /var/lib/chrony/drift

# Log directory
logdir /var/log/chrony
```

### Applying Configuration Changes

After modifying the configuration file:

```bash
# Restart the chrony service
sudo systemctl restart chronyd

# Verify the service is running
sudo systemctl status chronyd
```

## Advanced Configuration Options

### Server Configuration

To configure chrony as an NTP server:

```bash
# /etc/chrony.conf for NTP server

# Upstream NTP servers
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst

# Allow clients from specific networks
allow 192.168.1.0/24
allow 10.0.0.0/8

# Serve time even if not synchronized
local stratum 10

# Enable NTP authentication (optional); clients select a key from this
# file with the "key N" option on their server line
keyfile /etc/chrony.keys

# Log statistics, measurements and tracking information
log statistics measurements tracking

# Maximum number of samples kept per source
maxsamples 8

# Step the clock if the offset exceeds 0.1 s during the first 3 updates
makestep 0.1 3
```

Older guides also list a `commandkey` directive here. It is obsolete: `chronyc` authenticates its control commands over a Unix domain socket, so no command key is needed.

### Hardware Timestamping

For improved accuracy on supported network interfaces:

```bash
# In /etc/chrony.conf: enable hardware timestamping on a specific interface
hwtimestamp eth0

# ...or on all interfaces that support it
hwtimestamp *
```

Check whether the interface supports hardware timestamping before enabling it:

```bash
sudo ethtool -T eth0
```

### PPS (Pulse Per Second) Configuration

For systems with GPS or other PPS sources:

```bash
# PPS reference, locked to the NMEA source for the second number, preferred over NTP sources
refclock PPS /dev/pps0 lock NMEA refid GPS prefer

# NMEA time from gpsd via shared memory; only used to label the PPS pulses, never selected itself
refclock SHM 0 offset 0.5 delay 0.2 refid NMEA noselect
```

## Managing Chrony Services

### Service Management Commands

```bash
# Start chrony service
sudo systemctl start chronyd

# Stop chrony service
sudo systemctl stop chronyd

# Restart chrony service
sudo systemctl restart chronyd

# Enable automatic startup
sudo systemctl enable chronyd

# Disable automatic startup
sudo systemctl disable chronyd

# Check service status
sudo systemctl status chronyd

# View service logs
sudo journalctl -u chronyd -f
```

### Configuration Reload

`chronyd` does not re-read `chrony.conf` while it is running, so a change to the main file needs `systemctl restart chronyd`. Source definitions placed in a `sourcedir` directory (chrony 4.0 and later) can be reloaded without a restart:

```bash
# Reload *.sources files from the configured sourcedir directories
sudo chronyc reload sources
```

## Monitoring and Verification

### Using chronyc for Monitoring

The `chronyc` command provides extensive monitoring capabilities:

```bash
# Check synchronization sources
chronyc sources

# Detailed source information
chronyc sources -v

# Show source statistics
chronyc sourcestats

# Display tracking information
chronyc tracking

# Show current activity
chronyc activity
```

### Understanding chronyc Output

#### Sources Command Output

```bash
$ chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp1.example.com              2   6   377    45   +123us[ +156us] +/-   15ms
^* ntp2.example.com              2   6   377    46   -234us[ -201us] +/-   12ms
^+ ntp3.example.com              1   6   377    47   +456us[ +489us] +/-   18ms
^- ntp4.example.com              3   6   377    48  +2.1ms[+2.13ms] +/-   25ms
```

Column explanations:

- M: Mode indicator (`^` = server, `=` = peer, `#` = locally attached reference clock)
- S: Source state (`*` = current synchronization source, `+` = acceptable and combined, `-` = acceptable but excluded from the combination, `?` = unreachable, `x` = falseticker)
- Stratum: Distance from the reference clock
- Poll: Polling interval as log2 seconds (6 = 64 seconds)
- Reach: Reachability register (octal; 377 means the last eight polls were all answered)
- LastRx: Time since the last packet was received
- Last sample: Offset of the last measurement (adjusted offset in brackets) and the estimated error

#### Tracking Command Output

```bash
$ chronyc tracking
Reference ID    : C0A80101 (192.168.1.1)
Stratum         : 3
Ref time (UTC)  : Thu Mar 15 10:30:45 2024
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000234567 seconds
RMS offset      : 0.000345678 seconds
Frequency       : 15.123 ppm slow
Residual freq   : +0.456 ppm
Skew            : 0.789 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.023456789 seconds
Update interval : 64.0 seconds
Leap status     : Normal
```

### Continuous Monitoring

Set up continuous monitoring with `watch`:

```bash
# Monitor sources continuously
watch -n 5 'chronyc sources'

# Monitor tracking information
watch -n 10 'chronyc tracking'
```

## Practical Examples and Use Cases

### Example 1: Basic Home Network Setup

For a home network with one server and multiple clients:

Server configuration (`/etc/chrony.conf`):

```bash
# External time sources
pool pool.ntp.org iburst

# Allow local network clients
allow 192.168.1.0/24

# Serve time locally if external sources fail
local stratum 10

# Basic settings
makestep 1.0 3
rtcsync
driftfile /var/lib/chrony/drift
```

Client configuration (`/etc/chrony.conf`):

```bash
# Use the local server as the primary source
server 192.168.1.100 iburst prefer

# Backup external sources
pool pool.ntp.org iburst

# Basic settings
makestep 1.0 3
rtcsync
driftfile /var/lib/chrony/drift
```

### Example 2: Enterprise Network with Multiple Servers

For a large enterprise network with redundant NTP servers:

Primary server configuration:

```bash
# Upstream public servers (note: pool.ntp.org is a pool of volunteer servers, not stratum 1)
server time.nist.gov iburst
server time.google.com iburst
server pool.ntp.org iburst

# Allow enterprise network
allow 10.0.0.0/8
allow 172.16.0.0/12
allow 192.168.0.0/16

# Security settings: listen only on the internal address
bindaddress 10.1.1.10
port 123

# Logging
log statistics measurements tracking
logdir /var/log/chrony
```

Note that `time.google.com` smears leap seconds over 24 hours instead of inserting them; mixing it with servers that apply leap seconds conventionally can give conflicting measurements around a leap event.

Secondary server configuration:

```bash
# Primary internal server
server 10.1.1.10 iburst prefer

# External backup sources
server time.nist.gov iburst
server time.google.com iburst

# Serve to network
allow 10.0.0.0/8

# Higher fallback stratum than the primary, to preserve the hierarchy
local stratum 12
```

### Example 3: GPS Time Server

For a GPS-based time server setup:

```bash
# GPS PPS reference
refclock PPS /dev/pps0 refid GPS precision 1e-7

# GPS NMEA data from gpsd via shared memory (labels the pulses, not selected itself)
refclock SHM 0 refid NMEA offset 0.5 delay 0.2 noselect

# External source for backup; maxdelay is a per-source option, so it goes on this line
server pool.ntp.org iburst maxdelay 0.01

# Network access
allow 192.168.0.0/16

# High precision: reject sources whose root distance exceeds 0.1 s
maxdistance 0.1
```

## Troubleshooting Common Issues

### Issue 1: Chrony Not Synchronizing

Symptoms: System time remains incorrect, no synchronization occurring.

Diagnosis commands:

```bash
# Check service status
sudo systemctl status chronyd

# View detailed source information
chronyc sources -v

# Check tracking status
chronyc tracking

# View logs
sudo journalctl -u chronyd --no-pager
```

Common solutions:

1. Firewall issues:

```bash
# Allow inbound NTP for server mode (Ubuntu/Debian with ufw)
sudo ufw allow ntp

# For iptables: let client queries out and server replies back in
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A INPUT -p udp --sport 123 -j ACCEPT
```

2. Network connectivity:

```bash
# Test NTP server connectivity (ntpdate is a separate package)
ntpdate -q pool.ntp.org

# Same check with chronyd itself: query once, print the offset, do not set the clock
sudo chronyd -Q 'pool pool.ntp.org iburst'

# Check DNS resolution
nslookup pool.ntp.org
```

3. Configuration errors:

```bash
# Parse the configuration and perform a one-shot measurement without touching the clock
sudo chronyd -Q -f /etc/chrony.conf

# Run in the foreground with debug output to see errors as they happen
sudo chronyd -n -d
```

### Issue 2: Large Time Offset

Symptoms: System time is significantly different from the actual time.

Solutions:

1. Manual time step:

```bash
# Step the clock immediately
sudo chronyc makestep

# Or allow stepping at any time (not only during the first updates) in the configuration
echo "makestep 1.0 -1" | sudo tee -a /etc/chrony.conf
```

2. Reset the drift file:

```bash
# Stop chrony
sudo systemctl stop chronyd

# Remove the drift file
sudo rm /var/lib/chrony/drift

# Restart chrony
sudo systemctl start chronyd
```

### Issue 3: High Jitter or Unstable Synchronization

Diagnosis:

```bash
# Check source statistics
chronyc sourcestats -v

# Monitor tracking over time
watch -n 5 'chronyc tracking'
```

Solutions:

1. Improve source selection:

```bash
# Use geographically closer servers
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst

# Require more agreeing sources before adjusting the clock
minsources 3
```

2. Adjust polling settings (`minpoll` and `maxpoll` are per-source options, given as powers of two seconds):

```bash
# Poll between 16 s (2^4) and 1024 s (2^10)
server 0.us.pool.ntp.org iburst minpoll 4 maxpoll 10
```

### Issue 4: Permission and Access Issues

Symptoms: The chrony daemon fails to start or cannot access its files.

Solutions:

1. File permissions:

```bash
# Fix chrony directory permissions
sudo chown -R chrony:chrony /var/lib/chrony
sudo chmod 755 /var/lib/chrony

# Fix log directory
sudo chown -R chrony:chrony /var/log/chrony
sudo chmod 755 /var/log/chrony
```

2. SELinux issues (RHEL/CentOS):

```bash
# Check SELinux denials
sudo ausearch -m avc -ts recent | grep chronyd

# Restore the default SELinux contexts
sudo restorecon -R /var/lib/chrony
sudo restorecon /etc/chrony.conf
```

## Best Practices and Security

### Security Considerations

1. Access control:

```bash
# Restrict client access to one subnet and deny everything else
allow 192.168.1.0/24
deny all

# Bind the NTP server socket to a specific address
bindaddress 192.168.1.100
```

2. Authentication:

```bash
# In /etc/chrony.conf
keyfile /etc/chrony.keys

# Create the key file. Each line has the form "<id> <type> HEX:<key>", e.g.
# "1 SHA1 HEX:1234567890ABCDEF1234567890ABCDEF12345678"; let chronyc generate
# a random key rather than typing one
chronyc keygen 1 SHA256 256 | sudo tee /etc/chrony.keys
sudo chmod 640 /etc/chrony.keys
sudo chown root:chrony /etc/chrony.keys

# On each client, reference the same key id on the server line
server 192.168.1.100 iburst key 1
```

3. Rate limiting:

```bash
# Limit client request rate: mean interval 2^3 = 8 s per client, bursts of up to 8 packets
ratelimit interval 3 burst 8

# Memory (in bytes) used to track client addresses; rate limiting needs this table
clientloglimit 1048576
```

### Performance Optimization

1. Hardware timestamping:

```bash
# In /etc/chrony.conf: enable for supported interfaces
hwtimestamp eth0
```

```bash
# Check support
sudo ethtool -T eth0 | grep PTP
```

2. CPU scheduling:

```bash
# Run chronyd with real-time priority
echo "sched_priority 1" | sudo tee -a /etc/chrony.conf

# Lock chronyd's memory pages so they are never swapped out
echo "lock_all" | sudo tee -a /etc/chrony.conf
```

3. Network optimization:

```bash
# Use burst mode for faster initial synchronization and tune the polling range
server pool.ntp.org iburst minpoll 4 maxpoll 9
```

### Monitoring and Alerting

Set up monitoring scripts:

```bash
#!/bin/bash
# /usr/local/bin/chrony-monitor.sh

# Absolute offset of the system clock in seconds (the fast/slow direction is dropped)
OFFSET=$(chronyc tracking | grep "System time" | awk '{print $4}')
OFFSET_NUM=$(echo "$OFFSET" | sed 's/[^0-9.-]//g')
if (( $(echo "$OFFSET_NUM > 0.1" | bc -l) )); then
    echo "WARNING: Time offset too large: $OFFSET"
    # Send alert (email, SNMP, etc.)
fi

# Count the sources chronyd actually uses ('*' selected, '+' combined)
SOURCES=$(chronyc sources | grep -c "^\^[*+]")
if [ "$SOURCES" -lt 2 ]; then
    echo "WARNING: Insufficient good time sources: $SOURCES"
fi
```

### Backup and Recovery

1. Configuration backup:

```bash
# Create configuration backup
sudo cp /etc/chrony.conf /etc/chrony.conf.backup.$(date +%Y%m%d)

# Backup drift file
sudo cp /var/lib/chrony/drift /var/lib/chrony/drift.backup
```

2. Disaster recovery:

```bash
#!/bin/bash
# Emergency time sync script
sudo systemctl stop chronyd
# Set the clock once and exit (ntpdate -s pool.ntp.org does the same if ntpdate is installed)
sudo chronyd -q 'pool pool.ntp.org iburst'
sudo systemctl start chronyd
```

## Performance Optimization

### Fine-tuning Chrony Parameters

1. Polling optimization (`minpoll`/`maxpoll` are per-source options):

```bash
# Stable networks: poll every 64 s (2^6) to 1024 s (2^10)
server 0.pool.ntp.org iburst minpoll 6 maxpoll 10

# Unstable networks: poll every 16 s (2^4) to 256 s (2^8)
server 0.pool.ntp.org iburst minpoll 4 maxpoll 8
```

2. Source selection:

```bash
# Require minimum sources for synchronization
minsources 3

# Maximum servers to resolve from a pool (per-pool option)
pool 2.pool.ntp.org iburst maxsources 10

# Combine sources whose distance is within 3x that of the best source
combinelimit 3
```

3. Accuracy improvements:

```bash
# Reject sources whose root distance exceeds 0.1 s
maxdistance 0.1

# Ignore measurements with a round-trip delay above 0.3 s (per-source option)
server 0.pool.ntp.org iburst maxdelay 0.3

# Maximum frequency error chronyd will assume for the local clock (ppm)
maxdrift 500
```

### System-level Optimizations

1. Kernel configuration:

```bash
# chronyd disciplines the kernel clock itself; no sysctl is needed to hand it over.
# Larger socket buffers help busy servers avoid dropped NTP packets
echo 'net.core.rmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

2. Process priority:

```bash
# Set chronyd process priority
echo 'sched_priority 1' | sudo tee -a /etc/chrony.conf

# Lock memory to prevent swapping
echo 'lock_all' | sudo tee -a /etc/chrony.conf
```

## Conclusion

Chrony is a powerful and flexible time synchronization solution that offers significant advantages over traditional NTP implementations. Throughout this comprehensive guide, we've covered everything from basic installation to advanced configuration, troubleshooting, and optimization techniques.

### Key Takeaways

1. Installation and Setup: Chrony is available on all major Linux distributions and can be easily installed using package managers.
2. Configuration Flexibility: The configuration file allows for extensive customization, from simple client setups to complex server hierarchies.
3. Superior Performance: Chrony excels in environments with intermittent connectivity and provides faster convergence times.
4. Monitoring Capabilities: The chronyc utility provides comprehensive monitoring and diagnostic tools.
5. Security Features: Built-in authentication, access controls, and rate limiting help secure your time infrastructure.
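The monitor script in the Monitoring and Alerting section needs `bc` and ignores the leap status. The following health check is an added example, not part of the original guide: POSIX sh plus awk, run over constructed `chronyc tracking` and `chronyc sources` output, reporting a large offset, a non-Normal leap status, or too few usable sources. The thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): health check over chronyc
# output in POSIX sh + awk. Thresholds are assumptions, adjust to taste.
MAX_OFFSET_S=0.1      # same 100 ms threshold as the guide's monitor script
MIN_GOOD_SOURCES=2

# Constructed sample of `chronyc tracking` (an unhealthy host: 250 ms slow)
SAMPLE_TRACKING='Reference ID    : C0A80101 (192.168.1.1)
Stratum         : 3
System time     : 0.250123456 seconds slow of NTP time
Leap status     : Normal'

# Constructed sample of `chronyc sources` (two usable sources, one unreachable)
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp2.example.com              2   6   377    46   -234us[ -201us] +/-   12ms
^+ ntp1.example.com              2   6   377    45   +123us[ +156us] +/-   15ms
^? ntp4.example.com              0   6     0     -     +0ns[   +0ns] +/-    0ns'

# Absolute clock offset in seconds; "fast" and "slow" both count as error
tracking_offset() {
    printf '%s\n' "$1" | awk '/^System time/ { print $4; exit }'
}

# Leap status word: Normal, Insert second, Delete second or Not synchronised
tracking_leap() {
    printf '%s\n' "$1" | awk -F': ' '/^Leap status/ { print $2; exit }'
}

# Sources chronyd actually uses: '*' (selected) and '+' (combined)
good_sources() {
    printf '%s\n' "$1" | grep -c '^\^[*+]' || true   # grep -c exits 1 on zero matches
}

# $1 = tracking output, $2 = sources output. Returns 0 when healthy,
# 1 otherwise, printing one WARNING line per finding.
check_chrony() {
    rc=0
    off=$(tracking_offset "$1"); leap=$(tracking_leap "$1"); good=$(good_sources "$2")
    # awk does the float comparison, so bc is not needed on the host
    if [ -z "$off" ] || awk -v o="$off" -v m="$MAX_OFFSET_S" 'BEGIN { exit !(o > m) }'; then
        echo "WARNING: clock offset ${off:-unknown}s exceeds ${MAX_OFFSET_S}s"; rc=1
    fi
    if [ "$leap" != "Normal" ]; then
        echo "WARNING: leap status is '${leap:-unknown}'"; rc=1
    fi
    if [ "$good" -lt "$MIN_GOOD_SOURCES" ]; then
        echo "WARNING: only $good usable sources, need $MIN_GOOD_SOURCES"; rc=1
    fi
    return $rc
}

# On a real host: check_chrony "$(chronyc tracking)" "$(chronyc sources)"
check_chrony "$SAMPLE_TRACKING" "$SAMPLE_SOURCES" || echo "chrony health: problems found"
```

Run it from cron or a systemd timer and forward the exit status to your alerting system.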
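Several of the configuration pitfalls discussed in this guide (a bare `allow`, `minpoll`/`maxpoll` written as global directives, the obsolete `commandkey`, sources with neither `key` nor `nts`, no `minsources`) can be caught mechanically before a restart. The audit below is an added example, not part of the original guide or of chrony; its rules and messages are my own and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit a chrony.conf for the
# misconfigurations this guide warns about. The rules and messages are my own.

# Constructed weak config that repeats common mistakes
WEAK_CONF='server 0.pool.ntp.org iburst
allow
minpoll 4
maxpoll 10
commandkey 1
keyfile /etc/chrony.keys'

# Constructed hardened counterpart
GOOD_CONF='pool 2.pool.ntp.org iburst minpoll 4 maxpoll 10 key 1
keyfile /etc/chrony.keys
minsources 2
allow 192.168.1.0/24
ratelimit interval 3 burst 8'

# Prints one finding per line for the config text in $1; prints nothing when clean
audit_chrony_conf() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*$/ { next }                     # skip blank lines
        $1 == "allow" && NF == 1 {
            print "allow without a subnet permits every client; restrict it" }
        $1 == "commandkey" {
            print "commandkey is obsolete; chronyc authenticates over the Unix socket" }
        $1 ~ /^(minpoll|maxpoll|maxdelay|maxsources)$/ {
            print $1 " is a per-source option; put it on the server/pool line" }
        $1 == "minsources" { have_minsources = 1 }
        $1 ~ /^(server|pool|peer)$/ && $0 !~ / (key|nts)( |$)/ {
            print "unauthenticated source " $2 " (add \"key N\" or \"nts\")" }
        END { if (!have_minsources)
            print "minsources not set; one bad source can steer the clock" }'
}

# Number of findings, for use in scripts and exit codes (0 = clean)
audit_count() {
    audit_chrony_conf "$1" | grep -c . || true
}

# On a real host: audit_chrony_conf "$(cat /etc/chrony.conf)"
echo "weak config: $(audit_count "$WEAK_CONF") findings"
echo "hardened config: $(audit_count "$GOOD_CONF") findings"
```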
### Next Steps

After implementing chrony in your environment, consider these next steps:

1. Implement Monitoring: Set up automated monitoring and alerting for time synchronization issues.
2. Security Hardening: Apply security best practices including authentication and access controls.
3. Performance Tuning: Fine-tune parameters based on your specific network conditions and requirements.
4. Documentation: Document your configuration and procedures for team members and future reference.
5. Regular Maintenance: Establish procedures for regular configuration reviews and updates.

### Additional Resources

- Official Documentation: [chrony.tuxfamily.org](https://chrony.tuxfamily.org/)
- NTP Pool Project: [pool.ntp.org](https://pool.ntp.org/)
- Time Synchronization Best Practices: Consult your organization's IT security policies
- Network Time Security: RFC 8915 for NTS (Network Time Security) implementation

By following this guide and implementing the best practices outlined, you'll have a robust, accurate, and secure time synchronization infrastructure that will serve your organization's needs effectively. Remember that time synchronization is critical for many applications, including logging, authentication, distributed systems, and compliance requirements, making proper implementation essential for any production environment.