
Chrony NTP Configuration

By default, the CentOS-based Management Console RPM uses chrony as its NTP client, and the default chrony configuration references public NTP servers. To configure chrony so that it does not communicate with external time servers and adheres to your company's security policy, consider the following actions:

  1. Refer to your security policy to ensure your NTP configuration complies with set standards. Considerations should include:

    • Confirming whether your company's DNS server provides an NTP server or server pool.

    • Removing public server pools from chrony.conf

    • Adding your own public server pool to chrony.conf

    • Disabling chrony

  2. Review the current Management Console chrony configuration by entering the chronyc sources -v command from the Management Console's console. The command provides a verbose listing of the NTP servers chrony is syncing to.

  3. Consider using internal NTP servers authorized by your company's security policy by editing the /etc/chrony.conf file.

Example

We have provided the following example of viewing and editing an NTP configuration. In this example, the default NTP servers are commented out and replaced by another NTP server.

  1. Check the currently used NTP servers using chronyc sources -v.

    [kono@localhost etc]$ chronyc sources -v
    210 Number of sources = 6
    
    .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
    / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
    | /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
    ||                                                 .- xxxx [ yyyy ] +/- zzzz
    ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
    ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
    ||                                \     |          |  zzzz = estimated error.
    ||                                 |    |           \
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* ip225.ip-54-39-173.net        2  10   377   652  +4224us[+4594us] +/-   35ms
    ^+ k8s-w02.tblflp.zone           2   9   373   147    -12ms[  -12ms] +/-   73ms
    ^- ntp2.torix.ca                 2   9   377   113  +1082us[+1082us] +/-  538ms
    ^- dns2.switch.ca                3   9   377    95   +750us[ +750us] +/-  532ms
    ^- DC01.tera.local          3   6   377    48  -1332us[-1332us] +/-   98ms
    ^- DC02.tera.local          4   6   377    45  -1014us[-1014us] +/-  135ms
    [kono@localhost etc]$
    
  2. Edit the chrony.conf file to change the referenced NTP servers using the sudo vi chrony.conf command. In this example, the public tick.usask.ca and internal 192.168.1.50 NTP servers are added. The iburst option speeds up the first synchronization, and the prefer option tells chrony which NTP server you want it to use when available.

    [kono@localhost etc]$ sudo vi chrony.conf
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (https://www.pool.ntp.org/join.html).
    
    server tick.usask.ca iburst prefer
    server 192.168.1.50 iburst
    # server 0.centos.pool.ntp.org iburst
    # server 1.centos.pool.ntp.org iburst
    # server 2.centos.pool.ntp.org iburst
    # server 3.centos.pool.ntp.org iburst
    
    # Record the rate at which the system clock gains/losses time.
    driftfile /var/lib/chrony/drift
    
    # Allow the system clock to be stepped in the first three updates
    # if its offset is larger than 1 second.
    makestep 1.0 3
    
    # Enable kernel synchronization of the real-time clock (RTC).
    rtcsync
    
    # Enable hardware timestamping on all interfaces that support it.
    #hwtimestamp *
    
    # Increase the minimum number of selectable sources required to adjust
    # the system clock.
    #minsources 2
    
    # Allow NTP client access from local network.
    #allow 192.168.0.0/16
    
    # Serve time even if not synchronized to a time source.
    #local stratum 10
    
    # Specify file containing keys for NTP authentication.
    #keyfile /etc/chrony.keys
    
    # Specify directory for log files.
    logdir /var/log/chrony
    
    # Select which information is logged.
    #log measurements statistics tracking
    
  3. Restart chrony for the changes to take effect using the command sudo systemctl restart chronyd.

    [kono@localhost etc]$ sudo systemctl restart chronyd
    ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
    Authentication is required to manage system services or units.
    Authenticating as: kono
    Password:
    ==== AUTHENTICATION COMPLETE ===
    [kono@localhost etc]$ 
    
  4. Confirm the new configuration of the chrony.conf file by running chronyc sources -v again.

    [kono@localhost etc]$ chronyc sources -v
    210 Number of sources = 4
    
    .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
    / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
    | /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
    ||                                                 .- xxxx [ yyyy ] +/- zzzz
    ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
    ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
    ||                                \     |          |  zzzz = estimated error.
    ||                                 |    |           \
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^- stervandc01a.teradici.lo>     3   6    17     4  -1183us[-1219us] +/-  104ms
    ^* time.usask.ca                 1   6    17     3    -12us[  -48us] +/-   15ms
    ^- GSSDC01.terase.local          3   6    17     3  -4130us[-4130us] +/-  132ms
    ^- GSSDC02.terase.local          4   6    17     3  -3260us[-3260us] +/-  166ms
    [kono@localhost etc]$
    
  5. View status in real time using the command watch chronyc tracking.

    [kono@localhost etc]$ watch chronyc tracking
    Every 2.0s: chronyc tracking
    
    Reference ID    : 80E99AF5 (time.usask.ca)
    Stratum         : 2
    Ref time (UTC)  : Fri Mar 22 15:50:33 2019
    System time     : 0.000050575 seconds slow of NTP time
    Last offset     : -0.000054492 seconds
    RMS offset      : 0.000197914 seconds
    Frequency       : 35.545 ppm slow
    Residual freq   : -0.001 ppm
    Skew            : 0.082 ppm
    Root delay      : 0.029674415 seconds
    Root dispersion : 0.000992690 seconds
    Update interval : 2078.7 seconds
    Leap status     : Normal
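
The review described in the considerations and steps above can be automated. The following is an added example, not part of the original documentation: a shell check that lists the active server, pool and peer lines in a chrony configuration and reports any source missing from an approved list. The function names, the approved.txt file and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a chrony config against an approved-source list.

# Print the address of every active server/pool/peer directive in file $1.
# Commented-out lines are skipped; directive names are matched
# case-insensitively.
chrony_sources() {
    awk '{ d = tolower($1) }
         d == "server" || d == "pool" || d == "peer" { print $2 }' "$1"
}

# Print sources in config $1 that are missing from approved list $2
# (one name or address per line). Returns 0 if compliant, 1 otherwise.
audit_chrony_sources() {
    unapproved=$(chrony_sources "$1" | grep -v -x -i -F -f "$2" || true)
    if [ -z "$unapproved" ]; then
        return 0
    fi
    printf '%s\n' "$unapproved"
    return 1
}

# Constructed sample data: CentOS default pool lines next to one internal
# server, and a hypothetical approved list containing only that server.
write_samples() {
    cat > "$1/chrony.conf" <<'EOF'
server 192.168.1.50 iburst prefer
server 0.centos.pool.ntp.org iburst
# server 1.centos.pool.ntp.org iburst
Pool 2.centos.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
EOF
    printf '%s\n' '192.168.1.50' > "$1/approved.txt"
}

tmp=$(mktemp -d)
write_samples "$tmp"
if audit_chrony_sources "$tmp/chrony.conf" "$tmp/approved.txt"; then
    echo "chrony.conf: all sources approved"
else
    echo "chrony.conf: unapproved sources listed above"
fi
rm -rf "$tmp"
```

The check reads only the file it is given, so any file pulled in through an include directive needs to be audited the same way.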
    

Disabling Chrony

If required, disable chrony by issuing the following commands:

  1. sudo systemctl stop chronyd to stop the chronyd service.

  2. sudo systemctl disable chronyd to disable the chrony service.

Issue the systemctl status chronyd command to confirm chrony is disabled.