17.2. Understanding chrony and Its Configuration
17.2.1. Understanding chronyd
chronyd, can be monitored and controlled by the command line utility chronyc. This utility provides a command prompt which allows entering a number of commands to query the current state of
chronydand make changes to its configuration. By default,
chronydaccepts only commands from a local instance of chronyc, but it can be configured to accept monitoring commands also from remote hosts. The remote access should be restricted.
17.2.2. Understanding chronyc
chronyd, can be controlled by the command line utility chronyc. This utility provides a command prompt which allows entering a number of commands to query the current state of
chronydand to make changes to its configuration. The default configuration is for
chronydto only accept commands from a local instance of chronyc, but it can be configured to accept monitoring commands also from remote hosts. The remote access should be restricted.
17.2.3. Understanding the chrony Configuration Commands
-foption can be used to specify an alternate configuration file path. See the
chronydman page for further options. For a complete list of the directives that can be used see http://chrony.tuxfamily.org/manual.html#Configuration-file.
- Comments should be preceded by #, %, ; or !
- Optionally specify a host, subnet, or network from which to allow
NTPconnections to a machine acting as
NTPserver. The default is not to allow connections.
allow 192.0.2.0/24Use this command to grant access to a specific network.
allow 2001:0db8:85a3::8a2e:0370:7334Use this this command to grant access to an
- The UDP port number 123 needs to be open in the firewall in order to allow the client access:
firewall-cmd --zone=public --add-port=123/udpIf you want to open port 123 permanently, use the
firewall-cmd --permanent --zone=public --add-port=123/udp
- This is similar to the
allowdirective (see section
allow), except that it allows control access (rather than
NTPclient access) to a particular subnet or host. (By “control access” is meant that chronyc can be run on those hosts and successfully connect to
chronydon this computer.) The syntax is identical. There is also a
cmddeny alldirective with similar behavior to the
- Path to the directory to save the measurement history across restarts of
chronyd(assuming no changes are made to the system clock behavior whilst it is not running). If this capability is to be used (via the
dumponexitcommand in the configuration file, or the
dumpcommand in chronyc), the
dumpdircommand should be used to define the directory where the measurement histories are saved.
- If this command is present, it indicates that
chronydshould save the measurement history for each of its time sources recorded whenever the program exits. (See the
hwtimestampdirective enables hardware timestamping for extremely accurate synchronization. For more details, see
localkeyword is used to allow
chronydto appear synchronized to real time from the viewpoint of clients polling it, even if it has no current synchronization source. This option is normally used on the “master” computer in an isolated network, where several computers are required to synchronize to one another, and the “master” is kept in line with real time by manual input.An example of the command is:
local stratum 10A large value of 10 indicates that the clock is so many hops away from a reference clock that its time is unreliable. If the computer ever has access to another computer which is ultimately synchronized to a reference clock, it will almost certainly be at a stratum less than 10. Therefore, the choice of a high value like 10 for the
localcommand prevents the machine’s own time from ever being confused with real time, were it ever to leak out to clients that have visibility of real servers.
logcommand indicates that certain information is to be logged. It accepts the following options:The log files are written to the directory specified by the
- This option logs the raw
NTPmeasurements and related information to a file called
- This option logs information about the regression processing to a file called
- This option logs changes to the estimate of the system’s gain or loss rate, and any slews made, to a file called
- This option logs information about the system’s real-time clock.
- This option logs the raw and filtered reference clock measurements to a file called
- This option logs the temperature measurements and system rate compensations to a file called
logdircommand. An example of the command is:
log measurements statistics tracking
- This directive allows the directory where log files are written to be specified. An example of the use of this directive is:
chronydwill cause the system to gradually correct any time offset, by slowing down or speeding up the clock as required. In certain situations, the system clock may be so far adrift that this slewing process would take a very long time to correct the system clock. This directive forces
chronydto step system clock if the adjustment is larger than a threshold value, but only if there were no more clock updates since
chronydwas started than a specified limit (a negative value can be used to disable the limit). This is particularly useful when using reference clock, because the
initstepslewdirective only works with
NTPsources.An example of the use of this directive is:
makestep 1000 10This would step the system clock if the adjustment is larger than 1000 seconds, but only in the first ten clock updates.
- This directive sets the maximum allowed offset corrected on a clock update. The check is performed only after the specified number of updates to allow a large initial adjustment of the system clock. When an offset larger than the specified maximum occurs, it will be ignored for the specified number of times and then
chronydwill give up and exit (a negative value can be used to never exit). In both cases a message is sent to syslog.An example of the use of this directive is:
maxchange 1000 1 2After the first clock update,
chronydwill check the offset on every clock update, it will ignore two adjustments larger than 1000 seconds and exit on another one.
- One of
chronyd's tasks is to work out how fast or slow the computer’s clock runs relative to its reference sources. In addition, it computes an estimate of the error bounds around the estimated value. If the range of error is too large, it indicates that the measurements have not settled down yet, and that the estimated gain or loss rate is not very reliable. The
maxupdateskewparameter is the threshold for determining whether an estimate is too unreliable to be used. By default, the threshold is 1000 ppm. The format of the syntax is:
maxupdateskew skew-in-ppmTypical values for skew-in-ppm might be 100 for a dial-up connection to servers over a telephone line, and 5 or 10 for a computer on a LAN. It should be noted that this is not the only means of protection against using unreliable estimates. At all times,
chronydkeeps track of both the estimated gain or loss rate, and the error bound on the estimate. When a new estimate is generated following another measurement from one of the sources, a weighted combination algorithm is used to update the master estimate. So if
chronydhas an existing highly-reliable master estimate and a new estimate is generated which has large error bounds, the existing master estimate will dominate in the new master estimate.
minsourcesdirective sets the minimum number of sources that need to be considered as selectable in the source selection algorithm before the local clock is updated.The format of the syntax is:
minsources number-of-sourcesBy default, number-of-sources is 1. Setting minsources to a larger number can be used to improve the reliability, because multiple sources will need to correspond with each other.
- This directive, which takes no arguments, specifies that client accesses are not to be logged. Normally they are logged, allowing statistics to be reported using the clients command in chronyc.
chronydselects synchronization source from available sources, it will prefer the one with minimum synchronization distance. However, to avoid frequent reselecting when there are sources with similar distance, a fixed distance is added to the distance for sources that are currently not selected. This can be set with the
reselectdistoption. By default, the distance is 100 microseconds.The format of the syntax is:
stratumweightdirective sets how much distance should be added per stratum to the synchronization distance when
chronydselects the synchronization source from available sources.The format of the syntax is:
stratumweight dist-in-secondsBy default, dist-in-seconds is 1 millisecond. This means that sources with lower stratum are usually preferred to sources with higher stratum even when their distance is significantly worse. Setting
stratumweightto 0 makes
chronydignore stratum when selecting the source.
rtcfiledirective defines the name of the file in which
chronydcan save parameters associated with tracking the accuracy of the system’s real-time clock (RTC). The format of the syntax is:
chronydsaves information in this file when it exits and when the
writertccommand is issued in chronyc. The information saved is the RTC’s error at some epoch, that epoch (in seconds since January 1 1970), and the rate at which the RTC gains or loses time. Not all real-time clocks are supported as their code is system-specific. Note that if this directive is used then the real-time clock should not be manually adjusted as this would interfere with chrony's need to measure the rate at which the real-time clock drifts if it was adjusted at random intervals.
rtcsyncdirective is present in the
/etc/chrony.conffile by default. This will inform the kernel the system clock is kept synchronized and the kernel will update the real-time clock every 11 minutes.
17.2.4. Security with chronyc
chronydin two ways:
- Internet Protocol (IPv4 or IPv6,
- Unix domain socket, which is accessible locally by the
rootor chrony user.
/var/run/chrony/chronyd.sock. If this connection fails, which can happen for example when chronyc is running under a non-root user, chronyc tries to connect to 127.0.0.1 and then ::1.
chronyd, are allowed from the network:
- manual list
chronydaccepts these commands can be configured with the
cmdallowdirective in the configuration file of
chronyd, or the
cmdallowcommand in chronyc. By default, the commands are accepted only from localhost (127.0.0.1 or ::1).
chronydresponds with a
Not authorisederror, even if it is from localhost.
Procedure 17.1. Accessing chronyd remotely with chronyc
- Allow access from both IPv4 and IPv6 addresses by adding the following to the
- Allow commands from the remote IP address, network, or subnet by using the
Example 17.1.Add the following content to the
- Open port 323 in the firewall to connect from a remote system.
firewall-cmd --zone=public --add-port=323/udpIf you want to open port 323 permanently, use the
firewall-cmd --permanent --zone=public --add-port=323/udp
allowdirective is for
NTPaccess whereas the
cmdallowdirective is to enable receiving of remote commands. It is possible to make these changes temporarily using chronyc running locally. Edit the configuration file to make permanent changes.