Chapter 30. Using the Chrony suite to configure NTP
Accurate timekeeping is important for a number of reasons in IT. In networking, for example, accurate time stamps in packets and logs are required. In Linux systems, the NTP protocol is implemented by a daemon running in user space.
The user space daemon updates the system clock running in the kernel. The system clock can keep time by using various clock sources. Usually, the Time Stamp Counter (TSC) is used. The TSC is a CPU register which counts the number of cycles since it was last reset. It is very fast, has a high resolution, and there are no interruptions.
In Red Hat Enterprise Linux 8, the NTP protocol is implemented by the chronyd daemon, available from the repositories in the
The following sections describe how to use the chrony suite to configure NTP.
30.1. Introduction to chrony suite
chrony is an implementation of the Network Time Protocol (NTP). You can use chrony:
- To synchronize the system clock with
- To synchronize the system clock with a reference clock, for example a GPS receiver
- To synchronize the system clock with a manual time input
- As an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network
chrony performs well in a wide range of conditions, including intermittent network connections, heavily congested networks, changing temperatures (ordinary computer clocks are sensitive to temperature), and systems that do not run continuously, or run on a virtual machine.
Typical accuracy between two machines synchronized over the Internet is within a few milliseconds, and for machines on a LAN within tens of microseconds. Hardware timestamping or a hardware reference clock may improve accuracy between two machines synchronized to a sub-microsecond level.
chrony consists of chronyd, a daemon that runs in user space, and chronyc, a command line program which can be used to monitor the performance of chronyd and to change various operating parameters when it is running.
The chrony daemon, chronyd, can be monitored and controlled by the command line utility chronyc. This utility provides a command prompt which allows entering a number of commands to query the current state of chronyd and make changes to its configuration. By default, chronyd accepts commands only from a local instance of chronyc, but it can be configured to also accept monitoring commands from remote hosts. Remote access should be restricted.
30.2. Using chronyc to control chronyd
This section describes how to control chronyd using the chronyc command line utility.
To make changes to the local instance of chronyd using the command line utility chronyc in interactive mode, enter the following command as
chronyc must run as root if some of the restricted commands are to be used.
The chronyc command prompt will be displayed as follows:
To list all of the commands, type
Alternatively, the utility can also be invoked in non-interactive command mode if called together with a command as follows:
Changes made using chronyc are not permanent; they will be lost after a chronyd restart. For permanent changes, modify
30.3. Migrating to chrony
In Red Hat Enterprise Linux 7, users could choose between ntp and chrony to ensure accurate timekeeping. For differences between ntp and chrony, ntpd and chronyd, see Differences between ntpd and chronyd.
In Red Hat Enterprise Linux 8, ntp is no longer supported. chrony is enabled by default. For this reason, you might need to migrate from ntp to chrony.
Migrating from ntp to chrony is straightforward in most cases. The corresponding names of the programs, configuration files and services are:
Table 30.1. Corresponding names of the programs, configuration files and services when migrating from ntp to chrony
|ntp name||chrony name|
The ntpdate and sntp utilities, which are included in the ntp distribution, can be replaced with chronyd using the -q option or the -t option. The configuration can be specified on the command line to avoid reading /etc/chrony.conf. For example, instead of running
chronyd could be started as:
```
# chronyd -q 'server ntp.example.com iburst'
2018-05-18T12:37:43Z chronyd version 3.3 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
2018-05-18T12:37:43Z Initial frequency -2.630 ppm
2018-05-18T12:37:48Z System clock wrong by 0.003159 seconds (step)
2018-05-18T12:37:48Z chronyd exiting
```
The ntpstat utility, which was previously included in the ntp package and supported only ntpd, now supports both ntpd and chronyd. It is available in the
30.3.1. Migration script
A Python script called ntp2chrony.py is included in the documentation of the chrony package (/usr/share/doc/chrony). The script automatically converts an existing ntp configuration to chrony. It supports the most common directives and options in the ntp.conf file. Any lines that are ignored in the conversion are included as comments in the generated chrony.conf file for review. Keys that are specified in the ntp key file, but are not marked as trusted keys in ntp.conf, are included in the generated chrony.keys file as comments.
By default, the script does not overwrite any files. If /etc/chrony.keys already exists, the -b option can be used to rename the file as a backup. The script supports other options. The --help option prints all supported options.
An example of an invocation of the script with the default ntp.conf provided in the ntp package is:
```
# python3 /usr/share/doc/chrony/ntp2chrony.py -b -v
Reading /etc/ntp.conf
Reading /etc/ntp/crypto/pw
Reading /etc/ntp/keys
Writing /etc/chrony.conf
Writing /etc/chrony.keys
```
The only directive ignored in this case is disable monitor, which has a chrony equivalent in the noclientlog directive, but it was included in the default ntp.conf only to mitigate an amplification attack.
The chrony.conf file typically includes a number of allow directives corresponding to the restrict lines in ntp.conf. If you do not want to run chronyd as an NTP server, remove all allow directives from
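An added example (not part of this documentation or of the chrony package) that lists the lines in a converted chrony.conf which open chronyd to the network: the allow directives described above, and the remote chronyc access that section 30.1 says should be restricted. The sample configuration is constructed, the function name is hypothetical, and cmdallow and bindcmdaddress are chrony directives that do not appear on this page.

```python
import ipaddress

# Constructed sample resembling a converted configuration (not from the page).
SAMPLE_CONF = """\
# Converted from /etc/ntp.conf (constructed sample)
server ntp.example.com iburst
driftfile /var/lib/chrony/drift
allow 192.0.2.0/24
allow
bindcmdaddress 0.0.0.0
cmdallow 198.51.100.7
#allow 203.0.113.0/24
"""

def _is_local(addr):
    """True for loopback addresses and Unix socket paths (local-only)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.startswith("/")

def audit_chrony_conf(text):
    """Return (line_no, directive, finding) for settings that expose chronyd."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;!%":   # chrony.conf comment markers
            continue
        words = line.split()
        name, args = words[0].lower(), words[1:]
        if name in ("allow", "cmdallow"):
            # "all" is a modifier, not a subnet; no subnet means every address.
            scope = [a for a in args if a.lower() != "all"]
            what = "NTP clients" if name == "allow" else "remote chronyc monitoring"
            target = scope[0] if scope else "ANY address"
            findings.append((no, name, f"{what} permitted from {target}"))
        elif name == "bindcmdaddress" and args and not _is_local(args[0]):
            findings.append((no, name, f"command socket bound to {args[0]}"))
    return findings

if __name__ == "__main__":
    for no, name, finding in audit_chrony_conf(SAMPLE_CONF):
        print(f"line {no}: {name}: {finding}")
```

An empty result means the file contains no allow or cmdallow lines and no non-local command socket binding; each reported line should be either removed or narrowed to the subnets that actually need the service.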