chrony

From Gentoo Wiki
Jump to:navigation Jump to:search

chrony is a versatile implementation of the Network Time Protocol (NTP). It can synchronize the system clock with NTP servers, reference clocks (e.g. GPS receiver), and manual input using wristwatch and keyboard. It can also operate as an NTPv4 (RFC 5905) server and peer to provide a time service to other computers in the network.

Installation

USE flags

USE flags for net-misc/chrony NTP client and server programs

caps Use Linux capabilities library to control privilege
cmdmon Support for command and monitoring
debug Get DEBUG_LOG output from chronyd when passing -dd parameter
html Install HTML documentation
libtomcrypt Support different hashes via dev-libs/libtomcrypt
nettle Use dev-libs/nettle for hash functions or nts
nss Use dev-libs/nss for hash functions
ntp Support for the Network Time Protocol (NTP)
nts Support for Network Time Security (NTS). Uses net-libs/gnutls
phc Support for the PTP (Precision Time Protocol) Hardware Clock (PHC) interface
pps Support for the Linux Pulse Per Second (PPS) interface
readline Enable support for libreadline, a GNU line-editing library that almost everyone wants
refclock Support for reference clocks
rtc Support for the Linux Real Time Clock interface
samba Add support for SAMBA (Windows File and Printer sharing)
seccomp Enable seccomp (secure computing mode) to perform system call filtering at runtime to increase security of programs
sechash Enable support for hashes other than MD5
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
verify-sig Verify upstream signatures on distfiles

Emerge

Install the chrony package:

root #emerge --ask net-misc/chrony

Configuration

/etc/chrony/chrony.conf is the configuration file for chronyd. The default configuration is populated with:

FILE /etc/chrony/chrony.conf
# Use public NTP servers from the pool.ntp.org project.
pool pool.ntp.org iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

hwclockfile /etc/adjtime
Note
Time zones and location of the server do not matter for the NTP protocol; it synchronizes via UTC.

On systems where a network connection is not always available at boot (laptops, etc.), it might help to change the pool line in the server configuration:

FILE /etc/chrony/chrony.conf
pool pool.ntp.org iburst auto_offline

This tells chronyd that the machine will be assumed to have gone offline when 2 requests have been sent to it without receiving a response.

Use the chronyc online command to re-enable polling (See below)

Enable Network Time Security (NTS)

NTS provides cryptographic security on NTP client-server connections using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) RFC8915. In order to use this, set specific servers supporting NTS:

FILE /etc/chrony/chrony.conf
# List of NTS servers:

server time.cloudflare.com              iburst nts
server virginia.time.system76.com       iburst nts
server ohio.time.system76.com           iburst nts
server oregon.time.system76.com         iburst nts

server nts.netnod.se                    iburst nts

server nts.time.nl                      iburst nts

server ptbtime1.ptb.de                  iburst nts
server ptbtime2.ptb.de                  iburst nts
server ptbtime3.ptb.de                  iburst nts

# NTS cookie jar to minimise NTS-KE requests upon chronyd restart
ntsdumpdir /var/lib/chrony
Warning
Most NTP pools do not support NTS.
Tip
NTS uses TCP/4460 while standard NTP uses UDP/123.

Use UTC time

chronyd assumes by default that the RTC keeps local time (including any daylight saving changes). To use UTC instead use:

FILE /etc/chrony/chrony.conf
rtconutc

Acting as a local NTP server

By default, chronyd only synchronizes the local machine time. By adding allow and deny rules, it will act as a local NTP source:

FILE /etc/chrony/chrony.conf
# Note order does not matter for this example, order does matter with 'allow all' or 'deny all'
# Allow a specific IP
allow 192.0.2.1
# Deny the 198.51.100.0/24 subnet (example)
deny 198.51.100
# Allow all of the 192.0.2.0 subnet
allow 192.0.2

DHCP

To avoid DHCP replacing the local NTP config and the DHCP server is configured with NTP destinations (rare in home use), consider the following configuration options:

netifrc

FILE /etc/conf.d/net
dhcp="nontp"

Usage

chronyc Client Interface Tool

chronyc is a command-line interface program which can be used to monitor chronyd's performance and to change various operating parameters whilst it is running. A full list of commands can be found in the manual, man 1 chronyc

Examples:

root #chronyc offline # Set all sources offline
root #chronyc online # Set all sources online

chronyd service

OpenRC

Add chronyd to the default runlevel to have the time synchronized automatically.

root #rc-service chronyd start
root #rc-update add chronyd default

To monitor status of the server:

root #rc-service chronyd status

systemd

To run the chronyd sync service:

root #systemctl start chronyd.service

To have the chronyd sync service start at boot:

root #systemctl enable chronyd.service

To monitor status of the chronyd service:

root #systemctl status chronyd.service

See also

External resources