In this guide, we are going to learn how to install and setup NTP Server using Chrony on CentOS 8. Chrony is an implementation of the Network Time Protocol (NTP). Compared to NTP implementation, chrony performs well in a wide range of conditions including:
- intermittent network connections,
- heavily congested networks
- changing temperatures
- systems that do not run continuously
Chrony can be used to synchronise the system clock with NTP servers, reference clocks. It can also operate as an NTPv4 server and peer to provide a time service to other computers in the network.
Setup NTP Server using Chrony on CentOS 8
Run System Update
To synchronize system packages to their latest versions, simply execute the command;
Installing Chrony on CentOS 8
Chrony suite is installed by default on RHEL derivatives, CentOS 8 included. You can however verify this by executing the command below;
rpm -q chrony
If the package is installed, you should get an output like;
Otherwise, you will get an output like;
package chrony is not installed
To see more information about Chrony;
rpm -qi chrony
Name : chrony Version : 3.5 Release : 1.el8 Architecture: x86_64 Install Date: Sun 01 Mar 2020 08:07:16 PM EAT Group : System Environment/Daemons Size : 692391 License : GPLv2 Signature : RSA/SHA256, Thu 05 Dec 2019 01:51:32 AM EAT, Key ID 05b555b38483c65d Source RPM : chrony-3.5-1.el8.src.rpm Build Date : Tue 19 Nov 2019 06:32:41 PM EAT Build Host : x86-01.mbox.centos.org Relocations : (not relocatable) Packager : CentOS Buildsys <[email protected]> Vendor : CentOS URL : https://chrony.tuxfamily.org Summary : An NTP client/server Description : chrony is a versatile implementation of the Network Time Protocol (NTP). It can synchronise the system clock with NTP servers, reference clocks (e.g. GPS receiver), and manual input using wristwatch and keyboard. It can also operate as an NTPv4 (RFC 5905) server and peer to provide a time service to other computers in the network.
If for some reasons is not installed by default, you can always install it by running the command below;
dnf install chrony
Configure Chrony as an NTP server on CentOS 8
Assuming Chrony is installed, you can now proceed to configure it to provide time synchronization.
The default configuration file of Chrony is
/etc/chrony.conf. Therefore, we will make most configuration changes in this file.
Set Time Servers
By default, Chrony uses the
2.centos.pool.ntp.org as the default time server. You need to define the time servers close to your region.
To obtain a list of NTP servers close to your region,navigate to Internet Cluster of NTP servers page and select your region. For example, if you are in Europe, below are the available NTP servers;
server 0.europe.pool.ntp.org server 1.europe.pool.ntp.org server 2.europe.pool.ntp.org server 3.europe.pool.ntp.org
To use the pool of NTP servers in your region, simply comment (Add # at the beginning) the line,
pool 2.centos.pool.ntp.org iburst replacing it as follows;
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). # pool 2.centos.pool.ntp.org iburst server 0.europe.pool.ntp.org server 1.europe.pool.ntp.org server 2.europe.pool.ntp.org server 3.europe.pool.ntp.org
Configure NTP Server Access Control
Chrony does not allow any access to NTP server. To restrict or control access to the
NTP service running on a system, use the allow directive. This directive simply is to designate particular servers from which NTP clients are allowed to access the computer as an NTP server.
For example, to allow all servers in the network subnet, 192.168.56.0/24 to access your NTP server;
# Allow NTP client access from local network. #allow 192.168.0.0/16 allow 192.168.56.0/24
Read more on,
Open NTP UDP Port 123 on Firewall
To be able to allow NTP clients access to your NTP server, you need to open port 123/UDP on firewall.
firewall-cmd --add-port=123/udp --permanent
Running Chrony on CentOS 8
Chronyd daemon controls the NTP implementation. As such, you can start and enable it to run on system boot by running the command below;
systemctl enable --now chronyd
systemctl status chronyd
● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2020-03-01 20:59:01 CET; 10s ago Docs: man:chronyd(8) man:chrony.conf(5) Process: 6685 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS) Process: 6681 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 6683 (chronyd) Tasks: 1 (limit: 5047) Memory: 828.0K CGroup: /system.slice/chronyd.service └─6683 /usr/sbin/chronyd ...
Verify Chrony Time Synchronization
chronyc commands is be used to verify Chrony time synchronization with the help of command line options such as
sources, tracking, sourcestats.
To display information about the current time sources that chronyd is accessing, run the command;
210 Number of sources = 4 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^+ 184.108.40.206 2 6 77 30 -1023us[-1499us] +/- 124ms ^+ valoo.patate.ninja 2 6 77 29 +3687us[+3687us] +/- 123ms ^* leeto.nicolbolas.org 2 6 77 30 -79us[ -555us] +/- 75ms ^+ backup.kabelnetveendam.nl 2 6 77 30 -3653us[-4129us] +/- 146ms
The M column indicates the mode of the source;
- ^ means a server
- = means a peer
- # indicates a locally connected reference clock
The S column indicates the state of the sources;
- “*” indicates the source to which chronyd is currently synchronized.
- “+” indicates acceptable sources which are combined with the selected source.
- “-” indicates acceptable sources which are excluded by the combining algorithm.
- “?” indicates sources to which connectivity has been lost or whose packets do not pass all tests. This condition is also shown at start-up, until at least 3 samples have been gathered from it.
- “x” indicates a clock which chronyd thinks is a falseticker (its time is inconsistent with a majority of other sources).
- “~” indicates a source whose time appears to have too much variability
To display parameters about the system’s clock performance;
Reference ID : C39AAED1 (leeto.nicolbolas.org) Stratum : 3 Ref time (UTC) : Sun Mar 01 18:14:38 2020 System time : 0.001563942 seconds fast of NTP time Last offset : +0.001314329 seconds RMS offset : 0.002229846 seconds Frequency : 2.614 ppm fast Residual freq : +0.147 ppm Skew : 24.449 ppm Root delay : 0.150412217 seconds Root dispersion : 0.008927128 seconds Update interval : 128.5 seconds Leap status : Normal
For more command options, refer to
Setup NTP Client using Chrony on CentOS 8
Since our NTP server using Chrony on CentOS 8 is setup and running, it is time to verify that it can serve our NTP clients as expected.
In this demo, we are using another CentOS 8 VM as our NTP client.
Check if Chrony is installed;
rpm -q chrony
Setting NTP client on CentOS 8 is the same as setting the NTP server as described above except that the client doesn’t have access permissions set hence no server can query time information from it.
Open the configuration file and set the NTP server as shown below;
# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). #pool 2.centos.pool.ntp.org iburst server ntp.kifarunix-demo.com iburst
Ensure that the hostname of the NTP server is resolvable, otherwise use IP address.
Verify Connection to NTP Server UDP Port 123
To verify that there is a connection from the NTP client to NTP server on UDP port 123, simply use netcat command as shown below;
dnf install nc -y
To verify connection to UDP port 123;
nc -uzv ntp.kifarunix-demo.com 123
Ncat: Connected to 192.168.56.133:123. Ncat: UDP packet sent successfully Ncat: 1 bytes sent, 0 bytes received in 2.14 seconds.
Great. You can now proceed to restart and enable chronyd to run on system boot.
systemctl restart chronyd
systemctl enable chronyd
Check NTP time synchronization
To verify that time synchronization is working, you can use the tracking or sources command with chronyc command as shown below;
Reference ID : C0A83885 (ntp.kifarunix-demo.com) Stratum : 4 Ref time (UTC) : Sun Mar 01 18:56:03 2020 System time : 0.000000034 seconds slow of NTP time Last offset : +0.000032892 seconds RMS offset : 0.000032892 seconds Frequency : 2.246 ppm fast Residual freq : +14.373 ppm Skew : 0.564 ppm Root delay : 0.151499271 seconds Root dispersion : 0.001610240 seconds Update interval : 2.0 seconds Leap status : Normal
Using the sources command;
210 Number of sources = 1 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* ntp.kifarunix-demo.com 3 6 37 7 -671ns[ -12us] +/- 77ms
Check sources statistics
210 Number of sources = 1 Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev ============================================================================== ntp.kifarunix-demo.com 5 3 70 +0.408 4.663 +24us 27us
The NTP client is now connected to our NTP server. That brings us to the end of our guide on how to setup NTP Server using Chrony on CentOS 8. We hope this was informative. Enjoy.