Setup NTP Server using Chrony on CentOS 8

In this guide, we are going to learn how to install and set up an NTP server using Chrony on CentOS 8. Chrony is an implementation of the Network Time Protocol (NTP). Compared to the NTP implementation, chrony performs well in a wide range of conditions, including:

  • intermittent network connections
  • heavily congested networks
  • changing temperatures
  • systems that do not run continuously

Chrony can be used to synchronise the system clock with NTP servers and reference clocks. It can also operate as an NTPv4 server and peer to provide a time service to other computers in the network.

Setup NTP Server using Chrony on CentOS 8

Run System Update

To synchronize system packages to their latest versions, simply execute the command;

dnf update

Installing Chrony on CentOS 8

The Chrony suite is installed by default on RHEL derivatives, CentOS 8 included. You can however verify this by executing the command below;

rpm -q chrony

If the package is installed, you should get an output like;

chrony-3.5-1.el8.x86_64

Otherwise, you will get an output like;

package chrony is not installed

To see more information about Chrony;

rpm -qi chrony
Name        : chrony
Version     : 3.5
Release     : 1.el8
Architecture: x86_64
Install Date: Sun 01 Mar 2020 08:07:16 PM EAT
Group       : System Environment/Daemons
Size        : 692391
License     : GPLv2
Signature   : RSA/SHA256, Thu 05 Dec 2019 01:51:32 AM EAT, Key ID 05b555b38483c65d
Source RPM  : chrony-3.5-1.el8.src.rpm
Build Date  : Tue 19 Nov 2019 06:32:41 PM EAT
Build Host  : x86-01.mbox.centos.org
Relocations : (not relocatable)
Packager    : CentOS Buildsys <[email protected]>
Vendor      : CentOS
URL         : https://chrony.tuxfamily.org
Summary     : An NTP client/server
Description :
chrony is a versatile implementation of the Network Time Protocol (NTP).
It can synchronise the system clock with NTP servers, reference clocks
(e.g. GPS receiver), and manual input using wristwatch and keyboard. It
can also operate as an NTPv4 (RFC 5905) server and peer to provide a time
service to other computers in the network.

If for some reason it is not installed by default, you can always install it by running the command below;

dnf install chrony

Configure Chrony as an NTP server on CentOS 8

Assuming Chrony is installed, you can now proceed to configure it to provide time synchronization.

The default configuration file of Chrony is /etc/chrony.conf. Therefore, we will make most configuration changes in this file.

Set Time Servers

By default, Chrony uses 2.centos.pool.ntp.org as its time server. You need to define time servers close to your region.

To obtain a list of NTP servers close to your region, navigate to the Internet Cluster of NTP servers page and select your region. For example, if you are in Europe, below are the available NTP servers;

server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org

To use the pool of NTP servers in your region, comment out the line pool 2.centos.pool.ntp.org iburst (add # at the beginning) and replace it as follows;

vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# pool 2.centos.pool.ntp.org iburst
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org

Configure NTP Server Access Control

By default, Chrony does not allow any client access to its NTP server. To restrict or control access to the NTP service running on a system, use the allow directive. This directive designates a particular subnet or host from which NTP clients are allowed to access the computer as an NTP server.

For example, to allow all hosts in the 192.168.56.0/24 subnet to access your NTP server;

# Allow NTP client access from local network.
#allow 192.168.0.0/16
allow 192.168.56.0/24

Read more in man chrony.conf.
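The allow directive is the only thing standing between chronyd and every host that can reach UDP port 123, so it is worth checking that no allow line is wider than the client networks you intend to serve. The following audit is an added example, not part of the original guide; the sample configuration is constructed, and the function name audit_allow and the expected-network list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the allow line from this guide plus two broader variants.
SAMPLE_CONF = """\
# Allow NTP client access from local network.
#allow 192.168.0.0/16
allow 192.168.56.0/24
allow 10.0.0.0/8
allow
"""

def audit_allow(conf_text, expected):
    """Return (line_no, directive, finding) for allow lines not inside `expected`."""
    expected = [ipaddress.ip_network(n) for n in expected]
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0] != "allow":   # skips comments and other directives
            continue
        # The optional "all" keyword only affects how earlier rules are overridden.
        args = [f for f in fields[1:] if f != "all"]
        if not args:
            findings.append((no, line.strip(),
                             "no subnet given: every IPv4 and IPv6 client is allowed"))
            continue
        try:
            net = ipaddress.ip_network(args[0], strict=False)
        except ValueError:
            findings.append((no, line.strip(),
                             "not plain CIDR (hostname or short form): review by hand"))
            continue
        inside = any(net.prefixlen >= e.prefixlen and net.network_address in e
                     for e in expected)
        if not inside:
            findings.append((no, line.strip(),
                             f"covers {net.num_addresses} addresses and is not "
                             "contained in the expected client networks"))
    return findings

if __name__ == "__main__":
    for finding in audit_allow(SAMPLE_CONF, ["192.168.56.0/24"]):
        print(finding)
```

The audit looks only at allow lines and does not evaluate deny directives; on the server itself, chronyc accheck followed by a client address reports chronyd's own decision for that address.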

Open NTP UDP Port 123 on Firewall

To allow NTP clients to access your NTP server, you need to open port 123/UDP on the firewall.

firewall-cmd --add-port=123/udp --permanent
firewall-cmd --reload

Running Chrony on CentOS 8

The chronyd daemon controls the NTP implementation. As such, you can start and enable it to run on system boot by running the command below;

systemctl enable --now chronyd
systemctl status chronyd
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-03-01 20:59:01 CET; 10s ago
     Docs: man:chronyd(8)
           man:chrony.conf(5)
  Process: 6685 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 6681 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 6683 (chronyd)
    Tasks: 1 (limit: 5047)
   Memory: 828.0K
   CGroup: /system.slice/chronyd.service
           └─6683 /usr/sbin/chronyd
...

Verify Chrony Time Synchronization

The chronyc command is used to verify Chrony time synchronization with the help of subcommands such as sources, tracking and sourcestats.

To display information about the current time sources that chronyd is accessing, run the command;

chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^+ 85.129.0.126                  2   6    77    30  -1023us[-1499us] +/-  124ms
^+ valoo.patate.ninja            2   6    77    29  +3687us[+3687us] +/-  123ms
^* leeto.nicolbolas.org          2   6    77    30    -79us[ -555us] +/-   75ms
^+ backup.kabelnetveendam.nl     2   6    77    30  -3653us[-4129us] +/-  146ms

The M column indicates the mode of the source;

  • ^ means a server
  • = means a peer
  • # indicates a locally connected reference clock

The S column indicates the state of the sources;

  • “*” indicates the source to which chronyd is currently synchronized.
  • “+” indicates acceptable sources which are combined with the selected source.
  • “-” indicates acceptable sources which are excluded by the combining algorithm.
  • “?” indicates sources to which connectivity has been lost or whose packets do not pass all tests. This condition is also shown at start-up, until at least 3 samples have been gathered from it.
  • “x” indicates a clock which chronyd thinks is a falseticker (its time is inconsistent with a majority of other sources).
  • “~” indicates a source whose time appears to have too much variability.
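The M and S flags above, together with the Reach column, are enough to build a simple health check for monitoring. The following parser is an added example, not part of the original guide: it reads the chronyc sources table, decodes Reach (printed in octal, one bit per each of the last eight polls) and reports the selected source, falsetickers and unreachable sources. The last two rows of the sample and the names bad.example.net and down.example.net are constructed.

```python
import re

# First four rows copied from the output above; the last two rows are constructed
# (a falseticker and an unreachable source) to exercise the checks.
SAMPLE = """\
210 Number of sources = 6
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ 85.129.0.126                  2   6    77    30  -1023us[-1499us] +/-  124ms
^+ valoo.patate.ninja            2   6    77    29  +3687us[+3687us] +/-  123ms
^* leeto.nicolbolas.org          2   6    77    30    -79us[ -555us] +/-   75ms
^+ backup.kabelnetveendam.nl     2   6    77    30  -3653us[-4129us] +/-  146ms
^x bad.example.net               2   6   377    12   +912ms[ +912ms] +/-   40ms
^? down.example.net              0   6     0     -     +0ns[   +0ns] +/-    0ns
"""

# Mode flag, state flag, name, stratum, poll, reach (octal digits only).
ROW = re.compile(r"^([\^=#])([*+\-?x~])\s+(\S+)\s+(\d+)\s+(-?\d+)\s+([0-7]+)\s")

def parse_sources(text):
    """Return one dict per source row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        mode, state, name, stratum, _poll, reach = m.groups()
        reach_bits = int(reach, 8)                # Reach register is printed in octal
        rows.append({"mode": mode, "state": state, "name": name,
                     "stratum": int(stratum),
                     "answered": bin(reach_bits).count("1")})  # replies in last 8 polls
    return rows

def health(rows):
    """Summarise the conditions an operator should alert on."""
    return {
        "synced_to": next((r["name"] for r in rows if r["state"] == "*"), None),
        "falsetickers": [r["name"] for r in rows if r["state"] == "x"],
        "unreachable": [r["name"] for r in rows
                        if r["state"] == "?" or r["answered"] == 0],
    }

if __name__ == "__main__":
    print(health(parse_sources(SAMPLE)))
```

A result with synced_to set to None, or with any falsetickers listed, means the clock is either free-running or disagreeing with one of its sources and should be investigated.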

To display parameters about the system’s clock performance;

chronyc tracking
Reference ID    : C39AAED1 (leeto.nicolbolas.org)
Stratum         : 3
Ref time (UTC)  : Sun Mar 01 18:14:38 2020
System time     : 0.001563942 seconds fast of NTP time
Last offset     : +0.001314329 seconds
RMS offset      : 0.002229846 seconds
Frequency       : 2.614 ppm fast
Residual freq   : +0.147 ppm
Skew            : 24.449 ppm
Root delay      : 0.150412217 seconds
Root dispersion : 0.008927128 seconds
Update interval : 128.5 seconds
Leap status     : Normal

For more command options, refer to man chronyc.

Setup NTP Client using Chrony on CentOS 8

Since our NTP server using Chrony on CentOS 8 is set up and running, it is time to verify that it can serve our NTP clients as expected.

In this demo, we are using another CentOS 8 VM as our NTP client.

Check if Chrony is installed;

rpm -q chrony
chrony-3.5-1.el8.x86_64

Setting up an NTP client on CentOS 8 is the same as setting up the NTP server as described above, except that the client doesn’t have access permissions set, hence no host can query time information from it.

Open the configuration file and set the NTP server as shown below;

vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#pool 2.centos.pool.ntp.org iburst
server ntp.kifarunix-demo.com iburst

Ensure that the hostname of the NTP server is resolvable; otherwise use its IP address.

Verify Connection to NTP Server UDP Port 123

To verify that there is a connection from the NTP client to the NTP server on UDP port 123, use the netcat command as shown below;

dnf install nc -y

To verify connection to UDP port 123;

nc -uzv ntp.kifarunix-demo.com 123
Ncat: Connected to 192.168.56.133:123.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.14 seconds.
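Because UDP is connectionless, the ncat result above (0 bytes received) shows only that a packet was sent and no ICMP error came back, not that chronyd answered. The following check is an added example, not part of the original guide: it sends a real NTP client request and validates the reply, including that the origin timestamp echoes the request, which rejects replies that were not triggered by this query. The function names are assumptions made for illustration.

```python
import socket, struct, sys, time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def build_request(now=None):
    """48-byte client request: LI=0, VN=4, Mode=3; transmit timestamp acts as a nonce."""
    now = time.time() if now is None else now
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now % 1) * 2**32)
    return struct.pack("!B39xII", (0 << 6) | (4 << 3) | 3, secs, frac)

def parse_reply(reply, request):
    """Validate a server reply against the request that triggered it."""
    if len(reply) < 48:
        raise ValueError("short packet")
    first, stratum = struct.unpack("!BB", reply[:2])
    leap, mode = first >> 6, first & 0x7
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if reply[24:32] != request[40:48]:        # origin must equal our transmit timestamp
        raise ValueError("origin timestamp does not echo our request")
    if stratum == 0:                          # kiss-o'-death, code is in the reference ID
        raise ValueError("kiss-o'-death: " + reply[12:16].decode("ascii", "replace"))
    if leap == 3 or stratum >= 16:
        raise ValueError("server is not synchronised")
    secs, frac = struct.unpack("!II", reply[40:48])
    return {"stratum": stratum,
            "server_time": secs - NTP_EPOCH_OFFSET + frac / 2**32}

def query(host, port=123, timeout=3.0):
    """Send one request and return the parsed reply; raises on timeout or a bad reply."""
    request = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        reply, _ = s.recvfrom(512)
    return parse_reply(reply, request)

if __name__ == "__main__":
    # e.g. python3 ntpcheck.py ntp.kifarunix-demo.com
    print(query(sys.argv[1]))
```

A timeout here, with the firewall port open, usually means the client address is not covered by an allow directive on the server.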

Great. You can now proceed to restart and enable chronyd to run on system boot.

systemctl restart chronyd
systemctl enable chronyd

Check NTP time synchronization

To verify that time synchronization is working, you can use the tracking or sources subcommand of chronyc as shown below;

chronyc tracking
Reference ID    : C0A83885 (ntp.kifarunix-demo.com)
Stratum         : 4
Ref time (UTC)  : Sun Mar 01 18:56:03 2020
System time     : 0.000000034 seconds slow of NTP time
Last offset     : +0.000032892 seconds
RMS offset      : 0.000032892 seconds
Frequency       : 2.246 ppm fast
Residual freq   : +14.373 ppm
Skew            : 0.564 ppm
Root delay      : 0.151499271 seconds
Root dispersion : 0.001610240 seconds
Update interval : 2.0 seconds
Leap status     : Normal

Using the sources command;

chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* ntp.kifarunix-demo.com        3   6    37     7   -671ns[  -12us] +/-   77ms

Check sources statistics

chronyc sourcestats
210 Number of sources = 1
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.kifarunix-demo.com      5   3    70     +0.408      4.663    +24us    27us

The NTP client is now connected to our NTP server. That brings us to the end of our guide on how to set up an NTP server using Chrony on CentOS 8. We hope this was informative. Enjoy.
