Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Synchronizing Time Using NTP/NTS

Synchronizing Time Using NTP/NTS

Publication Date: 12 Dec 2024
WHAT?

This article describes what time synchronization is and how to configure it.

WHY?

Keeping the system time synchronized is crucial when sharing tasks and resources with other team members over the network.

EFFORT

Up to 60 minutes to read this article and perform a basic configuration of time synchronization on your computer.

REQUIREMENTS
  • A basic knowledge of Linux system administration is required. Specific tasks require root privileges.

  • Working network connection to the internal network or Internet to reach the source time server.

1 Introduction

Maintaining an accurate and synchronized system time on the computer is vital for teamwork. Planning and calendaring applications rely on it to track time correctly and notify users about appointments on time. For clustered applications, individual host machines often require synchronized system time for mutual communication.

The built-in hardware clock is not a reliable time source. A manual correction of the system time may cause malfunction of critical applications due to sudden time leaps. Therefore, the system time needs to be synchronized against an external reliable time source over the network.

1.1 What is NTP?

The Network Time Protocol (NTP) is designed to synchronize the system time over the network. Its goal is to maintain the absolute time and use it to synchronize the system time of all machines within a network.

1.2 What is NTS?

Network Time Security (NTS) is a security extension of NTP. NTS provides mechanisms to authenticate NTP messages and encrypt them, ensuring that the time data received is both secure and authentic. NTS is designed to be backward compatible with existing NTP infrastructure. This allows for gradual deployment without requiring changes to existing NTP servers that do not support NTS.

1.3 How does NTP work?

When the NTP service is properly configured, it continuously queries and adjusts the system time with reliable time servers. Typically, home computers and other devices connected to the internet are configured to query a public time server on the Internet.

Individual devices querying a public time server
Figure 1: Individual devices querying a public time server

Conversely, desktop computers and servers that reside inside a corporate subnet are configured to query a dedicated time server within the local network. The time server itself synchronizes its time with a public time server.

Multiple hosts querying an internal time server
Figure 2: Multiple hosts querying an internal time server

1.3.1 Implementation

chrony is the default implementation of NTP in SUSE Linux Enterprise Micro. chrony includes two parts:

  • chronyd is a systemd service that can be started at boot time.

  • chronyc is a command-line interface program to monitor the performance of chronyd and to change specific operating parameters at runtime.

1.4 Benefits

Using NTP to maintain the accurate time has the following benefits:

  • People can rely on their clocks when following a planned schedule.

  • Applications can trigger scheduled desktop or system actions accurately.

  • Cluster nodes can keep their data synchronized and up to date.

  • Using an internal time server helps maintain synchronized system time in networks with restricted access to the Internet.

  • By integrating security measures into NTP through NTS, the protocol enhances its robustness and addresses the vulnerabilities associated with unsecured time synchronization.

2 Configuring NTP by adjusting /etc/chrony.conf

When chronyd starts, it reads its configuration from the /etc/chrony.conf file. The following sections list important parameters that can affect chronyd behavior.

2.1 Specifying time sources

To keep the computer clock synchronized, you need to tell chronyd what time sources to use. For this purpose, use server, pool and peer directives. You can use each of them multiple times.

The server directive tells chronyd to use a specific host as a time server by its name or IP address.

server 0.europe.pool.ntp.org offline1
server 1.europe.pool.ntp.org offline prefer2
server 192.168.2.254

1

The offline option prevents chronyd from querying the time server. This option is useful if the server is not reachable when chronyd is started. You need to put the time server online when it is reachable by using chronyc. Refer to Section 3, “Managing chronyd at runtime” for more details.

2

The prefer option tells chronyd to prefer the time source over others that do not include such an option.

The pool directive lets you specify a network name that resolves to multiple IP addresses that may change over time.

pool pool.ntp.org iburst1 maxsources 32

1

The iburst option means that chronyd starts with a burst of 4 to 8 requests to make the first update of the clock sooner.

2

The maxsources option tells chronyd to use up to three sources from the pool.

The peer directive specifies an NTP peer host instead of a time server. System time synchronization among peers uses a symmetric architecture instead of the client/server mode invoked by server and pool options. You can use peer multiple times to specify more than one peer.

peer 192.168.1.116
peer ntp.example.com

2.2 Running chronyd as an NTP server

By default, chronyd works as a client to specified NTP servers. To make it operate as an NTP server as well, add the allow directive to the /etc/chrony.conf file. It opens the NTP server port (123 by default) and responds to client requests.

You can either specify a single IP of an NTP client, or a subnet to include multiple clients. You can use the allow directive multiple times:

allow 1.2.3.4
allow 3.4.5.0/24
Tip
Tip

If you do not specify an IP address or a subnet, the stand-alone allow directive allows access from all IPv4 and IPv6 addresses.

To limit the access of the previous allow directive, use the deny directive:

allow 1.2.3.4
deny 1.2.3.0/24
allow 1.2.0.0/16

In the above example, the effect is the same regardless of the order of the three directives. The 1.2.0.0/16 subnet is allowed access except for the 1.2.3.0/24 subnet, which is denied access. However, the host 1.2.3.4 is allowed access.

2.3 Configuring a local reference clock

chronyd relies on other programs (such as gpsd) to access the timing data via a specific driver. Use the refclock directive in /etc/chrony.conf to specify a hardware reference clock to be used as a time source. It has two mandatory parameters: a driver name and a driver-specific parameter. The two parameters are followed by zero or more refclock options. chronyd includes the following drivers:

PPS

Driver for the kernel pulse per second API. For example:

refclock PPS /dev/pps0 lock NMEA refid GPS
SHM

NTP shared memory driver. For example:

refclock SHM 0 poll 3 refid GPS1
refclock SHM 1:perm=0644 refid GPS2
SOCK

Unix domain socket driver. For example:

refclock SOCK /var/run/chrony.ttyS0.sock
PHC

PTP hardware clock driver. For example:

refclock PHC /dev/ptp0 poll 0 dpoll -2 offset -37
refclock PHC /dev/ptp1:nocrossts poll 3 pps
Tip
Tip

For more information on individual drivers' options, see man 8 chrony.conf.

2.4 Activating offline time sources

Although chronyd starts up normally on a system that boots without a network connection, it cannot access the time servers specified in /etc/chrony.conf. To prevent chronyd from trying to query inaccessible time servers, use the offline option next to the time source directive, for example:

server ntp.example.org offline

chronyd then does not try to poll the server until it is enabled using the following command:

# chronyc online ntp.example.org
Tip
Tip

When the auto_offline option is set instead of the offline option, chronyd assumes that the time server has gone offline when two requests have been sent to it without receiving a response. This option avoids the need to run the offline command from chronyc when disconnecting the network link.

3 Managing chronyd at runtime

3.1 What is chronyc?

chronyc is the client part of the chrony NTP implementation. You can use the chronyc command to change the behavior of the chronyd service at runtime. It also generates status reports about the operation of chronyd.

Note
Note: Temporary changes

Changes made using chronyc are not permanent. They are lost after the next chronyd restart. For permanent changes, modify /etc/chrony.conf as described in Section 2, “Configuring NTP by adjusting /etc/chrony.conf.

3.2 How does chronyc work?

You can run chronyc either in an interactive or non-interactive mode. To run chronyc interactively, enter chronyc on the command line and press Enter. It displays a prompt and waits for your command input. For example, to check how many NTP sources are online or offline, run the activity command:

# chronyc
chronyc> activity
200 OK
4 sources online
2 sources offline
1 sources doing burst (return to online)
1 sources doing burst (return to offline)
0 sources with unknown address

To exit chronyc's prompt, enter quit or exit.

If you do not need to use the interactive prompt, enter the command directly, for example:

# chronyc activity

4 The chronyd systemd service

The main part of chrony is the chronyd systemd service that runs in the background and synchronizes system time with selected time servers. You can use the following systemd commands to operate the chronyd service:

systemctl status chronyd.service

Prints extended information about the current status of the chronyd service.

systemctl is-enabled chronyd.service

Checks whether the automatic start of the chronyd service at system boot is enabled.

systemctl enabled chronyd.service

Enables the automatic start of the chronyd service at system boot.

systemctl disable chronyd.service

Disables the automatic start of the chronyd service at system boot.

systemctl is-active chronyd.service

Checks whether the chronyd service was started and is running.

systemctl start chronyd.service

Starts the chronyd service.

systemctl stop chronyd.service

Stops the chronyd service.

systemctl restart chronyd.service

Restarts the chronyd service and reloads /etc/chronyd.conf.

5 Troubleshooting

In case of errors, check the following.

  • Verify that your computer is connected to a network and that the network is configured correctly:

    > sudo systemctl status network.service
    ● NetworkManager.service - Network Manager
         Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled)
         Active: active (running) since Sat 2021-08-07 20:09:44 CEST; 4 days ago
    [...]
  • Verify that the time servers that you entered as a time source exist and are reachable over the network. For example:

    > ping pool.ntp.org
    PING pool.ntp.org (85.199.214.101) 56(84) bytes of data.
    64 bytes from 85.199.214.101 (85.199.214.101): icmp_seq=1 ttl=37 time=29.9 ms
    [...]
  • If the firewalld service is active on your computer, verify that the NTP service is allowed.

  • Verify that the chronyd service is running:

    > sudo systemctl status chronyd.service
    ● chronyd.service - NTP client/server
         Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: disabled)
         Active: active (running) since Sat 2021-08-07 20:09:44 CEST; 4 days ago
     [...]
  • If the system time on a virtualized guest diverges from the exact time, make sure that the VM Host Server system time is synchronized with a valid time server and that the guest is synchronized with the same time source as the host.

  • If the NTP service fails to start properly during system boot, it can be caused by network switches configured to use the Spanning Tree Protocol while ports are not configured as Edge Ports but Portfast. In this case, it can take up to a minute until the network connectivity is established.

  • If the NTP service fails to start during system boot when the NetworkManager is used, edit the /etc/sysconfig/network/config file and change the value of NM_ONLINE_TIMEOUT value to 30. If the problem persists, increase the timeout value by 15 and try again.

  • If NTP sources cannot be reached, identify them with the following command:

    > chronyc sources -v
    [...]
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* time.mydomain.com             3  10   377    81  -5354us[-8257us] +/-  191ms
    ^? ntp1.example.com              0  10     0     -     +0ns[   +0ns] +/-    0ns
    ^? 77.177.77.177                 0  10     0     -     +0ns[   +0ns] +/-    0ns
    ^? ntp3.example.com              0  10     0     -     +0ns[   +0ns] +/-    0ns
    ^? ntp4.example.net              0  10     0     -     +0ns[   +0ns] +/-    0ns
    ^? 2a02:3d8:1::1:1               0   6     0     -     +0ns[   +0ns] +/-    0ns
    ^? ntp2.example.org              0  10     0     -     +0ns[   +0ns] +/-    0ns

    In this case, the only server that is really serving time is time.mydomain.com. It is necessary to generally troubleshoot the network connection to the failing remote NTP time sources.

6 For more information