Synchronizing Time Using NTP/NTS
- WHAT?
This article describes what time synchronization is and how to configure it.
- WHY?
Keeping the system time synchronized is crucial when sharing tasks and resources with other team members over the network.
- EFFORT
Up to 60 minutes to read this article and perform a basic configuration of time synchronization on your computer.
- REQUIREMENTS
A basic knowledge of Linux system administration is required. Specific tasks require root privileges.
Working network connection to the internal network or Internet to reach the source time server.
1 Introduction
Maintaining an accurate and synchronized system time on the computer is vital for teamwork. Planning and calendaring applications rely on it to track time correctly and notify users about appointments on time. For clustered applications, individual host machines often require synchronized system time for mutual communication.
The built-in hardware clock is not a reliable time source. A manual correction of the system time may cause malfunction of critical applications due to sudden time leaps. Therefore, the system time needs to be synchronized against an external reliable time source over the network.
1.1 What is NTP?
The Network Time Protocol (NTP) is designed to synchronize the system time over the network. Its goal is to maintain the absolute time and use it to synchronize the system time of all machines within a network.
1.2 What is NTS?
Network Time Security (NTS) is a security extension of NTP. NTS provides mechanisms to authenticate NTP messages and encrypt them, ensuring that the time data received is both secure and authentic. NTS is designed to be backward compatible with existing NTP infrastructure. This allows for gradual deployment without requiring changes to existing NTP servers that do not support NTS.
1.3 How does NTP work?
When the NTP service is properly configured, it continuously queries reliable time servers and adjusts the system time accordingly. Typically, home computers and other devices connected to the Internet are configured to query a public time server on the Internet.
Conversely, desktop computers and servers that reside inside a corporate subnet are configured to query a dedicated time server within the local network. The time server itself synchronizes its time with a public time server.
1.3.1 Implementation
chrony is the default implementation of NTP in SUSE Linux Enterprise Micro. chrony includes two parts:
- chronyd is a systemd service that can be started at boot time.
- chronyc is a command-line interface program to monitor the performance of chronyd and to change specific operating parameters at runtime.
1.4 Benefits
Using NTP to maintain the accurate time has the following benefits:
- People can rely on their clocks when following a planned schedule.
- Applications can trigger scheduled desktop or system actions accurately.
- Cluster nodes can keep their data synchronized and up to date.
- Using an internal time server helps maintain synchronized system time in networks with restricted access to the Internet.
- By integrating security measures into NTP through NTS, the protocol enhances its robustness and addresses the vulnerabilities associated with unsecured time synchronization.
2 Configuring NTP by adjusting /etc/chrony.conf
When chronyd starts, it reads its configuration from the /etc/chrony.conf file. The following sections list important parameters that can affect chronyd behavior.
2.1 Specifying time sources
To keep the computer clock synchronized, you need to tell chronyd what time sources to use. For this purpose, use server, pool and peer directives. You can use each of them multiple times.
The server directive tells chronyd to use a specific host as a time server by its name or IP address.
server 0.europe.pool.ntp.org offline
server 1.europe.pool.ntp.org offline prefer
server 192.168.2.254
The pool directive lets you specify a network name that resolves to multiple IP addresses that may change over time.
pool pool.ntp.org iburst maxsources 3
The peer directive specifies an NTP peer host instead of a time server. System time synchronization among peers uses a symmetric architecture instead of the client/server mode invoked by server and pool options. You can use peer multiple times to specify more than one peer.
peer 192.168.1.116
peer ntp.example.com
2.2 Running chronyd as an NTP server
By default, chronyd works as a client to specified NTP servers. To make it operate as an NTP server as well, add the allow directive to the /etc/chrony.conf file. It opens the NTP server port (123 by default) and responds to client requests. You can either specify a single IP of an NTP client, or a subnet to include multiple clients. You can use the allow directive multiple times:
allow 1.2.3.4
allow 3.4.5.0/24
If you do not specify an IP address or a subnet, the stand-alone allow directive allows access from all IPv4 and IPv6 addresses.
To limit the access of the previous allow directive, use the deny directive:
allow 1.2.3.4
deny 1.2.3.0/24
allow 1.2.0.0/16
In the above example, the effect is the same regardless of the order of the three directives. The 1.2.0.0/16 subnet is allowed access except for the 1.2.3.0/24 subnet, which is denied access. However, the host 1.2.3.4 is allowed access.
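The order-independent result described above follows from the most specific matching subnet deciding the outcome. The following added example (not part of the original article and not chrony's own code) models that rule so an access list can be checked before chronyd is exposed to clients. It handles only the forms shown in this section (single address, CIDR subnet, bare directive); the function names, the probe addresses and the treatment of unmatched clients as denied are assumptions of the example.

```python
import ipaddress
from itertools import permutations

COMMENT_CHARS = "!;#%"  # chrony.conf comment markers at the start of a line

def parse_access_rules(conf_text):
    """Collect (network, allowed) pairs from allow/deny lines."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue
        fields = line.split()
        if fields[0] not in ("allow", "deny"):
            continue
        # A bare directive applies to every IPv4 and IPv6 address.
        targets = fields[1:2] or ["0.0.0.0/0", "::/0"]
        for target in targets:
            rules.append((ipaddress.ip_network(target), fields[0] == "allow"))
    return rules

def client_allowed(rules, client_ip):
    """Most specific matching subnet decides; no match means no access
    (assumption: without an allow directive chronyd serves no clients)."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, allowed in rules:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen >= best[0].prefixlen:
                best = (net, allowed)
    return best[1] if best else False

# Directives from the section above.
PAGE_RULES = ["allow 1.2.3.4", "deny 1.2.3.0/24", "allow 1.2.0.0/16"]
# Constructed client addresses used to probe the rule set.
PROBES = ["1.2.3.4", "1.2.3.77", "1.2.200.1", "10.0.0.5"]

def decisions(rule_lines):
    """Return the allow/deny decision for every probe address."""
    rules = parse_access_rules("\n".join(rule_lines))
    return [client_allowed(rules, ip) for ip in PROBES]

if __name__ == "__main__":
    # Every ordering of the three directives yields the same decisions.
    for order in permutations(PAGE_RULES):
        print(" | ".join(order), "->", decisions(order))
```

Probing a planned rule set this way shows quickly whether a bare allow or an overly wide subnet would open the NTP port to more clients than intended.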
2.3 Configuring a local reference clock
chronyd relies on other programs (such as gpsd) to access the timing data via a specific driver. Use the refclock directive in /etc/chrony.conf to specify a hardware reference clock to be used as a time source. It has two mandatory parameters: a driver name and a driver-specific parameter. The two parameters are followed by zero or more refclock options. chronyd includes the following drivers:
- PPS
Driver for the kernel pulse per second API. For example:
refclock PPS /dev/pps0 lock NMEA refid GPS
- SHM
NTP shared memory driver. For example:
refclock SHM 0 poll 3 refid GPS1
refclock SHM 1:perm=0644 refid GPS2
- SOCK
Unix domain socket driver. For example:
refclock SOCK /var/run/chrony.ttyS0.sock
- PHC
PTP hardware clock driver. For example:
refclock PHC /dev/ptp0 poll 0 dpoll -2 offset -37
refclock PHC /dev/ptp1:nocrossts poll 3 pps
For more information on individual drivers' options, see man 5 chrony.conf.
2.4 Activating offline time sources
Although chronyd starts up normally on a system that boots without a network connection, it cannot access the time servers specified in /etc/chrony.conf. To prevent chronyd from trying to query inaccessible time servers, use the offline option next to the time source directive, for example:
server ntp.example.org offline
chronyd then does not try to poll the server until it is enabled using the following command:
# chronyc online ntp.example.org
When the auto_offline option is set instead of the offline option, chronyd assumes that the time server has gone offline when two requests have been sent to it without receiving a response. This option avoids the need to run the offline command from chronyc when disconnecting the network link.
3 Managing chronyd at runtime
3.1 What is chronyc?
chronyc is the client part of the chrony NTP implementation. You can use the chronyc command to change the behavior of the chronyd service at runtime. It also generates status reports about the operation of chronyd.
Changes made using chronyc are not permanent. They are lost after the next chronyd restart. For permanent changes, modify /etc/chrony.conf as described in Section 2, “Configuring NTP by adjusting /etc/chrony.conf”.
3.2 How does chronyc work?
You can run chronyc either in an interactive or non-interactive mode. To run chronyc interactively, enter chronyc on the command line and press Enter. It displays a prompt and waits for your command input. For example, to check how many NTP sources are online or offline, run the activity command:
# chronyc
chronyc> activity
200 OK
4 sources online
2 sources offline
1 sources doing burst (return to online)
1 sources doing burst (return to offline)
0 sources with unknown address
To exit chronyc's prompt, enter quit or exit.
If you do not need to use the interactive prompt, enter the command directly, for example:
# chronyc activity
4 The chronyd systemd service
The main part of chrony is the chronyd systemd service that runs in the background and synchronizes system time with selected time servers. You can use the following systemd commands to operate the chronyd service:
- systemctl status chronyd.service
Prints extended information about the current status of the chronyd service.
- systemctl is-enabled chronyd.service
Checks whether the automatic start of the chronyd service at system boot is enabled.
- systemctl enable chronyd.service
Enables the automatic start of the chronyd service at system boot.
- systemctl disable chronyd.service
Disables the automatic start of the chronyd service at system boot.
- systemctl is-active chronyd.service
Checks whether the chronyd service was started and is running.
- systemctl start chronyd.service
Starts the chronyd service.
- systemctl stop chronyd.service
Stops the chronyd service.
- systemctl restart chronyd.service
Restarts the chronyd service and reloads /etc/chrony.conf.
5 Troubleshooting
In case of errors, check the following.
- Verify that your computer is connected to a network and that the network is configured correctly:
  > sudo systemctl status network.service
  ● NetworkManager.service - Network Manager
  Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled)
  Active: active (running) since Sat 2021-08-07 20:09:44 CEST; 4 days ago
  [...]
- Verify that the time servers that you entered as a time source exist and are reachable over the network. For example:
  > ping pool.ntp.org
  PING pool.ntp.org (85.199.214.101) 56(84) bytes of data.
  64 bytes from 85.199.214.101 (85.199.214.101): icmp_seq=1 ttl=37 time=29.9 ms
  [...]
- If the firewalld service is active on your computer, verify that the NTP service is allowed.
- Verify that the chronyd service is running:
  > sudo systemctl status chronyd.service
  ● chronyd.service - NTP client/server
  Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: disabled)
  Active: active (running) since Sat 2021-08-07 20:09:44 CEST; 4 days ago
  [...]
- If the system time on a virtualized guest diverges from the exact time, make sure that the VM Host Server system time is synchronized with a valid time server and that the guest is synchronized with the same time source as the host.
- If the NTP service fails to start properly during system boot, it can be caused by network switches configured to use the Spanning Tree Protocol while ports are not configured as Edge Ports but Portfast. In this case, it can take up to a minute until the network connectivity is established.
- If the NTP service fails to start during system boot when the NetworkManager is used, edit the /etc/sysconfig/network/config file and change the value of NM_ONLINE_TIMEOUT to 30. If the problem persists, increase the timeout value by 15 and try again.
- If NTP sources cannot be reached, identify them with the following command:
  > chronyc sources -v
  [...]
  MS Name/IP address         Stratum Poll Reach LastRx Last sample
  ===============================================================================
  ^* time.mydomain.com             3   10   377    81  -5354us[-8257us] +/-  191ms
  ^? ntp1.example.com              0   10     0     -     +0ns[   +0ns] +/-    0ns
  ^? 77.177.77.177                 0   10     0     -     +0ns[   +0ns] +/-    0ns
  ^? ntp3.example.com              0   10     0     -     +0ns[   +0ns] +/-    0ns
  ^? ntp4.example.net              0   10     0     -     +0ns[   +0ns] +/-    0ns
  ^? 2a02:3d8:1::1:1               0    6     0     -     +0ns[   +0ns] +/-    0ns
  ^? ntp2.example.org              0   10     0     -     +0ns[   +0ns] +/-    0ns
  In this case, the only server that is really serving time is time.mydomain.com. Troubleshoot the network connection to the failing remote NTP time sources.
6 For more information
- Securing your computer with firewalld is described in https://documentation.suse.com/sles/html/SLES-all/cha-security-firewall.html#sec-security-firewall-firewalld.
- Commands for operating systemd services are listed in https://susedoc.github.io/doc-modular/main/html/reference-systemctl-enable-disable-services/.
- For a complete reference, see related manual pages:
  - For a complete list of configuration directives, run man 5 chrony.conf.
  - For a complete list of chronyc commands, run man 1 chronyc.
  - For a complete list of chronyd command-line options, run man 8 chronyd.
7 Legal Notice
Copyright © 2006–2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.