Chrony NTP Configuration
By default, the Management Console RPM based on CentOS uses chrony as the NTP client, and its default configuration references public NTP servers. To configure chrony so that it does not communicate with external time servers and adheres to your company's security policy, consider the following actions:
- Refer to your security policy to ensure your NTP configuration complies with the required standards. Considerations should include:
  - Confirming whether your company's DNS server provides an NTP server or server pool.
  - Removing the public server pools from chrony.conf.
  - Adding your own public server pool to chrony.conf.
- Review the current Management Console chrony configuration by entering the `chronyc sources -v` command from the Management Console's console; it provides a verbose listing of the NTP servers chrony is syncing to.
- Consider using internal NTP servers authorized by your company's security policy by editing the /etc/chrony.conf file.
Example
The following example shows how to view and edit an NTP configuration. In this example the default NTP servers are commented out and replaced by another NTP server.
- Check the currently used NTP servers using `chronyc sources -v`.

```
[kono@localhost etc]$ chronyc sources -v
210 Number of sources = 6

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ip225.ip-54-39-173.net        2  10   377   652  +4224us[+4594us] +/-   35ms
^+ k8s-w02.tblflp.zone           2   9   373   147    -12ms[  -12ms] +/-   73ms
^- ntp2.torix.ca                 2   9   377   113  +1082us[+1082us] +/-  538ms
^- dns2.switch.ca                3   9   377    95   +750us[ +750us] +/-  532ms
^- DC01.tera.local               3   6   377    48  -1332us[-1332us] +/-   98ms
^- DC02.tera.local               4   6   377    45  -1014us[-1014us] +/-  135ms
[kono@localhost etc]$
```
- Edit the chrony.conf file to change the referenced NTP servers using the `sudo vi chrony.conf` command. In this example, the public tick.usask.ca and internal 192.168.1.50 NTP servers are added. The iburst option speeds up the first synchronization and the prefer option advises chrony which NTP server you want to use if it is available.

```
[kono@localhost etc]$ sudo vi chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (https://www.pool.ntp.org/join.html).
server tick.usask.ca iburst prefer
server 192.168.1.50 iburst
# server 0.centos.pool.ntp.org iburst
# server 1.centos.pool.ntp.org iburst
# server 2.centos.pool.ntp.org iburst
# server 3.centos.pool.ntp.org iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
#allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking
```
- Restart chrony for the changes to take effect using the command `sudo systemctl restart chronyd`.

```
[kono@localhost etc]$ sudo systemctl restart chronyd
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: kono
Password:
==== AUTHENTICATION COMPLETE ===
[kono@localhost etc]$
```
- Confirm the new configuration of the chrony.conf file.

```
[kono@localhost etc]$ chronyc sources -v
210 Number of sources = 4

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- stervandc01a.teradici.lo>     3   6    17     4  -1183us[-1219us] +/-  104ms
^* time.usask.ca                 1   6    17     3    -12us[  -48us] +/-   15ms
^- GSSDC01.terase.local          3   6    17     3  -4130us[-4130us] +/-  132ms
^- GSSDC02.terase.local          4   6    17     3  -3260us[-3260us] +/-  166ms
[kono@localhost etc]$
```
- View the status in real time using the command `watch chronyc tracking`.

```
[kono@localhost etc]$ watch chronyc tracking
Every 2.0s: chronyc tracking

Reference ID    : 80E99AF5 (time.usask.ca)
Stratum         : 2
Ref time (UTC)  : Fri Mar 22 15:50:33 2019
System time     : 0.000050575 seconds slow of NTP time
Last offset     : -0.000054492 seconds
RMS offset      : 0.000197914 seconds
Frequency       : 35.545 ppm slow
Residual freq   : -0.001 ppm
Skew            : 0.082 ppm
Root delay      : 0.029674415 seconds
Root dispersion : 0.000992690 seconds
Update interval : 2078.7 seconds
Leap status     : Normal
```
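The procedure above ends with a manual read of `chronyc sources`; the following added example (not part of the Management Console documentation) turns that check into a policy audit that compares both the active `server`/`pool` lines in chrony.conf and the live source list against an allowlist of approved NTP servers. The allowlist, the config excerpt and the `chronyc sources` output are constructed sample data.

```shell
# Added example, not from the Management Console docs: audit the chrony.conf server
# list and the live `chronyc sources` output against a policy allowlist of NTP servers.
# All sample data below is constructed.

# Constructed chrony.conf excerpt mirroring the edited file above, plus a stray pool line.
SAMPLE_CONF='# Use public servers from the pool.ntp.org project.
server tick.usask.ca iburst prefer
server 192.168.1.50 iburst
# server 0.centos.pool.ntp.org iburst
pool 2.centos.pool.ntp.org iburst
driftfile /var/lib/chrony/drift'

# Constructed `chronyc sources` output (legend omitted). chronyc prints the reverse-DNS
# name, so tick.usask.ca from the config shows up as time.usask.ca, as it does above.
SAMPLE_SOURCES='210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.usask.ca                 1   6    17     3    -12us[  -48us] +/-   15ms
^- 192.168.1.50                  3   6    17     4  -1183us[-1219us] +/-  104ms
^? ntp2.torix.ca                 2   9   377   113  +1082us[+1082us] +/-  538ms'

# Print the host of every active (uncommented) server/pool/peer line read from stdin.
conf_sources() {
    sed 's/#.*//' | awk '$1 == "server" || $1 == "pool" || $1 == "peer" { print $2 }'
}

# Print the Name/IP column of each source line in `chronyc sources` output read from stdin.
live_sources() {
    awk '/^[=#^][-*+?x~] / { print $2 }'
}

# $1 = space-separated allowlist, hosts on stdin. Prints every host not in the allowlist;
# returns 1 if any was found, 0 when every host is approved.
unapproved() {
    allow=" $1 "
    found=0
    while read -r host; do
        [ -n "$host" ] || continue
        case "$allow" in
            *" $host "*) ;;
            *) echo "$host"; found=1 ;;
        esac
    done
    return "$found"
}

ALLOW="tick.usask.ca time.usask.ca 192.168.1.50"
printf '%s\n' "$SAMPLE_CONF" | conf_sources | unapproved "$ALLOW" || echo "chrony.conf violates policy"
printf '%s\n' "$SAMPLE_SOURCES" | live_sources | unapproved "$ALLOW" || echo "live sources violate policy"
```

On a Management Console host, replace the two printf commands with `cat /etc/chrony.conf` and `chronyc -n sources`; the -n flag makes chronyc print IP addresses instead of resolved hostnames, which avoids the tick.usask.ca/time.usask.ca mismatch shown above and the truncated names such as `stervandc01a.teradici.lo>`.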
Disabling Chrony
If required, disable chrony by issuing the following commands:
- `sudo systemctl stop chronyd` to stop the chronyd service.
- `sudo systemctl disable chronyd` to disable the chronyd service.
Issue the `systemctl status chronyd` command to confirm chrony is disabled.