
Chrony NTP Configuration

By default, the Management Console RPM based on Rocky Linux uses chrony as its NTP client, and the default configuration references public NTP servers. To configure chrony so that it does not communicate with external time servers and adheres to your company's security policy, consider the following actions:

  1. Refer to your security policy to ensure your NTP configuration complies with set standards. Considerations should include:

    • Confirming whether your company's DNS server provides an NTP server or server pool.

    • Removing public server pools from chrony.conf.

    • Adding your own public server pool to chrony.conf.

    • Disabling chrony.

  2. Review the current Management Console chrony configuration by entering the chronyc sources -v command from the Management Console's console. This provides a verbose listing of the NTP servers chrony is syncing to.

  3. Consider using internal NTP servers authorized by your company's security policy by editing the /etc/chrony.conf file.

Example

The following example shows how to view and edit an NTP configuration. In this example, the default NTP servers are commented out and replaced by other NTP servers.

  1. Check the currently used NTP servers using chronyc sources -v.

    [admin@localhost ~]$ chronyc sources -v
    
      .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
     / .- Source state '*' = current best, '+' = combined, '-' = not combined,
    | /             'x' = may be in error, '~' = too variable, '?' = unusable.
    ||                                                 .- xxxx [ yyyy ] +/- zzzz
    ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
    ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
    ||                                \     |          |  zzzz = estimated error.
    ||                                 |    |           \
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^+ 66-49-211-122.cpe.distri>     3   9   377   107  +1481us[+1481us] +/-   95ms
    ^+ stirling.fsck.ca              2  10   377   397  +1083us[+1083us] +/-   32ms
    ^+ 131.153.171.22                2  10   377   323  -1233us[-1233us] +/-   46ms
    ^* ntp2.torix.ca                 1  10   377   560  +1036us[+1213us] +/-   29ms
    [admin@localhost ~]$
    
  2. Edit the chrony.conf file to change the referenced NTP servers using the sudo vi chrony.conf command. In this example, the public tick.usask.ca and internal 192.168.1.50 NTP servers are added. The iburst option speeds up the first synchronization, and the prefer option tells chrony which NTP server you want it to use when available.

    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    # pool 2.rocky.pool.ntp.org iburst
    server tick.usask.ca iburst prefer
    server 192.168.1.50 iburst
    
    # Record the rate at which the system clock gains/losses time.
    driftfile /var/lib/chrony/drift
    
    # Allow the system clock to be stepped in the first three updates
    # if its offset is larger than 1 second.
    makestep 1.0 3
    
    # Enable kernel synchronization of the real-time clock (RTC).
    rtcsync
    
    # Enable hardware timestamping on all interfaces that support it.
    #hwtimestamp *
    
    # Increase the minimum number of selectable sources required to adjust
    # the system clock.
    #minsources 2
    
    # Allow NTP client access from local network.
    #allow 192.168.0.0/16
    
    # Serve time even if not synchronized to a time source.
    #local stratum 10
    
    # Specify file containing keys for NTP authentication.
    keyfile /etc/chrony.keys
    
    # Get TAI-UTC offset and leap seconds from the system tz database.
    leapsectz right/UTC
    
    # Specify directory for log files.
    logdir /var/log/chrony
    
    # Select which information is logged.
    #log measurements statistics tracking
    
  3. Restart chrony for the changes to take effect using the command sudo systemctl restart chronyd.

  4. Confirm that the new configuration in the chrony.conf file is in use by running chronyc sources -v again.

    [admin@localhost etc]$ chronyc sources -v
    
      .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
     / .- Source state '*' = current best, '+' = combined, '-' = not combined,
    | /             'x' = may be in error, '~' = too variable, '?' = unusable.
    ||                                                 .- xxxx [ yyyy ] +/- zzzz
    ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
    ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
    ||                                \     |          |  zzzz = estimated error.
    ||                                 |    |           \
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* tick.usask.ca                 1   6    17    41  +3545ns[  +33us] +/-   13ms
    ^- 192.168.1.50                  3   6    17    40   +411us[ +411us] +/-  126ms
    [admin@localhost ~]$
    
  5. View the status in real time using the command watch chronyc tracking.

    [admin@localhost etc]$ watch chronyc tracking
    Every 2.0s: chronyc tracking                                                                                                     
    localhost.localdomain: Wed Mar  6 11:52:27 2024
    
    Reference ID    : 80E99AF5 (tick.usask.ca)
    Stratum         : 2
    Ref time (UTC)  : Wed Mar 06 11:52:18 2024
    System time     : 0.000002575 seconds slow of NTP time
    Last offset     : +0.000002259 seconds
    RMS offset      : 0.000026505 seconds
    Frequency       : 25.173 ppm slow
    Residual freq   : +0.000 ppm
    Skew            : 0.168 ppm
    Root delay      : 0.025361167 seconds
    Root dispersion : 0.000044461 seconds
    Update interval : 64.6 seconds
    Leap status     : Normal
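
To check an edited chrony.conf against policy before restarting chronyd, the following script lists every active server, pool or peer entry that is not on an approved list. It is an added example, not part of the Management Console or chrony; the function name audit_chrony_sources and the policy that only 192.168.1.50 is approved are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag active time sources in a chrony config that are not on
# an approved list. The approved list below is a constructed policy.

# audit_chrony_sources CONF ALLOWED...
# Prints "directive host" for each uncommented server/pool/peer line whose
# host is not in ALLOWED. Returns 0 when all are approved, 1 otherwise.
audit_chrony_sources() {
    local conf allowed directive host rest bad
    conf=$1; shift
    allowed=" $* "
    bad=0
    while read -r directive host rest || [ -n "$directive" ]; do
        case $directive in
            server|pool|peer) ;;
            *) continue ;;          # comments, blank lines, other directives
        esac
        case $allowed in
            *" $host "*) ;;
            *) printf '%s %s\n' "$directive" "$host"; bad=1 ;;
        esac
    done < "$conf"
    return "$bad"
}

# Constructed sample: source-related lines from the chrony.conf shown above.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# pool 2.rocky.pool.ntp.org iburst
server tick.usask.ca iburst prefer
server 192.168.1.50 iburst
#allow 192.168.0.0/16
keyfile /etc/chrony.keys
EOF

# Hypothetical policy: only the internal server 192.168.1.50 is approved.
if audit_chrony_sources "$sample" 192.168.1.50; then
    echo "all sources approved"
else
    echo "unapproved sources listed above"
fi
```

On a real system, pass /etc/chrony.conf as the first argument. Sources pulled in through include, confdir or sourcedir directives are not followed and need a separate pass.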
    

Disabling Chrony

If required, disable chrony by issuing the following commands:

  1. sudo systemctl stop chronyd to stop the chronyd service.

  2. sudo systemctl disable chronyd to disable the chronyd service.

Issue the systemctl status chronyd command to confirm chrony is disabled.