Note: This is an RHCSA 7 exam objective and an RHCE 7 exam objective.
Presentation
NTP (Network Time Protocol) is a protocol that keeps server clocks synchronized: one or several master servers provide time to client servers, which can themselves provide time to other client servers (the notion of stratum).
This tutorial deals with client side configuration, even though server configuration is not entirely different.
Two main packages are used in RHEL 7 to set up the client side:
- ntp: this is the classic package, already existing in RHEL 6, RHEL 5, etc. It can be used either as an NTP client or as a server.
- chrony: this is a new solution better suited for portable PCs or machines with network connection problems (time synchronization is quicker). It is mainly used as an NTP client. chrony is the default package in RHEL 7 (a recent security audit has shown that chrony is pretty well written and secure).
Caution: ntpd and chronyd shouldn’t run at the same time. Choose one and only one of them! There are reports from RHCE candidates noting that one of them is purposely already running at the beginning of the exam.
Prerequisites
Before anything else, you need to assign the correct time zone.
To get the current configuration, type:
# timedatectl
      Local time: Sat 2015-11-07 08:17:33 EST
  Universal time: Sat 2015-11-07 13:17:33 UTC
        RTC time: Sat 2015-11-07 13:17:33
        Timezone: America/New_York (EST, -0500)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-11-01 01:59:59 EDT
                  Sun 2015-11-01 01:00:00 EST
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-13 01:59:59 EST
                  Sun 2016-03-13 03:00:00 EDT
To get the list of all the available time zones, type:
# timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
...
America/La_Paz
America/Lima
America/Los_Angeles
...
Asia/Seoul
Asia/Shanghai
Asia/Singapore
...
Pacific/Tongatapu
Pacific/Wake
Pacific/Wallis
Finally, to set a specific time zone (here America/Los_Angeles), type:
# timedatectl set-timezone America/Los_Angeles
Then, to check your new configuration, type:
# timedatectl
      Local time: Sat 2015-11-07 05:32:43 PST
  Universal time: Sat 2015-11-07 13:32:43 UTC
        RTC time: Sat 2015-11-07 13:32:43
        Timezone: America/Los_Angeles (PST, -0800)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-11-01 01:59:59 PDT
                  Sun 2015-11-01 01:00:00 PST
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-13 01:59:59 PST
                  Sun 2016-03-13 03:00:00 PDT
The NTP Package
Install the NTP package:
# yum install -y ntp
Activate the NTP service at boot:
# systemctl enable ntpd
Start the NTP service:
# systemctl start ntpd
The NTP configuration is in the /etc/ntp.conf file:
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
Note: For a basic configuration, only the server directives may need to change, to point at a different set of master time servers than the defaults.
To get some information about the time synchronization process, type:
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*y.ns.gin.ntt.ne 192.93.2.20      2 u   47   64  377   27.136    6.958  11.322
+ns1.univ-montp3 192.93.2.20      2 u   45   64  377   34.836   -0.009  11.463
+merlin.ensma.ne 193.204.114.232  2 u   48   64  377   34.586    4.443  11.370
+obsidian.ad-not 131.188.3.220    2 u   50   64  377   22.548    4.256  12.077
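One way to turn the ntpq -p table above into a pass/fail check, as an added example that is not part of the original tutorial. The function name ntpq_health, the offset limits and the last sample row (stale.example) are assumptions; the other rows are the output shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial): judge `ntpq -p` output.
# Sample: the peer table shown above plus one constructed unreachable source.
sample_ntpq() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*y.ns.gin.ntt.ne 192.93.2.20      2 u   47   64  377   27.136    6.958  11.322
+ns1.univ-montp3 192.93.2.20      2 u   45   64  377   34.836   -0.009  11.463
+merlin.ensma.ne 193.204.114.232  2 u   48   64  377   34.586    4.443  11.370
+obsidian.ad-not 131.188.3.220    2 u   50   64  377   22.548    4.256  12.077
 stale.example   .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# ntpq_health [MAX_OFFSET_MS] : reads `ntpq -p` output on stdin.
# Exit 0 when a system peer ("*") is selected and its offset is within the
# limit (assumed default: 100 ms); exit 1 otherwise. Other sources only warn.
ntpq_health() {
    awk -v max="${1:-100}" '
        # reach is an octal bitmask of the last 8 polls; count the set bits.
        function polls_ok(oct,    i, n, c) {
            n = 0
            for (i = 1; i <= length(oct); i++) n = n * 8 + substr(oct, i, 1)
            for (c = 0; n > 0; n = int(n / 2)) c += n % 2
            return c
        }
        /^=+$/ { body = 1; next }          # rows start after the ruler
        !body || NF == 0 { next }
        {
            tally = substr($0, 1, 1)       # column 1 is the tally code
            sub(/^./, "")                  # drop it so the fields line up
            ok = polls_ok($7)
            if (tally == "*") { peer = $1; off = $9; peer_ok = ok }
            else if (ok == 0) print "WARN " $1 " unreachable (reach=" $7 ")"
            else if (tally == "x" || tally == "-")
                print "WARN " $1 " rejected by selection (tally " tally ")"
        }
        END {
            if (peer == "") { print "FAIL no system peer selected"; exit 1 }
            mag = (off + 0 < 0) ? -off : off + 0
            line = peer " offset=" off "ms polls_ok=" peer_ok "/8"
            if (mag > max + 0) { print "FAIL " line; exit 1 }
            print "SYNCED " line
        }'
}

sample_ntpq | ntpq_health 50
```

On a live system the input would be `ntpq -p | ntpq_health 50`; a reach of 377 means the last eight polls were all answered.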
Alternatively, to get a basic report, type:
# ntpstat
synchronised to NTP server (129.250.35.251) at stratum 3
   time correct to within 60 ms
   polling server every 64 s
To quickly synchronize a server, type:
# systemctl stop ntpd
# ntpdate pool.ntp.org
 5 Jul 10:36:58 ntpdate[2190]: adjust time server 95.81.173.74 offset -0.005354 sec
# systemctl start ntpd
The Chrony Package
Alternatively, you can install the new Chrony service that is quicker to synchronize clocks in mobile and virtual systems.
Install the Chrony service:
# yum install -y chrony
Activate the Chrony service at boot:
# systemctl enable chronyd
Start the Chrony service:
# systemctl start chronyd
The Chrony configuration is in the /etc/chrony.conf file:
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
# Ignore stratum in source selection.
stratumweight 0
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Enable kernel RTC synchronization.
rtcsync
# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3
# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
# Specify the key used as password for chronyc.
commandkey 1
# Generate command key if missing.
generatecommandkey
# Disable logging of client accesses.
noclientlog
# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5
logdir /var/log/chrony
Note: For a basic configuration, only the server directives may need to change, to point at a different set of master time servers than the defaults.
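The change described in the two notes above (for /etc/ntp.conf and /etc/chrony.conf alike), as an added example that is not part of the original tutorial. The function name set_time_servers, the .orig backup suffix and the server name ntp1.example.com are assumptions, and the sample is a constructed excerpt of the chrony.conf shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial): repoint ntp.conf or chrony.conf.
# Constructed excerpt of the chrony.conf shown above, for trying it safely.
sample_chrony_conf() {
cat <<'EOF'
# Use public servers from the pool.ntp.org project.
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
EOF
}

# set_time_servers CONF SERVER...
# Comments out every active "server" line that is not in the list, appends
# the missing ones with iburst, and leaves all other directives untouched.
# The first run keeps the pristine file as CONF.orig; reruns change nothing.
set_time_servers() {
    conf=$1
    [ -f "$conf" ] && [ $# -ge 2 ] || return 2
    shift
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 1
    new=$(awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 == "server" && ($2 in need) { delete need[$2]; print; next }
        $1 == "server"                 { print "#" $0; next }
        { print }
        END { for (i = 1; i <= n; i++)
                  if (w[i] in need) print "server " w[i] " iburst" }
    ' "$conf") || return 1
    # Write through the existing inode so owner, mode and SELinux label stay.
    printf '%s\n' "$new" > "$conf"
}

# Try it on a scratch copy; ntp1.example.com is a placeholder name.
scratch=$(mktemp)
sample_chrony_conf > "$scratch"
set_time_servers "$scratch" ntp1.example.com && cat "$scratch"
rm -f "$scratch" "$scratch.orig"
```

Restart the daemon afterwards (systemctl restart ntpd or systemctl restart chronyd) so that it rereads the file.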
To get information about the main time reference, type:
# chronyc tracking
Reference ID    : 94.23.44.157 (merzhin.deuza.net)
Stratum         : 3
Ref time (UTC)  : Thu Jul  3 22:26:27 2014
System time     : 0.000265665 seconds fast of NTP time
Last offset     : 0.000599796 seconds
RMS offset      : 3619.895751953 seconds
Frequency       : 0.070 ppm slow
Residual freq   : 0.012 ppm
Skew            : 0.164 ppm
Root delay      : 0.030609 seconds
Root dispersion : 0.005556 seconds
Update interval : 1026.9 seconds
Leap status     : Normal
To get equivalent information to the ntpq command, type:
# chronyc sources -v
210 Number of sources = 4
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||                                                /   xxxx = adjusted offset,
||         Log2(Polling interval) -.             |    yyyy = measured offset,
||                                  \            |    zzzz = estimated error.
||                                   |           |
MS Name/IP address           Stratum Poll Reach LastRx Last sample
===============================================================================
^+ merlin.ensma.fr               2   6    77    61   +295us[+1028us] +/-   69ms
^* lafkor.de                     2   6    77    61  -1371us[ -638us] +/-   65ms
^+ kimsuflol.iroqwa.org          3   6    77    61   -240us[ -240us] +/-   92ms
^+ merzhin.deuza.net             2   6    77    61    +52us[  +52us] +/-   48ms
# chronyc sourcestats -v
210 Number of sources = 4
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
merlin.ensma.fr             7   5   200      0.106      6.541   +381us   176us
lafkor.de                   7   4   199      0.143     10.145   -916us   290us
kimsuflol.iroqwa.org        7   7   200     -0.298      6.717    +69us   184us
merzhin.deuza.net           7   5   200      0.585     11.293   +675us   314us
To quickly synchronize a server, type:
# ntpdate pool.ntp.org
 5 Jul 10:31:06 ntpdate[2135]: step time server 193.55.167.1 offset 121873.493146 sec
Note: You don’t need to stop the Chrony service to synchronize the server.
Additional Resources
You can read these Red Hat articles about leap seconds management, how to resolve leap second issues or the differences between NTP and PTP.
The xmodulo website provides a tutorial on How to set up NTP server in CentOS.
Documentation about NTP is available at the NTP Documentation Archive website and at the Tuxfamily website for Chrony.
In addition, you can read the reports from the Core Infrastructure Initiative conducting security audits of NTP and Chrony.
Beyond the exam objectives, virtualization can trigger problems (see this thread) and it is useful to know How to avoid VM clock drift.
You may also be interested in converting a Raspberry PI into a stratum 1 NTP server.
Some specific services may need to wait until the clock is synchronized: read this thread to know how to configure them.
For Peer configurations.
on master you must add the following into /etc/chrony.conf
# Allow NTP client access from local network.
allow 192.168.0.0/24
– copy the key file to the clients
– open up ntp service port firewall-cmd
On clients you must specify the following and disable “server” in /etc/chrony.conf
# Use Peer
peer 192.168.0.33
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Setting_up_chrony_for_different_environments.html
I’m going to update the tutorial with your information. Thanks.
Nice info. Thank you.
On centos 7.1 I did not need to copy the key.
To synchronize 192.168.122.7 with an external server as usual, while synchronizing 192.168.122.2 with 192.168.122.7, we can do as follows:
____________________________________________________
on 192.168.122.7:
vi /etc/chrony.conf
### add the following line:
allow 192.168.122.2
### or, to allow the whole subnet:
### allow 192.168.122.0/24
systemctl restart chronyd
firewall-cmd --permanent --add-service=ntp
firewall-cmd --reload
____________________________________________________
on 192.168.122.2:
vi /etc/chrony.conf
### comment out all “server … ” lines;
### add the following line:
peer 192.168.122.7
systemctl restart chronyd
after 3 minutes and 18 seconds my kvm guest 192.168.122.2 synchronizes with 192.168.122.7;
journalctl | grep chronyd
chronyd[433]: Selected source 192.168.122.7
chronyc tracking
Reference ID : 192.168.122.7
Leap status : Normal
____________________________________________________
If we want to synchronize immediately, then we put this line on a startup script, f.e. /etc/profile:
chronyc -a makestep
Hello Salvador,
Did you mean that client is 192.168.122.7 and NTP server is 192.168.122.2?
If yes, am I required to change on NTP server? I think no so can we solve this problem?
Also can I stop chrony and choose ntp instead or it is not recommended?
Thanks
Thank you salvador, I tried your tips. It worked like a charm. Thank you so much.
Do we really need to install ntpd? Why can`t we just use “timedatectl set-ntp true”?
The “timedatectl set-ntp true/false” command starts/stops the ntpd or chronyd daemon.
But you still need to install the ntp or chrony package, otherwise time will drift.
Hi Certdepot,
As per verification, think the ntpd and chronyd daemons should not coexist. Upon powering on my server, the ntpd daemon is dead but enabled while chronyd is running and enabled. I tried to start the ntpd daemon and the chronyd daemon became dead; see the output below. Looking forward to your advice.
# systemctl status ntpd
ntpd.service – Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
Active: inactive (dead)
# systemctl status chronyd
chronyd.service – NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
Active: active (running) since Sun 2015-06-28 05:24:18 PHT; 5min ago
Process: 761 ExecStartPost=/usr/libexec/chrony-helper add-dhclient-servers (code=exited, status=0/SUCCESS)
Process: 719 ExecStart=/usr/sbin/chronyd -u chrony $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 728 (chronyd)
CGroup: /system.slice/chronyd.service
└─728 /usr/sbin/chronyd -u chrony
Jun 28 05:24:17 client.example.com chronyd[728]: chronyd version 1.29.1 starting
Jun 28 05:24:17 client.example.com chronyd[728]: Linux kernel major=3 minor=10 patch=0
Jun 28 05:24:17 client.example.com chronyd[728]: hz=100 shift_hz=7 freq_scale=1.00000000 nominal_tick=10000 slew_delta_tick=833 max_tick_bias=1000 shift_pll=2
Jun 28 05:24:17 client.example.com chronyd[728]: Frequency 18.842 +/- 5.623 ppm read from /var/lib/chrony/drift
Jun 28 05:24:18 client.example.com systemd[1]: Started NTP client/server.
Jun 28 05:24:29 client.example.com chronyd[728]: Selected source 129.250.35.251
# systemctl start ntpd
# systemctl status ntpd
ntpd.service – Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
Active: active (running) since Sun 2015-06-28 05:29:43 PHT; 3s ago
Process: 3067 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 3068 (ntpd)
CGroup: /system.slice/ntpd.service
└─3068 /usr/sbin/ntpd -u ntp:ntp -g
Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 3 enp0s3 192.168.200.106 UDP 123
Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 4 virbr0 192.168.122.1 UDP 123
Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 5 lo ::1 UDP 123
Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 6 enp0s3 fe80::a00:27ff:fe16:46e4 UDP 123
Jun 28 05:29:43 client.example.com ntpd[3068]: Listening on routing socket on fd #23 for interface updates
Jun 28 05:29:43 client.example.com ntpd[3068]: 0.0.0.0 c016 06 restart
Jun 28 05:29:43 client.example.com ntpd[3068]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Jun 28 05:29:43 client.example.com ntpd[3068]: 0.0.0.0 c011 01 freq_not_set
Jun 28 05:29:44 client.example.com ntpd[3068]: 0.0.0.0 c614 04 freq_mode
# systemctl status chronyd
chronyd.service – NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
Active: inactive (dead) since Sun 2015-06-28 05:29:43 PHT; 6s ago
Process: 761 ExecStartPost=/usr/libexec/chrony-helper add-dhclient-servers (code=exited, status=0/SUCCESS)
Process: 719 ExecStart=/usr/sbin/chronyd -u chrony $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 728 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/chronyd.service
Jun 28 05:24:17 client.example.com chronyd[728]: chronyd version 1.29.1 starting
Jun 28 05:24:17 client.example.com chronyd[728]: Linux kernel major=3 minor=10 patch=0
Jun 28 05:24:17 client.example.com chronyd[728]: hz=100 shift_hz=7 freq_scale=1.00000000 nominal_tick=10000 slew_delta_tick=833 max_tick_bias=1000 shift_pll=2
Jun 28 05:24:17 client.example.com chronyd[728]: Frequency 18.842 +/- 5.623 ppm read from /var/lib/chrony/drift
Jun 28 05:24:18 client.example.com systemd[1]: Started NTP client/server.
Jun 28 05:24:29 client.example.com chronyd[728]: Selected source 129.250.35.251
Jun 28 05:29:43 client.example.com systemd[1]: Stopping NTP client/server…
Jun 28 05:29:43 client.example.com systemd[1]: Stopped NTP client/server.
It is clear that two processes speaking the same protocol and running on the same host get into trouble.
Also, what would be the benefit?
Thanks CertDepot does this means that I can already remove the ntpd package? and stick with chronyd?
Yes, absolutely.
From where can i find the solution to the task of the day questions?
Solutions to the task of the day are available through all the website tutorials!
chrony: this is a new solution better suited for portable PC or servers with chrony is the default package in RHEL 7.
Hi CertDepot,
You mentioned that chrony is the default package in RHEL 7, but based on your tutorials, why do we need to install the package? 🙂 Thanks!
Yes, you are right, I could have written “if not already installed!” 😉
Okay thanks. 🙂
If I have a virtual machine on a physical machine and I want the virtual machine to point to the physical host machine for its NTP service, when I edit the /etc/chrony.conf file, do I just append the physical host computers IP address into the “server pool” section?
I would append, “server 192.x.x.x iburst” ?
Yes, it should work.
I tried doing just that but after I restart the chronyd service and run chronyc sources -v, the output shows that the server is unreachable. I even disabled the pre-set NTP servers in that config file, so my physical machine is the only source it’s looking to for NTP services.
If I run a timedatectl I can see that NTP is enabled but NTP synchronized is set to no.
Do I need to install ntp? I thought I shouldn’t have both ntp or chronyd installed at once.
You can synchronize either by ntpd or chronyd but not both at the same time.
It’s perhaps something with your bridge configuration.
Is it the standard configuration with virbr0 or did you do something special?
I originally had it point to my eth0 IP address. I changed it to the virbr0 but I’m still getting the same issue. I don’t have an NTP server on my physical machine. Also how do I turn on NTP synchronized to yes?
You don’t have an NTP server on your physical machine???
The physical machine has the default NTP servers enabled on it. I removed those default NTP servers from the virtual machine and added my physical machine’s IP address in the pool server section of the /etc/chrony.conf file
Check your firewalld configuration on the virtual machine and the iptable configuration on the KVM host.
If the exam question says set up ntp client and a FQDN/IP is provided, does this mean either ntpd or chrony can be used? Also provide steps to add the new ntp source. thanks
Yes, ntpd and chronyd should be both valid.
ntp source addition procedures are pretty similar in ntpd and chronyd. The information should be displayed in the tutorials.
hi certdepot,
just wanna ask if can i do
yum install system-config-date
check BOX = synchronize date and time over the network?
is this a valid approach for the objective?
I would advise you to mainly use the command line interface and edit the /etc/ntp.conf file.
Hi
Should I use this command “timedatectl set-ntp true”, when configuring my server as a client for ntp server using chrony package.
To be honest, I haven’t seen the interest of this command.
You can use it but it isn’t required when setting up ntpd or chronyd.
If somebody knows more, please share!
Hi,
Should I uncomment the below lines on the exam, and add the new one for the exam if I asked to configure time service with chronyd:
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
If you are given new servers details, yes. Otherwise, don’t change anything on this part.
I understand, if asked to synch the local system with this abc.d.com , then I should uncomment the lines.
However, if they ask to only configure the local system as a client to abc.d.com , then there is no need to uncomment the lines.
Am I correct? Please advise.
If asked to synch the local system with a time server at abc.d.com, comment out the “server X.centos.pool.ntp.org iburst” lines and add “server abc.d.com” in the configuration file.
Hi CertDepot,
First of all thanks so much for your site.
It is very helpful to pass my rhcsa.. 🙂
Even though I passed I don’t understand why I cannot resolve the issue in chronyd service? I checked that chronyd is installed. Try to mask the ntpd service but to no avail still I cannot start the chronyd service?
I can enable it but it cannot be started 🙁
On this I just used ntpd service instead.
Do you have any idea why it cannot be started? 🙂
Again thanks bro.. 🙂
if we are given a new server to set up ntp on which part of the conf file should we insert it? are we supposed to comment out a line? thanks
You are supposed to change what is necessary in the /etc/ntp.conf file.
either /etc/ntp.conf or /etc/chrony.conf depend on what are you using ntpd or chronyd?
Yes.
Hi Certdepot
I have been working around ntpd and chronyd with your steps as one of my sources
I am running on a “lab” computer (girlfriend’s old Macbook that was gathering dust :p ) with no external network access.
Therefore I needed to set up a “master” ntp server, I did this on my host, using instructions from here:
https://www.borngeek.com/2008/04/03/using-ntp-on-a-private-network/
After this, and pointing my first VM at it as the only time source, enabling ntpd etc, I would run ntpstat which would show as synchronized. The temp fix was
systemctl stop ntpd && ntpdate host1.example.com && systemctl start ntpd
However that failed on next reboot.
Luckily there is also an ntpdate service. Inspecting /usr/lib/systemd/system/ntpd.service, it looks like ntpd is configured to run after ntpdate.service; so that’s a dependency, right? However it was only after I explicitly enabled ntpdate with systemctl enable ntpdate, that my server would be synchronised quickly after a reboot.
chronyd seems to do the job from what I can see for all the RHCE requirement, but I want to get a handle on both.
Any thoughts?
When you use ntpd, you have to check that your computer isn’t more than 1024 seconds late compared to the NTP master’s, otherwise it doesn’t synchronize its clock. It’s for this reason that ntpdate is used. It synchronizes the computer’s clock with the master NTP’s before ntpd starts.
Chronyd doesn’t react the same way and doesn’t need ntpdate.
Hello guys should I expect on the exam to find “sync to a net time” so I will be able to choose ntpd or chronyd or there will be a specific question? For example “use ntpd”?
You should be able to choose software to configure a system to use time services.