Chrony Time Synchronization: Complete Guide and Implementation
Table of Contents
1. [Introduction](#introduction)
2. [Architecture and Components](#architecture-and-components)
3. [Installation](#installation)
4. [Configuration](#configuration)
5. [Commands and Operations](#commands-and-operations)
6. [Monitoring and Troubleshooting](#monitoring-and-troubleshooting)
7. [Advanced Configuration](#advanced-configuration)
8. [Security Considerations](#security-considerations)
9. [Performance Optimization](#performance-optimization)
10. [Best Practices](#best-practices)

Introduction
Chrony is a versatile implementation of the Network Time Protocol (NTP) designed for systems that are not online all the time or have intermittent network connectivity. It consists of two main programs: chronyd (the daemon) and chronyc (the command-line interface). Chrony is particularly effective at synchronizing system clocks with high accuracy and can adapt quickly to changing network conditions.
Key Features
| Feature | Description |
|---------|-------------|
| Fast Convergence | Quickly synchronizes time even after long periods offline |
| Intermittent Connectivity | Handles networks with variable connectivity well |
| Low Resource Usage | Minimal CPU and memory footprint |
| Hardware Timestamping | Supports hardware timestamping for improved accuracy |
| Flexible Configuration | Extensive configuration options for various scenarios |
| Security Features | Authentication and access control capabilities |
Advantages over Traditional NTP
| Aspect | Chrony | Traditional NTP |
|--------|--------|-----------------|
| Startup Time | Fast synchronization on startup | Slower initial synchronization |
| Offline Handling | Maintains accuracy during offline periods | Less effective offline handling |
| Virtual Machines | Better performance in virtualized environments | May struggle with VM time drift |
| Mobile Devices | Optimized for intermittent connectivity | Designed for always-on systems |
| Memory Usage | Lower memory footprint | Higher resource consumption |
Architecture and Components
Core Components
chronyd (Daemon)

The chronyd daemon is the core component responsible for:
- Maintaining system clock synchronization
- Communicating with NTP servers
- Handling local clock adjustments
- Managing reference sources
- Providing time services to clients

chronyc (Client)

The chronyc client provides:
- Command-line interface for daemon control
- Real-time monitoring capabilities
- Configuration management
- Diagnostic tools
Process Flow
```
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   NTP Servers   │───▶│     chronyd      │───▶│  System Clock   │
└─────────────────┘    │     (Daemon)     │    └─────────────────┘
                       └──────────────────┘
                                │
                                ▼
                       ┌──────────────────┐
                       │     chronyc      │
                       │     (Client)     │
                       └──────────────────┘
```
Installation
Red Hat/CentOS/Fedora Systems
```bash
# Install chrony package
sudo dnf install chrony

# For older systems using yum
sudo yum install chrony

# Enable and start the service
sudo systemctl enable chronyd
sudo systemctl start chronyd

# Verify installation
rpm -qa | grep chrony
```

Debian/Ubuntu Systems
```bash
# Update package repository
sudo apt update

# Install chrony
sudo apt install chrony

# Enable and start the service
sudo systemctl enable chrony
sudo systemctl start chrony

# Verify installation
dpkg -l | grep chrony
```

SUSE/openSUSE Systems
```bash
# Install chrony package
sudo zypper install chrony

# Enable and start the service
sudo systemctl enable chronyd
sudo systemctl start chronyd
```

Verification Commands
```bash
# Check service status
sudo systemctl status chronyd

# Verify chrony is running
ps aux | grep chronyd

# Check listening ports
sudo netstat -tulpn | grep chronyd

# View basic synchronization status
chronyc tracking
```

Configuration
Main Configuration File
The primary configuration file is located at /etc/chrony.conf (or /etc/chrony/chrony.conf on some distributions).
Basic Configuration Structure
```bash
# /etc/chrony.conf
# NTP Server Configuration
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Drift file location
driftfile /var/lib/chrony/drift

# Real-time clock configuration
rtcsync

# Step threshold
makestep 1.0 3

# Allow NTP client access
allow 192.168.1.0/24

# Logging configuration
logdir /var/log/chrony
log measurements statistics tracking
```

Configuration Directives Explained
| Directive | Purpose | Example |
|-----------|---------|---------|
| server | Specify NTP servers | server pool.ntp.org iburst |
| pool | Use server pools | pool pool.ntp.org iburst |
| driftfile | Clock drift storage | driftfile /var/lib/chrony/drift |
| rtcsync | Sync hardware clock | rtcsync |
| makestep | Step threshold | makestep 1.0 3 |
| allow | Client access control | allow 192.168.0.0/16 |
| deny | Deny access | deny all |
| local | Local reference | local stratum 10 |
Server Configuration Options
```bash
# Basic server configuration
server time.example.com

# Server with options
server time.example.com iburst minpoll 4 maxpoll 10 maxdelay 0.1

# Prefer specific server
server primary.ntp.org prefer iburst

# Pool configuration
pool pool.ntp.org iburst maxsources 4
```

Server Option Parameters
| Option | Description | Default Value |
|--------|-------------|---------------|
| iburst | Send burst of packets on startup | N/A |
| minpoll | Minimum polling interval (log2 seconds) | 6 (64 seconds) |
| maxpoll | Maximum polling interval (log2 seconds) | 10 (1024 seconds) |
| maxdelay | Maximum acceptable delay | No limit |
| maxdist | Maximum acceptable dispersion | No limit |
| prefer | Prefer this source | N/A |
| trust | Trust this source | N/A |
| require | Require this source | N/A |
Access Control Configuration
```bash
# Allow access from local network
allow 192.168.1.0/24
allow 10.0.0.0/8

# Deny access from specific hosts
deny 192.168.1.100

# Allow all (not recommended for security)
allow all

# Deny all except explicitly allowed
deny all
allow 127.0.0.1
allow ::1
```

Logging Configuration
```bash
# Set log directory
logdir /var/log/chrony

# Enable specific log types
log measurements statistics tracking refclocks tempcomp

# Write the column-heading banner every 32 log lines
logbanner 32

# Detailed logging options (chrony.conf comments must be on their own line)
# Records time measurements
log measurements
# Records statistical information
log statistics
# Records tracking information
log tracking
# Records RTC information
log rtc
# Records reference clock information
log refclocks
```

Commands and Operations
chronyc Command Structure
```bash
# Basic syntax
chronyc [options] [command]

# Interactive mode
chronyc

# Non-interactive mode
chronyc "command"
```

Essential chronyc Commands
#### System Status Commands
```bash
# Display tracking information
chronyc tracking

# Show current time sources
chronyc sources

# Verbose source information
chronyc sources -v

# Show source statistics
chronyc sourcestats

# Display system activity
chronyc activity
```

#### Time Synchronization Commands
```bash
# Force immediate synchronization
chronyc makestep

# Manually adjust time
chronyc manual on
chronyc manual off

# Burst mode for faster sync
chronyc burst 4/4

# Online/offline source control
chronyc online [source]
chronyc offline [source]
```

#### Monitoring Commands
```bash
# Display current system clock status
chronyc tracking

# Show NTP measurements
chronyc ntpdata [source]

# Display authentication information
chronyc authdata

# Show client connections
chronyc clients

# Display server statistics
chronyc serverstats
```

Command Output Interpretation
#### chronyc tracking Output
```bash
$ chronyc tracking
Reference ID    : A29FC87B (pool-162-159-200-123.bstnma.fios.verizon.net)
Stratum         : 3
Ref time (UTC)  : Thu Dec 07 15:30:45 2023
System time     : 0.000123456 seconds fast of NTP time
Last offset     : -0.000087654 seconds
RMS offset      : 0.000234567 seconds
Frequency       : 15.432 ppm slow
Residual freq   : -0.003 ppm
Skew            : 0.012 ppm
Root delay      : 0.023456789 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.2 seconds
Leap status     : Normal
```
| Field | Description |
|-------|-------------|
| Reference ID | IP or identifier of current reference |
| Stratum | Distance from primary time source |
| System time | Current offset from NTP time |
| Last offset | Most recent time adjustment |
| RMS offset | Root mean square of recent offsets |
| Frequency | Clock frequency adjustment |
| Root delay | Network delay to reference |
| Update interval | Time between updates |
#### chronyc sources Output
```bash
$ chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ time.cloudflare.com           3   6   377    45  -1234us[-1234us] +/-   15ms
^* pool-1.ntp.org                2   6   377    46   +567us[ +890us] +/-   25ms
^+ ntp.ubuntu.com                3   7   377    92  -2345us[-2345us] +/-   35ms
^? time.nist.gov                 1   6   377   123   +123us[ +123us] +/-   45ms
```
| Symbol | Meaning |
|--------|---------|
| ^* | Current best source |
| ^+ | Good source, combined with best |
| ^? | Source with questionable accuracy |
| ^x | False ticker, discarded |
| ^~ | Too variable, discarded |
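
The state symbols and the Reach column can be checked automatically, which helps spot a time source that has started to disagree with the others or to drop replies. The script below is an added example, not part of the original guide or of chrony itself; the host names, the sample output and the finding labels (`FALSETICKER`, `MISSED_POLLS`, ...) are constructed for illustration.

```bash
#!/bin/sh
# Constructed sample in the layout of `chronyc sources` (hypothetical hosts).
sample_sources() {
cat <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp-a.example.net             2   6   377    46   +567us[ +890us] +/-   25ms
^+ ntp-b.example.net             3   6   377    45  -1234us[-1234us] +/-   15ms
^x ntp-c.example.net             2   6   377    50    +95ms[  +95ms] +/-   20ms
^? ntp-d.example.net             0   6     0     -     +0ns[   +0ns] +/-    0ns
^+ ntp-e.example.net             3   6   357    44   -210us[ -210us] +/-   30ms
EOF
}

# audit_sources: read `chronyc sources` text on stdin, print one finding per line.
audit_sources() {
awk '
  # Reach is an octal register of the last 8 polls; count the bits that are set.
  function answered(oct,    i, d, n) {
    n = 0
    for (i = 1; i <= length(oct); i++) {
      d = substr(oct, i, 1) + 0
      n += (d >= 4) + (int(d / 2) % 2) + (d % 2)
    }
    return n
  }
  # Source rows start with a mode character (^ = #) followed by the state symbol.
  length($1) == 2 && index("^=#", substr($1, 1, 1)) > 0 {
    state = substr($1, 2, 1); name = $2; reach = $5
    if (state == "*") selected++
    if (state == "x") print "FALSETICKER " name
    if (state == "~") print "TOO_VARIABLE " name
    if (state == "?") print "QUESTIONABLE " name
    if (reach != "377") print "MISSED_POLLS " name " " answered(reach) "/8"
  }
  END { if (!selected) print "NO_SELECTED_SOURCE" }
'
}

sample_sources | audit_sources
```

On a live host, pipe the real command into the same function: `chronyc sources | audit_sources`.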
Advanced Command Examples
#### Detailed Source Analysis
```bash
# Comprehensive source information
chronyc sources -v

# Source statistics with details
chronyc sourcestats -v

# NTP packet information
chronyc ntpdata pool.ntp.org

# Authentication status
chronyc authdata
```

#### Manual Time Adjustments
```bash
# Enable manual mode
chronyc manual on

# Discard all manual samples
chronyc manual reset

# Disable manual mode
chronyc manual off

# Delete manual sample 0
chronyc manual delete 0
```

#### Configuration Management
```bash
# Apply configuration file changes (chronyd reads chrony.conf only at startup)
sudo systemctl restart chronyd

# Add new server temporarily
chronyc add server time.example.com

# Remove server
chronyc delete time.example.com

# Modify server parameters
chronyc maxpoll time.example.com 8
```

Monitoring and Troubleshooting
Log File Analysis
#### Main Log Locations
| Distribution | Log Path |
|--------------|----------|
| RHEL/CentOS/Fedora | /var/log/chrony/ |
| Debian/Ubuntu | /var/log/chrony/ |
| SUSE/openSUSE | /var/log/chrony/ |
| systemd journal | journalctl -u chronyd |
#### Log File Types
```bash
# Measurements log
tail -f /var/log/chrony/measurements.log

# Statistics log
tail -f /var/log/chrony/statistics.log

# Tracking log
tail -f /var/log/chrony/tracking.log

# System journal
journalctl -u chronyd -f
```

Common Issues and Solutions
#### Issue: Time Not Synchronizing
```bash
# Check service status
sudo systemctl status chronyd

# Verify network connectivity
chronyc sources

# Check for firewall issues
sudo firewall-cmd --list-all

# Query the pool and print the offset without setting the clock
sudo chronyd -Q 'pool pool.ntp.org iburst'
```

#### Issue: High Time Offset
```bash
# Check current tracking
chronyc tracking

# Force step adjustment
sudo chronyc makestep

# Verify hardware clock
sudo hwclock --show

# Check for VM time drift
dmesg | grep -i time
```

#### Issue: Sources Not Reachable
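```bash
# Test DNS resolution
nslookup pool.ntp.org

# Check network routes
traceroute pool.ntp.org

# Verify NTP port access (NTP uses UDP port 123, so a TCP telnet test cannot confirm it)
sudo chronyd -Q 'server pool.ntp.org iburst'

# Review firewall rules (-n prints port numbers instead of service names)
sudo iptables -L -n | grep 123
```

Performance Monitoring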
#### Key Metrics to Monitor
| Metric | Command | Acceptable Range |
|--------|---------|------------------|
| Time Offset | chronyc tracking | < 100ms |
| Root Delay | chronyc tracking | < 200ms |
| Root Dispersion | chronyc tracking | < 100ms |
| Frequency Error | chronyc tracking | < 100 ppm |
| Source Reachability | chronyc sources | 377 (octal) |
#### Monitoring Scripts
```bash
#!/bin/bash
# chrony-monitor.sh

# Check chrony daemon status
if ! systemctl is-active --quiet chronyd; then
    echo "ERROR: chronyd is not running"
    exit 1
fi

# Get tracking information
tracking_output=$(chronyc tracking)
offset=$(echo "$tracking_output" | grep "System time" | awk '{print $4}')
stratum=$(echo "$tracking_output" | grep "Stratum" | awk '{print $3}')

# Check offset threshold
if (( $(echo "$offset > 0.1" | bc -l) )); then
    echo "WARNING: Time offset too high: $offset seconds"
fi

# Check stratum level
if [ "$stratum" -gt 5 ]; then
    echo "WARNING: Stratum level too high: $stratum"
fi

echo "Chrony status: OK"
```
Advanced Configuration
Hardware Timestamping
```bash
# Enable hardware timestamping
hwtimestamp eth0

# Check interface capabilities
ethtool -T eth0

# Configure in chrony.conf
hwtimestamp eth0 rxfilter all
```

PTP Integration
```bash
# Configure PTP reference
refclock PHC /dev/ptp0 poll 0 dpoll -2 offset 0

# PTP-specific options (ptpport enables NTP-over-PTP on UDP port 319)
ptpport 319
```

Leap Second Handling
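```bash
# Configure leap second file
leapsectz right/UTC

# Manual leap second insertion: chronyc has no command for this; chronyd takes
# leap second announcements from its sources or from leapsectz

# Leap second monitoring
chronyc tracking | grep "Leap status"
```

Multi-homed Systems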
```bash
# Bind to specific interface (only one bindaddress per address family is accepted)
bindaddress 192.168.1.100

# Interface-specific servers: the server directive has no per-network option,
# so the routing table selects the outgoing interface for each server
server time1.example.com
server time2.example.com
```

Virtual Machine Optimization
```bash
# VM-specific configuration
# Increase correction thresholds
makestep 1.0 -1

# Adjust polling intervals (minpoll and maxpoll are options of the server directive)
server time.example.com minpoll 0 maxpoll 4

# Enable corrections
corrtimeratio 100
```

Security Considerations
Authentication Configuration
```bash
# Generate a key (prints a line to add to the key file)
chronyc keygen 1 SHA1 160

# Configure authentication
keyfile /etc/chrony.keys

# Server with authentication
server secure.ntp.org key 1

# Key file format
# /etc/chrony.keys
1 SHA1 HEX:1234567890ABCDEF1234567890ABCDEF12345678
```

Access Control Security
```bash
# Restrictive access control
deny all
allow 127.0.0.1
allow ::1
allow 192.168.1.0/24

# Rate limiting
ratelimit interval 3 burst 8

# Command access restriction
bindcmdaddress 127.0.0.1
cmdallow 127.0.0.1
```

Firewall Configuration
```bash
# iptables rules
sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

# firewalld configuration
sudo firewall-cmd --add-service=ntp --permanent
sudo firewall-cmd --reload

# ufw configuration
sudo ufw allow ntp
```

Performance Optimization
Polling Optimization
| Scenario | minpoll | maxpoll | Rationale |
|----------|---------|---------|-----------|
| Servers | 4 | 10 | Balanced accuracy/load |
| Workstations | 6 | 10 | Reduced network usage |
| Virtual Machines | 0 | 4 | Handle time drift |
| Mobile Devices | 6 | 12 | Battery conservation |
Memory and CPU Optimization
```bash
# Limit memory usage
maxsamples 16
maxdrift 1000

# Reduce CPU usage (maxpoll and maxdelay are options of the server directive)
server time.example.com maxpoll 10 maxdelay 1

# Optimize for accuracy
minsamples 6
maxsamples 32
```

Network Optimization
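```bash
# Reduce network overhead
acquisitionport 0
port 0

# Optimize for WAN links (maxdelay is a server option, maxdistance a global directive)
server time.example.com maxdelay 0.3
maxdistance 16

# Local network optimization
server time.example.com maxdelay 0.01
maxdistance 1
```

Best Practices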
Configuration Best Practices
1. Use Multiple Sources: Configure at least 3-4 time sources for redundancy
2. Geographic Diversity: Use servers from different geographic locations
3. Stratum Consideration: Prefer lower stratum servers when possible
4. Local Servers: Use local time servers when available
Operational Best Practices
1. Regular Monitoring: Implement automated monitoring of time synchronization
2. Log Analysis: Regularly review chrony logs for issues
3. Update Management: Keep chrony updated to latest stable version
4. Backup Configuration: Maintain backup copies of configuration files
Security Best Practices
1. Access Control: Implement restrictive access control policies
2. Authentication: Use NTP authentication where supported
3. Firewall Rules: Configure appropriate firewall rules
4. Regular Audits: Conduct regular security audits of time infrastructure
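
A regular audit of the access-control, authentication and command-access settings can be scripted. The following is an added example, not part of the original guide or of chrony itself: it scans a chrony.conf for the weak settings this guide warns about, using two constructed sample configurations. The finding labels are made up for illustration, and treating the `nts` server option as authenticated is an assumption beyond what the guide covers.

```bash
# Constructed sample configurations (not taken from a real host).
weak_conf() {
cat <<'EOF'
server 0.pool.ntp.org iburst
allow all
bindcmdaddress 0.0.0.0
cmdallow 192.168.1.0/24
EOF
}

hardened_conf() {
cat <<'EOF'
server secure.ntp.org iburst key 1
keyfile /etc/chrony.keys
deny all
allow 192.168.1.0/24
ratelimit interval 3 burst 8
bindcmdaddress 127.0.0.1
cmdallow 127.0.0.1
EOF
}

# audit_chrony_conf: read chrony.conf text on stdin, print one finding per line.
audit_chrony_conf() {
awk '
  # Skip blank lines and comment lines (comments start with ! ; # or %).
  NF == 0 || index("!;#%", substr($1, 1, 1)) > 0 { next }
  $1 == "allow" {
    serving = 1
    if (NF == 1 || (NF == 2 && $2 == "all")) print "OPEN_NTP_ACCESS line " NR
  }
  $1 == "ratelimit" { limited = 1 }
  $1 == "cmdallow" && $2 != "127.0.0.1" && $2 != "::1" { print "REMOTE_CMD_ACCESS line " NR }
  # A leading slash would be a Unix socket path, which is local only.
  $1 == "bindcmdaddress" && $2 != "127.0.0.1" && $2 != "::1" && substr($2, 1, 1) != "/" {
    print "CMD_PORT_EXPOSED line " NR
  }
  $1 == "server" || $1 == "pool" {
    auth = 0
    for (i = 3; i <= NF; i++) if ($i == "key" || $i == "nts") auth = 1
    if (!auth) print "UNAUTHENTICATED_SOURCE line " NR " " $2
  }
  END { if (serving && !limited) print "NO_RATELIMIT" }
'
}

weak_conf | audit_chrony_conf
hardened_conf | audit_chrony_conf
```

The weak sample produces five findings and the hardened one none; on a real host run `audit_chrony_conf < /etc/chrony.conf`.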
Troubleshooting Best Practices
1. Systematic Approach: Follow systematic troubleshooting methodology
2. Documentation: Document configuration changes and issues
3. Testing: Test changes in non-production environments first
4. Rollback Plans: Maintain rollback procedures for configuration changes

This comprehensive guide provides the foundation for implementing and managing chrony time synchronization in various environments. Regular monitoring and maintenance ensure optimal performance and accuracy of time synchronization across your infrastructure.