Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 28. Configuring time synchronization by using RHEL system roles

The Network Time Protocol (NTP) and Precision Time Protocol (PTP) are standards to synchronize the clock of computers over a network. An accurate time synchronization in networks is important because certain services rely on it. For example, Kerberos tolerates only a small time difference between the server and client to prevent replay attacks.

You can set the time service to configure in the timesync_ntp_provider variable of a playbook. If you do not set this variable, the role determines the time service based on the following factors:

  • On RHEL 8 and later: chronyd
  • On RHEL 6 and 7: chronyd (default) or, if already installed ntpd.

28.1. Configuring time synchronization over NTP by using the timesync RHEL system role

The Network Time Protocol (NTP) synchronizes the time of a host with an NTP server over a network. In IT networks, services rely on a correct system time, for example, for security and logging purposes. By using the timesync RHEL system role, you can automate the configuration of Red Hat Enterprise Linux NTP clients in your network and keep the time synchronized.

Warning

The timesync RHEL system role replaces the configuration of the specified given or detected provider service on the managed host. Consequently, all settings are lost if they are not specified in the playbook.

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    Copy to Clipboard Toggle word wrap 
    ---
- name: Managing time synchronization
  hosts: managed-node-01.example.com
  tasks:
    - name: Configuring NTP with an internal server (preferred) and a public server pool as fallback
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.timesync
      vars:
        timesync_ntp_servers:
        - hostname: time.example.com
          trusted: yes
          prefer: yes
          iburst: yes
        - hostname: 0.rhel.pool.ntp.org
          pool: yes
          iburst: yes

    The settings specified in the example playbook include the following:

    pool: <yes|no>
    Flags a source as an NTP pool rather than an individual host. In this case, the service expects that the name resolves to multiple IP addresses which can change over time.
    iburst: yes
    Enables fast initial synchronization.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.timesync/README.md file on the control node.

  2. Validate the playbook syntax:

    Copy to Clipboard Toggle word wrap 
    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    Copy to Clipboard Toggle word wrap 
    $ ansible-playbook ~/playbook.yml

Verification

  • Display the details about the time sources:

    • If the managed node runs the chronyd service, enter:

      Copy to Clipboard Toggle word wrap 
      # ansible managed-node-01.example.com -m command -a 'chronyc sources'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.example.com              1  10   377   210   +159us[  +55us] +/-   12ms
^? ntp.example.org               2   9   377   409  +1120us[+1021us] +/-   42ms
^? time.us.example.net           2   9   377   992   -329us[ -386us] +/-   15ms
...

    • If the managed node runs the ntpd service, enter:

      Copy to Clipboard Toggle word wrap 
      # ansible managed-node-01.example.com -m command -a 'ntpq -p'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.example.com .PTB.           1 u    2   64   77   23.585  967.902   0.684
- ntp.example.or 192.0.2.17       2 u    -   64   77   27.090  966.755   0.468
+time.us.example 198.51.100.19    2 u   65   64   37   18.497  968.463   1.588
...

Additional resources

28.2. Configuring time synchronization over NTP with NTS by using the timesync RHEL system role

The Network Time Protocol (NTP) synchronizes the time of a host with an NTP server over a network. By using the Network Time Security (NTS) mechanism, clients establish a TLS-encrypted connection to the server and authenticate NTP packets. In IT networks, services rely on a correct system time, for example, for security and logging purposes. By using the timesync RHEL system role, you can automate the configuration of Red Hat Enterprise Linux NTP clients in your network and keep the time synchronized over NTS.

Note that you cannot mix NTS servers with non-NTS servers. In mixed configurations, NTS servers are trusted and clients do not fall back to unauthenticated NTP sources because they can be exploited in man-in-the-middle (MITM) attacks. For further details, see the authselectmode parameter description in the chrony.conf(5) man page on your system.

Warning

The timesync RHEL system role replaces the configuration of the specified given or detected provider service on the managed host. Consequently, all settings are lost if they are not specified in the playbook.

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    Copy to Clipboard Toggle word wrap 
    ---
- name: Managing time synchronization
  hosts: managed-node-01.example.com
  tasks:
    - name: Configuring NTP with NTS-enabled servers
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.timesync
      vars:
        timesync_ntp_servers:
        - hostname: ptbtime1.ptb.de
          nts: yes
          iburst: yes

    The settings specified in the example playbook include the following:

    iburst: yes
    Enables fast initial synchronization.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.timesync/README.md file on the control node.

  2. Validate the playbook syntax:

    Copy to Clipboard Toggle word wrap 
    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    Copy to Clipboard Toggle word wrap 
    $ ansible-playbook ~/playbook.yml

Verification

  • If the managed node runs the chronyd service:

    1. Display the details about the time sources:

      Copy to Clipboard Toggle word wrap 
      # ansible managed-node-01.example.com -m command -a 'chronyc sources'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ptbtime1.ptb.de               1   6    17    55    -13us[  -54us] +/-   12ms
^- ptbtime2.ptb.de               1   6    17    56   -257us[ -297us] +/-   12ms

    2. For sources with NTS enabled, display information that is specific to authentication of NTP sources:

      Copy to Clipboard Toggle word wrap 
      # ansible managed-node-01.example.com -m command -a 'chronyc -N authdata'
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ptbtime1.ptb.de              NTS     1   15  256  229    0    0    8  100
ptbtime2.ptb.de              NTS     1   15  256  230    0    0    8  100

      Verify that the reported cookies in the Cook column is larger than 0.

  • If the managed node runs the ntpd service, enter:

    Copy to Clipboard Toggle word wrap 
    # ansible managed-node-01.example.com -m command -a 'ntpq -p'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ptbtime1.ptb.de .PTB.            1 8    2   64   77   23.585  967.902   0.684
-ptbtime2.ptb.de .PTB.            1 8   30   64   78   24.653  993.937   0.765

Additional resources

Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat, Inc.