Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 28. Configuring time synchronization by using RHEL system roles

The Network Time Protocol (NTP) and Precision Time Protocol (PTP) are standards to synchronize the clock of computers over a network. By using the timesync RHEL system role, you can automate the configuration of time synchronization on RHEL.

An accurate time synchronization in networks is important because certain services rely on it. For example, Kerberos tolerates only a small time difference between the server and client to prevent replay attacks.

You can set the time service to configure in the timesync_ntp_provider variable of a playbook. If you do not set this variable, the role determines the time service based on the following factors:

  • On RHEL 8 and later: chronyd
  • On RHEL 6 and 7: chronyd (default) or, if already installed ntpd.

The Network Time Protocol (NTP) synchronizes the time of a host with an NTP server over a network. By using the timesync RHEL system role, you can automate the configuration of RHEL NTP clients in your network and keep the time synchronized.

Warning

The timesync RHEL system role replaces the configuration of the specified given or detected provider service on the managed host. Consequently, all settings are lost if they are not specified in the playbook.

Prerequisites

Procedure

  1. Create a playbook file, for example, ~/playbook.yml, with the following content: 

    ---
- name: Managing time synchronization
  hosts: managed-node-01.example.com
  tasks:
    - name: Configuring NTP with an internal server (preferred) and a public server pool as fallback
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.timesync
      vars:
        timesync_ntp_servers:
        - hostname: time.example.com
          trusted: yes
          prefer: yes
          iburst: yes
        - hostname: 0.rhel.pool.ntp.org
          pool: yes
          iburst: yes
    Copy to Clipboard Toggle word wrap

    The settings specified in the example playbook include the following:

    pool: <yes|no>
    Flags a source as an NTP pool rather than an individual host. In this case, the service expects that the name resolves to multiple IP addresses which can change over time.
    iburst: yes
    Enables fast initial synchronization.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.timesync/README.md file on the control node.

  2. Validate the playbook syntax: 

    $ ansible-playbook --syntax-check ~/playbook.yml
    Copy to Clipboard Toggle word wrap

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook: 

    $ ansible-playbook ~/playbook.yml
    Copy to Clipboard Toggle word wrap

Verification

  • Display the details about the time sources:

    • If the managed node runs the chronyd service, enter: 

      # ansible managed-node-01.example.com -m command -a 'chronyc sources'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.example.com              1  10   377   210   +159us[  +55us] +/-   12ms
^? ntp.example.org               2   9   377   409  +1120us[+1021us] +/-   42ms
^? time.us.example.net           2   9   377   992   -329us[ -386us] +/-   15ms
...
      Copy to Clipboard Toggle word wrap

    • If the managed node runs the ntpd service, enter: 

      # ansible managed-node-01.example.com -m command -a 'ntpq -p'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.example.com .PTB.           1 u    2   64   77   23.585  967.902   0.684
- ntp.example.or 192.0.2.17       2 u    -   64   77   27.090  966.755   0.468
+time.us.example 198.51.100.19    2 u   65   64   37   18.497  968.463   1.588
...
      Copy to Clipboard Toggle word wrap

By using the Network Time Security (NTS) mechanism, clients establish a TLS-encrypted connection to the server and authenticate Network Time Protocol (NTP) packets. By using the timesync RHEL system role, you can automate the configuration of RHEL NTP clients with NTS.

Note that you cannot mix NTS servers with non-NTS servers. In mixed configurations, NTS servers are trusted and clients do not fall back to unauthenticated NTP sources because they can be exploited in man-in-the-middle (MITM) attacks. For further details, see the authselectmode parameter description in the chrony.conf(5) man page on your system.

Warning

The timesync RHEL system role replaces the configuration of the specified given or detected provider service on the managed host. Consequently, all settings are lost if they are not specified in the playbook.

Prerequisites

Procedure

  1. Create a playbook file, for example, ~/playbook.yml, with the following content: 

    ---
- name: Managing time synchronization
  hosts: managed-node-01.example.com
  tasks:
    - name: Configuring NTP with NTS-enabled servers
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.timesync
      vars:
        timesync_ntp_servers:
        - hostname: ptbtime1.ptb.de
          nts: yes
          iburst: yes
    Copy to Clipboard Toggle word wrap

    The settings specified in the example playbook include the following:

    iburst: yes
    Enables fast initial synchronization.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.timesync/README.md file on the control node.

  2. Validate the playbook syntax: 

    $ ansible-playbook --syntax-check ~/playbook.yml
    Copy to Clipboard Toggle word wrap

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook: 

    $ ansible-playbook ~/playbook.yml
    Copy to Clipboard Toggle word wrap

Verification

  • If the managed node runs the chronyd service:

    1. Display the details about the time sources: 

      # ansible managed-node-01.example.com -m command -a 'chronyc sources'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ptbtime1.ptb.de               1   6    17    55    -13us[  -54us] +/-   12ms
^- ptbtime2.ptb.de               1   6    17    56   -257us[ -297us] +/-   12ms
      Copy to Clipboard Toggle word wrap

    2. For sources with NTS enabled, display information that is specific to authentication of NTP sources: 

      # ansible managed-node-01.example.com -m command -a 'chronyc -N authdata'
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ptbtime1.ptb.de              NTS     1   15  256  229    0    0    8  100
ptbtime2.ptb.de              NTS     1   15  256  230    0    0    8  100
      Copy to Clipboard Toggle word wrap

      Verify that the reported cookies in the Cook column is larger than 0.

  • If the managed node runs the ntpd service, enter: 

    # ansible managed-node-01.example.com -m command -a 'ntpq -p'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ptbtime1.ptb.de .PTB.            1 8    2   64   77   23.585  967.902   0.684
-ptbtime2.ptb.de .PTB.            1 8   30   64   78   24.653  993.937   0.765
    Copy to Clipboard Toggle word wrap
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat