Chapter 2. Using chrony
Learn how to start and stop chronyd, check it is synchronized, and manually adjust the system clock.
2.1. Managing chrony
You can start, stop, and check the status of chronyd.
The chrony suite is installed by default on Red Hat Enterprise Linux. To ensure that it is, run the following command as root:
# dnf install chrony
The default location for the chrony daemon is /usr/sbin/chronyd. The command line utility will be installed to /usr/bin/chronyc.
To check the status of chronyd, issue the following command:
$ systemctl status chronyd
chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
   Active: active (running) since Wed 2013-06-12 22:23:16 CEST; 11h ago
To start chronyd, issue the following command as root:
# systemctl start chronyd
To ensure chronyd starts automatically at system start, issue the following command as root:
# systemctl enable chronyd
To stop chronyd, issue the following command as root:
# systemctl stop chronyd
To prevent chronyd from starting automatically at system start, issue the following command as root:
# systemctl disable chronyd
2.2. Manually adjusting the system clock
You can manually adjust the system clock.
Procedure
To step the system clock immediately, bypassing any adjustments in progress by slewing, enter:
# chronyc makestep
If the rtcfile directive is used, the real-time clock should not be manually adjusted. Random adjustments would interfere with chrony's need to measure the rate at which the real-time clock drifts.
2.3. Disabling a NetworkManager dispatcher script
The chrony dispatcher script manages the online and offline state of the NTP servers. As a system administrator, you can disable the dispatcher script to keep chronyd polling the servers constantly.
The NetworkManager executes the chrony dispatcher script during interface reconfiguration, stop or start operations. However, if you configure certain interfaces or routes outside of NetworkManager, you can encounter the following situation:
- The dispatcher script might run when no route to the NTP servers exists, causing the NTP servers to switch to the offline state.
- If you establish the route later, the script does not run again by default, and the NTP servers remain in the offline state.
To ensure that chronyd can synchronize with your NTP servers, which have separately managed interfaces, disable the dispatcher script.
Procedure
To disable the chrony dispatcher script, create a symlink to /dev/null:
# ln -f -s /dev/null /etc/NetworkManager/dispatcher.d/20-chrony-onoffline
Note: After this change, the NTP servers remain in the online state at all times.
2.4. Setting up chrony in an isolated network
For a network that is never connected to the internet, one computer is selected to be the primary timeserver. The other computers are either direct clients of the server, or clients of clients. On the server, the drift file must be manually set with the average rate of drift of the system clock. If the server is rebooted, it will obtain the time from surrounding systems and calculate an average to set its system clock. Thereafter it resumes applying adjustments based on the drift file. The drift file will be updated automatically when the settime command is used.
To set up chrony for a system in an isolated network, follow the steps mentioned below:
Procedure
On the system selected to be the server, edit /etc/chrony.conf as follows:
Where <subnet> is the network from which the clients are allowed to connect. Use Classless Inter-Domain Routing (CIDR) notation to specify the subnet.
On the systems selected to be direct clients of the server, edit the /etc/chrony.conf as follows:
Where <server_fqdn> is the host name of the server, and <server_ip_address> is the address of the server. Clients with this configuration will resynchronize with the server if it restarts.
On the client systems which are not to be direct clients of the server, the /etc/chrony.conf file should be the same except that the local and allow directives should be omitted.
In an isolated network, you can also use the local directive that enables a local reference mode, which allows chronyd operating as an NTP server to appear synchronized to real time, even when it was never synchronized or the last update of the clock happened a long time ago.
To allow multiple servers in the network to use the same local configuration and to be synchronized to one another without confusing clients that poll more than one server, use the orphan option of the local directive which enables the orphan mode. Each server needs to be configured to poll all other servers with local. This ensures that only the server with the smallest reference ID has the local reference active and other servers are synchronized to it. When the server fails, another one takes over.
2.5. Configuring remote monitoring access
The chronyc utility can access chronyd by using the following methods:
- IPv4 or IPv6.
- A domain socket, which is accessible locally by the root and chrony user.
By default, chronyc connects to the Unix domain socket. The default path is /var/run/chrony/chronyd.sock. If this connection fails, chronyc tries to connect to 127.0.0.1 and then ::1.
Only the following monitoring commands, which do not affect the behavior of chronyd, are allowed from the network:
- activity
- manual list
- rtcdata
- smoothing
- sources
- sourcestats
- tracking
- waitsync
By default, the commands are accepted only from localhost (127.0.0.1 or ::1).
All other commands are allowed only through the Unix domain socket. When sent over the network, chronyd responds with a Not authorised error, even if it is from localhost.
The following procedure describes how to access chronyd remotely with chronyc.
Procedure
Configure chrony to listen on local interface by adding the following to the /etc/chrony.conf file:
bindcmdaddress 0.0.0.0
and
bindcmdaddress ::
Allow commands from remote IP addresses, networks, and subnet. Add the following content to the /etc/chrony.conf file:
cmdallow 192.168.1.0/24
cmdallow 2001:db8::/64
Open port 323 in the firewall to allow connections from remote systems:
# firewall-cmd --permanent --add-port=323/udp
Reload the firewall configuration:
# firewall-cmd --reload
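A check for the configuration in this procedure, added here as an example and not part of the original documentation: with bindcmdaddress set to 0.0.0.0 or :: the command port listens on every address of the host, so once 323/udp is open the cmdallow lines are what limit who can query chronyd. The function name and the verdict strings are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: classify how a chrony.conf exposes the chronyc command port.
# Verdict names are this example's own, not chrony terminology.

audit_cmd_access() {
    # Reads chrony.conf text from the files given as arguments, or from stdin.
    awk '
        { d = tolower($1) }
        # cmdport 0 tells chronyd not to open the network command port at all.
        d == "cmdport" && $2 == "0" { closed = 1 }
        # Any bind address other than loopback or a Unix socket path is reachable
        # from the network; 0.0.0.0 and :: mean every address on the host.
        d == "bindcmdaddress" && $2 !~ /^(127\.|::1$|\/)/ { bound = 1 }
        d == "cmdallow" {
            net = ($2 == "all") ? $3 : $2
            if (net == "" || net ~ /^(0\.0\.0\.0|::)\/0$/) any = 1   # no subnet = everyone
            else nets = nets " " net
        }
        END {
            if (closed)          print "closed"
            else if (!bound)     print "local-only"
            else if (any)        print "exposed-unrestricted"
            else if (nets != "") print "exposed-restricted:" nets
            else                 print "bound-no-cmdallow"
        }' "$@"
}

# Constructed input: the directives from the procedure above.
printf '%s\n' 'bindcmdaddress 0.0.0.0' 'bindcmdaddress ::' \
    'cmdallow 192.168.1.0/24' 'cmdallow 2001:db8::/64' | audit_cmd_access
```

On a host, run it as `audit_cmd_access /etc/chrony.conf`; a verdict of exposed-unrestricted means every system that can reach 323/udp can run the monitoring commands listed above.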
2.6. Checking if chrony is synchronized
You can check if chrony is synchronized with the use of the tracking, sources, and sourcestats commands.
Procedure
To check chrony tracking, enter:
The chronyc sources command displays information about the current time sources that chronyd is accessing.
You can specify the optional -v argument to print more verbose information. In this case, extra caption lines are shown as a reminder of the meanings of the columns.
The sourcestats command displays information about the drift rate and offset estimation process for each of the sources currently being examined by chronyd. To check chrony source statistics, issue the following command:
$ chronyc sourcestats
210 Number of sources = 1
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
===============================================================================
abc.def.ghi                11   5   46m     -0.001      0.045     1us     25us
The optional argument -v can be specified, meaning verbose. In this case, extra caption lines are shown as a reminder of the meanings of the columns.
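The tracking check from this procedure as a scripted health check, added here as an example and not part of the original documentation: it reads chronyc tracking output and fails when the daemon reports it is not synchronised or the clock offset exceeds a threshold. The function names, the 0.1 s default threshold and the sample output (constructed in the layout chronyc prints) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: turn `chronyc tracking` output into a pass/fail health check.

sample_tracking() {   # constructed sample in the layout chronyc tracking prints
    cat <<'EOF'
Reference ID    : C0000201 (ntp.example.net)
Stratum         : 3
Ref time (UTC)  : Fri Jan 27 09:49:17 2017
System time     : 0.000006523 seconds slow of NTP time
Last offset     : -0.000006747 seconds
RMS offset      : 0.000035822 seconds
Frequency       : 3.225 ppm slow
Residual freq   : -0.000 ppm
Skew            : 0.129 ppm
Root delay      : 0.013639022 seconds
Root dispersion : 0.001100737 seconds
Update interval : 64.2 seconds
Leap status     : Normal
EOF
}

check_tracking() {
    # stdin: chronyc tracking output; $1: largest tolerated clock offset in seconds.
    awk -v max="${1:-0.1}" '
        {
            i = index($0, ":"); if (!i) next           # split on the first colon only
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            f[key] = val
        }
        END {
            split(f["System time"], st, " ")           # "<secs> seconds slow|fast of NTP time"
            if (f["Leap status"] == "")                      r = "UNKNOWN no leap status in input"
            else if (f["Leap status"] == "Not synchronised") r = "FAIL not synchronised"
            else if (st[1] + 0 > max + 0) r = "FAIL offset " st[1] "s exceeds " max "s"
            else r = "OK stratum " f["Stratum"] " offset " st[1] "s"
            print r
            exit (r ~ /^OK/ ? 0 : 1)
        }'
}

sample_tracking | check_tracking 0.1    # on a live host: chronyc tracking | check_tracking 0.1
```

The non-zero exit status on failure lets the function gate a monitoring probe or a job that depends on accurate timestamps.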