13.1.1 Configuring the chronyd Service

To configure the chronyd service on a system:

  1. Install the chrony package.

    # yum install chrony

  2. Edit /etc/chrony.conf to set up the configuration for chronyd.

    Note

    The default configuration assumes that the system has network access to public NTP servers with which it can synchronise. The firewall rules for your internal networks might well prevent access to these servers but instead allow access to local NTP servers.

    The following example shows a sample configuration for a system that can access three NTP servers:

    server NTP_server_1
    server NTP_server_2
    server NTP_server_3
    driftfile /var/lib/chrony/drift
    keyfile /etc/chrony.keys
    commandkey 1
    generatecommandkey

    The commandkey directive specifies the keyfile entry that chronyd uses to authenticate both chronyc commands and NTP packets. The generatecommandkey directive causes chronyd to generate an SHA1-based password automatically when the service starts.

    To configure chronyd to act as an NTP server for a specified client or subnet, use the allow directive, for example:

    server NTP_server_1
    server NTP_server_2
    server NTP_server_3
    allow 192.168.2/24
    driftfile /var/lib/chrony/drift
    keyfile /etc/chrony.keys
    commandkey 1
    generatecommandkey

    If a system has only intermittent access to NTP servers, the following configuration might be appropriate:

    server NTP_server_1 offline
    server NTP_server_2 offline
    server NTP_server_3 offline
    driftfile /var/lib/chrony/drift
    keyfile /etc/chrony.keys
    commandkey 1
    generatecommandkey

    If you specify the offline keyword, chronyd does not poll the NTP servers until it is told that network access is available. You can use the chronyc -a online and chronyc -a offline commands to inform chronyd of the state of network access.

  3. If remote access to the local NTP service is required, configure the system firewall to allow access to the NTP service in the appropriate zones, for example:

    # firewall-cmd --zone=zone --add-service=ntp
    success
    # firewall-cmd --zone=zone --permanent --add-service=ntp
    success

  4. Start the chronyd service and configure it to start following a system reboot.

    # systemctl start chronyd
    # systemctl enable chronyd
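
One way to review the settings from step 2 before exposing the service as in step 3, as an added example that is not part of the original guide. The function name audit_chrony is hypothetical, and the sample files are constructed in a temporary directory rather than read from /etc:

```sh
#!/bin/sh
# Added example: review a chrony.conf / chrony.keys pair of the kind shown above.
# audit_chrony CONF KEYFILE prints one finding per line (WARN or INFO).
audit_chrony() {
    conf=$1 keys=$2

    # The key file holds the command password; users outside owner and group
    # should have no access. Characters 8-10 of ls -l are the "other" bits.
    other=$(ls -ld "$keys" | cut -c8-10)
    [ "$other" = "---" ] || echo "WARN keyfile $keys is accessible to others ($other)"

    # commandkey must name an ID present in the key file, unless
    # generatecommandkey lets chronyd create the password at start-up.
    id=$(awk '$1 == "commandkey" { print $2 }' "$conf")
    if [ -z "$id" ]; then
        echo "WARN no commandkey directive in $conf"
    elif ! awk -v id="$id" '$1 == id { found = 1 } END { exit !found }' "$keys" &&
         ! grep -q '^[[:space:]]*generatecommandkey' "$conf"; then
        echo "WARN commandkey $id has no entry in $keys"
    fi

    # Each allow line makes this host an NTP server for that subnet. A bare
    # "allow" or a zero-length prefix serves every client that can reach it.
    awk '$1 == "allow" {
            net = ($2 == "all") ? $3 : $2
            if (net == "" || net ~ /^(0|0\.0\.0\.0|::)\/0$/)
                print "WARN allow is not restricted to a subnet"
            else
                print "INFO serves NTP to " net
         }' "$conf"
}

# Constructed sample input (not from a real host): the server example above
# with a world-readable key file, a missing key ID and an unrestricted allow.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'server NTP_server_1' 'allow 192.168.2/24' 'allow' \
        'keyfile /etc/chrony.keys' 'commandkey 1' > "$d/chrony.conf"
    printf '%s\n' '2 SHA1 HEX:00' > "$d/chrony.keys"
    chmod 644 "$d/chrony.keys"
    audit_chrony "$d/chrony.conf" "$d/chrony.keys"
    rm -rf "$d"
}
demo
```

Compare each INFO line with the zones opened by firewall-cmd in step 3, so that the subnets chronyd serves and the subnets the firewall admits agree.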

You can use the chronyc command to display information about the operation of chronyd or to change its configuration, for example:

# chronyc -a
chrony version version
...
200 OK
chronyc> sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ service1-eth3.debrecen.hp     2   6    37    21  -2117us[-2302us] +/-   50ms
^* ns2.telecom.lt                2   6    37    21   -811us[ -997us] +/-   40ms
^+ strato-ssd.vpn0.de            2   6    37    21   +408us[ +223us] +/-   78ms
^+ kvm1.websters-computers.c     2   6    37    22  +2139us[+1956us] +/-   54ms
chronyc> sourcestats
210 Number of sources = 4
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
service1-eth3.debrecen.hp   5   4   259     -0.394     41.803  -2706us   502us
ns2.telecom.lt              5   4   260     -3.948     61.422   +822us   813us
strato-ssd.vpn0.de          5   3   259      1.609     68.932   -581us   801us
kvm1.websters-computers.c   5   5   258     -0.263      9.586  +2008us   118us
chronyc> tracking
Reference ID    : 212.59.0.2 (ns2.telecom.lt)
Stratum         : 3
Ref time (UTC)  : Tue Sep 30 12:33:16 2014
System time     : 0.000354079 seconds slow of NTP time
Last offset     : -0.000186183 seconds
RMS offset      : 0.000186183 seconds
Frequency       : 28.734 ppm slow
Residual freq   : -0.489 ppm
Skew            : 11.013 ppm
Root delay      : 0.065965 seconds
Root dispersion : 0.007010 seconds
Update interval : 64.4 seconds
Leap status     : Normal
chronyc> exit

Using the -a option to chronyc is equivalent to entering the authhash and password subcommands, and saves you from having to specify the hash type and password every time that you use chronyc:

# cat /etc/chrony.keys
1 SHA1 HEX:4701E4D70E44B8D0736C8A862CFB6B8919FE340E
# chronyc
...
chronyc> authhash SHA1
chronyc> password HEX:4701E4D70E44B8D0736C8A862CFB6B8919FE340E
200 OK

For more information, see the chrony(1) and chronyc(1) manual pages, /usr/share/doc/chrony-version/chrony.txt, or use the info chrony command.