Linux Time Synchronization with chrony

Time synchronisation has become a critical part of modern system and security behaviour: systems built on SSL certificates will not even work without correct time, and logs are not much use if they did not record the correct time when things happened. Since every server and PC in your organisation needs time sync, it is recommended to set up a local NTP server rather than having that many machines depend on the Internet. Let's set up our NTP server using the chrony package.

01. Installing chrony on server and clients:

Chrony replaces the ntp package and provides more accurate and smoother time sync.
It is installed by default on many distributions; you need it on both the server and the clients. The package includes the chronyd daemon (service) and the chronyc command-line tool to manage it.

yum -y install chrony
02. Running chrony daemon :

The service is called chronyd and must be enabled to start at boot on all servers and clients.

systemctl enable chronyd
systemctl start chronyd
systemctl status chronyd
03. Firewall configuration on server:

chronyd listens on UDP port 123 (it may also listen on UDP port 323, the chronyc command port, but do not open that one):

firewall-cmd --permanent --add-service=ntp
firewall-cmd --reload

03. Some definitions before configuration:

NTP Server: provides time to clients; this is what client configurations always use.
NTP Peer: peers share time with each other and calculate the new time as the mean of both (if server A's time is 9:00 and server B's time is 10:00, the new time will be about 9:30). It is used between servers for more accurate and redundant sync.
NTP Stratum: the synchronisation distance from the primary time source: a server gets time from a server which gets time from another server, and so on down the chain. The lower the stratum, the closer to the most accurate source, so clients use the stratum to select the best source and to prevent loops.
iburst: an aggressive sync mechanism for faster initial sync. In iburst mode up to ten queries are sent to the NTP server within the first minute (without iburst, only one query is sent within the first minute).

04. Configure chrony server :

The default configuration file is /etc/chrony.conf

vim /etc/chrony.conf

It contains public NTP servers by default; on CentOS these are the defaults:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

# bindcmdaddress only controls the chronyc command port (UDP 323), which we
# are not opening to the network, so keep the defaults (localhost only).
# The NTP port (UDP 123) is served to every address matched by an "allow"
# directive; no bind directive is needed for that.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1

# define the IP ranges that are allowed to contact our server for time sync
# use your own network range!
allow 192.168.1.0/24

This means our server is a client of the public servers and uses four of them for redundancy. Unless we need to depend on the local clock, this setting is excellent.
Now that the allowed network is defined, restart the service:

systemctl restart chronyd

Use the timedatectl command to show our time settings (look for NTP enabled: yes and NTP synchronized: yes):

[root@a ~]# timedatectl 
Local time: Sun 2017-04-23 23:54:09 EET
Universal time: Sun 2017-04-23 21:54:09 UTC
RTC time: Sun 2017-04-23 21:54:09
Time zone: Africa/Cairo (EET, +0200)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a

Use the chronyc sources command to list the current NTP sources:

[root@a ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp.malagasy.com              2   8   207   158    +48ms[  +48ms] +/-  384ms
^+ ns3.bancokeve.ao              2   9   337    30    +66ms[  +66ms] +/-  304ms
^+ spice88-137.spicenet.co.t     3   8   375   283   -220ms[ -220ms] +/-  486ms
^* 60-net-185-48.paradise.yo     3   8   133   410    +48ms[  +48ms] +/-  236ms
[root@a ~]#

The MS column shows the mode and state of each source. ^ means a server, = means a peer and # indicates a locally connected reference clock. * indicates the source to which chronyd is currently synchronised, + indicates acceptable sources which are combined with the selected source, and ? indicates sources to which connectivity has been lost or whose packets do not pass all tests.

05. Configure chrony clients:
vim /etc/chrony.conf

Comment out the default server list and add our local server, at 192.168.1.13 for example:

#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.1.13 iburst

Then restart chronyd to reload the configuration:

systemctl restart chronyd

Now check that the time is synced correctly using timedatectl:

[root@client ~]# timedatectl 
Local time: Mon 2017-04-24 03:03:05 EET
Universal time: Mon 2017-04-24 01:03:05 UTC
RTC time: Mon 2017-04-24 01:03:05
Time zone: Africa/Cairo (EET, +0200)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
[root@client ~]#

Check that it is the selected source (indicated by the ^* mode):

[root@client ~]# chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.1.13                  3   6    77    56    -21us[ -130us] +/-   81ms
[root@client ~]#

Now our client syncs its time from our server: there is no need for every machine to connect to the Internet, only the server syncs from the Internet and all other machines sync with it locally, which is very helpful.
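The chronyc sources checks above, on both the server and the client, can be scripted for cron or a monitoring agent. The following is an added example, not code from the original post: it parses the text of chronyc sources using the MS column semantics explained above and checks that the host is synchronised to the source we expect (the host names in the sample are made up, and the function names are my own).

```shell
#!/bin/sh
# Added example (not from the original post): parse the text printed by
# `chronyc sources` and check that the host is synchronised to the source
# we expect, e.g. the local server 192.168.1.13 on a client.
# Column 1 is the MS field: ^* selected, ^+ combined, ^? unreachable or
# failing tests; column 3 is the stratum.

# Print the name/IP of the source chronyd is currently synchronised to (^*).
chrony_selected_source() {
    printf '%s\n' "$1" | awk '$1 == "^*" { print $2 }'
}

# Count sources chronyd cannot reach or that fail its tests (^?).
chrony_bad_sources() {
    printf '%s\n' "$1" | awk '$1 == "^?" { n++ } END { print n + 0 }'
}

# chrony_check_sync OUTPUT EXPECTED_SOURCE MAX_STRATUM
# Succeeds only if the selected source is EXPECTED_SOURCE and its stratum
# is no higher than MAX_STRATUM (a client of the local server should never
# see it far from the stratum shown in the post's output).
chrony_check_sync() {
    out=$1; want=$2; max_stratum=$3
    [ "$(chrony_selected_source "$out")" = "$want" ] || return 1
    stratum=$(printf '%s\n' "$out" | awk -v s="$want" '$1 == "^*" && $2 == s { print $3 }')
    [ -n "$stratum" ] && [ "$stratum" -le "$max_stratum" ]
}

# Constructed server sample in the same format as the post's output (host
# names are made up): one selected, one combined, one unreachable source.
SAMPLE_SERVER='210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp1.example.net              2   6   377    40    +12us[  +15us] +/-   25ms
^+ ntp2.example.net              2   6   377    38    -30us[  -28us] +/-   31ms
^? ntp3.example.net              0   6     0     -     +0ns[   +0ns] +/-    0ns'

# Constructed client sample: only the local server is configured.
SAMPLE_CLIENT='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.1.13                  3   6    77    56    -21us[ -130us] +/-   81ms'

# On a real client, run it against live output, for example:
#   chrony_check_sync "$(chronyc sources)" 192.168.1.13 4 || echo "NOT SYNCED"
```

A non-zero exit from chrony_check_sync is the condition to alert on; a selected source that is not the local server means the client is taking time from somewhere you did not intend.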

That is it, thanks for being here, I hope it was simple.
Enjoy!
