Time sync has become a critical part of modern system and security behaviour: systems based on SSL certificates will not even work without correct time, and logging is not helpful if it did not record the correct time when things happened. Since every server and PC in your organization needs time sync, it is recommended to set up a local NTP server rather than having all those machines depend on the Internet. Let's set up our NTP server using the chrony package.
01. Installing chrony on server and clients:
Chrony replaces the ntp package and provides more accurate and smoother time sync.
It is installed by default on many distributions; you need to install it on both the server and the clients. It includes the chronyd daemon (service) and the chronyc command-line tool to manage it.
yum -y install chrony
02. Running the chrony daemon:
The service is called chronyd and must be enabled to run at boot on all servers and clients.
systemctl enable chronyd
systemctl start chronyd
systemctl status chronyd
03. Firewall configuration on server:
Chronyd listens on UDP port 123 (it may also listen on UDP port 323 for the chronyc command interface, but don't open that one).
firewall-cmd --permanent --add-service=ntp
firewall-cmd --reload
04. Some definitions before configuration:
NTP Server: provides time to clients; this is what is always used in client configurations.
NTP Peer: peers share time with each other and calculate the new time as the mean between both (if server A's time is 9:00 and server B's time is 10:00, the new time will be about 9:30); it is used between servers for more accurate and redundant sync.
NTP Stratum: the synchronisation distance from the primary time source: a server that gets time from a server that gets time from another server, and so on down the chain. The lower the stratum, the closer to the most accurate source, so clients use the stratum to select the best source and to prevent loops.
Iburst: an aggressive sync mechanism for faster initial sync. In iburst mode up to ten queries are sent to the NTP server within the first minute (when iburst is not enabled, only one query is sent within the first minute).
05. Configure the chrony server:
The default configuration file is /etc/chrony.conf
It has public NTP servers by default; for CentOS, these are the defaults:
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
# By default the chronyc command socket (UDP 323) listens only locally.
# bindcmdaddress affects only that command socket, not the NTP service:
# chronyd already serves NTP (UDP 123) on all interfaces once a network is allowed below.
#bindcmdaddress 127.0.0.1
#bindcmdaddress ::1
# Listen for commands on all interfaces (this exposes UDP 323, so keep it closed on the firewall)
bindcmdaddress 0.0.0.0
# Define the IP ranges that are allowed to contact our server for time sync
# (use your own network range!)
allow 192.168.1.0/24
This means our server is itself a client of the public servers and uses four of them for redundancy. Unless we need to depend on the local clock, this setting is excellent.
Since we defined the allowed network and bound to all interfaces, restart the service:
systemctl restart chronyd
Use the timedatectl command to show our time settings (look for "NTP enabled: yes" and "NTP synchronized: yes"):
[root@a ~]# timedatectl
      Local time: Sun 2017-04-23 23:54:09 EET
  Universal time: Sun 2017-04-23 21:54:09 UTC
        RTC time: Sun 2017-04-23 21:54:09
       Time zone: Africa/Cairo (EET, +0200)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
Use the chronyc sources command to list the current NTP sources:
[root@a ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp.malagasy.com              2   8   207   158    +48ms[  +48ms] +/-  384ms
^+ ns3.bancokeve.ao              2   9   337    30    +66ms[  +66ms] +/-  304ms
^+ spice88-137.spicenet.co.t     3   8   375   283   -220ms[ -220ms] +/-  486ms
^* 60-net-185-48.paradise.yo     3   8   133   410    +48ms[  +48ms] +/-  236ms
[root@a ~]#
The MS column shows the mode (M) and state (S) of each source. The mode character:
^ means a server,
= means a peer and
# indicates a locally connected reference clock.
The state character: "*" indicates the source to which chronyd is currently synchronized, "+" indicates acceptable sources which are combined with the selected source, and "?" indicates sources to which connectivity has been lost or whose packets do not pass all tests.
06. Configure chrony clients:
Comment out the default server list and add our local server, 192.168.1.13 for example:
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.1.13 iburst
Then restart chronyd to reload the configuration:
systemctl restart chronyd
Now check whether the time synced correctly using timedatectl:
[root@client ~]# timedatectl
      Local time: Mon 2017-04-24 03:03:05 EET
  Universal time: Mon 2017-04-24 01:03:05 UTC
        RTC time: Mon 2017-04-24 01:03:05
       Time zone: Africa/Cairo (EET, +0200)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
[root@client ~]#
Check that it is the selected source (indicated by the ^* mode):
[root@client ~]# chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.1.13                  3   6    77    56    -21us[ -130us] +/-   81ms
[root@client ~]#
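Reading the MS column by eye is fine once, but on a fleet you want this checked automatically. The following POSIX shell check is an added example (not part of the original post): it parses `chronyc sources` output, confirms the host is currently synchronized (^*) to the intended internal server with a sane stratum, and lists sources that have gone unreachable (^?). The sample output and the function names are constructed for this example.

```shell
# Constructed sample of `chronyc sources` output: one stale public pool entry
# that is no longer reachable, and our local server as the selected source.
SAMPLE_SOURCES='210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 0.centos.pool.ntp.org         0   6     0     -     +0ns[   +0ns] +/-    0ns
^* 192.168.1.13                  3   6    77    56    -21us[ -130us] +/-   81ms'

# check_ntp_source <expected_server> <chronyc sources output>
# Returns 0 when chronyd is currently synchronized (MS == ^*) to expected_server
# and that source reports a stratum between 1 and 15 (16 means unsynchronized).
check_ntp_source() {
  expected="$1"
  output="$2"
  # Data rows start with the two-character mode/state field; pick the selected one.
  selected=$(printf '%s\n' "$output" | awk '$1 == "^*" { print $2, $3 }')
  [ -n "$selected" ] || return 1          # nothing selected: clock is free-running
  name=${selected%% *}
  stratum=${selected##* }
  [ "$name" = "$expected" ] || return 1   # synced, but not to the server we intended
  [ "$stratum" -gt 0 ] && [ "$stratum" -lt 16 ]
}

# unreachable_sources <chronyc sources output>
# Prints the names of sources marked ^? (connectivity lost or packets failing tests),
# one per line, so a monitoring job can alert on them.
unreachable_sources() {
  printf '%s\n' "$1" | awk '$1 == "^?" { print $2 }'
}

# Stand-alone usage on the constructed sample; on a real host replace the
# sample with "$(chronyc sources)".
if check_ntp_source 192.168.1.13 "$SAMPLE_SOURCES"; then
  echo "OK: synchronized to 192.168.1.13"
else
  echo "ALERT: not synchronized to the expected local NTP server"
fi
unreachable_sources "$SAMPLE_SOURCES" | sed 's/^/WARN: unreachable source: /'
```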
Now our client is syncing time from our server; there is no need for every machine to connect to the Internet. Only the server syncs from the Internet, and all the other machines sync with it locally, which is very helpful.
That is it. Thanks for being here; I hope it was simple.