Setting up and optimizing Chrony NTP in CentOS Stream

Chrony NTP offers a robust solution for time synchronization in CentOS Stream. From setup to advanced usage, explore how to maintain accurate system time in this detailed guide.

by John Horan

Welcome to our comprehensive guide on mastering time synchronization with Chrony NTP on CentOS Stream. This guide is designed to provide in-depth information for system administrators, IT professionals, and network enthusiasts who are looking to achieve precise and accurate timekeeping across their networks.

We will cover the installation and configuration of Chrony, a modern and efficient NTP solution that offers superior accuracy and can handle network fluctuations with ease. We will also explain how Chrony differs from traditional NTP solutions and why it is a better choice for network timekeeping.

In addition to the installation and configuration process, we will explore common troubleshooting scenarios that can arise when working with Chrony and provide practical solutions to ensure that your network’s timekeeping remains accurate and reliable.

Understanding the basics of NTP

Before we start the installation process, let’s take a moment to understand what NTP is and why it’s crucial for your network. NTP is a protocol used to synchronize the clocks of computers over a network. Accurate timekeeping is essential for various network tasks, including security, log management, and scheduling.

Why choose CentOS Stream for NTP?

CentOS Stream, a rolling-release Linux distribution, provides a stable and flexible platform for setting up an NTP server. Its cutting-edge features and robust community support make it an ideal choice for network administrators.

Preparing for NTP installation on CentOS Stream

First things first, ensure your CentOS Stream system is up-to-date. You can do this by running the following commands:

sudo dnf update
sudo dnf upgrade

Installing the NTP Server

The installation process is straightforward. Run the following command to install the NTP server package:

sudo dnf install chrony

Chrony is a versatile implementation of the Network Time Protocol (NTP), designed to synchronize the system clock from different time sources, including NTP servers and GPS receivers. It’s particularly well-suited for systems with intermittent internet connections or in situations where high precision is necessary. Here’s why Chrony stands out:

Advantages of using Chrony

  • Rapid Synchronization: Chrony can synchronize the system clock faster than traditional NTP servers, making it ideal for systems that are not always running.
  • Better Timekeeping: It maintains accurate time even when the system is off or not connected to the internet, thanks to its advanced algorithms for calculating the drift and offset of the system clock.
  • Low Resource Usage: Chrony is designed to use minimal system resources, making it suitable for systems with limited processing power or memory.
  • Handling of Network Fluctuations: Chrony performs well under varying network conditions, including changes in network latency and jitter, which are common in wireless networks.

Configuring the NTP Server

Configuring the Chrony service involves editing its main configuration file, located at /etc/chrony.conf. This file dictates how Chrony behaves, including which NTP servers to synchronize with, security settings, and other operational parameters. Here’s a step-by-step guide to editing and understanding the key elements of this file:

Accessing the configuration file

  1. Open the Terminal: Start by opening your terminal on your CentOS Stream system.
  2. Edit the File: Use a text editor to open the configuration file. You can use editors like nano, vi, or vim. For beginners, nano is often more user-friendly. To open the file with nano, type:
    sudo nano /etc/chrony.conf
    

Key configuration settings

In the configuration file, you’ll see several lines of text. Here are the most important sections to understand and modify:

  1. Server Lines: These lines specify the NTP servers that Chrony will use to synchronize time. They usually start with the word server followed by a server address. You can add or change servers based on your preference or geographic location. For example:
    server 0.centos.pool.ntp.org iburst
    server 1.centos.pool.ntp.org iburst
    

    The iburst keyword speeds up the initial synchronization.

  2. Driftfile: This line specifies the location of the drift file where Chrony saves information about the clock’s rate of drift. It’s usually set by default:
    driftfile /var/lib/chrony/drift
    
  3. Allow Directive: If you want your Chrony server to provide time synchronization to other machines, you can specify which networks or hosts are allowed to access your server. For instance:
    allow 192.168.0.0/24
    

    This line allows access to any machine on the 192.168.0.x network. Be cautious with this setting to avoid unauthorized access.

  4. Local Stratum: If you want your server to act as a reliable time source even when it’s not synchronized to an external source, you can set a local stratum:
    local stratum 10
    

    This is useful in isolated networks.

  5. Logging: You can specify the logging options for Chrony. By default, it logs to /var/log/chrony.

Saving and exiting

After making your changes:

  1. Save the File: In nano, you do this by pressing Ctrl + O, then Enter.
  2. Exit the Editor: Press Ctrl + X to exit nano.

Restarting Chrony

After editing the configuration file, restart the Chrony service to apply the changes:

sudo systemctl restart chronyd

Verifying the configuration

Finally, verify that Chrony is working correctly with your new settings:

chronyc sources

This command will display the status of the NTP servers you are synchronized with.

Choosing NTP Servers

You should specify a few NTP servers in your configuration file. I personally prefer using servers from the pool.ntp.org project, as they are usually reliable and easy to use.

Adjusting other settings

In the configuration file, you can also set various parameters like the drift file, log options, and access controls, as described above. Here’s an example of a basic configuration:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

driftfile /var/lib/chrony/drift
logdir /var/log/chrony

Starting and enabling the NTP Service

Once the configuration is done, start the Chrony service and enable it to start on boot:

sudo systemctl start chronyd
sudo systemctl enable chronyd

Verifying the NTP Server

After you have configured and started your NTP server, it’s always a good practice to verify that everything is functioning correctly. Here’s how you can do it and what to expect:

How to verify

Use the chronyc sources command to check the status of the NTP servers your system is synchronized with. This command will display a list of servers along with their current status.

Understanding the Output

When you run the chronyc sources command, you’ll see an output similar to this:

MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^+ time1.example.com             2   6   377    35   -143us[ -289us] +/-   38ms
^* time2.example.com             1   7   377    73    +20us[  -24us] +/-   17ms
^- time3.example.com             3   6   377    85  +1568us[+1568us] +/-  106ms
^+ time4.example.com             2   6   377    58    -73us[  -73us] +/-   24ms

  • MS: Indicates the mode and status of the source (e.g., ^* indicates the currently selected source).
  • Name/IP address: Shows the hostname or IP address of the time source.
  • Stratum: Represents the stratum level of the server (lower is generally better).
  • Poll: Shows the polling interval, in seconds.
  • Reach: Indicates the reachability register in octal (377 means fully reachable).
  • LastRx: The time since the last received packet.
  • Last sample: The offset between the local clock and the server’s clock.

Analyzing the output

  • The ^* symbol next to time2.example.com shows that it is the current time source being used.
  • The offsets (-143us, +20us, etc.) are quite small, which means your server’s time is very close to the source’s time.
  • The Reach value of 377 for all servers suggests excellent network connectivity to these time sources.
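
The same reading of the table can be scripted for monitoring. This is an added example, not part of the original article: a POSIX shell function that reads chronyc sources output and fails when no source is selected, or when the selected source is not fully reachable or its offset exceeds a limit. The names check_sources and sample_sources and the 1000 µs limit are assumptions, and the sample table is constructed from the one above with time4 made unreachable.

```shell
#!/bin/sh
# Added example (not from the original article): health check over `chronyc sources` output.

# Constructed sample: the article's table with time4 changed to an unreachable source.
sample_sources() {
cat <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ time1.example.com             2   6   377    35   -143us[ -289us] +/-   38ms
^* time2.example.com             1   7   377    73    +20us[  -24us] +/-   17ms
^- time3.example.com             3   6   377    85  +1568us[+1568us] +/-  106ms
^? time4.example.com             0   6     0     -     +0ns[   +0ns] +/-    0ns
EOF
}

# check_sources MAX_US: reads the table on stdin, prints one line per finding, and
# returns 0 only if a source is selected (^*), has Reach 377 and is within MAX_US.
check_sources() {
    awk -v max="$1" '
        function to_us(s,   n) {          # "-143us[" -> 143 (absolute microseconds)
            sub(/\[.*/, "", s); n = s + 0; if (n < 0) n = -n
            if (s ~ /ns$/) return n / 1000
            if (s ~ /us$/) return n
            if (s ~ /ms$/) return n * 1000
            return n * 1000000            # plain seconds
        }
        $1 !~ /^[=#^][*+?x~-]$/ { next }  # skip the header and separator rows
        {
            state = substr($1, 2, 1)      # second MS character is the source state
            if (state == "*") {
                selected = $2
                if ($5 != "377")     { print "WARN selected source reach=" $5; bad = 1 }
                if (to_us($7) > max) { print "WARN selected source offset " $7; bad = 1 }
            }
            if (state == "?" || state == "x" || $5 == "0") print "WARN unusable source " $2
        }
        END {
            if (selected == "") { print "FAIL no selected source"; exit 1 }
            print (bad ? "WARN" : "OK") " selected " selected
            exit bad + 0
        }
    '
}

sample_sources | check_sources 1000 || echo "time sync needs attention"
```

On a live host the input would come from chronyc sources instead of sample_sources.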

Securing your NTP Server

Security is a significant aspect of maintaining an NTP server. Ensure that your server is not open to abuse as a public NTP server. Modify the allow directive in the chrony.conf file to restrict access.
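
One way to check the allow directive before restarting chronyd, as an added example that is not part of the original article: the function below flags allow lines that admit every client. In chrony.conf an allow line with no subnet, or with 0/0 or ::/0, covers all addresses. The names audit_allow and sample_conf are assumptions, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): find chrony.conf "allow" lines
# that open the NTP server to every address.

# Constructed sample configuration: one scoped allow line and two wide-open ones.
sample_conf() {
cat <<'EOF'
# constructed sample chrony.conf
server 0.centos.pool.ntp.org iburst
allow 192.168.0.0/24
allow
allow all 0/0
; allow ::/0
local stratum 10
EOF
}

# audit_allow: reads a chrony.conf on stdin, prints "OK" or "OPEN" with the line
# number for each allow directive, and returns 1 if any directive is open to all.
audit_allow() {
    awk '
        # chrony treats lines starting with #, ;, ! or % as comments
        /^[ \t]*([#;!%]|$)/ { next }
        $1 == "allow" {
            # the optional "all" keyword changes override behaviour, not the subnet
            subnet = ($2 == "all") ? $3 : $2
            if (subnet == "" || subnet == "0/0" || subnet == "0.0.0.0/0" || subnet == "::/0") {
                printf "OPEN %d: %s\n", NR, $0
                bad = 1
            } else {
                printf "OK %d: %s\n", NR, $0
            }
        }
        END { exit bad + 0 }
    '
}

sample_conf | audit_allow || echo "at least one allow directive admits every client"
```

Against the real file, run it as audit_allow < /etc/chrony.conf.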

Common troubleshooting for Chrony on CentOS Stream

Even with careful configuration, you might encounter some issues with your Chrony NTP server. Here are common problems and their solutions:

Chrony Service isn’t starting

  1. Check Service Status: First, check if the Chrony service is running:
    sudo systemctl status chronyd
    If the service isn’t active, try to start it manually:

    sudo systemctl start chronyd

  2. Review System Logs: System logs can provide clues. Check them using:
    journalctl -u chronyd
    Look for any error messages that might indicate what’s going wrong.

Time is not synchronizing

  1. Check NTP Sources: Ensure that the NTP servers listed in your /etc/chrony.conf are accessible and working:
    chronyc sources
    If the servers are unreachable or have a high offset or jitter, consider switching to different NTP servers.
  2. Firewall Settings: Verify that your firewall allows NTP traffic (UDP port 123). If you’re using firewalld, you can enable NTP traffic with:
    sudo firewall-cmd --add-service=ntp --permanent
    sudo firewall-cmd --reload

Drift too high

If Chrony reports that the time drift is too high:

  1. Check System Clock: Ensure your system’s hardware clock is set accurately. Significant drifts might indicate a hardware issue.
  2. Restart Chrony: Sometimes, simply restarting Chrony can resolve drift issues:
    sudo systemctl restart chronyd

Network connectivity issues

If the server has intermittent or poor network connectivity:

  1. Test Network Connection: Ensure the server has a stable connection to the internet or network. You can use tools like ping or traceroute to diagnose connectivity problems.
  2. Use Local Time Sources: If the server frequently loses internet connectivity, consider configuring local time sources or using GPS as a time source.

Permissions or Access Control Issues

  1. Check chrony.conf: Ensure that the allow directive in /etc/chrony.conf is correctly configured to permit time synchronization from your network.
  2. SELinux Policies: If you’re using SELinux, ensure it’s not blocking Chrony. Check for SELinux denials related to Chrony in the logs.

Conclusion

Setting up and maintaining a Chrony NTP server on CentOS Stream might seem daunting at first, but with the right steps, it’s a task well within the reach of network administrators and enthusiasts alike. Throughout this guide, we’ve delved into the installation, configuration, and optimization of Chrony, showcasing its advantages over traditional NTP solutions, especially in terms of synchronization speed, accuracy, and handling network variability.

Key takeaways

  • Installation and Configuration: We learned that installing Chrony is straightforward, and configuring it mainly involves editing the /etc/chrony.conf file to set NTP servers, drift files, and access controls.
  • Advantages of Chrony: Its ability to quickly synchronize time, even in challenging network environments, and its low resource footprint make Chrony an ideal choice for modern CentOS Stream systems.
  • Troubleshooting Tips: We covered common issues like service start-up problems, synchronization errors, high time drift, network connectivity, and access control, offering practical solutions for each.


©2016-2023 FOSS LINUX
