RHEL 8 and Chrony – Part 2

In Part 1, we discussed setting up Chrony from a client perspective. This post will show how to configure the server side and investigate some of the options available within the /etc/chrony.conf configuration file.

Server Setup

Install the Chrony package

# dnf install chrony

Enable and start the chrony daemon

# systemctl enable chronyd
# systemctl start chronyd

Verify that NTP is working correctly as a client

# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^+ voipmonitor.wci.com           2   6    17     1  -2428us[-3365us] +/-   85ms
^* clock.trit.net                2   6    17     1   -362us[-1299us] +/-   94ms
^- radio-sunshine.org            2   6    17     1  -5644us[-5644us] +/-  177ms
^* time.cloudflare.com           2   6    17     0    +12ms[  +12ms] +/-  205ms

Allow client connections

By default, chronyd acts only as a client and does not answer NTP requests from other hosts. To make it serve time, add one or more allow directives to /etc/chrony.conf. Each directive takes a single IP address or a subnet in CIDR notation, one per line. In my case, I have three subnets and one individual host. There is also a deny directive, which I will use to block a separate range. Keep in mind that anything not covered by an allow is already refused, so a deny line only changes the outcome when the range is also covered by a broader allow (chrony applies the most specific matching rule). You can confirm what a given address will get with chronyc accheck <address>.

# vi /etc/chrony.conf

allow 10.10.10.5
allow 10.10.30.0/24
allow 10.10.40.0/24
allow 10.10.75.0/24
deny 192.168.150.0/24
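To see what those five lines admit before restarting anything, the following added example (not from the original post and not chrony's own code) evaluates an address against allow/deny rules the way the chrony documentation describes the access table: deny by default, the most specific matching subnet wins regardless of directive order, and allow all / deny all remove any more specific rule inside the subnet they name. It accepts plain addresses and CIDR subnets only (hostnames and chrony's `1.2.3` shorthand are not modelled), and the sample configuration, including the extra single-host deny, is constructed for the example. On the real server the authoritative check remains chronyc accheck <address>.

```python
"""Evaluate chrony allow/deny directives for a set of client addresses.

Added example, not chrony's own code. It models the documented access table:
default deny, the longest matching prefix wins regardless of directive order,
and the `all` keyword drops any more specific rule inside the named subnet.
Confirm on a live server with `chronyc accheck <address>`.
"""
import ipaddress

# Constructed sample /etc/chrony.conf fragment: the post's rules plus one
# host-level exception inside an allowed /24.
SAMPLE_CONF = """
server time.cloudflare.com iburst
allow 10.10.10.5
allow 10.10.30.0/24
allow 10.10.40.0/24
allow 10.10.75.0/24
deny 192.168.150.0/24
deny 10.10.40.200          # a single host carved out of an allowed subnet
"""


def _networks(arg):
    """Map an allow/deny argument to ip_network objects.

    A bare `allow`/`deny` (no argument) means every IPv4 and IPv6 address.
    Hostnames and chrony's `1.2.3` shorthand are not modelled and raise.
    """
    if arg is None:
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(arg, strict=False)]


def parse_access_rules(conf_text):
    """Build {ip_network: "allow" | "deny"} from the allow/deny lines."""
    table = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        words = line.split()
        verb = words[0].lower()
        if verb not in ("allow", "deny"):
            continue                          # any other directive
        args = words[1:]
        is_all = bool(args) and args[0].lower() == "all"
        if is_all:
            args = args[1:]
        for net in _networks(args[0] if args else None):
            if is_all:
                # allow all / deny all: remove more specific entries it covers
                for existing in list(table):
                    if (existing.version == net.version and existing != net
                            and existing.subnet_of(net)):
                        del table[existing]
            table[net] = verb
    return table


def is_allowed(table, address):
    """True if the longest matching prefix is an allow; False if none matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, state in table.items():
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, state)
    return best is not None and best[1] == "allow"


def access_report(conf_text, addresses):
    """Evaluate every address and return {address: True/False}."""
    table = parse_access_rules(conf_text)
    return {a: is_allowed(table, a) for a in addresses}


if __name__ == "__main__":
    probes = ["10.10.10.5", "10.10.10.6", "10.10.40.7", "10.10.40.200",
              "192.168.150.9", "172.16.0.1"]
    for addr, ok in access_report(SAMPLE_CONF, probes).items():
        print(f"{addr:16} {'allowed' if ok else 'denied'}")
```

Run it as a script to print a verdict per probe address, or feed the real /etc/chrony.conf text into access_report to review a change before restarting chronyd.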

Restart chronyd and verify that it is still synchronising with its upstream sources (allow only changes whom chronyd answers, not which servers it follows)

# systemctl restart chronyd

# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^+ voipmonitor.wci.com           2   6    17     1  -2428us[-3365us] +/-   85ms
^* clock.trit.net                2   6    17     1   -362us[-1299us] +/-   94ms
^- radio-sunshine.org            2   6    17     1  -5644us[-5644us] +/-  177ms
^* time.cloudflare.com           2   6    17     0    +12ms[  +12ms] +/-  205ms

Open the default NTP port, 123/UDP, in the firewall and reload. firewalld also ships an ntp service definition, so --add-service=ntp is equivalent and easier to audit. Use the zone that your clients' interfaces belong to; public is only correct if that is where the allowed ranges arrive.

# firewall-cmd --permanent --zone=public --add-port=123/udp
# firewall-cmd --reload

Once your clients are configured to point at the new NTP server, you can see them with the clients command of chronyc. The list comes from chronyd's in-memory client log, so it stays empty if noclientlog is set (see the options below).

# chronyc clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
localhost                       4      0   2   -   119      14      0  -1     6    
client.networklogician.com     17      0   5   -    18       0      0   -     -

Finally, let's review a few of the options available in the /etc/chrony.conf configuration file. The values shown are examples, not defaults.

# Run the server on a different port than the default 123, for example port 11223. Standard NTP clients
# expect UDP 123, so this only helps where you control both sides, and the firewall rule above must match.

port 11223

(from the client /etc/chrony.conf, you would need to specify this new port when pointing to the NTP server)

server t1.networklogician.com port 11223

# Record the measured drift rate of the system clock (in ppm) so chronyd can apply it again right after a restart.

driftfile /var/lib/chrony/drift

# Directory in which chronyd saves its measurement history (used by dumponexit and chronyc dump).

dumpdir /var/lib/chrony

# Save the measurements for each source when chronyd exits, so they can be restored at the next start.

dumponexit

# Enable hardware timestamping on interfaces that support it. The directive takes an interface name,
# or * for every capable interface; a bare hwtimestamp line is not valid.

hwtimestamp *

# File holding the keys used for NTP symmetric authentication (covered in Part 3). Keep it owned by root
# with the chrony group and mode 0640, which is the RHEL default, so clients cannot read it.

keyfile /etc/chrony.keys

# Let chronyd serve time even when it has no synchronised source, presenting itself at stratum 10.
# Only for an isolated network with no upstream servers: clients will treat this as real time.

local stratum 10

# Select what to log: measurements, statistics and tracking.

log measurements statistics tracking

# Set the directory for log files.

logdir /var/log/chrony

# makestep takes a threshold in seconds and an update count: step the clock instead of slewing when the
# offset exceeds the threshold during the first N updates. Below, offsets over 1 second are stepped in
# the first 3 updates (the RHEL default).

makestep 1.0 3

# maxchange takes a threshold in seconds, a number of initial updates to skip, and a limit. In this
# example, chronyd checks the offset on every update, ignores two adjustments larger than 300 seconds
# and exits on the next one.

maxchange 300 1 2

# Reject a clock update as unreliable if its estimated skew exceeds this many ppm.

maxupdateskew 100

# Smallest number of selectable sources that must agree before chronyd updates the local clock.
# The example below requires 2 sources.

minsources 2

# Do not keep the in-memory client access log. This empties chronyc clients and disables features that
# depend on the log, such as rate limiting; the default is to keep it.

noclientlog

# Distance, in seconds, added to sources that are not currently selected, so chronyd does not flap
# between sources of similar quality. The directive needs a value; the default is 100 microseconds.

reselectdist 0.0001

# stratumweight – distance added per stratum when chronyd compares candidate sources. The value is in
# seconds, so 2 milliseconds is 0.002 (a bare 2 would mean 2 seconds).

stratumweight 0.002

# rtcfile – file in which chronyd saves what it has measured about the real-time clock (RTC) error and drift.
# In the example below, the rtcfile is /var/lib/chrony/rtc

rtcfile /var/lib/chrony/rtc

# Let the kernel copy the system time to the real-time clock (RTC) every 11 minutes. This is incompatible
# with the rtcfile option above; use one or the other.

rtcsync
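Pulling the server-side directives together, here is an added example of a complete /etc/chrony.conf for the server in this post. It is not the configuration from the original post: the pool name is the RHEL 8 default, the addresses are the ones used above, and the directives that only make sense in special cases (local, port) are left commented out with the condition under which to enable them.

```conf
# /etc/chrony.conf - server side (added example, not the original post's file)
pool 2.rhel.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
# step the clock only for large offsets during the first three updates
makestep 1.0 3
# after ignoring two jumps larger than 300 s, exit rather than follow the next one
maxchange 300 1 2
# reject updates with an estimated skew over 100 ppm, and require two agreeing sources
maxupdateskew 100
minsources 2
# keep the RTC in sync via the kernel (do not combine with rtcfile)
rtcsync
# symmetric keys for Part 3; keep the file root:chrony, mode 0640
keyfile /etc/chrony.keys
# hardware timestamping where the NIC supports it
hwtimestamp *
# logging
logdir /var/log/chrony
log measurements statistics tracking
# serve time to these ranges only; everything else is refused by default
allow 10.10.10.5
allow 10.10.30.0/24
allow 10.10.40.0/24
allow 10.10.75.0/24
deny 192.168.150.0/24
# leave the client log enabled (do not set noclientlog) so chronyc clients works
# only on an isolated network with no upstream servers:
#local stratum 10
# only if every client is also configured with "port 11223":
#port 11223
```

After writing the file, restart chronyd, confirm the upstream sources with chronyc sources, and spot-check the access policy with chronyc accheck for one address inside and one outside the allowed ranges.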

In Part 3, we will discuss the steps to setup ID-key pairs for symmetric authentication between the clients and server.
