In Part 1, we discussed setting up Chrony from a client perspective. This post will show how to configure the server side and investigate some of the options available within the /etc/chrony.conf configuration file.
Server Setup
Install the Chrony package
# dnf install chrony
Enable and start the chrony daemon
# systemctl enable chronyd
# systemctl start chronyd
Verify that chronyd is synchronising correctly as a client before exposing it as a server
# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ voipmonitor.wci.com           2   6    17     1  -2428us[-3365us] +/-   85ms
^* clock.trit.net                2   6    17     1   -362us[-1299us] +/-   94ms
^- radio-sunshine.org            2   6    17     1  -5644us[-5644us] +/-  177ms
^* time.cloudflare.com           2   6    17     0    +12ms[  +12ms] +/-  205ms
Allow for Client connections
By default, chronyd acts only as an NTP client: it will not answer NTP requests from other hosts. To make it act as a server, add one or more allow directives to /etc/chrony.conf. Each directive takes a single IP address or a subnet in CIDR notation, one directive per line; any address not matched by an allow is refused. In my case, I have 3 subnets and a single host. There is also a deny directive, which I will use to block access from a separate range. Because the default is already deny, an explicit deny only changes behaviour when it carves a hole out of a broader allow; here it is a belt-and-braces rule. Two things worth keeping in mind: a bare allow (or allow all) opens the server to every address, so be deliberate if the host has an interface facing the Internet, and allow only governs NTP client access on port 123. Access to chronyd's command port (323/udp, used by chronyc) is controlled separately by cmdallow and is limited to localhost by default. You can check what decision chronyd would make for a given client address with chronyc accheck <address>.
# vi /etc/chrony.conf
allow 10.10.10.5
allow 10.10.30.0/24
allow 10.10.40.0/24
allow 10.10.75.0/24
deny 192.168.150.0/24
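To reason about which clients the rules above admit without touching the server, the following added example (not code from the original post or from chrony) models chrony's documented access decision: the default is deny, each allow/deny names a host or CIDR subnet, and when rules overlap the most specific subnet wins, with a later directive overriding an earlier one for the same subnet. The sample configuration is constructed from the post's rules plus an assumed 172.16.0.0/12 allow with a /24 denied inside it to show the overlap case. It does not model chrony's truncated dotted shorthand (such as allow 10.10) or the override semantics of the all keyword; on a real host, confirm the result with chronyc accheck.

```python
"""Evaluate chrony allow/deny rules for a client address (added example)."""
import ipaddress

# Constructed sample: the server rules from the post plus an assumed broader
# allow with a more specific deny carved out of it.
SAMPLE_CONF = """
# server side of /etc/chrony.conf (constructed sample)
allow 10.10.10.5
allow 10.10.30.0/24
allow 10.10.40.0/24
allow 10.10.75.0/24
deny 192.168.150.0/24
# assumed extra rules to show an overlap: a /12 allow with a /24 hole
allow 172.16.0.0/12
deny 172.16.5.0/24
"""

COMMENT_CHARS = ("#", "%", ";", "!")   # line starters chrony.conf ignores


def parse_rules(conf_text):
    """Return [(action, network)] for every allow/deny directive, in file order."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_CHARS):
            continue
        words = line.split()
        if words[0] not in ("allow", "deny"):
            continue
        action, args = words[0], words[1:]
        if args and args[0] == "all":     # "allow all" / "deny all"
            args = args[1:]
        if not args:
            # a bare allow/deny applies to every IPv4 and IPv6 address
            rules.append((action, ipaddress.ip_network("0.0.0.0/0")))
            rules.append((action, ipaddress.ip_network("::/0")))
            continue
        # a plain address becomes a /32 or /128; strict=False tolerates host bits
        rules.append((action, ipaddress.ip_network(args[0], strict=False)))
    return rules


def access_check(rules, address):
    """Return 'allow' or 'deny' for one client address."""
    addr = ipaddress.ip_address(address)
    decision = "deny"        # chronyd's default: answer nobody, act as a client only
    best_prefix = -1
    for action, net in rules:
        if addr.version != net.version or addr not in net:
            continue
        # most specific subnet wins; an equally specific later rule overrides
        if net.prefixlen >= best_prefix:
            best_prefix = net.prefixlen
            decision = action
    return decision


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for client in ("10.10.10.5", "10.10.10.6", "192.168.150.9", "172.16.5.10", "172.16.9.1"):
        print("%-16s %s" % (client, access_check(rules, client)))
```

Note that 10.10.10.6 is refused even though it sits next to the allowed host: a single address allow is a /32, not a subnet.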
Restart chronyd and verify the NTP sources are available
# systemctl restart chronyd
# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ voipmonitor.wci.com           2   6    17     1  -2428us[-3365us] +/-   85ms
^* clock.trit.net                2   6    17     1   -362us[-1299us] +/-   94ms
^- radio-sunshine.org            2   6    17     1  -5644us[-5644us] +/-  177ms
^* time.cloudflare.com           2   6    17     0    +12ms[  +12ms] +/-  205ms
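A server that has lost its own sources will happily keep serving stale time, so the "verify the sources" step is worth automating. The following added example (not code from the original post or from chrony) parses the table that chronyc sources prints and reports whether the host is synchronised, which source is selected, and which sources need attention; the input is a constructed sample in the same column layout as the output above.

```python
"""Health-check the output of `chronyc sources` (added example)."""
import re
import sys

# Constructed sample output in the same layout chronyc prints. Reach is an
# octal shift register of the last eight polls (377 = all eight answered).
SAMPLE_SOURCES = """\
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ voipmonitor.wci.com           2   6   377    18  -2428us[-3365us] +/-   85ms
^* clock.trit.net                2   6   377    17   -362us[-1299us] +/-   94ms
^x radio-sunshine.org            2   6   377    20  -5644us[-5644us] +/-  177ms
^? time.cloudflare.com           2   6     0     -     +0ns[   +0ns] +/-    0ns
"""

# Meaning of the S column of "MS", as chronyc documents it.
STATE = {
    "*": "selected",
    "+": "combined",
    "-": "excluded by selection",
    "?": "unreachable or not yet usable",
    "x": "falseticker",
    "~": "too variable",
}

ROW_RE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+"
    r"(?P<stratum>\d+)\s+(?P<poll>-?\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<lastrx>\S+)\s+(?P<sample>.+)$"
)


def parse_sources(text):
    """Return one dict per source row; the banner, header and ruler are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["stratum"] = int(row["stratum"])
        row["poll"] = int(row["poll"])
        row["reach"] = int(row["reach"], 8)          # printed in octal
        row["lost_polls"] = 8 - bin(row["reach"]).count("1")
        rows.append(row)
    return rows


def assess(rows):
    """Summarise: synced?, selected source, usable count, and problem sources."""
    selected = [r["name"] for r in rows if r["state"] == "*"]
    problems = []
    for r in rows:
        if r["state"] in ("?", "x"):
            problems.append("%s: %s" % (r["name"], STATE[r["state"]]))
        elif r["lost_polls"] >= 4:
            problems.append("%s: lost %d of the last 8 polls" % (r["name"], r["lost_polls"]))
    return {
        "synced": len(selected) == 1,     # exactly one source is ever marked '*'
        "selected": selected[0] if selected else None,
        "usable": sum(1 for r in rows if r["state"] in ("*", "+")),
        "problems": problems,
    }


if __name__ == "__main__":
    # pipe real output in with: chronyc sources | python3 this_script.py
    text = SAMPLE_SOURCES if sys.stdin.isatty() else sys.stdin.read()
    summary = assess(parse_sources(text))
    print(summary)
    sys.exit(0 if summary["synced"] and not summary["problems"] else 1)
```

The non-zero exit status makes it usable as a cron or monitoring check; a falseticker (x) or a source whose reach register has gone dark is exactly the condition you want to hear about before clients start drifting.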
Open the default NTP port (123/udp) in the firewall so that clients can reach the server, then reload. (firewalld also ships a predefined ntp service, so --add-service=ntp is equivalent.)
# firewall-cmd --permanent --zone=public --add-port=123/udp
# firewall-cmd --reload
Now, if your clients are configured to point to your new NTP server, you can see them listed with the clients command of chronyc. chronyd only keeps this record while client logging is enabled, which it is unless noclientlog is set.
# chronyc clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
localhost                       4      0   2   -   119      14      0  -1     6
client.networklogician.com     17      0   5   -    18       0      0   -     -
Finally, let's review a few of the options available for use within the /etc/chrony.conf configuration file.
# Run the server on a different port number than the default 123, here 11223.
# Clients must then name the port when pointing at this server, e.g. in the
# client's /etc/chrony.conf:  server t1.networklogician.com port 11223
port 11223

# Record the measured drift rate of the system clock so it survives a restart.
driftfile /var/lib/chrony/drift

# Directory in which the measurement history is saved.
dumpdir /var/lib/chrony

# Save the measurement history when chronyd exits.
dumponexit

# Turn on hardware timestamping on every interface that supports it
# (an interface name can be given instead of the * wildcard).
hwtimestamp *

# NTP authentication uses the keys in this file.
keyfile /etc/chrony.keys

# Keep serving time even when no source is reachable (e.g. an isolated
# network), advertising stratum 10 so that real sources are always preferred.
local stratum 10

# Log measurements, statistics, and tracking data.
log measurements statistics tracking

# Directory for the log files.
logdir /var/log/chrony

# Step the clock instead of slewing it if the offset exceeds 300 seconds,
# but only during the first clock update after start-up (a negative limit
# means always). makestep takes exactly two arguments: threshold and limit.
makestep 300 1

# After the first clock update, reject any offset larger than 300 seconds;
# chronyd ignores two such offsets and exits on the next one (use -1 as the
# last argument to never exit). Arguments: threshold, delay, limit.
maxchange 300 1 2

# Discard a clock update whose estimated skew exceeds 100 ppm as unreliable.
maxupdateskew 100

# Smallest number of selectable sources required before the local clock is
# updated; the example below requires 2 sources.
minsources 2

# Do not log client activity. This also leaves `chronyc clients` empty and
# disables rate limiting, which needs the client record.
noclientlog

# Distance (in seconds) added to the root distance of every source other than
# the currently selected one, so chronyd does not flap between equally good
# sources. The value below is the default of 100 microseconds.
reselectdist 0.0001

# Distance (in seconds) added per stratum when chronyd chooses between
# possible sources. 2 milliseconds is written as 0.002 (the default is 0.001).
stratumweight 0.002

# File in which chronyd tracks the drift of the real-time clock (RTC).
rtcfile /var/lib/chrony/rtc

# Have the kernel copy the system time to the RTC every 11 minutes instead.
# This cannot be combined with the rtcfile option above; pick one.
rtcsync
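Most of the directives above fail in the same way: a wrong number of arguments, a value in the wrong unit (seconds, not milliseconds), or two options that exclude each other, and chronyd only tells you about the first problem once the file is already installed and the daemon restarted. The following added example (not code from the original post or from chrony) lints a chrony.conf fragment for exactly those mistakes before the restart. The expected argument counts follow the chrony.conf documentation; the "looks like a millisecond value" warning and the sample configurations are this script's own heuristic and constructed input.

```python
"""Lint a chrony.conf fragment for easy-to-make directive mistakes (added example)."""

# Directive -> (min_args, max_args) as documented in chrony.conf(5).
ARG_COUNTS = {
    "makestep": (2, 2),       # threshold limit
    "maxchange": (3, 3),      # threshold delay limit
    "stratumweight": (1, 1),  # distance in seconds
    "reselectdist": (1, 1),   # distance in seconds
    "maxupdateskew": (1, 1),  # skew in ppm
    "minsources": (1, 1),
    "port": (1, 1),
    "driftfile": (1, 1),
    "keyfile": (1, 1),
    "rtcfile": (1, 1),
    "rtcsync": (0, 0),
    "dumponexit": (0, 0),
    "noclientlog": (0, 0),
}

COMMENT_CHARS = ("#", "%", ";", "!")   # line starters chrony.conf ignores

# Constructed sample: the mistakes a first draft of a server config tends to contain.
BAD_CONF = """
allow 10.10.30.0/24
makestep 300 1 2
maxchange 300
stratumweight 2
reselectdist
hwtimestamp
rtcfile /var/lib/chrony/rtc
rtcsync
"""

# Constructed sample: the same intent, written correctly.
GOOD_CONF = """
allow 10.10.30.0/24
makestep 300 1
maxchange 300 1 2
stratumweight 0.002
reselectdist 0.0001
hwtimestamp *
rtcsync
"""


def parse_directives(conf_text):
    """Return (lineno, directive, args) for each non-comment, non-blank line."""
    out = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith(COMMENT_CHARS):
            words = line.split()
            out.append((lineno, words[0], words[1:]))
    return out


def lint(conf_text):
    """Return a list of 'line N: message' findings; an empty list means nothing was flagged."""
    findings = []
    seen = set()
    has_allow = False
    for lineno, name, args in parse_directives(conf_text):
        seen.add(name)
        lo, hi = ARG_COUNTS.get(name, (None, None))
        if lo is not None and not lo <= len(args) <= hi:
            expected = str(lo) if lo == hi else "%d-%d" % (lo, hi)
            findings.append("line %d: %s expects %s argument(s), got %d"
                            % (lineno, name, expected, len(args)))
            continue
        if name == "hwtimestamp" and not args:
            findings.append("line %d: hwtimestamp needs an interface name or '*'" % lineno)
        elif name in ("stratumweight", "reselectdist"):
            try:
                value = float(args[0])
            except ValueError:
                findings.append("line %d: %s argument %r is not a number" % (lineno, name, args[0]))
                continue
            if value >= 1:   # heuristic: these are seconds, 1 s or more is almost surely a unit slip
                findings.append("line %d: %s is in seconds; %s looks like a millisecond value"
                                % (lineno, name, args[0]))
        elif name == "allow":
            has_allow = True
            if not args or args == ["all"]:
                findings.append("line %d: allow without a subnet opens the server to every address" % lineno)
        elif name == "port" and args[0] == "0":
            findings.append("line %d: port 0 disables the NTP server" % lineno)
    if "rtcsync" in seen and "rtcfile" in seen:
        findings.append("rtcsync and rtcfile cannot be used together; keep one")
    if not has_allow:
        findings.append("no allow directive: chronyd will not answer NTP clients")
    return findings


if __name__ == "__main__":
    for label, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(label, lint(conf) or "clean")
```

Run it against the real file with lint(open("/etc/chrony.conf").read()) before the restart; a clean result is not proof the file is valid, but every finding is a real error or a unit slip.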
In Part 3, we will discuss the steps to set up ID-key pairs for symmetric authentication between the clients and the server.