RHEL7: How to set up the NTP service.


Note: This is an RHCSA 7 exam objective and an RHCE 7 exam objective.

Presentation

NTP (Network Time Protocol) is a protocol that keeps server clocks synchronized: one or several master servers provide time to client servers, which can themselves provide time to other client servers (the notion of stratum).

This tutorial deals with client side configuration, even though server configuration is not entirely different.

Two main packages are used in RHEL 7 to set up the client side:

  • ntp: this is the classic package, already existing in RHEL 6, RHEL 5, etc. It can be used as either an NTP client or a server.
  • chrony: this is a new solution better suited for portable PCs or machines with network connection problems (time synchronization is quicker). It is mainly used as an NTP client. chrony is the default package in RHEL 7 (a recent security audit has shown that chrony is pretty well written and secure).

Caution: ntpd and chronyd shouldn’t run at the same time. Choose one and only one of them! There are reports from RHCE candidates noting that one of them is purposely already running at the beginning of the exam.

Prerequisites

Before anything else, you need to assign the correct time zone.
To get the current configuration, type:

# timedatectl
      Local time: Sat 2015-11-07 08:17:33 EST
  Universal time: Sat 2015-11-07 13:17:33 UTC
        RTC time: Sat 2015-11-07 13:17:33
        Timezone: America/New_York (EST, -0500)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-11-01 01:59:59 EDT
                  Sun 2015-11-01 01:00:00 EST
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-13 01:59:59 EST
                  Sun 2016-03-13 03:00:00 EDT

To get the list of all the available time zones, type:

# timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
...
America/La_Paz
America/Lima
America/Los_Angeles
...
Asia/Seoul
Asia/Shanghai
Asia/Singapore
...
Pacific/Tongatapu
Pacific/Wake
Pacific/Wallis

Finally, to set a specific time zone (here America/Los_Angeles), type:

# timedatectl set-timezone America/Los_Angeles

Then, to check your new configuration, type:

# timedatectl
      Local time: Sat 2015-11-07 05:32:43 PST
  Universal time: Sat 2015-11-07 13:32:43 UTC
        RTC time: Sat 2015-11-07 13:32:43
        Timezone: America/Los_Angeles (PST, -0800)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-11-01 01:59:59 PDT
                  Sun 2015-11-01 01:00:00 PST
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-13 01:59:59 PST
                  Sun 2016-03-13 03:00:00 PDT

The NTP Package

Install the NTP package:

# yum install -y ntp

Activate the NTP service at boot:

# systemctl enable ntpd

Start the NTP service:

# systemctl start ntpd

The NTP configuration is in the /etc/ntp.conf file:

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

Note: For a basic configuration, only the server directives may need to change, to point at a different set of master time servers than the defaults.

To get some information about the time synchronization process, type:

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*y.ns.gin.ntt.ne 192.93.2.20      2 u   47   64  377   27.136    6.958  11.322
+ns1.univ-montp3 192.93.2.20      2 u   45   64  377   34.836   -0.009  11.463
+merlin.ensma.ne 193.204.114.232  2 u   48   64  377   34.586    4.443  11.370
+obsidian.ad-not 131.188.3.220    2 u   50   64  377   22.548    4.256  12.077
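
In this output, the character in the first column (the tally code) and the reach value show whether ntpd is really synchronized. The script below is an added example, not part of the original tutorial: it reads ntpq -p output and classifies each peer. The function names, the 100 ms offset threshold and the stale.example sample line are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: classify the peers listed by "ntpq -p".

# Sample input: the first two peers come from the output shown above,
# the third (stale.example) is constructed to show an unreachable source.
sample_ntpq() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*y.ns.gin.ntt.ne 192.93.2.20      2 u   47   64  377   27.136    6.958  11.322
+ns1.univ-montp3 192.93.2.20      2 u   45   64  377   34.836   -0.009  11.463
 stale.example   .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# check_ntpq [MAX_OFFSET_MS]
# Reads "ntpq -p" output on stdin and prints one line per peer.
# Returns 0 only if a system peer ('*') exists with |offset| <= MAX_OFFSET_MS.
check_ntpq() {
    awk -v max="${1:-100}" '
    NR <= 2 { next }                      # header line and ruler
    NF < 10 { next }                      # not a peer line
    {
        tally = substr($0, 1, 1)          # "*" system peer, "+" candidate,
                                          # "-" outlier, "x" falseticker
        split(substr($0, 2), f, " ")      # remote refid st t when poll reach delay offset jitter
        remote = f[1]; reach = f[7]; off = f[9] + 0
        mag = (off < 0) ? -off : off

        # reach is an octal shift register: 377 = last eight polls answered,
        # 0 = no answer received at all.
        if (reach == "0")                      state = "UNREACHABLE"
        else if (tally == "*" && mag <= max) { state = "SYNC"; synced = 1 }
        else if (tally == "*")                 state = "SYNC_OFFSET_HIGH"
        else if (tally == "x" || tally == "-") state = "REJECTED"
        else if (reach != "377")               state = "PARTIAL"
        else                                   state = "CANDIDATE"

        printf "%s %s reach=%s offset_ms=%s\n", state, remote, reach, f[9]
    }
    END { exit (synced ? 0 : 1) }'
}

# Stand-alone run on the sample; on a live system use: ntpq -p | check_ntpq 100
sample_ntpq | check_ntpq 100
```

The exit status makes the function usable in a monitoring check: it is non-zero when no system peer is selected or when the selected peer's offset exceeds the threshold.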

Alternatively, to get a basic report, type:

# ntpstat
synchronised to NTP server (129.250.35.251) at stratum 3
time correct to within 60 ms
polling server every 64 s

To quickly synchronize a server, type:

# systemctl stop ntpd
# ntpdate pool.ntp.org
 5 Jul 10:36:58 ntpdate[2190]: adjust time server 95.81.173.74 offset -0.005354 sec
# systemctl start ntpd

The Chrony Package

Alternatively, you can install the new Chrony service that is quicker to synchronize clocks in mobile and virtual systems.

Install the Chrony service:

# yum install -y chrony

Activate the Chrony service at boot:

# systemctl enable chronyd

Start the Chrony service:

# systemctl start chronyd

The Chrony configuration is in the /etc/chrony.conf file:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

# Ignore stratum in source selection.
stratumweight 0

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Enable kernel RTC synchronization.
rtcsync

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3

# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1

keyfile /etc/chrony.keys

# Specify the key used as password for chronyc.
commandkey 1

# Generate command key if missing.
generatecommandkey

# Disable logging of client accesses.
noclientlog

# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5

logdir /var/log/chrony

Note: For a basic configuration, only the server directives may need to change, to point at a different set of master time servers than the defaults.
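
When this file is edited (new server lines, or an allow line to serve time to other machines), it is worth checking what the result exposes. The script below is an added example, not part of the original tutorial or of the chrony project: it lists the time sources, reports allow directives and checks that bindcmdaddress stays on the loopback addresses. The function names and both sample configurations are constructed for the illustration.

```shell
#!/bin/sh
# Added example: report what a chrony.conf exposes.

# Constructed sample: a client-only configuration using lines from the file above.
sample_client_conf() {
cat <<'EOF'
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
EOF
}

# Constructed sample: sources commented out, NTP served to everyone,
# command port bound to all IPv4 addresses.
sample_open_conf() {
cat <<'EOF'
#server 0.centos.pool.ntp.org iburst
allow
allow 192.168.0.0/24
bindcmdaddress 0.0.0.0
EOF
}

# audit_chrony_conf: reads a chrony.conf on stdin, prints findings,
# returns 1 if at least one WARN was printed.
audit_chrony_conf() {
    awk '
    /^[ \t]*([#!;%]|$)/ { next }          # comment or empty line

    $1 == "server" || $1 == "peer" || $1 == "pool" {
        sources++; print "SOURCE " $1 " " $2; next
    }
    $1 == "allow" {                       # syntax: allow [all] [subnet]
        net = ($2 == "all") ? $3 : $2
        if (net == "" || net == "0/0" || net == "0.0.0.0/0" || net == "::/0") {
            warn++; print "WARN allow: serves NTP to any client"
        } else {
            print "INFO allow: serves NTP to " net
        }
        next
    }
    $1 == "bindcmdaddress" {
        if ($2 == "127.0.0.1" || $2 == "::1") {
            print "OK bindcmdaddress " $2
        } else {
            warn++
            print "WARN bindcmdaddress " $2 ": chronyc command port not limited to loopback"
        }
        next
    }
    END {
        if (!sources) {
            warn++; print "WARN no server/peer/pool line: no network time source"
        }
        exit (warn ? 1 : 0)
    }'
}

# Stand-alone run on both samples; on a live system use:
#   audit_chrony_conf < /etc/chrony.conf
sample_client_conf | audit_chrony_conf
sample_open_conf | audit_chrony_conf || true
```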

To get information about the main time reference, type:

# chronyc tracking
Reference ID    : 94.23.44.157 (merzhin.deuza.net)
Stratum         : 3
Ref time (UTC)  : Thu Jul  3 22:26:27 2014
System time     : 0.000265665 seconds fast of NTP time
Last offset     : 0.000599796 seconds
RMS offset      : 3619.895751953 seconds
Frequency       : 0.070 ppm slow
Residual freq   : 0.012 ppm
Skew            : 0.164 ppm
Root delay      : 0.030609 seconds
Root dispersion : 0.005556 seconds
Update interval : 1026.9 seconds
Leap status     : Normal

To get equivalent information to the ntpq command, type:

# chronyc sources -v
210 Number of sources = 4

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||                                                /   xxxx = adjusted offset,
||         Log2(Polling interval) -.             |    yyyy = measured offset,
||                                  \            |    zzzz = estimated error.
||                                   |           |
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ merlin.ensma.fr               2   6    77    61   +295us[+1028us] +/-   69ms
^* lafkor.de                     2   6    77    61  -1371us[ -638us] +/-   65ms
^+ kimsuflol.iroqwa.org          3   6    77    61   -240us[ -240us] +/-   92ms
^+ merzhin.deuza.net             2   6    77    61    +52us[  +52us] +/-   48ms

# chronyc sourcestats -v
210 Number of sources = 4
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
merlin.ensma.fr             7   5   200      0.106      6.541   +381us   176us
lafkor.de                   7   4   199      0.143     10.145   -916us   290us
kimsuflol.iroqwa.org        7   7   200     -0.298      6.717    +69us   184us
merzhin.deuza.net           7   5   200      0.585     11.293   +675us   314us

To quickly synchronize a server, type:

# ntpdate pool.ntp.org
 5 Jul 10:31:06 ntpdate[2135]: step time server 193.55.167.1 offset 121873.493146 sec

Note: You don’t need to stop the Chrony service to synchronize the server.

Additional Resources

You can read these Red Hat articles about leap seconds management, how to resolve leap second issues or the differences between NTP and PTP.
The xmodulo website provides a tutorial on How to set up NTP server in CentOS.
Documentation about NTP is available at the NTP Documentation Archive website and at the Tuxfamily website for Chrony.
In addition, you can read the reports from the Core Infrastructure Initiative conducting security audits of NTP and Chrony.

Beyond the exam objectives, virtualization can trigger problems (see this thread) and it is useful to know How to avoid VM clock drift.

You may also be interested in converting a Raspberry PI into a stratum 1 NTP server.
Some specific services may need to wait until the clock is synchronized: read this thread to know how to configure them.

43 comments on “RHEL7: How to set up the NTP service.”
  1. jerky_rs says:

    For Peer configurations.

    on master you must add the following into /etc/chrony.conf

    # Allow NTP client access from local network.
    allow 192.168.0.0/24

    – copy the key file to the clients
    – open up ntp service port firewall-cmd

    On clients you must specify the following and disable “server” in /etc/chrony.conf

    # Use Peer
    peer 192.168.0.33

    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Setting_up_chrony_for_different_environments.html

    • CertDepot says:

      I’m going to update the tutorial with your information. Thanks.

    • salvador says:

      Nice info. Thank you.
      On centos 7.1 I did not need to copy the key.

      To synchronize 192.168.122.7 with an external server as usual, while synchronizing 192.168.122.2 with 192.168.122.7, we can do as follows:
      ____________________________________________________

      on 192.168.122.7:

      vi /etc/chrony.conf
      ### add the following line:
      allow 192.168.122.2
      ### or, to allow the whole subnet:
      ### allow 192.168.122.0/24

      systemctl restart chronyd

      firewall-cmd --permanent --add-service=ntp
      firewall-cmd --reload
      ____________________________________________________

      on 192.168.122.2:

      vi /etc/chrony.conf
      ### comment out all “server … ” lines;
      ### add the following line:
      peer 192.168.122.7

      systemctl restart chronyd

      after 3 minutes and 18 seconds my kvm guest 192.168.122.2 synchronizes with 192.168.122.7;

      journalctl | grep chronyd
      chronyd[433]: Selected source 192.168.122.7

      chronyc tracking
      Reference ID : 192.168.122.7
      Leap status : Normal
      ____________________________________________________

      If we want to synchronize immediately, then we put this line on a startup script, f.e. /etc/profile:
      chronyc -a makestep

      • beshooo says:

        Hello Salvador,

        Did you mean that client is 192.168.122.7 and NTP server is 192.168.122.2?
        If yes, am I required to change on NTP server? I think no so can we solve this problem?

        Also can I stop chrony and choose ntp instead or it is not recommended?

        Thanks

      • martingarvin says:

        Thank you salvador, I tried your tips. It worked like a charm. Thank you so much.

  2. pharlan says:

    Do we really need to install ntpd? Why can’t we just use “timedatectl set-ntp true”?

    • CertDepot says:

      The “timedatectl set-ntp true/false” command starts/stops the ntpd or chronyd daemon.
      But you still need to install the ntp or chrony package, otherwise time will drift.

  3. ak340 says:

    Hi Certdepot,

    as per verification, I think the ntpd and chronyd daemons should not coexist. Upon powering on my server the ntpd daemon is dead but enabled while chronyd is running and enabled. I have tried to start the ntpd daemon and the chronyd daemon became dead, see output below. Looking forward to your advice.

    # systemctl status ntpd
    ntpd.service – Network Time Service
    Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
    Active: inactive (dead)

    # systemctl status chronyd
    chronyd.service – NTP client/server
    Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
    Active: active (running) since Sun 2015-06-28 05:24:18 PHT; 5min ago
    Process: 761 ExecStartPost=/usr/libexec/chrony-helper add-dhclient-servers (code=exited, status=0/SUCCESS)
    Process: 719 ExecStart=/usr/sbin/chronyd -u chrony $OPTIONS (code=exited, status=0/SUCCESS)
    Main PID: 728 (chronyd)
    CGroup: /system.slice/chronyd.service
    └─728 /usr/sbin/chronyd -u chrony

    Jun 28 05:24:17 client.example.com chronyd[728]: chronyd version 1.29.1 starting
    Jun 28 05:24:17 client.example.com chronyd[728]: Linux kernel major=3 minor=10 patch=0
    Jun 28 05:24:17 client.example.com chronyd[728]: hz=100 shift_hz=7 freq_scale=1.00000000 nominal_tick=10000 slew_delta_tick=833 max_tick_bias=1000 shift_pll=2
    Jun 28 05:24:17 client.example.com chronyd[728]: Frequency 18.842 +/- 5.623 ppm read from /var/lib/chrony/drift
    Jun 28 05:24:18 client.example.com systemd[1]: Started NTP client/server.
    Jun 28 05:24:29 client.example.com chronyd[728]: Selected source 129.250.35.251
    # systemctl start ntpd
    # systemctl status ntpd
    ntpd.service – Network Time Service
    Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
    Active: active (running) since Sun 2015-06-28 05:29:43 PHT; 3s ago
    Process: 3067 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
    Main PID: 3068 (ntpd)
    CGroup: /system.slice/ntpd.service
    └─3068 /usr/sbin/ntpd -u ntp:ntp -g

    Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 2 lo 127.0.0.1 UDP 123
    Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 3 enp0s3 192.168.200.106 UDP 123
    Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 4 virbr0 192.168.122.1 UDP 123
    Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 5 lo ::1 UDP 123
    Jun 28 05:29:43 client.example.com ntpd[3068]: Listen normally on 6 enp0s3 fe80::a00:27ff:fe16:46e4 UDP 123
    Jun 28 05:29:43 client.example.com ntpd[3068]: Listening on routing socket on fd #23 for interface updates
    Jun 28 05:29:43 client.example.com ntpd[3068]: 0.0.0.0 c016 06 restart
    Jun 28 05:29:43 client.example.com ntpd[3068]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
    Jun 28 05:29:43 client.example.com ntpd[3068]: 0.0.0.0 c011 01 freq_not_set
    Jun 28 05:29:44 client.example.com ntpd[3068]: 0.0.0.0 c614 04 freq_mode
    # systemctl status chronyd
    chronyd.service – NTP client/server
    Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
    Active: inactive (dead) since Sun 2015-06-28 05:29:43 PHT; 6s ago
    Process: 761 ExecStartPost=/usr/libexec/chrony-helper add-dhclient-servers (code=exited, status=0/SUCCESS)
    Process: 719 ExecStart=/usr/sbin/chronyd -u chrony $OPTIONS (code=exited, status=0/SUCCESS)
    Main PID: 728 (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/chronyd.service

    Jun 28 05:24:17 client.example.com chronyd[728]: chronyd version 1.29.1 starting
    Jun 28 05:24:17 client.example.com chronyd[728]: Linux kernel major=3 minor=10 patch=0
    Jun 28 05:24:17 client.example.com chronyd[728]: hz=100 shift_hz=7 freq_scale=1.00000000 nominal_tick=10000 slew_delta_tick=833 max_tick_bias=1000 shift_pll=2
    Jun 28 05:24:17 client.example.com chronyd[728]: Frequency 18.842 +/- 5.623 ppm read from /var/lib/chrony/drift
    Jun 28 05:24:18 client.example.com systemd[1]: Started NTP client/server.
    Jun 28 05:24:29 client.example.com chronyd[728]: Selected source 129.250.35.251
    Jun 28 05:29:43 client.example.com systemd[1]: Stopping NTP client/server…
    Jun 28 05:29:43 client.example.com systemd[1]: Stopped NTP client/server.

  4. ak340 says:

    Thanks CertDepot does this means that I can already remove the ntpd package? and stick with chronyd?

  5. usmanshahzad says:

    From where can i find the solution to the task of the day questions?

  6. redhat0329 says:

    chrony: this is a new solution better suited for portable PC or servers with chrony is the default package in RHEL 7.

    Hi CertDepot,

    You mentioned that chrony is the default package in RHEL 7, but based on your tutorials why do we need to install the package? 🙂 Thanks!

  7. phil_guy412 says:

    If I have a virtual machine on a physical machine and I want the virtual machine to point to the physical host machine for its NTP service, when I edit the /etc/chrony.conf file, do I just append the physical host computers IP address into the “server pool” section?

    I would append, “server 192.x.x.x iburst” ?

    • CertDepot says:

      Yes, it should work.

      • phil_guy412 says:

        I tried doing just that but after I restart the chronyd service and run chronyc sources -v, the output shows that the server is unreachable. I even disabled the pre-set NTP servers in that config file, so my physical machine is the only source it’s looking to for NTP services.

        If I run a timedatectl I can see that NTP is enabled but NTP synchronized is set to no.

        Do I need to install ntp? I thought I shouldn’t have both ntp or chronyd installed at once.

        • CertDepot says:

          You can synchronize either by ntpd or chronyd but not both at the same time.
          It’s perhaps something with your bridge configuration.
          Is it the standard configuration with virbr0 or did you do something special?

          • phil_guy412 says:

            I originally had it point to my eth0 IP address. I changed it to the virbr0 but I’m still getting the same issue. I don’t have an NTP server on my physical machine. Also how do I turn on NTP synchronized to yes?

          • CertDepot says:

            You don’t have an NTP server on your physical machine???

          • phil_guy412 says:

            The physical machine has the default NTP servers enabled on it. I removed those default NTP servers from the virtual machine and added my physical machine’s IP address in the pool server section of the /etc/chrony.conf file

          • CertDepot says:

            Check your firewalld configuration on the virtual machine and the iptable configuration on the KVM host.

  8. Noli says:

    If the exam question says set up ntp client and a FQDN/IP is provided, does this mean either ntpd or chrony can be used? Also provide steps to add the new ntp source. thanks

    • CertDepot says:

      Yes, ntpd and chronyd should be both valid.
      ntp source addition procedures are pretty similar in ntpd and chronyd. The information should be displayed in the tutorials.

  9. Taliez says:

    hi certdepot,

    just wanna ask if can i do

    yum install system-config-date

    check BOX = synchronize date and time over the network?

    is this a valid approach for the objective?

  10. Ahmad says:

    Hi

    Should I use this command “timedatectl set-ntp true”, when configuring my server as a client for ntp server using chrony package.

    • CertDepot says:

      To be honest, I haven’t seen the interest of this command.
      You can use it but it isn’t required when setting up ntpd or chronyd.
      If somebody knows more, please share!

  11. Ahmad says:

    Hi,

    Should I uncomment the below lines on the exam, and add the new one for the exam if I asked to configure time service with chronyd:

    server 0.centos.pool.ntp.org iburst
    server 1.centos.pool.ntp.org iburst
    server 2.centos.pool.ntp.org iburst
    server 3.centos.pool.ntp.org iburst

    • CertDepot says:

      If you are given new servers details, yes. Otherwise, don’t change anything on this part.

      • Ahmad says:

        I understand, if asked to synch the local system with this abc.d.com , then I should uncomment the lines.

        However, if they ask to only configure the local system as a client to abc.d.com , then there is no need to uncomment the lines.

        Am I correct? Please advise.

        • CertDepot says:

          If asked to synch the local system with a time server at abc.d.com, comment out the “server X.centos.pool.ntp.org iburst” lines and add “server abc.d.com” in the configuration file.

  12. redhat0329 says:

    Hi CertDepot,

    First of all thanks so much for your site.
    It is very helpful to pass my rhcsa.. 🙂

    Even though I passed I don’t understand why I cannot resolve the issue in chronyd service? I checked that chronyd is installed. Try to mask the ntpd service but to no avail still I cannot start the chronyd service?
    I can enable it but it cannot be started 🙁

    On this I just used ntpd service instead.
    Do you have any idea why it cannot be started? 🙂

    Again thanks bro.. 🙂

  13. zi says:

    if we are given a new server to set up ntp on which part of the conf file should we insert it? are we supposed to comment out a line? thanks

  14. maikeu says:

    Hi Certdepot

    I have been working around ntpd and chronyd with your steps as one of my sources

    I am running on a “lab” computer (girlfriend’s old Macbook that was gathering dust :p ) with no external network access.

    Therefore I needed to set up a “master” ntp server, I did this on my host, using instructions from here:

    https://www.borngeek.com/2008/04/03/using-ntp-on-a-private-network/

    After this, and pointing my first VM at it as the only time source, enabling ntpd etc, I would run ntpstat which would show as synchronized. The temp fix was
    systemctl stop ntpd && ntpdate host1.example.com && systemctl start ntpd

    However that failed on next reboot.
    Luckily there is also an ntpdate service. Inspecting /usr/lib/systemd/system/ntpd.service, it looks like ntpd is configured to run after ntpdate.service; so that’s a dependency, right? However it was only after I explicitly enabled ntpdate with systemctl enable ntpdate, that my server would be synchronised quickly after a reboot.

    chronyd seems to do the job from what I can see for all the RHCE requirement, but I want to get a handle on both.

    Any thoughts?

    • CertDepot says:

      When you use ntpd, you have to check that your computer isn’t more than 1024 seconds late compared to the NTP master’s, otherwise it doesn’t synchronize its clock. It’s for this reason that ntpdate is used. It synchronizes the computer’s clock with the master NTP’s before ntpd starts.
      Chronyd doesn’t react the same way and doesn’t need ntpdate.

  15. ercole1977 says:

    Hello guys should I expect on the exam to find “sync to a net time” so I will be able to choose ntpd or chronyd or there will be a specific question? For example “use ntpd”?
