# Chrony

Chrony is a versatile implementation of the [[Network Time Protocol (NTP)]] designed to synchronize the system clock with NTP servers, reference clocks, or manual input. It's the default NTP client on many modern Linux distributions including RHEL, CentOS, Fedora, and [[Arch Linux]].

## Why Chrony Over ntpd

Chrony offers several advantages over the traditional [[ntpd]]:

- **Faster synchronization**: Syncs the clock more quickly, especially on systems that are frequently powered off or have intermittent network connections
- **Better accuracy**: Maintains better time accuracy on systems with unstable network connections or variable temperatures
- **Lower resource usage**: Uses less memory and CPU
- **Handles network disruptions**: Works well on machines that don't have permanent network connections (laptops, VMs, containers)
- **Virtual machine friendly**: Performs better in virtualized environments where the clock can drift significantly

## Components

Chrony consists of two main programs:

- **chronyd**: The daemon that runs in the background, adjusting the system clock
- **chronyc**: The command-line interface for monitoring and controlling chronyd

## Common Commands

### Check Synchronization Status

```bash
# Show current time sources and their status
chronyc sources

# Verbose output with more details
chronyc sources -v

# Show tracking information (current sync status)
chronyc tracking
```

### Manual Operations

```bash
# Force immediate sync
chronyc makestep

# Add a new NTP server temporarily
chronyc add server pool.ntp.org

# Check if chrony is synchronized
chronyc tracking | grep "Leap status"
# "Normal" means synchronized
```

### Service Management

```bash
# Check status
systemctl status chronyd

# Start/stop/restart
sudo systemctl start chronyd
sudo systemctl stop chronyd
sudo systemctl restart chronyd

# Enable at boot
sudo systemctl enable chronyd
```

## Configuration

The main configuration file is `/etc/chrony.conf` (or `/etc/chrony/chrony.conf` on some distributions).

### Basic Configuration Example

```conf
# Use public NTP servers
pool pool.ntp.org iburst

# Record the rate at which the system clock gains/drifts
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC)
rtcsync

# Allow NTP client access from local network (if acting as server)
# allow 192.168.0.0/16

# Serve time even if not synchronized to a time source
# local stratum 10
```

### Key Configuration Options

| Option | Description |
|--------|-------------|
| `server` | Specify a single NTP server |
| `pool` | Specify a pool of NTP servers |
| `iburst` | Send 4 requests in quick succession on startup for faster initial sync |
| `makestep` | Allow stepping the clock if offset exceeds threshold |
| `rtcsync` | Sync hardware clock (RTC) with system time |
| `driftfile` | Store clock drift rate for faster sync after reboot |
| `allow` | Allow NTP client access from specified network |
| `local` | Act as NTP server even when not synchronized |

## Verifying Time Sync

```bash
# Quick check if time is synchronized
timedatectl status

# Look for:
#   System clock synchronized: yes
#   NTP service: active
```

## Troubleshooting

### Clock Not Synchronizing

1. Check if chronyd is running: `systemctl status chronyd`
2. Check firewall allows NTP (UDP port 123): `sudo firewall-cmd --list-all`
3. Verify network connectivity to NTP servers: `chronyc sources`
4. Check for `*` or `+` in sources output (indicates good source)

### Large Time Offset

If the time is significantly off, chrony won't step the clock by default after the initial sync period. Force it:

```bash
# Stop chrony, set time manually, restart
sudo systemctl stop chronyd
sudo date -s "2026-02-05 20:45:00"
sudo systemctl start chronyd

# Or allow stepping with makestep
sudo chronyc makestep
```

## Security Considerations

- Chrony supports NTS (Network Time Security) for authenticated time synchronization
- Restrict which networks can query your server using `allow` and `deny` directives
- Use `bindaddress` to limit which interfaces chronyd listens on

## Related

- [[Network Time Protocol (NTP)]]
- [[ntpd]]
- [[David Mills]]
- [[systemd]]
- [[Arch Linux]]
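
The three points under Security Considerations can be checked mechanically against a configuration file. The script below is an added example, not part of chrony or of the original page; the two sample configs, `time.example.net`, the subnets and the finding codes are constructed for illustration.

```python
# Constructed sample configs; time.example.net and the subnets are placeholders.
WEAK_CONF = """\
pool pool.ntp.org iburst
driftfile /var/lib/chrony/drift
# serve time to anyone who asks
allow
"""

HARDENED_CONF = """\
server time.example.net iburst nts
driftfile /var/lib/chrony/drift
allow 192.168.0.0/16
deny 192.168.100.0/24
bindaddress 192.168.1.10
"""


def audit_chrony_conf(text):
    """Return (line_number, code, detail) findings; line 0 means file-wide."""
    findings = []
    serves_clients = has_bindaddress = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # chrony.conf comment lines begin with one of ! ; # %
        if not line or line[0] in "!;#%":
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive in ("server", "pool") and args:
            # Only the nts option is checked, as NTS is what the page names.
            if "nts" not in (a.lower() for a in args[1:]):
                findings.append((lineno, "NO_NTS", f"{args[0]} is used without NTS"))
        elif directive == "allow":
            serves_clients = True
            subnets = [a for a in args if a.lower() != "all"]
            # A bare "allow" or a /0 prefix admits every client address.
            if not subnets or subnets[0].endswith("/0"):
                findings.append((lineno, "ALLOW_ANY", "allow is not limited to a subnet"))
        elif directive == "bindaddress":
            has_bindaddress = True
    if serves_clients and not has_bindaddress:
        findings.append((0, "NO_BINDADDRESS", "serving clients on every interface"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_chrony_conf(conf) or "no findings")
```

To audit a live system, pass the contents of `/etc/chrony.conf` (or `/etc/chrony/chrony.conf`) to `audit_chrony_conf`; files pulled in from other locations are not followed by this example.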