Frequently Asked Questions

Table of Contents

  o 1. chrony compared to other programs
      o 1.1. How does chrony compare to ntpd?
  o 2. Configuration issues
      o 2.1. What is the minimum recommended configuration for an NTP client?
      o 2.2. How do I make an NTP server from an NTP client?
      o 2.3. I have several computers on a LAN. Should they all be clients of
        an external server?
      o 2.4. Must I specify servers by IP address if DNS is not available on
        chronyd start?
      o 2.5. How can I make chronyd more secure?
      o 2.6. How can I improve the accuracy of the system clock with NTP
        sources?
      o 2.7. Does chronyd have an ntpdate mode?
      o 2.8. Can chronyd be configured to control the clock like ntpd?
      o 2.9. What happened to the commandkey and generatecommandkey directives?
  o 3. Computer is not synchronising
      o 3.1. Behind a firewall?
      o 3.2. Are NTP servers specified with the offline option?
      o 3.3. Is chronyd allowed to step the system clock?
      o 3.4. Using a Windows NTP server?
      o 3.5. Using a PPS reference clock?
  o 4. Issues with chronyc
      o 4.1. I keep getting the error 506 Cannot talk to daemon
      o 4.2. I keep getting the error 501 Not authorised
      o 4.3. Why does chronyc tracking always print an IPv4 address as
        reference ID?
      o 4.4. Is the chronyc / chronyd protocol documented anywhere?
  o 5. Real-time clock issues
      o 5.1. What is the real-time clock (RTC)?
      o 5.2. I want to use chronyd's RTC support. Must I disable hwclock?
      o 5.3. I just keep getting the 513 RTC driver not running message
      o 5.4. I get Could not open /dev/rtc, Device or resource busy in my
        syslog file
      o 5.5. What if my computer does not have an RTC or backup battery?
  o 6. NTP-specific issues
      o 6.1. Can chronyd be driven from broadcast/multicast NTP servers?
      o 6.2. Can chronyd transmit broadcast NTP packets?
      o 6.3. Can chronyd keep the system clock a fixed offset away from real
        time?
      o 6.4. What happens if the network connection is dropped without using
        chronyc's offline command first?
  o 7. Operating systems
      o 7.1. Does chrony support Windows?
      o 7.2. Are there any plans to support Windows?

1. chrony compared to other programs

1.1. How does chrony compare to ntpd?

chronyd was designed to work well in a wide range of conditions and it can
usually synchronise the system clock faster and with better time accuracy. It
doesn't implement some of the less useful NTP modes like broadcast client or
multicast server/client.

If your computer is connected to the Internet only for a few minutes at a time,
the network connection is often congested, you turn your computer off or
suspend it frequently, the clock is not very stable (e.g. there are rapid
changes in the temperature or it's a virtual machine), or you want to use NTP
on an isolated network with no hardware reference clocks in sight, chrony will
probably work much better for you.

For a more detailed comparison of features and performance, see the comparison
page on the chrony website.

2. Configuration issues

2.1. What is the minimum recommended configuration for an NTP client?

First, the client needs to know which NTP servers it should ask for the current
time. They are specified by the server or pool directive. The pool directive
can be used for names that resolve to multiple addresses. For good reliability
the client should have at least three servers. The iburst option speeds up the
initial synchronisation.

To stabilise the initial synchronisation on the next start, the estimated drift
of the system clock is saved to a file specified by the driftfile directive.

If the system clock can be far from the true time after boot for any reason,
chronyd should be allowed to correct it quickly by stepping instead of slewing,
which would take a very long time. The makestep directive does that.

In order to keep the real-time clock (RTC) close to the true time, so the
system time is reasonably close to the true time when it's initialised on the
next boot from the RTC, the rtcsync directive enables a mode in which the
system time is periodically copied to the RTC. It is supported on Linux and
macOS.

If you want to use public NTP servers from the pool.ntp.org project, the
minimal chrony.conf file could be:

    pool pool.ntp.org iburst
    driftfile /var/lib/chrony/drift
    makestep 1 3
    rtcsync

2.2. How do I make an NTP server from an NTP client?

You need to add an allow directive to the chrony.conf file in order to open the
NTP port and allow chronyd to reply to client requests. allow with no specified
subnet allows access from all IPv4 and IPv6 addresses.

2.3. I have several computers on a LAN. Should they all be clients of an
external server?

The best configuration is usually to make one computer the server, with the
others as clients of it. Add a local directive to the server's chrony.conf
file. This configuration will be better because:

  o the load on the external connection is less

  o the load on the external NTP server(s) is less

  o if your external connection goes down, the computers on the LAN will
    maintain a common time with each other.

2.4. Must I specify servers by IP address if DNS is not available on chronyd
start?

No. Starting from version 1.25, chronyd will keep trying to resolve the names
specified by the server, pool, and peer directives at increasing intervals
until it succeeds. The online command can be issued from chronyc to force
chronyd to try to resolve the names immediately.

2.5. How can I make chronyd more secure?

If you don't need to serve time to NTP clients or peers, you can add port 0 to
the chrony.conf file to completely disable the NTP server functionality and
prevent NTP requests from reaching chronyd. Starting from version 2.0, the NTP
server port is open only when client access is allowed by the allow directive
or command, an NTP peer is configured, or the broadcast directive is used.

If you don't need to use chronyc remotely, you can add the following directives
to the configuration file to bind the command sockets to the loopback
interface. This is done by default since version 2.0.

    bindcmdaddress 127.0.0.1
    bindcmdaddress ::1

If you don't need to use chronyc at all or you need to run chronyc only under
the root or chrony user (which can access chronyd through a Unix domain socket
since version 2.2), you can disable the internet command sockets completely by
adding cmdport 0 to the configuration file.

You can specify an unprivileged user with the -u option, or the user directive
in the chrony.conf file, to which chronyd will switch after start in order to
drop root privileges. The configure script has a --with-user option, which sets
the default user. On Linux, chronyd needs to be compiled with support for the
libcap library. On other systems, chronyd forks into two processes. The child
process retains root privileges, but can only perform a very limited range of
privileged system calls on behalf of the parent.

Also, if chronyd is compiled with support for the Linux secure computing
(seccomp) facility, you can enable a system call filter with the -F option. It
will significantly reduce the kernel attack surface and possibly prevent kernel
exploits from the chronyd process if it's compromised. It's recommended to
enable the filter only when it's known to work on the version of the system
where chrony is installed, as the filter also needs to allow system calls made
by libraries that chronyd is using (e.g. libc) and different versions or
implementations of the libraries may make different system calls. If the filter
is missing some system call, chronyd could be killed even in normal operation.

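The checks from sections 2.2 and 2.5 can be run mechanically over a chrony.conf. The following is an added example, not part of chrony or of the original FAQ; the function names, the severity scale and both sample files are constructed here, and the -F (seccomp) option is not covered because it is a command-line option rather than a directive.

```python
import ipaddress
from typing import List, NamedTuple

COMMENT_CHARS = "#!;%"  # a chrony.conf line starting with one of these is a comment


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "info" (scale constructed for this example)
    directive: str
    message: str


def parse_directives(text: str) -> List[List[str]]:
    """Return every directive as [name, arg, ...] with the name lower-cased."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in COMMENT_CHARS:
            words = line.split()
            directives.append([words[0].lower()] + words[1:])
    return directives


def _is_loopback(address: str) -> bool:
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_chrony_conf(text: str, serves_time: bool = False,
                      remote_chronyc: bool = False) -> List[Finding]:
    """serves_time: host should answer NTP clients; remote_chronyc: chronyc is used remotely."""
    directives = parse_directives(text)
    names = {d[0] for d in directives}
    findings: List[Finding] = []

    # NTP server port (sections 2.2 and 2.5)
    for d in directives:
        if d[0] != "allow":
            continue
        subnet = [a for a in d[1:] if a.lower() != "all"]
        if not subnet or subnet[0] in ("0/0", "::/0"):
            findings.append(Finding("high", "allow",
                                    "allow is not restricted to a subnet"))
        elif not serves_time:
            findings.append(Finding("medium", "allow",
                                    f"client-only host allows NTP access from {subnet[0]}"))
    if not serves_time:
        for name in sorted(names & {"peer", "broadcast"}):
            findings.append(Finding("medium", name,
                                    f"{name} opens the NTP server port"))
        if ["port", "0"] not in directives:
            findings.append(Finding("medium", "port",
                                    "add 'port 0' to disable NTP server functionality"))

    # Command sockets used by chronyc (section 2.5)
    if ["cmdport", "0"] not in directives:
        if not remote_chronyc:
            findings.append(Finding("info", "cmdport",
                                    "add 'cmdport 0' if chronyc runs only as root or chrony"))
        for d in directives:
            if (d[0] == "bindcmdaddress" and len(d) > 1
                    and not d[1].startswith("/") and not _is_loopback(d[1])):
                findings.append(Finding("info" if remote_chronyc else "high",
                                        "bindcmdaddress",
                                        f"command socket bound to {d[1]}, not loopback"))
            if d[0] == "cmdallow" and not remote_chronyc:
                findings.append(Finding("medium", "cmdallow",
                                        "cmdallow grants remote chronyc access"))

    # Privilege drop (section 2.5)
    if "user" not in names:
        findings.append(Finding("info", "user",
                                "no user directive; root is kept unless -u or a "
                                "compiled-in default user applies"))
    return findings


# Constructed sample: the minimal client of section 2.1 with risky additions.
WEAK_CONF = """\
pool pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1 3
rtcsync
allow
bindcmdaddress 0.0.0.0
cmdallow 192.0.2.0/24
"""

# Constructed sample: the same client with the directives from section 2.5.
HARDENED_CONF = """\
pool pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1 3
rtcsync
port 0
cmdport 0
user chrony
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for f in audit_chrony_conf(conf):
            print(f"  [{f.severity}] {f.directive}: {f.message}")
```
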
2.6. How can I improve the accuracy of the system clock with NTP sources?

Select NTP servers that are well synchronised, stable and close to your
network. It's better to use more than one server, three or four is usually
recommended as the minimum, so chronyd can detect servers that serve false time
and combine measurements from multiple sources.

If you have a network card with hardware timestamping supported on Linux, it
can be enabled by the hwtimestamp directive in the chrony.conf file. It should
make local receive and transmit timestamps of NTP packets much more accurate.

There are also useful options which can be set in the server directive:
minpoll, maxpoll, polltarget, maxdelay, maxdelayratio, maxdelaydevratio,
and xleave.

The first three options set the minimum and maximum allowed polling interval,
and how the actual interval should be adjusted within the specified range.
Their default values are 6 (64 seconds) for minpoll, 10 (1024 seconds) for
maxpoll and 8 (samples) for polltarget. The default values should be used for
general servers on the Internet. With your own NTP servers, or if you have
permission to poll some servers more frequently, setting these options for
shorter polling intervals may significantly improve the accuracy of the system
clock.

The optimal polling interval depends mainly on two factors, stability of the
network latency and stability of the system clock (which mainly depends on the
temperature sensitivity of the crystal oscillator and the maximum rate of the
temperature change).

Generally, if the sourcestats command usually reports a small number of samples
retained for a source (e.g. fewer than 16), a shorter polling interval should
be considered. If the number of samples is usually at the maximum of 64, a
longer polling interval may work better.

An example of the directive for an NTP server on the Internet that you are
allowed to poll frequently could be:

    server foo.example.net minpoll 4 maxpoll 6 polltarget 16

An example using shorter polling intervals with a server located in the same
LAN could be:

    server ntp.local minpoll 2 maxpoll 4 polltarget 30

The maxdelay options are useful to ignore measurements with an unusually large
delay (e.g. due to congestion in the network) and improve the stability of the
synchronisation. The maxdelaydevratio option could be added to the example with
the local NTP server:

    server ntp.local minpoll 2 maxpoll 4 polltarget 30 maxdelaydevratio 2

If your server supports the interleaved mode (e.g. it is running chronyd), the
xleave option should be added to the server directive in order to allow the
server to send the client more accurate transmit timestamps (kernel or
preferably hardware). For example:

    server ntp.local minpoll 2 maxpoll 4 xleave

When combined with local hardware timestamping, good network switches, and even
shorter polling intervals, a sub-microsecond accuracy and stability of a few
tens of nanoseconds may be possible. For example:

    server ntp.local minpoll 0 maxpoll 0 xleave
    hwtimestamp eth0

For best stability, the CPU should be running at a constant frequency (i.e.
with power saving and performance boosting disabled). Energy-Efficient Ethernet
(EEE) should be disabled in the network. The switches should be configured to
prioritize NTP packets, especially if the network is expected to be heavily
loaded.

If it is acceptable for NTP clients in the network to send requests at an
excessive rate, a sub-second polling interval may be specified. A median filter
can be enabled in order to update the clock at a reduced rate with more stable
measurements. For example:

    server ntp.local minpoll -6 maxpoll -6 filter 15 xleave
    hwtimestamp eth0 minpoll -6

2.7. Does chronyd have an ntpdate mode?

Yes. With the -q option chronyd will set the system clock once and exit. With
the -Q option it will print the measured offset without setting the clock. If
you don't want to use a configuration file, NTP servers can be specified on the
command line. For example:

    # chronyd -q 'pool pool.ntp.org iburst'

2.8. Can chronyd be configured to control the clock like ntpd?

It is not possible to perfectly emulate ntpd, but there are some options that
can configure chronyd to behave more like ntpd.

In the following example the minsamples directive slows down the response to
changes in the frequency and offset of the clock. The maxslewrate and
corrtimeratio directives reduce the maximum frequency error due to an offset
correction and the maxdrift directive reduces the maximum assumed frequency
error of the clock. The makestep directive enables a step threshold and the
maxchange directive enables a panic threshold. The maxclockerror directive
increases the minimum dispersion rate.

    minsamples 32
    maxslewrate 500
    corrtimeratio 100
    maxdrift 500
    makestep 0.128 -1
    maxchange 1000 1 1
    maxclockerror 15

Note that increasing minsamples may cause the offsets in the tracking and
sourcestats reports/logs to be significantly smaller than the actual offsets
and be unsuitable for monitoring.

2.9. What happened to the commandkey and generatecommandkey directives?

They were removed in version 2.2. Authentication is no longer supported in the
command protocol. Commands that required authentication are now allowed only
through a Unix domain socket, which is accessible only by the root and chrony
users. If you need to configure chronyd remotely or locally without the root
password, please consider using ssh and/or sudo to run chronyc under the root
or chrony user on the host where chronyd is running.

3. Computer is not synchronising

This is the most common problem. There are a number of possible reasons; see
the following questions.

3.1. Behind a firewall?

Check the Reach value printed by chronyc's sources command. If it's zero,
it means chronyd did not get any valid responses from the NTP server you are
trying to use. If there is a firewall between you and the server, the packets
may be blocked. Try using a tool like wireshark or tcpdump to see if you're
getting any responses from the server.

When chronyd is receiving responses from the servers, the output of the sources
command issued a few minutes after chronyd starts might look like this:

    210 Number of sources = 3
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* foo.example.net               2   6   377    34   +484us[ -157us] +/-   30ms
    ^- bar.example.net               2   6   377    34    +33ms[  +32ms] +/-   47ms
    ^+ baz.example.net               3   6   377    35  -1397us[-2033us] +/-   60ms

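The Reach check from section 3.1 can be automated for monitoring. The following is an added example, not part of chrony or of the original FAQ; it relies on Reach being the 8-bit reachability register printed in octal (377 means the last eight polls were all answered), and the last two sample lines and all function names are constructed here.

```python
import re
from typing import Dict, List, Optional

# Mode (^ server, = peer, # reference clock), state character, then the columns
# Name, Stratum, Poll, Reach and LastRx of the `chronyc sources` report.
SOURCE_LINE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+(?P<stratum>\d+)"
    r"\s+(?P<poll>-?\d+)\s+(?P<reach>[0-7]{1,3})\s+(?P<lastrx>\S+)"
)


def parse_sources(output: str) -> List[Dict]:
    """Parse the source lines, skipping the header and separator lines."""
    sources = []
    for line in output.splitlines():
        m = SOURCE_LINE.match(line.strip())
        if not m:
            continue
        reach = int(m["reach"], 8)          # the register is printed in octal
        sources.append({
            "name": m["name"],
            "mode": m["mode"],
            "state": m["state"],
            "stratum": int(m["stratum"]),
            "poll": int(m["poll"]),
            "reach": reach,
            # Number of set bits = valid responses recorded in the register.
            # Shortly after start it is low simply because few polls were sent.
            "answered": bin(reach).count("1"),
            "lastrx": m["lastrx"],
        })
    return sources


def unreachable(sources: List[Dict]) -> List[str]:
    """Names of sources with Reach 0: no valid response was received."""
    return [s["name"] for s in sources if s["reach"] == 0]


def selected(sources: List[Dict]) -> Optional[str]:
    """Name of the source marked '*' (currently selected), if any."""
    for s in sources:
        if s["state"] == "*":
            return s["name"]
    return None


# The sample from section 3.1 plus two constructed lines (qux, quux).
SAMPLE_OUTPUT = """\
210 Number of sources = 5
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* foo.example.net               2   6   377    34   +484us[ -157us] +/-   30ms
^- bar.example.net               2   6   377    34    +33ms[  +32ms] +/-   47ms
^+ baz.example.net               3   6   377    35  -1397us[-2033us] +/-   60ms
^? qux.example.net               0   6     0     -     +0ns[   +0ns] +/-    0ns
^+ quux.example.net              2   6    17    40   +210us[ +180us] +/-   52ms
"""

if __name__ == "__main__":
    parsed = parse_sources(SAMPLE_OUTPUT)
    for s in parsed:
        print(f"{s['name']:<20} reach={s['reach']:03o} answered={s['answered']}")
    print("selected:", selected(parsed))
    print("no valid responses (check firewall):", unreachable(parsed))
```
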
3.2. Are NTP servers specified with the offline option?

Check that you're using chronyc's online and offline commands appropriately.
The activity command prints the number of sources that are currently online and
offline. For example:

    200 OK
    3 sources online
    0 sources offline
    0 sources doing burst (return to online)
    0 sources doing burst (return to offline)
    0 sources with unknown address

3.3. Is chronyd allowed to step the system clock?

By default, chronyd adjusts the clock gradually by slowing it down or speeding
it up. If the clock is too far from the true time, it will take a long time to
correct the error. The System time value printed by chronyc's tracking
command is the remaining correction that needs to be applied to the system
clock.

The makestep directive can be used to allow chronyd to step the clock. For
example, if chrony.conf had

    makestep 1 3

the clock would be stepped in the first three updates if its offset was larger
than one second. Normally, it's recommended to allow the step only in the first
few updates, but in some cases (e.g. a computer without an RTC or a virtual
machine which can be suspended and resumed with an incorrect time) it may be
necessary to allow the step on any clock update. The example above would change
to

    makestep 1 -1

3.4. Using a Windows NTP server?

A common issue with Windows NTP servers is that they report a very large root
dispersion (e.g. three seconds or more), which causes chronyd to ignore the
server for being too inaccurate. The sources command may show a valid
measurement, but the server is not selected for synchronisation. You can check
the root dispersion of the server with chronyc's ntpdata command.

The maxdistance value needs to be increased in chrony.conf to enable
synchronisation to such a server. For example:

    maxdistance 16.0

3.5. Using a PPS reference clock?

A pulse-per-second (PPS) reference clock requires a non-PPS time source to
determine which second of UTC corresponds to each pulse. If it is another
reference clock specified with the lock option in the refclock directive, the
offset between the two reference clocks must be smaller than 0.2 seconds in
order for the PPS reference clock to work. With NMEA reference clocks it is
common to have a larger offset. It needs to be corrected with the offset
option.

One way to find a good value for the offset option is to configure the
reference clocks with the noselect option and compare them to an NTP server.
For example, if the sourcestats command showed

    Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
    ==============================================================================
    PPS0                        0   0     0     +0.000   2000.000     +0ns  4000ms
    NMEA                       58  30   231    -96.494     38.406   +504ms  6080us
    foo.example.net             7   3   200     -2.991     16.141   -107us   492us

the offset of the NMEA source would need to be increased by about 0.504
seconds. It does not have to be very accurate. As long as the offset of the
NMEA reference clock stays below 0.2 seconds, the PPS reference clock should be
able to determine the seconds corresponding to the pulses and allow the samples
to be used for synchronisation.

4. Issues with chronyc

4.1. I keep getting the error 506 Cannot talk to daemon

When accessing chronyd remotely, make sure that the chrony.conf file (on the
computer where chronyd is running) has a cmdallow entry for the computer you
are running chronyc on and an appropriate bindcmdaddress directive. This isn't
necessary for localhost.

Perhaps chronyd is not running. Try using the ps command (e.g. on Linux,
ps -auxw) to see if it's running. Or try netstat -a and see if the ports
123/udp and 323/udp are listening. If chronyd is not running, you may have a
problem with the way you are trying to start it (e.g. at boot time).

Perhaps you have a firewall set up in a way that blocks packets on port
323/udp. You need to amend the firewall configuration in this case.

4.2. I keep getting the error 501 Not authorised

Since version 2.2, the password command doesn't do anything and chronyc needs
to run locally under the root or chrony user, which are allowed to access
chronyd's Unix domain command socket.

With older versions, you need to authenticate with the password command first
or use the -a option to authenticate automatically on start. The configuration
file needs to specify a file which contains keys (keyfile directive) and which
key in the key file should be used for chronyc authentication (commandkey
directive).

4.3. Why does chronyc tracking always print an IPv4 address as reference ID?

The reference ID is a 32-bit value and in versions before 3.0 it was printed in
quad-dotted notation, even if the reference source did not actually have an
IPv4 address. For IPv4 addresses, the reference ID is equal to the address, but
for IPv6 addresses it is the first 32 bits of the MD5 sum of the address. For
reference clocks, the reference ID is the value specified with the refid option
in the refclock directive.

Since version 3.0, the reference ID is printed as a hexadecimal number to avoid
confusion with IPv4 addresses.

If you need to get the IP address of the current reference source, use the -n
option to disable resolving of IP addresses and read the second field (printed
in parentheses) on the Reference ID line.

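The mapping described in section 4.3 can be reproduced to match a reference ID seen in old logs against the configured sources. The following is an added example, not part of chrony or of the original FAQ; the function names and addresses are constructed, and the zero-padding of a refclock refid shorter than four characters is an assumption.

```python
import hashlib
import ipaddress
from typing import Iterable, List


def refid_from_address(address: str) -> int:
    """Reference ID of an NTP source, derived from its IP address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return int(ip)                       # IPv4: the address itself
    # IPv6: first 32 bits of the MD5 sum of the 16-byte address. MD5 only
    # derives an identifier here; it is not used as a security function.
    digest = hashlib.md5(ip.packed).digest()
    return int.from_bytes(digest[:4], "big")


def refid_from_refclock(refid: str) -> int:
    """Reference ID of a reference clock from its refid option (ASCII).

    Assumption: values shorter than four characters are padded with zero bytes.
    """
    raw = refid.encode("ascii")
    if not 1 <= len(raw) <= 4:
        raise ValueError("refid must be one to four ASCII characters")
    return int.from_bytes(raw.ljust(4, b"\0"), "big")


def format_refid(refid: int, legacy: bool = False) -> str:
    """Print a reference ID as versions before 3.0 did (legacy) or as hex."""
    if legacy:
        return str(ipaddress.IPv4Address(refid))   # quad-dotted, even for IPv6
    return f"{refid:08X}"


def match_sources(refid: int, candidates: Iterable[str]) -> List[str]:
    """Return the configured source addresses whose reference ID equals refid."""
    return [c for c in candidates if refid_from_address(c) == refid]


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    configured = ["192.0.2.1", "2001:db8::1", "2001:db8::2"]
    for addr in configured:
        rid = refid_from_address(addr)
        print(f"{addr:<14} hex={format_refid(rid)} legacy={format_refid(rid, True)}")
    seen = refid_from_address("2001:db8::1")
    print("reference ID", format_refid(seen), "belongs to", match_sources(seen, configured))
```

The legacy column shows why an IPv6 source appeared as an unrelated IPv4 address in versions before 3.0.
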
4.4. Is the chronyc / chronyd protocol documented anywhere?

Only by the source code. See cmdmon.c (chronyd side) and client.c (chronyc
side).

5. Real-time clock issues

5.1. What is the real-time clock (RTC)?

This is the clock which keeps the time even when your computer is turned off.
It is used to initialise the system clock on boot. It normally doesn't drift
more than a few seconds per day.

There are two ways chronyd can work with it. One is to use the
rtcsync directive, which tells chronyd to enable a kernel mode which sets the
RTC from the system clock every 11 minutes. chronyd itself won't touch the RTC.
If the computer is not turned off for a long time, the RTC should still be
close to the true time when the system clock is initialised from it on the
next boot.

The other option is to use the rtcfile directive, which tells chronyd to
monitor the rate at which the RTC gains or loses time. When chronyd is started
with the -s option on the next boot, it will set the system time from the RTC
and also compensate for the drift it has measured previously. The rtcautotrim
directive can be used to keep the RTC close to the true time, but it's not
strictly necessary if its only purpose is to set the system clock when chronyd
is started on boot. See the documentation for details.

5.2. I want to use chronyd's RTC support. Must I disable hwclock?

The hwclock program is often set up by default in the boot and shutdown scripts
on many Linux installations. With the kernel RTC synchronisation (rtcsync
directive), the RTC will also be set every 11 minutes as long as the system
clock is synchronised. If you want to use chronyd's RTC monitoring (rtcfile
directive), it's important to disable hwclock in the shutdown procedure. If you
don't, it will overwrite the RTC with a new value, unknown to chronyd. At the
next reboot, chronyd started with the -s option will compensate this (wrong)
time with its estimate of how far the RTC has drifted whilst the power was off,
giving a meaningless initial system time.

There is no need to remove hwclock from the boot process, as long as chronyd is
started after it has run.

|
Packit |
96c956 |
5.3. I just keep getting the 513 RTC driver not running message
|
|
Packit |
96c956 |
|
|
Packit |
96c956 |
For the real-time clock support to work, you need the following three things
|
|
Packit |
96c956 |
|
|
Packit |
96c956 |
o an RTC in your computer
|
|
Packit |
96c956 |
|
|
Packit |
96c956 |
o a Linux kernel with enabled RTC support
|
|
Packit |
96c956 |
|
|
Packit |
96c956 |
o an rtcfile directive in your chrony.conf file

5.4. I get Could not open /dev/rtc, Device or resource busy in my syslog file

Some other program running on the system may be using the device.
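The prerequisites listed in 5.3 and the busy device from 5.4 can be checked
with a short script. This is an added example, not part of the chrony
documentation: the function names and the default paths (/etc/chrony.conf,
/dev/rtc, /sys/class/rtc) are assumptions, and the rtcfile/rtcsync conflict
check follows the chrony.conf documentation rather than this FAQ.

```shell
#!/bin/sh
# Added example (not chrony project code). Default paths are assumptions.
# Usage: rtc_prereqs [CONF [DEVICE [SYSFS_CLASS_DIR]]]; rtc_holders DEVICE

# Print which RTC directives a chrony.conf enables: rtcfile, rtcsync, both, none.
rtc_conf_mode() {
    f=0 s=0
    grep -Eiq '^[[:space:]]*rtcfile[[:space:]]+[^[:space:]]' "$1" 2>/dev/null && f=1
    grep -Eiq '^[[:space:]]*rtcsync([[:space:]]|$)' "$1" 2>/dev/null && s=1
    case "$f$s" in
        11) echo both ;;
        10) echo rtcfile ;;
        01) echo rtcsync ;;
        *)  echo none ;;
    esac
}

# Check the three prerequisites from 5.3. Prints one line per problem found
# and returns 0 only when all of them hold.
rtc_prereqs() {
    conf=${1:-/etc/chrony.conf} dev=${2:-/dev/rtc} class=${3:-/sys/class/rtc}
    rc=0
    [ -c "$dev" ] || { echo "rtc: $dev is not a character device"; rc=1; }
    [ -d "$class" ] || { echo "kernel: $class missing, RTC support not enabled"; rc=1; }
    case $(rtc_conf_mode "$conf") in
        rtcfile) ;;
        both) echo "config: rtcfile cannot be used together with rtcsync in $conf"; rc=1 ;;
        *)    echo "config: no rtcfile directive in $conf"; rc=1 ;;
    esac
    return $rc
}

# For the "Device or resource busy" case in 5.4: print the PIDs that have the
# device open, by resolving /proc/<pid>/fd links (run as root to see them all).
rtc_holders() {
    target=$(readlink -f "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -un
}
```

Source the file and call rtc_prereqs as root; on systems that keep chrony.conf
in another location, pass its path as the first argument.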

5.5. What if my computer does not have an RTC or backup battery?

In this case you can still use the -s option to set the system clock to the
last modification time of the drift file, which should correspond to the system
time when chronyd was previously stopped. The initial system time will be
increasing across reboots and applications started after chronyd will not
observe backward steps.

6. NTP-specific issues

6.1. Can chronyd be driven from broadcast/multicast NTP servers?

No, the broadcast/multicast client mode is not supported and there is currently
no plan to implement it. While the mode may be useful to simplify configuration
of clients in large networks, it is inherently less accurate and less secure
(even with authentication) than the ordinary client/server mode.

When configuring a large number of clients in a network, it is recommended to
use the pool directive with a DNS name which resolves to addresses of multiple
NTP servers. The clients will automatically replace the servers when they
become unreachable, or otherwise unsuitable for synchronisation, with new
servers from the pool.

Even with very modest hardware, an NTP server can serve time to hundreds of
thousands of clients using the ordinary client/server mode.

6.2. Can chronyd transmit broadcast NTP packets?

Yes, the broadcast directive can be used to enable the broadcast server mode to
serve time to clients in the network which support the broadcast client mode
(it's not supported in chronyd, see the previous question).

6.3. Can chronyd keep the system clock a fixed offset away from real time?

Yes. Starting from version 3.0, an offset can be specified by the offset option
for all time sources in the chrony.conf file.

6.4. What happens if the network connection is dropped without using chronyc's
offline command first?

chronyd will keep trying to access the sources that it thinks are online, and
it will take longer before new measurements are actually made and the clock is
corrected when the network is connected again. If the sources were set to
offline, chronyd would make new measurements immediately after issuing the
online command.

Unless the network connection lasts only a few minutes (less than the maximum
polling interval), the delay is usually not a problem, and it may be acceptable
to keep all sources online all the time.

7. Operating systems

7.1. Does chrony support Windows?

No. The chronyc program (the command-line client used for configuring chronyd
while it is running) has been successfully built and run under Cygwin in the
past. chronyd is not portable, because part of it is very system-dependent. It
needs adapting to work with Windows' equivalent of the adjtimex() call, and it
needs to be made to work as a service.

7.2. Are there any plans to support Windows?

We have no plans to do this. Anyone is welcome to pick this work up and
contribute it back to the project.

Last updated 2019-05-10 12:22:57 CEST