NTP: Setting up an NTP server
Setting up an NTP server
chrony is the default service on newer OS releases (Red Hat 7.2 and later, any recent Ubuntu release).
chrony has several advantages over ntpd:
- Quicker synchronisation.
- Better response to changes in clock frequency (very useful for VMs).
- Periodic polling of time servers isn’t required.
It lacks some features like broadcast, multicast, and Autokey packet authentication. When this is required, or for systems that are going to be switched on continuously ntpd is a better choice.
A more comprehensive comparison list is available here:
https://chrony.tuxfamily.org/comparison.html
Locate a pool or set as close as possible to you from any public ntp servers.
Setting a chrony NTP server
chrony is installed by default on many distros. If you don’t already have it, install it.
Edit the configuration file.
# vi /etc/chrony.conf
Make the following changes.
# Edit the time sources of your choice
# iburts helps making initial sync faster
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
# Helps stabilising initial sync on restarts
driftfile /var/lib/chrony/drift
# Allows serving time even if above sources aren't available
local stratum 8
# Opens the NTP port to respond to client's requests
# Edit it with your client's subnet
allow 192.168.1.0/24
# Enables support for the settime command in chronyc
manual
Start and enable the service.
# systemctl start chronyd
# systemctl enable chronyd
Check the firewall configuration in the last section.
Chrony client configuration
server [IP/HOSTNAME OF ABOVE SERVER] iburst
driftfile /var/lib/chrony/drift
logdir /var/log/chrony
log measurements statistics tracking
Checking chrony
[Check if the service is running]
$ systemctl status chrony
[Display the system's clock performance]
$ chronyc tracking
[Display time sources]
$ chronyc sources
More information on chrony:
https://chrony.tuxfamily.org/faq.html
Setting an ntpd NTP server
Install ntpd for your distro if not already present.
# yum install ntp
# dnf install ntp
# apt install ntp
Syncing to the server’s own system clock
If the system is going to be isolated, with no internet connection, or any other time source available you can use its internal clock.
Edit /etc/ntp.conf.
# To point ntpd to sync with its own system clock
server 127.127.1.0 prefer
fudge 127.127.1.0
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
This will work in a network “island”, but it won’t be a correct time. It is best to sync from other time sources (next section).
Syncing to other NTP servers
# Edit the time sources of your choice
# iburts helps making initial sync faster
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
# Insert your own subnet address
# nomodify - Disallows clients from configuring the server
# notrap - Clients can't be used as peers for time sync
restrict 192.168.1.0 netmask 255.255.255.0 nomodify notrap
# Indicates where to keep logs
logfile /var/log/ntp.log
Start, enable and check ntpd status:
# systemctl start ntpd
# systemctl enable ntpd
# systemctl status ntpd
Remember that you will need to open your firewall to allow NTP queries. There are some instructions further down.
ntpd client configuration
server [IP/HOSTNAME OF ABOVE SERVER] iburst
driftfile /var/lib/ntp/drift
Checking ntpd
$ ntpq -p
$ date -R
More information on ntpd:
Firewall
Remember that you might need to open your firewall for clients to connect to your server.
[Red Hat / CentOS]
# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload
[Ubuntu]
# ufw allow ntp
or
# ufw allow 123/udp
You might want to also modify the rule to limit access only to certain subnets or clients.
You can add lines to chrony and ntpd configurations to allow IPv6 traffic. You would need to add also additional firewall rules. IPv4 shown here for simplicity (and also because I don’t have the requirement). 🙂