The chronyd service is the default service to synchronise time on RHEL 7.
The Lab
We have two RHEL 7.0 servers available in our lab:
- srv1.rhce.local (10.8.8.71)
- srv2.rhce.local (10.8.8.72)
We are going to configure both servers srv1 and srv2 to synchronise time with our central NTP server ipa.rhce.local as well as use peer synchronisation as a backup.
SELinux is set to enforcing mode.
Chronyd Configuration
Install package on both servers srv1 and srv2:
[ALL]# yum install -y chrony
On the server srv1, open /etc/chrony.conf
and add the following lines; the first one points to our NTP server, in our case ipa.rhce.local:
server ipa.rhce.local iburst
peer srv2.rhce.local
local stratum 10
The server should use peer synchronisation with the server srv2 as a backup.
The last line lets the server fall back on its local hardware clock if no external time source can be reached. Declaring the local clock as stratum 10 makes chrony use it only when no time servers are available. This is useful because it means we can disconnect our server from the Internet without losing a usable clock.
Do the same on the server srv2, but replace the peer address with the server srv1.
Enable and start the chronyd service on both servers:
[ALL]# systemctl enable chronyd && systemctl start chronyd
Ensure that NTP-based network time synchronisation is enabled:
[ALL]# timedatectl set-ntp true
Verify:
[srv1]# chronyc sources
210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ipa.rhce.local                3   6    17     3   +252us[ +335us] +/- 1523ms
=? srv2.rhce.local               0   6     0   10y     +0ns[   +0ns] +/-    0ns
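An added check, not part of the original post, that parses the output of chronyc sources in the format shown above and flags any source that is unreachable ("?"), a falseticker ("x"), too variable ("~") or has never been reached (Reach 0). The sample output embedded below is constructed to match that format; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `chronyc sources` output (not captured from the lab servers).
SAMPLE_SOURCES='210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ipa.rhce.local                3   6    17     3   +252us[ +335us] +/- 1523ms
=? srv2.rhce.local               0   6     0   10y     +0ns[   +0ns] +/-    0ns'

# Constructed sample where no source has been selected for synchronisation.
SAMPLE_NO_SYNC='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? ipa.rhce.local                0   6     0     -     +0ns[   +0ns] +/-    0ns'

# chrony_unhealthy_sources TEXT
# Prints one line per source that cannot currently be trusted:
#   "<mode> <state> <name> reach=<reach>"
# Column M: ^ server, = peer, # local reference clock.
# Column S: * selected, + combined, - excluded, ? unreachable/invalid,
#           x falseticker, ~ too variable.
chrony_unhealthy_sources() {
    printf '%s\n' "$1" | awk '
        /^[=#^][*+?x~-]/ {
            mode  = substr($1, 1, 1)
            state = substr($1, 2, 1)
            name  = $2
            reach = $5
            if (state == "?" || state == "x" || state == "~" || reach == "0")
                printf "%s %s %s reach=%s\n", mode, state, name, reach
        }'
}

# chrony_has_selected_source TEXT
# Succeeds (exit 0) only if some source is marked "*", i.e. the host is
# actually synchronised to it. Useful as a Kerberos readiness check.
chrony_has_selected_source() {
    printf '%s\n' "$1" | grep -q '^[=#^]\*'
}

# Run against the constructed sample: reports the peer srv2 as unhealthy.
chrony_unhealthy_sources "$SAMPLE_SOURCES"
```

On a live host replace the sample text with "$(chronyc sources)" and treat a non-empty report, or a failing chrony_has_selected_source, as something to alert on before relying on Kerberos.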
Is it correct that peer (srv2.rhce.local) is shown as “?” (connection lost) ?
Yea, that seems to be correct. I likely copied the output before making firewall changes.
I suppose that you also need to add the ntp service and port 323/udp to the firewall on the peer servers to avoid an unreachable status on peer addresses.
Also add the entry below to /etc/chrony.conf (where 192.168.19.0/24 is my network):
allow 192.168.19.0/24
Thanks, you may be right.
Good day Tomas!!
I have a question about ntp and chrony. As we know, we should use one of them on the server, ntp or chrony. When I disable ntp, ipa-client-install is not working with ntp disabled. What should we do in the exam?
I guess you should enable ntp then. You will need it for Kerberos anyway.
Thanks Tomas,
So your suggestion is that after running ipa-client-install we can disable ntp and use chrony. Will Kerberos security work correctly when ntp is disabled?
No, I was saying that there is no benefit in disabling ntp because you will need it for Kerberos, therefore I would keep it enabled. If you prefer chrony over ntp then use chrony. They both work.
Kerberos will not work if there is time skew.
Hi,
Sander Van Vugt in his book is saying the same as you, but in his RHCSE he is saying that to properly configure the NTP peers to middle the time, you have to do it like this:
sr1
server ipa.rhce.local iburst
peer srv1.rhce.local
peer srv2.rhce.local
sr2
server ipa.rhce.local iburst
peer srv1.rhce.local
peer srv2.rhce.local
by any chance do you know what is the proper way?
Your example suggests that you have to peer with yourself? What’s the reason behind it?
The ntp service is already enabled on srv1 and srv2.
RHEL 7 comes with chronyd, but you still need to configure the service for peering.
If you’ve already enabled chronyd via systemctl, why then/further run timedatectl set-ntp?
Doesn’t this just run the risk of having chronyd and ntpd both running, as “dueling time clients”?
To enable a time client via BOTH chronyd.service AND whatever timedatectl set-ntp initiates seems, at best, redundant/unnecessary, and, at worst, possibly inductive of inconsistent or breaking system behavior. What is the reasoning behind doing so?
Belt and braces.