Setting up Time Synchronisation with Chrony on RHEL 7

The chronyd service is the default service to synchronise time on RHEL 7.

The Lab

We have two RHEL 7.0 servers available in our lab:

  1. srv1.rhce.local (10.8.8.71)
  2. srv2.rhce.local (10.8.8.72)

We are going to configure both servers srv1 and srv2 to synchronise time with our central NTP server ipa.rhce.local as well as use peer synchronisation as a backup.

SELinux is set to enforcing mode.

Chronyd Configuration

Install the chrony package on both servers srv1 and srv2:

[ALL]# yum install -y chrony

On the server srv1, open /etc/chrony.conf and add the following lines. The first points to an NTP server, in our case ipa.rhce.local:

server ipa.rhce.local iburst
peer srv2.rhce.local
local stratum 10

The peer line makes the server use peer synchronisation with the server srv2 as a backup.

The last line enables the server to fall back on the internal local hardware clock if external servers cannot be reached. Using the local directive to declare the local clock as stratum 10 makes chrony use the local clock when no time servers are available. This is useful because it means we can disconnect the server from the Internet without the clock drifting out of control.

Do the same on the server srv2, but replace the peer address with the server srv1.

Enable and start the chronyd service on both servers:

[ALL]# systemctl enable chronyd && systemctl start chronyd

Ensure that NTP-based network time synchronisation is enabled:

[ALL]# timedatectl set-ntp true

Verify:

[srv1]# chronyc sources
210 Number of sources = 2
MS Name/IP address    Stratum Poll Reach LastRx Last sample
==========================================================================
^* ipa.rhce.local           3   6    17     3   +252us[ +335us] +/- 1523ms
=? srv2.rhce.local          0   6     0   10y     +0ns[   +0ns] +/-    0ns
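
An added example, not part of the original post: a shell function that reads `chronyc sources` output and flags the condition visible above, where ipa.rhce.local is selected (`*`) but the peer srv2 is in state `?` with Reach 0. The function names, status labels and exit codes are assumptions of this sketch; the embedded sample is the output shown above.

```shell
#!/bin/sh
# Constructed sample: the `chronyc sources` output shown in this post.
sample_sources() {
cat <<'EOF'
210 Number of sources = 2
MS Name/IP address    Stratum Poll Reach LastRx Last sample
==========================================================================
^* ipa.rhce.local           3   6    17     3   +252us[ +335us] +/- 1523ms
=? srv2.rhce.local          0   6     0   10y     +0ns[   +0ns] +/-    0ns
EOF
}

# check_sources (hypothetical helper): reads `chronyc sources` output on stdin
# and prints one status line per source.
# Exit codes (chosen for this example): 0 = a source is selected and all are
# usable, 1 = selected but some source is unusable, 2 = nothing selected.
check_sources() {
    awk '
    # Source rows start with a mode character (^ server, = peer, # refclock)
    # followed by a state character (* selected, + combined, - not combined,
    # ? unreachable, x falseticker, ~ too variable).
    /^[=#^][*+?x~-] / {
        mode = substr($1, 1, 1); state = substr($1, 2, 1)
        name = $2; reach = $5
        kind = (mode == "^") ? "server" : ((mode == "=") ? "peer" : "refclock")
        if (state == "*") { selected++; status = "SELECTED" }
        # Reach is an octal register of recent polls; 0 means no valid replies.
        else if (state == "?" || reach == "0") { bad++; status = "UNREACHABLE" }
        else if (state == "x" || state == "~") { bad++; status = "REJECTED" }
        else status = "OK"
        printf "%-12s %-8s %s (reach=%s)\n", status, kind, name, reach
    }
    END {
        if (!selected) { print "FAIL: no source selected"; exit 2 }
        if (bad) { print "WARN: " bad " source(s) not usable"; exit 1 }
        print "PASS"
    }'
}

# Live use on srv1 or srv2: chronyc sources | check_sources
```

On the sample above the function reports ipa.rhce.local as SELECTED, srv2.rhce.local as UNREACHABLE, and returns 1, which makes it usable as a cron or monitoring check.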

15 thoughts on “Setting up Time Synchronisation with Chrony on RHEL 7”

  1. I suppose you also need to add the ntp service and port 323/udp to the firewall on the peer servers to avoid the unreachable status on peer addresses.

  2. Good day Tomas!!

    I have a question about ntp and chrony. As we know, we should use one of them on a server, ntp or chrony. When I disable ntp, ipa-client-install does not work with ntp disabled. What should we do in the exam?

  3. Thanks Tomas,
    So your suggestion is that after installing ipa-client-install we can disable ntp and use chrony. Will Kerberos security work correctly when ntp is disabled?

    • No, I was saying that there is no benefit in disabling ntp because you will need it for Kerberos, therefore I would keep it enabled. If you prefer chrony over ntp then use chrony. They both work.

      Kerberos will not work if there is time skew.

  4. Hi,
    Sander Van Vugt in his book is saying the same as you, but in his RHCSE he is saying that to properly configure the NTP peers to middle the time, you have to do it:
    sr1
    server ipa.rhce.local iburst
    peer srv1.rhce.local
    peer srv2.rhce.local

    sr2
    server ipa.rhce.local iburst
    peer srv1.rhce.local
    peer srv2.rhce.local

    by any chance do you know what is the proper way?

  5. If you’ve already enabled chronyd via systemctl, why then/further run timedatectl set-ntp?

    Doesn’t this just run the risk of having chronyd and ntpd both running, as “dueling time clients”?

    To enable a time client via BOTH chronyd.service AND whatever timedatectl set-ntp initiates seems, at best, redundant/unnecessary, and, at worst, possibly inductive of inconsistent or breaking system behavior. What is the reasoning behind doing so?
