homersssearchOctober 18, 2018

Chrony Network Time Server


a FreeBSD install of chronyd (ntp)

Chrony is an accurate network time daemon and an alternate implementation of the Network Time Protocol (NTP) compared to ntp.org's NTPd, Ntimed, OpenNTPd and systemd-timesyncd. Chrony can be used to sync with NTP servers, reference clocks (e.g. GPS receiver), and even input by hand for an air-gapped network. The daemon will operate as an NTPv4 (RFC 5905) server and peer providing time service to other computers in the network.

Chrony's typical accuracy when synced over the Internet is normally within a few milliseconds. When Chrony is synced between two(2) machines on a LAN the accuracy is a few hundred microseconds, but when Chrony is paired with a GPS receiver, sub-microsecond accuracy is possible. Chrony's accuracy is significantly better than both NTPd and OpenNTPd.

Chrony has quite a few advantages over the other NTP implementations, check the chrony ntp comparison page for more details.

Methodology

FreeBSD 11 supports Chrony v3.1 which allows privilege separation. We will install Chrony from the FreeBSD package system and configure the daemon to run as the unprivileged user, "chronyd" which is a user available on the default FreeBSD 11 install.

The Chrony daemon running as the "chronyd" user will be configured to be a Network Time Protocol (NTP) server on the local LAN to provide millisecond accuracy to its local clock as well as to the hundreds of clients in the cluster.

Install the Chrony package

pkg install chrony libedit

NOTE: after the package install you may see a warning about insecurities in the Chrony package. This is an older warning from a previous Chrony package which we can safely ignore because we are going to configure Chrony to run as a completely unprivileged user. FreeBSD should really remove this unnecessary alarmist text. Also, if you recieve the error, Shared object "libedit.so.0" not found, required by "chronyc" make sure libedit is installed.

Configuration file: chrony.conf

The chrony configuration file defines the Network Time Protocol (NTP) servers our machine will sync to as well as general daemon options. Our example configuration lists out all stratum one(1) public NTP servers for the highest possible accuracy. Create the configuration file in "/usr/local/etc/chrony.conf" and take a look at the file comments for details. All paths are correct for our FreeBSD install.

root@calomel#  vi /usr/local/etc/chrony.conf

# Chrony for FreeBSD, /usr/local/etc/chrony.conf
# https://calomel.org/chrony_network_time.html

# Stratum 1 NTP servers, define at least five(5) and check "chronyc sources"
# for accuracy. Chrony can combine multiple time sources for higher accuracy.
# The following NTP servers are in the United States. 

server bonehed.lcs.mit.edu
server clock.nyc.he.net
server gnomon.cc.columbia.edu
server level1e.cs.unc.edu
server navobs1.gatech.edu
server ntp.mrow.org
server ntp.quintex.com
server ntp.your.org
server ntp1.conectiv.com
server ntp2.netwrx1.com
server ntp3.indypl.org
server otc1.psu.edu
server time-b.nist.gov
server time.google.com
server time.twc.weather.com
server time.xmission.com
server tock.usshc.com
server utcnist.colorado.edu

#pool 0.north-america.pool.ntp.org iburst
#pool 1.north-america.pool.ntp.org iburst

# ip address to listen on
#bindaddress 127.0.0.1
#bindaddress 10.10.10.100
#bindaddress 192.168.10.100
#bindaddress fddd:0:0:10::100

# unprivileged user when root privileges are dropped
user chronyd

# pid file
pidfile /var/run/chronyd.pid

# drift file and dump directory to record system clock gains and losses
driftfile /var/db/chrony/drift
dumponexit
dumpdir /var/db/chrony

# ignore stratum in source selection because any clock can go bad
stratumweight 0

# while chronyd is running, step the local clock if the time is off by more
# than one(1) second for no more then three(3) iterations
makestep 1.0 3

# allow NTP clients on the LAN to sync from the following networks
allow 10/8
allow 192.168/24
allow fddd::/48

# serve time even if not synchronized to any NTP servers (local mode)
#local stratum 10

# command port 323 disabled
cmdport 0

# log clock adjustments larger than 0.5 seconds
logchange 0.5

# logs for debugging
#logdir /var/log/chrony
#log measurements statistics tracking rtc

#
## EOF

Permission changes for the "chronyd" user

Since we are running the chrony daemon as the "chronyd" daemon and not root, we need to change the permissions on some of the daemon directories so chrony can update its database and cache directories.

The following lines will change the permissions of the chrony database and /var/run directory.

root@calomel#  mkdir /var/run/chrony /var/db/chrony
root@calomel#  chmod 750 /var/run/chrony /var/db/chrony 
root@calomel#  chown chronyd:chronyd /var/run/chrony /var/db/chrony

Start chronyd at server boot

At reboot we require chronyd to start and begin setting the system time. Add chronyd_enable="YES" to /etc/rc.conf to allow FreeBSD to execute the rc.d start script at system boot.

root@calomel#  vi /etc/rc.conf

chronyd_enable="YES"

Start and stop the chronyd daemon

The Chronyd daemon can be manually started and stopped using the rc.d script we created. Just for reference, here are the exact commands.

root@calomel#  service chronyd start

root@calomel#  service chronyd stop

Chrony setup complete

The configuration is complete. Take a look in the questions section below if you are interested in monitoring chrony in real time.

Questions?

How can I monitor Chrony ?

A simple while loop will query the crony service every 10 seconds.

while true; do clear; chronyc sources -v; echo "" ;chronyc sourcestats -v ; echo ""; chronyc tracking; sleep 10; done

What does the monitor output look like ?

The monitor line above will print the statistics of the time servers once every 10 seconds. This is the output on our time server after chrony had been running for over an hour. Notice the line "System time" towards the bottom of the output which confirms Chrony is able keep time to at least millisecond accuracy.

210 Number of sources = 23

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- caspak.cerias.purdue.edu      1   6   377    19  -1893us[-1899us] +/-   21ms
^- clock.isc.org                 1   6   277    18  +4818us[+4812us] +/-   41ms
^* clock.nyc.he.net              1   6   377    17   -856us[ -862us] +/- 5974us
^+ gnomon.cc.columbia.edu        1   6   377    18   -265us[ -271us] +/- 6842us
^- gps1.tns.its.psu.edu          1   6   377    18  -7466us[-7472us] +/-   17ms
^- india.colorado.edu            1   6   337    22  +2402us[+2690us] +/-   29ms
^+ level1f.cs.unc.edu            1   6   377    20  +1191us[+1185us] +/-   15ms
^- montpelier.ilan.caltech.e     1   6   377    20  -2549us[-2261us] +/-   34ms
^+ navobs1.gatech.edu            1   6   377    16  -1105us[-1105us] +/-   12ms
^+ navobs1.oar.net               1   6   377    17  -3669us[-3675us] +/-   16ms
^- navobs1.wustl.edu             1   6   377    18  -1269us[-1275us] +/-   17ms
^- ntp-s1.cise.ufl.edu           1   6   377    16  +4082us[+4082us] +/-   28ms
^+ ntp.colby.edu                 1   6   377    22   +240us[ +528us] +/-   11ms
^- ntp.okstate.edu               1   6   377    19  +2433us[+2427us] +/-   24ms
^+ ntp1.conectiv.com             1   6   377    17    +79us[  +79us] +/- 6099us
^+ ntp1.nss.udel.edu             1   6   377    16  +1175us[+1175us] +/- 7727us
^- ntp1.versadns.com             1   6   373    22   -606us[ -318us] +/-   21ms
^+ rackety.udel.edu              1   6   377    19  +1721us[+1715us] +/- 8590us
^- tick.ucla.edu                 1   6   377    21   -711us[ -423us] +/-   34ms
^- tick.uh.edu                   1   6   377    21    +83us[ +371us] +/-   23ms
^+ tick.usno.navy.mil            1   6   377    20   -566us[ -278us] +/- 7145us
^- time.keneli.org               1   6   377    17  +2545us[+2539us] +/-   13ms
^- usno.labs.hp.com              1   6   373    20    -98ms[  -98ms] +/-  132ms

210 Number of sources = 23
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
caspak.cerias.purdue.edu   11   8   649     +0.033      3.917  -2121us   520us
clock.isc.org              10   7   649     +4.692      5.397  +4888us   762us
clock.nyc.he.net           11   6   649     -0.487      2.715   -597us   327us
gnomon.cc.columbia.edu     11   7   649     +1.102      3.392   -785us   444us
gps1.tns.its.psu.edu       11   8   649     +0.765      3.708  -7469us   552us
india.colorado.edu         10   7   647     +0.861      1.238  +2257us   158us
level1f.cs.unc.edu         11   6   648     -0.250      2.537  +1286us   351us
montpelier.ilan.caltech.e  11   5   650     -0.080      3.280  -2382us   478us
navobs1.gatech.edu         11   6   649     -1.681      6.647  +3569ns   820us
navobs1.oar.net            11   5   650     +0.256      3.361  -3222us   437us
navobs1.wustl.edu           7   4   389     +1.050      5.447   -917us   226us
ntp-s1.cise.ufl.edu         9   5   519     +0.340      2.796  +4440us   173us
ntp.colby.edu              11   7   646     -0.224      2.107    +37us   283us
ntp.okstate.edu            11   6   649     -0.033      7.054  +1594us  1146us
ntp1.conectiv.com          11   8   649     +0.832      1.748  -3646ns   245us
ntp1.nss.udel.edu          11   7   649     +0.212      2.261   +949us   344us
ntp1.versadns.com          10   9   647     +7.833     62.564   +135us  8185us
rackety.udel.edu            7   4   389     +2.348     10.031  +2455us   462us
tick.ucla.edu              11   7   648     -0.272      1.996  -1436us   297us
tick.uh.edu                11   5   647     +0.100      2.433   +688us   290us
tick.usno.navy.mil         11   8   648     -0.861      2.541   -618us   343us
time.keneli.org            11   8   649     +0.893      6.807  +3041us  1085us
usno.hpl.hp.com            10   4   649     +8.359    137.037  -8118us    18ms

Reference ID    : 209.51.161.238 (clock.nyc.he.net)
Stratum         : 2
Ref time (UTC)  : Fri May 20 21:23:33 2016
System time     : 0.000001215 seconds slow of NTP time
Last offset     : -0.000006298 seconds
RMS offset      : 0.000150691 seconds
Frequency       : 5.575 ppm slow
Residual freq   : -0.003 ppm
Skew            : 0.949 ppm
Root delay      : 0.009598 seconds
Root dispersion : 0.000623 seconds
Update interval : 2.8 seconds
Leap status     : Normal

How can I build Chrony from source on FreeBSD ?

Download and build chrony

To build chrony, the GNU version of make is required which can be installed from the FreeBSD package system or ports. Then download the chrony tarball from the chrony web site and build the chronyc and chronyd binaries. The last step is to copy the binaries into the system paths which are the same paths the FreeBSD package normally installs chrony to. Once the install is done you are welcome to delete the chrony source files from /tmp .

# install the GNU version of make
root@calomel#   pkg install gmake

# download and untar chrony in /tmp
root@calomel#   cd /tmp
root@calomel#   wget https://download.tuxfamily.org/chrony/chrony-3.1.tar.gz
root@calomel#   tar zxvf chrony-3.1.tar.gz
root@calomel#   cd chrony-3.1

# build the chronyc and chronyd binaries
root@calomel#   CC=clang ./configure && gmake && echo "BUILD SUCCESSFUL"

# copy the chronyd daemon and chronyc query tool into the system paths
root@calomel#   cp chronyc /usr/local/bin/chronyc
root@calomel#   cp chronyd /usr/local/sbin/chronyd

Create the chronyd startup script

To start and stop chrony as a service we need to generate an rc.d script. Create a new file in "/usr/local/etc/rc.d/chronyd" and place the following startup script in the file. Save the file and make sure the permissions are 555 with the command, "chmod 555 /usr/local/etc/rc.d/chronyd" .

root@calomel#  vi /usr/local/etc/rc.d/chronyd

#!/bin/sh
#
# PROVIDE: chronyd
# REQUIRE: DAEMON
#

. /etc/rc.subr

name=chronyd
rcvar=chronyd_enable
command=/usr/local/sbin/${name}

load_rc_config ${name}

: ${chronyd_enable="NO"}

run_rc_command "$1"


root@calomel#  chmod 555 /usr/local/etc/rc.d/chronyd

Create the chronyd dump directory

Chrony is able to sync time quicker on reboot or service restart if chronyd can gather time statistics about each NTP server from the last time chronyd was running. Create a directory to allow chrony to dump time statistics about each time source to /var/db/chrony and allow the unprivileged user daemon to write to the directory. The statistics are less than a few hundred kilobytes in total so space usage is not an issue.

root@calomel#  mkdir /var/db/chrony

root@calomel#  chown daemon /var/db/chrony

Source build install complete.


Contact UsGoogle Site SearchRSS Feed