chrony ArchLinux

NTP (Network Time Protocol) is a protocol developed to keep the individual clocks of every computer attached to a network in sync. All computers in the network then share one uniform time, provided they take part in the distribution of time information from a so-called "time server".

It can be very important for all computers in a network to have the same time: when the clocks of the participating machines drift too far apart, time-dependent protocols stop working, for example the exchange of DNS information (DNSSEC signatures carry validity windows), Kerberos authentication, or TLS certificate validation.

:!: NOTE - The following describes the installation of a "time server" for a private network!

:!: NOTE - IPv6 is NOT to be used!

Description             External link
Homepage                Chrony Home
Documentation           User guide for the chrony suite
Red Hat documentation   Chapter 13. Configuring NTP Using the chrony Suite

From here on, root privileges are required to run the following commands. To become root, either log in to the system as the root user or switch to the root user with the following command:

$ su -
Password:

Installation

To install a "time server", the following package is required:

  • chrony - contained in the community repository of Arch Linux

The required package is installed with the following command:

# pacman --noconfirm -S chrony
resolving dependencies...
looking for conflicting packages...

Package (1)       New Version  Net Change  Download Size

community/chrony  3.5.1-1        0.86 MiB       0.26 MiB

Total Download Size:   0.26 MiB
Total Installed Size:  0.86 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 chrony-3.5.1-1-x...   269.5 KiB  5.26 MiB/s 00:00 [----------------------] 100%
(1/1) checking keys in keyring                     [----------------------] 100%
(1/1) checking package integrity                   [----------------------] 100%
(1/1) loading package files                        [----------------------] 100%
(1/1) checking for file conflicts                  [----------------------] 100%
(1/1) checking available disk space                [----------------------] 100%
:: Processing package changes...
(1/1) installing chrony                            [----------------------] 100%
:: Running post-transaction hooks...
(1/4) Creating system user accounts...
Creating group chrony with gid 974.
Creating user chrony (Network Time Protocol) with uid 974 and gid 974.
(2/4) Reloading system manager configuration...
(3/4) Creating temporary files...
(4/4) Arming ConditionNeedsUpdate...

The following command shows which files were installed with the package.

Package chrony:

# pacman -Qil chrony
Name            : chrony
Version         : 3.5.1-1
Description     : Lightweight NTP client and server
Architecture    : x86_64
URL             : https://chrony.tuxfamily.org/
Licenses        : GPL2
Groups          : None
Provides        : None
Depends On      : glibc  nss  readline  libcap  libcap.so=2-64  libedit
                  libseccomp  libseccomp.so=2-64  nettle
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 876.65 KiB
Packager        : Levente Polyak <anthraxx@archlinux.org>
Build Date      : Sun 30 Aug 2020 01:31:14 PM CEST
Install Date    : Sun 10 Jan 2021 12:27:15 PM CET
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

chrony /etc/
chrony /etc/chrony.conf
chrony /etc/logrotate.d/
chrony /etc/logrotate.d/chrony
chrony /usr/
chrony /usr/bin/
chrony /usr/bin/chronyc
chrony /usr/bin/chronyd
chrony /usr/lib/
chrony /usr/lib/systemd/
chrony /usr/lib/systemd/system/
chrony /usr/lib/systemd/system/chrony-wait.service
chrony /usr/lib/systemd/system/chronyd.service
chrony /usr/lib/sysusers.d/
chrony /usr/lib/sysusers.d/chrony.conf
chrony /usr/lib/tmpfiles.d/
chrony /usr/lib/tmpfiles.d/chrony.conf
chrony /usr/share/
chrony /usr/share/doc/
chrony /usr/share/doc/chrony/
chrony /usr/share/doc/chrony/FAQ
chrony /usr/share/doc/chrony/NEWS
chrony /usr/share/doc/chrony/README
chrony /usr/share/doc/chrony/chrony.conf.html
chrony /usr/share/doc/chrony/chronyc.html
chrony /usr/share/doc/chrony/chronyd.html
chrony /usr/share/doc/chrony/examples/
chrony /usr/share/doc/chrony/examples/chrony-wait.service
chrony /usr/share/doc/chrony/examples/chrony.conf.example1
chrony /usr/share/doc/chrony/examples/chrony.conf.example2
chrony /usr/share/doc/chrony/examples/chrony.conf.example3
chrony /usr/share/doc/chrony/examples/chrony.keys.example
chrony /usr/share/doc/chrony/examples/chrony.logrotate
chrony /usr/share/doc/chrony/examples/chrony.nm-dispatcher
chrony /usr/share/doc/chrony/examples/chronyd.service
chrony /usr/share/doc/chrony/faq.html
chrony /usr/share/doc/chrony/installation.html
chrony /usr/share/man/
chrony /usr/share/man/man1/
chrony /usr/share/man/man1/chronyc.1.gz
chrony /usr/share/man/man5/
chrony /usr/share/man/man5/chrony.conf.5.gz
chrony /usr/share/man/man8/
chrony /usr/share/man/man8/chronyd.8.gz

Configuration

So that the "time server", which runs as a service/daemon in the background, is also available after a reboot of the machine, the service/daemon is to be started together with the system. This is done with the following command:

# systemctl enable chronyd
Created symlink /etc/systemd/system/multi-user.target.wants/chronyd.service → /usr/lib/systemd/system/chronyd.service.

The service/daemon chronyd.service should not be running yet, which can be checked with the following command:

# systemctl status chronyd
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor p>
     Active: inactive (dead)
       Docs: man:chronyd(8)
             man:chrony.conf(5)

:!: NOTE - The service/daemon chronyd.service should only be started after the configuration described below has been completed!

/etc/chrony.conf - Server

The chronyd service/daemon is configured in the configuration file

  • /etc/chrony.conf

Changes and personal adjustments are marked with a preceding comment that looks as follows

# Tachtler

Here is the complete configuration file /etc/chrony.conf:

#######################################################################
#
# This is an example chrony configuration file.  You should copy it to
# /etc/chrony.conf after uncommenting and editing the options that you
# want to enable.  The more obscure options are not included.  Refer
# to the documentation for these.
#
#######################################################################
### COMMENTS
# Any of the following lines are comments (you have a choice of
# comment start character):
# a comment
% a comment
! a comment
; a comment
#
# Below, the '!' form is used for lines that you might want to
# uncomment and edit to make your own chrony.conf file.
#
#######################################################################
#######################################################################
### SPECIFY YOUR NTP SERVERS
# Most computers using chrony will send measurement requests to one or
# more 'NTP servers'.  You will probably find that your Internet Service
# Provider or company have one or more NTP servers that you can specify.
# Failing that, there are a lot of public NTP servers.  There is a list
# you can access at http://support.ntp.org/bin/view/Servers/WebHome or
# you can use servers from the pool.ntp.org project.
 
! server 0.arch.pool.ntp.org iburst
! server 1.arch.pool.ntp.org iburst
! server 3.arch.pool.ntp.org iburst
 
# Tachtler (M-Net time server)
# default: pool 2.arch.pool.ntp.org iburst 
server gps-1.m-online.net minpoll 4 maxpoll 10 iburst
server ntp1.m-online.net minpoll 4 maxpoll 10 iburst
server ntp2.m-online.net minpoll 4 maxpoll 10 iburst
 
 
#######################################################################
### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK
#
# To avoid changes being made to your computer's gain/loss compensation
# when the measurement history is too erratic, you might want to enable
# one of the following lines.  The first seems good with servers on the
# Internet, the second seems OK for a LAN environment.
 
! maxupdateskew 100
! maxupdateskew 5
 
# If you want to increase the minimum number of selectable sources
# required to update the system clock in order to make the
# synchronisation more reliable, uncomment (and edit) the following
# line.
 
! minsources 2
 
# If your computer has a good stable clock (e.g. it is not a virtual
# machine), you might also want to reduce the maximum assumed drift
# (frequency error) of the clock (the value is specified in ppm).
 
! maxdrift 100
 
#######################################################################
### FILENAMES ETC
# Chrony likes to keep information about your computer's clock in files.
# The 'driftfile' stores the computer's clock gain/loss rate in parts
# per million.  When chronyd starts, the system clock can be tuned
# immediately so that it doesn't gain or lose any more time.  You
# generally want this, so it is uncommented.
 
driftfile /var/lib/chrony/drift
 
# If you want to enable NTP authentication with symmetric keys, you will need
# to uncomment the following line and edit the file to set up the keys.
 
! keyfile /etc/chrony.keys
 
# chronyd can save the measurement history for the servers to files when
# it it exits.  This is useful in 2 situations:
#
# 1. On Linux, if you stop chronyd and restart it with '-r' (e.g. after
# an upgrade), the old measurements will still be relevant when chronyd
# is restarted.  This will reduce the time needed to get accurate
# gain/loss measurements, especially with a dial-up link.
#
# 2. Again on Linux, if you use the RTC support and start chronyd with
# '-r -s' on bootup, measurements from the last boot will still be
# useful (the real time clock is used to 'flywheel' chronyd between
# boots).
#
# Enable these two options to use this.
 
! dumponexit
! dumpdir /var/lib/chrony
# Tachtler
dumpdir /var/run/chrony
 
# chronyd writes its process ID to a file.  If you try to start a second
# copy of chronyd, it will detect that the process named in the file is
# still running and bail out.  If you want to change the path to the PID
# file, uncomment this line and edit it.  The default path is shown.
 
! pidfile /var/run/chrony/chronyd.pid
 
# If the system timezone database is kept up to date and includes the
# right/UTC timezone, chronyd can use it to determine the current
# TAI-UTC offset and when will the next leap second occur.
 
leapsectz right/UTC
 
#######################################################################
### INITIAL CLOCK CORRECTION
# This option is useful to quickly correct the clock on start if it's
# off by a large amount.  The value '1.0' means that if the error is less
# than 1 second, it will be gradually removed by speeding up or slowing
# down your computer's clock until it is correct.  If the error is above
# 1 second, an immediate time jump will be applied to correct it.  The
# value '3' means the step is allowed only in the first three updates of
# the clock.  Some software can get upset if the system clock jumps
# (especially backwards), so be careful!
 
makestep 1.0 3
 
#######################################################################
### LOGGING
# If you want to log information about the time measurements chronyd has
# gathered, you might want to enable the following lines.  You probably
# only need this if you really enjoy looking at the logs, you want to
# produce some graphs of your system's timekeeping performance, or you
# need help in debugging a problem.
 
! logdir /var/log/chrony
! log measurements statistics tracking
 
# If you have real time clock support enabled (see below), you might want
# this line instead:
 
! log measurements statistics tracking rtc
 
#######################################################################
### ACTING AS AN NTP SERVER
# You might want the computer to be an NTP server for other computers.
# e.g.  you might be running chronyd on a dial-up machine that has a LAN
# sitting behind it with several 'satellite' computers on it.
#
# By default, chronyd does not allow any clients to access it.  You need
# to explicitly enable access using 'allow' and 'deny' directives.
#
# e.g. to enable client access from the 192.168.*.* class B subnet,
 
! allow 192.168/16
# Tachtler
allow 192.168.0.0/24
 
# .. but disallow the 192.168.100.* subnet of that,
 
! deny 192.168.100/24
 
# You can have as many allow and deny directives as you need.  The order
# is unimportant.
 
# If you want chronyd to act as an NTP broadcast server, enable and edit
# (and maybe copy) the following line.  This means that a broadcast
# packet is sent to the address 192.168.1.255 every 60 seconds.  The
# address MUST correspond to the broadcast address of one of the network
# interfaces on your machine.  If you have multiple network interfaces,
# add a broadcast line for each.
 
! broadcast 60 192.168.1.255
 
# If you want to present your computer's time for others to synchronise
# with, even if you don't seem to be synchronised to any NTP servers
# yourself, enable the following line.  The value 10 may be varied
# between 1 and 15.  You should avoid small values because you will look
# like a real NTP server.  The value 10 means that you appear to be 10
# NTP 'hops' away from an authoritative source (atomic clock, GPS
# receiver, radio clock etc).
 
! local stratum 10
# Tachtler
local stratum 3
 
# Normally, chronyd will keep track of how many times each client
# machine accesses it.  The information can be accessed by the 'clients'
# command of chronyc.  You can disable this facility by uncommenting the
# following line.  This will save a bit of memory if you have many
# clients and it will also disable support for the interleaved mode.
 
! noclientlog
 
# The clientlog size is limited to 512KB by default.  If you have many
# clients, you might want to increase the limit.
 
! clientloglimit 4194304
 
# By default, chronyd tries to respond to all valid NTP requests from
# allowed addresses.  If you want to limit the response rate for NTP
# clients that are sending requests too frequently, uncomment and edit
# the following line.
 
! ratelimit interval 3 burst 8
 
#######################################################################
### REPORTING BIG CLOCK CHANGES
# Perhaps you want to know if chronyd suddenly detects any large error
# in your computer's clock.  This might indicate a fault or a problem
# with the server(s) you are using, for example.
#
# The next option causes a message to be written to syslog when chronyd
# has to correct an error above 0.5 seconds (you can use any amount you
# like).
 
! logchange 0.5
# Tachtler
logchange 1.0
 
# The next option will send email to the named person when chronyd has
# to correct an error above 0.5 seconds.  (If you need to send mail to
# several people, you need to set up a mailing list or sendmail alias
# for them and use the address of that.)
 
! mailonchange wibble@foo.example.net 0.5
# Tachtler
mailonchange you@example.com 1.0
 
#######################################################################
### COMMAND ACCESS
# The program chronyc is used to show the current operation of chronyd
# and to change parts of its configuration whilst it is running.
 
# By default chronyd binds to the loopback interface.  Uncomment the
# following lines to allow receiving command packets from remote hosts.
 
! bindcmdaddress 0.0.0.0
! bindcmdaddress ::
# Tachtler
bindcmdaddress /var/run/chrony/chronyd.sock
 
# Normally, chronyd will only allow connections from chronyc on the same
# machine as itself.  This is for security.  If you have a subnet
# 192.168.*.* and you want to be able to use chronyc from any machine on
# it, you could uncomment the following line.  (Edit this to your own
# situation.)
 
! cmdallow 192.168/16
 
# You can add as many 'cmdallow' and 'cmddeny' lines as you like.  The
# syntax and meaning is the same as for 'allow' and 'deny', except that
# 'cmdallow' and 'cmddeny' control access to the chronyd's command port.
# Tachtler
cmdport 0
 
# Rate limiting can be enabled also for command packets.  (Note,
# commands from localhost are never limited.)
 
! cmdratelimit interval -4 burst 16
 
#######################################################################
### HARDWARE TIMESTAMPING
# On Linux, if the network interface controller and its driver support
# hardware timestamping, it can significantly improve the accuracy of
# synchronisation. It can be enabled on specified interfaces only, or it
# can be enabled on all interfaces that support it.
 
! hwtimestamp eth0
! hwtimestamp *
 
#######################################################################
### REAL TIME CLOCK
# chronyd can characterise the system's real-time clock.  This is the
# clock that keeps running when the power is turned off, so that the
# machine knows the approximate time when it boots again.  The error at
# a particular epoch and gain/loss rate can be written to a file and
# used later by chronyd when it is started with the '-s' option.
#
# You need to have 'enhanced RTC support' compiled into your Linux
# kernel.  (Note, these options apply only to Linux.)
 
! rtcfile /var/lib/chrony/rtc
 
# Your RTC can be set to keep Universal Coordinated Time (UTC) or local
# time.  (Local time means UTC +/- the effect of your timezone.)  If you
# use UTC, chronyd will function correctly even if the computer is off
# at the epoch when you enter or leave summer time (aka daylight saving
# time).  However, if you dual boot your system with Microsoft Windows,
# that will work better if your RTC maintains local time.  You take your
# pick!
 
! rtconutc
 
# By default chronyd assumes that the enhanced RTC device is accessed as
# /dev/rtc.  If it's accessed somewhere else on your system (e.g. you're
# using devfs), uncomment and edit the following line.
 
! rtcdevice /dev/misc/rtc
 
# Alternatively, if not using the -s option, this directive can be used
# to enable a mode in which the RTC is periodically set to the system
# time, with no tracking of its drift.
 
rtcsync
 
#######################################################################
### REAL TIME SCHEDULER
# This directive tells chronyd to use the real-time FIFO scheduler with the
# specified priority (which must be between 0 and 100).  This should result
# in reduced latency.  You don't need it unless you really have a requirement
# for extreme clock stability.  Works only on Linux.  Note that the "-P"
# command-line switch will override this.
 
! sched_priority 1
 
#######################################################################
### LOCKING CHRONYD INTO RAM
# This directive tells chronyd to use the mlockall() syscall to lock itself
# into RAM so that it will never be paged out.  This should result in reduced
# latency.  You don't need it unless you really have a requirement
# for extreme clock stability.  Works only on Linux.  Note that the "-m"
# command-line switch will also enable this feature.
 
! lock_all
# Tachtler
lock_all
 
# Tachtler - NEW -
acquisitionport 123
stratumweight 0

A detailed description of the configuration entries used here, and of further options not used here, can be found via the external links listed above; the chrony.conf(5) manual page and /usr/share/doc/chrony/chrony.conf.html are also installed locally by the package.

Two points in the server configuration deserve attention. cmdport 0 together with bindcmdaddress /var/run/chrony/chronyd.sock closes the UDP command port (323) completely, so chronyc can only talk to this chronyd from the local machine over the Unix socket, which is the intended hardening for a server. acquisitionport 123 pins the source port of chronyd's own requests to its upstream servers to 123; with the default value 0 the kernel picks a random source port, which makes it harder for an off-path attacker to forge replies, so a fixed port should only be set where an upstream firewall requires it.
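The allow/deny semantics that the comments in the file above describe (the most specific subnet wins, the order of the lines does not matter, and the default is to serve nobody) are easy to get wrong with chrony's abbreviated subnet notation and its four comment characters. The following POSIX-shell script is an added example, not part of the original page or of chrony itself: it extracts the effective directives of a chrony.conf and evaluates an IPv4 client address against the allow/deny lines the way chrony.conf(5) describes them. The sample configuration embedded in it is constructed; that the later of two identical subnets wins is an assumption of the model, not something taken from chrony's source.

```shell
#!/bin/sh
# Added example, not part of the original page or of chrony: a POSIX-shell
# model of how chronyd evaluates 'allow'/'deny' for an IPv4 client.
# Rules modelled: the most specific matching subnet wins; with no matching
# directive the default is deny; abbreviated subnets ("192.168" = /16,
# "10.1.2" = /24, "all" = 0.0.0.0/0) are expanded as chrony.conf(5) describes.
# Assumption: when the same subnet appears twice, the later line wins.

# Print only effective directives. chrony treats '#', '%', '!' and ';'
# as comment starters, so "! allow 192.168/16" is NOT active.
effective_directives() {
    sed -e 's/^[[:space:]]*//' -e '/^$/d' -e '/^[#%!;]/d' "$1"
}

# Dotted IPv4 address -> integer.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Expand a chrony subnet spec to "network_as_int prefix_length".
expand_subnet() {
    spec=$1
    case $spec in ''|all) echo "0 0"; return ;; esac
    addr=${spec%%/*}
    dots=$(( $(printf '%s' "$addr" | tr -cd '.' | wc -c) ))
    if [ "$addr" = "$spec" ]; then
        plen=$(( (dots + 1) * 8 ))      # "1.2.3" -> /24, "1.2" -> /16
    else
        plen=${spec#*/}
    fi
    while [ "$dots" -lt 3 ]; do          # pad missing octets with 0
        addr="$addr.0"; dots=$(( dots + 1 ))
    done
    echo "$(ip4_to_int "$addr") $plen"
}

# Usage: ntp_client_allowed CONF CLIENT_IP
# Prints "allow" or "deny" and returns 0 when the client would be served.
ntp_client_allowed() {
    conf=$1
    ip=$(ip4_to_int "$2")
    rules=$(effective_directives "$conf" | grep -E '^(allow|deny)([[:space:]]|$)' || true)
    best=-1
    verdict=deny
    while read -r kw arg rest; do
        [ -z "$kw" ] && continue
        set -- $(expand_subnet "$arg")
        net=$1; plen=$2
        mask=$(( ((1 << plen) - 1) << (32 - plen) ))
        [ $(( ip & mask )) -eq $(( net & mask )) ] || continue
        if [ "$plen" -ge "$best" ]; then  # longer prefix wins; tie: later line
            best=$plen
            verdict=$kw
        fi
    done <<EOF
$rules
EOF
    echo "$verdict"
    [ "$verdict" = allow ]
}

# Constructed sample configuration in the style of the server file above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server gps-1.m-online.net minpoll 4 maxpoll 10 iburst
! allow 192.168/16
% this line is a comment too
allow 192.168.0.0/24
deny 192.168.0.200
allow 10.1
deny 10.1.2/24
cmdport 0
EOF

for client in 192.168.0.5 192.168.0.200 192.168.1.5 10.1.3.4 10.1.2.9; do
    printf '%-15s -> %s\n' "$client" "$(ntp_client_allowed "$SAMPLE_CONF" "$client")"
done
```

Run it against the live file with ntp_client_allowed /etc/chrony.conf 192.168.0.5. A deny for a host that should be served usually means the allow line is still commented out with "!", or that an abbreviated subnet implies a different prefix length than intended.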

/etc/chrony.conf - Client

The chronyd service/daemon is configured in the configuration file

  • /etc/chrony.conf

Changes and personal adjustments are marked with a preceding comment that looks as follows

# Tachtler

Here is the complete configuration file /etc/chrony.conf:

#######################################################################
#
# This is an example chrony configuration file.  You should copy it to
# /etc/chrony.conf after uncommenting and editing the options that you
# want to enable.  The more obscure options are not included.  Refer
# to the documentation for these.
#
#######################################################################
### COMMENTS
# Any of the following lines are comments (you have a choice of
# comment start character):
# a comment
% a comment
! a comment
; a comment
#
# Below, the '!' form is used for lines that you might want to
# uncomment and edit to make your own chrony.conf file.
#
#######################################################################
#######################################################################
### SPECIFY YOUR NTP SERVERS
# Most computers using chrony will send measurement requests to one or
# more 'NTP servers'.  You will probably find that your Internet Service
# Provider or company have one or more NTP servers that you can specify.
# Failing that, there are a lot of public NTP servers.  There is a list
# you can access at http://support.ntp.org/bin/view/Servers/WebHome or
# you can use servers from the pool.ntp.org project.
 
! server 0.arch.pool.ntp.org iburst
! server 1.arch.pool.ntp.org iburst
! server 3.arch.pool.ntp.org iburst
 
# Tachtler
# default: pool 2.arch.pool.ntp.org iburst
server 192.168.0.20 iburst
 
#######################################################################
### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK
#
# To avoid changes being made to your computer's gain/loss compensation
# when the measurement history is too erratic, you might want to enable
# one of the following lines.  The first seems good with servers on the
# Internet, the second seems OK for a LAN environment.
 
! maxupdateskew 100
! maxupdateskew 5
 
# If you want to increase the minimum number of selectable sources
# required to update the system clock in order to make the
# synchronisation more reliable, uncomment (and edit) the following
# line.
 
! minsources 2
 
# If your computer has a good stable clock (e.g. it is not a virtual
# machine), you might also want to reduce the maximum assumed drift
# (frequency error) of the clock (the value is specified in ppm).
 
! maxdrift 100
 
#######################################################################
### FILENAMES ETC
# Chrony likes to keep information about your computer's clock in files.
# The 'driftfile' stores the computer's clock gain/loss rate in parts
# per million.  When chronyd starts, the system clock can be tuned
# immediately so that it doesn't gain or lose any more time.  You
# generally want this, so it is uncommented.
 
driftfile /var/lib/chrony/drift
 
# If you want to enable NTP authentication with symmetric keys, you will need
# to uncomment the following line and edit the file to set up the keys.
 
! keyfile /etc/chrony.keys
 
# chronyd can save the measurement history for the servers to files when
# it it exits.  This is useful in 2 situations:
#
# 1. On Linux, if you stop chronyd and restart it with '-r' (e.g. after
# an upgrade), the old measurements will still be relevant when chronyd
# is restarted.  This will reduce the time needed to get accurate
# gain/loss measurements, especially with a dial-up link.
#
# 2. Again on Linux, if you use the RTC support and start chronyd with
# '-r -s' on bootup, measurements from the last boot will still be
# useful (the real time clock is used to 'flywheel' chronyd between
# boots).
#
# Enable these two options to use this.
 
! dumponexit
! dumpdir /var/lib/chrony
 
# chronyd writes its process ID to a file.  If you try to start a second
# copy of chronyd, it will detect that the process named in the file is
# still running and bail out.  If you want to change the path to the PID
# file, uncomment this line and edit it.  The default path is shown.
 
! pidfile /var/run/chrony/chronyd.pid
 
# If the system timezone database is kept up to date and includes the
# right/UTC timezone, chronyd can use it to determine the current
# TAI-UTC offset and when will the next leap second occur.
 
leapsectz right/UTC
 
#######################################################################
### INITIAL CLOCK CORRECTION
# This option is useful to quickly correct the clock on start if it's
# off by a large amount.  The value '1.0' means that if the error is less
# than 1 second, it will be gradually removed by speeding up or slowing
# down your computer's clock until it is correct.  If the error is above
# 1 second, an immediate time jump will be applied to correct it.  The
# value '3' means the step is allowed only in the first three updates of
# the clock.  Some software can get upset if the system clock jumps
# (especially backwards), so be careful!
 
makestep 1.0 3
 
#######################################################################
### LOGGING
# If you want to log information about the time measurements chronyd has
# gathered, you might want to enable the following lines.  You probably
# only need this if you really enjoy looking at the logs, you want to
# produce some graphs of your system's timekeeping performance, or you
# need help in debugging a problem.
 
! logdir /var/log/chrony
! log measurements statistics tracking
 
# If you have real time clock support enabled (see below), you might want
# this line instead:
 
! log measurements statistics tracking rtc
 
#######################################################################
### ACTING AS AN NTP SERVER
# You might want the computer to be an NTP server for other computers.
# e.g.  you might be running chronyd on a dial-up machine that has a LAN
# sitting behind it with several 'satellite' computers on it.
#
# By default, chronyd does not allow any clients to access it.  You need
# to explicitly enable access using 'allow' and 'deny' directives.
#
# e.g. to enable client access from the 192.168.*.* class B subnet,
 
! allow 192.168/16
 
# .. but disallow the 192.168.100.* subnet of that,
 
! deny 192.168.100/24
# Tachtler
deny all
 
# You can have as many allow and deny directives as you need.  The order
# is unimportant.
 
# If you want chronyd to act as an NTP broadcast server, enable and edit
# (and maybe copy) the following line.  This means that a broadcast
# packet is sent to the address 192.168.1.255 every 60 seconds.  The
# address MUST correspond to the broadcast address of one of the network
# interfaces on your machine.  If you have multiple network interfaces,
# add a broadcast line for each.
 
! broadcast 60 192.168.1.255
 
# If you want to present your computer's time for others to synchronise
# with, even if you don't seem to be synchronised to any NTP servers
# yourself, enable the following line.  The value 10 may be varied
# between 1 and 15.  You should avoid small values because you will look
# like a real NTP server.  The value 10 means that you appear to be 10
# NTP 'hops' away from an authoritative source (atomic clock, GPS
# receiver, radio clock etc).
 
! local stratum 10
 
# Normally, chronyd will keep track of how many times each client
# machine accesses it.  The information can be accessed by the 'clients'
# command of chronyc.  You can disable this facility by uncommenting the
# following line.  This will save a bit of memory if you have many
# clients and it will also disable support for the interleaved mode.
 
! noclientlog
 
# The clientlog size is limited to 512KB by default.  If you have many
# clients, you might want to increase the limit.
 
! clientloglimit 4194304
 
# By default, chronyd tries to respond to all valid NTP requests from
# allowed addresses.  If you want to limit the response rate for NTP
# clients that are sending requests too frequently, uncomment and edit
# the following line.
 
! ratelimit interval 3 burst 8
 
#######################################################################
### REPORTING BIG CLOCK CHANGES
# Perhaps you want to know if chronyd suddenly detects any large error
# in your computer's clock.  This might indicate a fault or a problem
# with the server(s) you are using, for example.
#
# The next option causes a message to be written to syslog when chronyd
# has to correct an error above 0.5 seconds (you can use any amount you
# like).
 
! logchange 0.5
# Tachtler
logchange 1.0
 
# The next option will send email to the named person when chronyd has
# to correct an error above 0.5 seconds.  (If you need to send mail to
# several people, you need to set up a mailing list or sendmail alias
# for them and use the address of that.)
 
! mailonchange wibble@foo.example.net 0.5
# Tachtler
mailonchange you@example.com 1.0
 
#######################################################################
### COMMAND ACCESS
# The program chronyc is used to show the current operation of chronyd
# and to change parts of its configuration whilst it is running.
 
# By default chronyd binds to the loopback interface.  Uncomment the
# following lines to allow receiving command packets from remote hosts.
 
! bindcmdaddress 0.0.0.0
! bindcmdaddress ::
# Tachtler
# bindaddress binds the socket on which chronyd listens for NTP requests
# (port 123); together with 'deny all' above this client serves nobody.
# The command socket is controlled by bindcmdaddress/cmdport below.
bindaddress 127.0.0.1
bindaddress ::1
 
# Normally, chronyd will only allow connections from chronyc on the same
# machine as itself.  This is for security.  If you have a subnet
# 192.168.*.* and you want to be able to use chronyc from any machine on
# it, you could uncomment the following line.  (Edit this to your own
# situation.)
 
! cmdallow 192.168/16
 
# You can add as many 'cmdallow' and 'cmddeny' lines as you like.  The
# syntax and meaning is the same as for 'allow' and 'deny', except that
# 'cmdallow' and 'cmddeny' control access to the chronyd's command port.
# Tachtler
cmddeny all
cmdport 0
 
# Rate limiting can be enabled also for command packets.  (Note,
# commands from localhost are never limited.)
 
! cmdratelimit interval -4 burst 16
 
#######################################################################
### HARDWARE TIMESTAMPING
# On Linux, if the network interface controller and its driver support
# hardware timestamping, it can significantly improve the accuracy of
# synchronisation. It can be enabled on specified interfaces only, or it
# can be enabled on all interfaces that support it.
 
! hwtimestamp eth0
! hwtimestamp *
 
#######################################################################
### REAL TIME CLOCK
# chronyd can characterise the system's real-time clock.  This is the
# clock that keeps running when the power is turned off, so that the
# machine knows the approximate time when it boots again.  The error at
# a particular epoch and gain/loss rate can be written to a file and
# used later by chronyd when it is started with the '-s' option.
#
# You need to have 'enhanced RTC support' compiled into your Linux
# kernel.  (Note, these options apply only to Linux.)
 
! rtcfile /var/lib/chrony/rtc
 
# Your RTC can be set to keep Universal Coordinated Time (UTC) or local
# time.  (Local time means UTC +/- the effect of your timezone.)  If you
# use UTC, chronyd will function correctly even if the computer is off
# at the epoch when you enter or leave summer time (aka daylight saving
# time).  However, if you dual boot your system with Microsoft Windows,
# that will work better if your RTC maintains local time.  You take your
# pick!
 
! rtconutc
 
# By default chronyd assumes that the enhanced RTC device is accessed as
# /dev/rtc.  If it's accessed somewhere else on your system (e.g. you're
# using devfs), uncomment and edit the following line.
 
! rtcdevice /dev/misc/rtc
 
# Alternatively, if not using the -s option, this directive can be used
# to enable a mode in which the RTC is periodically set to the system
# time, with no tracking of its drift.
 
rtcsync
 
#######################################################################
### REAL TIME SCHEDULER
# This directive tells chronyd to use the real-time FIFO scheduler with the
# specified priority (which must be between 0 and 100).  This should result
# in reduced latency.  You don't need it unless you really have a requirement
# for extreme clock stability.  Works only on Linux.  Note that the "-P"
# command-line switch will override this.
 
! sched_priority 1
 
#######################################################################
### LOCKING CHRONYD INTO RAM
# This directive tells chronyd to use the mlockall() syscall to lock itself
# into RAM so that it will never be paged out.  This should result in reduced
# latency.  You don't need it unless you really have a requirement
# for extreme clock stability.  Works only on Linux.  Note that the "-m"
# command-line switch will also enable this feature.
 
! lock_all
 
# Tachtler - NEW -
acquisitionport 123
bindcmdaddress /var/run/chrony/chronyd.sock
stratumweight 0

A detailed description of the configuration entries used here, and of further configuration options not used here, can be found under the following external links:

/etc/sysconfig/chronyd

If, for example, IPv6 is not to be used, IPv6 support can be disabled by creating a new configuration file with the following name in the following directory

  • /etc/sysconfig/chronyd

so that no "listening" takes place on any IPv6 addresses that may be defined:

The configuration file /etc/sysconfig/chronyd can be created with the following command:

# touch /etc/sysconfig/chronyd

Its content should then look as shown below, so that the chrony service/daemon runs without IPv6 support:

# Tachtler
# Resolve hostnames only to IPv4 addresses and create only IPv4 sockets.
OPTIONS="-4"

iptables rule

:!: IMPORTANT - Only relevant when iptables is used as the firewall!

So that the "time server" is reachable and the distribution of time information via NTP is not blocked by the iptables packet filter, the following rule must be added to the iptables rule set.

Before extending the current iptables rules, they should first be listed, which can be done with the following command:

# iptables -L -nv --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      141 10524 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5        1    32 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 79 packets, 9140 bytes)
num   pkts bytes target     prot opt in     out     source               destination

The following command adds the iptables rule below to the iptables rule set after position 4, without the packet filter having to be stopped:

  • -A INPUT -p udp --dport 123 -j ACCEPT

and here is the command:

# iptables -I INPUT 5 -p udp --dport 123 -j ACCEPT

Querying the iptables rule set again should then produce the output shown below; the query can be done with the following command:

# iptables -L -nv --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      435 32812 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123 
6        4   128 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 12 packets, 1320 bytes)
num   pkts bytes target     prot opt in     out     source               destination

The new line can be seen at position 5, shown here once more for clarity (relevant excerpt only):

...
5        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
...

To keep this iptables rule permanently in the iptables rule set, even after a restart of the server, the following command must finally be executed:

# iptables-save > /etc/iptables/iptables.rules
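The procedure above depends on inserting the ACCEPT rule before the catch-all REJECT rule at the end of the INPUT chain (position 5 in the listing). As an added example that is not part of the original page, the following shell functions read the output of `iptables -L -nv --line-numbers` (a constructed sample modelled on the listing above), check whether the NTP rule already exists, and derive the position for `iptables -I INPUT N`; nothing is executed against a live firewall.

```shell
#!/bin/sh
# Added example, not from the original page: derive the insert position for
# the NTP rule from `iptables -L -nv --line-numbers` output, so the ACCEPT
# rule lands before the catch-all REJECT rule at the end of the INPUT chain.

# Constructed sample listing, modelled on the page's output before the NTP
# rule was added (FORWARD chain included to show that it is ignored).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      141 10524 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        1    32 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# ntp_rule_present LISTING -> exit 0 if INPUT already has "ACCEPT udp dpt:123"
ntp_rule_present() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }
        chain == "INPUT" && $4 == "ACCEPT" && $5 == "udp" && /udp dpt:123/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ntp_insert_position LISTING -> prints the number of the first REJECT rule in
# INPUT (the N for `iptables -I INPUT N`); if there is no REJECT rule, the
# number after the last rule, i.e. append at the end.
ntp_insert_position() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }
        chain == "INPUT" && $1 ~ /^[0-9]+$/ {
            last = $1
            if (!pos && $4 == "REJECT") pos = $1
        }
        END { print (pos ? pos : last + 1) }'
}

# ntp_insert_command LISTING -> prints the iptables command to run (as root);
# nothing is executed here, so the listing can come from any host.
ntp_insert_command() {
    if ntp_rule_present "$1"; then
        echo "# NTP rule already present, nothing to do"
    else
        printf 'iptables -I INPUT %s -p udp --dport 123 -j ACCEPT\n' \
            "$(ntp_insert_position "$1")"
    fi
}
```

On a live host the listing would be supplied with `ntp_insert_command "$(iptables -L -nv --line-numbers)"`, which for the sample above prints exactly the command used in this section.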

Starting the time server

To start a "time server", the chronyd service/daemon must be started with the following command:

# systemctl start chronyd

Whether the "time server", i.e. the chronyd service/daemon, is actually running as a background process can be checked with the following command (the output should look like the one shown below; the second line is the one that matters!):

# ps auxwwwf | grep chronyd
root       22572  0.0  0.2   6684  2312 pts/0    S+   13:11   0:00          \_ grep chronyd
chrony     22570  0.0  0.2   4552  2124 ?        S    13:11   0:00 /usr/bin/chronyd

or it can be checked with the following command:

# systemctl status chronyd
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor p>
     Active: active (running) since Sun 2021-01-10 13:11:21 CET; 26s ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
    Process: 22568 ExecStart=/usr/bin/chronyd $OPTIONS (code=exited, status=0/S>
   Main PID: 22570 (chronyd)
      Tasks: 1 (limit: 1152)
     Memory: 796.0K
     CGroup: /system.slice/chronyd.service
             └─22570 /usr/bin/chronyd

Jan 10 13:11:21 archlinux systemd[1]: Starting NTP client/server...
Jan 10 13:11:21 archlinux chronyd[22570]: chronyd version 3.5.1 starting (+CMDM>
Jan 10 13:11:21 archlinux chronyd[22570]: Using right/UTC timezone to obtain le>
Jan 10 13:11:21 archlinux systemd[1]: Started NTP client/server.

The ports on which the chronyd service/daemon is actually listening as a background process can be checked with the following command:

# ss -taube | grep ntp
udp   UNCONN 0      0               127.0.0.1:ntp             0.0.0.0:*                                                      
udp   UNCONN 0      0                   [::1]:ntp                   *:*

Time server status

To check the offset, i.e. the deviation from the currently valid time, the following query can be used:

# chronyc -4 sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.0.20                  2   6    17    44   +728ns[+6000ns] +/-   34ms

To check the status of the queried time server (time source), the following query can be used:

# chronyc -n -4 sourcestats
210 Number of sources = 1
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
192.168.0.20               10   6   582     -0.003      0.170    -14ns    20us

To check how the current system time is derived, the following query can be used:

# chronyc -4 tracking
Reference ID    : 192.168.0.20 (timeserver.home.tachtler.net)
Stratum         : 3
Ref time (UTC)  : Thu Jan 10 13:35:29 2021
System time     : 0.000000350 seconds fast of NTP time
Last offset      : 0.000002115 seconds
RMS offset       : 0.000014358 seconds
Frequency       : 0.415 ppm slow
Residual freq   : -0.015 ppm
Skew            : 0.492 ppm
Root delay      : 0.000626 seconds
Root dispersion : 0.019811 seconds
Update interval : 64.9 seconds
Leap status     : Normal
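A "time server" that is itself unsynchronised or drifting will hand wrong time to every client on the network, so the tracking output above is worth checking automatically. As an added example that is not part of the original page, the following shell functions parse `chronyc -4 tracking` output (a constructed sample modelled on the output above) and report whether chronyd is synchronised within a tolerance; the 100 ms tolerance is an assumption for a private network.

```shell
#!/bin/sh
# Added example, not from the original page: decide from `chronyc -4 tracking`
# output whether this chronyd is synchronised well enough to serve the LAN.
# The offset tolerance is an assumption chosen for a private network.

# Constructed sample, modelled on the page's `chronyc -4 tracking` output.
SAMPLE_TRACKING='Reference ID    : 192.168.0.20 (timeserver.home.tachtler.net)
Stratum         : 3
Ref time (UTC)  : Thu Jan 10 13:35:29 2021
System time     : 0.000000350 seconds fast of NTP time
Last offset     : 0.000002115 seconds
RMS offset      : 0.000014358 seconds
Frequency       : 0.415 ppm slow
Residual freq   : -0.015 ppm
Skew            : 0.492 ppm
Root delay      : 0.000626 seconds
Root dispersion : 0.019811 seconds
Update interval : 64.9 seconds
Leap status     : Normal'

MAX_OFFSET_SECONDS=0.1   # assumption: 100 ms tolerance for clients on the LAN

# tracking_field TEXT NAME -> prints the value of the "NAME : value" line
tracking_field() {
    printf '%s\n' "$1" | awk -F' : ' -v name="$2" '
        { key = $1; sub(/[ \t]+$/, "", key) }
        key == name { print $2; exit }'
}

# tracking_healthy TEXT -> exit 0 when the leap status is Normal, the stratum
# is a valid 1..15 (16 means unsynchronised in NTP) and the "System time"
# offset is within MAX_OFFSET_SECONDS; any other state returns 1.
tracking_healthy() {
    leap=$(tracking_field "$1" "Leap status")
    stratum=$(tracking_field "$1" "Stratum")
    offset=$(tracking_field "$1" "System time" | awk '{ print $1 }')
    [ "$leap" = "Normal" ] || return 1
    case "$stratum" in ''|*[!0-9]*) return 1 ;; esac
    [ "$stratum" -ge 1 ] && [ "$stratum" -le 15 ] || return 1
    # "fast of"/"slow of" carries the sign; only the magnitude is compared
    awk -v o="$offset" -v max="$MAX_OFFSET_SECONDS" \
        'BEGIN { if (o + 0 <= max + 0) exit 0; exit 1 }'
}
```

On a live host call it as `tracking_healthy "$(chronyc -4 tracking)"` and act on the exit status, for example from a cron job or a monitoring check.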

:!: NOTE - Because of the restriction in the configuration file /etc/sysconfig/chronyd:

# Tachtler
# Resolve hostnames only to IPv4 addresses and create only IPv4 sockets.
OPTIONS="-4"

commands can only be executed if

  1. IPv6 has been completely disabled on the server in general, or
  2. -4 is passed as a parameter to the chronyc command
tachtler/chrony_archlinux.txt · Last modified: 2021/01/10 13:18 by klaus