Chrony is a software package for maintaining the accuracy of computer system clocks. It consists of a pair of programs :
chronyd. This is a daemon which runs in background on the
system. It obtains measurements (e.g. via the network) of the system's
offset relative to other systems, and adjusts the system time
accordingly. For isolated systems, the user can periodically enter the
correct time by hand (using chronyc). In either case,
chronyd determines the rate at which the computer gains or loses
time, and compensates for this.
chronyc. This is a command-line driven control and
monitoring program. An administrator can use this to fine-tune various
parameters within the daemon, add or delete servers etc whilst the
daemon is running.
The chrony suite makes use of the algorithm known as RSA
Data Security, Inc. MD5 Message-Digest Algorithm for authenticating
messages between different machines on the network.
In writing the chronyd program, extensive use has been made of
RFC1305, written by David Mills. I have occasionally referred to the
xntp suite's source code to check details of the protocol that
the RFC did not make absolutely clear. The core algorithms in
chronyd are all completely distinct from xntp, however.
Links on the chrony home page describe how to obtain the software.
Although most of the program is portable between Unix-like systems, there are parts that have to be tailored to each specific vendor's system. These are the parts that interface with the operating system's facilities for adjusting the system clock; different operating systems may provide different function calls to achieve this, and even where the same function is used it may have different quirks in its behaviour.
So far, the software is able to run in the following environments:
sys_linux.c file needs modifying to define the patchlevel (value
of 'x') at which the change to the kernel time-keeping equivalent to
that applied in v2.0.32 was included. Until I find out which version
this was, v2.1 kernels are limited to patchlevels prior to 51.
Closely related systems may work too, but they have not been tested.
Porting the software to other system (particularly to those supporting
an adjtime system call) should not be difficult, however it
requires access to such systems to test out the driver.
The `reference' implementation of the Network Time Protocol is the
program xntpd, available via
The NTP home page.
xntpd is designed to support all the operating modes defined by
RFC1305, and has driver support for a large number of reference clocks
(such as GPS receivers) that can be connected directly to a computer,
thereby providing a so-called 'stratum 1' server.
Things chronyd can do that xntpd can't:
chronyd can perform usefully in an environment where access to
the time reference is intermittent. chronyd estimates
both the current time offset and the rate at which the
computer's clock gains or loses time, and can use that rate estimate to
trim the clock after the reference disappears. xntpd corrects
any time offset by speeding up and slowing down the computer clock, and
so could be left with a significant rate error if the reference
disappears whilst it is trying to correct a big offset.
chronyd provides support for isolated networks whether the only
method of time correction is manual entry (e.g. by the administrator
looking at a clock). chronyd can look at the errors corrected at
different updates to work out the rate at which the computer gains or
loses time, and use this estimate to trim the computer clock
subsequently.
chronyd provides support to work out the gain or loss rate of the
`real-time clock', i.e. the clock that maintains the time when the
computer is turned off. It can use this data when the system boots to
set the system time from a corrected version of the real-time clock.
These real-time clock facilities are only available on certain releases
of Linux, so far.
xntpd program is supported by other programs to carry out
certain functions. ntpdate is used to provide an initial
correction to the system clock based on a `one-shot' sampling of other
NTP servers. tickadj is used to adjust certain operating system
parameters to make xntpd work better. All this functionality is
integrated into chronyd.
Things xntpd can do that chronyd can't:
xntpd supports a range of different hardware reference clocks
(GPS, atomic etc) that can be connected to a computer to provide a
`stratum-1' server. chronyd does not support any such hardware
yet; I don't have access to any to do any development work.
However, the software architecture should allow such equipment to be
interfaced at a later date.
xntpd supports effectively all of RFC1305, including broadcast /
multicast clients, leap seconds, and extra encryption schemes for
authenticating data packets.
xntpd has been ported to more types of computer / operating
system (so far).
timed is a program that is part of the BSD networking suite. It
uses broadcast packets to find all machines running the daemon within a
subnet. The machines elect a master which periodically measures the
system clock offsets of the other computers using ICMP timestamps.
Corrections are sent to each member as a result of this process.
Problems that may arise with timed are :
timed does not seem to do this.
timed does not have any integrated capability for feeding
real-time into its estimates, or for estimating the average rate of time
loss/gain of the machines relative to real-time (unless one of the
computers in the group has access to an external reference and is always
appointed as the `master').
timed does have the benefit over chronyd that for isolated
networks of computers, they will track the `majority vote' time. For
such isolated networks, chronyd requires one computer to be the
`master' with the others slaved to it. If the master has a particular
defective clock, the whole set of computers will tend to slip relative
to real time (but they will stay accurate relative to one
another).
{@tensf
This is the licence for the programs "chronyd" and "chronyc". Their source code files which reference this licence, object files / programs (binary form) built from such source code, and the supporting documentation are collectively referred to in this licence as "the Software".
Certain source code files required for the construction of the Software may be included under different licensing arrangements; you should refer to such source code files directly for further information. Any such files are outside the scope of this licence.
Person(s) and/or organisation(s) holding the copyright to any part of the source code to which this licence applies are referred to in this licence as "the Copyright Holder(s)".
Copying and use of this licence itself, with or without modification, are permitted for any purpose subject only to condition 6 below.
Copying, use and redistribution of the Software in source and/or binary forms, with or without modification, and use of any part of the Software in the creation of another work, are permitted without fee subject to the following conditions 1 through 8 and the disclaimer below :
== Start of disclaimer ==
BECAUSE THE SOFTWARE IS PROVIDED FREE OF CHARGE, THERE IS NO WARRANTY FOR IT, TO THE MAXIMUM EXTENT THAT APPLICABLE LAW ALLOWS. UNLESS OTHERWISE STATED IN WRITING OR REQUIRED BY APPLICABLE LAW, THE COPYRIGHT HOLDER(S) AND/OR OTHER PARTIES PROVIDE THE SOFTWARE `AS IS' AND DISCLAIM ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES THAT THE SOFTWARE IS FREE OF DEFECTS, MERCHANTABLE OR FIT FOR A PARTICULAR PURPOSE. THE USER BEARS THE ENTIRE RISK AS TO THE QUALITY, ACCURACY AND PERFORMANCE OF THE SOFTWARE AND THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION IN THE EVENT THAT THE SOFTWARE SHOULD PROVE DEFECTIVE.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE SOFTWARE, BE LIABLE TO YOU OR TO ANY OTHER PARTY FOR DAMAGES OF ANY CHARACTER, INCLUDING WITHOUT LIMITATION ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES WHICH ARISE FROM THE USE OF OR INABILITY TO USE THE SOFTWARE (INCLUDING WITHOUT LIMITATION LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH COPYRIGHT HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
== End of disclaimer ==
}
The software is distributed as source code which has to be compiled unless you have installed the Debian package, in which case it is already compiled and installed with a default configuration. The source code is supplied in the form of a gzipped tar file, which unpacks to a subdirectory identifying the name and version of the program.
After unpacking the source code, change directory into it, and type
./configure
This is a shell script that automatically determines the system type.
There is a single optional parameter, --prefix which indicates
the directory tree where the software should be installed. For example,
./configure --prefix=/opt/free
will install the chronyd daemon into /opt/free/sbin and the
chronyc control program into /opt/free/bin. The default value for the
prefix is /usr/local.
If the software cannot (yet) be built on your system, an error message will be shown. Otherwise, the files `options.h' and `Makefile' will be generated.
Now type
make
to build the programs.
Once the programs have been successfully compiled, they need to be installed in their target locations. This step normally needs to be performed by the superuser, and requires the following command to be entered.
make install
Now that the software is successfully installed, the next step is to set up a configuration file. The contents of this depend on the network environment in which the computer operates. The Debian package installs a simple configuration file suitable for a dial-up pc. You should edit it to suit your situation. Typical scenarios are described in the following section of the document.
In this section we discuss how to configure chrony for computers that have permanent connections to the internet (or to any network containing true NTP servers which ultimately derive their time from a reference clock).
To operate in this mode, you will need to know the names of the NTP server machines you wish to use. You may be able to find names of suitable servers by one of the following methods:
Assuming that you have found some servers, you need to set up a
configuration file to run chrony. The (compiled-in) default location
for this file is `/etc/chrony.conf'. In the Debian package the
configuration files are in the directory `/etc/chrony'. Assuming
that your ntp servers are called a.b.c and d.e.f, your
`chrony.conf' file could contain as a minimum
server a.b.c server d.e.f server g.h.i
However, you will probably want to include some of the other directives
described later. The following directives will be particularly useful :
driftfile, commandkey, keyfile. The smallest
useful configuration file would look something like
server a.b.c server d.e.f server g.h.i keyfile /etc/chrony.keys commandkey 1 driftfile /etc/chrony.drift
In this section we discuss how to configure chrony for computers that have occasional connections to the internet.
As in the previous section, you will need access to NTP servers on the internet. The same remarks apply for how to find them.
In this case, you will need some additional configuration to tell
chronyd when the connection to the internet goes up and down.
This saves the program from continuously trying to poll the servers when
they are inaccessible.
Again, assuming that your ntp servers are called a.b.c and
d.e.f, your `chrony.conf' file would need to contain
something like
server a.b.c server d.e.f server g.h.i
However, the following issues need to be addressed:
For this reason, it would be better to specify this part of your configuration file in the following way:
server 1.2.3.4 offline server 5.6.7.8 offline server 9.10.11.12 offline
Because numeric IP addresses have been used, the first problem is
overcome. The offline keyword indicates that the servers start
in an offline state, and that they should not be contacted until chronyd
receives notification that the link to the internet is present.
In order to notify chronyd of the presence of the link, you will
need to be able to log in to it with the program chronyc. To do this,
chronyd needs to be configured with an administrator password.
The Debian package puts a default key in `/etc/chrony/chrony.keys'.
You should change it. To set up an administrator password, you can
create a file `/etc/chrony.keys' containing a single line
1 xyzzy
and add the following line to `/etc/chrony.conf' (the order of the lines does not matter)
commandkey 1
The smallest useful configuration file would look something like
server 1.2.3.4 offline server 5.6.7.8 offline server 9.10.11.12 offline keyfile /etc/chrony.keys commandkey 1 driftfile /etc/chrony.drift
The next section describes how to tell chronyd when the internet link
goes up and down.
To use this option, you will need to configure a command key in
chronyd's configuration file `/etc/chrony.conf', as described in
the previous section.
To tell chronyd when to start and finish sampling the servers, the
online and offline commands of chronyc need to be used.
To give an example of their use, we assume that pppd is the
program being used to connect to the internet, and that chronyc has been
installed at its default location `/usr/local/bin/chronyc'. We
also assume that the command key has been set up as described in the
previous section.
In the file `/etc/ppp/ip-up' we add the command sequence
cat <<EOF | /usr/local/bin/chronyc password xyzzy online EOF
and in the file `/etc/ppp/ip-down' we add the sequence
cat <<EOF | /usr/local/bin/chronyc password xyzzy offline EOF
The Debian package puts scripts similar to those above in the directories `/etc/ppp/ip-up.d' and `/etc/ppp/ip-down.d'.
chronyd's polling of the servers will now only occur whilst the
machine is actually connected to the Internet.
In this section we discuss how to configure chrony for computers that never have network conectivity to any computer which ultimately derives its time from a reference clock.
In this situation, one computer is selected to be the master timeserver. The other computers are either direct clients of the master, or clients of clients.
The rate value in the master's drift file needs to be set to the average
rate at which the master gains or loses time. chronyd includes
support for this, in the form of the manual directive in the
configuration file and the settime command in the chronyc
program.
If the master is rebooted, chronyd can re-read the drift rate
from the drift file. However, the master has no accurate estimate of
the current time. To get around this, the system can be configured so
that the master can initially set itself to a `majority-vote' of
selected clients' times; this allows the clients to `flywheel' the
master across its outage.
A typical configuration file for the master (called master) might
be (assuming the clients are in the 192.168.165.x subnet and that the
master's address is 192.168.169.170)
driftfile /etc/chrony.drift commandkey 25 keyfile /etc/chrony.keys initstepslew 10 client1 client3 client6 local stratum 8 manual allow 192.168.165
For the clients that have to resynchronise the master when it restarts, the configuration file might be
server master driftfile /etc/chrony.drift logdir /var/log/chrony log measurements statistics tracking keyfile /etc/chrony.keys commandkey 24 local stratum 10 initstepslew 20 master allow 192.168.169.170
The rest of the clients would be the same, except that the local
and allow directives are not required.
This section considers the home computer which has a dial-up connection. It assumes that Linux is run exclusively on the computer. Dual-boot systems may work; it depends what (if anything) the other system does to the system's real-time clock.
Much of the configuration for this case is discussed earlier (see section Infrequent connection to true NTP servers). This section addresses specifically the case of a computer which is turned off between 'sessions'.
In this case, chronyd relies on the computer's real-time clock
(RTC) to maintain the time between the periods when it is powered up.
The arrangement is shown in the figure below.
trim if required PSTN
+---------------------------+ +----------+
| | | |
v | | |
+---------+ +-------+ +-----+ +---+
| System's| measure error/ |chronyd| |modem| |ISP|
|real-time|------------------->| |-------| | | |
| clock | drift rate +-------+ +-----+ +---+
+---------+ ^ |
| | |
+---------------------------+ --o-----o---
set time at boot up |
+----------+
|NTP server|
+----------+
When the computer is connected to the Internet (via the modem),
chronyd has access to external NTP servers which it makes
measurements from. These measurements are saved, and straight-line fits
are performed on them to provide an estimate of the computer's time
error and rate of gaining/losing time.
When the computer is taken offline from the Internet, the best estimate of the gain/loss rate is used to free-run the computer until it next goes online.
Whilst the computer is running, chronyd makes measurements of the
real-time clock (RTC) (via the `/dev/rtc' interface, which must be
compiled into the kernel). An estimate is made of the RTC error at a
particular RTC second, and the rate at which the RTC gains or loses time
relative to true time.
For kernels in the 2.0 series prior to 2.0.32, the kernel was set up to
trim the RTC every 11 minutes. This would be disasterous for
chronyd -- there is no reliable way of synchronising with this
trimming. For this reason, chronyd only supports the RTC in 2.0
kernels from v2.0.32 onwards. (I don't know anything about the kernel's
RTC behaviour in other kernel series).
When the computer is powered down, the measurement histories for all the
NTP servers are saved to files (if the dumponexit directive is
specified in the configuration file), and the RTC tracking information
is also saved to a file (if the rtcfile directive has been
specified). These pieces of information are also saved if the
dump and writertc commands respectively are issued through
chronyc.
When the computer is rebooted, chronyd reads the current RTC time
and the RTC information saved at the last shutdown. This information is
used to set the system clock to the best estimate of what its time would
have been now, had it been left running continuously. The measurement
histories for the servers are then reloaded.
The next time the computer goes online, the previous sessions' measurements can contribute to the line-fitting process, which gives a much better estimate of the computer's gain/loss rate.
One problem with saving the measurements and RTC data when the machine
is shut down is what happens if there is a power failure; the most
recent data will not be saved. Although chronyd is robust enough
to cope with this, some performance may be lost. (The main danger
arises if the RTC has been changed during the session, with the
trimrtc command in chronyc. Because of this,
trimrtc will make sure that a meaningful RTC file is saved out
after the change is completed).
The easiest protection against power failure is to put the dump
and writertc commands in the same place as the offline
command is issued to take chronyd offline; because chronyd
free-runs between online sessions, no parameters will change
significantly between going offline from the Internet and any power
failure.
A final point regards home computers which are left running for extended
periods and where it is desired to spin down the hard disc when it is
not in use (e.g. when not accessed for 15 minutes). chronyd has
been planned so it supports such operation; this is the reason why the
RTC tracking parameters are not saved to disc after every update, but
only when the user requests such a write, or during the shutdown
sequence. The only other facility that will generate periodic writes to
the disc is the log rtc facility in the configuration file; this
option should not be used if you want your disc to spin down.
To illustrate how a dial-up home computer might be configured, example configuration files are shown in this section.
For the `/etc/chrony.conf' file, the following can be used as an
example. NOTE : The server directives are only applicable
to customers of Demon Internet; users of other ISPs will need to use
their own ISP's NTP servers or public NTP servers.
server 158.152.1.65 minpoll 5 maxpoll 10 maxdelay 0.4 offline server 158.152.1.76 minpoll 5 maxpoll 10 maxdelay 0.4 offline server 194.159.253.2 minpoll 5 maxpoll 10 maxdelay 0.4 offline logdir /var/log/chrony log statistics measurements tracking driftfile /etc/chrony.drift keyfile /etc/chrony.keys commandkey 25 maxupdateskew 100.0 dumponexit dumpdir /var/log/chrony rtcfile /etc/chrony.rtc
I use pppd for connecting to my ISP. This runs two scripts
`/etc/ppp/ip-up' and `/etc/ppp/ip-down' when the link goes
online and offline respectively.
The relevant part of the `/etc/ppp/ip-up' file is (with a dummy password)
cat <<EOF | /usr/local/bin/chronyc password xxxxxxxx online EOF
and the relevant part of the `/etc/ppp/ip-down' script is
cat <<EOF | /usr/local/bin/chronyc password xxxxxxxx offline dump writertc EOF
(Because they have to contain the administrator password, it would be desirable to make the files readable only by root on a multiuser machine).
To start chronyd during the boot sequence, I have the following
in `/etc/rc.d/rc.local' (this is a Slackware system)
if [ -f /usr/local/sbin/chronyd -a -f /etc/chrony.conf ]; then /usr/local/sbin/chronyd -r -s echo "Start chronyd" fi
The Debian package puts a script which handles this and shutdown in `/etc/init.d/chrony'.
The placement of this command may be important on some systems. In
particular, chronyd may need to be started several seconds (about
10 as a minimum) before any software that depends on the system clock
not jumping or moving backwards, depending on the directives in
chronyd's configuration file.
For the system shutdown, chronyd should receive a SIGTERM several
seconds before the final SIGKILL; the SIGTERM causes the measurement
histories and RTC information to be saved out. There should be no need
to add anything to the shutdown sequence, unless (as my system had)
there is no pause between the SIGTERM and SIGKILL being delivered to the
remaining processes. So if you find something like
killall5 -15 killall5 -9
in your /etc/rc.d/rc.0 script, you will need to insert a sleep, e.g.
killall5 -15 sleep 5 killall5 -9
Otherwise, chronyd will not always save information on shutdown,
which could be a problem if you don't use dump and
writertc when you go offline.
The most common option to include in the configuration file is the
driftfile option. One of the major tasks of chronyd is to
work out how fast or how slow the system clock runs relative to real
time - e.g. in terms of seconds gained or lost per day. Measurements
over a long period are usually required to refine this estimate to an
acceptable degree of accuracy. Therefore, it would be bad if
chronyd had to work the value out each time it is restarted,
because the system clock would not run so accurately whilst the
determination is taking place.
To avoid this problem, chronyd allows the gain or loss rate to be
stored in a file, which can be read back in when the program is
restarted. This file is called the drift file, and might typically be
stored in `/etc/chrony.drift'. By specifying an option like the
following
driftfile /etc/chrony.drift
in the configuration file (`/etc/chrony.conf'), the drift file facility will be activated.
If chronyd has been installed to its default location
`/usr/local/sbin/chronyd', starting it is simply a matter of
entering the command
/usr/local/sbin/chronyd
The Debian package uses `/usr/sbin/chronyd'.
Information messages and warnings will be logged to syslog.
The command line options supported are as follows:
-d
-f <conf-file>
-r
dump command in
chronyc, or by setting the dumponexit directive in the
configuration file. This option is useful if you want to stop and
restart chronyd briefly for any reason, e.g. to install a new
version. However, it only makes sense on systems where the kernel can
maintain clock compensation whilst not under chronyd's control.
The only version where this happens so far is Linux. On systems where
this is not the case, e.g. Solaris and SunOS the option should not be
used.
-s
rtcfile directive (see section rtcfile).
If chronyd cannot support the real time clock on your computer,
this option cannot be used and a warning message will be logged to the
syslog.
If used in conjunction with the `-r' flag, chronyd will attempt
to preserve the old samples after setting the system clock from the real
time clock. This can be used to allow chronyd to perform long
term averaging of the gain or loss rate across system reboots, and is
useful for dial-up systems that are shut down when not in use. For this
to work well, it relies on chronyd having been able to determine
accurate statistics for the difference between the real time clock and
system clock last time the computer was on.
-v
chronyd's version number to the terminal and
exits.
On systems that support an `/etc/rc.local' file for starting
programs at boot time, chronyd can be started from there.
On systems with a System V style initialisation (e.g. Solaris), a suitable start/stop script might be as shown below. This might be placed in the file `/etc/rc2.d/S83chrony'.
#!/bin/sh
# This file should have uid root, gid sys and chmod 744
#
killproc() { # kill the named process(es)
pid=`/usr/bin/ps -e |
/usr/bin/grep -w $1 |
/usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
[ "$pid" != "" ] && kill $pid
}
case "$1" in
'start')
if [ -f /opt/free/sbin/chronyd -a -f /etc/chrony.conf ]; then
/opt/free/sbin/chronyd
fi
;;
'stop')
killproc chronyd
;;
*)
echo "Usage: /etc/rc2.d/S83chrony { start | stop }"
;;
esac
(In both cases, you may want to bear in mind that chronyd can
step the time when it starts. There may be other programs started at
boot time that could be upset by this, so you may need to consider the
ordering carefully. However, chronyd will need to start after
daemons providing services that it may require, e.g. the domain name
service.)
The configuration file is normally called `/etc/chrony.conf'; in fact, this is the compiled-in default. However, other locations can be specified with a command line option.
Each command in the configuration file is placed on a separate line. The following sections describe each of the commands in turn. The directives can occur in any order in the file.
The allow command is used to designate a particular subnet from
which NTP clients are allowed to access the computer as an NTP server.
The default is that no clients are allowed access, i.e. chronyd
operates purely as an NTP client. If the allow directive is
used, chronyd will be both a client of its servers, and a server
to other clients.
Examples of use of the command are as follows:
allow foo.bar.com allow 1.2 allow 3.4.5 allow
The first command allows the named host to be an NTP client of this computer. The second command allows any host with an IP address of the form 1.2.x.y (with x and y arbitrary) to be an NTP client of this computer. Likewise, the third command allows any host with an IP address of the form 3.4.5.x to have client NTP access. The fourth form allows access by any node on the entire Internet.
A second form of the directive, allow all, has a greater effect,
depending on the ordering of directives in the configuration file. To
illustrate the effect, consider the two examples
allow 1.2.3.4 deny 1.2.3 allow 1.2
and
allow 1.2.3.4 deny 1.2.3 allow all 1.2
In the first example, the effect is the same regardles of what order the three directives are given in. So the 1.2.x.y subnet is allowed access, except for the 1.2.3.x subnet, which is denied access, however the host 1.2.3.4 is allowed access.
In the second example, the allow all 1.2 directives overrides the
effect of any previous directive relating to a subnet within the
specified subnet. Within a configuration file this capability is
probably rather moot; however, it is of greater use for reconfiguration
at run-time via chronyc (see section allow all).
Note, if the initstepslew directive (see section initstepslew) is used in the configuration file, each of the computers
listed in that directive must allow client access by this computer for
it to work.
The commandkey command is used to set the key number used for authenticating user commands via the chronyc program at run time. This allows certain actions of the chronyc program to be restricted to administrators.
An example of the commandkey command is
commandkey 20
In the key file (see the keyfile command) there should be a line of the form
20 foobar
When running the chronyc program to perform run-time configuration, the command
password foobar
must be entered before any commands affecting the operation of the daemon can be entered.
The cmdport directive allows the port that is used for run-time
command and monitoring (via the program chronyc) to be altered
from its default (323/udp).
An example shows the syntax
cmdport 257
This would make chronyd use 257/udp as its command port.
(chronyc would need to be run with the -p 257 switch to
inter-operate correctly).
This is similar to the allow directive (see section allow),
except that it denies NTP client access to a particular subnet or host,
rather than allowing it.
The syntax is identical.
There is also a deny all directive with similar behaviour to the
allow all directive.
One of the main activities of the chronyd program is to work out
the rate at which the system clock gains or loses time relative to real
time.
Whenever chronyd computes a new value of the gain/loss rate, it
is desirable to record it somewhere. This allows chronyd to
begin compensating the system clock at that rate whenever it is
restarted, even before it has had a chance to obtain an equally good
estimate of the rate during the new run. (This process may take many
minutes, at least).
The driftfile command allows a file to be specified into which
chronyd can store the rate information. Two parameters are
recorded in the file. The first is the rate at which the system clock
gains or loses time, expressed in parts per million, with gains
positive. Therefore, a value of 100.0 indicates that when the system
clock has advanced by a second, it has gained 100 microseconds on
reality (so the true time has only advanced by 999900 microseconds).
The second is an estimate of the error bound around the first value in
which the true rate actually lies.
An example of the driftfile command is
driftfile /etc/chrony.drift
To compute the rate of gain or loss of time, chronyd has to store
a measurement history for each of the time sources it uses.
Certain systems (so far only Linux) have operating system support for
setting the rate of gain or loss to compensate for known errors. (On
other systems, chronyd must simulate such a capability by
periodically slewing the system clock forwards or backwards by a
suitable amount to compensate for the error built up since the previous
slew).
For such systems, it is possible to save the measurement history across
restarts of chronyd (assuming no changes are made to the system
clock behaviour whilst it is not running). If this capability is to be
used (via the dumponexit command in the configuration file, or the dump
command in chronyc), the dumpdir command should be used to define the
directory where the measurement histories are saved.
An example of the command is
dumpdir /var/log/chrony
A source whose IP address is 1.2.3.4 would have its measurement history saved in the file `/var/log/chrony/1.2.3.4.dat'.
If this command is present, it indicates that chronyd should save
the measurement history for each of its time sources recorded whenever
the program exits. (See the dumpdir command above).
In normal operation, chronyd always slews the time when it needs to
adjust the system clock. For example, to correct a system clock which
is 1 second slow, chronyd slightly increases the amount by which the
system clock is advanced on each clock interrupt, until the error is
removed. (Actually, this is done by calling the adjtime() or
similar system function which does it for us.) Note that at no time
does time run backwards with this method.
On most Unix systems it is not desirable to step the system clock, because many programs rely on time advancing monotonically forwards.
When the chronyd daemon is initially started, it is possible that the
system clock is considerably in error. Attempting to correct such an
error by slewing may not be sensible, since it may take several hours
to correct the error by this means.
The purpose of the initstepslew directive is to allow chronyd to
make a rapid measurement of the system clock error at boot time, and to
correct the system clock by stepping before normal operation begins.
Since this would normally be performed only at an appropriate point in
the system boot sequence, no other software should be adversely affected
by the step.
If the correction required is less than a specified threshold, a slew is
used instead. This makes it easier to restart chronyd whilst the
system is in normal operation.
The initstepslew directive takes a threshold and a list of NTP
servers as arguments. A maximum of 8 will be used. Each of the servers
is rapidly polled several times, and a majority voting mechanism used to
find the most likely range of system clock error that is present. A
step (or slew) is applied to the system clock to correct this error.
chronyd then enters its normal operating mode (where only slews are
used).
An example of use of the command is
initstepslew 30 foo.bar.com baz.quz.com
where 2 NTP servers are used to make the measurement. The 30
indicates that if the system's error is found to be 30 seconds or less,
a slew will be used to correct it; if the error is above 30 seconds, a
step will be used.
The initstepslew directive can also be used in an isolated LAN
environment, where the clocks are set manually. The most stable
computer is chosen as the master, and the other computers are slaved to
it. If each of the slaves is configured with the local option (see
below), the master can be set up with an initstepslew directive
which references some or all of the slaves. Then, if the master machine
has to be rebooted, the slaves can be relied on to 'flywheel' the time
for the master.
This command is used to specify the location of the file containing ID/key pairs for the following 2 uses:
The format of the command is shown in the example below
keyfile /etc/chrony.keys
The argument is simply the name of the file containing the ID/key pairs. The format of the file is shown below
10 tulip 11 hyacinth 20 crocus 25 iris ...
Each line consists of an ID and a password. The ID can be any unsigned integer in the range 0 through 2**32-1. The password can be any string of characters not containing a space.
For NTP use, the MD5 authentication scheme is always used. This must be
borne in mind if chronyd is to inter-operate in authenticated
mode with xntpd running on other computers.
The ID for the chronyc authentication key is specified with the commandkey command (see earlier).
The local keyword is used to allow chronyd to appear synchronised
to real time (from the viewpoint of clients polling it), even if it has
no current synchronisation source.
This option is normally used on computers in an isolated network, where several computers are required to synchronise to one other, this being the "master" which is kept vaguely in line with real time by manual input.
An example of the command is
local stratum 10
The value 10 may be substituted with other values in the range 1 through 15. Stratum 1 indicates a computer that has a true real-time reference directly connected to it (e.g. GPS, atomic clock etc) – such computers are expected to be very close to real time. Stratum 2 computers are those which have a stratum 1 server; stratum 3 computers have a stratum 2 server and so on.
A large value of 10 indicates that the clock is so many hops away from a reference clock that its time is fairly unreliable. Put another way, if the computer ever has access to another computer which is ultimately synchronised to a reference clock, it will almost certainly be at a stratum less than 10. Therefore, the choice of a high value like 10 for the local command prevents the machine's own time from ever being confused with real time, were it ever to leak out to clients that have visibility of real servers.
The log command indicates that certain information is to be logged.
measurements
statistics
tracking
rtc
The files are written to the directory specified by the logdir command.
An example of the command is
log measurements statistics tracking
An example line (which actually appears as a single line in the file) from the measurements log file is shown below.
22Jul98 05:40:50 158.152.1.76 N 8 1111 11 1111 10 10 1 \ -4.966e-03 2.296e-01 1.577e-05 1.615e-01 7.446e-03
The columns are as follows (the quantities in square brackets are the values from the example line above) :
N means normal, - means that the last minute
of today has 61 seconds, + means that the last minute of the day
has 59 seconds, ? means the remote computer is not currently
synchronised.) [N]
A banner is periodically written to the log file to indicate the meanings of the columns.
An example line (which actually appears as a single line in the file) from the measurements log file is shown below.
22Jul98 05:40:50 158.152.1.76 6.261e-03 -3.247e-03 \
2.220e-03 1.874e-06 1.080e-06 7.8e-02 16 0 8
The columns are as follows (the quantities in square brackets are the values from the example line above) :
A banner is periodically written to the log file to indicate the meanings of the columns.
An example line (which actually appears as a single line in the file) from the measurements log file is shown below.
22Jul98 05:40:50 158.152.1.76 3 340.529 1.606 1.046e-03
The columns are as follows (the quantities in square brackets are the values from the example line above) :
A banner is periodically written to the log file to indicate the meanings of the columns.
An example line (which actually appears as a single line in the file) from the measurements log file is shown below.
22Jul98 05:40:50 -0.037360 1 -0.037434\
-37.948 12 5 120
The columns are as follows (the quantities in square brackets are the values from the example line above) :
gettimeofday()) time. In seconds, positive indicates that the
RTC is fast of the system time. [-0.037360].
A banner is periodically written to the log file to indicate the meanings of the columns.
This command allows the directory where log files are written to be specified.
An example of the use of this command is
logdir /var/log/chrony
The manual directive enables support at run-time for the
settime command in chronyc (see section settime). If no
manual directive is included, any attempt to use the
settime command in chronyc will be met with an error message.
Note that the settime command can be enabled at run-time using
the manual command in chronyc (see section manual). (The
idea of the two commands is that the manual command controls the
manual clock driver's behaviour, whereas the settime command
allows samples of manually entered time to be provided).
One of chronyd's tasks is to work out how fast or slow the computer's
clock runs relative to its reference sources. In addition, it computes
an estimate of the error bounds around the estimated value.
If the range of error is too large, it probably indicates that the measurements have not settled down yet, and that the estimated gain or loss rate is not very reliable.
The maxupdateskew parameter allows the threshold for determining
whether an estimate may be so unreliable that it should not be used.
The syntax is
maxupdateskew <skew-in-ppm>
Typical values for <skew-in-ppm> might be 100 for a dial-up connection to servers over a phone line, and 5 or 10 for a computer on a LAN.
It should be noted that this is not the only means of protection against
using unreliable estimates. At all times, chronyd keeps track of
both the estimated gain or loss rate, and the error bound on the
estimate. When a new estimate is generated following another
measurement from one of the sources, a weighted combination algorithm is
used to update the master estimate. So if chronyd has an existing
highly-reliable master estimate and a new estimate is generated which
has large error bounds, the existing master estimate will dominate in
the new master estimate.
The syntax of this directive is identical to that for the server
directive (see section server), except that it is used to specify
an NTP peer rather than an NTP server.
This option allows you to configure the port used for the NTP service on your machine.
The compiled in default is udp/123, the standard NTP port. It is unlikely that you would ever need to change this value. A possible exception would be if you wanted to operate strictly in client-only mode and never be available as a server to xntpd clients.
An example of the port command is
port 11123
This would change the NTP port served by chronyd on the computer to udp/11123.
The rtcfile directive defines the name of the file in which
chronyd can save parameters associated with tracking the accuracy
of the system's real-time clock (RTC).
The syntax is illustrated in the following example
rtcfile /etc/chrony.rtc
chronyd saves information in this file when it exits and when the
writertc command is issued in chronyc. The information
saved is the RTC's error at some epoch, that epoch (in seconds since
January 1 1970), and the rate at which the RTC gains or loses time.
So far, the support for real-time clocks is limited - their code is even
more system-specific than the rest of the software. You can only use
the real time clock facilities (the rtcfile directive and the
-s command line option to chronyd) if the following three
conditions apply:
chronyd assumes by default that the real time clock (RTC) keeps
local time (including any daylight saving changes). This is convenient
on PCs running Linux which are dual-booted with DOS or Windows.
An alternative is for the RTC to keep Universal Coordinated Time (UTC).
If the rtconutc directive appears, it means the RTC is required
to keep UTC. The directive takes no arguments. It is equivalent to
specifying the -u switch to the Linux `/sbin/clock' program.
The server directive allows NTP servers to be specified. The
client/server relationship is strictly hierarchical : a client may
synchronise its system time to that of the server, but the server's
system time will never be influenced by that of a client.
The server directive is immediately followed by either the name
of the server, or its IP address in dotted-quad notation. The server
command also supports a number of subfields (which may be defined in any
order):
port
minpoll
chronyd will trim the rate at which it samples the
server during normal operation, the user may wish to constrain the
minimum polling interval. This is always defined as a power of 2, so
<tt/minpoll 5/ would mean that the polling interval cannot drop below 32
seconds. The default is 6 (64 seconds).
maxpoll
maxdelay
chronyd uses the network round-trip delay to the server to
determine how accurate a particular measurement is likely to be. Long
round-trip delays indicate that the request, or the response, or both
were delayed. If only one of the messages was delayed the measurement
error is likely to be substantial.
For small variations in round trip delay, chronyd uses a
weighting scheme when processing the measurements. However, beyond a
certain level of delay the measurements are likely to be so corrupted as
to be useless. (This is particularly so on dial-up or other slow links,
where a long delay probably indicates a highly asymmetric delay caused
by the response waiting behind a lot of packets related to a download of
some sort).
If the user knows that round trip delays above a certain level should
cause the measurement to be ignored, this level can be defined with the
maxdelay command. For example, <tt/maxdelay 0.3/ would indicate that
measurements with a round-trip delay of 0.3 seconds or more should be
ignored.
maxdelayratio
chronyd
keeps a record of the minimum round-trip delay amongst the previous
measurements that it has buffered. If a measurement has a round trip
delay that is greater than the maxdelayratio times the minimum delay, it
will be rejected.
presend
chronyd are the only
network data passing between two computers, you may find that some
measurements are badly skewed due to either the client or the server
having to do an ARP lookup on the other party prior to transmitting a
packet. This is more of a problem with long sampling intervals, which
may be similar in duration to the lifetime of entries in the ARP caches
of the machines.
In order to avoid this problem, the presend option may be used.
It takes a single integer argument, which is the smallest polling
interval for which a pair of packets will be exchanged between the
client and the server prior to the actual measurement being initiated by
the client. For example, with the following option included in a
server directive :
presend 9when the polling interval is 512 seconds or more, a UDP echo datagram will be sent to the server a short time (currently 4 seconds) before the NTP client mode datagram.
key
chronyd will attempt to use
authenticated packets when communicating with this server. The key
number used will be the single argument to the key option. The server
must have the same password for this key number configured, otherwise no
relationship between the computers will be possible.
offline
chronyd is started, the
offline option may be specified. chronyd will not try to poll
the server until it is enabled to do so (by using the online option of
chronyc).
Chronyc is the program that can be used to reconfigure options within
the chronyd program whilst it is running. Chronyc can also be
used to generate status reports about the operation of chronyd.
The program chronyc is run by entering
chronyc
at the command line. The prompt chronyc is displayed whilst
chronyc is expecting input from the user, when it is being run from a
terminal. If chronyc's input or output are redirected from/to a file,
the prompt is ow shown.
When you are finished entering commands, the commands exit or
quit will terminate the program. (Entering Control-D will
also terminate the program.)
Chronyc supports the following command line options.
-v
-h <host>
chronyd program is to be contacted. This allows for remote
configuration, without having to telnet or rlogin to the other host
first.
The default is to contact chronyd running on the same host as
that where chronyc is being run.
-p <port>
chronyd is using for its command & monitoring connections.
This defaults to the compiled-in default; there would rarely be a need
to change this.
Many of the commands available through chronyc have a fair amount of
power to reconfigure the run-time behaviour of chronyd. Consequently,
chronyc is quite dangerous for the integrity of the target
system's clock performance. Having access to chronyd via chronyc is
more or less equivalent to being able to modify chronyd's configuration
file (typically `/etc/chrony.conf') and to restart chronyd.
Chronyc also provides a number of monitoring (as opposed to commanding)
commands, which will not affect the behaviour of chronyd. However, you
may still want to restrict access to these commands.
In view of this, access to some of the capabilities of chronyc will usually be tightly controlled. There are two mechanisms supported:
chronyd will accept commands can be
restricted. By default, commands will only be accepted from the same
host that chronyd is running on.
chronyd's
behaviour requires the user of chronyc to know a password. This
password is specified in chronyd's keys file (see section keyfile)
and specified via the commandkey option in its configuration file
(see section commandkey).
Only the following commands can be used without providing a password:
exit
help
password
quit
rtcdata
sources
sourcestats
tracking
All other commands require a password to have been specified previously,
because they affect chronyd's operation.
This section describes each of the commands available within the chronyc program. Chronyc offers the user a simple command-line driven interface.
This command allows you to check whether client NTP access is allowed from a particular host.
Examples of use, showing a named host and a numeric IP address, are as follows:
accheck a.b.c accheck 1.2.3.4
This command can be used to examine the effect of a series of
allow, allow all, deny and deny all commands
specified either via chronyc, or in chronyd's configuration file.
The add peer command allows a new NTP peer to be added whilst
chronyd is running.
Following the words add peer, the syntax of the following
parameters and options is identical to that for the peer
directive in the configuration file (see section peer).
An example of using this command is shown below.
add peer foo.bar.com minpoll 6 maxpoll 10 authkey 25
The add server command allows a new NTP server to be added whilst
chronyd is running.
Following the words add server, the syntax of the following
parameters and options is identical to that for the server
directive in the configuration file (see section server).
An example of using this command is shown below.
add server foo.bar.com minpoll 6 maxpoll 10 authkey 25
The effect of the allow command is identical to the allow directive in
the configuration file (see section allow).
The syntax is illustrated in the following examples:
allow foo.bar.com allow 1.2 allow 3.4.5
The effect of the allow command is identical to the allow all
directive in the configuration file (see section allow).
The burst command tells chronyd to make a set of measurements to
each of its sources over a short duration (rather than the usual
periodic measurements that it makes). After such a burst, chronyd will
revert to the previous state for each source. This might be either
online, if the source was being periodically measured in the normal way,
or offline, if the source had been indicated as being offline.
(Switching a source between the online and offline states is described
in section online, section offline).
The syntax of the burst command is as follows
burst <n-good-measurements>/<max-measurements> [<mask>/<masked-address>]
The mask and masked-address arguments are optional, in which case
chronyd will initiate a burst for all of its currently defined sources.
The arguments have the following meaning and format.
n-good-measurements
chronyd will want to
obtain from each source. A measurement is good if it passes certain
tests, for example, the round trip time to the source must be
acceptable. (This allows chronyd to reject measurements that are likely
to be bogus.)
max-measurements
chronyd will
attempt to make, even if the required number of good measurements has
not been obtained.
mask
255.255.255.0) with which
the IP address of each of chronyd's sources is to be masked.
masked-address
1.2.3.0). If the masked IP
address of a source matches this value then the burst command is applied
to that source.
If no mask or masked address arguments are provided, the default is
0.0.0.0 and 0.0.0.0 respectively, which will match every
source.
An example of the two-argument form of the command is
burst 2/10
This will cause chronyd to attempt to get two good measurements from
each source, stopping after two have been obtained, but in no event will
it try more than ten probes to the source.
An example of the four-argument form of the command is
burst 2/10 255.255.0.0/1.2.0.0
In this case, the two out of ten sampling will only be applied to
sources whose IP addresses are of the form 1.2.x.y, where x and y
are arbitrary.
This command is similar to the accheck command, except that it is
used to check whether command access is permitted from a named host.
Examples of use are as follows:
cmdaccheck a.b.c cmdaccheck 1.2.3.4
This is similar to the allow command, except that it is used to
allow particular hosts or subnets to use the chronyc program to interact
with chronyd on the current host.
This is similar to the allow all command, except that it is used to
allow particular hosts or subnets to use the chronyc program to interact
with chronyd on the current host.
This is similar to the deny command, except that it is used to
allow particular hosts or subnets to use the chronyc program to interact
with chronyd on the current host.
This is similar to the deny all command, except that it is used
to allow particular hosts or subnets to use the chronyc program to
interact with chronyd on the current host.
The cyclelogs command causes all of chronyd's open log
files to be closed and re-opened. This allows them to be renamed so
that they can be periodically purged. An example of how to do this is shown below.
% mv /var/log/chrony/measurements.log /var/log/chrony/measurements1.log % chronyc chronyc> password aardvark 200 OK chronyc> cyclelogs 200 OK chronyc> exit % ls -l /var/log/chrony -rw-r--r-- 1 root root 0 Jun 8 18:17 measurements.log -rw-r--r-- 1 root root 12345 Jun 8 18:17 measurements1.log
The delete command allows an NTP server or peer to be removed
from the current set of sources.
The syntax is illustrated in the examples below.
delete foo.bar.com delete 1.2.3.4
There is one parameter, the name or IP address of the server or peer to be deleted.
The effect of the allow command is identical to the deny
directive in the configuration file (see section deny).
The syntax is illustrated in the following examples:
deny foo.bar.com deny 1.2 deny 3.4.5
The effect of the allow command is identical to the deny all
directive in the configuration file (see section deny).
The dump command causes chronyd to write its current history of
measurements for each of its sources to dump files, either for
inspection or to support the -r option when chronyd is restarted.
The dump command is somewhat equivalent to the dumponexit
directive in the chrony configuration file. See section dumponexit.
To use the dump, you probably want to configure the name of the
directory into which the dump files will be written. This can only be
done in the configuration file, see section dumpdir.
The exit command exits from chronyc and returns the user to the shell (same as the quit command).
The help command displays a summary of the commands and their arguments.
The local command allows chronyd to be told that it is to appear
as a reference source, even if it is not itself properly synchronised to
an external source. (This can be used on isolated networks, to allow
one computer to be a master time server with the other computers slaving
to it.) The local command is somewhat equivalent to the
local directive in the configuration file, see section local.
The syntax is as shown in the following examples.
local stratum 10 local off
The first example enables the local reference mode on the host, and sets the stratum at which it should claim to be synchronised.
The second example disables the local reference mode.
The manual command enables and disables use of the settime
command (see section settime), and is used to modify the behaviour
of the manual clock driver.
Examples of the command are shown below.
manual on manual off manual reset
The first form of the command enables use of the settime command.
The second form of the command disables use of the settime
command.
When a time is entered with the settime command, the current time
and machine clock error are stored within chronyd. When another time is
entered later, the rate of gain or loss of the machine clock is computed
and used to adjust the running speed of the machine clock.
If you want to correct the machine time without this rate compensation
being performed, use the third form of the manual command first.
This will purge any previous measurements stored within chronyd.
This allows the maxdelay option for one of the sources to be
modified, in the same way as specifying the maxdelay option for
the server directive in the configuration file (see section server).
The following examples illustrate the syntax
maxdelay foo.bar.com 0.3 maxdelay 1.2.3.4 0.0015
The first example sets the maximum network delay allowed for a
measurement to the host foo.bar.com to 0.3 seconds. The second
example sets the maximum network delay for a measurement to the host
with IP address 1.2.3.4 to 1.5 milliseconds.
(Any measurement whose network delay exceeds the specified value is discarded.)
This allows the maxdelayratio option for one of the sources to be
modified, in the same way as specifying the maxdelayratio option
for the server directive in the configuration file (see section server).
The following examples illustrate the syntax
maxdelayratio foo.bar.com 1.5 maxdelayratio 1.2.3.4 2.0
The first example sets the maximum network delay for a measurement to
the host foo.bar.com to be 1.5 times the minimum delay found
amongst the previous measurements that have been retained. The second
example sets the maximum network delay for a measurement to the host
with IP address 1.2.3.4 to be double the retained minimum.
As for maxdelay, any measurement whose network delay is too large
will be discarded.
The maxpoll command is used to modify the minimum polling
interval for one of the current set of sources. It is equivalent to the
maxpoll option in the server directive in the
configuration file (see section server).
The syntax is as follows
maxpoll <host> <new-maxpoll>
where the host can be specified as either a machine name or dotted-quad IP address. The new minimum poll is specified as a base-2 logarithm of the number of seconds between polls (e.g. specify 6 for 64 second sampling).
An example is
maxpoll foo.bar.com 10
which sets the maximum polling interval for the host foo.bar.com
to 1024 seconds.
Note that the new maximum polling interval only takes effect after the next measurement has been made.
This command has the same effect as the maxupdateskew directive
in the configuration file, see section maxupdateskew.
The minpoll command is used to modify the minimum polling
interval for one of the current set of sources. It is equivalent to the
minpoll option in the server directive in the
configuration file (see section server).
The syntax is as follows
minpoll <host> <new-minpoll>
where the host can be specified as either a machine name or dotted-quad IP address. The new minimum poll is specified as a base-2 logarithm of the number of seconds between polls (e.g. specify 6 for 64 second sampling).
An example is
minpoll foo.bar.com 5
which sets the minimum polling interval for the host foo.bar.com
to 32 seconds.
Note that the new minimum polling interval only takes effect after the next measurement has been made.
The offline command is used to warn chronyd that the network
connection to a particular host or hosts is about to be lost. It should
be used on computers with a dial-up or similar connection to their time
sources, to warn chronyd that the connection is about to be broken.
An example of how to use offline in this case is shown in
section How to tell chronyd when the internet link is available..
Another case where offline could be used is where a computer
serves time to a local group of computers, and has a permanant
connection to true time servers outside the organisation. However, the
external connection is heavily loaded at certain times of the day and
the measurements obtained are less reliable at those times. In this
case, it is probably most useful to determine the gain/loss rate during
the quiet periods and let the whole network coast through the loaded
periods. The offline and online commands can be used to
achieve this. The situation is shown in the figure below.
+----------+
|Ext source|
+----------+
|
|
|/| <-- Link with variable
| reliability
|
+-------------------+
|Local master server|
+-------------------+
|
+---+---+-----+-----+----+----+
| | | | | | |
Local clients
If the source to which chronyd is currently synchronised is indicated
offline in this way, chronyd will continue to treat it as the
synchronisation source. If the network connection were broken without
the offline command being used, chronyd would assume that the
source had failed and would attempt to pick another synchronisation
source.
There are two forms of the offline command. The first form is a
wildcard, meaning all sources. The second form allows a IP address mask
and a masked address to be specified. These forms are illustrated below.
offline offline 255.255.255.0/1.2.3.0
The second form means that the offline command is to be applied
to any source whose IP address is in the 1.2.3 subnet. (The host's
address is logically and-ed with the mask, and if the result matches the
masked-address the host is processed).
The wildcard form of the address is actually equivalent to
offline 0.0.0.0/0.0.0.0
The online command is opposite in function to the offline
command. It is used to advise chronyd that network connectivity to a
particular source or sources has been restored.
The syntax is identical to that of the offline command, see
section offline.
The password command is used to allow chronyc to send privileged
commands to chronyd. The password can either be entered on the command
line, or can be entered without echoing. The syntax for entering the
password on the command line is as follows
password xyzzy
To enter the password without it being echoed, enter
password
The computer will respond with a `Password:' prompt, at which you should enter the password and press return. (Note that the no-echo mode is limited to 8 characters on SunOS 4.1 due to limitations in the system library. Other systems do not have this restriction.)
The password is any string of characters not containing whitespace. It
has to match chronyd's currently defined command key (see section commandkey).
The quit command exits from chronyc and returns the user to the shell (same as the exit command).
The rtcdata command displays the current real time clock RTC parameters.
An example output is shown below.
RTC ref time (GMT) : Sat May 30 07:25:56 1998 Number of samples : 10 Number of runs : 5 Sample span period : 549 RTC is fast by : -1.632736 seconds RTC gains time at : -107.623 ppm
The fields have the following meaning
RTC ref time (GMT)
Number of samples
Number of runs
Sample span period
RTC is fast by
trimrtc command to bring the RTC
into line with the system clock. (Note, a large error will not affect
chronyd's operation, unless it becomes so big as to start causing
rounding errors.
RTC gains time at
The settime command allows the current time to be entered
manually, if this option has been configured into chronyd. (It may be
configured either with the manual directive in the configuration
file (see section manual), or with the manual command of
chronyc (see section manual).
It should be noted that the computer's sense of time will only be as accurate as the reference you use for providing this input (e.g. your watch), as well as how well you can time the press of the return key. When inputting time to an isolated network, I have a battery operated alarm clock that is synchronised to the Rugby MSF time signal in the UK.
Providing your computer's time zone is set up properly, you will be able to enter a local time (rather than UTC).
The response to a successful settime command indicates the amount
that the computer's clock was wrong. It should be apparent from this if
you have entered the time wrongly, e.g. with the wrong time zone.
The software always allows you to enter the time again, replacing the measurement you just entered, for example if you realise that it was wrong. You are given a 5 minute period for doing this.
The time is parsed by the public domain `getdate' algorithm. Consequently, you can only specify time to the nearest second.
Examples of inputs that are valid are shown below.
settime 16:30 settime 16:30:05 settime Nov 21, 1997 16:30:05
For a full description of getdate, get hold of the getdate
documentation (bundled, for example, with the source for GNU tar).
This command displays information about the current time sources that
chronyd is accessing. It takes no arguments.
210 Number of sources = 3 MS Name/IP address Str Poll LastRx Last sample =================================================================== ^+ a.b.c 3 6 47m -9491us[-6983us] +/- 159ms ^+ d.e.f 3 6 47m +32ms[ +35ms] +/- 274ms ^* g.h.i 2 6 47m +8839us[ +11ms] +/- 214ms
The columns are as follows:
M
^ means a server,
= means a peer and # indicates a locally connected
reference clock(1).
S
* indicates the
source to which chronyd is current synchronised. + indicates
other acceptable sources. ? indicates sources to which
connectivity has been lost. x indicates a clock which chronyd
thinks is is a falseticker (i.e. its time is inconsistent with a
majority of other sources). ~ indicates a source whose time
appears to have too much variability. The ~ condition is also
shown at start-up, until at least 3 samples have been gathered from it.
IP address
Str
Poll
chronyd automatically varies the polling rate in response to prevailing
conditions.
LastRx
m, h,
d or y indicate minutes, hours, days or years.
Last sample
us (indicating
microseconds), ms (indicating milliseconds), or s
(indicating seconds). The number to the left of the square brackets
shows the original measurement, adjusted to allow for any slews applied
to the local clock since. The number following the +/- indicator
shows the margin of error in the measurement.
Positive offsets indicate that the local clock is fast of the source.
The sourcestats command displays information about the drift rate
and offset estimatation process for each of the sources currently being
examined by chronyd.
An example report is
210 Number of sources = 1 Name/IP NP NR Span Freq Skew S.D./us ================================================================ abc.def.ghi 11 5 46m -0.001 0.045 25
The columns are as follows
Name/IP
NP
NR
chronyd discards older samples and re-runs the regression until
the number of runs becomes acceptable.
Span
Freq
Skew
Freq (again in parts per
million).
Var/us
The tracking command displays parameters about the system's clock
performance. An example of the output is shown below.
Reference ID : 1.2.3.4 (a.b.c) Stratum : 3 Ref time (UTC) : Sun May 17 06:13:11 1998 System time : 0.000000 seconds fast of NTP time Frequency : 331.898 ppm fast Residual freq : 0.004 ppm Skew : 0.154 ppm Root delay : 0.373169 seconds Root dispersion : 0.024780 seconds
The fields are explained as follows.
Reference ID
127.127.1.1
it means the computer is not synchronised to any external source and
that you have the `local' mode operating (via the local command
in chronyc (see section local), or the local directive
in the `/etc/chrony.conf' file (see section local)).
Stratum
a.b.c is a stratum-2 and is synchronised from a stratum-1).
Ref time
System time
chronyd never steps the system clock,
because any jump in the timescale can have adverse consequences for
certain application programs. Instead, any error in the system clock is
corrected by slightly speeding up or slowing down the system clock until
the error has been removed, and then returning to the system clock's
normal speed. A consequence of this is that there will be a period when
the system clock (as read by other programs using the
gettimeofday() system call, or by the date command in the
shell) will be different from chronyd's estimate of the current
true time (which it reports to NTP clients when it is operating in
server mode). The value reported on this line is the difference due to
this effect.
On systems such as Solaris and SunOS, chronyd has no means to
adjust the fundamental rate of the system clock, so keeps the system
time correct by periodically making offsets to it as though an error had
been measured. The build up of these offsets will be observed in this
report. On systems such as Linux where chronyd can adjust the
fundamental rate of the system clock, this value will show zero unless a
very recent measurement has shown the system to be error.
Frequency
chronyd was not correcting it. It is expressed in
ppm (parts per million). For example, a value of 1ppm would mean that
when the system's clock thinks it has advanced 1 second, it has actually
advanced by 1.000001 seconds relative to true time.
As you can see in the example, the clock in the computer I developed
chrony on is not a very good one - it gains about 30 seconds per
day! This was the reason I started to write chrony in the first
place.
Residual freq
Skew
Root delay
Root dispersion
clock_error <= root_dispersion + (0.5 * |root_delay|)
The trimrtc command is used to correct the system's real time
clock (RTC) to the main system clock. It has no effect if the error
between the two clocks is currently estimated at less than a second (the
resolution of the RTC is only 1 second).
The command takes no arguments. It performs the following steps (if the RTC is more than 1 second away from the system clock):
rtcfile directive in the configuration file (see section rtcfile).
The last step is done as a precaution against the computer suffering a
power failure before either the daemon exits or the writertc
command is issued.
chronyd will still work perfectly well both whilst operating and
across machine reboots even if the trimrtc command is never used
(and the RTC is allowed to drift away from true time). The
trimrtc command is provided as a method by which it can be
corrected, in a manner compatible with chronyd using it to
maintain accurate time across machine reboots.
The writertc command writes the currently estimated error and
gain/loss rate parameters for the RTC to the RTC file (specified with
the rtcfile directive (see section rtcfile)). This
information is also written automatically when chronyd is killed
(with SIGHUP, SIGINT, SIGQUIT or SIGTERM).
This appendix discusses issues that have arisen in writing the system-specific parts of the existing ports. This will provide useful information for those attempting to write ports to other systems.
The system specific parts of the software are contained in files with
names like sys_linux.c.
The following functions are required in a system driver file:
chronyd's estimate of real time. (This is required
because some systems have to track real time by making the system time
follow it in a 'sawtooth' fashion).
The frequency is the rate at which the system gains or loses time, measured relative to the system when running uncompensated.
These sections describe quirks in each system type that needed to be investigated to port the software to each system type.
The following quirks have been found in developing the Linux port.
adjtimex() system call is
not the frequency that is actually obtained. The method of
approximation varies between kernel versions and must be determined by
examining the kernel source. An inverse factor must be included in the
driver to compensate.
adjtimex() system call with the flags
bits all zeroed will return the amount of offset still to be corrected.
In others (e.g. the 2.0 series beyond 2.0.32), the offset must be
changed in order to get the old offset returned (similar to
adjtime() on other systems).
The following quirks have been found in developing the Solaris port.
adjtime() system call with a zero argument does not cancel an
adjustment that is in progress - it just reports the remaining
adjustment.
settimeofday() system call only observes the seconds part of
the argument - any fractional seconds part is lost.
second.
dosynctodr has to be set to zero, otherwise
the system clock is periodically reset to the real-time clock.
The following quirks have been found in developing the SunOS port.
adjtime() system call truncates its argument to a multiple of
the system's tickadj variable. (chronyd sets that to 100,
giving a 1 part in 100 slewing capability for correcting offsets.)
dosynctodr has to be set to zero, otherwise
the system clock is periodically reset to the real-time clock.
This document was generated on 11 November 1998 using the texi2html translator version 1.51a.