NTP Configuration

Outside of NTP server mode, the following command sets the namespace in which the NTP daemon runs:

ntp namespace (host|dataplane)

Configures the namespace (see Networking Namespaces) in which the NTP daemon will run. When running in the host namespace, NTP has access to host OS interfaces and routing, which is suitable for reaching internal time servers. When running in the dataplane namespace, NTP can act as a server for clients connected to TNSR interfaces and can reach servers to which TNSR can route.

NTP is capable of operating in either namespace, but only in one namespace at a time.

Inside NTP server mode, the NTP daemon has a variety of options to fine-tune its timekeeping behavior.

access sequence <seq> (allow|deny) (all|<prefix>)

Defines rules which control client access to the NTP daemon. By default, the NTP daemon does not allow any clients to access the service as an NTP server.

Note

The NTP daemon can always act as a client to upstream NTP servers. No access rules are necessary for that role.

sequence <seq>

Defines the order of this access rule in the list. The NTP daemon matches rules from the lowest sequence number to the highest.

(allow|deny)

Defines the action taken by this rule.

allow

Clients matching this rule are allowed to reach the NTP daemon.

deny

Clients matching this rule are denied access to the NTP daemon.

(all|<prefix>)

The network prefix to be matched by this rule, or all to match any client.

(disable|enable) leapsectz

Instructs the NTP daemon to obtain leap second information from the system time zone data. This is useful when the upstream clock does not provide leap second information or does not announce it properly.

(disable|enable) monitor

Explicitly enables or disables the monitoring facility used to poll the NTP daemon for information about peers and other statistics.

This facility is enabled by default and is required by the show ntp <x> commands which display peer information.

(disable|enable) rtcsync

Instructs the NTP daemon to sync the system time to the hardware real-time clock every 11 minutes without tracking its drift.

driftfile <filename>

Defines the full path to the filename used by the NTP daemon to store clock drift information to improve accuracy over time, e.g. /var/lib/chrony/chrony.drift. This file and its directory must be writable by the _chrony user or group.

interface (bind|bind6|binddevice) <address>

Controls interface and IP address binding behavior. The default behavior when no interface configuration entries are present is to bind to all available addresses on the host.

bind <ip4-addr>

Binds to a specific IPv4 address present on TNSR. This is useful when an interface contains multiple IPv4 addresses and the NTP daemon should only bind to one IPv4 address.

bind6 <ip6-addr>

Binds to a specific IPv6 address present on TNSR. This is useful when an interface contains multiple IPv6 addresses and the NTP daemon should only bind to one IPv6 address.

binddevice <if-name>

Binds to all IPv4 and IPv6 addresses on an interface.

log

Changes to config-ntp-log mode to configure logging behavior. See NTP Logging for more information.

logdir <path>

Defines the full path where the NTP daemon will store its log files, e.g. /var/log/chrony. This directory must be writable by the _chrony user or group.

makestep threshold <num> limit <num>

Allows the NTP daemon to adjust the system clock in larger steps rather than slowly correcting time offsets. This is useful when the clock is very far out of sync and the normal correction behavior would take too long.

threshold <num>

The threshold above which the NTP daemon will step the clock.

limit <num>

Prevents stepping if there were more than this number of clock updates since the daemon started.

maxchange offset <num> start <num> ignore <num>

Controls the size of adjustments the NTP daemon can make to the system clock.

offset <num>

The largest allowed offset the NTP daemon can correct during a clock update, in seconds.

start <num>

Prevents the NTP daemon from respecting this limit until after it has performed this number of clock updates. This allows the daemon to make a larger initial adjustment when starting.

ignore <num>

The number of oversize adjustments to ignore before giving up and causing the NTP daemon to exit.
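The makestep and maxchange settings together bound how far a faulty or untrustworthy time source can move the system clock. The following is an added example, not TNSR or chrony code: a simplified model of the rules described above, run over constructed offsets. It assumes all offsets and thresholds are in seconds and that every clock update counts toward the start and limit counters; the function names and sample values are hypothetical.

```python
import math

# Simplified model of the makestep and maxchange rules described above.
# Not TNSR or chrony source. Assumptions: offsets are in seconds, and every
# update (including discarded ones) counts toward the start and limit counters.

def simulate(offsets, step_threshold, step_limit, max_offset, start, ignore):
    """Return one decision per clock update: step, slew, ignored or exit."""
    decisions = []
    ignores_left = ignore
    for n, offset in enumerate(offsets, start=1):
        size = abs(offset)
        # maxchange: enforced only after `start` clock updates have been done.
        if n > start and size > max_offset:
            if ignores_left == 0:
                decisions.append("exit")      # daemon gives up and exits
                break
            ignores_left -= 1
            decisions.append("ignored")       # oversize adjustment discarded
            continue
        # makestep: stepping is only allowed in the first `step_limit` updates.
        if n <= step_limit and size > step_threshold:
            decisions.append("step")
        else:
            decisions.append("slew")          # slow, gradual correction
    return decisions

# Constructed offsets: a clock one hour off at boot, three normal updates,
# then an upstream source that suddenly reports a time one day away.
SAMPLE = [3600.0, 0.4, 0.02, -0.01, 86400.0, 86400.0, 86400.0, 0.01]

def bounded():
    # makestep threshold 1 limit 3 / maxchange offset 1000 start 1 ignore 2
    return simulate(SAMPLE, 1, 3, 1000, 1, 2)

def unbounded():
    # Model of a large makestep limit with no maxchange bound configured.
    return simulate(SAMPLE, 1, 100, math.inf, 0, 0)

if __name__ == "__main__":
    print("bounded:  ", bounded())
    print("unbounded:", unbounded())
```

With the bounded settings the one-day jump is never applied: two oversize updates are discarded and the daemon exits on the third, while the unbounded model steps the clock to the bad time.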

maxupdateskew <num>

The threshold the NTP daemon uses to determine if clock skew estimates are accurate and reliable, given in “parts per million” (PPM), which is microseconds per second. This is helpful when determining whether the system clock is running faster or slower than upstream time sources while also accounting for variations in data due to network latency and other factors.

Upstream connections which are slower or that have more latency will require larger values for this option. Sources on the same local network may only require a value between 5.00 and 10.00 while distant network sources may require up to 100.00.

server (<fqdn>|<ip-addr>)

Defines an NTP peer with which the daemon will attempt to synchronize the clock. This command enters config-ntp-server mode. The server may be specified as:

<fqdn>

A fully qualified domain name, which will be resolved using DNS.

<IPv4/IPv6 Address>

An IPv4 or IPv6 address specifying a single NTP server.

Within config-ntp-server mode, additional commands are available that control how NTP interacts with the specified server:

burst

Shortens the interval between requests to potentially unreliable servers. The NTP daemon will reduce the interval on up to four requests to two seconds or less in an attempt to improve the likelihood of obtaining a good measurement.

iburst

Controls the initial burst of packets the NTP daemon sends to the server, which allows the daemon to quickly make its first update at startup. This applies to the first four requests which it sends at an interval of two seconds or less.

maxpoll <poll>

Maximum polling interval for NTP messages. This is specified as a power of 2, in seconds. The value may be between -6 and 24 and defaults to 10 (1024 seconds).

maxsources <num>

The number of sources the NTP daemon will utilize from a DNS response when looking up a fully qualified domain name. This option is only relevant when this server entry is configured as operational-mode pool.

noselect

Instructs NTP not to use the server for synchronization. The daemon will still connect to the server and display statistics from it.

operational-mode server

This entry is a single server. When the server is specified as an FQDN, if the DNS response contains multiple entries then only one is selected. Can also be used with IPv4/IPv6 addresses directly, rather than FQDN entries.

operational-mode pool

This entry is a pool of servers. Only compatible with FQDN hosts. NTP will expect multiple records in the DNS response and will use all of these entries as distinct servers, up to the optional limit set by maxsources. This is a reliable way to configure multiple NTP peers with minimal configuration.

prefer

When set, NTP will prefer this server if it and multiple other servers are all viable candidates of equal quality.

Warning

An operational-mode is required.

tos orphan <num>

Configures the stratum of orphan mode servers from 1 to 16. When all UTC reference peers below this stratum are unreachable, clients in the same subnet may use each other as references as a last resort.