Zucca (Moderator)
Joined: 14 Jun 2007  Posts: 3828  Location: Rasi, Finland
Posted: Wed Dec 20, 2023 3:40 pm
Post subject: Feature creep? : chrony
(Posted this in Gentoo Chat so feel free to tell your experiences and go a little off-topic. ;) )
I have had some time to spend inside now because I'm recovering from covid (yet again).
So I went looking at the current landscape of ntp clients (and servers).
I decided to install some new ntp client onto my laptop just to test it out. I was kind of looking for a client which could learn how much the system clock drifts and then automatically compensate the drift a few times a day if there's no internet connection to poll the time from any ntp server.
It looked like chrony was the one to choose, which I did. I installed it and took some examples from the wiki.
While now everything's ok and kinda working*, I decided to see what configuration parameters there are to fine tune chrony. Oh boy. Long story short: I just glanced over all the possible settings in confusion... The chrony.conf man page is over 2500 lines long. Geez!
The irony here: While it offers a plethora of options and adjustments *) I couldn't find a setting to have it continue polling time from the servers after internet connection has been restored. I guess I need to create some hook for networkmanager which runs chronyc online after regaining internet connection.
This begs the question: Are there some other (simpler) ntp programs which can continue working offline and try to estimate clock drift?
EDIT: Yes. There is: net-misc/clockspeed. I'll consider testing it too.
_________________
..: Zucca :..
My gentoo installs: init=/sbin/openrc-init -systemd -logind -elogind seatd
Quote: I am NaN! I am a man!
szatox (Advocate)
Joined: 27 Aug 2013  Posts: 3477
Posted: Wed Dec 20, 2023 7:08 pm
Quote:
    The irony here: While it offers a plethora of options and adjustments *) I couldn't find a setting to have it continue polling time from the servers after internet connection has been restored. I guess I need to create some hook for networkmanager which runs chronyc online after regaining internet connection.
Wait... Do you even need it? Your local clock doesn't stop just because the internet has gone down. Once the connection is restored, the ntp daemon should just continue working like nothing happened... Poll the servers on the regular schedule, notice the time drift, and speed up or slow down the clock.
NTP tries to avoid forcefully synchronizing the clock in favor of slow adjustments; it prioritizes giving your programs a smooth ride over accuracy, because gaining or losing a few ms compared to the world doesn't matter, but big changes can interfere with timeouts or ordering of events on a local machine.
Does your local clock drift so far it's unrecoverable and chrony just gives up or something?
Zucca (Moderator)
Posted: Wed Dec 20, 2023 8:05 pm
If chrony cannot connect to an ntp server it marks it as being offline and never polls it in case it's back online. Yeah. Makes no sense.
# chronyc tracking:
Reference ID    : C394460C (julkinen.dclabra.fi)
Stratum         : 3
Ref time (UTC)  : Wed Dec 20 19:43:03 2023
System time     : 0.003839964 seconds slow of NTP time
Last offset     : -0.000515142 seconds
RMS offset      : 0.038905233 seconds
Frequency       : 12.797 ppm slow
Residual freq   : +0.111 ppm
Skew            : 7.010 ppm
Root delay      : 0.090450771 seconds
Root dispersion : 0.024045609 seconds
Update interval : 1040.7 seconds
Leap status     : Normal
... so no. My system clock (on this laptop) seems to be pretty accurate.
However it sometimes resets to 2019-01-01 if its battery completely runs out of juice. But in that case restoring ~correct time without internet is impossible.
I also did install clockspeed, but it seems to be hardcoded to adjust the clock every three seconds. To me that sounds too often. Oh well. I've now configured chronyd and it does the job.
And just for kicks I added several ntp servers to my config... maybe it increases the accuracy? Like it would matter on a laptop like this, but hey. It's fun to tinker.
# chronyc sources -a -v:
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* julkinen.dclabra.fi           2  10   377  1068    +15ms[  +14ms] +/-   46ms
^? ntp1.funet.fi                 0  14     0     -     +0ns[   +0ns] +/-    0ns
^? ntp2.funet.fi                 0  14     0     -     +0ns[   +0ns] +/-    0ns
^? ntp3.funet.fi                 0  14     0     -     +0ns[   +0ns] +/-    0ns
^? ntp4.funet.fi                 0  12     0     -     +0ns[   +0ns] +/-    0ns
^? ntp1.ayy.fi                   0  14     0     -     +0ns[   +0ns] +/-    0ns
^? ntp2.ayy.fi                   0  14     0     -     +0ns[   +0ns] +/-    0ns
^? ntp3.ayy.fi                   0  14     0     -     +0ns[   +0ns] +/-    0ns
^? ntp4.ayy.fi                   0  12     0     -     +0ns[   +0ns] +/-    0ns
^- sth1.ntp.netnod.se            1  10   377    39    +17ms[  +17ms] +/-   49ms
^+ sth2.ntp.netnod.se            1  10   377   52m   +140us[-5150us] +/-   24ms
^+ mail.maruhn.at                2  14    17   52m  +1298us[-5648us] +/-   43ms
^- mail2.tessmann.dev            2  14    17   52m  -5455us[  -12ms] +/-   46ms
^- skg.vaxxi.net                 2  14    37   52m  +1725us[-5221us] +/-   67ms
^+ 87-95-210-119.bb.dnainte>     3  14   377   52m  -1326us[-6616us] +/-   43ms
^- ntp1.net.berkeley.edu         1  15    17   52m  -4721us[  -12ms] +/-  112ms
^- ntp2.net.berkeley.edu         1  15    17   52m   -194us[-7136us] +/-  107ms
^+ ntp.ripe.net                  1  15   377   52m  +1889us[-5038us] +/-   29ms
^- clock.isc.org                 3  15    37   52m    +21ms[  +16ms] +/-  225ms
^- ntp1.hetzner.de               2  14   373   52m    +38ms[  +33ms] +/-   92ms
^+ ntp2.hetzner.de               2  14   377   52m  +1447us[-5496us] +/-   61ms
^+ ntp3.hetzner.de               2  14   177   52m  +6812us[+1521us] +/-   79ms
^? ntp-a2.nict.go.jp             1  15    17   46m   +136ms[ +131ms] +/-  339ms
... gotta remove those at the top. Those seem to be private.
szatox (Advocate)
Posted: Wed Dec 20, 2023 9:32 pm
Dunno, I'd understand kicking an offline server out of the rotation for 10 minutes or an hour, but never polling it again seems excessive.
My one complaint about chrony after working with it was that it apparently followed 1 server from the pool (after excluding any outliers) instead of trying to find its place somewhere in the middle of the group, like ntpd. The latter allows you to keep machines on your LAN synchronized with each other even if the whole block gets disconnected from any more authoritative servers. Which is important e.g. for CEPH which requires all nodes' clocks to be within like 5ms or something... I don't remember any decent options to configure chronyd for peering; I think it's strictly hierarchical.
Zucca (Moderator)
Posted: Wed Dec 20, 2023 9:32 pm
I must add this, a snip from 'man chrony.conf':
    offline
        If the server will not be reachable when chronyd is started, the offline option can be specified.
        chronyd will not try to poll the server until it is enabled to do so (by using the online command in
        chronyc).
    auto_offline
        With this option, the server will be assumed to have gone offline when sending a request fails, e.g.
        due to a missing route to the network. This option avoids the need to run the offline command from
        chronyc when disconnecting the network link. (It will still be necessary to use the online command
        when the link has been established, to enable measurements to start.)
So yes. I'm using auto_offline.
Quote:
    This option avoids the need to run the offline command from chronyc when disconnecting the network link.
... is the part I'm somewhat confused about. I feel like chrony is going to misbehave if I lose internet connection and haven't set auto_offline.
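The NetworkManager hook Zucca talks about (running chronyc online once the link is back, and offline when it drops so chronyd stops counting failed polls), written out as an added example; it is not code from the thread, from chrony or from NetworkManager. The install path, the 0755/root-owned requirement for dispatcher scripts, and the use of nmcli to resolve connectivity-change events are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not chrony's or NetworkManager's own script.
# Assumed install path: /etc/NetworkManager/dispatcher.d/20-chrony
# NetworkManager only runs dispatcher scripts that are owned by root and not
# writable by group/other, and it runs them as root, so chronyc can reach
# chronyd over its Unix command socket even with "cmdport 0" in chrony.conf.
# Invocation by NetworkManager: <script> <interface> <action>

# Map a NetworkManager dispatcher action to the chronyc command to run.
# Prints "online", "offline", or nothing for events that say nothing about
# whether the upstream servers are reachable (dhcp4-change, hostname, ...).
nm_action_to_chronyc_cmd() {
    case "$1" in
        up|vpn-up)     echo online ;;
        down|vpn-down) echo offline ;;
        *)             echo "" ;;
    esac
}

# Map the nmcli connectivity state (full/limited/portal/none/unknown) to a
# chronyc command. Only a confirmed "full" brings the sources back online;
# a captive portal or a link without a default route is left as it is, so
# chronyd does not burn polls (and reachability register bits) on it.
connectivity_to_chronyc_cmd() {
    case "$1" in
        full) echo online ;;
        none) echo offline ;;
        *)    echo "" ;;
    esac
}

# Dispatcher entry point: runs only when called with NetworkManager's two
# positional arguments, so sourcing the file for testing has no side effects.
if [ "$#" -ge 2 ]; then
    action="$2"
    if [ "$action" = connectivity-change ]; then
        # -g prints just the requested field, e.g. "full"
        state=$(nmcli -g CONNECTIVITY general status 2>/dev/null)
        cmd=$(connectivity_to_chronyc_cmd "$state")
    else
        cmd=$(nm_action_to_chronyc_cmd "$action")
    fi
    # chronyc online/offline are idempotent, so repeated "up" events are harmless
    if [ -n "$cmd" ]; then
        exec chronyc "$cmd"
    fi
fi
```

Newer chronyc also has an onoffline command that lets chronyd decide per source from the routing table, which removes the need to map events at all; the mapping above is for setups where chronyd should only see sources after connectivity is confirmed.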
pjp (Administrator)
Joined: 16 Apr 2002  Posts: 20552
Posted: Thu Dec 21, 2023 5:15 am
If they come pre-installed, I disable network manager, avahi, something else I forget, and chrony. I don't need an alternative to ntpd.
_________________
Quis separabit? Quo animo?
Zucca (Moderator)
Posted: Thu Dec 21, 2023 9:15 am
pjp wrote:
    I don't need an alternative to ntpd.
I think I feel the same. :D
EDIT: I think I'll give OpenNTPD a shot next. Features seem reasonable and since it's made by OpenBSD folks I assume it's pretty secure too.
user (Apprentice)
Joined: 08 Feb 2004  Posts: 214
Posted: Thu Dec 21, 2023 12:20 pm
I like to use chrony over ntpd (after decades of usage) because
- easy to configure NTS as chrony client
- easy to configure secure ntp client communication with chrony daemon
- easy to differentiate between always-on server local RTC sync and daylight-only desktop local RTC sync
- proper NTP state survival at daemon restart
- temperature based compensation if needed
0.077 ms RMS offset at ~25 ms link&source delay (one year average)
Code:
# /etc/chrony.conf
# public NTS servers - https://github.com/jauderho/nts-servers
# HINT: at least three sources needed to detect single false clock source
# HINT: wrong local clock will block NTS (temporary workaround: nocerttimecheck 1)
# netnod - https://www.netnod.se/time-and-frequency/how-to-use-nts
server mmo1.nts.netnod.se nts certset 1 iburst maxdelay 0.07 xleave extfield F323
# ntppool2.time.nl - https://nts.time.nl/
server ntppool2.time.nl nts certset 2 iburst maxdelay 0.05 xleave extfield F323
# ptbtime1.ptb.de - https://www.ptb.de/cms/fileadmin/internet/fachabteilungen/abteilung_q/q.4_informationstechnologie/q.42/PTB-Q42-Setup_NTS_v_1_6.pdf
server ptbtime1.ptb.de nts certset 1 iburst maxdelay 0.05 xleave extfield F323
### NTS
# authentication is strictly required for NTP sources
authselectmode require
# save NTS cookies received from the server in order to avoid making an NTS-KE request when chronyd is started again
ntsdumpdir /var/lib/chrony/
# disable system cert trust
nosystemcert
# ptbtime1.ptb.de letsencrypt.org/certs/isrgrootx1.pem
# mmo1.nts.netnod.se letsencrypt.org/certs/isrgrootx1.pem
ntstrustedcerts 1 /etc/chrony/cert-isrgrootx1.pem
# from http://www.tbs-x509.com/USERTrustRSACertificationAuthority.crt
ntstrustedcerts 2 /etc/chrony/cert-ntppool2.time.nl.pem
### common options
logdir /var/log/chrony/
log measurements statistics tracking tempcomp
# record the rate at which the system clock gains/loses time
driftfile /var/lib/chrony/drift
# save the measurement history across restarts of chronyd (assuming no changes are made to the system clock behaviour whilst it is not running)
dumpdir /run/chrony/
# allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second
makestep 1.0 3
# threshold for deciding whether a frequency estimate is so unreliable that it should not be used. By default, the threshold is 1000 ppm
# depends on average link and source quality
maxupdateskew 50
# it means the RTC is required to keep UTC
rtconutc
# DESKTOP: RTC drift tracking on intermittently running desktop
# it's important to disable hwclock at shutdown: /etc/conf.d/hwclock: clock_systohc="NO"
#rtcfile /var/lib/chrony/rtc
# keep the RTC close to the system clock automatically
#rtcautotrim 5
# SERVER: RTC will be set also every 11 minutes as long as the system clock is synchronised by kernel
rtcsync
# serve time even if not synchronized to a time source
local stratum 10
# use socket by root/chrony user only
cmdport 0
# https://developers.redhat.com/blog/2015/06/01/five-different-ways-handle-leap-seconds-ntp
# this directive specifies a timezone in the system tz database which chronyd can use to determine when the next leap second will occur
leapsectz /usr/share/zoneinfo-leaps/UTC
# result has to be between -10 ppm and 10 ppm
# in ppm, positive means the system clock is running faster
tempcomp /sys/class/hwmon/hwmon3/temp7_input 30 /etc/chrony/chrony.tempcomp
### client access
# generated by # chronyc keygen 1 SHA3-512 512
keyfile /etc/chrony/chrony.keys
# allow NTP client access from localhost only
allow 127.0.0.1
# EOF
Zucca (Moderator)
Posted: Thu Dec 21, 2023 2:05 pm
I saw the log directive in your config and decided to adjust logging, but it seems that chronyd then does want its own log file(s), instead of using syslog, if I specify the log directive. I found it strange since normally chronyd will use syslog.
I try to avoid logfiles outside of my syslogger.
pjp (Administrator)
Posted: Thu Dec 21, 2023 3:13 pm
user wrote:
    I like to use chrony over ntpd (after decades of usage)
I didn't know it was that old. My first encounter with it was on a newly installed RHEL 7(?). chrony didn't work with deployed / standardized ntpd configuration, so chrony was added to the disabled list for having caused problems that didn't previously exist. Specifically, it didn't work by default by using ntpd configs -- probably a good thing -- as a result, it required attention it hadn't earned (much like the other tools I mentioned that get disabled).
Zucca (Moderator)
Posted: Thu Dec 21, 2023 4:40 pm
OpenNTPd seems to work pretty well... However it's a bit too simple... maybe. For example it seems I cannot set any intervals or timeouts to anything.