Merge lp:~paelzer/serverguide/serverguide-chrony-18.04 into lp:serverguide/trunk

Proposed by Christian Ehrhardt on 2018-02-23
Status: Merged
Approved by: Doug Smythies on 2018-02-23
Approved revision: 359
Merged at revision: 349
Proposed branch: lp:~paelzer/serverguide/serverguide-chrony-18.04
Merge into: lp:serverguide/trunk
Diff against target: 380 lines (+161/-66)
2 files modified
serverguide/C/network-auth.xml (+4/-4)
serverguide/C/network-config.xml (+157/-62)
To merge this branch: bzr merge lp:~paelzer/serverguide/serverguide-chrony-18.04
Reviewer: Doug Smythies
Date requested: 2018-02-23
Review status: Approve on 2018-02-23
Review via email: mp+338892@code.launchpad.net

Description of the change

Update for 18.04 for the time synchronization chapter
- general 18.04 updates (e.g. new output)
- recommended NTP server changed from ntpd to chrony (LP: #1744072)
- minor cleanups while working at the section

Doug Smythies (dsmythies) wrote :

thanks very much.

review: Approve
Simon Déziel (sdeziel) wrote :

LGTM with 2 minor nitpicks.

Doug Smythies (dsmythies) wrote :

@Simon: Thank you very much for your diligence. Since I already pushed this one, I'll make edits and push another revision.

Simon Déziel (sdeziel) wrote :

Alright, thanks guys.

Preview Diff

1=== modified file 'serverguide/C/network-auth.xml'
2--- serverguide/C/network-auth.xml 2017-11-06 15:28:57 +0000
3+++ serverguide/C/network-auth.xml 2018-02-23 10:55:44 +0000
4@@ -3977,7 +3977,7 @@
5 <para>The following packages are needed: <emphasis>krb5-user</emphasis>, <emphasis>samba</emphasis>, <emphasis>sssd</emphasis>, and <emphasis>ntp</emphasis>. Samba needs to be installed, even if the system is not exporting shares. The Kerberos realm and FQDN or IP of the domain controllers are needed for this step.</para>
6 <para>Install these packages now.
7 </para>
8- <screen><command>sudo apt install krb5-user samba sssd ntp</command></screen>
9+ <screen><command>sudo apt install krb5-user samba sssd chrony</command></screen>
10 <para>See the next section for the answers to the questions asked by the <emphasis>krb5-user</emphasis> postinstall script.</para>
11 </sect2>
12 <sect2 id="sssd-ad-kerberos" status="review">
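Review bot: The context paragraph at diff line 5 still lists <emphasis>ntp</emphasis> among the needed packages while the command at diff line 9 now installs chrony, so the prose and the command disagree. Change the package name in that sentence to chrony in the same commit.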
13@@ -3997,7 +3997,7 @@
14
15 <para>If default_realm is not specified, it may be necessary to log in with <quote>username@domain</quote> instead of <quote>username</quote>.</para>
16
17- <para>The system time on the Active Directory member needs to be consistent with that of the domain controller, or Kerberos authentication may fail. Ideally, the domain controller server itself will provide the NTP service. Edit <filename>/etc/ntp.conf</filename>:</para>
18+ <para>The system time on the Active Directory member needs to be consistent with that of the domain controller, or Kerberos authentication may fail. Ideally, the domain controller server itself will provide the NTP service. Edit <filename>/etc/chrony/chrony.conf</filename>:</para>
19
20 <programlisting>
21 server dc.myubuntu.example.com
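Review bot: The listing after the changed sentence (diff line 21) only shows `server dc.myubuntu.example.com`, and the text does not say what to do with the `pool` lines that this same patch documents as the chrony default in network-config.xml. Say whether they should be removed or commented out; if they stay, the member may select a public pool source rather than the domain controller, which is the clock Kerberos compares against.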
22@@ -4085,8 +4085,8 @@
23
24 <sect2 id="sssd-ad-join" status="review">
25 <title>Join the Active Directory</title>
26-<para>Now, restart ntp and samba and start sssd.</para>
27-<screen><command>sudo systemctl restart ntp.service</command>
28+<para>Now, restart chrony and samba and start sssd.</para>
29+<screen><command>sudo systemctl restart chrony.service</command>
30 <command>sudo systemctl restart smbd.service nmbd.service</command>
31 <command>sudo systemctl start sssd.service</command></screen>
32
33
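Review bot: At diff lines 28-29, restarting chrony.service does not by itself mean the clock has been corrected before sssd is started at diff line 31. Since diff line 18 says Kerberos authentication may fail on inconsistent time, consider adding a check such as `chronyc sources` (documented by this patch in network-config.xml) before the sssd step.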
34=== modified file 'serverguide/C/network-config.xml'
35--- serverguide/C/network-config.xml 2017-07-02 17:41:08 +0000
36+++ serverguide/C/network-config.xml 2018-02-23 10:55:44 +0000
37@@ -1055,34 +1055,49 @@
38 </sect1>
39
40 <sect1 id="NTP" status="review">
41- <title>Time Synchronisation</title>
42+ <title>Time Synchronization</title>
43 <para>
44-NTP is a TCP/IP protocol for synchronising time over a network. Basically a client requests the current time from a server, and uses it to set its own clock.
45+NTP is a TCP/IP protocol for synchronizing time over a network. Basically a client requests the current time from a server, and uses it to set its own clock.
46 </para>
47 <para>
48 Behind this simple description, there is a lot of complexity - there are tiers of NTP servers, with the tier one NTP servers connected to atomic clocks, and tier two and three servers spreading the load of actually handling requests across the Internet. Also the client software is a lot more complex than you might think - it has to factor out communication delays, and adjust the time in a way that does not upset all the other processes that run on the server. But luckily all that complexity is hidden from you!
49 </para>
50 <para>
51-Ubuntu by default uses <emphasis>timedatectl / timesyncd</emphasis> to synchronize time and users can optionally use ntpd to serve network time info.
52+ Ubuntu by default uses <emphasis>timedatectl / timesyncd</emphasis> to synchronize time and users can optionally use chrony to <xref linkend="timeservers"/>.
53 </para>
54
55 <sect2 id="timedate-info" status="review">
56 <title>Synchronizing your systems time</title>
57 <para>
58- Starting with Ubuntu 16.04 <emphasis>timedatectl / timesyncd</emphasis> (which are part of systemd) replace most of <emphasis>ntpdate / ntp</emphasis>.
59+ Since Ubuntu 16.04 <emphasis>timedatectl / timesyncd</emphasis> (which are part of systemd) replace most of <emphasis>ntpdate / ntp</emphasis>.
60 </para>
61 <para>
62- <application>timesyncd</application> is available by default and replaces not only <application>ntpdate</application>, but also the client portion of <application>ntpd</application>.
63+ <application>timesyncd</application> is available by default and replaces not only <application>ntpdate</application>, but also the client portion of <application>chrony</application> (or formerly <application>ntpd</application>).
64 So on top of the one-shot action that <application>ntpdate</application> provided on boot and network activation, now <application>timesyncd</application> by default regularly checks and keeps your local time in sync.
65 It also stores time updates locally, so that after reboots monotonically advances if applicable.
66 </para>
67 <para>
68- If <application>ntpdate / ntp</application> are installed <application>timedatectl</application> steps back to let you keep your old setup.
69- That shall ensure that no two time syncing services are fighting and also to retain any kind of old behaviour/config that you had through an upgrade.
70+ If <application>chrony</application> is installed <application>timedatectl</application> steps back to let chrony do the time keeping.
71+ That shall ensure that no two time syncing services are fighting.
72+ While no more recommended to be used, this still also applies to <application>ntpd</application> being installed to retain any kind of old behavior/config that you had through an upgrade.
73 But it also implies that on an upgrade from a former release ntp/ntpdate might still be installed and therefore renders the new systemd based services disabled.
74 </para>
75 <para>
76- <application>ntpdate</application> is considered deprecated in favour of <application>timedatectl</application> and thereby no more installed by default.
77+ <application>ntpdate</application> is considered deprecated in favor of <application>timedatectl</application> (or <application>chrony</application>) and thereby no more installed by default.
78+ timesyncd will generally do the right thing keeping your time in sync, and <application>chrony</application> will help with more complex cases.
79+ But if you had one of a few known special ntpdate use cases, consider the following:
80+ <itemizedlist>
81+ <listitem>
82+ <para>
83+ If you require a one-shot sync use: <command>chronyd -q</command>
84+ </para>
85+ </listitem>
86+ <listitem>
87+ <para>
88+ If you require a one-shot time check, without setting the time use: <command>chronyd -Q</command>
89+ </para>
90+ </listitem>
91+ </itemizedlist>
92 </para>
93
94 <sect3 id="timedate-config" status="review">
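Review bot: The new list items at diff lines 83 and 88 give `chronyd -q` and `chronyd -Q` without saying that `-q` sets the system clock and therefore has to be run as root. Write the first command with sudo like the other privileged commands in this guide, and note whether the chrony service has to be stopped before running it. Also, diff line 72 ("While no more recommended to be used, this still also applies to ...") is hard to parse and would read better as two sentences.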
95@@ -1090,16 +1105,20 @@
96 <para>
97 The current status of time and time configuration via <application>timedatectl</application> and <application>timesyncd</application> can be checked with <command>timedatectl status</command>.
98 </para>
99-<screen>
100+ <screen>
101 $ timedatectl status
102- Local time: Mo 2017-06-26 12:16:16 CEST
103- Universal time: Mo 2017-06-26 10:16:16 UTC
104- RTC time: Mo 2017-06-26 10:16:16
105- Time zone: Europe/Berlin (CEST, +0200)
106- Network time on: yes
107-NTP synchronized: yes
108- RTC in local TZ: no
109-</screen>
110+ Local time: Fr 2018-02-23 08:47:13 UTC
111+ Universal time: Fr 2018-02-23 08:47:13 UTC
112+ RTC time: Fr 2018-02-23 08:47:13
113+ Time zone: Etc/UTC (UTC, +0000)
114+ System clock synchronized: yes
115+ systemd-timesyncd.service active: yes
116+ RTC in local TZ: no
117+
118+If chrony is running it will automatically switch to:
119+[...]
120+ systemd-timesyncd.service active: no
121+ </screen>
122 <para>
123 Via <application>timedatectl</application> an admin can control the timezone, how the system clock should relate to the hwclock and if permanent synronization should be enabled or not.
124 See <command>man timedatectl</command> for more details.
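Review bot: Inside the <screen> block, diff lines 118-120 mix the explanatory sentence "If chrony is running it will automatically switch to:" into what is presented as terminal output. Close the <screen> after the first output, put the sentence in a <para>, and show the `systemd-timesyncd.service active: no` line in a second <screen>. The sample at diff lines 110-112 also has the localized weekday "Fr" although the zone is UTC; recapturing it under the C locale would match the "Fri" used in the systemctl output later in this file. The context line at diff line 123 has "synronization", which can be fixed in passing.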
125@@ -1108,62 +1127,75 @@
126 timesyncd itself is still a normal service, so you can check its status also more in detail via.
127 <screen>
128 $ systemctl status systemd-timesyncd
129-. systemd-timesyncd.service - Network Time Synchronization
130+ systemd-timesyncd.service - Network Time Synchronization
131 Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
132- Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
133- |_disable-with-time-daemon.conf
134- Active: active (running) since Mo 2017-06-26 11:12:19 CEST; 30min ago
135+ Active: active (running) since Fri 2018-02-23 08:55:46 UTC; 10s ago
136 Docs: man:systemd-timesyncd.service(8)
137- Main PID: 12379 (systemd-timesyn)
138- Status: "Synchronized to time server [2001:67c:1560:8003::c8]:123 (ntp.ubuntu.com)."
139- Tasks: 2
140- Memory: 424.0K
141- CPU: 12ms
142+ Main PID: 3744 (systemd-timesyn)
143+ Status: "Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com)."
144+ Tasks: 2 (limit: 4915)
145 CGroup: /system.slice/systemd-timesyncd.service
146- |_12379 /lib/systemd/systemd-timesyncd
147+ └─3744 /lib/systemd/systemd-timesyncd
148
149-Jun 26 11:12:19 lap systemd[1]: Starting Network Time Synchronization...
150-Jun 26 11:12:19 lap systemd[1]: Started Network Time Synchronization.
151-Jun 26 11:12:19 lap systemd-timesyncd[12379]: Synchronized to time server [2001:67c:1560:8003::c8]:123 (ntp.ubuntu.com).
152+Feb 23 08:55:46 bionic-test systemd[1]: Starting Network Time Synchronization...
153+Feb 23 08:55:46 bionic-test systemd[1]: Started Network Time Synchronization.
154+Feb 23 08:55:46 bionic-test systemd-timesyncd[3744]: Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com).
155 </screen>
156 </para>
157 <para>
158 The nameserver to fetch time for <application>timedatectl</application> and <application>timesyncd</application> from can be specified in <filename>/etc/systemd/timesyncd.conf</filename> and additional config files can be stored in <filename>/etc/systemd/timesyncd.conf.d/</filename>.
159 The entries for NTP= and FallbackNTP= are space separated lists.
160+ See <command>man timesyncd.conf</command> for more.
161 </para>
162 </sect3>
163
164 </sect2>
165
166 <sect2 id="timeservers" status="review">
167- <title>Serving NTP</title>
168+ <title>Serve the Network Time Protocol</title>
169 <para>
170- If on top of synchronizing your system you also want to serve NTP information you need an ntp server. The most classic and supported one is <application>ntpd</application>, but it is also very old so there also are <application>openntpd</application> and <application>chrony</application> as alternatives available in the archive.
171+ If in addition to synchronizing your system you also want to serve NTP information you need an NTP server. There are several options with <application>chrony</application>, <application>ntpd</application> and <application>open-ntp</application>.
172+ The recommended solution <application>chrony</application>.
173 </para>
174
175-<sect3 id="ntpd" status="review">
176- <title>ntpd</title>
177+<sect3 id="chrony" status="review">
178+ <title>chrony(d)</title>
179 <para>
180- The ntp daemon ntpd calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could
181- lead to inconsistent logs for instance. The cost is a little processing power and memory, but for a modern server this is negligible.
182+ The NTP daemon chronyd calculates the drift and offset of your system clock and continuously adjusts it, so there are no large corrections that could
183+ lead to inconsistent logs for instance. The cost is a little processing power and memory, but for a modern server this is usually negligible.
184 </para>
185 </sect3>
186
187-<sect3 id="ntp-installation" status="review">
188+<sect3 id="chrony-installation" status="review">
189 <title>Installation</title>
190 <para>
191- To install ntpd, from a terminal prompt enter:
192+ To install chrony, from a terminal prompt enter:
193 </para>
194 <screen>
195-<command>sudo apt install ntp</command>
196+<command>sudo apt install chrony</command>
197 </screen>
198+ <para>
199+ This will provide two binaries:
200+ <itemizedlist>
201+ <listitem>
202+ <para>
203+ chronyd - the actual daemon to sync and serve via the NTP protocol
204+ </para>
205+ </listitem>
206+ <listitem>
207+ <para>
208+ chronyc - command-line interface for chrony daemon
209+ </para>
210+ </listitem>
211+ </itemizedlist>
212+ </para>
213 </sect3>
214
215 <sect3 id="timeservers-conf" status="review">
216- <title>Configuration</title>
217+ <title>Chronyd Configuration</title>
218
219 <para>
220- Edit <filename>/etc/ntp.conf</filename> to add/remove server lines.
221+ Edit <filename>/etc/chrony/chrony.conf</filename> to add/remove server lines.
222 By default these servers are configured:
223 </para>
224
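Review bot: The section is retitled "Serve the Network Time Protocol" (diff line 168), but the configuration text at diff lines 221-222 only covers the upstream server lines and never mentions the `allow` directive; without it chronyd acts purely as a client and answers no NTP requests. Add a short paragraph showing an `allow` line restricted to the subnet that should be served. In the same hunk, diff line 172 is missing its verb ("The recommended solution chrony.") and diff line 171 changes the removed line's `openntpd` to `open-ntp`, which is not the name used before.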
225@@ -1171,21 +1203,21 @@
226 # Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
227 # on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
228 # more information.
229-server 0.ubuntu.pool.ntp.org
230-server 1.ubuntu.pool.ntp.org
231-server 2.ubuntu.pool.ntp.org
232-server 3.ubuntu.pool.ntp.org
233+pool 0.ubuntu.pool.ntp.org iburst
234+pool 1.ubuntu.pool.ntp.org iburst
235+pool 2.ubuntu.pool.ntp.org iburst
236+pool 3.ubuntu.pool.ntp.org iburst
237 </programlisting>
238
239 <para>
240- After changing the config file you have to reload the
241- <application>ntpd</application>:
242+ See <command>man chrony.conf</command> for more details on the configuration options.
243+ After changing the any of the config file you have to reload <application>chrony</application>:
244 </para>
245 <screen>
246-<command>sudo systemctl reload ntp.service</command>
247+<command>sudo systemctl restart chrony.service</command>
248 </screen>
249 <para>
250- Of the pool number 2.ubuntu.pool.ntp.org as well as ntp.ubuntu.com also support ipv6 if needed.
251+ Of the pool 2.ubuntu.pool.ntp.org as well as ntp.ubuntu.com also support ipv6 if needed.
252 If one needs to force ipv6 there also is ipv6.ntp.ubuntu.com which is not configured by default.
253 </para>
254
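Review bot: Diff line 243 tells the reader to reload chrony, but the command at diff line 247 is `systemctl restart chrony.service`; use "restart" in the sentence so the text matches the command. The same line has a wording slip ("After changing the any of the config file"), and diff line 251 ("Of the pool 2.ubuntu.pool.ntp.org as well as ...") still reads as a fragment after the edit.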
255@@ -1194,26 +1226,79 @@
256 <sect3 id="ntp-status" status="review">
257 <title>View status</title>
258 <para>
259- Use ntpq to see more info:
260+ Use chronyc to see query the status of the chrony daemon.
261+ For example to get an overview of the currently available and selected time sources.
262+ </para>
263+ <para>
264 </para>
265 <screen>
266-<command># sudo ntpq -p</command>
267-<computeroutput> remote refid st t when poll reach delay offset jitter
268+<command>chronyc sources</command>
269+<computeroutput>
270+MS Name/IP address Stratum Poll Reach LastRx Last sample
271+===============================================================================
272+^+ gamma.rueckgr.at 2 8 377 135 -1048us[-1048us] +/- 29ms
273+^- 2b.ncomputers.org 2 8 377 204 -1141us[-1124us] +/- 50ms
274+^+ www.kashra.com 2 8 377 139 +3483us[+3483us] +/- 18ms
275+^+ stratum2-4.NTP.TechFak.U> 2 8 377 143 -2090us[-2073us] +/- 19ms
276+^- zepto.mcl.gg 2 7 377 9 -774us[ -774us] +/- 29ms
277+^- mirrorhost.pw 2 7 377 78 -660us[ -660us] +/- 53ms
278+^- atto.mcl.gg 2 7 377 8 -823us[ -823us] +/- 50ms
279+^- static.140.107.46.78.cli> 2 8 377 9 -1503us[-1503us] +/- 45ms
280+^- 4.53.160.75 2 8 377 137 -11ms[ -11ms] +/- 117ms
281+^- 37.44.185.42 3 7 377 10 -3274us[-3274us] +/- 70ms
282+^- bagnikita.com 2 7 377 74 +3131us[+3131us] +/- 71ms
283+^- europa.ellipse.net 2 8 377 204 -790us[ -773us] +/- 97ms
284+^- tethys.hot-chilli.net 2 8 377 141 -797us[ -797us] +/- 59ms
285+^- 66-232-97-8.static.hvvc.> 2 7 377 206 +1669us[+1686us] +/- 133ms
286+^+ 85.199.214.102 1 8 377 205 +175us[ +192us] +/- 12ms
287+^* 46-243-26-34.tangos.nl 1 8 377 141 -123us[ -106us] +/- 10ms
288+^- pugot.canonical.com 2 8 377 21 -95us[ -95us] +/- 57ms
289+^- alphyn.canonical.com 2 6 377 23 -1569us[-1569us] +/- 79ms
290+^- golem.canonical.com 2 7 377 92 -1018us[-1018us] +/- 31ms
291+^- chilipepper.canonical.com 2 8 377 21 -1106us[-1106us] +/- 27ms
292+</computeroutput>
293+<command>chronyc sourcestats</command>
294+<computeroutput>
295+210 Number of sources = 20
296+Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
297 ==============================================================================
298-+stratum2-2.NTP. 129.70.130.70 2 u 5 64 377 68.461 -44.274 110.334
299-+ntp2.m-online.n 212.18.1.106 2 u 5 64 377 54.629 -27.318 78.882
300-*145.253.66.170 .DCFa. 1 u 10 64 377 83.607 -30.159 68.343
301-+stratum2-3.NTP. 129.70.130.70 2 u 5 64 357 68.795 -68.168 104.612
302-+europium.canoni 193.79.237.14 2 u 63 64 337 81.534 -67.968 92.792</computeroutput>
303+gamma.rueckgr.at 25 15 32m -0.007 0.142 -878us 106us
304+2b.ncomputers.org 26 16 35m -0.132 0.283 -1169us 256us
305+www.kashra.com 25 15 32m -0.092 0.259 +3426us 195us
306+stratum2-4.NTP.TechFak.U> 25 14 32m -0.018 0.130 -2056us 96us
307+zepto.mcl.gg 13 11 21m +0.148 0.196 -683us 66us
308+mirrorhost.pw 6 5 645 +0.117 0.445 -591us 19us
309+atto.mcl.gg 21 13 25m -0.069 0.199 -904us 103us
310+static.140.107.46.78.cli> 25 18 34m -0.005 0.094 -1526us 78us
311+4.53.160.75 25 10 32m +0.412 0.110 -11ms 84us
312+37.44.185.42 24 12 30m -0.983 0.173 -3718us 122us
313+bagnikita.com 17 7 31m -0.132 0.217 +3527us 139us
314+europa.ellipse.net 26 15 35m +0.038 0.553 -473us 424us
315+tethys.hot-chilli.net 25 11 32m -0.094 0.110 -864us 88us
316+66-232-97-8.static.hvvc.> 20 11 35m -0.116 0.165 +1561us 109us
317+85.199.214.102 26 11 35m -0.054 0.390 +129us 343us
318+46-243-26-34.tangos.nl 25 16 32m +0.129 0.297 -307us 198us
319+pugot.canonical.com 25 14 34m -0.271 0.176 -143us 135us
320+alphyn.canonical.com 17 11 1100 -0.087 0.360 -1749us 114us
321+golem.canonical.com 23 12 30m +0.057 0.370 -988us 229us
322+chilipepper.canonical.com 25 18 34m -0.084 0.224 -1116us 169us
323+</computeroutput>
324 </screen>
325-
326+ <para>
327+ Certain chronyc commands are privileged and can not be run via the network without explicitly allowing them.
328+ See section <emphasis>Command and monitoring access</emphasis> in <command>man chrony.conf</command> for more details.
329+ A local admin can use <application>sudo</application> as usually as this will grant him access to the local admin socket <filename>/var/run/chrony/chronyd.sock</filename>.
330+ </para>
331 </sect3>
332
333 <sect3 id="ntp-pps" status="review">
334 <title>PPS Support</title>
335 <para>
336-Since 16.04 ntp supports PPS discipline which can be used to augment ntp with local timesources for better accuracy.
337-For more details on configuration see the external pps ressource listed below.
338+ Chrony supports various PPS types natively. It can use kernel PPS API as well as PTP hardware clock.
339+ Most general GPS receivers can be leveraged via <application>GPSD</application>.
340+ The latter (and potentially more) can be accessed via <emphasis>SHM</emphasis> or via a <emphasis>socket</emphasis> (recommended).
341+ All of the above can be used to augment chrony with additional high quality time sources for better accuracy, jitter, drift, longer-or-short term accuracy (Usually each kind of clock type is good at one of those, but non-perfect at the others).
342+ For more details on configuration see some of the external PPS/GPSD resource listed below.
343 </para>
344 </sect3>
345 </sect2>
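Review bot: Diff lines 263-264 add an empty <para></para> pair that should be dropped, and diff line 260 reads "Use chronyc to see query the status" (one verb too many). In the access paragraph at diff lines 327-329, "as usually" and "grant him access" need rewording, and it would help to say that the two examples shown (`chronyc sources`, `chronyc sourcestats`) are run without sudo so readers can tell them apart from the privileged commands. The twenty-row sample outputs could be trimmed to a few rows that illustrate the `^*`, `^+` and `^-` states.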
346@@ -1225,7 +1310,7 @@
347 <itemizedlist>
348 <listitem>
349 <para>
350- See the <ulink url="https://help.ubuntu.com/community/UbuntuTime">Ubuntu Time</ulink> wiki page for more information.
351+ <ulink url="https://chrony.tuxfamily.org/faq.html">Chrony FAQ</ulink>
352 </para>
353 </listitem>
354 <listitem>
355@@ -1235,6 +1320,11 @@
356 </listitem>
357 <listitem>
358 <para>
359+ <ulink url="http://www.pool.ntp.org/">The pool.ntp.org projecti, being a big virtual cluster of timeservers.</ulink>
360+ </para>
361+ </listitem>
362+ <listitem>
363+ <para>
364 <ulink url="https://www.freedesktop.org/software/systemd/man/timedatectl.html">Freedesktop.org info on timedatectl</ulink>
365 </para>
366 </listitem>
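Review bot: Diff line 359 has the typo "projecti" and places the whole descriptive sentence, including the trailing period, inside the <ulink> text. Keep only "pool.ntp.org project" as the link text and move the description outside the link, in line with the neighbouring entries.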
367@@ -1245,7 +1335,12 @@
368 </listitem>
369 <listitem>
370 <para>
371- <ulink url="http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#S-CONFIG-ADV-PPS">ntp.org faq on configuring PPS</ulink>
372+ <ulink url="http://www.catb.org/gpsd/gpsd-time-service-howto.html#_feeding_chrony_from_gpsd">Feeding chrony from GPSD</ulink>
373+ </para>
374+ </listitem>
375+ <listitem>
376+ <para>
377+ See the <ulink url="https://help.ubuntu.com/community/UbuntuTime">Ubuntu Time</ulink> wiki page for more information.
378 </para>
379 </listitem>
380 </itemizedlist>
