Chronyd Configuration As A Local Ntp Server
This is for CentOS 7 that has chronyd 2.1.1
I am looking into how to use chronyd as my local ntp server.
On my old servers with ntpd I had local access control lines like:
restrict 192.168.128.0 mask 255.255.255.0 nomodify notrap
But in looking for documentation on chronyd I did not find anything on this at:
https://chrony.tuxfamily.org/doc/2.1/manual.html
In the actual /etc/chronyd.conf there is the sample line:
# Allow NTP client access from local network.
#allow 192.168/16
Does this allow only allow queries? Does chronyd support the ‘restrict’
option?
thank you
6 thoughts on - Chronyd Configuration As A Local Ntp Server
Robert:
Years back I used to use Chrony for that purpose (when I was running Smoothwall on an old PC instead of a commercial router, as I am now)
and it did the job remarkably well.
One of the designgoals of Chrony was to support networks or computers that are NOT connected full-time, so that time stayed somewhere near correct even if offline for hours or days.
But that having been so long ago, now, I don’t remember the details.
I also don’t remember what the “restrict” directive for ntpd does.
(to give you an idea of how long ago that was it was when I had a Red Hat
7.2 or 7.3 workstation as my home PC–pre-RHEL. I could compile things on that RH box, tar up the necessary results and take that file to the smoothwall box and untar them and with small configuration: voila!)
there used to be a chrony mailing list where one could ask such questions, but I haven’t seen traffic on it in years, so it may no longer exist.
Fred
AFAIK the only thing needed to make your host an NTP server using chrony is to set the allow line to the network address in CIDR format of the network you want to be served, and uncomment it. The restart chronyd. You also need to ensure that port 123 (NTP) is open to your internal network on your filrewall.
I have a CentOS 6 box that is an NTP server for my network. CentOS 7
works the same way.
‘Modern’ NTP allows for all sorts of updates to NTP servers, with all sorts of attacks. So to prevent even local hosts from making changes to your NTP server, there is the restrict instead of allow command. Its intent is to limit what the server will accept from a host in the address range instead of allowing any command from within that range. I
use this on my CentOS6 servers.
I guess I will have to register to the chronyd list and ask there.
thanks
Here are the commands for that. Apparently restrict is replaced with deny.
deny [] Deny access to subnet as a default deny all [ ] Deny access to subnet and all children
Robert, If your NTP server will be on 7/24, I would uninstall chrony and install ntpd which is still included in CentOS 7. Configure as usual.
For the differences between chrony and ntpd reference:
http://thegeekdiary.com/CentOS-rhel-7-chrony-vs-ntp-differences-between-ntpd-and-chronyd/
Essentially, chrony is more for laptops with intermittant network connections, and ntpd is better suited to always-on servers
Thanks I will look into this later. Family emergency has me doing family things for the next week.
Robert