Migrate from ntpd to chronyd
Closed, ResolvedPublicFEATURE REQUEST
Actions

Assigned To

Authored By

	Gunni
	Oct 21 2020, 9:12 PM

Description

I would like to suggest a migration from ntpd to chronyd.

Easier to support vrf's, simpler config file, no need to listen on port 123 to sync time unless you intend to accept inbound connections, no need to listen on localhost to check status.

https://chrony.tuxfamily.org/comparison.html

Example config file:

# These servers were defined in the installation:
pool 0.pool.ntp.org. iburst
pool 1.pool.ntp.org. iburst
pool 2.pool.ntp.org. iburst
pool 3.pool.ntp.org. iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC

# You can include data from any files in a directory.
#include /etc/chrony.d/*.conf

# Binds the socket on which chronyd listens for NTP requests to a local address of the computer.
#bindaddress 192.168.1.1

# The allow directive is used to designate a particular subnet from which NTP clients are allowed to access the computer as an NTP server.
#allow 192.168.0.0/16
#allow 2001:db8::/32

Details

Difficulty level: Normal (likely a few hours)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Internal change (not visible to end users)

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved	FEATURE REQUEST	c-po	T3008 Migrate from ntpd to chronyd
		Resolved	FEATURE REQUEST	indrajitr	T5112 Enable support for Network Time Security (NTS) for chrony

Event Timeline

Gunni created this task.Oct 21 2020, 9:12 PM

Gunni updated the task description. (Show Details)

Gunni mentioned this in T2321: VRF support for SSH, NTP, SNMP service.Oct 21 2020, 11:02 PM

pasik added a subscriber: pasik.Oct 22 2020, 10:26 AM

mpueschel added a subscriber: mpueschel.Oct 22 2020, 12:38 PM

bcstechdept added a subscriber: bcstechdept.Oct 22 2020, 3:33 PM

Viacheslav added a project: VyOS 1.3 Equuleus.Oct 22 2020, 5:07 PM

Can chronyd completely replace NTP?

Yes, absolutely, and if you visit the link in the post you'll see a comparison of them, and at the bottom is some explanation.

1. When the user's data source uses NTP cluster, whether switching to the new service may lead to the compatibility problem of NTP cluster network

The NTP client feature of the new service just does not support extra timestamp validation

Does anyone understand the meaning of these performance data? I don’t know the unit of these data

If the user configures his cluster as a "pool" or a bunch of "server" they should work fine, he can also "allow" them to connect to him if he wishes. I would recommend connecting to a good pool myself, or a low stratum device hosted locally, instead of making some kind of cluster.
https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-users/2016/03/msg00001.html

Regarding the units in the tables, it is probably microseconds.

Here is the output from my laptop chronyc tracking command:

$ chronyc tracking
Reference ID    : EC76EF1F (ht-time01.isnic.is)
Stratum         : 2
Ref time (UTC)  : Thu Oct 22 18:16:28 2020
System time     : 0.000072870 seconds fast of NTP time
Last offset     : +0.000046314 seconds
RMS offset      : 0.000053620 seconds
Frequency       : 16.529 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.011 ppm
Root delay      : 0.003382422 seconds
Root dispersion : 0.000307402 seconds
Update interval : 2059.1 seconds
Leap status     : Normal

It looks good, I want to ask how other people in the community think about this?

syncer removed a project: VyOS 1.2 Crux.Oct 22 2020, 11:53 PM

I've been running chronyd for some time in a number of environments without any noticeable issues. I do think the clock on the hosts seems to be a bit more stable, but not something that is overly remarkable one way or the other. I'd have no problem with the change.

erkin set Issue type to Internal change (not visible to end users).Aug 29 2021, 12:29 PM

erkin removed a subscriber: Active contributors.

Hey @erkin why hide this ticket? I'm still hoping for this change.

@Gunni I didn't hide it, I just pruned an obsolete subscriber group and assigned a task label. :-)

oh sorry, just misunderstood the

not visible to end users

sorry

Unknown Object (User) added a subscriber: Unknown Object (User).Sep 20 2021, 5:47 PM

Unknown Object (User) awarded a token.Sep 21 2021, 9:59 AM

Georgiy-Tugai added a subscriber: Georgiy-Tugai.Oct 13 2021, 3:28 PM

In T3008#78303, @jack9603301 wrote:

Does anyone understand the meaning of these performance data? I don’t know the unit of these data

From the paragraph above "Test 1"

The results are mean values and standard deviations from 100 simulations. The values are in microseconds.

My understanding is that the values in the table are, thus, the difference between ground truth (the reference clock) and the client clock as synchronised by the three different NTP implementations, under various network conditions.

In regards to the chrony-ntp comparison in general;

Things ntp can do that chrony can’t:

ntp supports all operating modes from RFC 5905, including broadcast, multicast, and manycast server/client. However, the broadcast and multicast modes are inherently less accurate and less secure (even with authentication) than the ordinary server/client mode, and should generally be avoided.

ntp supports the Autokey protocol (RFC 5906) to authenticate servers with public-key cryptography. Note that the protocol has been shown to be insecure and has been obsoleted by NTS (RFC 8915).

ntp has been ported to more operating systems.

ntp includes a large number of drivers for various hardware reference clocks. chrony requires other programs (e.g. gpsd or ntp-refclock) to provide reference time via the SHM or SOCK interface.

I don't know whether there are platforms which VyOS supports but Chrony does not.

I assume that the VyOS project is not likely to care deeply about arcane NTP modes or local hardware clocks, but I thought those points were worth mentioning anyway.

Georgiy-Tugai awarded a token.Oct 13 2021, 3:39 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:24 AM

c-po assigned this task to Viacheslav.Dec 4 2021, 3:58 PM

c-po merged a task: T4050: Replace NTPd with Chrony.

c-po added subscribers: dmbaturin, Viacheslav, Active contributors.

syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:04 AM

tioan added a subscriber: tioan.Oct 16 2022, 12:30 PM

Viacheslav mentioned this in T4926: using chronyd service to replace ntpd .Jan 10 2023, 5:51 AM

c-po merged a task: T4926: using chronyd service to replace ntpd .Jan 10 2023, 8:28 AM

jack9603301 awarded a token.Jan 11 2023, 3:07 AM

Viacheslav removed Viacheslav as the assignee of this task.Jan 11 2023, 9:11 AM

Viacheslav added a project: VyOS 1.4 Sagitta.

c-po claimed this task.Jan 13 2023, 1:49 PM

Draft PR https://github.com/vyos/vyos-1x/pull/1758

Change Summary

Replace ntpd with chrony
Move CLI from "system ntp" -> "service ntp"
Drop NTP server option preempt as not supported by chrony

c-po removed a project: VyOS 1.3 Equuleus (1.3.3).Jan 15 2023, 7:00 AM

I believe this change had an unintended side effect:

$ show ntp system
506 Cannot talk to daemon

$ show version
Version: VyOS 1.4-rolling-202301151434
Release train: current

Built by: [email protected]
Built on: Sun 15 Jan 2023 14:34 UTC
Build UUID: 0b5a5058-ba0b-4a31-a6ce-81eb91b1107b
Build commit ID: a7ab213d74e4f1

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: c853f94e-bed9-460e-804e-041facee7e76

Discovered a couple of problems with chrony using the existing CLI.

bindaddress has the following note in documentation:

Currently, for each of the IPv4 and IPv6 protocols, only one bindaddress directive can be specified. Therefore, it is not useful on computers which should serve NTP on multiple network interfaces.

binddevice also has the following:

The binddevice directive binds the NTP and NTS-KE server sockets to a network device specified by the interface name. This directive can specify only one interface and it is supported on Linux only.

Both listen-address and interface nodes in VyOS are multi value nodes, chrony will only use the first value of each node.

indrajitr added a subtask: T5112: Enable support for Network Time Security (NTS) for chrony.Mar 25 2023, 7:55 AM

Viacheslav changed the status of subtask T5112: Enable support for Network Time Security (NTS) for chrony from Open to Needs testing.Mar 26 2023, 9:51 AM

indrajitr mentioned this in T5118: Cleanup vestigial ntp completion script.Mar 28 2023, 10:53 PM

indrajitr mentioned this in T5170: Relocate ntp config path in config.boot.default.Apr 20 2023, 1:15 AM

indrajitr closed subtask T5112: Enable support for Network Time Security (NTS) for chrony as Resolved.Oct 13 2023, 10:08 PM