I am setting up a time server with chronyd but it fails to sync.
```
# chronyc sources
210 Number of sources = 5
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? smtp.visionnet.us             0  10     0    10y     +0ns[   +0ns] +/-    0ns
^? nist1-lnk.binary.net          0  10     0    10y     +0ns[   +0ns] +/-    0ns
^? c-73-98-218-154.hsd1.ut.c     0  10     0    10y     +0ns[   +0ns] +/-    0ns
^? clock.xmission.com            0  10     0    10y     +0ns[   +0ns] +/-    0ns
^? time-c.timefreq.bldrdoc.g     0  10     0    10y     +0ns[   +0ns] +/-    0ns
```
Hours later, it still can't sync.
However, if I configure ntpd on the same host with the same ntp servers it syncs immediately:
```
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-lithium.constan 18.26.4.105      2 u   50   64    7   74.746   13.677   1.487
*nist1-lnk.binar .ACTS.           1 u   49   64    7   48.827    6.845   4.008
+c-73-98-218-154 .GPS.            1 u   47   64    7   12.792    2.418   1.338
+clock.xmission. .XMIS.           1 u   49   64    7   22.799   12.845   1.272
-time-c.timefreq .NIST.           1 u   49   64    7   59.498   -2.968   1.434
```
If I watch tcpdump during both attempts, I can see that when chrony attempts, it sends an NTPv4 Client packet and I never see a response, but when ntpd does it, I see the NTPv4 Client packet and the NTPv4 Server packet immediately after.
Is there something I'm missing? Does chrony talk on any other port than udp 123? (We do have a datacenter firewall that needed a hole opened to get out, but I can't shake the feeling that there might be something else needed by chronyd)
ENVIRONMENT:
System is RHEL 7.3 patched current one week ago
Here's my chrony.conf:
```
server us.pool.ntp.org iburst
server time.nist.gov iburst
server time.nc7j.com iburst
server time.xmission.com iburst
server time-c.timefreq.bldrdoc.gov iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
noclientlog
logchange 0.5
logdir /var/log/chrony
allow 0.0.0.0/0
```
and for comparison, my ntp.conf:
```
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server us.pool.ntp.org iburst
server time.nist.gov iburst
server time.nc7j.com iburst
server time.xmission.com iburst
server time-c.timefreq.bldrdoc.gov iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
logfile /var/log/ntp.log
```
Best Answer
The difference is that chronyd by default uses a random source port for each client request. If the firewall doesn't allow client requests from other ports than 123, you will need to specify the port by adding
```
acquisitionport 123
```
to chrony.conf. The directive is documented here.
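A small probe, added here as an example and not part of the question or answer, that sends one NTPv4 client packet from a chosen UDP source port and reports whether a server reply comes back; running it once with an ephemeral port (chronyd's default) and once bound to 123 (ntpd's behaviour, and chronyd's with `acquisitionport 123`) shows directly whether a firewall is dropping client packets by source port. The server name and timeout are assumptions, and binding port 123 requires root.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_client_packet() -> bytes:
    """48-byte NTPv4 client request: LI=0, VN=4, Mode=3, Transmit Timestamp filled in."""
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32))
    # first byte 0x23 = 0b00_100_011 -> LI 0, version 4, mode 3 (client)
    return struct.pack("!BBbb11I", 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)

def parse_server_packet(data: bytes) -> dict:
    """Decode the header fields a practitioner checks first in an NTP server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    return {
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,   # 4 = server reply
        "stratum": stratum,
        "refid": data[12:16],  # e.g. b"GPS\x00" or b"ACTS" on stratum-1 servers
    }

def probe(server: str, source_port: int, timeout: float = 2.0):
    """Send one client packet from source_port (0 = random ephemeral port, as chronyd
    does by default; 123 = fixed port, as ntpd does) to server:123/udp.
    Returns the parsed reply, or None if nothing arrived before the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("0.0.0.0", source_port))
        sock.sendto(build_client_packet(), (server, 123))
        data, _ = sock.recvfrom(512)
        return parse_server_packet(data)
    except socket.timeout:
        return None
    finally:
        sock.close()

if __name__ == "__main__":
    # Assumed server name; a reply for 123 but None for 0 points at a source-port filter.
    for port in (0, 123):
        print("source port", port, "->", probe("pool.ntp.org", port))
```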