How To Install NTP on AlmaLinux 10
Accurate time synchronization stands as one of the most critical yet often overlooked aspects of modern server management. When servers drift out of sync, the consequences ripple through your entire infrastructure. Authentication failures plague login attempts, log files become chronologically inconsistent, and distributed applications struggle to maintain data integrity.
Network Time Protocol (NTP) solves these timing challenges by synchronizing system clocks across networks with remarkable precision. AlmaLinux 10, as a robust enterprise-grade alternative to Red Hat Enterprise Linux, provides excellent NTP support through both the modern Chrony service and traditional NTP daemon implementations.
This comprehensive guide walks you through installing and configuring NTP on AlmaLinux 10 systems. You’ll master both Chrony and traditional NTP setups, learn essential security configurations, and discover troubleshooting techniques that keep your time synchronization running smoothly.
Understanding NTP and Time Synchronization Fundamentals
Network Time Protocol Architecture
Network Time Protocol operates on a hierarchical system of time sources called stratum levels. Stratum 0 represents atomic clocks and GPS receivers—the most accurate time sources available. Stratum 1 servers connect directly to these reference clocks, while Stratum 2 servers synchronize with Stratum 1 sources, and so forth.
Modern NTP implementations achieve millisecond-level accuracy across local networks and maintain precision within tens of milliseconds over the internet. The protocol continuously monitors network delays and adjusts for transmission latency, ensuring your system clock remains accurate even under varying network conditions.
NTP servers can function in multiple roles simultaneously. A single system might act as a client to upstream time sources while serving time to downstream clients in your network infrastructure.
Chrony vs Traditional NTP: Making the Right Choice
AlmaLinux 10 ships with Chrony as the default time synchronization service, and for good reason. Chrony excels in environments with intermittent network connectivity, making it ideal for laptops, virtual machines, and systems that frequently sleep or hibernate.
Traditional NTP daemon (ntpd) remains the gold standard for always-on servers requiring maximum accuracy and stability. Large-scale deployments often prefer ntpd for its extensive configuration options and proven reliability in mission-critical environments.
Chrony synchronizes faster after system startup and handles network interruptions more gracefully. However, ntpd provides superior accuracy for servers with consistent network connectivity and offers more advanced features for complex time distribution scenarios.
Prerequisites and System Preparation
System Requirements and Validation
Before installing NTP services on AlmaLinux 10, verify your system meets the basic requirements. A minimum of 1GB RAM and 10GB available disk space ensures smooth operation, though typical NTP services consume minimal resources.
Check your current system status using the timedatectl command:
timedatectl status
This command reveals your current time configuration, timezone settings, and any existing time synchronization services. Network connectivity to NTP servers is essential—verify internet access or identify local NTP servers within your network.
Pre-installation System Updates
Update your AlmaLinux 10 system to ensure compatibility with the latest NTP packages:
sudo dnf update -y
sudo dnf clean all
System updates prevent package conflicts and ensure you receive the latest security patches. Reboot your system if kernel updates were installed during this process.
Verify your network configuration allows UDP traffic on port 123, the standard NTP port. Most default firewall configurations block this port, requiring explicit configuration changes covered in later sections.
Environment Assessment
Identify appropriate NTP servers for your geographic location and network architecture. Public NTP pools like pool.ntp.org provide geographically distributed servers, while corporate environments often maintain internal NTP servers for security and performance reasons.
Document your current time zone settings and any special requirements for your environment. Some organizations require specific NTP servers for compliance or security policies.
Method 1: Installing and Configuring Chrony
Chrony Installation Process
Chrony comes pre-installed on most AlmaLinux 10 systems, but verify its presence and update to the latest version:
sudo dnf install chrony -y
Check the installed version and service status:
chronyd -v
systemctl status chronyd
If chronyd is reported as running, the installation completed successfully. If it is not running yet, enable and start it as described under Chrony Service Management.
Basic Chrony Configuration
The main Chrony configuration file resides at /etc/chrony.conf. Open this file with your preferred text editor:
sudo nano /etc/chrony.conf
The default configuration typically includes several pool servers:
pool 2.almalinux.pool.ntp.org iburst
server 0.almalinux.pool.ntp.org iburst
server 1.almalinux.pool.ntp.org iburst
Pool directives automatically select multiple servers from the specified pool, providing redundancy and load distribution. The iburst option accelerates initial synchronization by sending multiple requests when the service starts.
For optimal performance, replace default servers with geographically closer alternatives:
pool 0.id.pool.ntp.org iburst
pool 1.asia.pool.ntp.org iburst
server time.cloudflare.com iburst
server time.google.com iburst
Advanced Chrony Configuration
Configure Chrony as a time server for your local network by adding these directives:
allow 192.168.1.0/24
allow 10.0.0.0/8
local stratum 10
The allow directive specifies which networks can access your server. Use appropriate IP ranges matching your network topology. The local directive enables the server to continue operating even when external time sources become unavailable.
Additional performance tuning options include:
makestep 1.0 3
maxupdateskew 100.0
rtcsync
The makestep directive allows immediate time corrections larger than 1 second during the first three updates. This prevents gradual adjustments that might take hours to complete.
Chrony Service Management
Enable and start the chronyd service:
sudo systemctl enable chronyd
sudo systemctl start chronyd
Verify the service runs correctly:
sudo systemctl status chronyd
The service should show “active (running)” status. If you encounter errors, check the system journal for diagnostic information:
sudo journalctl -u chronyd -f
Method 2: Installing Traditional NTP
When to Choose Traditional NTP
Traditional NTP daemon offers superior accuracy for servers with consistent network connectivity. Choose ntpd over Chrony when:
- Maximum time accuracy is critical
- Your environment includes legacy systems requiring ntpd compatibility
- You need advanced features like authentication or access control
- Corporate policies mandate traditional NTP usage
Traditional NTP Installation
First, disable and remove any existing time synchronization services:
sudo systemctl stop chronyd
sudo systemctl disable chronyd
sudo systemctl mask systemd-timesyncd
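Install the NTP package. Note that the ntp package was dropped from the RHEL base repositories starting with RHEL 8, so on AlmaLinux 10 this command succeeds only if a repository that provides ntpd is enabled: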
sudo dnf install ntp -y
Verify the installation:
ntpd --version
NTP Configuration
Edit the main NTP configuration file:
sudo nano /etc/ntp.conf
Configure reliable time servers:
server 0.id.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server time.cloudflare.com iburst
server time.google.com iburst
Add access control restrictions:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
These restrictions prevent unauthorized clients from modifying your server’s configuration while allowing legitimate time synchronization requests.
NTP Service Management
Enable and start the NTP daemon:
sudo systemctl enable ntpd
sudo systemctl start ntpd
Monitor the service status:
sudo systemctl status ntpd
The ntpd service requires several minutes to achieve full synchronization. Be patient during initial startup phases.
Firewall Configuration and Security Implementation
Opening Required Ports
Configure firewalld to allow NTP traffic:
sudo firewall-cmd --permanent --add-service=ntp
sudo firewall-cmd --reload
Verify the rule addition:
sudo firewall-cmd --list-services
To open the port explicitly instead of using the predefined service, use:
sudo firewall-cmd --permanent --add-port=123/udp
sudo firewall-cmd --reload
Security Best Practices
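Implement network access controls in your NTP configuration. chronyd serves no NTP clients until an allow directive is present. If you also add deny all, put it before the allow line: a directive that uses the all keyword overrides the rules that precede it, so deny all placed last would also block 192.168.1.0/24:
deny all
allow 192.168.1.0/24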
Traditional NTP uses restrict directives for access control:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
Monitor your NTP logs regularly for unauthorized access attempts. Enable detailed logging in Chrony:
log tracking measurements statistics
logdir /var/log/chrony
Consider implementing NTP authentication for high-security environments. Generate authentication keys and distribute them to authorized clients.
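An added lint for the allow and deny directives used in this section and under Advanced Chrony Configuration (example code, not part of the original guide or of chrony; the function name and the MIN_PREFIX threshold are assumptions). It flags an allow that matches every address, very broad IPv4 subnets, and a deny all placed after allow lines, which chronyd applies as an override of those earlier rules:

```bash
#!/bin/bash
# Added example: lint the NTP client-access rules of a chrony.conf read on stdin.
# Prints one finding per line and exits 1 if anything was flagged, else 0.
# Assumption: MIN_PREFIX (default 16) is the shortest IPv4 prefix accepted without
# a warning; it is a local policy choice, not a chrony limit.
audit_chrony_access() {
    awk -v minp="${MIN_PREFIX:-16}" '
        /^[ \t]*([#!;%]|$)/ { next }                 # comment or blank line
        $1 == "allow" {
            net = ($2 == "all") ? $3 : $2
            if (net == "" || net ~ /\/0$/) {
                print "line " NR ": allow is open to every address"; bad = 1
            } else {
                n = split(net, part, "/")
                if (net !~ /:/ && n == 2 && part[2] + 0 < minp) {
                    print "line " NR ": " net " is broader than /" minp; bad = 1
                }
            }
            allows++
            next
        }
        # "deny all" without a subnet wipes every allow rule that came before it
        $1 == "deny" && $2 == "all" && $3 == "" && allows > 0 {
            print "line " NR ": deny all cancels " allows " earlier allow rule(s)"
            bad = 1; allows = 0
        }
        END { exit bad + 0 }'
}

# Constructed sample combining directives shown in this guide.
audit_chrony_access <<'EOF' || true
pool 2.almalinux.pool.ntp.org iburst
allow 192.168.1.0/24
allow 10.0.0.0/8
local stratum 10
deny all
EOF
```

Run it against a live configuration with audit_chrony_access < /etc/chrony.conf.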
Configuration Verification and Testing
Chrony Verification Procedures
Check Chrony synchronization status:
chronyc sources -v
This command displays all configured time sources with their current status. Look for sources marked with asterisks (*), indicating active synchronization.
Monitor tracking information:
chronyc tracking
The tracking output shows system clock accuracy, frequency correction, and synchronization quality metrics. Pay attention to the “System time” offset, which should remain within acceptable limits.
View client connections if running as a server:
chronyc clients
Traditional NTP Verification
Query NTP server status:
ntpq -p
The output displays peer information with status symbols:
- * indicates the selected synchronization source
- + shows acceptable alternative sources
- - represents discarded sources
- x marks false tickers
Check overall synchronization status:
ntpstat
This command provides a summary of synchronization health and accuracy estimates.
System-wide Time Verification
Verify system-wide time settings:
timedatectl
The command output should show “System clock synchronized: yes” when time synchronization is working correctly (older systemd releases label this field “NTP synchronized”).
Compare hardware and system clocks:
hwclock --show
date
Significant differences between these clocks may indicate synchronization problems or hardware issues.
Client Configuration Scenarios
Configuring NTP Clients
Set up Chrony clients pointing to your local NTP server:
sudo nano /etc/chrony.conf
Replace default servers with your local server:
server 192.168.1.100 iburst
server 192.168.1.101 iburst
Remove pool directives and external servers when using local time sources exclusively. This configuration improves security by preventing external time synchronization.
For redundancy, configure multiple local servers:
server ntp1.company.com iburst
server ntp2.company.com iburst
server ntp3.company.com iburst
Mixed Environment Management
Manage environments with both Chrony and traditional NTP systems by ensuring compatibility at the protocol level. Both implementations communicate using standard NTP packets, allowing seamless interoperability.
Configure Chrony clients to use traditional NTP servers without modification. The protocol abstraction handles implementation differences transparently.
For Windows clients, point them to your AlmaLinux NTP servers using the standard Windows time service configuration:
w32tm /config /manualpeerlist:"192.168.1.100,192.168.1.101" /syncfromflags:manual
Troubleshooting Common Issues
Synchronization Problems
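When time synchronization fails, start with basic connectivity tests. NTP uses UDP, so a TCP tool such as telnet cannot test port 123; instead, have chronyd query the server once and print the measured offset without setting the clock:
ping pool.ntp.org
chronyd -Q 'server pool.ntp.org iburst'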
Check firewall rules blocking NTP traffic:
sudo firewall-cmd --list-all
Verify NTP service status and examine logs:
sudo systemctl status chronyd
sudo journalctl -u chronyd --since "1 hour ago"
Large time offsets may prevent synchronization. Manually set the approximate time before starting NTP services:
sudo ntpdate -s pool.ntp.org
Service and Configuration Issues
Diagnose Chrony service failures by examining detailed logs:
sudo journalctl -u chronyd -f
Common configuration errors include:
- Syntax errors in configuration files
- Incorrect server addresses or hostnames
- Missing firewall rules
- SELinux denials
Test configuration file syntax:
sudo chronyd -n -d
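This command runs Chrony in debug mode without daemonizing, revealing configuration problems. Stop the chronyd service first, because a second instance will not start while one is already running.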
Network and Connectivity Issues
Resolve DNS issues affecting NTP server resolution:
nslookup pool.ntp.org
dig pool.ntp.org
If DNS resolution fails, use IP addresses instead of hostnames in your NTP configuration.
Test UDP port 123 connectivity:
sudo nmap -sU -p 123 pool.ntp.org
Network routing problems may prevent NTP traffic from reaching intended servers. Trace network paths:
traceroute pool.ntp.org
Performance Optimization and Monitoring
Tuning Synchronization Parameters
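Optimize polling intervals based on your network characteristics. minpoll and maxpoll are options on a server or pool line, not standalone directives:
server pool.ntp.org iburst minpoll 4 maxpoll 9
These settings control how frequently your system contacts NTP servers. The values are powers of two in seconds, so this example polls between every 16 and every 512 seconds. Shorter intervals provide better accuracy but increase network traffic.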
Configure burst mode for faster initial synchronization:
server pool.ntp.org iburst
The iburst option sends multiple requests during startup, reducing synchronization time from minutes to seconds.
Monitoring and Maintenance
Implement automated monitoring for NTP health:
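#!/bin/bash
# NTP monitoring script: warn when the clock is more than 100 ms from NTP time
# "System time" in chronyc tracking is an absolute offset in seconds (field 4)
OFFSET=$(chronyc tracking 2>/dev/null | awk '/^System time/ {print $4}')
if [ -z "$OFFSET" ]; then
    echo "CRITICAL: chronyc tracking returned no offset (is chronyd running?)"
    exit 2
fi
if awk -v o="$OFFSET" 'BEGIN { exit !(o > 0.1) }'; then
    echo "WARNING: Time offset exceeds 100ms: $OFFSET"
    exit 1
fi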
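An offset-only check like the one above reports a healthy clock when chronyd has no usable source, because an unsynchronised chronyd prints a System time offset of zero. The following added example (not part of the original guide; the function name, MAX_OFFSET and LOCAL_STRATUM are assumptions) also evaluates the Leap status and Stratum fields, including the stratum 10 fallback configured earlier with local stratum 10:

```bash
#!/bin/bash
# Added example: classify `chronyc tracking` output read on stdin.
# Exit status: 0 = OK, 1 = offset above limit, 2 = not synchronised / local fallback.
# Assumptions: MAX_OFFSET defaults to 0.1 s; LOCAL_STRATUM matches "local stratum 10".
check_tracking() {
    awk -F' *: *' -v max="${MAX_OFFSET:-0.1}" -v lstr="${LOCAL_STRATUM:-10}" '
        $1 == "Stratum"     { stratum = $2 + 0 }
        $1 == "Leap status" { leap = $2 }
        $1 == "System time" { split($2, f, " "); offset = f[1] + 0; seen = 1 }
        END {
            if (!seen) {
                print "CRITICAL: no tracking data (is chronyd running?)"; exit 2
            }
            if (leap == "Not synchronised" || stratum == 0) {
                print "CRITICAL: clock is not synchronised to any source"; exit 2
            }
            if (stratum >= lstr) {
                print "CRITICAL: serving the local clock at stratum " stratum; exit 2
            }
            if (offset > max) {
                print "WARNING: offset " offset " s exceeds " max " s"; exit 1
            }
            print "OK: stratum " stratum ", offset " offset " s"
        }'
}

# Constructed sample: what chronyd reports before it has selected any source.
# The offset is zero, so a check that looks only at "System time" would pass.
unsynced_sample() {
    cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
Leap status     : Not synchronised
EOF
}

unsynced_sample | check_tracking || true
# On a live host: chronyc tracking | check_tracking
```

The exit codes follow the usual OK/WARNING/CRITICAL plugin convention, so the function can be called from cron or from a Nagios-style check.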
Set up log rotation for NTP logs:
sudo nano /etc/logrotate.d/chrony
Add rotation configuration:
/var/log/chrony/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 640 chrony chrony
}
Integration with Monitoring Systems
Configure SNMP monitoring for NTP status:
sudo dnf install net-snmp-utils -y
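Query the host's date and time over SNMP (this OID is hrSystemDate from HOST-RESOURCES-MIB; replace public with your own community string):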
snmpwalk -v2c -c public localhost 1.3.6.1.2.1.25.1.2
Integrate with popular monitoring solutions like Nagios, Zabbix, or Prometheus using custom scripts or existing plugins.
Advanced Configuration Topics
Authentication and Security
Implement NTP authentication for enhanced security:
sudo nano /etc/chrony.conf
Add authentication directives:
keyfile /etc/chrony.keys
authselectmode require
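Generate authentication keys. The command below creates an MD5 key; chrony also supports stronger key types such as SHA256, and chronyc keygen can generate them: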
sudo sh -c 'echo "1 MD5 $(openssl rand -hex 16)" > /etc/chrony.keys'
sudo chmod 640 /etc/chrony.keys
sudo chown root:chrony /etc/chrony.keys
Configure clients with the same key file entry and reference the key ID on their server lines with the key option (for example, key 1) for authenticated time synchronization.
High Availability Configurations
Deploy multiple NTP servers for redundancy:
server ntp1.company.com iburst
server ntp2.company.com iburst
server ntp3.company.com iburst
Tune server selection in ntpd (tos is an ntp.conf directive):
tos minclock 2 maxclock 4
These settings require at least 2 servers for synchronization while limiting the maximum to 4 for optimal performance.
Container and Virtualization Considerations
Containers use the host kernel's clock, so time synchronization is handled on the host. Mount the host’s /etc/localtime read-only so the container also uses the host's time zone:
docker run -v /etc/localtime:/etc/localtime:ro myapp
For virtual machines, ensure proper time source configuration. Some hypervisors provide virtual time sources that may conflict with NTP.
Congratulations! You have successfully installed NTP. Thanks for using this tutorial for installing the Network Time Protocol (NTP) on your AlmaLinux OS 10 system. For additional help or useful information, we recommend you check the official AlmaLinux website.