CHRONYC(1) | User manual | CHRONYC(1) |
chronyc - command-line interface for chrony daemon
chronyc [OPTION]... [COMMAND]...
chronyc is a command-line interface program which can be used to monitor chronyd's performance and to change various operating parameters whilst it is running.
If no commands are specified on the command line, chronyc will expect input from the user. The prompt chronyc> will be displayed when it is being run from a terminal. If chronyc's input or output are redirected from or to a file, the prompt will not be shown.
There are two ways chronyc can access chronyd. One is the Internet Protocol (IPv4 or IPv6) and the other is a Unix domain socket, which is accessible locally by the root or chrony user. By default, chronyc first tries to connect to the Unix domain socket. The compiled-in default path is /run/chrony/chronyd.sock. If that fails (e.g. because chronyc is running under a non-root user), it will try to connect to 127.0.0.1 and then ::1.
Only the following monitoring commands, which do not affect the behaviour of chronyd, are allowed from the network: activity, manual list, rtcdata, smoothing, sourcename, sources, sourcestats, tracking, waitsync. The set of hosts from which chronyd will accept these commands can be configured with the cmdallow directive in the chronyd's configuration file or the cmdallow command in chronyc. By default, the commands are accepted only from localhost (127.0.0.1 or ::1).
All other commands are allowed only through the Unix domain socket. When sent over the network, chronyd will respond with a ‘Not authorised’ error, even if it is from localhost.
Having full access to chronyd via chronyc is more or less equivalent to being able to modify the chronyd's configuration file and restart it.
-4
-6
-n
-N
-c
-d
-m
-h host
The default value is /run/chrony/chronyd.sock,127.0.0.1,::1, i.e. the host where chronyc is being run. First, it tries to connect to the Unix domain socket and if that fails (e.g. due to running under a non-root user), it will try to connect to 127.0.0.1 and then ::1.
-p port
-f file
-a
-v, --version
--help
This section describes each of the commands available within the chronyc program.
tracking
Reference ID : CB00710F (foo.example.net) Stratum : 3 Ref time (UTC) : Fri Jan 27 09:49:17 2017 System time : 0.000006523 seconds slow of NTP time Last offset : -0.000006747 seconds RMS offset : 0.000035822 seconds Frequency : 3.225 ppm slow Residual freq : -0.000 ppm Skew : 0.129 ppm Root delay : 0.013639022 seconds Root dispersion : 0.001100737 seconds Update interval : 64.2 seconds Leap status : Normal
The fields are explained as follows:
Reference ID
If the reference ID is 7F7F0101 and there is no name or IP address, it means the computer is not synchronised to any external source and that you have the local mode operating (via the local command in chronyc, or the local directive in the configuration file).
The reference ID is printed as a hexadecimal number. Note that in older versions it used to be printed in quad-dotted notation and could be confused with an IPv4 address.
Stratum
Ref time
System time
Note that all other offsets reported by chronyc and most offsets in the log files are relative to the NTP clock, not the system clock.
Last offset
RMS offset
Frequency
Residual freq
The reason this is not always zero is that a smoothing procedure is applied to the frequency. Each time a measurement from the reference source is obtained and a new residual frequency computed, the estimated accuracy of this residual is compared with the estimated accuracy (see ‘skew’ next) of the existing frequency value. A weighted average is computed for the new frequency, with weights depending on these accuracies. If the measurements from the reference source follow a consistent trend, the residual will be driven to zero over time.
Skew
Root delay
Root dispersion
An absolute bound on the computer’s clock accuracy (assuming the stratum-1 computer is correct) is given by:
clock_error <= |system_time_offset| + root_dispersion + (0.5 * root_delay)
Update interval
Leap status
makestep, makestep threshold limit
The makestep command can be used in this situation. There are two forms of the command. The first form has no parameters. It tells chronyd to cancel any remaining correction that was being slewed and jump the system clock by the equivalent amount, making it correct immediately.
The second form configures the automatic stepping, similarly to the makestep directive. It has two parameters, stepping threshold (in seconds) and number of future clock updates for which the threshold will be active. This can be used with the burst command to quickly make a new measurement and correct the clock by stepping if needed, without waiting for chronyd to complete the measurement and update the clock.
makestep 0.1 1 burst 1/2
BE WARNED: Certain software will be seriously affected by such jumps in the system time. (That is the reason why chronyd uses slewing normally.)
maxupdateskew skew-in-ppm
waitsync [max-tries [max-correction [max-skew [interval]]]]
Up to four optional arguments can be specified. The first is the maximum number of tries before giving up and returning a non-zero error code. When 0 is specified, or there are no arguments, the number of tries will not be limited.
The second and third arguments are the maximum allowed remaining correction of the system clock and the maximum allowed skew (in ppm) as reported by the tracking command in the System time and Skew fields. If not specified or zero, the value will not be checked.
The fourth argument is the interval specified in seconds in which the check is repeated. The interval is 10 seconds by default.
An example is:
waitsync 60 0.01
which will wait up to about 10 minutes (60 times 10 seconds) for chronyd to synchronise to a source and the remaining correction to be less than 10 milliseconds.
sources [-a] [-v]
If the -a option is specified, all sources are displayed, including those that do not have a known address yet. Such sources have an identifier in the format ID#XXXXXXXXXX, which can be used in other commands expecting a source address.
The -v option enables a verbose output. In this case, extra caption lines are shown as a reminder of the meanings of the columns.
MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== #* GPS0 0 4 377 11 -479ns[ -621ns] +/- 134ns ^? foo.example.net 2 6 377 23 -923us[ -924us] +/- 43ms ^+ bar.example.net 1 6 377 21 -2629us[-2619us] +/- 86ms
The columns are as follows:
M
S
Name/IP address
Stratum
Poll
Reach
LastRx
Last sample
sourcestats [-a] [-v]
If the -a option is specified, all sources are displayed, including those that do not have a known address yet. Such sources have an identifier in the format ID#XXXXXXXXXX, which can be used in other commands expecting a source address.
The -v option enables a verbose output. In this case, extra caption lines are shown as a reminder of the meanings of the columns.
An example report is:
Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev =============================================================================== foo.example.net 11 5 46m -0.001 0.045 1us 25us
The columns are as follows:
Name/IP Address
NP
NR
Span
Frequency
Freq Skew
Offset
Std Dev
selectdata [-a] [-v]
An example of the output is shown below.
S Name/IP Address Auth COpts EOpts Last Score Interval Leap ======================================================================= D foo.example.net Y ----- --TR- 4 1.0 -61ms +62ms N * bar.example.net N ----- ----- 0 1.0 -6846us +7305us N + baz.example.net N ----- ----- 10 1.0 -7381us +7355us N
The columns are as follows:
S
Name/IP address
Auth
COpts
EOpts
Last
Score
Interval
Leap
reselect
The reselect command can be used to force chronyd to reselect the best synchronisation source.
reselectdist distance
activity
The report shows the number of servers and peers in 5 states:
online
offline
burst_online
burst_offline
unresolved
authdata [-a]
Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen ========================================================================= foo.example.net NTS 1 15 256 135m 0 0 8 100 bar.example.net SK 30 13 128 - 0 0 0 0 baz.example.net - 0 0 0 - 0 0 0 0
The columns are as follows:
Name/IP address
Mode
KeyID
Type
KLen
Last
Atmp
NAK
Cook
CLen
ntpdata [address]
Remote address : 203.0.113.15 (CB00710F) Remote port : 123 Local address : 203.0.113.74 (CB00714A) Leap status : Normal Version : 4 Mode : Server Stratum : 1 Poll interval : 10 (1024 seconds) Precision : -24 (0.000000060 seconds) Root delay : 0.000015 seconds Root dispersion : 0.000015 seconds Reference ID : 47505300 (GPS) Reference time : Fri Nov 25 15:22:12 2016 Offset : -0.000060878 seconds Peer delay : 0.000175634 seconds Peer dispersion : 0.000000681 seconds Response time : 0.000053050 seconds Jitter asymmetry: +0.00 NTP tests : 111 111 1111 Interleaved : No Authenticated : No TX timestamping : Kernel RX timestamping : Kernel Total TX : 24 Total RX : 24 Total valid RX : 24 Total good RX : 22
The fields are explained as follows:
Remote address
Remote port
Local address
Leap status, Version, Mode, Stratum, Poll interval, Precision, Root delay, Root dispersion, Reference ID, Reference time
Offset, Peer delay, Peer dispersion
Response time
Jitter asymmetry
NTP tests
Interleaved
Authenticated
TX timestamping
RX timestamping
Total TX
Total RX
Total valid RX
Total good RX
add peer name [option]...
Following the words add peer, the syntax of the following parameters and options is identical to that for the peer directive in the configuration file.
An example of using this command is shown below.
add peer foo.example.net minpoll 6 maxpoll 10 key 25
add pool name [option]...
Following the words add pool, the syntax of the following parameters and options is identical to that for the pool directive in the configuration file.
An example of using this command is shown below:
add pool foo.example.net maxsources 3 iburst
add server name [option]...
Following the words add server, the syntax of the following parameters and options is identical to that for the server directive in the configuration file.
An example of using this command is shown below:
add server foo.example.net minpoll 6 maxpoll 10 key 25
delete address
burst good/max [mask/masked-address], burst good/max [masked-address/masked-bits], burst good/max [address]
The mask and masked-address arguments are optional, in which case chronyd will initiate a burst for all of its currently defined sources.
The arguments have the following meaning and format:
good
max
mask
masked-address
masked-bits
address
If no mask or masked-address arguments are provided, every source will be matched.
An example of the two-argument form of the command is:
burst 2/10
This will cause chronyd to attempt to get two good measurements from each source, stopping after two have been obtained, but in no event will it try more than ten probes to the source.
Examples of the four-argument form of the command are:
burst 2/10 255.255.0.0/1.2.0.0 burst 2/10 2001:db8:789a::/48
In the first case, the two out of ten sampling will only be applied to sources whose IPv4 addresses are of the form 1.2.x.y, where x and y are arbitrary. In the second case, the sampling will be applied to sources whose IPv6 addresses have first 48 bits equal to 2001:db8:789a.
Example of the three-argument form of the command is:
burst 2/10 foo.example.net
maxdelay address delay
maxdelaydevratio address ratio
maxdelayratio address ratio
maxpoll address maxpoll
Note that the new maximum polling interval only takes effect after the next measurement has been made.
minpoll address minpoll
Note that the new minimum polling interval only takes effect after the next measurement has been made.
minstratum address minstratum
offline [address], offline [masked-address/masked-bits], offline [mask/masked-address]
Another case where offline could be used is where a computer serves time to a local group of computers, and has a permanent connection to true time servers outside the organisation. However, the external connection is heavily loaded at certain times of the day and the measurements obtained are less reliable at those times. In this case, it is probably most useful to determine the gain or loss rate during the quiet periods and let the whole network coast through the loaded periods. The offline and online commands can be used to achieve this.
There are four forms of the offline command. The first form is a wildcard, meaning all sources (including sources that do not have a known address yet). The second form allows an IP address mask and a masked address to be specified. The third form uses CIDR notation. The fourth form uses an IP address or a hostname. These forms are illustrated below.
offline offline 255.255.255.0/1.2.3.0 offline 2001:db8:789a::/48 offline foo.example.net
The second form means that the offline command is to be applied to any source whose IPv4 address is in the 1.2.3 subnet. (The host’s address is logically and-ed with the mask, and if the result matches the masked-address the host is processed.) The third form means that the command is to be applied to all sources whose IPv6 addresses have their first 48 bits equal to 2001:db8:789a. The fourth form means that the command is to be applied only to that one source.
The wildcard form of the address is equivalent to:
offline 0.0.0.0/0.0.0.0 offline ::/0
online [address], online [masked-address/masked-bits], online [mask/masked-address]
The syntax is identical to that of the offline command.
onoffline
polltarget address polltarget
refresh
Sources that stop responding will be replaced with newly resolved addresses automatically after 8 polling intervals, but this command can still be useful to replace them immediately and not wait until they are marked as unreachable.
reload sources
sourcename address
Note that different NTP sources can share the same name, e.g. servers from a pool.
manual on, manual off, manual delete index, manual list, manual reset
The on form of the command enables use of the settime command.
The off form of the command disables use of the settime command.
The list form of the command lists all the samples currently stored in chronyd. The output is illustrated below.
210 n_samples = 1 # Date Time(UTC) Slewed Original Residual ====================================================
0 27Jan99 22:09:20 0.00 0.97 0.00
The columns are as as follows:
The delete form of the command deletes a single sample. The parameter is the index of the sample, as shown in the first column of the output from manual list. Following deletion of the data point, the current error and drift rate are re-estimated from the remaining data points and the system clock trimmed if necessary. This option is intended to allow ‘outliers’ to be discarded, i.e. samples where the administrator realises they have entered a very poor timestamp.
The reset form of the command deletes all samples at once. The system clock is left running as it was before the command was entered.
settime time
It should be noted that the computer’s sense of time will only be as accurate as the reference you use for providing this input (e.g. your watch), as well as how well you can time the press of the return key.
Providing your computer’s time zone is set up properly, you will be able to enter a local time (rather than UTC).
The response to a successful settime command indicates the amount that the computer’s clock was wrong. It should be apparent from this if you have entered the time wrongly, e.g. with the wrong time zone.
The rate of drift of the system clock is estimated by a regression process using the entered measurement and all previous measurements entered during the present run of chronyd. However, the entered measurement is used for adjusting the current clock offset (rather than the estimated intercept from the regression, which is ignored). Contrast what happens with the manual delete command, where the intercept is used to set the current offset (since there is no measurement that has just been entered in that case).
The time is parsed by the public domain getdate algorithm. Consequently, you can only specify time to the nearest second.
Examples of inputs that are valid are shown below:
settime 16:30 settime 16:30:05 settime Nov 21, 2015 16:30:05
For a full description of getdate, see the getdate documentation (bundled, for example, with the source for GNU tar).
accheck address
Examples of use, showing a named host and a numeric IP address, are as follows:
accheck foo.example.net accheck 1.2.3.4 accheck 2001:db8::1
This command can be used to examine the effect of a series of allow, allow all, deny, and deny all commands specified either via chronyc, or in chronyd's configuration file.
clients [-p packets] [-k] [-r]
The -p option specifies the minimum number of received NTP or command packets, or accepted NTS-KE connections, needed to include a client in the list. The default value is 0, i.e. all clients are reported. With the -k option the last four columns will show the NTS-KE accesses instead of command accesses. If the -r option is specified, chronyd will reset the counters of received and dropped packets or connections after reporting the current values.
An example of the output is:
Hostname NTP Drop Int IntL Last Cmd Drop Int Last =============================================================================== localhost 2 0 2 - 133 15 0 -1 7 foo.example.net 12 0 6 - 23 0 0 - -
Each row shows the data for a single host. Only hosts that have passed the host access checks (set with the allow, deny, cmdallow and cmddeny commands or configuration file directives) are logged. The intervals are displayed as a power of 2 in seconds.
The columns are as follows:
serverstats
An example of the output is shown below.
NTP packets received : 1598 NTP packets dropped : 8 Command packets received : 19 Command packets dropped : 0 Client log records dropped : 0 NTS-KE connections accepted: 3 NTS-KE connections dropped : 0 Authenticated NTP packets : 189 Interleaved NTP packets : 43 NTP timestamps held : 44 NTP timestamp span : 120
The fields have the following meaning:
NTP packets received
NTP packets dropped
Command packets received
Command packets dropped
Client log records dropped
NTS-KE connections accepted
NTS-KE connections dropped
Authenticated NTP packets
Interleaved NTP packets
NTP timestamps held
NTP timestamp span
Note that the numbers reported by this overflow to zero after 4294967295 (32-bit values).
allow [all] [subnet]
The syntax is illustrated in the following examples:
allow 1.2.3.4 allow all 3.4.5.0/24 allow 2001:db8:789a::/48 allow 0/0 allow ::/0 allow allow all
deny [all] [subnet]
The syntax is illustrated in the following examples:
deny 1.2.3.4 deny all 3.4.5.0/24 deny 2001:db8:789a::/48 deny 0/0 deny ::/0 deny deny all
local [option]..., local off
The first form enables the local reference mode on the host. The syntax is identical to the local directive in the configuration file.
The second form disables the local reference mode.
smoothing
Active : Yes Offset : +1.000268817 seconds Frequency : -0.142859 ppm Wander : -0.010000 ppm per second Last update : 17.8 seconds ago Remaining time : 19988.4 seconds
The fields are explained as follows:
Active
Offset
Frequency
Wander
Last update
Remaining time
smoothtime activate, smoothtime reset
cmdaccheck address
Examples of use are as follows:
cmdaccheck foo.example.net cmdaccheck 1.2.3.4 cmdaccheck 2001:db8::1
cmdallow [all] [subnet]
cmddeny [all] [subnet]
rtcdata
An example output is shown below.
RTC ref time (GMT) : Sat May 30 07:25:56 2015 Number of samples : 10 Number of runs : 5 Sample span period : 549 RTC is fast by : -1.632736 seconds RTC gains time at : -107.623 ppm
The fields have the following meaning:
RTC ref time (GMT)
Number of samples
Number of runs
Sample span period
RTC is fast by
RTC gains time at
trimrtc
The command takes no arguments. It performs the following steps (if the RTC is more than 1 second away from the system clock):
The last step is done as a precaution against the computer suffering a power failure before either the daemon exits or the writertc command is issued.
chronyd will still work perfectly well both whilst operating and across machine reboots even if the trimrtc command is never used (and the RTC is allowed to drift away from true time). The trimrtc command is provided as a method by which it can be corrected, in a manner compatible with chronyd using it to maintain accurate time across machine reboots.
The trimrtc command can be executed automatically by chronyd with the rtcautotrim directive in the configuration file.
writertc
cyclelogs
# mv /var/log/chrony/measurements.log /var/log/chrony/measurements1.log # chronyc cyclelogs # rm /var/log/chrony/measurements1.log
dump
rekey
reset sources
shutdown
dns option
There are five options:
dns -n
dns +n
dns -4
dns -6
dns -46
timeout timeout
By default, the timeout is 1000 milliseconds.
retries retries
The default is 2.
keygen [id [type [bits]]]
The command has three optional arguments. The first argument is the key number (by default 1), which will be specified with the key option of the server or peer directives in the configuration file. The second argument is the name of the hash function or cipher (by default SHA1, or MD5 if SHA1 is not available). The third argument is the length of the key in bits if a hash function was selected, between 80 and 4096 bits (by default 160 bits).
An example is:
keygen 73 SHA1 256
which generates a 256-bit SHA1 key with number 73. The printed line should then be securely transferred and added to the key files on both server and client, or peers. A different key should be generated for each client or peer.
An example using the AES128 cipher is:
keygen 151 AES128
exit, quit
help
For instructions on how to report bugs, please visit <https://chrony.tuxfamily.org/>.
chrony was written by Richard Curnow, Miroslav Lichvar, and others.
2022-08-29 | chrony 4.3 |