[system-administrators-guide] Corrections and clarifications suggested by SME

stephenw stephenw at fedoraproject.org
Wed Jul 10 07:47:30 UTC 2013


commit e0495716a00f728ec51c0813019149ff4920078c
Author: Stephen Wadeley <swadeley at redhat.com>
Date:   Wed Jul 10 09:28:05 2013 +0200

    Corrections and clarifications suggested by SME

 en-US/Configuring_NTP_using_the_Chrony_suite.xml |   29 +++++++++-------------
 1 files changed, 12 insertions(+), 17 deletions(-)
---
diff --git a/en-US/Configuring_NTP_using_the_Chrony_suite.xml b/en-US/Configuring_NTP_using_the_Chrony_suite.xml
index 1d0a90a..ef95a3e 100644
--- a/en-US/Configuring_NTP_using_the_Chrony_suite.xml
+++ b/en-US/Configuring_NTP_using_the_Chrony_suite.xml
@@ -13,12 +13,12 @@
 		The user space daemon updates the system clock running in the kernel. The system clock can keep time by using various clock sources. Usually, the <firstterm>Time Stamp Counter</firstterm> (<acronym>TSC</acronym>) is used. The TSC is a CPU register which counts the number of cycles since it was last reset. It is very fast, has a high resolution, and there are no interrupts.
 		</para>
 		<para>
-There is a choice between the daemons <systemitem class="daemon">ntpd</systemitem> and <systemitem class="daemon">chronyd</systemitem>, which are available from the repos in the <package>ntp</package> and <package>chrony</package> packages respectively. This section describes the use of the <application>chrony</application> suite of utilities to update the daemon on systems that do not fit into the conventional permanently networked, always on, dedicated server category.
+There is a choice between the daemons <systemitem class="daemon">ntpd</systemitem> and <systemitem class="daemon">chronyd</systemitem>, which are available from the repos in the <package>ntp</package> and <package>chrony</package> packages respectively. This section describes the use of the <application>chrony</application> suite of utilities to update the system clock on systems that do not fit into the conventional permanently networked, always on, dedicated server category.
  </para>
 <section id="sect-Introduction_to_the_chrony_suite">
 		<title>Introduction to the chrony Suite</title>
 		<para>
-			<application>Chrony</application> consists of <systemitem class="daemon">chronyd</systemitem>, a daemon that runs in user space, and <application>chronyc</application>, a command line program for making adjustments to <systemitem class="daemon">chronyd</systemitem>. Systems which are not permanently connected, or not permanently powered up, take a relatively long time to adjust their system clocks using the <systemitem class="protocol">NTP</systemitem> time protocol. This is because many small corrections are made based on observations of the clocks drift and offset. Temperature changes, which may be significant when powering up a system, affect the stability of hardware clocks. Although adjustments begin within a few milliseconds of booting a system, acceptable accuracy may take anything from ten seconds from a warm restart to a number of hours depending on your requirements, operating environment and hardware. <application>chrony</application> is a different implementat
 ion of the <systemitem class="protocol">NTP</systemitem> protocol than <systemitem class="daemon">ntpd</systemitem>, it can adjust the system clock more rapidly.
+			<application>Chrony</application> consists of <systemitem class="daemon">chronyd</systemitem>, a daemon that runs in user space, and <application>chronyc</application>, a command line program for making adjustments to <systemitem class="daemon">chronyd</systemitem>. Systems which are not permanently connected, or not permanently powered up, take a relatively long time to adjust their system clocks with <systemitem class="daemon">ntpd</systemitem>. This is because many small corrections are made based on observations of the clocks drift and offset. Temperature changes, which may be significant when powering up a system, affect the stability of hardware clocks. Although adjustments begin within a few milliseconds of booting a system, acceptable accuracy may take anything from ten seconds from a warm restart to a number of hours depending on your requirements, operating environment and hardware. <application>chrony</application> is a different implementation of the <systemit
 em class="protocol">NTP</systemitem> protocol than <systemitem class="daemon">ntpd</systemitem>, it can adjust the system clock more rapidly.
 		</para>
 	
 	<section id="sect-differences_between_ntpd_and_chronyd">
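Review bot: both the removed and the added paragraph keep the typo "observations of the clocks drift and offset" (possessive "clock's"), and the closing sentence is a comma splice; since this text is being rewritten anyway, suggest "observations of the clock's drift and offset" and "chrony is a different implementation of the NTP protocol than ntpd, and it can adjust the system clock more rapidly." The paragraph also opens with "Chrony" capitalised and ends with lower-case "chrony"; pick one form.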
@@ -40,7 +40,7 @@ There is a choice between the daemons <systemitem class="daemon">ntpd</systemite
         </listitem>
  <listitem>
 					<para>
-					<systemitem class="daemon">chronyd</systemitem> can usually synchronise the clock faster and with better accuracy. 
+					<systemitem class="daemon">chronyd</systemitem> can usually synchronise the clock faster and with better time accuracy. 
 					</para>
 				</listitem>
         <listitem>
@@ -50,8 +50,7 @@ There is a choice between the daemons <systemitem class="daemon">ntpd</systemite
         </listitem>
         <listitem>
           <para>
-            <systemitem class="daemon">chronyd</systemitem> in the default configuration never steps the time, in order not to upset other running programs. <systemitem class="daemon">ntpd</systemitem> can be configured to never
-     step the time too, but it has to use a different means of adjusting the clock, which has some disadvantages.
+            <systemitem class="daemon">chronyd</systemitem> in the default configuration never steps the time after the clock has been synchronized at system start, in order not to upset other running programs. <systemitem class="daemon">ntpd</systemitem> can be configured to never step the time too, but it has to use a different means of adjusting the clock, which has some disadvantages.
           </para>
         </listitem>
         <listitem>
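Review bot: the new wording "never steps the time after the clock has been synchronized at system start" implies that one initial step is allowed, but the sentence does not say what controls that; consider naming the chrony.conf directive that permits the initial step (makestep) so a reader who must avoid any clock jump can see where to disable it.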
@@ -392,7 +391,7 @@ The <command>rtcfile</command> directive defines the name of the file in which <
 
 The format of the syntax is:
 
-<screen>rtcfile /etc/chrony.rtc</screen>
+<screen>rtcfile /var/lib/chrony/rtc</screen>
 
 <systemitem class="daemon">chronyd</systemitem> saves information in this file when it exits and when the writertc command is issued in <application>chronyc</application>. The information saved is the RTC’s error at some epoch, that epoch (in seconds since January 1 1970), and the rate at which the RTC gains or loses time.
 
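Review bot: the lead-in "The format of the syntax is:" is redundant; "The syntax is:" suffices. Since the context line states that chronyd saves information to this file when it exits, suggest also noting that the directory in the new example path (/var/lib/chrony) must be writable by the user chronyd runs as, otherwise the drift data is silently lost.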
@@ -408,7 +407,7 @@ Not all real-time clocks are supported as their code system-specific.
 <section id="sect-Security_with_chronyc">
 		<title>Security with chronyc</title>
 		<para>
-      As access to <application>chronyc</application> allows changing <systemitem class="daemon">chronyd</systemitem> just as editing the configuration files would, access to <application>chronyc</application> should be limited. Passwords or their hashes can be specified in the key file, to restrict the use of <application>chronyc</application>. One of the entries is used to restrict the use of operational commands and is referred to as the command key. In the default configuration, a random command key is generated automatically on start. It should not be necessary to specify or alter it manually.</para>
+      As access to <application>chronyc</application> allows changing <systemitem class="daemon">chronyd</systemitem> just as editing the configuration files would, access to <application>chronyc</application> should be limited. Passwords can be specified in the key file, written in ASCII or HEX, to restrict the use of <application>chronyc</application>. One of the entries is used to restrict the use of operational commands and is referred to as the command key. In the default configuration, a random command key is generated automatically on start. It should not be necessary to specify or alter it manually.</para>
     <para>Other entries in the key file can be used as <systemitem class="protocol">NTP</systemitem> keys to authenticate packets received from remote <systemitem class="protocol">NTP</systemitem> servers or peers. The two sides need to share a key with identical ID, hash type and password in their key file. This requires manually creating the keys and copying them over a secure medium, such as <systemitem class="protocol">SSH</systemitem>. If the key ID was, for example, 10 then the systems that act as clients must have a line in their configuration files in the following format:
       <screen>server w.x.y.z key 10
 peer w.x.y.z key 10
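Review bot: the new sentence "Passwords can be specified in the key file, written in ASCII or HEX" drops the earlier mention of hashes without saying where the hash type is given, yet the next paragraph still requires both sides to share "identical ID, hash type and password"; state that each key file line carries the ID, the hash type and the password (in ASCII or HEX). The paragraph also never names the key file (the keyfile directive) nor says that it holds secrets and must not be readable by unprivileged users; since the key is what limits chronyc access, add the file name and a sentence on permissions.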
@@ -433,16 +432,14 @@ peer w.x.y.z key 10
     Were <literal>20</literal> is the key ID and <literal>foobar</literal> is the secret authentication key. The default hash is MD5, and ASCII is the default format for the key.
   </para>
       <para>
-        By default, <systemitem class="daemon">chronyd</systemitem> is configured to listen for commands only from <systemitem class="systemname">localhost</systemitem> (<systemitem class="ipaddress">127.0.0.1</systemitem> and <systemitem class="ipaddress">::1</systemitem>). To access <systemitem class="daemon">chronyd</systemitem> remotely with <application>chronyc</application>, any <command>bindcmdaddress</command> directives in the <filename>/etc/chrony.conf</filename> file should be removed to enable listening on all interfaces and the <command>cmdallow</command> directive should be used to allow commands from the remote IP address, network, or subnet. Note that the <command>allow</command> directive is for <systemitem class="protocol">NTP</systemitem> access whereas the <command>cmdallow</command> directive is to enable the receiving of remote commands. It is possible to make these changes temporarily using <application>chronyc</application> running locally. Edit the c
 onfiguration file to make persistent changes.
+        By default, <systemitem class="daemon">chronyd</systemitem> is configured to listen for commands only from <systemitem class="systemname">localhost</systemitem> (<systemitem class="ipaddress">127.0.0.1</systemitem> and <systemitem class="ipaddress">::1</systemitem>) on port <literal>323</literal>. To access <systemitem class="daemon">chronyd</systemitem> remotely with <application>chronyc</application>, any <command>bindcmdaddress</command> directives in the <filename>/etc/chrony.conf</filename> file should be removed to enable listening on all interfaces and the <command>cmdallow</command> directive should be used to allow commands from the remote IP address, network, or subnet. In addition, port <literal>323</literal> has to be opened in the firewall in order to connect from a remote system. Note that the <command>allow</command> directive is for <systemitem class="protocol">NTP</systemitem> access whereas the <command>cmdallow</command> directive is to enable the 
 receiving of remote commands. It is possible to make these changes temporarily using <application>chronyc</application> running locally. Edit the configuration file to make persistent changes.
       </para>
     <para>
       The communication between <application>chronyc</application> and <application>chronyd</application> is done over <systemitem class="protocol">UDP</systemitem>, so it needs to be authorized before issuing operational commands. To authorize, use the <command>authhash</command> and <command>password</command> commands as follows:
       <screen>chronyc> <command>authhash SHA1</command>
 chronyc> <command>password HEX:A6CFC50C9C93AB6E5A19754C246242FC5471BCDF</command>
 200 OK</screen>
-      Alternatively, you can use the <application>chrony-helper</application> wrapper, which will do that automatically. For example, to use the <command>reselect</command> command:
-      <screen>~]# <command>/usr/libexec/chrony-helper command reselect</command></screen>
-    </para>
+      </para>
 
 <para>
   Only the following commands can be used without providing a password:
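Review bot: the context line "Were <literal>20</literal> is the key ID" should read "Where". On the added firewall sentence: the same hunk says the command channel is plain UDP authorized only by the password, so suggest wording it as opening port 323 only for the addresses or subnets given in cmdallow, not generally, and since the context states the default hash is MD5, point out that a SHA1 key with authhash SHA1, as the example shows, is preferable for the command key.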
@@ -980,8 +977,8 @@ Where <systemitem class="ipaddress">192.0.2.123</systemitem> is the address of t
           </para>
         
             <para>
-              The utility can also be invoked in non-interactive command mode if called together with an option as follows:
-              <screen>~]# <command>chronyc <replaceable>option</replaceable></command></screen>
+              The utility can also be invoked in non-interactive command mode if called together with a command as follows:
+              <screen>~]# <command>chronyc <replaceable>command</replaceable></command></screen>
           </para>
         </section>
 
@@ -994,7 +991,7 @@ Where <replaceable>hostname</replaceable> is the <systemitem class="systemname">
 </para>
 <para>
 To configure <application>chrony</application> to connect to a remote instance of <systemitem class="daemon">chronyd</systemitem> on a non-default port, issue a command as root in the following format:
-<screen>~]# <command>chronyc <option>-p</option> <replaceable>port</replaceable></command></screen>
+<screen>~]# <command>chronyc <option>-h</option> <replaceable>hostname</replaceable> <option>-p</option> <replaceable>port</replaceable></command></screen>
 Where <replaceable>port</replaceable> is the port in use for controlling and monitoring by the instance of <systemitem class="daemon">chronyd</systemitem> to be connected to.
  </para>
  <para>
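Review bot: the added command now includes <option>-h</option> <replaceable>hostname</replaceable>, but the explanation under it still only defines port; add a clause defining hostname, or refer back to the definition in the preceding paragraph (visible in the hunk header), so the command and its explanation match.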
@@ -1002,11 +999,9 @@ Note that commands issued at the <application>chrony</application> command promp
  </para>
 
         <para>
-          From the remote systems, the system administrator can issue commands after first using the <command>password</command> command at the <application>chronyc</application> command prompt as follows:
+From the remote systems, the system administrator can issue commands after first using the <command>password</command> command, preceded by the <command>authhash</command> command if the key used a hash different from MD5, at the <application>chronyc</application> command prompt as follows:
           <screen>chronyc> <command>password secretpasswordwithnospaces</command>
 200 OK</screen>
-      Alternatively, the remote system can use the chrony-helper wrapper, which will do that automatically. For example, to use the <command>reselect</command> command:
-      <screen>~]# <command>/usr/libexec/chrony-helper command reselect</command></screen>
     </para>
 
     <para>
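Review bot: the added "From the remote systems..." line lost the indentation of the line it replaces and is now flush-left inside the <para>; re-indent it to match. Since the sentence now tells the reader to precede password with authhash when the key is not MD5, consider showing the authhash line in the <screen> block as the Security with chronyc hunk does, so both examples present the same sequence. Removing the chrony-helper text here is consistent with its removal in that earlier hunk.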