1CHRONYC(1) User manual CHRONYC(1)
2
6 chronyc - command-line interface for chrony daemon
7
9 chronyc [OPTION]... [COMMAND]...
10
12 chronyc is a command-line interface program which can be used to
13 monitor chronyd’s performance and to change various operating
14 parameters whilst it is running.
15 If no commands are specified on the command line, chronyc will expect
17 input from the user. The prompt chronyc> will be displayed when it is
18 being run from a terminal. If chronyc’s input or output are redirected
19 from or to a file, the prompt will not be shown.
20 There are two ways chronyc can access chronyd. One is the Internet
22 Protocol (IPv4 or IPv6) and the other is a Unix domain socket, which is
23 accessible locally by the root or chrony user. By default, chronyc
24 first tries to connect to the Unix domain socket. The compiled-in
25 default path is /run/chrony/chronyd.sock. If that fails (e.g. because
26 chronyc is running under a non-root user), it will try to connect to
27 127.0.0.1 and then ::1.
28 Only the following monitoring commands, which do not affect the
30 behaviour of chronyd, are allowed from the network: activity, manual
31 list, rtcdata, smoothing, sourcename, sources, sourcestats, tracking,
32 waitsync. The set of hosts from which chronyd will accept these
33 commands can be configured with the cmdallow directive in the chronyd’s
34 configuration file or the cmdallow command in chronyc. By default, the
35 commands are accepted only from localhost (127.0.0.1 or ::1).
36 All other commands are allowed only through the Unix domain socket.
38 When sent over the network, chronyd will respond with a ‘Not
39 authorised’ error, even if it is from localhost.
40 Having full access to chronyd via chronyc is more or less equivalent to
42 being able to modify the chronyd’s configuration file and restart it.
43
45 -4
46 With this option hostnames will be resolved only to IPv4 addresses.
47 -6
49 With this option hostnames will be resolved only to IPv6 addresses.
50 -n
52 This option disables resolving of IP addresses to hostnames, e.g.
53 to avoid slow DNS lookups. Long addresses will not be truncated to
54 fit into the column.
55 -N
57 This option enables printing of original hostnames or IP addresses
58 of NTP sources that were specified in the configuration file, or
59 chronyc commands. Without the -n and -N option, the printed
60 hostnames are obtained from reverse DNS lookups and can be
61 different from the specified hostnames.
62 -c
64 This option enables printing of reports in a comma-separated values
65 (CSV) format. Reverse DNS lookups will be disabled, time will be
66 printed as number of seconds since the epoch, and values in seconds
67 will not be converted to other units.
68 -d
70 This option enables printing of debugging messages if chronyc was
71 compiled with debugging support.
72 -m
74 Normally, all arguments on the command line are interpreted as one
75 command. With this option multiple commands can be specified. Each
76 argument will be interpreted as a whole command.
77 -h host
79 This option allows the user to specify which host (or
80 comma-separated list of addresses) running the chronyd program is
81 to be contacted. This allows for remote monitoring, without having
82 to connect over SSH to the other host first.
83 The default is to contact chronyd running on the same host where
85 chronyc is being run.
86 -p port
88 This option allows the user to specify the UDP port number which
89 the target chronyd is using for its monitoring connections. This
90 defaults to 323; there would rarely be a need to change this.
91 -f file
93 This option is ignored and is provided only for compatibility.
94 -a
96 This option is ignored and is provided only for compatibility.
97 -v, --version
99 With this option chronyc displays its version number on the
100 terminal and exits.
101 --help
103 With this option chronyc displays a help message on the terminal
104 and exits.
105
107 This section describes each of the commands available within the
108 chronyc program.
109 System clock
111 tracking
112 The tracking command displays parameters about the system’s clock
113 performance. An example of the output is shown below.
114 Reference ID : CB00710F (foo.example.net)
116 Stratum : 3
117 Ref time (UTC) : Fri Jan 27 09:49:17 2017
118 System time : 0.000006523 seconds slow of NTP time
119 Last offset : -0.000006747 seconds
120 RMS offset : 0.000035822 seconds
121 Frequency : 3.225 ppm slow
122 Residual freq : -0.000 ppm
123 Skew : 0.129 ppm
124 Root delay : 0.013639022 seconds
125 Root dispersion : 0.001100737 seconds
126 Update interval : 64.2 seconds
127 Leap status : Normal
128 The fields are explained as follows:
130 Reference ID
132 This is the reference ID and name (or IP address) of the server
133 to which the computer is currently synchronised. For IPv4
134 addresses, the reference ID is equal to the address and for
135 IPv6 addresses it is the first 32 bits of the MD5 sum of the
136 address.
137 If the reference ID is 7F7F0101 and there is no name or IP
139 address, it means the computer is not synchronised to any
140 external source and that you have the local mode operating (via
141 the local command in chronyc, or the local directive in the
142 configuration file).
143 The reference ID is printed as a hexadecimal number. Note that
145 in older versions it used to be printed in quad-dotted notation
146 and could be confused with an IPv4 address.
147 Stratum
149 The stratum indicates how many hops away from a computer with
150 an attached reference clock we are. Such a computer is a
151 stratum-1 computer, so the computer in the example is two hops
152 away (i.e. foo.example.net is a stratum-2 and is synchronised
153 from a stratum-1).
154 Ref time
156 This is the time (UTC) at which the last measurement from the
157 reference source was processed.
158 System time
160 In normal operation, chronyd by default never steps the system
161 clock, because any jump in the time can have adverse
162 consequences for certain application programs. Instead, any
163 error in the system clock is corrected by slightly speeding up
164 or slowing down the system clock until the error has been
165 removed, and then returning to the system clock’s normal speed.
166 A consequence of this is that there will be a period when the
167 system clock (as read by other programs) will be different from
168 chronyd’s estimate of the current true time (which it reports
169 to NTP clients when it is operating as a server). The value
170 reported on this line is the difference due to this effect.
171 Last offset
173 This is the estimated local offset on the last clock update. A
174 positive value indicates the local time (as previously
175 estimated true time) was ahead of the time sources.
176 RMS offset
178 This is a long-term average of the offset value.
179 Frequency
181 The ‘frequency’ is the rate by which the system’s clock would
182 be wrong if chronyd was not correcting it. It is expressed in
183 ppm (parts per million). For example, a value of 1 ppm would
184 mean that when the system’s clock thinks it has advanced 1
185 second, it has actually advanced by 1.000001 seconds relative
186 to true time.
187 Residual freq
189 This shows the ‘residual frequency’ for the currently selected
190 reference source. This reflects any difference between what the
191 measurements from the reference source indicate the frequency
192 should be and the frequency currently being used.
193 The reason this is not always zero is that a smoothing
195 procedure is applied to the frequency. Each time a measurement
196 from the reference source is obtained and a new residual
197 frequency computed, the estimated accuracy of this residual is
198 compared with the estimated accuracy (see ‘skew’ next) of the
199 existing frequency value. A weighted average is computed for
200 the new frequency, with weights depending on these accuracies.
201 If the measurements from the reference source follow a
202 consistent trend, the residual will be driven to zero over
203 time.
204 Skew
206 This is the estimated error bound on the frequency.
207 Root delay
209 This is the total of the network path delays to the stratum-1
210 computer from which the computer is ultimately synchronised.
211 Root dispersion
213 This is the total dispersion accumulated through all the
214 computers back to the stratum-1 computer from which the
215 computer is ultimately synchronised. Dispersion is due to
216 system clock resolution, statistical measurement variations,
217 etc.
218 An absolute bound on the computer’s clock accuracy (assuming
220 the stratum-1 computer is correct) is given by:
221 clock_error <= |system_time_offset| + root_dispersion + (0.5 * root_delay)
223 Update interval
225 This is the interval between the last two clock updates.
226 Leap status
228 This is the leap status, which can be Normal, Insert second,
229 Delete second or Not synchronised.
230 makestep, makestep threshold limit
232 Normally chronyd will cause the system to gradually correct any
233 time offset, by slowing down or speeding up the clock as required.
234 In certain situations, the system clock might be so far adrift that
235 this slewing process would take a very long time to correct the
236 system clock.
237 The makestep command can be used in this situation. There are two
239 forms of the command. The first form has no parameters. It tells
240 chronyd to cancel any remaining correction that was being slewed
241 and jump the system clock by the equivalent amount, making it
242 correct immediately.
243 The second form configures the automatic stepping, similarly to the
245 makestep directive. It has two parameters, stepping threshold (in
246 seconds) and number of future clock updates for which the threshold
247 will be active. This can be used with the burst command to quickly
248 make a new measurement and correct the clock by stepping if needed,
249 without waiting for chronyd to complete the measurement and update
250 the clock.
251 makestep 0.1 1
253 burst 1/2
254 BE WARNED: Certain software will be seriously affected by such
256 jumps in the system time. (That is the reason why chronyd uses
257 slewing normally.)
258 maxupdateskew skew-in-ppm
260 This command has the same effect as the maxupdateskew directive in
261 the configuration file.
262 waitsync [max-tries [max-correction [max-skew [interval]]]]
264 The waitsync command waits for chronyd to synchronise.
265 Up to four optional arguments can be specified. The first is the
267 maximum number of tries before giving up and returning a non-zero
268 error code. When 0 is specified, or there are no arguments, the
269 number of tries will not be limited.
270 The second and third arguments are the maximum allowed remaining
272 correction of the system clock and the maximum allowed skew (in
273 ppm) as reported by the tracking command in the System time and
274 Skew fields. If not specified or zero, the value will not be
275 checked.
276 The fourth argument is the interval specified in seconds in which
278 the check is repeated. The interval is 10 seconds by default.
279 An example is:
281 waitsync 60 0.01
283 which will wait up to about 10 minutes (60 times 10 seconds) for
285 chronyd to synchronise to a source and the remaining correction to
286 be less than 10 milliseconds.
287 Time sources
289 sources [-a] [-v]
290 This command displays information about the current time sources
291 that chronyd is accessing.
292 If the -a option is specified, all sources are displayed, including
294 those that do not have a known address yet. Such sources have an
295 identifier in the format ID#XXXXXXXXXX, which can be used in other
296 commands expecting a source address.
297 The -v option enables a verbose output. In this case, extra caption
299 lines are shown as a reminder of the meanings of the columns.
300 MS Name/IP address Stratum Poll Reach LastRx Last sample
302 ===============================================================================
303 #* GPS0 0 4 377 11 -479ns[ -621ns] +/- 134ns
304 ^? foo.example.net 2 6 377 23 -923us[ -924us] +/- 43ms
305 ^+ bar.example.net 1 6 377 21 -2629us[-2619us] +/- 86ms
306 The columns are as follows:
308 M
310 This indicates the mode of the source. ^ means a server, =
311 means a peer and # indicates a locally connected reference
312 clock.
313 S
315 This column indicates the selection state of the source.
316 • * indicates the best source which is currently selected for
318 synchronisation.
319 • + indicates other sources selected for synchronisation,
321 which are combined with the best source.
322 • - indicates a source which is considered to be selectable
324 for synchronisation, but not currently selected.
325 • x indicates a source which chronyd thinks is a falseticker
327 (i.e. its time is inconsistent with a majority of other
328 sources, or sources specified with the trust option).
329 • ~ indicates a source whose time appears to have too much
331 variability.
332 • ? indicates a source which is not considered to be
334 selectable for synchronisation for other reasons (e.g.
335 unreachable, not synchronised, or does not have enough
336 measurements).
337 The selectdata command can be used to get more details about
340 the selection state.
341 Name/IP address
343 This shows the name or the IP address of the source, or
344 reference ID for reference clocks.
345 Stratum
347 This shows the stratum of the source, as reported in its most
348 recently received sample. Stratum 1 indicates a computer with a
349 locally attached reference clock. A computer that is
350 synchronised to a stratum 1 computer is at stratum 2. A
351 computer that is synchronised to a stratum 2 computer is at
352 stratum 3, and so on.
353 Poll
355 This shows the rate at which the source is being polled, as a
356 base-2 logarithm of the interval in seconds. Thus, a value of 6
357 would indicate that a measurement is being made every 64
358 seconds. chronyd automatically varies the polling rate in
359 response to prevailing conditions.
360 Reach
362 This shows the source’s reachability register printed as an
363 octal number. The register has 8 bits and is updated on every
364 received or missed packet from the source. A value of 377
365 indicates that a valid reply was received for all from the last
366 eight transmissions.
367 LastRx
369 This column shows how long ago the last good sample (which is
370 shown in the next column) was received from the source.
371 Measurements that failed some tests are ignored. This is
372 normally in seconds. The letters m, h, d or y indicate minutes,
373 hours, days, or years.
374 Last sample
376 This column shows the offset between the local clock and the
377 source at the last measurement. The number in the square
378 brackets shows the actual measured offset. This can be suffixed
379 by ns (indicating nanoseconds), us (indicating microseconds),
380 ms (indicating milliseconds), or s (indicating seconds). The
381 number to the left of the square brackets shows the original
382 measurement, adjusted to allow for any slews applied to the
383 local clock since. The number following the +/- indicator shows
384 the margin of error in the measurement. Positive offsets
385 indicate that the local clock is ahead of the source.
386 sourcestats [-a] [-v]
388 The sourcestats command displays information about the drift rate
389 and offset estimation process for each of the sources currently
390 being examined by chronyd.
391 If the -a option is specified, all sources are displayed, including
393 those that do not have a known address yet. Such sources have an
394 identifier in the format ID#XXXXXXXXXX, which can be used in other
395 commands expecting a source address.
396 The -v option enables a verbose output. In this case, extra caption
398 lines are shown as a reminder of the meanings of the columns.
399 An example report is:
401 Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
403 ===============================================================================
404 foo.example.net 11 5 46m -0.001 0.045 1us 25us
405 The columns are as follows:
407 Name/IP Address
409 This is the name or IP address of the NTP server (or peer) or
410 reference ID of the reference clock to which the rest of the
411 line relates.
412 NP
414 This is the number of sample points currently being retained
415 for the server. The drift rate and current offset are estimated
416 by performing a linear regression through these points.
417 NR
419 This is the number of runs of residuals having the same sign
420 following the last regression. If this number starts to become
421 too small relative to the number of samples, it indicates that
422 a straight line is no longer a good fit to the data. If the
423 number of runs is too low, chronyd discards older samples and
424 re-runs the regression until the number of runs becomes
425 acceptable.
426 Span
428 This is the interval between the oldest and newest samples. If
429 no unit is shown the value is in seconds. In the example, the
430 interval is 46 minutes.
431 Frequency
433 This is the estimated residual frequency for the server, in
434 parts per million. In this case, the computer’s clock is
435 estimated to be running 1 part in 10^9 slow relative to the
436 server.
437 Freq Skew
439 This is the estimated error bounds on Freq (again in parts per
440 million).
441 Offset
443 This is the estimated offset of the source.
444 Std Dev
446 This is the estimated sample standard deviation.
447 selectdata [-a] [-v]
449 The selectdata command displays information specific to the
450 selection of time sources. If the -a option is specified, all
451 sources are displayed, including those that do not have a known
452 address yet. With the -v option, extra caption lines are shown as a
453 reminder of the meanings of the columns.
454 An example of the output is shown below.
456 S Name/IP Address Auth COpts EOpts Last Score Interval Leap
458 =======================================================================
459 D foo.example.net Y ----- --TR- 4 1.0 -61ms +62ms N
460 * bar.example.net N ----- ----- 0 1.0 -6846us +7305us N
461 + baz.example.net N ----- ----- 10 1.0 -7381us +7355us N
462 The columns are as follows:
464 S
466 This column indicates the state of the source after the last
467 source selection. It is similar to the state reported by the
468 sources command, but more states are reported.
469 The following states indicate the source is not considered
472 selectable for synchronisation:
473 • N - has the noselect option.
475 • M - does not have enough measurements.
477 • d - has a root distance larger than the maximum distance
479 (configured by the maxdistance directive).
480 • ~ - has a jitter larger than the maximum jitter (configured
482 by the maxjitter directive).
483 • w - waits for other sources to get out of the M state.
485 • S - has older measurements than other sources.
487 • O - has a stratum equal or larger than the orphan stratum
489 (configured by the local directive).
490 • T - does not fully agree with sources that have the trust
492 option.
493 • x - does not agree with other sources (falseticker).
495 The following states indicate the source is considered
498 selectable, but it is not currently used for synchronisation:
499 • W - waits for other sources to be selectable (required by
501 the minsources directive, or the require option of another
502 source).
503 • P - another selectable source is preferred due to the
505 prefer option.
506 • U - waits for a new measurement (after selecting a
508 different best source).
509 • D - has, or recently had, a root distance which is too
511 large to be combined with other sources (configured by the
512 combinelimit directive).
513 The following states indicate the source is used for
516 synchronisation of the local clock:
517 • + - combined with the best source.
519 • * - selected as the best source to update the reference
521 data (e.g. root delay, root dispersion).
522 Name/IP address
524 This column shows the name or IP address of the source if it is
525 an NTP server, or the reference ID if it is a reference clock.
526 Auth
528 This column indicites whether an authentication mechanism is
529 enabled for the source. Y means yes and N means no.
530 COpts
532 This column displays the configured selection options of the
533 source.
534 • N indicates the noselect option.
536 • P indicates the prefer option.
538 • T indicates the trust option.
540 • R indicates the require option.
542 EOpts
544 This column displays the current effective selection options of
545 the source, which can be different from the configured options
546 due to the authentication selection mode (configured by the
547 authselmode directive). The symbols are the same as in the
548 COpts column.
549 Last
551 This column displays how long ago was the last measurement of
552 the source made when the selection was performed.
553 Score
555 This column displays the current score against the source in
556 the * state. The scoring system avoids frequent reselection
557 when multiple sources have a similar root distance. A value
558 larger than 1 indicates this source was better than the *
559 source in recent selections. If the score reaches 10, the best
560 source will be reselected and the scores will be reset to 1.
561 Interval
563 This column displays the lower and upper endpoint of the
564 interval which was expected to contain the true offset of the
565 local clock considering the root distance at the time of the
566 selection.
567 Leap
569 This column displays the current leap status of the source.
570 • N indicates the normal status (no leap second).
572 • + indicates that a leap second will be inserted at the end
574 of the month.
575 • - indicates that a leap second will be deleted at the end
577 of the month.
578 • ? indicates the unknown status (i.e. no valid measurement
580 was made).
581 reselect
583 To avoid excessive switching between sources, chronyd can stay
584 synchronised to a source even when it is not currently the best one
585 among the available sources.
586 The reselect command can be used to force chronyd to reselect the
588 best synchronisation source.
589 reselectdist distance
591 The reselectdist command sets the reselection distance. It is
592 equivalent to the reselectdist directive in the configuration file.
593 NTP sources
595 activity
596 This command reports the number of servers and peers that are
597 online and offline. If the auto_offline option is used in
598 specifying some of the servers or peers, the activity command can
599 be useful for detecting when all of them have entered the offline
600 state after the network link has been disconnected.
601 The report shows the number of servers and peers in 5 states:
603 online
605 the server or peer is currently online (i.e. assumed by chronyd
606 to be reachable)
607 offline
609 the server or peer is currently offline (i.e. assumed by
610 chronyd to be unreachable, and no measurements from it will be
611 attempted.)
612 burst_online
614 a burst command has been initiated for the server or peer and
615 is being performed; after the burst is complete, the server or
616 peer will be returned to the online state.
617 burst_offline
619 a burst command has been initiated for the server or peer and
620 is being performed; after the burst is complete, the server or
621 peer will be returned to the offline state.
622 unresolved
624 the name of the server or peer was not resolved to an address
625 yet; this source is not visible in the sources and sourcestats
626 reports.
627 authdata [-a]
629 The authdata command displays information specific to
630 authentication of NTP sources. If the -a option is specified, all
631 sources are displayed, including those that do not have a known
632 address yet. An example of the output is shown below.
633 Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen
635 =========================================================================
636 foo.example.net NTS 1 15 256 135m 0 0 8 100
637 bar.example.net SK 30 13 128 - 0 0 0 0
638 baz.example.net - 0 0 0 - 0 0 0 0
639 The columns are as follows:
641 Name/IP address
643 This column shows the name or the IP address of the source.
644 Mode
646 This column shows which mechanism authenticates NTP packets
647 received from the source. NTS means Network Time Security, SK
648 means a symmetric key, and - means authentication is disabled.
649 KeyID
651 This column shows an identifier of the key used for
652 authentication. With a symmetric key, it is the ID from the key
653 file. With NTS, it is a number starting at zero and incremented
654 by one with each successful key establishment using the NTS-KE
655 protocol, i.e. it shows how many times the key establishment
656 was performed with this source.
657 Type
659 This columns shows an identifier of the algorithm used for
660 authentication. With a symmetric key, it is the hash function
661 or cipher specified in the key file. With NTS, it is an
662 authenticated encryption with associated data (AEAD) algorithm,
663 which is negotiated in the NTS-KE protocol. The following
664 values can be reported:
665 • 1: MD5
667 • 2: SHA1
669 • 3: SHA256
671 • 4: SHA384
673 • 5: SHA512
675 • 6: SHA3-224
677 • 7: SHA3-256
679 • 8: SHA3-384
681 • 9: SHA3-512
683 • 10: TIGER
685 • 11: WHIRLPOOL
687 • 13: AES128
689 • 14: AES256
691 • 15: AEAD-AES-SIV-CMAC-256
693 KLen
695 This column shows the length of the key in bits.
696 Last
698 This column shows how long ago the last successful key
699 establishment was performed. It is in seconds, or letters m, h,
700 d or y indicate minutes, hours, days, or years.
701 Atmp
703 This column shows the number of attempts to perform the key
704 establishment since the last successful key establishment. A
705 number larger than 1 indicates a problem with the network or
706 server.
707 NAK
709 This column shows whether an NTS NAK was received since the
710 last request. A NAK indicates that authentication failed on the
711 server side due to chronyd using a cookie which is no longer
712 valid and that it needs to perform the key establishment again
713 in order to get new cookies.
714 Cook
716 This column shows the number of NTS cookies that chronyd
717 currently has. If the key establishment was successful, a
718 number smaller than 8 indicates a problem with the network or
719 server.
720 CLen
722 This column shows the length in bytes of the NTS cookie which
723 will be used in the next request.
724 ntpdata [address]
726 The ntpdata command displays the last valid measurement and other
727 NTP-specific information about the specified NTP source, or all NTP
728 sources (with a known address) if no address was specified. An
729 example of the output is shown below.
730 Remote address : 203.0.113.15 (CB00710F)
732 Remote port : 123
733 Local address : 203.0.113.74 (CB00714A)
734 Leap status : Normal
735 Version : 4
736 Mode : Server
737 Stratum : 1
738 Poll interval : 10 (1024 seconds)
739 Precision : -24 (0.000000060 seconds)
740 Root delay : 0.000015 seconds
741 Root dispersion : 0.000015 seconds
742 Reference ID : 47505300 (GPS)
743 Reference time : Fri Nov 25 15:22:12 2016
744 Offset : -0.000060878 seconds
745 Peer delay : 0.000175634 seconds
746 Peer dispersion : 0.000000681 seconds
747 Response time : 0.000053050 seconds
748 Jitter asymmetry: +0.00
749 NTP tests : 111 111 1111
750 Interleaved : No
751 Authenticated : No
752 TX timestamping : Kernel
753 RX timestamping : Kernel
754 Total TX : 24
755 Total RX : 24
756 Total valid RX : 24
757 The fields are explained as follows:
759 Remote address
761 The IP address of the NTP server or peer, and the corresponding
762 reference ID.
763 Remote port
765 The UDP port number to which the request was sent. The standard
766 NTP port is 123.
767 Local address
769 The local IP address which received the response, and the
770 corresponding reference ID.
771 Leap status, Version, Mode, Stratum, Poll interval, Precision, Root
773 delay, Root dispersion, Reference ID, Reference time
774 The NTP values from the last valid response.
775 Offset, Peer delay, Peer dispersion
777 The measured values.
778 Response time
780 The time the server or peer spent in processing of the request
781 and waiting before sending the response.
782 Jitter asymmetry
784 The estimated asymmetry of network jitter on the path to the
785 source. The asymmetry can be between -0.5 and 0.5. A negative
786 value means the delay of packets sent to the source is more
787 variable than the delay of packets sent from the source back.
788 NTP tests
790 Results of RFC 5905 tests 1 through 3, 5 through 7, and tests
791 for maximum delay, delay ratio, delay dev ratio, and
792 synchronisation loop.
793 Interleaved
795 This shows if the response was in the interleaved mode.
796 Authenticated
798 This shows if the response was authenticated.
799 TX timestamping
801 The source of the local transmit timestamp. Valid values are
802 Daemon, Kernel, and Hardware.
803 RX timestamping
805 The source of the local receive timestamp.
806 Total TX
808 The number of packets sent to the source.
809 Total RX
811 The number of all packets received from the source.
812 Total valid RX
814 The number of valid packets received from the source.
815 add peer name [option]...
817 The add peer command allows a new NTP peer to be added whilst
818 chronyd is running.
819 Following the words add peer, the syntax of the following
821 parameters and options is identical to that for the peer directive
822 in the configuration file.
823 An example of using this command is shown below.
825 add peer foo.example.net minpoll 6 maxpoll 10 key 25
827 add pool name [option]...
829 The add pool command allows a pool of NTP servers to be added
830 whilst chronyd is running.
831 Following the words add pool, the syntax of the following
833 parameters and options is identical to that for the pool directive
834 in the configuration file.
835 An example of using this command is shown below:
837 add pool foo.example.net maxsources 3 iburst
839 add server name [option]...
841 The add server command allows a new NTP server to be added whilst
842 chronyd is running.
843 Following the words add server, the syntax of the following
845 parameters and options is identical to that for the server
846 directive in the configuration file.
847 An example of using this command is shown below:
849 add server foo.example.net minpoll 6 maxpoll 10 key 25
851 delete address
853 The delete command allows an NTP server or peer to be removed from
854 the current set of sources.
855 burst good/max [mask/masked-address], burst good/max
857 [masked-address/masked-bits], burst good/max [address]
858 The burst command tells chronyd to make a set of measurements to
859 each of its NTP sources over a short duration (rather than the
860 usual periodic measurements that it makes). After such a burst,
861 chronyd will revert to the previous state for each source. This
862 might be either online, if the source was being periodically
863 measured in the normal way, or offline, if the source had been
864 indicated as being offline. (A source can be switched between the
865 online and offline states with the online and offline commands.)
866 The mask and masked-address arguments are optional, in which case
868 chronyd will initiate a burst for all of its currently defined
869 sources.
870 The arguments have the following meaning and format:
872 good
874 This defines the number of good measurements that chronyd will
875 want to obtain from each source. A measurement is good if it
876 passes certain tests, for example, the round trip time to the
877 source must be acceptable. (This allows chronyd to reject
878 measurements that are likely to be bogus.)
879 max
881 This defines the maximum number of measurements that chronyd
882 will attempt to make, even if the required number of good
883 measurements has not been obtained.
884 mask
886 This is an IP address with which the IP address of each of
887 chronyd’s sources is to be masked.
888 masked-address
890 This is an IP address. If the masked IP address of a source
891 matches this value then the burst command is applied to that
892 source.
893 masked-bits
895 This can be used with masked-address for CIDR notation, which
896 is a shorter alternative to the form with mask.
897 address
899 This is an IP address or a hostname. The burst command is
900 applied only to that source.
901 If no mask or masked-address arguments are provided, every source
905 will be matched.
906 An example of the two-argument form of the command is:
908 burst 2/10
910 This will cause chronyd to attempt to get two good measurements
912 from each source, stopping after two have been obtained, but in no
913 event will it try more than ten probes to the source.
914 Examples of the four-argument form of the command are:
916 burst 2/10 255.255.0.0/1.2.0.0
918 burst 2/10 2001:db8:789a::/48
919 In the first case, the two out of ten sampling will only be applied
921 to sources whose IPv4 addresses are of the form 1.2.x.y, where x
922 and y are arbitrary. In the second case, the sampling will be
923 applied to sources whose IPv6 addresses have first 48 bits equal to
924 2001:db8:789a.
925 Example of the three-argument form of the command is:
927 burst 2/10 foo.example.net
929 maxdelay address delay
931 This allows the maxdelay option for one of the sources to be
932 modified, in the same way as specifying the maxdelay option for the
933 server directive in the configuration file.
934 maxdelaydevratio address ratio
936 This allows the maxdelaydevratio option for one of the sources to
937 be modified, in the same way as specifying the maxdelaydevratio
938 option for the server directive in the configuration file.
939 maxdelayratio address ratio
941 This allows the maxdelayratio option for one of the sources to be
942 modified, in the same way as specifying the maxdelayratio option
943 for the server directive in the configuration file.
944 maxpoll address maxpoll
946 The maxpoll command is used to modify the maximum polling interval
947 for one of the current set of sources. It is equivalent to the
948 maxpoll option in the server directive in the configuration file.
949 Note that the new maximum polling interval only takes effect after
951 the next measurement has been made.
952 minpoll address minpoll
954 The minpoll command is used to modify the minimum polling interval
955 for one of the current set of sources. It is equivalent to the
956 minpoll option in the server directive in the configuration file.
957 Note that the new minimum polling interval only takes effect after
959 the next measurement has been made.
960 minstratum address minstratum
962 The minstratum command is used to modify the minimum stratum for
963 one of the current set of sources. It is equivalent to the
964 minstratum option in the server directive in the configuration
965 file.
966 offline [address], offline [masked-address/masked-bits], offline
968 [mask/masked-address]
969 The offline command is used to warn chronyd that the network
970 connection to a particular host or hosts is about to be lost, e.g.
971 on computers with intermittent connection to their time sources.
972 Another case where offline could be used is where a computer serves
974 time to a local group of computers, and has a permanent connection
975 to true time servers outside the organisation. However, the
976 external connection is heavily loaded at certain times of the day
977 and the measurements obtained are less reliable at those times. In
978 this case, it is probably most useful to determine the gain or loss
979 rate during the quiet periods and let the whole network coast
980 through the loaded periods. The offline and online commands can be
981 used to achieve this.
982 There are four forms of the offline command. The first form is a
984 wildcard, meaning all sources (including sources that do not have a
985 known address yet). The second form allows an IP address mask and a
986 masked address to be specified. The third form uses CIDR notation.
987 The fourth form uses an IP address or a hostname. These forms are
988 illustrated below.
989 offline
991 offline 255.255.255.0/1.2.3.0
992 offline 2001:db8:789a::/48
993 offline foo.example.net
994 The second form means that the offline command is to be applied to
996 any source whose IPv4 address is in the 1.2.3 subnet. (The host’s
997 address is logically and-ed with the mask, and if the result
998 matches the masked-address the host is processed.) The third form
999 means that the command is to be applied to all sources whose IPv6
1000 addresses have their first 48 bits equal to 2001:db8:789a. The
1001 fourth form means that the command is to be applied only to that
1002 one source.
1003 The wildcard form of the address is equivalent to:
1005 offline 0.0.0.0/0.0.0.0
1007 offline ::/0
1008 online [address], online [masked-address/masked-bits], online
1010 [mask/masked-address]
1011 The online command is opposite in function to the offline command.
1012 It is used to advise chronyd that network connectivity to a
1013 particular source or sources has been restored.
1014 The syntax is identical to that of the offline command.
1016 onoffline
1018 The onoffline command tells chronyd to switch all sources that have
1019 a known address to the online or offline status according to the
1020 current network configuration. A source is considered online if it
1021 is possible to send requests to it, i.e. a network route to the
1022 source is present.
1023 polltarget address polltarget
1025 The polltarget command is used to modify the poll target for one of
1026 the current set of sources. It is equivalent to the polltarget
1027 option in the server directive in the configuration file.
1028 refresh
1030 The refresh command can be used to force chronyd to resolve the
1031 names of configured sources to IP addresses again, e.g. after
1032 suspending and resuming the machine in a different network.
1033 Sources that stop responding will be replaced with newly resolved
1035 addresses automatically after 8 polling intervals, but this command
1036 can still be useful to replace them immediately and not wait until
1037 they are marked as unreachable.
1038 reload sources
1040 The reload sources command causes chronyd to re-read all *.sources
1041 files from the directories specified by the sourcedir directive.
1042 sourcename address
1044 The sourcename command prints the original hostname or address that
1045 was specified for an NTP source in the configuration file, or the
1046 add command. This command is an alternative to the -N option, which
1047 can be useful in scripts.
1048 Note that different NTP sources can share the same name, e.g.
1050 servers from a pool.
1051 Manual time input
1053 manual on, manual off, manual delete index, manual list, manual reset
1054 The manual command enables and disables use of the settime command,
1055 and is used to modify the behaviour of the manual clock driver.
1056 The on form of the command enables use of the settime command.
1058 The off form of the command disables use of the settime command.
1060 The list form of the command lists all the samples currently stored
1062 in chronyd. The output is illustrated below.
1063 210 n_samples = 1
1065 # Date Time(UTC) Slewed Original Residual
1066 ====================================================
1067 0 27Jan99 22:09:20 0.00 0.97 0.00
1068 The columns are as as follows:
1070 1. The sample index (used for the manual delete command).
1072 2. The date and time of the sample.
1074 3. The system clock error when the timestamp was entered, adjusted
1076 to allow for changes made to the system clock since.
1077 4. The system clock error when the timestamp was entered, as it
1079 originally was (without allowing for changes to the system
1080 clock since).
1081 5. The regression residual at this point, in seconds. This allows
1083 ‘outliers’ to be easily spotted, so that they can be deleted
1084 using the manual delete command.
1085 The delete form of the command deletes a single sample. The
1089 parameter is the index of the sample, as shown in the first column
1090 of the output from manual list. Following deletion of the data
1091 point, the current error and drift rate are re-estimated from the
1092 remaining data points and the system clock trimmed if necessary.
1093 This option is intended to allow ‘outliers’ to be discarded, i.e.
1094 samples where the administrator realises they have entered a very
1095 poor timestamp.
1096 The reset form of the command deletes all samples at once. The
1098 system clock is left running as it was before the command was
1099 entered.
1100 settime time
1102 The settime command allows the current time to be entered manually,
1103 if this option has been configured into chronyd. (It can be
1104 configured either with the manual directive in the configuration
1105 file, or with the manual command of chronyc.)
1106 It should be noted that the computer’s sense of time will only be
1108 as accurate as the reference you use for providing this input (e.g.
1109 your watch), as well as how well you can time the press of the
1110 return key.
1111 Providing your computer’s time zone is set up properly, you will be
1113 able to enter a local time (rather than UTC).
1114 The response to a successful settime command indicates the amount
1116 that the computer’s clock was wrong. It should be apparent from
1117 this if you have entered the time wrongly, e.g. with the wrong time
1118 zone.
1119 The rate of drift of the system clock is estimated by a regression
1121 process using the entered measurement and all previous measurements
1122 entered during the present run of chronyd. However, the entered
1123 measurement is used for adjusting the current clock offset (rather
1124 than the estimated intercept from the regression, which is
1125 ignored). Contrast what happens with the manual delete command,
1126 where the intercept is used to set the current offset (since there
1127 is no measurement that has just been entered in that case).
1128 The time is parsed by the public domain getdate algorithm.
1130 Consequently, you can only specify time to the nearest second.
1131 Examples of inputs that are valid are shown below:
1133 settime 16:30
1135 settime 16:30:05
1136 settime Nov 21, 2015 16:30:05
1137 For a full description of getdate, see the getdate documentation
1139 (bundled, for example, with the source for GNU tar).
1140 NTP access
1142 accheck address
1143 This command allows you to check whether client NTP access is
1144 allowed from a particular host.
1145 Examples of use, showing a named host and a numeric IP address, are
1147 as follows:
1148 accheck foo.example.net
1150 accheck 1.2.3.4
1151 accheck 2001:db8::1
1152 This command can be used to examine the effect of a series of
1154 allow, allow all, deny, and deny all commands specified either via
1155 chronyc, or in chronyd’s configuration file.
1156 clients [-p packets] [-k] [-r]
1158 This command shows a list of clients that have accessed the server,
1159 through the NTP, command, or NTS-KE port. It does not include
1160 accesses over the Unix domain command socket.
1161 The -p option specifies the minimum number of received NTP or
1163 command packets, or accepted NTS-KE connections, needed to include
1164 a client in the list. The default value is 0, i.e. all clients are
1165 reported. With the -k option the last four columns will show the
1166 NTS-KE accesses instead of command accesses. If the -r option is
1167 specified, chronyd will reset the counters of received and dropped
1168 packets or connections after reporting the current values.
1169 An example of the output is:
1171 Hostname NTP Drop Int IntL Last Cmd Drop Int Last
1173 ===============================================================================
1174 localhost 2 0 2 - 133 15 0 -1 7
1175 foo.example.net 12 0 6 - 23 0 0 - -
1176 Each row shows the data for a single host. Only hosts that have
1178 passed the host access checks (set with the allow, deny, cmdallow
1179 and cmddeny commands or configuration file directives) are logged.
1180 The intervals are displayed as a power of 2 in seconds.
1181 The columns are as follows:
1183 1. The hostname of the client.
1185 2. The number of NTP packets received from the client.
1187 3. The number of NTP packets dropped to limit the response rate.
1189 4. The average interval between NTP packets.
1191 5. The average interval between NTP packets after limiting the
1193 response rate.
1194 6. Time since the last NTP packet was received
1196 7. The number of command packets or NTS-KE connections
1198 received/accepted from the client.
1199 8. The number of command packets or NTS-KE connections dropped to
1201 limit the response rate.
1202 9. The average interval between command packets or NTS-KE
1204 connections.
1205 10. Time since the last command packet or NTS-KE connection was
1207 received/accepted.
1208 serverstats
1210 The serverstats command displays how many valid NTP and command
1211 requests, and NTS-KE connections, chronyd operating as a server
1212 received from clients, and how many of them were dropped due to
1213 rate limiting. It also displays how many client log records were
1214 dropped due to the memory limit configured by the clientloglimit
1215 directive and how many of the NTP requests (from those which were
1216 not dropped) were authenticated. An example of the output is shown
1217 below.
1218 NTP packets received : 1598
1220 NTP packets dropped : 8
1221 Command packets received : 19
1222 Command packets dropped : 0
1223 Client log records dropped : 0
1224 NTS-KE connections accepted: 3
1225 NTS-KE connections dropped : 0
1226 Authenticated NTP packets : 189
1227 allow [all] [subnet]
1229 The effect of the allow command is identical to the allow directive
1230 in the configuration file.
1231 The syntax is illustrated in the following examples:
1233 allow 1.2.3.4
1235 allow all 3.4.5.0/24
1236 allow 2001:db8:789a::/48
1237 allow 0/0
1238 allow ::/0
1239 allow
1240 allow all
1241 deny [all] [subnet]
1243 The effect of the allow command is identical to the deny directive
1244 in the configuration file.
1245 The syntax is illustrated in the following examples:
1247 deny 1.2.3.4
1249 deny all 3.4.5.0/24
1250 deny 2001:db8:789a::/48
1251 deny 0/0
1252 deny ::/0
1253 deny
1254 deny all
1255 local [option]..., local off
1257 The local command allows chronyd to be told that it is to appear as
1258 a reference source, even if it is not itself properly synchronised
1259 to an external source. (This can be used on isolated networks, to
1260 allow one computer to be a master time server with the other
1261 computers slaving to it.)
1262 The first form enables the local reference mode on the host. The
1264 syntax is identical to the local directive in the configuration
1265 file.
1266 The second form disables the local reference mode.
1268 smoothing
1270 The smoothing command displays the current state of the NTP server
1271 time smoothing, which can be enabled with the smoothtime directive.
1272 An example of the output is shown below.
1273 Active : Yes
1275 Offset : +1.000268817 seconds
1276 Frequency : -0.142859 ppm
1277 Wander : -0.010000 ppm per second
1278 Last update : 17.8 seconds ago
1279 Remaining time : 19988.4 seconds
1280 The fields are explained as follows:
1282 Active
1284 This shows if the server time smoothing is currently active.
1285 Possible values are Yes and No. If the leaponly option is
1286 included in the smoothtime directive, (leap second only) will
1287 be shown on the line.
1288 Offset
1290 This is the current offset applied to the time sent to NTP
1291 clients. Positive value means the clients are getting time
1292 that’s ahead of true time.
1293 Frequency
1295 The current frequency offset of the served time. Negative value
1296 means the time observed by clients is running slower than true
1297 time.
1298 Wander
1300 The current frequency wander of the served time. Negative value
1301 means the time observed by clients is slowing down.
1302 Last update
1304 This field shows how long ago the time smoothing process was
1305 updated, e.g. chronyd accumulated a new measurement.
1306 Remaining time
1308 The time it would take for the smoothing process to get to zero
1309 offset and frequency if there were no more updates.
1310 smoothtime activate, smoothtime reset
1312 The smoothtime command can be used to activate or reset the server
1313 time smoothing process if it is configured with the smoothtime
1314 directive.
1315 Monitoring access
1317 cmdaccheck address
1318 This command is similar to the accheck command, except that it is
1319 used to check whether monitoring access is permitted from a named
1320 host.
1321 Examples of use are as follows:
1323 cmdaccheck foo.example.net
1325 cmdaccheck 1.2.3.4
1326 cmdaccheck 2001:db8::1
1327 cmdallow [all] [subnet]
1329 This is similar to the allow command, except that it is used to
1330 allow particular hosts or subnets to use chronyc to monitor with
1331 chronyd on the current host.
1332 cmddeny [all] [subnet]
1334 This is similar to the deny command, except that it is used to
1335 allow particular hosts or subnets to use chronyc to monitor chronyd
1336 on the current host.
1337 Real-time clock (RTC)
1339 rtcdata
1340 The rtcdata command displays the current RTC parameters.
1341 An example output is shown below.
1343 RTC ref time (GMT) : Sat May 30 07:25:56 2015
1345 Number of samples : 10
1346 Number of runs : 5
1347 Sample span period : 549
1348 RTC is fast by : -1.632736 seconds
1349 RTC gains time at : -107.623 ppm
1350 The fields have the following meaning:
1352 RTC ref time (GMT)
1354 This is the RTC reading the last time its error was measured.
1355 Number of samples
1357 This is the number of previous measurements being used to
1358 determine the RTC gain or loss rate.
1359 Number of runs
1361 This is the number of runs of residuals of the same sign
1362 following the regression fit for (RTC error) versus (RTC time).
1363 A value which is small indicates that the measurements are not
1364 well approximated by a linear model, and that the algorithm
1365 will tend to delete the older measurements to improve the fit.
1366 Sample span period
1368 This is the period that the measurements span (from the oldest
1369 to the newest). Without a unit the value is in seconds;
1370 suffixes m for minutes, h for hours, d for days or y for years
1371 can be used.
1372 RTC is fast by
1374 This is the estimate of how many seconds fast the RTC when it
1375 thought the time was at the reference time (above). If this
1376 value is large, you might (or might not) want to use the
1377 trimrtc command to bring the RTC into line with the system
1378 clock. (Note, a large error will not affect chronyd’s
1379 operation, unless it becomes so big as to start causing
1380 rounding errors.)
1381 RTC gains time at
1383 This is the amount of time gained (positive) or lost (negative)
1384 by the real time clock for each second that it ticks. It is
1385 measured in parts per million. So if the value shown was +1,
1386 suppose the RTC was exactly right when it crosses a particular
1387 second boundary. Then it would be 1 microsecond fast when it
1388 crosses its next second boundary.
1389 trimrtc
1391 The trimrtc command is used to correct the system’s real-time clock
1392 (RTC) to the main system clock. It has no effect if the error
1393 between the two clocks is currently estimated at less than a
1394 second.
1395 The command takes no arguments. It performs the following steps (if
1397 the RTC is more than 1 second away from the system clock):
1398 1. Remember the currently estimated gain or loss rate of the RTC
1400 and flush the previous measurements.
1401 2. Step the real-time clock to bring it within a second of the
1403 system clock.
1404 3. Make several measurements to accurately determine the new
1406 offset between the RTC and the system clock (i.e. the remaining
1407 fraction of a second error).
1408 4. Save the RTC parameters to the RTC file (specified with the
1410 rtcfile directive in the configuration file).
1411 The last step is done as a precaution against the computer
1415 suffering a power failure before either the daemon exits or the
1416 writertc command is issued.
1417 chronyd will still work perfectly well both whilst operating and
1419 across machine reboots even if the trimrtc command is never used
1420 (and the RTC is allowed to drift away from true time). The trimrtc
1421 command is provided as a method by which it can be corrected, in a
1422 manner compatible with chronyd using it to maintain accurate time
1423 across machine reboots.
1424 The trimrtc command can be executed automatically by chronyd with
1426 the rtcautotrim directive in the configuration file.
1427 writertc
1429 The writertc command writes the currently estimated error and gain
1430 or loss rate parameters for the RTC to the RTC file (specified with
1431 the rtcfile directive). This information is also written
1432 automatically when chronyd is killed (by the SIGHUP, SIGINT,
1433 SIGQUIT or SIGTERM signals) or when the trimrtc command is issued.
1434 Other daemon commands
1436 cyclelogs
1437 The cyclelogs command causes all of chronyd’s open log files to be
1438 closed and re-opened. This allows them to be renamed so that they
1439 can be periodically purged. An example of how to do this is shown
1440 below.
1441 # mv /var/log/chrony/measurements.log /var/log/chrony/measurements1.log
1443 # chronyc cyclelogs
1444 # rm /var/log/chrony/measurements1.log
1445 dump
1447 The dump command causes chronyd to write its current history of
1448 measurements for each of its sources to dump files in the directory
1449 specified in the configuration file by the dumpdir directive and
1450 also write server NTS keys and client NTS cookies to the directory
1451 specified by the ntsdumpdir directive. Note that chronyd does this
1452 automatically when it exits. This command is mainly useful for
1453 inspection whilst chronyd is running.
1454 rekey
1456 The rekey command causes chronyd to re-read the key file specified
1457 in the configuration file by the keyfile directive. It also
1458 re-reads the server NTS keys if ntsdumpdir is specified and
1459 automatic rotation is disabled in the configuration file.
1460 reset sources
1462 The reset sources command causes chronyd to drop all measurements
1463 and switch to the unsynchronised state. This command can help
1464 chronyd with recovery when the measurements are known to be no
1465 longer valid or accurate, e.g. due to moving the computer to a
1466 different network, or resuming the computer from a low-power state
1467 (which resets the system clock). chronyd will drop the measurements
1468 automatically when it detects the clock has made an unexpected
1469 jump, but the detection is not completely reliable.
1470 shutdown
1472 The shutdown command causes chronyd to exit. This is equivalent to
1473 sending the process the SIGTERM signal.
1474 Client commands
1476 dns option
1477 The dns command configures how hostnames and IP addresses are
1478 resolved in chronyc. IP addresses can be resolved to hostnames when
1479 printing results of sources, sourcestats, tracking and clients
1480 commands. Hostnames are resolved in commands that take an address
1481 as argument.
1482 There are five options:
1484 dns -n
1486 Disables resolving IP addresses to hostnames. Raw IP addresses
1487 will be displayed.
1488 dns +n
1490 Enables resolving IP addresses to hostnames. This is the
1491 default unless chronyc was started with -n option.
1492 dns -4
1494 Resolves hostnames only to IPv4 addresses.
1495 dns -6
1497 Resolves hostnames only to IPv6 addresses.
1498 dns -46
1500 Resolves hostnames to both address families. This is the
1501 default behaviour unless chronyc was started with the -4 or -6
1502 option.
1503 timeout timeout
1505 The timeout command sets the initial timeout for chronyc requests
1506 in milliseconds. If no response is received from chronyd, the
1507 timeout is doubled and the request is resent. The maximum number of
1508 retries is configured with the retries command.
1509 By default, the timeout is 1000 milliseconds.
1511 retries retries
1513 The retries command sets the maximum number of retries for chronyc
1514 requests before giving up. The response timeout is controlled by
1515 the timeout command.
1516 The default is 2.
1518 keygen [id [type [bits]]]
1520 The keygen command generates a key that can be added to the key
1521 file (specified with the keyfile directive) to allow NTP
1522 authentication between server and client, or peers. The key is
1523 generated from the /dev/urandom device and it is printed to
1524 standard output.
1525 The command has three optional arguments. The first argument is the
1527 key number (by default 1), which will be specified with the key
1528 option of the server or peer directives in the configuration file.
1529 The second argument is the name of the hash function or cipher (by
1530 default SHA1, or MD5 if SHA1 is not available). The third argument
1531 is the length of the key in bits if a hash function was selected,
1532 between 80 and 4096 bits (by default 160 bits).
1533 An example is:
1535 keygen 73 SHA1 256
1537 which generates a 256-bit SHA1 key with number 73. The printed line
1539 should then be securely transferred and added to the key files on
1540 both server and client, or peers. A different key should be
1541 generated for each client or peer.
1542 An example using the AES128 cipher is:
1544 keygen 151 AES128
1546 exit, quit
1548 The exit and quit commands exit from chronyc and return the user to
1549 the shell.
1550 help
1552 The help command displays a summary of the commands and their
1553 arguments.
1554
1556 chrony.conf(5), chronyd(8)
1557
1559 For instructions on how to report bugs, please visit
1560 https://chrony.tuxfamily.org/.
1561
1563 chrony was written by Richard Curnow, Miroslav Lichvar, and others.
1564chrony 4.1 2021-05-12 CHRONYC(1)