Accurate time is essential for logging, security, distributed databases, and scheduled tasks. This guide covers how to install Chrony to synchronize time in RHEL systems, configure it to use reliable NTP pool servers, allow internal clients to sync, open the firewall, and verify synchronization. Chrony is the modern, resilient NTP implementation used by RHEL 8 and later; it is optimized for virtualized environments and intermittent network connections. Follow the steps here to deploy a robust time service on RHEL servers, validate settings, and troubleshoot common issues so your infrastructure maintains precise system time.
Install Chrony and verify installation
Install the Chrony package from the RHEL repositories. On RHEL 8/9 use dnf; on older RHEL derivatives you can use yum. Installing with the automatic confirmation flag speeds automation. After installation, confirm the package is present.
sudo dnf install chrony -y Last metadata expiration check: 0:00:10 ago on Fri 04 Mar 2026 10:12:33 UTC Dependencies resolved. ============================================================================= Package Arch Version Repository Size ============================================================================= Installing: chrony x86_64 3.5-18.el8 AppStream 152 k Transaction Summary ============================================================================= Install 1 Package Total download size: 152 k Installed size: 416 k Downloading packages: chrony-3.5-18.el8.x86_64.rpm 8.6 kB/s | 152 kB 00:17 Running transaction check Transaction test succeeded Running transaction Preparing : 1/1 Installing : chrony-3.5-18.el8.x86_64 1/1 Verifying : chrony-3.5-18.el8.x86_64 1/1 Installed: chrony.x86_64 3.5-18.el8 Complete!
The command installs the Chrony daemon and client utilities. The -y flag automatically confirms the install. The output shows package download, installation steps, and a successful completion message.
Backup and inspect the default configuration
Always back up the default configuration before editing. Chrony’s main configuration file is /etc/chrony.conf. Make a backup copy and inspect the first lines to understand default server entries and directives.
sudo cp /etc/chrony.conf /etc/chrony.conf.bak && sudo ls -l /etc/chrony.conf.bak -rw-r--r--. 1 root root 2048 Mar 01 12:00 /etc/chrony.conf.bak
This combines a backup copy with a listing of the backup file. Confirm the file exists and has reasonable permissions; if your environment enforces stricter permissions, adjust ownership or mode.
Configure Chrony to use appropriate NTP pool servers
Replace or supplement the default pool entries with the geographically closest NTP pool servers from pool.ntp.org or use your internal NTP hierarchy. Choosing local pool servers reduces latency and improves stability. Edit /etc/chrony.conf and set one line per server like server 0.pool.ntp.org iburst. The iburst keyword speeds initial synchronization.
sudo sed -n '1,40p' /etc/chrony.conf # Example excerpt # chrony configuration file server 0.rhel.pool.ntp.org iburst server 1.rhel.pool.ntp.org iburst server 2.rhel.pool.ntp.org iburst driftfile /var/lib/chrony/drift makestep 1.0 3 rtcsync allow 127.0.0.1
The sed command displays the top of the configuration file. Typical entries include server lines, a driftfile path, and options such as makestep which allows large corrections at startup. Replace pool hostnames with those you selected for your location.
Allow internal clients to synchronize
To enable other hosts on your LAN to sync time with this server, add an allow directive in Chrony. Prefer creating a small include file under /etc/chrony.d/ so local customizations are separated from the shipped config.
echo "allow 192.168.1.0/24" | sudo tee /etc/chrony.d/allow.conf allow 192.168.1.0/24
This command writes an include file that permits any host on the 192.168.1.0/24 network to query and synchronize time. Chrony’s allow statement is the correct method; legacy restrict lines belong to ntpd and should not be used here.
Open the firewall for NTP (UDP 123)
Chrony uses UDP port 123. If firewalld is active, allow the NTP service and reload the runtime configuration to persist changes.
sudo firewall-cmd --add-service=ntp --permanent success
The --add-service=ntp –permanent flags open the NTP service permanently. The command returns success if the service was added to the permanent zone policy.
sudo firewall-cmd --reload success
Reload applies the permanent firewall configuration to the running instance. The return message success indicates it was applied.
Start, enable, and verify the chronyd service
Enable chronyd to start at boot and start it immediately. After starting, verify it is active and listening.
sudo systemctl restart chronyd && sudo systemctl status chronyd --no-pager ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2026-03-04 10:20:15 UTC; 10s ago Main PID: 2345 (chronyd) Tasks: 1 Memory: 1.8M CGroup: /system.slice/chronyd.service └─2345 /usr/sbin/chronyd --foreground -d
The systemctl restart command restarts the service; status reports the service as active (running). The output shows the PID, loaded unit file, and whether the unit is enabled at boot.
Verify time sources and synchronization state
Use Chrony’s control tool chronyc to inspect peers and the server’s tracking status. Useful commands are chronyc sources (peer list) and chronyc tracking (local clock details).
chronyc sources 210 Number of sources = 4, # sources looplimit = 16 MS Name/IP address Stratum Poll Reach LastRx Last sample ============================================================================= ^* 0.rhel.pool.ntp.org 2 6 377 12 -0.000123s ^+ 1.rhel.pool.ntp.org 2 6 377 11 -0.000215s ^+ 2.rhel.pool.ntp.org 2 6 377 10 0.000045s ^- 3.time.example.com 3 6 377 15 0.000567s
The chronyc sources output shows each NTP source with status flags: * is the current system peer, + are acceptable candidates, and – are discarded by the selection algorithm. Columns show stratum, poll interval, reachability, last response, and last offset.
chronyc tracking Reference ID : 0.rhel.pool.ntp.org (123.45.67.89) Stratum : 2 Ref time (UTC) : Fri Mar 04 10:34:12 2026 System time : 0.000089 seconds slow Last offset : -0.000123 seconds RMS offset : 0.000135 seconds Frequency : 12.345 ppm Residual freq : -0.001 ppm Skew : 0.012 ppm Root delay : 0.027065 s Root dispersion : 0.002345 s
chronyc tracking summarizes the server’s relationship to its reference: current reference ID, stratum, accuracy (RMS offset), and frequency correction applied to the local clock. Small RMS offset values indicate good synchronization.
Confirm system-wide time synchronization
Verify that systemd’s time facilities agree with Chrony and that NTP is enabled at the system level.
timedatectl status Local time: Fri 2026-03-04 10:34:20 UTC Universal time: Fri 2026-03-04 10:34:20 UTC RTC time: Fri 2026-03-04 10:34:20 Time zone: UTC (UTC, +0000) System clock synchronized: yes NTP service: active
The timedatectl output confirms system clock synchronization and shows whether system-level NTP service integration is active. If System clock synchronized is no, investigate chronyd and firewall rules.
Troubleshooting and common issues
If clients cannot reach the server, ensure Chrony is listening on UDP 123 and SELinux or external firewalls are not blocking traffic. Use socket tools to confirm the service binding.
sudo ss -ulpn | grep :123 udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("chronyd",pid=2345,fd=6)) This output shows chronyd listening on UDP port 123 on all interfaces. If nothing appears, verify service state and configuration files. For SELinux environments, check AVC denials in /var/log/audit/audit.log or use ausearch -m avc -ts recent to find related denials.
Best practices and security
• Use local or national pool servers to minimize latency. • Keep Chrony updated through official repositories. • Limit which networks can query your server with allow instead of exposing NTP to the Internet. • Monitor chrony drift and offsets with regular checks or integrate into your monitoring system. • Avoid mixing ntpd and chronyd; run only one NTP daemon to prevent conflicts.
Conclusion
Installing Chrony to synchronize time in RHEL systems is straightforward and provides robust, accurate timekeeping suited to modern server environments. This guide walked through installing Chrony, backing up and editing configuration, adding allowed client networks, opening the firewall, starting and enabling the service, and verifying synchronization with Chrony tools and systemd. Applying the best practices above ensures consistent timestamps across logs, correct behavior for distributed systems, and smoother forensic and auditing operations. Regular monitoring and periodic checks of Chrony’s offsets and server reachability will keep your RHEL infrastructure time-accurate and reliable.