
                               The chrony suite
                                       
This manual describes how to use

the programs chronyd and chronyc

   
    Richard P. Curnow
    
     _________________________________________________________________
                                      
                               Table of Contents
                                       
     * Introduction
          + Overview
          + Acknowledgements
          + Availability
               o Getting the software
               o Platforms
          + Relationship to other software packages
               o xntpd
               o timed
          + Distribution rights and (lack of) warranty
     * Installation
     * Typical operating scenarios
          + Computers connected to the internet
          + Infrequent connection to true NTP servers
               o Setting up the configuration file for infrequent
                 connections
               o How to tell chronyd when the internet link is available.
          + Isolated networks
          + The home PC with a dial-up connection
               o Assumptions/how the software works
               o Typical configuration files.
          + Other important configuration options
     * Usage reference
          + Starting chronyd
          + The chronyd configuration file
               o allow
               o bindaddress
               o commandkey
               o cmdport
               o deny
               o driftfile
               o dumpdir
               o dumponexit
               o initstepslew
               o keyfile
               o local
               o log
                    # Measurements log file format
                    # Statistics log file format
                    # Tracking log file format
                    # Real-time clock log file format
               o logchange
               o logdir
               o mailonchange
               o manual
               o maxupdateskew
               o noclientlog
               o peer
               o port
               o rtcfile
               o rtconutc
               o server
          + Running chronyc
               o Basic use
               o Command line options
               o Security with chronyc
               o Command reference
                    # accheck
                    # add peer
                    # add server
                    # allow
                    # allow all
                    # burst
                    # clients
                    # cmdaccheck
                    # cmdallow
                    # cmdallow all
                    # cmddeny
                    # cmddeny all
                    # cyclelogs
                    # delete
                    # deny
                    # deny all
                    # dump
                    # exit
                    # help
                    # local
                    # makestep
                    # manual
                    # maxdelay
                    # maxdelayratio
                    # maxpoll
                    # maxupdateskew
                    # minpoll
                    # offline
                    # online
                    # password
                    # quit
                    # rtcdata
                    # settime
                    # sources
                    # sourcestats
                    # tracking
                    # trimrtc
                    # writertc
     * Porting guide
          + System driver files
          + Quirks of particular systems
               o Linux
               o Solaris 2.5
               o SunOS 4.1.4
       
     _________________________________________________________________
                                      
                                 Introduction
                                       
Overview

   Chrony is a software package for maintaining the accuracy of computer
   system clocks. It consists of a pair of programs :
   
     * chronyd. This is a daemon which runs in background on the system.
       It obtains measurements (e.g. via the network) of the system's
       offset relative to other systems, and adjusts the system time
       accordingly. For isolated systems, the user can periodically enter
       the correct time by hand (using chronyc). In either case, chronyd
       determines the rate at which the computer gains or loses time, and
       compensates for this.
     * chronyc. This is a command-line driven control and monitoring
       program. An administrator can use this to fine-tune various
       parameters within the daemon, add or delete servers etc whilst the
       daemon is running.
       
Acknowledgements

   The chrony suite makes use of the algorithm known as _RSA Data
   Security, Inc. MD5 Message-Digest Algorithm_ for authenticating
   messages between different machines on the network.
   
   In writing the chronyd program, extensive use has been made of
   RFC1305, written by David Mills. I have occasionally referred to the
   xntp suite's source code to check details of the protocol that the RFC
   did not make absolutely clear. The core algorithms in chronyd are all
   completely distinct from xntp, however.
   
Availability

  Getting the software
  
   Links on the chrony home page describe how to obtain the software.
   
  Platforms
  
   Although most of the program is portable between Unix-like systems,
   there are parts that have to be tailored to each specific vendor's
   system. These are the parts that interface with the operating system's
   facilities for adjusting the system clock; different operating systems
   may provide different function calls to achieve this, and even where
   the same function is used it may have different quirks in its
   behaviour.
   
   So far, the software is able to run in the following environments:
     * Linux/i386. The software can be compiled on Linux v2.0.x kernels.
       Linux v2.1.x kernels should also present no problem, but the
       sys_linux.c file needs modifying to define the patchlevel (value
       of 'x') at which the change to the kernel time-keeping equivalent
       to that applied in v2.0.32 was included. Until I find out which
       version this was, v2.1 kernels are limited to patchlevels prior to
       51.
     * Solaris 2.5/2.5.1 on Sparc 20 and Ultrasparc.
     * SunOS 4.1.4 on Sparc 2 and Sparc20.
       
   Closely related systems may work too, but they have not been tested.
   
   Porting the software to other system (particularly to those supporting
   an adjtime system call) should not be difficult, however it requires
   access to such systems to test out the driver.
   
Relationship to other software packages

  xntpd
  
   The `reference' implementation of the Network Time Protocol is the
   program xntpd, available via The NTP home page.
   
   xntpd is designed to support all the operating modes defined by
   RFC1305, and has driver support for a large number of reference clocks
   (such as GPS receivers) that can be connected directly to a computer,
   thereby providing a so-called 'stratum 1' server.
   
   Things chronyd can do that xntpd can't:
   
     * chronyd can perform usefully in an environment where access to the
       time reference is intermittent. chronyd estimates _both_ the
       current time offset _and_ the rate at which the computer's clock
       gains or loses time, and can use that rate estimate to trim the
       clock after the reference disappears. xntpd corrects any time
       offset by speeding up and slowing down the computer clock, and so
       could be left with a significant rate error if the reference
       disappears whilst it is trying to correct a big offset.
     * chronyd provides support for isolated networks whether the only
       method of time correction is manual entry (e.g. by the
       administrator looking at a clock). chronyd can look at the errors
       corrected at different updates to work out the rate at which the
       computer gains or loses time, and use this estimate to trim the
       computer clock subsequently.
     * chronyd provides support to work out the gain or loss rate of the
       `real-time clock', i.e. the clock that maintains the time when the
       computer is turned off. It can use this data when the system boots
       to set the system time from a corrected version of the real-time
       clock. These real-time clock facilities are only available on
       certain releases of Linux, so far.
     * The xntpd program is supported by other programs to carry out
       certain functions. ntpdate is used to provide an initial
       correction to the system clock based on a `one-shot' sampling of
       other NTP servers. tickadj is used to adjust certain operating
       system parameters to make xntpd work better. All this
       functionality is integrated into chronyd.
       
   Things xntpd can do that chronyd can't:
   
     * xntpd supports a range of different hardware reference clocks
       (GPS, atomic etc) that can be connected to a computer to provide a
       `stratum-1' server. chronyd does not support any such hardware
       _yet_; I don't have access to any to do any development work.
       However, the software architecture should allow such equipment to
       be interfaced at a later date.
     * xntpd supports effectively all of RFC1305, including broadcast /
       multicast clients, leap seconds, and extra encryption schemes for
       authenticating data packets.
     * xntpd has been ported to more types of computer / operating system
       (so far).
     * xntpd is designed to work solely with integer arithmetic (i.e.
       does not require floating point support from its host).
       
  timed
  
   timed is a program that is part of the BSD networking suite. It uses
   broadcast packets to find all machines running the daemon within a
   subnet. The machines elect a master which periodically measures the
   system clock offsets of the other computers using ICMP timestamps.
   Corrections are sent to each member as a result of this process.
   
   Problems that may arise with timed are :
   
     * Because it uses broadcasts, it is not possible to isolate its
       functionality to a particular group of computers; there is a risk
       of upsetting other computers on the same network (e.g. where a
       whole company is on the same subnet but different departments are
       independent from the point of view of administering their
       computers.)
     * The update period appears to be 10 minutes. Computers can build up
       significant offsets relative to each other in that time. If a
       computer can estimate its rate of drift it can keep itself closer
       to the other computers between updates by adjusting its clock
       every few seconds. timed does not seem to do this.
     * timed does not have any integrated capability for feeding
       real-time into its estimates, or for estimating the average rate
       of time loss/gain of the machines relative to real-time (unless
       one of the computers in the group has access to an external
       reference and is always appointed as the `master').
       
   timed does have the benefit over chronyd that for isolated networks of
   computers, they will track the `majority vote' time. For such isolated
   networks, chronyd requires one computer to be the `master' with the
   others slaved to it. If the master has a particular defective clock,
   the whole set of computers will tend to slip relative to real time
   (but they _will_ stay accurate relative to one another).
   
Distribution rights and (lack of) warranty

   {@tensf
   
   This is the licence for the programs "chronyd" and "chronyc". Their
   source code files which reference this licence, object files /
   programs (binary form) built from such source code, and the supporting
   documentation are collectively referred to in this licence as "the
   Software".
   
   Certain source code files required for the construction of the
   Software may be included under different licensing arrangements; you
   should refer to such source code files directly for further
   information. Any such files are outside the scope of this licence.
   
   Person(s) and/or organisation(s) holding the copyright to any part of
   the source code to which this licence applies are referred to in this
   licence as "the Copyright Holder(s)".
   
   Copying and use of this licence itself, with or without modification,
   are permitted for any purpose subject only to condition 6 below.
   
   Copying, use and redistribution of the Software in source and/or
   binary forms, with or without modification, and use of any part of the
   Software in the creation of another work, are permitted without fee
   subject to the following conditions 1 through 8 and the disclaimer
   below :
   
    1. Redistributions of the Software as source code, in whole or in
       part, with or without modification, must retain all existing
       copyright notices and references to this licence, and must be
       accompanied by a copy of this licence. You may rename the file
       containing this licence and change all references to it
       accordingly if you need to. Such redistributions must be under
       terms that require this list of conditions and the disclaimer
       below to be carried on any subsequent redistribution.
    2. Redistributions in binary form (of the original version of the
       Software, a modified version of the Software, or any other work
       which incorporates any part of the Software), must carry in
       accompanying documentation and/or other materials a notice to the
       effect of either (A) or (B) below.
         1. This original version of this software was written by
            <name(s) of Copyright Holder(s)> and is used subject to the
            disclaimer in the file <name of file containing the
            disclaimer>.
         2. The parts of this software which <describe their role in your
            software> were originally written by <name(s) of Copyright
            Holder(s)> and are used subject to the disclaimer in the file
            <name of file containing the disclaimer>.
       (You must replace each <...> with the appropriate information.) A
       copy of the disclaimer below must also be included. Such
       redistributions must be under terms that require the relevant
       notice (A) or (B) and the disclaimer below to be carried on any
       subsequent redistribution. As an exception, if all recipients of
       your distribution receive additional rights under condition 5, and
       those rights supersede the disclaimer in its entirety, then you
       need not include the disclaimer, any reference to it, or the
       requirement for further redistributions to carry it.
    3. Unless modifications to the original Software are retained for the
       exclusive personal use of the modifier, each source code file that
       has been modified must identify the original source version and
       carry a notice describing the nature and purpose of all
       modifications and the person responsible for them. Where modified
       source code is widely redistributed (e.g. outside the modifier's
       own organisation), it should preferably be supplied as the
       original version plus `patches' which can be applied to the
       original version to obtain the modified version.
    4. If a modified version of the Software is distributed in any form,
       it must not be misrepresented (whether by the method of
       distribution or by any related advertisement or documentation) as
       being the original version. Both the documentation accompanying
       the software and any advertisement related to the distribution
       must expressly state that the distributed software is not the
       original work, and must identify both the original work (by name
       and version) and the nature and purpose of all modifications made.
    5. You may offer to any party (and charge a fee for) additional
       warranty, liability rights and/or support for the Software (or a
       work derived from it). Any such offer made must be entirely on
       your own behalf, and you must indemnify the Copyright Holder(s)
       and all other parties through whose redistributions you have
       received the Software for any liability arising out of such an
       offer.
    6. This list of conditions and the disclaimer below, when applied
       either to the Software as a whole or to any part of the Software,
       may only be modified by or with the express permission of the
       Copyright Holder(s).
    7. The Copyright Holder(s) retain all rights to the Software,
       including without limitation the rights to use the Software for
       any purpose, to create modified and/or enhanced versions of the
       Software, and to distibute such versions under terms different to
       those in this licence.
    8. Except as required by this licence, the name(s) of the Copyright
       Holder(s) may not be used to endorse or promote products derived
       from the Software without their express permission obtained in
       advance.
       
   == Start of disclaimer ==
   
   BECAUSE THE SOFTWARE IS PROVIDED FREE OF CHARGE, THERE IS NO WARRANTY
   FOR IT, TO THE MAXIMUM EXTENT THAT APPLICABLE LAW ALLOWS. UNLESS
   OTHERWISE STATED IN WRITING OR REQUIRED BY APPLICABLE LAW, THE
   COPYRIGHT HOLDER(S) AND/OR OTHER PARTIES PROVIDE THE SOFTWARE `AS IS'
   AND DISCLAIM ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, INCLUDING
   WITHOUT LIMITATION WARRANTIES THAT THE SOFTWARE IS FREE OF DEFECTS,
   MERCHANTABLE OR FIT FOR A PARTICULAR PURPOSE. THE USER BEARS THE
   ENTIRE RISK AS TO THE QUALITY, ACCURACY AND PERFORMANCE OF THE
   SOFTWARE AND THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION
   IN THE EVENT THAT THE SOFTWARE SHOULD PROVE DEFECTIVE.
   
   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
   WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
   REDISTRIBUTE THE SOFTWARE, BE LIABLE TO YOU OR TO ANY OTHER PARTY FOR
   DAMAGES OF ANY CHARACTER, INCLUDING WITHOUT LIMITATION ANY GENERAL,
   SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES WHICH ARISE FROM THE USE
   OF OR INABILITY TO USE THE SOFTWARE (INCLUDING WITHOUT LIMITATION LOSS
   OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU
   OR THIRD PARTIES OR A FAILURE OF THE SOFTWARE TO OPERATE WITH ANY
   OTHER SOFTWARE), EVEN IF SUCH COPYRIGHT HOLDER OR OTHER PARTY HAS BEEN
   ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
   
   == End of disclaimer ==
   
   }
   
                                 Installation
                                       
   The software is distributed as source code which has to be compiled.
   The source code is supplied in the form of a gzipped tar file, which
   unpacks to a subdirectory identifying the name and version of the
   program.
   
   After unpacking the source code, change directory into it, and type
   
./configure

   This is a shell script that automatically determines the system type.
   There is a single optional parameter, --prefix which indicates the
   directory tree where the software should be installed. For example,
   
./configure --prefix=/opt/free

   will install the chronyd daemon into /opt/free/sbin and the chronyc
   control program into /opt/free/bin. The default value for the prefix
   is /usr/local.
   
   If the software cannot (yet) be built on your system, an error message
   will be shown. Otherwise, the files `options.h' and `Makefile' will be
   generated.
   
   Now type
   
make

   to build the programs.
   
   Once the programs have been successfully compiled, they need to be
   installed in their target locations. This step normally needs to be
   performed by the superuser, and requires the following command to be
   entered.
   
make install

   Now that the software is successfully installed, the next step is to
   set up a configuration file. The contents of this depend on the
   network environment in which the computer operates. Typical scenarios
   are described in the following section of the document.
   
                          Typical operating scenarios
                                       
Computers connected to the internet

   In this section we discuss how to configure chrony for computers that
   have permanent connections to the internet (or to any network
   containing true NTP servers which ultimately derive their time from a
   reference clock).
   
   To operate in this mode, you will need to know the names of the NTP
   server machines you wish to use. You may be able to find names of
   suitable servers by one of the following methods:
   
     * Your institution may already operate servers on its network.
       Contact your system administrator to find out.
     * Your ISP probably has one or more NTP servers available for its
       customers.
     * Somewhere under the NTP homepage there is a list of public stratum
       1 and stratum 2 servers. You should find one or more servers that
       are near to you -- check that their access policy allows you to
       use their facilities.
       
   Assuming that you have found some servers, you need to set up a
   configuration file to run chrony. The (compiled-in) default location
   for this file is `/etc/chrony.conf'. Assuming that your ntp servers
   are called a.b.c and d.e.f, your `chrony.conf' file could contain as a
   minimum
   
server a.b.c
server d.e.f
server g.h.i

   However, you will probably want to include some of the other
   directives described later. The following directives will be
   particularly useful : driftfile, commandkey, keyfile. The smallest
   useful configuration file would look something like
   
server a.b.c
server d.e.f
server g.h.i
keyfile /etc/chrony.keys
commandkey 1
driftfile /etc/chrony.drift

Infrequent connection to true NTP servers

   In this section we discuss how to configure chrony for computers that
   have occasional connections to the internet.
   
  Setting up the configuration file for infrequent connections
  
   As in the previous section, you will need access to NTP servers on the
   internet. The same remarks apply for how to find them.
   
   In this case, you will need some additional configuration to tell
   chronyd when the connection to the internet goes up and down. This
   saves the program from continuously trying to poll the servers when
   they are inaccessible.
   
   Again, assuming that your ntp servers are called a.b.c and d.e.f, your
   `chrony.conf' file would need to contain something like
   
server a.b.c
server d.e.f
server g.h.i

   However, the following issues need to be addressed:
   
    1. Your computer probably doesn't have DNS access whilst offline to
       turn the machine names into IP addresses.
    2. Your computer will keep trying to contact the servers to obtain
       timestamps, even whilst offline. If you operate a dial-on-demand
       system, things are even worse, because the link to the internet
       will keep getting established.
       
   For this reason, it would be better to specify this part of your
   configuration file in the following way:
   
server 1.2.3.4 offline
server 5.6.7.8 offline
server 9.10.11.12 offline

   Because numeric IP addresses have been used, the first problem is
   overcome. The offline keyword indicates that the servers start in an
   offline state, and that they should not be contacted until chronyd
   receives notification that the link to the internet is present.
   
   In order to notify chronyd of the presence of the link, you will need
   to be able to log in to it with the program chronyc. To do this,
   chronyd needs to be configured with an administrator password. To set
   up an administrator password, you can create a file `/etc/chrony.keys'
   containing a single line
   
1 xyzzy

   and add the following line to `/etc/chrony.conf' (the order of the
   lines does not matter)
   
commandkey 1

   The smallest useful configuration file would look something like
   
server 1.2.3.4 offline
server 5.6.7.8 offline
server 9.10.11.12 offline
keyfile /etc/chrony.keys
commandkey 1
driftfile /etc/chrony.drift

   The next section describes how to tell chronyd when the internet link
   goes up and down.
   
  How to tell chronyd when the internet link is available.
  
   To use this option, you will need to configure a command key in
   chronyd's configuration file `/etc/chrony.conf', as described in the
   previous section.
   
   To tell chronyd when to start and finish sampling the servers, the
   online and offline commands of chronyc need to be used. To give an
   example of their use, we assume that pppd is the program being used to
   connect to the internet, and that chronyc has been installed at its
   default location `/usr/local/bin/chronyc'. We also assume that the
   command key has been set up as described in the previous section.
   
   In the file `/etc/ppp/ip-up' we add the command sequence
   
cat <<EOF | /usr/local/bin/chronyc
password xyzzy
online
EOF

   and in the file `/etc/ppp/ip-down' we add the sequence
   
cat <<EOF | /usr/local/bin/chronyc
password xyzzy
offline
EOF

   chronyd's polling of the servers will now only occur whilst the
   machine is actually connected to the Internet.
   
Isolated networks

   In this section we discuss how to configure chrony for computers that
   never have network conectivity to any computer which ultimately
   derives its time from a reference clock.
   
   In this situation, one computer is selected to be the master
   timeserver. The other computers are either direct clients of the
   master, or clients of clients.
   
   The rate value in the master's drift file needs to be set to the
   average rate at which the master gains or loses time. chronyd includes
   support for this, in the form of the manual directive in the
   configuration file and the settime command in the chronyc program.
   
   If the master is rebooted, chronyd can re-read the drift rate from the
   drift file. However, the master has no accurate estimate of the
   current time. To get around this, the system can be configured so that
   the master can initially set itself to a `majority-vote' of selected
   clients' times; this allows the clients to `flywheel' the master
   across its outage.
   
   A typical configuration file for the master (called master) might be
   (assuming the clients are in the 192.168.165.x subnet and that the
   master's address is 192.168.169.170)
   
driftfile /etc/chrony.drift
commandkey 25
keyfile /etc/chrony.keys
initstepslew 10 client1 client3 client6
local stratum 8
manual
allow 192.168.165

   For the clients that have to resynchronise the master when it
   restarts, the configuration file might be
   
server master
driftfile /etc/chrony.drift
logdir /var/log/chrony
log measurements statistics tracking
keyfile /etc/chrony.keys
commandkey 24
local stratum 10
initstepslew 20 master
allow 192.168.169.170

   The rest of the clients would be the same, except that the local and
   allow directives are not required.
   
The home PC with a dial-up connection

  Assumptions/how the software works
  
   This section considers the home computer which has a dial-up
   connection. It assumes that Linux is run exclusively on the computer.
   Dual-boot systems may work; it depends what (if anything) the other
   system does to the system's real-time clock.
   
   Much of the configuration for this case is discussed earlier (see
   section Infrequent connection to true NTP servers). This section
   addresses specifically the case of a computer which is turned off
   between 'sessions'.
   
   In this case, chronyd relies on the computer's real-time clock (RTC)
   to maintain the time between the periods when it is powered up. The
   arrangement is shown in the figure below.
   
            trim if required                          PSTN
      +---------------------------+               +----------+
      |                           |               |          |
      v                           |               |          |
+---------+                    +-------+       +-----+     +---+
| System's|  measure error/    |chronyd|       |modem|     |ISP|
|real-time|------------------->|       |-------|     |     |   |
|  clock  |   drift rate       +-------+       +-----+     +---+
+---------+                       ^                          |
      |                           |                          |
      +---------------------------+                  --o-----o---
         set time at boot up                           |
                                                  +----------+
                                                  |NTP server|
                                                  +----------+

   When the computer is connected to the Internet (via the modem),
   chronyd has access to external NTP servers which it makes measurements
   from. These measurements are saved, and straight-line fits are
   performed on them to provide an estimate of the computer's time error
   and rate of gaining/losing time.
   
   When the computer is taken offline from the Internet, the best
   estimate of the gain/loss rate is used to free-run the computer until
   it next goes online.
   
   Whilst the computer is running, chronyd makes measurements of the
   real-time clock (RTC) (via the `/dev/rtc' interface, which must be
   compiled into the kernel). An estimate is made of the RTC error at a
   particular RTC second, and the rate at which the RTC gains or loses
   time relative to true time.
   
   For kernels in the 2.0 series prior to 2.0.32, the kernel was set up
   to trim the RTC every 11 minutes. This would be disasterous for
   chronyd -- there is no reliable way of synchronising with this
   trimming. For this reason, chronyd only supports the RTC in 2.0
   kernels from v2.0.32 onwards. (I don't know anything about the
   kernel's RTC behaviour in other kernel series).
   
   When the computer is powered down, the measurement histories for all
   the NTP servers are saved to files (if the dumponexit directive is
   specified in the configuration file), and the RTC tracking information
   is also saved to a file (if the rtcfile directive has been specified).
   These pieces of information are also saved if the dump and writertc
   commands respectively are issued through chronyc.
   
   When the computer is rebooted, chronyd reads the current RTC time and
   the RTC information saved at the last shutdown. This information is
   used to set the system clock to the best estimate of what its time
   would have been now, had it been left running continuously. The
   measurement histories for the servers are then reloaded.
   
   The next time the computer goes online, the previous sessions'
   measurements can contribute to the line-fitting process, which gives a
   much better estimate of the computer's gain/loss rate.
   
   One problem with saving the measurements and RTC data when the machine
   is shut down is what happens if there is a power failure; the most
   recent data will not be saved. Although chronyd is robust enough to
   cope with this, some performance may be lost. (The main danger arises
   if the RTC has been changed during the session, with the trimrtc
   command in chronyc. Because of this, trimrtc will make sure that a
   meaningful RTC file is saved out after the change is completed).
   
   The easiest protection against power failure is to put the dump and
   writertc commands in the same place as the offline command is issued
   to take chronyd offline; because chronyd free-runs between online
   sessions, no parameters will change significantly between going
   offline from the Internet and any power failure.
   
   A final point regards home computers which are left running for
   extended periods and where it is desired to spin down the hard disc
   when it is not in use (e.g. when not accessed for 15 minutes). chronyd
   has been planned so it supports such operation; this is the reason why
   the RTC tracking parameters are not saved to disc after every update,
   but only when the user requests such a write, or during the shutdown
   sequence. The only other facility that will generate periodic writes
   to the disc is the log rtc facility in the configuration file; this
   option should not be used if you want your disc to spin down.
   
  Typical configuration files.
  
   To illustrate how a dial-up home computer might be configured, example
   configuration files are shown in this section.
   
   For the `/etc/chrony.conf' file, the following can be used as an
   example. _NOTE : The server directives are only applicable to
   customers of Demon Internet; users of other ISPs will need to use
   their own ISP's NTP servers or public NTP servers._
   
server 158.152.1.65 minpoll 5 maxpoll 10 maxdelay 0.4 offline
server 158.152.1.76 minpoll 5 maxpoll 10 maxdelay 0.4 offline
server 194.159.253.2 minpoll 5 maxpoll 10 maxdelay 0.4 offline
logdir /var/log/chrony
log statistics measurements tracking
driftfile /etc/chrony.drift
keyfile /etc/chrony.keys
commandkey 25
maxupdateskew 100.0
dumponexit
dumpdir /var/log/chrony
rtcfile /etc/chrony.rtc

   With Freeserve as the ISP, I use the following server lines :
   
server 194.152.64.68 minpoll 5 maxpoll 10 maxdelay 0.4 offline
server 194.152.64.35 minpoll 5 maxpoll 10 maxdelay 0.4 offline
server 194.152.64.34 minpoll 5 maxpoll 10 maxdelay 0.4 offline

   I use pppd for connecting to my ISP. This runs two scripts
   `/etc/ppp/ip-up' and `/etc/ppp/ip-down' when the link goes online and
   offline respectively.
   
   The relevant part of the `/etc/ppp/ip-up' file is (with a dummy
   password)
   
cat <<EOF | /usr/local/bin/chronyc
password xxxxxxxx
online
EOF

   and the relevant part of the `/etc/ppp/ip-down' script is
   
cat <<EOF | /usr/local/bin/chronyc
password xxxxxxxx
offline
dump
writertc
EOF

   (Because they have to contain the administrator password, it would be
   desirable to make the files readable only by root on a multiuser
   machine).
   
   To start chronyd during the boot sequence, I have the following in
   `/etc/rc.d/rc.local' (this is a Slackware system)
   
if [ -f /usr/local/sbin/chronyd -a -f /etc/chrony.conf ]; then
  /usr/local/sbin/chronyd -r -s
  echo "Start chronyd"
fi

   The placement of this command may be important on some systems. In
   particular, chronyd may need to be started several seconds (about 10
   as a minimum) before any software that depends on the system clock not
   jumping or moving backwards, depending on the directives in chronyd's
   configuration file.
   
   For the system shutdown, chronyd should receive a SIGTERM several
   seconds before the final SIGKILL; the SIGTERM causes the measurement
   histories and RTC information to be saved out. There should be no need
   to add anything to the shutdown sequence, unless (as my system had)
   there is no pause between the SIGTERM and SIGKILL being delivered to
   the remaining processes. So if you find something like
   
killall5 -15
killall5 -9

   in your /etc/rc.d/rc.0 script, you will need to insert a sleep, e.g.
   
killall5 -15
sleep 5
killall5 -9

   Otherwise, chronyd will not always save information on shutdown, which
   could be a problem if you don't use dump and writertc when you go
   offline.
   
Other important configuration options

   The most common option to include in the configuration file is the
   driftfile option. One of the major tasks of chronyd is to work out how
   fast or how slow the system clock runs relative to real time - e.g. in
   terms of seconds gained or lost per day. Measurements over a long
   period are usually required to refine this estimate to an acceptable
   degree of accuracy. Therefore, it would be bad if chronyd had to work
   the value out each time it is restarted, because the system clock
   would not run so accurately whilst the determination is taking place.
   
   To avoid this problem, chronyd allows the gain or loss rate to be
   stored in a file, which can be read back in when the program is
   restarted. This file is called the drift file, and might typically be
   stored in `/etc/chrony.drift'. By specifying an option like the
   following
   
driftfile /etc/chrony.drift

   in the configuration file (`/etc/chrony.conf'), the drift file
   facility will be activated.
   
                                Usage reference
                                       
Starting chronyd

   If chronyd has been installed to its default location
   `/usr/local/sbin/chronyd', starting it is simply a matter of entering
   the command
   
/usr/local/sbin/chronyd

   Information messages and warnings will be logged to syslog.
   
   The command line options supported are as follows:
   
   -d
          When run in this mode, the program will not detach itself from
          the terminal, and all messages will be sent to the terminal
          instead of to syslog.
   -f <conf-file>
          This option can be used to specify an alternate location for
          the configuration file (default `/etc/chrony.conf').
   -r
          This option will reload sample histories for each of the
          servers being used. These histories are created by using the
          dump command in chronyc, or by setting the dumponexit directive
          in the configuration file. This option is useful if you want to
          stop and restart chronyd briefly for any reason, e.g. to
          install a new version. However, it only makes sense on systems
          where the kernel can maintain clock compensation whilst not
          under chronyd's control. The only version where this happens so
          far is Linux. On systems where this is not the case, e.g.
          Solaris and SunOS the option should not be used.
   -s
          This option will set the system clock from the computer's
          real-time clock. This is analogous to supplying the `-s' flag
          to the `/sbin/clock' program during the Linux boot sequence.
          Support for real-time clocks is limited at present - the
          criteria are described in the section on the rtcfile directive
          (see section rtcfile). If chronyd cannot support the real time
          clock on your computer, this option cannot be used and a
          warning message will be logged to the syslog. If used in
          conjunction with the `-r' flag, chronyd will attempt to
          preserve the old samples after setting the system clock from
          the real time clock. This can be used to allow chronyd to
          perform long term averaging of the gain or loss rate across
          system reboots, and is useful for dial-up systems that are shut
          down when not in use. For this to work well, it relies on
          chronyd having been able to determine accurate statistics for
          the difference between the real time clock and system clock
          last time the computer was on.
   -v
          This option displays chronyd's version number to the terminal
          and exits.
          
   On systems that support an `/etc/rc.local' file for starting programs
   at boot time, chronyd can be started from there.
   
   On systems with a System V style initialisation (e.g. Solaris), a
   suitable start/stop script might be as shown below. This might be
   placed in the file `/etc/rc2.d/S83chrony'.
   
#!/bin/sh
# This file should have uid root, gid sys and chmod 744
#

killproc() {            # kill the named process(es)
        pid=`/usr/bin/ps -e |
             /usr/bin/grep -w $1 |
             /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
        [ "$pid" != "" ] && kill $pid
}

case "$1" in

'start')
   if [ -f /opt/free/sbin/chronyd -a -f /etc/chrony.conf ]; then
     /opt/free/sbin/chronyd
   fi
   ;;
'stop')
   killproc chronyd
   ;;
*)
   echo "Usage: /etc/rc2.d/S83chrony { start | stop }"
   ;;
esac

   (In both cases, you may want to bear in mind that chronyd can step the
   time when it starts. There may be other programs started at boot time
   that could be upset by this, so you may need to consider the ordering
   carefully. However, chronyd will need to start after daemons providing
   services that it may require, e.g. the domain name service.)
   
The chronyd configuration file

   The configuration file is normally called `/etc/chrony.conf'; in fact,
   this is the compiled-in default. However, other locations can be
   specified with a command line option.
   
   Each command in the configuration file is placed on a separate line.
   The following sections describe each of the commands in turn. The
   directives can occur in any order in the file.
   
  allow
  
   The allow command is used to designate a particular subnet from which
   NTP clients are allowed to access the computer as an NTP server.
   
   The default is that no clients are allowed access, i.e. chronyd
   operates purely as an NTP client. If the allow directive is used,
   chronyd will be both a client of its servers, and a server to other
   clients.
   
   Examples of use of the command are as follows:
   
allow foo.bar.com
allow 1.2
allow 3.4.5
allow

   The first command allows the named host to be an NTP client of this
   computer. The second command allows any host with an IP address of the
   form 1.2.x.y (with x and y arbitrary) to be an NTP client of this
   computer. Likewise, the third command allows any host with an IP
   address of the form 3.4.5.x to have client NTP access. The fourth form
   allows access by any node on the entire Internet.
   
   A second form of the directive, allow all, has a greater effect,
   depending on the ordering of directives in the configuration file. To
   illustrate the effect, consider the two examples
   
allow 1.2.3.4
deny 1.2.3
allow 1.2

   and
   
allow 1.2.3.4
deny 1.2.3
allow all 1.2

   In the first example, the effect is the same regardles of what order
   the three directives are given in. So the 1.2.x.y subnet is allowed
   access, except for the 1.2.3.x subnet, which is denied access, however
   the host 1.2.3.4 is allowed access.
   
   In the second example, the allow all 1.2 directives overrides the
   effect of _any_ previous directive relating to a subnet within the
   specified subnet. Within a configuration file this capability is
   probably rather moot; however, it is of greater use for
   reconfiguration at run-time via chronyc (see section allow all).
   
   Note, if the initstepslew directive (see section initstepslew) is used
   in the configuration file, each of the computers listed in that
   directive must allow client access by this computer for it to work.
   
  bindaddress
  
   The bindaddress allows you to restrict the network interface to which
   chronyd will listen for packets. This provides an additional level of
   access restriction above that available through the 'deny' mechanism.
   
   Suppose you have a local ethernet with addresses in the 192.168.1.0
   subnet together with a dial-up connection. The ethernet interface's IP
   address is 192.168.1.1. Suppose (for some reason) you want to block
   all access through the dialup connection (note, this will even block
   replies from servers on the dialup side, so you will not be able to
   synchronise to an external source). You could add the line
   
bindaddress 192.168.1.1

   to the configuration file.
   
   This directive affects both NTP (UDP port 123) packets _and_
   chronyc/chronyd command and monitoring packets (UDP port 323 by
   default).
   
  commandkey
  
   The commandkey command is used to set the key number used for
   authenticating user commands via the chronyc program at run time. This
   allows certain actions of the chronyc program to be restricted to
   administrators.
   
   An example of the commandkey command is
   
commandkey 20

   In the key file (see the keyfile command) there should be a line of
   the form
   
20 foobar

   When running the chronyc program to perform run-time configuration,
   the command
   
password foobar

   must be entered before any commands affecting the operation of the
   daemon can be entered.
   
  cmdport
  
   The cmdport directive allows the port that is used for run-time
   command and monitoring (via the program chronyc) to be altered from
   its default (323/udp).
   
   An example shows the syntax
   
cmdport 257

   This would make chronyd use 257/udp as its command port. (chronyc
   would need to be run with the -p 257 switch to inter-operate
   correctly).
   
  deny
  
   This is similar to the allow directive (see section allow), except
   that it denies NTP client access to a particular subnet or host,
   rather than allowing it.
   
   The syntax is identical.
   
   There is also a deny all directive with similar behaviour to the allow
   all directive.
   
  driftfile
  
   One of the main activities of the chronyd program is to work out the
   rate at which the system clock gains or loses time relative to real
   time.
   
   Whenever chronyd computes a new value of the gain/loss rate, it is
   desirable to record it somewhere. This allows chronyd to begin
   compensating the system clock at that rate whenever it is restarted,
   even before it has had a chance to obtain an equally good estimate of
   the rate during the new run. (This process may take many minutes, at
   least).
   
   The driftfile command allows a file to be specified into which chronyd
   can store the rate information. Two parameters are recorded in the
   file. The first is the rate at which the system clock gains or loses
   time, expressed in parts per million, with gains positive. Therefore,
   a value of 100.0 indicates that when the system clock has advanced by
   a second, it has gained 100 microseconds on reality (so the true time
   has only advanced by 999900 microseconds). The second is an estimate
   of the error bound around the first value in which the true rate
   actually lies.
   
   An example of the driftfile command is
   
driftfile /etc/chrony.drift

  dumpdir
  
   To compute the rate of gain or loss of time, chronyd has to store a
   measurement history for each of the time sources it uses.
   
   Certain systems (so far only Linux) have operating system support for
   setting the rate of gain or loss to compensate for known errors. (On
   other systems, chronyd must simulate such a capability by periodically
   slewing the system clock forwards or backwards by a suitable amount to
   compensate for the error built up since the previous slew).
   
   For such systems, it is possible to save the measurement history
   across restarts of chronyd (assuming no changes are made to the system
   clock behaviour whilst it is not running). If this capability is to be
   used (via the dumponexit command in the configuration file, or the
   dump command in chronyc), the dumpdir command should be used to define
   the directory where the measurement histories are saved.
   
   An example of the command is
   
dumpdir /var/log/chrony

   A source whose IP address is 1.2.3.4 would have its measurement
   history saved in the file `/var/log/chrony/1.2.3.4.dat'.
   
  dumponexit
  
   If this command is present, it indicates that chronyd should save the
   measurement history for each of its time sources recorded whenever the
   program exits. (See the dumpdir command above).
   
  initstepslew
  
   In normal operation, chronyd always slews the time when it needs to
   adjust the system clock. For example, to correct a system clock which
   is 1 second slow, chronyd slightly increases the amount by which the
   system clock is advanced on each clock interrupt, until the error is
   removed. (Actually, this is done by calling the adjtime() or similar
   system function which does it for us.) Note that at no time does time
   run backwards with this method.
   
   On most Unix systems it is not desirable to step the system clock,
   because many programs rely on time advancing monotonically forwards.
   
   When the chronyd daemon is initially started, it is possible that the
   system clock is considerably in error. Attempting to correct such an
   error by slewing may not be sensible, since it may take several hours
   to correct the error by this means.
   
   The purpose of the initstepslew directive is to allow chronyd to make
   a rapid measurement of the system clock error at boot time, and to
   correct the system clock by stepping before normal operation begins.
   Since this would normally be performed only at an appropriate point in
   the system boot sequence, no other software should be adversely
   affected by the step.
   
   If the correction required is less than a specified threshold, a slew
   is used instead. This makes it easier to restart chronyd whilst the
   system is in normal operation.
   
   The initstepslew directive takes a threshold and a list of NTP servers
   as arguments. A maximum of 8 will be used. Each of the servers is
   rapidly polled several times, and a majority voting mechanism used to
   find the most likely range of system clock error that is present. A
   step (or slew) is applied to the system clock to correct this error.
   chronyd then enters its normal operating mode (where only slews are
   used).
   
   An example of use of the command is
   
initstepslew 30 foo.bar.com baz.quz.com

   where 2 NTP servers are used to make the measurement. The 30 indicates
   that if the system's error is found to be 30 seconds or less, a slew
   will be used to correct it; if the error is above 30 seconds, a step
   will be used.
   
   The initstepslew directive can also be used in an isolated LAN
   environment, where the clocks are set manually. The most stable
   computer is chosen as the master, and the other computers are slaved
   to it. If each of the slaves is configured with the local option (see
   below), the master can be set up with an initstepslew directive which
   references some or all of the slaves. Then, if the master machine has
   to be rebooted, the slaves can be relied on to 'flywheel' the time for
   the master.
   
  keyfile
  
   This command is used to specify the location of the file containing
   ID/key pairs for the following 2 uses:
   
     * Authentication of NTP packets.
     * Authentication of administrator commands entered via chronyc.
       
   The format of the command is shown in the example below
   
keyfile /etc/chrony.keys

   The argument is simply the name of the file containing the ID/key
   pairs. The format of the file is shown below
   
10 tulip
11 hyacinth
20 crocus
25 iris
 ...

   Each line consists of an ID and a password. The ID can be any unsigned
   integer in the range 0 through 2**32-1. The password can be any string
   of characters not containing a space.
   
   For NTP use, the MD5 authentication scheme is always used. This must
   be borne in mind if chronyd is to inter-operate in authenticated mode
   with xntpd running on other computers.
   
   The ID for the chronyc authentication key is specified with the
   commandkey command (see earlier).
   
  local
  
   The local keyword is used to allow chronyd to appear synchronised to
   real time (from the viewpoint of clients polling it), even if it has
   no current synchronisation source.
   
   This option is normally used on computers in an isolated network,
   where several computers are required to synchronise to one other, this
   being the "master" which is kept vaguely in line with real time by
   manual input.
   
   An example of the command is
   
local stratum 10

   The value 10 may be substituted with other values in the range 1
   through 15. Stratum 1 indicates a computer that has a true real-time
   reference directly connected to it (e.g. GPS, atomic clock etc)
   &ndash; such computers are expected to be very close to real time.
   Stratum 2 computers are those which have a stratum 1 server; stratum 3
   computers have a stratum 2 server and so on.
   
   A large value of 10 indicates that the clock is so many hops away from
   a reference clock that its time is fairly unreliable. Put another way,
   if the computer ever has access to another computer which is
   ultimately synchronised to a reference clock, it will almost certainly
   be at a stratum less than 10. Therefore, the choice of a high value
   like 10 for the local command prevents the machine's own time from
   ever being confused with real time, were it ever to leak out to
   clients that have visibility of real servers.
   
  log
  
   The log command indicates that certain information is to be logged.
   
   measurements
          This option logs the raw NTP measurements and related
          information to a file called measurements.log.
   statistics
          This option logs information about the regression processing to
          a file called statistics.log.
   tracking
          This option logs changes to the estimate of the system's gain
          or loss rate, and any slews made, to a file called
          tracking.log.
   rtc
          This option logs information about the system's real-time
          clock.
          
   The files are written to the directory specified by the logdir
   command.
   
   An example of the command is
   
log measurements statistics tracking

    Measurements log file format
    
   An example line (which actually appears as a single line in the file)
   from the measurements log file is shown below.
   
22Jul98 05:40:50 158.152.1.76    N  8 1111 11 1111 10 10  1 \
   -4.966e-03  2.296e-01  1.577e-05  1.615e-01  7.446e-03

   The columns are as follows (the quantities in square brackets are the
   values from the example line above) :
   
    1. Date [22Jul98]
    2. Hour:Minute:Second [05:40:50]. Note that the date/time pair is
       expressed in UTC, not the local time zone.
    3. IP address of server/peer from which measurement comes
       [158.152.1.76]
    4. Leap status (N means normal, - means that the last minute of today
       has 61 seconds, + means that the last minute of the day has 59
       seconds, ? means the remote computer is not currently
       synchronised.) [N]
    5. Stratum of remote computer. [2]
    6. RFC1305 tests 1 through 4 (1=pass, 0=fail) [1111]
    7. Tests for maximum delay and maximum delay ratio, against user
       defined parameters (1=pass, 0=fail) [11]
    8. RFC1305 tests 5 through 8 (1=pass, 0=fail) [1111]
    9. Local poll [10]
   10. Remote poll [10]
   11. `Score' (an internal score within each polling level used to
       decide when to increase or decrease the polling level. This is
       adjusted based on changes to the variance of the measurements
       obtained from the source). [1]
   12. The estimated local clock error (`theta' in RFC1305). Positive
       indicates that the local clock is slow. [-4.966e-03].
   13. The peer delay (`delta' in RFC1305). [2.296e-01]
   14. The peer dispersion (`epsilon' in RFC1305). [1.577e-05]
   15. The root delay (`Delta' in RFC1305). [1.615e-01]
   16. The root dispersion (`E' in RFC1305). [7.446e-03]
       
   A banner is periodically written to the log file to indicate the
   meanings of the columns.
   
    Statistics log file format
    
   An example line (which actually appears as a single line in the file)
   from the measurements log file is shown below.
   
22Jul98 05:40:50 158.152.1.76     6.261e-03 -3.247e-03 \
     2.220e-03  1.874e-06  1.080e-06 7.8e-02  16   0   8

   The columns are as follows (the quantities in square brackets are the
   values from the example line above) :
   
    1. Date [22Jul98]
    2. Hour:Minute:Second [05:40:50]. Note that the date/time pair is
       expressed in UTC, not the local time zone.
    3. IP address of server/peer from which measurement comes
       [158.152.1.76]
    4. The estimated standard deviation of the measurements from the
       source (in seconds). [6.261e-03]
    5. The estimated offset of the source (in seconds, positive means the
       local clock is estimated to be fast, in this case). [-3.247e-03]
    6. The estimated standard deviation of the offset estimate (in
       seconds). [2.220e-03]
    7. The estimated rate at which the local clock is gaining or losing
       time relative to the source (in seconds per second, positive means
       the local clock is gaining). This is relative to the compensation
       currently being applied to the local clock, _not_ to the local
       clock without any compensation. [1.874e-06]
    8. The estimated error in the rate value (in seconds per second).
       [1.080e-06].
    9. The ration of |old_rate - new_rate| / old_rate_error. Large values
       indicate the statistics are not modelling the source very well.
       [7.8e-02]
   10. The number of measurements currently being used for the regression
       algorithm. [16]
   11. The new starting index (the oldest sample has index 0; this is the
       method used to prune old samples when it no longer looks like the
       measurements fit a linear model). [0, i.e. no samples discarded
       this time]
   12. The number of runs. The number of runs of regression residuals
       with the same sign is computed. If this is too small it indicates
       that the measurements are no longer represented well by a linear
       model and that some older samples need to be discarded. The number
       of runs for the data that is being retained is tabulated. Values
       of approximately half the number of samples are expected. [8]
       
   A banner is periodically written to the log file to indicate the
   meanings of the columns.
   
    Tracking log file format
    
   An example line (which actually appears as a single line in the file)
   from the measurements log file is shown below.
   
22Jul98 05:40:50 158.152.1.76     3    340.529      1.606  1.046e-03

   The columns are as follows (the quantities in square brackets are the
   values from the example line above) :
   
    1. Date [22Jul98]
    2. Hour:Minute:Second [05:40:50]. Note that the date/time pair is
       expressed in UTC, not the local time zone.
    3. The IP address of the server/peer to which the local system is
       synchronised. [158.152.1.76]
    4. The stratum of the local system. [3]
    5. The local system frequency (in ppm, positive means the local
       system runs fast of UTC). [340.529]
    6. The error bounds on the frequency (in ppm) [1.606]
    7. The estimated local offset at the epoch (which is rapidly
       corrected by slewing the local clock. (In seconds, positive
       indicates the local system is fast of UTC). [1.046e-3]
       
   A banner is periodically written to the log file to indicate the
   meanings of the columns.
   
    Real-time clock log file format
    
   An example line (which actually appears as a single line in the file)
   from the measurements log file is shown below.
   
22Jul98 05:40:50     -0.037360 1       -0.037434\
          -37.948  12   5  120

   The columns are as follows (the quantities in square brackets are the
   values from the example line above) :
   
    1. Date [22Jul98]
    2. Hour:Minute:Second [05:40:50]. Note that the date/time pair is
       expressed in UTC, not the local time zone.
    3. The measured offset between the system's real time clock and the
       system (gettimeofday()) time. In seconds, positive indicates that
       the RTC is fast of the system time. [-0.037360].
    4. Flag indicating whether the regression has produced valid
       coefficients. (1 for yes, 0 for no). [1]
    5. Offset at the current time predicted by the regression process. A
       large difference between this value and the measured offset tends
       to indicate that the measurement is an outlier with a serious
       measurement error. [-0.037434].
    6. The rate at which the RTC is losing or gaining time relative to
       the system clock. In ppm, with positive indicating that the RTC is
       gaining time. [-37.948]
    7. The number of measurements used in the regression. [12]
    8. The number of runs of regression residuals of the same sign. Low
       values indicate that a straight line is no longer a good model of
       the measured data and that older measurements should be discarded.
       [5]
    9. The measurement interval used prior to the measurement being made
       (in seconds). [120]
       
   A banner is periodically written to the log file to indicate the
   meanings of the columns.
   
  logchange
  
   This directive forces chronyd to send a message to syslog if it makes
   a system clock adjustment larger than a threshold value. An example of
   use is
   
logchange 0.5

   which would cause a syslog message to be generated a system clock
   error of over 0.5 seconds starts to be compensated.
   
   Clock errors detected either via NTP packets or via timestamps entered
   via the settime command of chronyc are logged.
   
   This directive assumes that syslog messages are appearing where
   somebody can see them. This allows that person to see if a large error
   has arisen, e.g. because of a fault, or because of faulty timezone
   handling, for example when summer time (daylight saving) starts or
   ends.
   
  logdir
  
   This directive allows the directory where log files are written to be
   specified.
   
   An example of the use of this directive is
   
logdir /var/log/chrony

  mailonchange
  
   This directive defines an email address to which mail should be sent
   if chronyd applies a correction exceeding a particular threshold to
   the system clock.
   
   An example of use of this directive is
   
mailonchange root@localhost 0.5

   This would send a mail message to root if a change of more than 0.5
   seconds were applied to the system clock.
   
  manual
  
   The manual directive enables support at run-time for the settime
   command in chronyc (see section settime). If no manual directive is
   included, any attempt to use the settime command in chronyc will be
   met with an error message.
   
   Note that the settime command can be enabled at run-time using the
   manual command in chronyc (see section manual). (The idea of the two
   commands is that the manual command controls the manual clock driver's
   behaviour, whereas the settime command allows samples of manually
   entered time to be provided).
   
  maxupdateskew
  
   One of chronyd's tasks is to work out how fast or slow the computer's
   clock runs relative to its reference sources. In addition, it computes
   an estimate of the error bounds around the estimated value.
   
   If the range of error is too large, it probably indicates that the
   measurements have not settled down yet, and that the estimated gain or
   loss rate is not very reliable.
   
   The maxupdateskew parameter allows the threshold for determining
   whether an estimate may be so unreliable that it should not be used.
   
   The syntax is
   
maxupdateskew <skew-in-ppm>

   Typical values for <skew-in-ppm> might be 100 for a dial-up connection
   to servers over a phone line, and 5 or 10 for a computer on a LAN.
   
   It should be noted that this is not the only means of protection
   against using unreliable estimates. At all times, chronyd keeps track
   of both the estimated gain or loss rate, and the error bound on the
   estimate. When a new estimate is generated following another
   measurement from one of the sources, a weighted combination algorithm
   is used to update the master estimate. So if chronyd has an existing
   highly-reliable master estimate and a new estimate is generated which
   has large error bounds, the existing master estimate will dominate in
   the new master estimate.
   
  noclientlog
  
   This directive, which takes no arguments, specifies that client
   accesses are not to be logged. Normally they are logged, allowing
   statistics to be reported using the clients command in chronyc.
   
  peer
  
   The syntax of this directive is identical to that for the server
   directive (see section server), except that it is used to specify an
   NTP peer rather than an NTP server.
   
  port
  
   This option allows you to configure the port used for the NTP service
   on your machine.
   
   The compiled in default is udp/123, the standard NTP port. It is
   unlikely that you would ever need to change this value. A possible
   exception would be if you wanted to operate strictly in client-only
   mode and never be available as a server to xntpd clients.
   
   An example of the port command is
   
port 11123

   This would change the NTP port served by chronyd on the computer to
   udp/11123.
   
  rtcfile
  
   The rtcfile directive defines the name of the file in which chronyd
   can save parameters associated with tracking the accuracy of the
   system's real-time clock (RTC).
   
   The syntax is illustrated in the following example
   
rtcfile /etc/chrony.rtc

   chronyd saves information in this file when it exits and when the
   writertc command is issued in chronyc. The information saved is the
   RTC's error at some epoch, that epoch (in seconds since January 1
   1970), and the rate at which the RTC gains or loses time.
   
   So far, the support for real-time clocks is limited - their code is
   even more system-specific than the rest of the software. You can only
   use the real time clock facilities (the rtcfile directive and the -s
   command line option to chronyd) if the following three conditions
   apply:
   
    1. You are running Linux v2.0.x with x>=32.
    2. You have compiled the kernel with extended real-time clock support
       (i.e. the `/dev/rtc' device is capable of doing useful things).
    3. You don't have other applications that need to make use of
       `/dev/rtc' at all.
       
  rtconutc
  
   chronyd assumes by default that the real time clock (RTC) keeps local
   time (including any daylight saving changes). This is convenient on
   PCs running Linux which are dual-booted with DOS or Windows.
   
   NOTE : IF YOU KEEP THE REAL TIME CLOCK ON LOCAL TIME AND YOUR COMPUTER
   IS OFF WHEN DAYLIGHT SAVING (SUMMER TIME) STARTS OR ENDS, THE
   COMPUTER'S SYSTEM TIME WILL BE ONE HOUR IN ERROR WHEN YOU NEXT BOOT
   AND START CHRONYD.
   
   An alternative is for the RTC to keep Universal Coordinated Time
   (UTC). This does not suffer from the 1 hour problem when daylight
   saving starts or ends.
   
   If the rtconutc directive appears, it means the RTC is required to
   keep UTC. The directive takes no arguments. It is equivalent to
   specifying the -u switch to the Linux `/sbin/clock' program.
   
  server
  
   The server directive allows NTP servers to be specified. The
   client/server relationship is strictly hierarchical : a client may
   synchronise its system time to that of the server, but the server's
   system time will never be influenced by that of a client.
   
   The server directive is immediately followed by either the name of the
   server, or its IP address in dotted-quad notation. The server command
   also supports a number of subfields (which may be defined in any
   order):
   
   port
          This option allows the UDP port on which the server understands
          NTP requests to be specified. For normal servers this option
          should not be required (the default is 123, the standard NTP
          port).
   minpoll
          Although chronyd will trim the rate at which it samples the
          server during normal operation, the user may wish to constrain
          the minimum polling interval. This is always defined as a power
          of 2, so <tt/minpoll 5/ would mean that the polling interval
          cannot drop below 32 seconds. The default is 6 (64 seconds).
   maxpoll
          In a similar way, the user may wish to constrain the maximum
          polling interval. Again this is specified as a power of 2, so
          <tt/maxpoll 9/ indicates that the polling interval must stay at
          or below 512 seconds. The default is 10 (1024 seconds).
   maxdelay
          chronyd uses the network round-trip delay to the server to
          determine how accurate a particular measurement is likely to
          be. Long round-trip delays indicate that the request, or the
          response, or both were delayed. If only one of the messages was
          delayed the measurement error is likely to be substantial. For
          small variations in round trip delay, chronyd uses a weighting
          scheme when processing the measurements. However, beyond a
          certain level of delay the measurements are likely to be so
          corrupted as to be useless. (This is particularly so on dial-up
          or other slow links, where a long delay probably indicates a
          highly asymmetric delay caused by the response waiting behind a
          lot of packets related to a download of some sort). If the user
          knows that round trip delays above a certain level should cause
          the measurement to be ignored, this level can be defined with
          the maxdelay command. For example, <tt/maxdelay 0.3/ would
          indicate that measurements with a round-trip delay of 0.3
          seconds or more should be ignored.
   maxdelayratio
          This option is similar to the maxdelay option above. chronyd
          keeps a record of the minimum round-trip delay amongst the
          previous measurements that it has buffered. If a measurement
          has a round trip delay that is greater than the maxdelayratio
          times the minimum delay, it will be rejected.
   presend
          If the timing measurements being made by chronyd are the only
          network data passing between two computers, you may find that
          some measurements are badly skewed due to either the client or
          the server having to do an ARP lookup on the other party prior
          to transmitting a packet. This is more of a problem with long
          sampling intervals, which may be similar in duration to the
          lifetime of entries in the ARP caches of the machines. In order
          to avoid this problem, the presend option may be used. It takes
          a single integer argument, which is the smallest polling
          interval for which a pair of packets will be exchanged between
          the client and the server prior to the actual measurement being
          initiated by the client. For example, with the following option
          included in a server directive :

presend 9
   when the polling interval is 512 seconds or more, a UDP echo datagram
          will be sent to the server a short time (currently 4 seconds)
          before the NTP client mode datagram.
   key
          The NTP protocol supports the inclusion of checksums in the
          packets, to prevent computers having their system time upset by
          rogue packets being sent to them. The checksums are generated
          as a function of a password, using the MD5 algorithm. The
          association between key numbers and passwords is contained in
          the keys file, defined by the keyfile command. If the key
          option is present, chronyd will attempt to use authenticated
          packets when communicating with this server. The key number
          used will be the single argument to the key option. The server
          must have the same password for this key number configured,
          otherwise no relationship between the computers will be
          possible.
   offline
          If the server will not be reachable when chronyd is started,
          the offline option may be specified. chronyd will not try to
          poll the server until it is enabled to do so (by using the
          online option of chronyc).
          
Running chronyc

   Chronyc is the program that can be used to reconfigure options within
   the chronyd program whilst it is running. Chronyc can also be used to
   generate status reports about the operation of chronyd.
   
  Basic use
  
   The program chronyc is run by entering
   
chronyc

   at the command line. The prompt chronyc is displayed whilst chronyc is
   expecting input from the user, when it is being run from a terminal.
   If chronyc's input or output are redirected from/to a file, the prompt
   is ow shown.
   
   When you are finished entering commands, the commands exit or quit
   will terminate the program. (Entering Control-D will also terminate
   the program.)
   
  Command line options
  
   Chronyc supports the following command line options.
   
   -v
          Displays the version number of chronyc on the terminal, and
          exists.
   -h <host>
          This option allows the user to specify which host running the
          chronyd program is to be contacted. This allows for remote
          configuration, without having to telnet or rlogin to the other
          host first. The default is to contact chronyd running on the
          same host as that where chronyc is being run.
   -p <port>
          This option allows the user to specify the UDP port number
          which the target chronyd is using for its command & monitoring
          connections. This defaults to the compiled-in default; there
          would rarely be a need to change this.
          
  Security with chronyc
  
   Many of the commands available through chronyc have a fair amount of
   power to reconfigure the run-time behaviour of chronyd. Consequently,
   chronyc is quite dangerous for the integrity of the target system's
   clock performance. Having access to chronyd via chronyc is more or
   less equivalent to being able to modify chronyd's configuration file
   (typically `/etc/chrony.conf') and to restart chronyd.
   
   Chronyc also provides a number of monitoring (as opposed to
   commanding) commands, which will not affect the behaviour of chronyd.
   However, you may still want to restrict access to these commands.
   
   In view of this, access to some of the capabilities of chronyc will
   usually be tightly controlled. There are two mechanisms supported:
   
    1. The set of hosts from which chronyd will accept commands can be
       restricted. By default, commands will only be accepted from the
       same host that chronyd is running on.
    2. Any command that actually reconfigures some aspect of chronyd's
       behaviour requires the user of chronyc to know a password. This
       password is specified in chronyd's keys file (see section keyfile)
       and specified via the commandkey option in its configuration file
       (see section commandkey).
       
   Only the following commands can be used _without_ providing a
   password:
   
     * exit
     * help
     * password
     * quit
     * rtcdata
     * sources
     * sourcestats
     * tracking
       
   All other commands require a password to have been specified
   previously, because they affect chronyd's operation.
   
  Command reference
  
   This section describes each of the commands available within the
   chronyc program. Chronyc offers the user a simple command-line driven
   interface.
   
    accheck
    
   This command allows you to check whether client NTP access is allowed
   from a particular host.
   
   Examples of use, showing a named host and a numeric IP address, are as
   follows:
   
accheck a.b.c
accheck 1.2.3.4

   This command can be used to examine the effect of a series of allow,
   allow all, deny and deny all commands specified either via chronyc, or
   in chronyd's configuration file.
   
    add peer
    
   The add peer command allows a new NTP peer to be added whilst chronyd
   is running.
   
   Following the words add peer, the syntax of the following parameters
   and options is identical to that for the peer directive in the
   configuration file (see section peer).
   
   An example of using this command is shown below.
   
add peer foo.bar.com minpoll 6 maxpoll 10 authkey 25

    add server
    
   The add server command allows a new NTP server to be added whilst
   chronyd is running.
   
   Following the words add server, the syntax of the following parameters
   and options is identical to that for the server directive in the
   configuration file (see section server).
   
   An example of using this command is shown below.
   
add server foo.bar.com minpoll 6 maxpoll 10 authkey 25

    allow
    
   The effect of the allow command is identical to the allow directive in
   the configuration file (see section allow).
   
   The syntax is illustrated in the following examples:
   
allow foo.bar.com
allow 1.2
allow 3.4.5

    allow all
    
   The effect of the allow command is identical to the allow all
   directive in the configuration file (see section allow).
   
    burst
    
   The burst command tells chronyd to make a set of measurements to each
   of its sources over a short duration (rather than the usual periodic
   measurements that it makes). After such a burst, chronyd will revert
   to the previous state for each source. This might be either online, if
   the source was being periodically measured in the normal way, or
   offline, if the source had been indicated as being offline. (Switching
   a source between the online and offline states is described in section
   online, section offline).
   
   The syntax of the burst command is as follows
   
burst <n-good-measurements>/<max-measurements> [<mask>/<masked-address>]

   The mask and masked-address arguments are optional, in which case
   chronyd will initiate a burst for all of its currently defined
   sources.
   
   The arguments have the following meaning and format.
   
   n-good-measurements
          This defines the number of good measurements that chronyd will
          want to obtain from each source. A measurement is good if it
          passes certain tests, for example, the round trip time to the
          source must be acceptable. (This allows chronyd to reject
          measurements that are likely to be bogus.)
   max-measurements
          This defines the maximum number of measurements that chronyd
          will attempt to make, even if the required number of good
          measurements has not been obtained.
   mask
          This is a dotted quad argument (e.g. 255.255.255.0) with which
          the IP address of each of chronyd's sources is to be masked.
   masked-address
          This is a dotted quad argument (e.g. 1.2.3.0). If the masked IP
          address of a source matches this value then the burst command
          is applied to that source.
          
   If no mask or masked address arguments are provided, the default is
   0.0.0.0 and 0.0.0.0 respectively, which will match every source.
   
   An example of the two-argument form of the command is
   
burst 2/10

   This will cause chronyd to attempt to get two good measurements from
   each source, stopping after two have been obtained, but in no event
   will it try more than ten probes to the source.
   
   An example of the four-argument form of the command is
   
burst 2/10 255.255.0.0/1.2.0.0

   In this case, the two out of ten sampling will only be applied to
   sources whose IP addresses are of the form 1.2.x.y, where x and y are
   arbitrary.
   
    clients
    
   This command shows a list of all clients that have accessed the
   server, through either the NTP or command/monitoring ports. There are
   no arguments.
   
   An example of the output is
   
   Hostname Client Peer CmdAuth CmdNorm CmdBad LstN LstC
   ========================= ====== ====== ====== ====== ====== ==== ====
   localhost 0 0 15 1 0 29y 0 aardvark.xxx 4 0 0 0 0 49 29y badger.xxx 4
   0 0 0 0 6 29y
   
   Each row shows the data for a single host. Only hosts that have passed
   the host access checks (set with the allow, deny, cmdallow and cmddeny
   commands or configuration file directives) are logged.
   
   The columns are as follows:
   
    1. The hostname of the client
    2. The number of times the client has accessed the server using an
       NTP client mode packet.
    3. The number of times the client has accessed the server using an
       NTP symmetric active mode packet.
    4. The number of authenticated command packets that have been
       processed from the client (i.e. those following a successful
       password command).
    5. The number of unauthenticated command packets that have been
       processed from the client.
    6. The number of bad command packets received from the client (not
       all forms of bad packet are logged).
    7. Time since the last NTP packet was received
    8. Time since the last command packet was received
       
   The last two entries will be shown as the time since 1970 if no packet
   of that type has ever been received.
   
    cmdaccheck
    
   This command is similar to the accheck command, except that it is used
   to check whether command access is permitted from a named host.
   
   Examples of use are as follows:
   
cmdaccheck a.b.c
cmdaccheck 1.2.3.4

    cmdallow
    
   This is similar to the allow command, except that it is used to allow
   particular hosts or subnets to use the chronyc program to interact
   with chronyd on the current host.
   
    cmdallow all
    
   This is similar to the allow all command, except that it is used to
   allow particular hosts or subnets to use the chronyc program to
   interact with chronyd on the current host.
   
    cmddeny
    
   This is similar to the deny command, except that it is used to allow
   particular hosts or subnets to use the chronyc program to interact
   with chronyd on the current host.
   
    cmddeny all
    
   This is similar to the deny all command, except that it is used to
   allow particular hosts or subnets to use the chronyc program to
   interact with chronyd on the current host.
   
    cyclelogs
    
   The cyclelogs command causes all of chronyd's open log files to be
   closed and re-opened. This allows them to be renamed so that they can
   be periodically purged. An example of how to do this is shown below.
   
% mv /var/log/chrony/measurements.log /var/log/chrony/measurements1.log
% chronyc
chronyc> password aardvark
200 OK
chronyc> cyclelogs
200 OK
chronyc> exit
% ls -l /var/log/chrony
-rw-r--r--   1 root     root            0 Jun  8 18:17 measurements.log
-rw-r--r--   1 root     root        12345 Jun  8 18:17 measurements1.log

    delete
    
   The delete command allows an NTP server or peer to be removed from the
   current set of sources.
   
   The syntax is illustrated in the examples below.
   
delete foo.bar.com
delete 1.2.3.4

   There is one parameter, the name or IP address of the server or peer
   to be deleted.
   
    deny
    
   The effect of the allow command is identical to the deny directive in
   the configuration file (see section deny).
   
   The syntax is illustrated in the following examples:
   
deny foo.bar.com
deny 1.2
deny 3.4.5

    deny all
    
   The effect of the allow command is identical to the deny all directive
   in the configuration file (see section deny).
   
    dump
    
   The dump command causes chronyd to write its current history of
   measurements for each of its sources to dump files, either for
   inspection or to support the -r option when chronyd is restarted.
   
   The dump command is somewhat equivalent to the dumponexit directive in
   the chrony configuration file. See section dumponexit.
   
   To use the dump, you probably want to configure the name of the
   directory into which the dump files will be written. This can only be
   done in the configuration file, see section dumpdir.
   
    exit
    
   The exit command exits from chronyc and returns the user to the shell
   (same as the quit command).
   
    help
    
   The help command displays a summary of the commands and their
   arguments.
   
    local
    
   The local command allows chronyd to be told that it is to appear as a
   reference source, even if it is not itself properly synchronised to an
   external source. (This can be used on isolated networks, to allow one
   computer to be a master time server with the other computers slaving
   to it.) The local command is somewhat equivalent to the local
   directive in the configuration file, see section local.
   
   The syntax is as shown in the following examples.
   
local stratum 10
local off

   The first example enables the local reference mode on the host, and
   sets the stratum at which it should claim to be synchronised.
   
   The second example disables the local reference mode.
   
    makestep
    
   Normally chronyd will cause the system to gradually correct any time
   offset, by slowing down or speeding up the clock as required. In
   certain situations, the system clock may be so far adrift that this
   slewing process would take a very long time to correct the system
   clock.
   
   The makestep command can be used in this situation. It cancels any
   remaining correction that was being slewed, and jumps the system clock
   by the equivalent amount, making it correct immediately.
   
   BE WARNED - certain software will be seriously affected by such jumps
   to the system time. (That is the reason why chronyd uses slewing
   normally.)
   
   The makestep command is currently only available on the Linux version
   of chrony.
   
    manual
    
   The manual command enables and disables use of the settime command
   (see section settime), and is used to modify the behaviour of the
   manual clock driver.
   
   Examples of the command are shown below.
   
manual on
manual off
manual delete 1
manual list
manual reset

   The on form of the command enables use of the settime command.
   
   The off form of the command disables use of the settime command.
   
   The list form of the command lists all the samples currently stored in
   chronyd. The output is illustrated below.
   
210 n_samples = 1
#    Date  Time(UTC)    Slewed   Original   Residual
====================================================
 0 27Jan99 22:09:20       0.00       0.97       0.00

   The columns as as follows :
   
    1. The sample index (used for the manual delete command)
    2. The date and time of the sample
    3. The system clock error when the timestamp was entered, adjusted to
       allow for changes made to the system clock since.
    4. The system clock error when the timestamp was entered, as it
       originally was (without allowing for changes to the system clock
       since).
    5. The regression residual at this point, in seconds. This allows
       'outliers' to be easily spotted, so that they can be deleted using
       the manual delete command.
       
   The delete form of the command deletes a single sample. The parameter
   is the index of the sample, as shown in the first column of the output
   from manual list. Following deletion of the data point, the current
   error and drift rate are re-estimated from the remaining data points
   and the system clock trimmed if necessary. This option is intended to
   allow 'outliers' to be discarded, i.e. samples where the administrator
   realises he/she has entered a very poor timestamp.
   
   The reset form of the command deletes all samples at once. The system
   clock is left running as it was before the command was entered.
   
    maxdelay
    
   This allows the maxdelay option for one of the sources to be modified,
   in the same way as specifying the maxdelay option for the server
   directive in the configuration file (see section server).
   
   The following examples illustrate the syntax
   
maxdelay foo.bar.com 0.3
maxdelay 1.2.3.4 0.0015

   The first example sets the maximum network delay allowed for a
   measurement to the host foo.bar.com to 0.3 seconds. The second example
   sets the maximum network delay for a measurement to the host with IP
   address 1.2.3.4 to 1.5 milliseconds.
   
   (Any measurement whose network delay exceeds the specified value is
   discarded.)
   
    maxdelayratio
    
   This allows the maxdelayratio option for one of the sources to be
   modified, in the same way as specifying the maxdelayratio option for
   the server directive in the configuration file (see section server).
   
   The following examples illustrate the syntax
   
maxdelayratio foo.bar.com 1.5
maxdelayratio 1.2.3.4 2.0

   The first example sets the maximum network delay for a measurement to
   the host foo.bar.com to be 1.5 times the minimum delay found amongst
   the previous measurements that have been retained. The second example
   sets the maximum network delay for a measurement to the host with IP
   address 1.2.3.4 to be double the retained minimum.
   
   As for maxdelay, any measurement whose network delay is too large will
   be discarded.
   
    maxpoll
    
   The maxpoll command is used to modify the minimum polling interval for
   one of the current set of sources. It is equivalent to the maxpoll
   option in the server directive in the configuration file (see section
   server).
   
   The syntax is as follows
   
maxpoll <host> <new-maxpoll>

   where the host can be specified as either a machine name or
   dotted-quad IP address. The new minimum poll is specified as a base-2
   logarithm of the number of seconds between polls (e.g. specify 6 for
   64 second sampling).
   
   An example is
   
maxpoll foo.bar.com 10

   which sets the maximum polling interval for the host foo.bar.com to
   1024 seconds.
   
   Note that the new maximum polling interval only takes effect after the
   next measurement has been made.
   
    maxupdateskew
    
   This command has the same effect as the maxupdateskew directive in the
   configuration file, see section maxupdateskew.
   
    minpoll
    
   The minpoll command is used to modify the minimum polling interval for
   one of the current set of sources. It is equivalent to the minpoll
   option in the server directive in the configuration file (see section
   server).
   
   The syntax is as follows
   
minpoll <host> <new-minpoll>

   where the host can be specified as either a machine name or
   dotted-quad IP address. The new minimum poll is specified as a base-2
   logarithm of the number of seconds between polls (e.g. specify 6 for
   64 second sampling).
   
   An example is
   
minpoll foo.bar.com 5

   which sets the minimum polling interval for the host foo.bar.com to 32
   seconds.
   
   Note that the new minimum polling interval only takes effect after the
   next measurement has been made.
   
    offline
    
   The offline command is used to warn chronyd that the network
   connection to a particular host or hosts is about to be lost. It
   should be used on computers with a dial-up or similar connection to
   their time sources, to warn chronyd that the connection is about to be
   broken.
   
   An example of how to use offline in this case is shown in section How
   to tell chronyd when the internet link is available..
   
   Another case where offline could be used is where a computer serves
   time to a local group of computers, and has a permanant connection to
   true time servers outside the organisation. However, the external
   connection is heavily loaded at certain times of the day and the
   measurements obtained are less reliable at those times. In this case,
   it is probably most useful to determine the gain/loss rate during the
   quiet periods and let the whole network coast through the loaded
   periods. The offline and online commands can be used to achieve this.
   The situation is shown in the figure below.
   
          +----------+
          |Ext source|
          +----------+
              |
              |
              |/| <-- Link with variable
                |     reliability
                |
      +-------------------+
      |Local master server|
      +-------------------+
                |
  +---+---+-----+-----+----+----+
  |   |   |     |     |    |    |
           Local clients

   If the source to which chronyd is currently synchronised is indicated
   offline in this way, chronyd will continue to treat it as the
   synchronisation source. If the network connection were broken without
   the offline command being used, chronyd would assume that the source
   had failed and would attempt to pick another synchronisation source.
   
   There are two forms of the offline command. The first form is a
   wildcard, meaning all sources. The second form allows a IP address
   mask and a masked address to be specified. These forms are illustrated
   below.
   
offline
offline 255.255.255.0/1.2.3.0

   The second form means that the offline command is to be applied to any
   source whose IP address is in the 1.2.3 subnet. (The host's address is
   logically and-ed with the mask, and if the result matches the
   masked-address the host is processed).
   
   The wildcard form of the address is actually equivalent to
   
offline 0.0.0.0/0.0.0.0

    online
    
   The online command is opposite in function to the offline command. It
   is used to advise chronyd that network connectivity to a particular
   source or sources has been restored.
   
   The syntax is identical to that of the offline command, see section
   offline.
   
    password
    
   The password command is used to allow chronyc to send privileged
   commands to chronyd. The password can either be entered on the command
   line, or can be entered without echoing. The syntax for entering the
   password on the command line is as follows
   
password xyzzy

   To enter the password without it being echoed, enter
   
password

   The computer will respond with a `Password:' prompt, at which you
   should enter the password and press return. (Note that the no-echo
   mode is limited to 8 characters on SunOS 4.1 due to limitations in the
   system library. Other systems do not have this restriction.)
   
   The password is any string of characters not containing whitespace. It
   has to match chronyd's currently defined command key (see section
   commandkey).
   
    quit
    
   The quit command exits from chronyc and returns the user to the shell
   (same as the exit command).
   
    rtcdata
    
   The rtcdata command displays the current real time clock RTC
   parameters.
   
   An example output is shown below.
   
RTC ref time (GMT) : Sat May 30 07:25:56 1998
Number of samples  : 10
Number of runs     : 5
Sample span period :  549
RTC is fast by     :    -1.632736 seconds
RTC gains time at  :  -107.623 ppm

   The fields have the following meaning
   
   RTC ref time (GMT)
          This is the RTC reading the last time its error was measured.
   Number of samples
          This is the number of previous measurements being used to
          determine the RTC gain/loss rate.
   Number of runs
          This is the number of runs of residuals of the same sign
          following the regression fit for (RTC error) versus (RTC time).
          A value which is small indicates that the measurements are not
          well approximated by a linear model, and that the algorithm
          will tend to delete the older measurements to improve the fit.
   Sample span period
          This is the period that the measurements span (from the oldest
          to the newest). Without a unit the value is in seconds;
          suffixes `m' for minutes, `h' for hours, `d' for days or `y'
          for years may be used.
   RTC is fast by
          This is the estimate of how many seconds fast the RTC when it
          thought the time was at the reference time (above). If this
          value is large, you may (or may not) want to use the trimrtc
          command to bring the RTC into line with the system clock.
          (Note, a large error will not affect chronyd's operation,
          unless it becomes so big as to start causing rounding errors.
   RTC gains time at
          This is the amount of time gained (positive) or lost (negative)
          by the real time clock for each second that it ticks. It is
          measured in parts per million. So if the value shown was +1,
          suppose the RTC was exactly right when it crosses a particular
          second boundary. Then it would be 1 microsecond fast when it
          crosses its next second boundary.
          
    settime
    
   The settime command allows the current time to be entered manually, if
   this option has been configured into chronyd. (It may be configured
   either with the manual directive in the configuration file (see
   section manual), or with the manual command of chronyc (see section
   manual).
   
   It should be noted that the computer's sense of time will only be as
   accurate as the reference you use for providing this input (e.g. your
   watch), as well as how well you can time the press of the return key.
   When inputting time to an isolated network, I have a battery operated
   alarm clock that is synchronised to the Rugby MSF time signal in the
   UK.
   
   Providing your computer's time zone is set up properly, you will be
   able to enter a local time (rather than UTC).
   
   The response to a successful settime command indicates the amount that
   the computer's clock was wrong. It should be apparent from this if you
   have entered the time wrongly, e.g. with the wrong time zone.
   
   The rate of drift of the system clock is estimated by a regression
   process using the entered measurement and all previous measurements
   entered during the present run of chronyd. However, the entered
   measurement is used for adjusting the current clock offset (rather
   than the estimated intercept from the regression, which is ignored).
   Contrast what happens with the manual delete command, where the
   intercept is used to set the current offset (since there is no
   measurement that has just been typed in in that case).
   
   The time is parsed by the public domain `getdate' algorithm.
   Consequently, you can only specify time to the nearest second.
   
   Examples of inputs that are valid are shown below.
   
settime 16:30
settime 16:30:05
settime Nov 21, 1997 16:30:05

   For a full description of getdate, get hold of the getdate
   documentation (bundled, for example, with the source for GNU tar).
   
    sources
    
   This command displays information about the current time sources that
   chronyd is accessing. It takes no arguments.
   
210 Number of sources = 3
MS Name/IP address      Str  Poll LastRx        Last sample
===================================================================
^+ a.b.c                  3    6   47m  -9491us[-6983us] +/-  159ms
^+ d.e.f                  3    6   47m    +32ms[  +35ms] +/-  274ms
^* g.h.i                  2    6   47m  +8839us[  +11ms] +/-  214ms

   The columns are as follows:
   
   M
          This indicates the mode of the source. ^ means a server, =
          means a peer and # indicates a locally connected reference
          clock(1).
   S
          This column indicates the state of the sources. * indicates the
          source to which chronyd is current synchronised. + indicates
          other acceptable sources. ? indicates sources to which
          connectivity has been lost. x indicates a clock which chronyd
          thinks is is a falseticker (i.e. its time is inconsistent with
          a majority of other sources). ~ indicates a source whose time
          appears to have too much variability. The ~ condition is also
          shown at start-up, until at least 3 samples have been gathered
          from it.
   IP address
          This shows the name or the IP address of the source.
   Str
          This shows the stratum of the source, as reported in its most
          recently received sample. Stratum 1 indicates a computer with a
          locally attached reference clock. A computer that is
          synchronised to a stratum 1 computer is at stratum 2. A
          computer that is synchronised to a stratum 2 computer is at
          stratum 3, and so on.
   Poll
          This shows the rate at which the source is being polled, as a
          base-2 logarithm of the interval in seconds. Thus, a value of 6
          would indicate that a measurement is being made every 64
          seconds. chronyd automatically varies the polling rate in
          response to prevailing conditions.
   LastRx
          This column shows how long ago the last sample was received
          from the source. This is normally in seconds. The letters m, h,
          d or y indicate minutes, hours, days or years.
   Last sample
          This column shows the offset between the local clock and the
          source at the last measurement. The number in the square
          brackets shows the actual measured offset. This may be suffixed
          by us (indicating microseconds), ms (indicating milliseconds),
          or s (indicating seconds). The number to the left of the square
          brackets shows the original measurement, adjusted to allow for
          any slews applied to the local clock since. The number
          following the +/- indicator shows the margin of error in the
          measurement. Positive offsets indicate that the local clock is
          fast of the source.
          
    sourcestats
    
   The sourcestats command displays information about the drift rate and
   offset estimatation process for each of the sources currently being
   examined by chronyd.
   
   An example report is
   
210 Number of sources = 1
Name/IP          NP   NR  Span       Freq      Skew      S.D./us
================================================================
abc.def.ghi      11    5   46m      -0.001       0.045        25

   The columns are as follows
   
   Name/IP
          This is the name or dotted-quad IP address of the NTP server
          (or peer) to which the rest of the line relates.
   NP
          This is the number of sample points currently being retained
          for the server. The drift rate and current offset are estimated
          by performing a linear regression through these points.
   NR
          This is the number of runs of residuals having the same sign
          following the last regression. If this number starts to become
          too small relative to the number of samples, it indicates that
          a straight line is no longer a good fit to the data. If the
          number of runs is too low, chronyd discards older samples and
          re-runs the regression until the number of runs becomes
          acceptable.
   Span
          This is the interval between the oldest and newest samples. If
          no unit is shown the value is in seconds. In the example, the
          interval is 46 minutes.
   Freq
          This is the estimated residual frequency for the server, in
          parts per million. In this case, the computer's clock is
          estimated to be running 1 part in 10**9 slow relative to the
          server.
   Skew
          This is the estimated error bounds on Freq (again in parts per
          million).
   Var/us
          This is the estimated sample variance in microseconds.
          
    tracking
    
   The tracking command displays parameters about the system's clock
   performance. An example of the output is shown below.
   
Reference ID    : 1.2.3.4 (a.b.c)
Stratum         : 3
Ref time (UTC)  : Sun May 17 06:13:11 1998
System time     : 0.000000 seconds fast of NTP time
Frequency       : 331.898 ppm fast
Residual freq   : 0.004 ppm
Skew            : 0.154 ppm
Root delay      : 0.373169 seconds
Root dispersion : 0.024780 seconds

   The fields are explained as follows.
   
   Reference ID
          This is the IP address, and name if available, of the server to
          which the computer is currently synchronised. If this is
          127.127.1.1 it means the computer is not synchronised to any
          external source and that you have the `local' mode operating
          (via the local command in chronyc (see section local), or the
          local directive in the `/etc/chrony.conf' file (see section
          local)).
   Stratum
          The stratum indicates how many hops away from a computer with
          an attached reference clock we are. Such a computer is a
          stratum-1 computer, so the computer in the example is two hops
          away (i.e. a.b.c is a stratum-2 and is synchronised from a
          stratum-1).
   Ref time
          This is the time (GMT) at which the last measurement from the
          reference source was processed.
   System time
          In normal operation, chronyd _never_ steps the system clock,
          because any jump in the timescale can have adverse consequences
          for certain application programs. Instead, any error in the
          system clock is corrected by slightly speeding up or slowing
          down the system clock until the error has been removed, and
          then returning to the system clock's normal speed. A
          consequence of this is that there will be a period when the
          system clock (as read by other programs using the
          gettimeofday() system call, or by the date command in the
          shell) will be different from chronyd's estimate of the current
          true time (which it reports to NTP clients when it is operating
          in server mode). The value reported on this line is the
          difference due to this effect. On systems such as Solaris and
          SunOS, chronyd has no means to adjust the fundamental rate of
          the system clock, so keeps the system time correct by
          periodically making offsets to it as though an error had been
          measured. The build up of these offsets will be observed in
          this report. On systems such as Linux where chronyd can adjust
          the fundamental rate of the system clock, this value will show
          zero unless a very recent measurement has shown the system to
          be error.
   Frequency
          The `frequency' is the rate by which the system's clock would
          be would be wrong if chronyd was not correcting it. It is
          expressed in ppm (parts per million). For example, a value of
          1ppm would mean that when the system's clock thinks it has
          advanced 1 second, it has actually advanced by 1.000001 seconds
          relative to true time. As you can see in the example, the clock
          in the computer I developed chrony on is not a very good one -
          it gains about 30 seconds per day! This was the reason I
          started to write chrony in the first place.
   Residual freq
          This shows the `residual frequency' for the currently selected
          reference source. This reflects any difference between what the
          measurements from the reference source indicate the frequency
          should be and the frequency currently being used. The reason
          this is not always zero is that a smoothing procedure is
          applied to the frequency. Each time a measurement from the
          reference source is obtained and a new residual frequency
          computed, the estimated accuracy of this residual is compared
          with the estimated accuracy (see `skew' next) of the existing
          frequency value. A weighted average is computed for the new
          frequency, with weights depending on these accuracies. If the
          measurements from the reference source follow a consistent
          trend, the residual will be driven to zero over time.
   Skew
          This is the estimated error bound on the the frequency.
   Root delay
          This is the total of the network path delays to the stratum-1
          computer from which the computer is ultimately synchronised. In
          certain extreme situations, this value can be negative. (This
          can arise in a symmetric peer arrangement where the computers'
          frequencies are not tracking each other and the network delay
          is very short relative to the turn-around time at each
          computer.)
   Root dispersion
          This is the total dispersion accumulated through all the
          computers back to the stratum-1 computer from which the
          computer is ultimately synchronised. Dispersion is due to
          system clock resolution, statistical measurement variations
          etc. An absolute bound on the computer's clock accuracy
          (assuming the stratum-1 computer is correct) is given by

clock_error <= root_dispersion + (0.5 * |root_delay|)

    trimrtc
    
   The trimrtc command is used to correct the system's real time clock
   (RTC) to the main system clock. It has no effect if the error between
   the two clocks is currently estimated at less than a second (the
   resolution of the RTC is only 1 second).
   
   The command takes no arguments. It performs the following steps (if
   the RTC is more than 1 second away from the system clock):
   
    1. Remember the currently estimated gain/loss rate of the RTC and
       flush the previous measurements.
    2. Step the real time clock to bring it within a second of the system
       clock.
    3. Make several measurements to accurately determine the new offset
       between the RTC and the system clock (i.e. the remaining fraction
       of a second error)
    4. Save the RTC parameters to the RTC file (specified with the
       rtcfile directive in the configuration file (see section rtcfile).
       
   The last step is done as a precaution against the computer suffering a
   power failure before either the daemon exits or the writertc command
   is issued.
   
   chronyd will still work perfectly well both whilst operating and
   across machine reboots even if the trimrtc command is never used (and
   the RTC is allowed to drift away from true time). The trimrtc command
   is provided as a method by which it can be corrected, in a manner
   compatible with chronyd using it to maintain accurate time across
   machine reboots.
   
    writertc
    
   The writertc command writes the currently estimated error and
   gain/loss rate parameters for the RTC to the RTC file (specified with
   the rtcfile directive (see section rtcfile)). This information is also
   written automatically when chronyd is killed (with SIGHUP, SIGINT,
   SIGQUIT or SIGTERM).
   
                                 Porting guide
                                       
   This appendix discusses issues that have arisen in writing the
   system-specific parts of the existing ports. This will provide useful
   information for those attempting to write ports to other systems.
   
System driver files

   The system specific parts of the software are contained in files with
   names like sys_linux.c.
   
   The following functions are required in a system driver file:
   
    1. A function to read the current frequency
    2. A function to set the current frequency
    3. A function to slew the system time by a specified delta
    4. A function to step the system time by a specified delta
    5. A function to work out the error at a particular time between the
       system's clock and chronyd's estimate of real time. (This is
       required because some systems have to track real time by making
       the system time follow it in a 'sawtooth' fashion).
       
   The _frequency_ is the rate at which the system gains or loses time,
   measured relative to the system when running uncompensated.
   
Quirks of particular systems

   These sections describe quirks in each system type that needed to be
   investigated to port the software to each system type.
   
  Linux
  
   The following quirks have been found in developing the Linux port.
   
    1. In order to avoid floating point arithmetic, the kernel uses
       shifting and adding to approximate a scaling of 100/128. This
       approximation implies that the frequency set via the adjtimex()
       system call is not the frequency that is actually obtained. The
       method of approximation varies between kernel versions and must be
       determined by examining the kernel source. An inverse factor must
       be included in the driver to compensate.
    2. In some kernel versions, an adjtimex() system call with the flags
       bits all zeroed will return the amount of offset still to be
       corrected. In others (e.g. the 2.0 series beyond 2.0.32), the
       offset must be changed in order to get the old offset returned
       (similar to adjtime() on other systems).
       
  Solaris 2.5
  
   The following quirks have been found in developing the Solaris port.
   
    1. The adjtime() system call with a zero argument does not cancel an
       adjustment that is in progress - it just reports the remaining
       adjustment.
    2. The settimeofday() system call only observes the seconds part of
       the argument - any fractional seconds part is lost. second.
    3. The kernel variable dosynctodr has to be set to zero, otherwise
       the system clock is periodically reset to the real-time clock.
       
  SunOS 4.1.4
  
   The following quirks have been found in developing the SunOS port.
   
    1. The adjtime() system call truncates its argument to a multiple of
       the system's tickadj variable. (chronyd sets that to 100, giving a
       1 part in 100 slewing capability for correcting offsets.)
    2. The kernel variable dosynctodr has to be set to zero, otherwise
       the system clock is periodically reset to the real-time clock.
       
     _________________________________________________________________
                                      
                                   Footnotes
                                       
  (1)
  
   In the current version this will never be shown, because chronyd has
   no support for reference clocks yet.
   
     _________________________________________________________________
                                      
   This document was generated on 8 August 2000 using the texi2html
   translator version 1.52.
