How to Sync Time with Chrony on RHEL 8

December 4, 2025
Linux
Comment off

Accurate system time is essential for security certificates, log correlation, scheduled jobs, and Kerberos authentication. RHEL 8 ships with Chrony as its default NTP implementation, replacing the older ntpd daemon. Chrony is faster to synchronize on startup, handles intermittent network connections well, and is better suited to virtual machines. This guide covers installing and configuring Chrony, customizing NTP pool sources, and verifying synchronization status with chronyc and timedatectl.

Prerequisites

A running RHEL 8 server with root or sudo access
Internet access or an internal NTP server address
The chrony package (installed by default on most RHEL 8 deployments)

Step 1 — Install and Enable Chrony

Chrony is included in the default RHEL 8 installation. Verify it is present and install it if missing:

sudo dnf install -y chrony
sudo systemctl enable --now chronyd

Confirm the service is active:

systemctl status chronyd

You should see Active: active (running). If ntpd is also installed, disable it to avoid conflicts: sudo systemctl disable --now ntpd.

Step 2 — Configure NTP Sources in /etc/chrony.conf

The main configuration file is /etc/chrony.conf. Open it to review and customize your time sources:

sudo vi /etc/chrony.conf

Key directives to understand and set:

# Use public NTP pool servers (replace with your region or internal server)
pool 2.rhel.pool.ntp.org iburst

# Step the clock on startup if offset > 1 second (up to 3 corrections)
makestep 1.0 3

# Sync hardware clock (RTC) to system time
rtcsync

# Allow faster sync when offset is large (useful for VMs)
maxdistance 1.5

The iburst option sends a burst of packets on initial contact to accelerate the first sync. For an internal NTP server, replace the pool line with a server directive:

server ntp.example.com iburst prefer

After editing, restart Chrony to apply changes:

sudo systemctl restart chronyd

Step 3 — Verify Synchronization with chronyc tracking

The chronyc tracking command shows the current time source, estimated offset, and root delay. This is the primary diagnostic command for Chrony.

chronyc tracking

Key fields to inspect:

Reference ID — the IP or hostname of the current NTP source
System time — current offset from NTP time (aim for < 10 ms in production)
RMS offset — root mean square of recent offsets
Leap status — should read Normal

Step 4 — Inspect NTP Sources with chronyc sources

Use chronyc sources -v to list all configured NTP servers and their current reachability and stratum:

chronyc sources -v

The output columns show: M (mode: * = selected source, + = acceptable, ? = unreachable), S (stratum), Poll interval, Reach (octal bitmask of last 8 polls — 377 means all successful), and offset. A * in the first column confirms Chrony is actively syncing from that server. You can also check source statistics:

chronyc sourcestats

Step 5 — Set the Correct Timezone with timedatectl

NTP synchronizes UTC time. The system timezone controls how UTC is displayed locally. Use timedatectl to list and set the timezone:

# List available timezones (pipe through grep to filter)
timedatectl list-timezones | grep America

# Set your timezone
sudo timedatectl set-timezone America/New_York

Verify the full time and sync status:

timedatectl status

The output should show NTP service: active and synchronized: yes. If synchronized: no appears immediately after configuration, wait 30–60 seconds for initial sync to complete and re-run the command.

Step 6 — Allow Chrony Through the Firewall (Server Mode)

If this RHEL 8 server also acts as an NTP server for other machines on your network, open the NTP UDP port:

sudo firewall-cmd --add-service=ntp --permanent
sudo firewall-cmd --reload

Also add the allow directive to /etc/chrony.conf to permit clients on your subnet:

allow 192.168.1.0/24

Then restart chronyd again.

Conclusion

You have installed and configured Chrony on RHEL 8, customized NTP pool sources with iburst and makestep, and verified synchronization using chronyc tracking, chronyc sources -v, and timedatectl status. Your system clock is now accurately synchronized, which is a prerequisite for SSL certificates, Kerberos, log auditing, and cluster coordination.

Next steps: How to Configure Automatic Security Updates on RHEL 8, How to Set a Hostname and FQDN on RHEL 8, and How to Harden SSH on RHEL 8.