
Build a Chrony NTS Client from Source

TST, Hong Kong

Build

The Chrony software is distributed as source code which has to be compiled.

git clone https://git.tuxfamily.org/chrony/chrony.git

Git does not seem to be working at the moment, so I downloaded the latest build using wget:

wget https://git.tuxfamily.org/chrony/chrony.git/snapshot/chrony-4.3.zip
unzip chrony-4.3.zip
rm chrony-4.3.zip && cd chrony-4.3
mkdir build

The following programs and libraries with their development files are needed to build chrony:

  • C compiler (gcc or clang recommended)
  • GNU Make
  • Nettle, NSS, or LibTomCrypt (optional)
  • Editline (optional)
  • libcap (Linux only, optional)
  • libseccomp (Linux only, optional)
  • timepps.h header (optional)
  • Asciidoctor (for HTML documentation)
  • Bash (for testing)

The build will use the gcc compiler if not configured otherwise:

apt install build-essential

If development files for the Nettle, NSS, or libtomcrypt library are available, chronyd will be built with support for other cryptographic hash functions than MD5, which can be used for NTP authentication with a symmetric key. If you don’t want to enable the support, specify the --disable-sechash flag to configure.

apt install libtomcrypt-dev nettle-dev

If development files for the POSIX threads library are available, chronyd will be built with support for asynchronous resolving of hostnames specified in the server, peer, and pool directives. This allows chronyd operating as a server to respond to client requests when resolving a hostname. If you don’t want to enable the support, specify the --disable-asyncdns flag to configure.

If development files for the editline or readline library are available, chronyc will be built with line editing support. If you don’t want this, specify the --disable-readline flag to configure.

On Linux, if development files for the libcap library are available, chronyd will be built with support for dropping root privileges. On other systems no extra library is needed. The default user which chronyd should run as can be specified with the --with-user option of the configure script.

useradd --no-create-home chrony

After unpacking the source code, change directory into it, and type:

./configure

This is a shell script that automatically determines the system type. There is an optional parameter --prefix, which indicates the directory tree where the software should be installed:

./configure --prefix=/home/kali/chrony/build

will install the chronyd daemon into /home/kali/chrony/build/sbin and the chronyc control program into /home/kali/chrony/build/bin. The default value for the prefix is /usr/local.

Bringing it all together:

./configure --disable-sechash --disable-asyncdns --disable-readline --prefix=/home/kali/chrony/build

Configuring for Linux-armv7l
Checking for gcc : Yes
Checking for hardening compiler options : Yes
Checking for -fstack-protector-strong : Yes
Checking for pkg-config : No
Checking for 64-bit time_t : No
Checking for math : No
Checking for math in -lm : Yes
Checking for struct in_pktinfo : Yes
Checking for IPv6 support : Yes
Checking for struct in6_pktinfo : No
Checking for struct in6_pktinfo with _GNU_SOURCE : Yes
Checking for O_NOFOLLOW flag : Yes
Checking for clock_gettime() : Yes
Checking for getaddrinfo() : Yes
Checking for getrandom() : Yes
Checking for recvmmsg() : Yes
Checking for SW/HW timestamping : Yes
Checking for other timestamping options : Yes
Checking for <sys/timepps.h> : No
Checking for <timepps.h> : No
Checking for libcap : Yes
Checking for <linux/rtc.h> : Yes
Checking for <linux/ptp_clock.h> : Yes
Checking for pthread_setschedparam() : Yes
Checking for mlockall() : Yes
Checking for setrlimit(RLIMIT_MEMLOCK, ...) : Yes
Features : +CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER -SIGND -ASYNCDNS -NTS -READLINE -SECHASH +IPV6 -DEBUG
Creating Makefile
Creating doc/Makefile
Creating test/unit/Makefile
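The Features line above reports -NTS and -SCFILTER: this run did not compile in NTS support, which in chrony depends on the GnuTLS and Nettle development files being detected at configure time (the run above also found no pkg-config). The following check is an added example, not part of the original page or of chrony; the names missing_features and PAGE_FEATURES are made up for illustration. It reads the Features summary and reports any required feature that was not enabled, so a build script can stop before make:

```shell
#!/bin/sh
# Added example (not part of chrony): fail a build early when ./configure
# did not enable a feature the deployment depends on.

# missing_features OUTPUT NAME...
# Prints the NAMEs that are not marked "+NAME" on the "Features" line of
# OUTPUT (the text printed by ./configure). Empty output means all present.
missing_features() {
    line=$(printf '%s\n' "$1" | grep '^Features' | tail -n 1)
    shift
    missing=""
    for want in "$@"; do
        case " ${line#*:} " in
            *" +$want "*) ;;                  # compiled in
            *) missing="$missing $want" ;;    # "-NAME", or no summary line at all
        esac
    done
    printf '%s' "${missing# }"
}

# Features line copied from the configure run shown above.
PAGE_FEATURES='Features : +CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER -SIGND -ASYNCDNS -NTS -READLINE -SECHASH +IPV6 -DEBUG'

# In a real build, capture the live output instead:
#   out=$(./configure --prefix=/home/kali/chrony/build) || exit 1
#   m=$(missing_features "$out" NTS PRIVDROP)

# An NTS client that drops root privileges needs at least these two.
m=$(missing_features "$PAGE_FEATURES" NTS PRIVDROP)
if [ -n "$m" ]; then
    echo "configure did not enable: $m"
else
    echo "all required features enabled"
fi
```

For the configure run shown on this page the script prints that NTS was not enabled.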

Now we are ready to build the binaries:

make
ls -la /home/kali/chrony/ | grep chrony 
-rwxr-xr-x 1 kali kali 418560 Oct 6 05:31 chronyc
-rwxr-xr-x 1 kali kali 1160816 Oct 6 05:30 chronyd

Once the programs have been successfully compiled, they need to be installed in their target locations. This step normally needs to be performed by the superuser, and requires the following command to be entered.

sudo make install

[ -d /etc ] || mkdir -p /etc
[ -d /home/kali/chrony/build/sbin ] || mkdir -p /home/kali/chrony/build/sbin
[ -d /home/kali/chrony/build/bin ] || mkdir -p /home/kali/chrony/build/bin
[ -d /var/lib/chrony ] || mkdir -p /var/lib/chrony
if [ -f /home/kali/chrony/build/sbin/chronyd ]; then rm -f /home/kali/chrony/build/sbin/chronyd ; fi
if [ -f /home/kali/chrony/build/bin/chronyc ]; then rm -f /home/kali/chrony/build/bin/chronyc ; fi
cp chronyd /home/kali/chrony/build/sbin/chronyd
chmod 755 /home/kali/chrony/build/sbin/chronyd
cp chronyc /home/kali/chrony/build/bin/chronyc
chmod 755 /home/kali/chrony/build/bin/chronyc
make -C doc install
make[1]: Entering directory '/home/kali/chrony/doc'
asciidoctor -b manpage -o chrony.conf.man.in chrony.conf.adoc
make[1]: asciidoctor: No such file or directory
make[1]: *** [Makefile:44: chrony.conf.man.in] Error 127
make[1]: Leaving directory '/home/kali/chrony/doc'
make: *** [Makefile:98: install] Error 2

This installs the binaries, but adding the man pages seems to have failed because asciidoctor is not installed:

tree build  
build
├── bin
│   └── chronyc
└── sbin
    └── chronyd

2 directories, 2 files

Configuration

Now that the software is successfully installed, the next step is to set up a configuration file. The default location of the file is /etc/chrony.conf:

# Use Debian vendor zone.
# pool 2.debian.pool.ntp.org iburst

# This directive specifies the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /home/kali/chrony/build/chrony.keys

# This directive specifies the file into which chronyd will store the rate
# information.
driftfile /home/kali/chrony/build/chrony.drift

# Save NTS keys and cookies.
ntsdumpdir /home/kali/chrony/build

# Uncomment the following line to turn logging on.
#log tracking measurements statistics

# Log files location.
logdir /var/log/chrony

# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0

# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
rtcsync

# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3

# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC
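server my.server.com key 666 nts iburst

Give the chrony user created earlier ownership of the configuration file and the build directory, and move the chronyd binary to the path used by the service file:

chown chrony:chrony /etc/chrony.conf
mkdir -p /home/kali/chrony/build
chown chrony:chrony /home/kali/chrony/build
mv chronyd /home/kali/chrony/build/chronyd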

And add your keyfiles:

nano /home/kali/chrony/build/chrony.keys

And create the service file:

nano /etc/systemd/system/chronyd.service

[Unit]
Description=chrony, an NTP client/server
Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
Conflicts=openntpd.service ntp.service ntpsec.service
Wants=time-sync.target
Before=time-sync.target
After=network.target
ConditionCapability=CAP_SYS_TIME

[Service]
Type=forking
PIDFile=/run/chrony/chronyd.pid
EnvironmentFile=-/etc/default/chrony
ExecStart=/home/kali/chrony/build/chronyd $DAEMON_OPTS
PrivateTmp=yes
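# ProtectHome=yes would make /home inaccessible to the service, including the
# chronyd binary and the key, drift and NTS files configured above.
ProtectHome=read-only
ReadWritePaths=/home/kali/chrony/build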
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

[Install]
Alias=chronyd.service
WantedBy=multi-user.target