Time Zone and NTP Sync
Time zone configuration controls how local time is displayed and interpreted on a system, while NTP synchronization keeps the system clock accurate by continuously aligning it to trusted time sources.
Network time synchronization became a standard requirement as distributed systems grew and clock drift started causing failures in authentication, scheduling, and log correlation. On Linux, time management has evolved from manually setting date and running ntpd to modern tooling such as timedatectl (systemd), systemd-timesyncd, and Chrony (chronyd).
Most modern Linux distributions support NTP sync out of the box and integrate it into common operational workflows (server hardening baselines, cloud images, Kubernetes nodes, and observability stacks).
Maintained by
- Time zone data: maintained by the IANA Time Zone Database community (often shipped via
tzdata). - NTP implementations: maintained by their respective projects (systemd for
systemd-timesyncd, Chrony forchronyd, and the NTP project forntpdvariants).
Best When to Use
- Consistent timestamps are required across multiple hosts (logs, metrics, audits).
- Time-sensitive protocols are in use (TLS, Kerberos, JWT validation windows).
- Distributed systems depend on ordering and consistent timeouts (databases, queues, clusters).
- Scheduled tasks must run reliably (cron, systemd timers, batch jobs).
Not Suitable When
- The host is fully offline with no secure trusted time source and no operational way to establish a correct initial reference time.
- Sub-millisecond time discipline is required (use PTP with hardware timestamping and a dedicated design).
Compatibility Notes
- systemd-based distributions:
timedatectlis the primary interface for time zone and NTP toggles. - Non-systemd environments: time zone is still handled via
tzdataand/etc/localtime, but NTP is typically managed via Chrony or an NTP daemon service scripts. - Containers: containers inherit the host kernel clock; configure NTP on the host, not inside containers.
- Virtual machines: hypervisor time sync and NTP can interact; avoid running two competing “authoritative” time discipline mechanisms.
Large time jumps can break TLS validation, Kerberos, database replication, and log ordering. Prefer gradual correction (slewing) via NTP/Chrony over manual stepping in production.
Typical Alternatives
| Tool / Approach | Best For |
|---|---|
timedatectl + systemd-timesyncd | Simple NTP client on systemd systems (client-only) |
Chrony (chronyd) | Recommended general-purpose NTP client/server on Linux; resilient to intermittent connectivity |
ntpd (NTP project variants) | Legacy deployments or environments standardized on ntpd |
PTP (ptp4l, phc2sys) | High-precision time sync with hardware support |
Prerequisites
- Root or
sudoprivileges - Basic understanding of time zones, UTC vs local time, and NTP concepts
- Network access to one or more trusted NTP sources (public or internal)
Architecture Overview
Time zone affects display and parsing of local time; NTP affects the underlying system clock.
Core Concepts
System clock vs hardware clock
- System clock: maintained by the kernel while the system is running.
- Hardware clock (RTC): persists across reboots; typically stored in UTC on servers.
Recommended baseline:
- Keep RTC in UTC on servers.
- Use time zone configuration only for local time display.
Some desktop or dual-boot setups store RTC in local time for compatibility. For servers, RTC in UTC reduces DST and cross-OS confusion.
Stepping vs slewing
- Stepping: immediate time jump to a corrected time.
- Slewing: gradual adjustment over time.
Operational preference:
- Use slewing for routine drift correction.
- Step only when the offset is very large and the environment tolerates it (often during maintenance windows).
Safe Read-Only Checks
Start with inspection before applying changes.
Current time and sync status (systemd)
timedatectl status
Key fields to interpret:
Time zone: current zone and offsetSystem clock synchronized: whether sync is achievedNTP service: whether the system NTP integration is enabled/active
Verify current time sources (Chrony)
chronyc tracking
chronyc sources -v
Verify current time sources (ntpd)
ntpq -p
Time Zone Configuration
List available time zones
timedatectl list-timezones | less
Set the time zone (systemd)
Example: Asia/Jakarta
sudo timedatectl set-timezone Asia/Jakarta
timedatectl status
Non-systemd systems
Typical approach:
/etc/localtimepoints to a zoneinfo file/etc/timezone(Debian/Ubuntu) may also be used
Example:
ls -l /etc/localtime
NTP Synchronization Options
Option A: systemd-timesyncd (client-only)
Enable NTP integration:
sudo timedatectl set-ntp true
timedatectl status
Check service status:
systemctl status systemd-timesyncd
View recent logs:
journalctl -u systemd-timesyncd --no-pager -n 100
On many distributions, timedatectl set-ntp true enables the system’s configured NTP integration. If Chrony or another NTP service is installed and configured as the system provider, it may be used instead of systemd-timesyncd.
Option B: Chrony (recommended general-purpose client/server)
Chrony is widely used on servers and is resilient on networks with variable latency.
Installation
Debian/Ubuntu
sudo apt update
sudo apt install chrony
Service name is typically chrony:
sudo systemctl enable --now chrony
systemctl status chrony
RHEL/CentOS Stream/Fedora
sudo dnf install chrony
sudo systemctl enable --now chronyd
systemctl status chronyd
SUSE
sudo zypper install chrony
sudo systemctl enable --now chronyd
systemctl status chronyd
Arch Linux
sudo pacman -S chrony
sudo systemctl enable --now chronyd
systemctl status chronyd
Chrony Configuration
Configuration file is commonly:
/etc/chrony/chrony.conf(Debian/Ubuntu)/etc/chrony.conf(RHEL/Fedora/SUSE/Arch)
Configure time sources (client)
Example (generic):
server time1.example.internal iburst
server time2.example.internal iburst
Apply changes:
sudo systemctl restart chrony || sudo systemctl restart chronyd
Verify synchronization:
chronyc tracking
chronyc sources -v
Enable Chrony as an NTP server (optional)
Do not expose an NTP service broadly to the public internet. Restrict access to trusted subnets and apply firewall controls. Misconfigured NTP can be abused for reflection/amplification attacks.
Example access control (conceptual; exact directives vary by distro defaults):
allow 10.0.0.0/8
allow 192.168.0.0/16
deny all
Restart and verify listening:
sudo systemctl restart chrony || sudo systemctl restart chronyd
sudo ss -ulnp | grep ':123'
Firewall (host-based) example: allow NTP from a trusted subnet only
# Example using UFW
sudo ufw allow from 10.0.0.0/8 to any port 123 proto udp comment "NTP from internal network"
Practical Use Cases
Baseline server setup (time zone + NTP)
# Set time zone
sudo timedatectl set-timezone Asia/Jakarta
# Enable NTP (system integration)
sudo timedatectl set-ntp true
# Confirm status
timedatectl status
Migrate from systemd-timesyncd to Chrony
# Install Chrony
sudo apt update && sudo apt install chrony
# Disable timesyncd (if running)
sudo systemctl disable --now systemd-timesyncd || true
# Enable Chrony
sudo systemctl enable --now chrony || sudo systemctl enable --now chronyd
# Verify
chronyc tracking
Chrony service name differs by distribution (chrony vs chronyd). Use systemctl list-unit-files | grep -E 'chrony|chronyd' to confirm the correct unit name.
Correct a badly skewed clock safely
Preferred approach:
- Confirm current offset with Chrony.
- Let NTP slew the clock whenever possible.
- Step only when necessary and operationally safe.
Read-only checks:
chronyc tracking
chronyc sources -v
If a step is required (maintenance window recommended), use Chrony’s tooling as provided by the distribution rather than manually setting date. On systemd systems, avoid repeated manual changes and re-check synchronization after correction:
timedatectl status
chronyc tracking
Troubleshooting
| Symptom | Likely Cause | Safe Checks | Fix |
|---|---|---|---|
System clock synchronized: no | NTP service not running or blocked | timedatectl status, systemctl status systemd-timesyncd/chrony/chronyd | Enable/start the chosen NTP service; ensure UDP/123 is allowed to time sources |
| Time is correct but displayed “wrong” | Incorrect time zone | timedatectl status | sudo timedatectl set-timezone <Region/City> |
| Chrony shows no sources | DNS/firewall/network issue | chronyc sources -v, resolvectl status (systemd) | Fix DNS, allow outbound UDP/123, configure reachable servers |
| Offset remains large | Bad sources or competing time sync | chronyc tracking, systemctl status of time services | Use a single time discipline service; remove/disable competing services |
| Time drifts after reboot | RTC issues | hwclock --show, timedatectl status | Keep RTC in UTC; sync RTC after stable system time |
Service conflicts
Only one NTP discipline service should actively control the clock.
Find active services:
systemctl --type=service --state=running | grep -E 'timesyncd|chrony|chronyd|ntpd|ntp'
Disable the one not in use (example):
sudo systemctl disable --now systemd-timesyncd
Security Notes
- Prefer trusted internal time sources for fleets; use authenticated time protocols where supported (for example, NTS in compatible NTP stacks).
- Restrict NTP server access to trusted networks.
- Monitor for unexpected time changes (audit logs, config management drift detection).
- Avoid manual time setting on production systems outside controlled maintenance, especially for authentication-dependent services.
Quick Command Reference
| Goal | Command |
|---|---|
| Show time status (systemd) | timedatectl status |
| List time zones | timedatectl list-timezones |
| Set time zone | sudo timedatectl set-timezone Region/City |
| Enable NTP integration (systemd) | sudo timedatectl set-ntp true |
| Check timesyncd status | systemctl status systemd-timesyncd |
| Chrony tracking | chronyc tracking |
| Chrony sources | chronyc sources -v |
| ntpd peers | ntpq -p |
| Check NTP listening port | `sudo ss -ulnp |
| Inspect RTC | sudo hwclock --show |
Key Files and Locations
| Path | Purpose |
|---|---|
/etc/localtime | Active time zone definition (symlink or file) |
/usr/share/zoneinfo/ | Time zone database files (tzdata) |
/etc/timezone | Time zone name (common on Debian/Ubuntu) |
/etc/chrony/chrony.conf | Chrony config (common on Debian/Ubuntu) |
/etc/chrony.conf | Chrony config (common on RHEL/Fedora/SUSE/Arch) |
journalctl -u systemd-timesyncd | systemd-timesyncd logs (systemd) |
journalctl -u chrony / journalctl -u chronyd | Chrony logs (systemd) |