Use NTP or systemd-timesyncd to keep servers in sync. Drift can break TLS, cause log confusion, and affect distributed transactions. Prefer multiple NTP sources; in DCs, use provider or internal NTP.
Why time matters
- TLS: Certificates have validity periods; if the server clock is wrong, certificates may be wrongly rejected or treated as expired. Time skew can break HTTPS.
- Logs: Correlation and incident response rely on timestamps. If servers are out of sync, you cannot order events across hosts.
- Distributed systems: Databases, queues, and consensus (e.g. etcd) often depend on consistent time. Large drift can cause split-brain or incorrect ordering.
NTP and systemd-timesyncd
- NTP: Classic daemon (ntpd, chronyd) syncs with NTP servers. Use multiple sources (e.g. 3–4 pool or provider NTP) for redundancy.
- systemd-timesyncd: Lighter option on systemd systems; good for most servers. Configure NTP servers in /etc/systemd/timesyncd.conf or via timedatectl.
- Stratum: Prefer stratum 1 or 2 sources when possible. In a data center, use the provider's NTP or an internal NTP server that syncs to the internet.
Best practices
- Multiple sources: Configure several so that one bad or unreachable NTP server does not leave you unsynced. chrony and systemd-timesyncd support multiple servers.
- Firewall: Allow outbound NTP (UDP 123) if you sync to external servers; or use provider/internal NTP only.
- Monitor: Alert if time drift exceeds a threshold (e.g. 1–5 seconds). Drift beyond it indicates NTP failure or misconfiguration.
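One way to implement the drift check above, as an added example that is not part of the original article: it computes the local clock offset from SNTP replies and alerts on the median across several sources, so a single bad server neither triggers nor masks an alert. The function names, the median rule, the 1-second default threshold and the constructed `fake_reply` packets are assumptions of this example.

```python
import socket, statistics, struct, time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(unix_ts):
    """Encode a Unix timestamp as a 64-bit NTP timestamp (32.32 fixed point)."""
    sec = int(unix_ts)
    return struct.pack("!II", sec + NTP_DELTA, int((unix_ts - sec) * 2**32))

def from_ntp(raw):
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_DELTA + frac / 2**32

def parse_reply(pkt, t1, t4):
    """Return (stratum, offset_seconds) for a server reply; raise ValueError if unusable."""
    if len(pkt) < 48:
        raise ValueError("short packet")
    li, mode, stratum = pkt[0] >> 6, pkt[0] & 0x7, pkt[1]
    # Mode 4 = server; LI 3 = clock unsynchronized; stratum 0 or 16+ is not a usable source.
    if mode != 4 or li == 3 or not 1 <= stratum <= 15:
        raise ValueError("not a reply from a synchronized server")
    t2, t3 = from_ntp(pkt[32:40]), from_ntp(pkt[40:48])  # server receive / transmit
    return stratum, ((t2 - t1) + (t3 - t4)) / 2           # standard NTP offset formula

def query(server, timeout=2.0):
    """Send one SNTP request (version 4, mode 3) to UDP 123 and parse the reply."""
    t1 = time.time()
    req = b"\x23" + bytes(39) + to_ntp(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, 123))
        pkt, _ = s.recvfrom(512)
    return parse_reply(pkt, t1, time.time())

def drift_alert(offsets, threshold=1.0):
    """True when the median offset across sources exceeds the threshold (seconds)."""
    if not offsets:
        return True  # no usable source at all is itself an alert condition
    return abs(statistics.median(offsets)) > threshold

def fake_reply(server_time, stratum=2, li=0):
    """Constructed sample reply for offline use (not captured traffic)."""
    hdr = bytes([(li << 6) | (4 << 3) | 4, stratum]) + bytes(30)
    return hdr + to_ntp(server_time) + to_ntp(server_time)
```

In production, call `query()` for each configured source, collect the offsets from the calls that succeed, and pass them to `drift_alert()`.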
Summary
Keep servers in sync with NTP or systemd-timesyncd. Use multiple sources; in DCs prefer provider or internal NTP. Monitor drift; accurate time is critical for TLS, logs, and distributed systems.




