In this article, we will be configuring a Linux VM running as a compute workload within the VMC SDDC.
Prerequisite: Add a firewall rule on your Compute Gateway that allows NTP traffic to 169.254.169.123.
Sample Rule:
Source: Compute Workload VM/Segment
Destination: 169.254.169.123
Services: NTP (UDP:123)
Applied To: Internet Interface or Direct Connect Interface (i.e. the interface where the default route is pointing; if the default route is not advertised over a Direct Connect, it will be the Internet Interface). In this example, we do not have a DX connection to the SDDC, so the rule is applied to the Internet Interface.
Note: If you have a default route advertised over a VPN, you will not be able to use the native Amazon Time Sync Service.
To configure your instance to use the Amazon Time Sync Service:
a) Connect to your instance and uninstall the NTP service.
sudo yum erase 'ntp*'
b) Install the chrony package
sudo yum install chrony
c) Open the /etc/chrony.conf file using a text editor (such as vim or nano). Add the following line to the file:
server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
Note: If the line is present, then the Amazon Time Sync Service is already configured and you can go to the next step. If not, add the line after any other server or pool statements that are already present in the file, and save your changes.
d) Restart the chrony daemon (chronyd).
sudo service chronyd restart
e) Use the chkconfig command to configure chronyd to start at each system boot.
sudo chkconfig chronyd on
f) Verify that chrony is using the 169.254.169.123 IP address to synchronize the time.
chronyc sources -v
Note: In the output that's returned, ^* indicates the preferred time source. If you see a '?' symbol against 169.254.169.123, follow step (g).
g) The symbol '?' signifies that your instance is unable to reach the NTP Service at 169.254.169.123.
Some instances are unable to natively route to a 169.254.X.X address. To fix this, add a static route on your instance for 169.254.169.0/24 pointing to the default gateway of the VM.
In this example, it would look like this:
ip route add 169.254.169.0/24 via 10.89.12.1 dev eth0
Once this static route is added, ensure that the local firewall on the VM and the Compute Gateway firewall allow NTP traffic to pass.
Note: You can skip this step if you don't see a '?' symbol against 169.254.169.123
h) Verify the time synchronization metrics that are reported by chrony.
chronyc tracking
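The check from steps f) and g), as an added shell example that is not part of the original article: it classifies the 169.254.169.123 row of chronyc sources output so the result can feed a health check. The function names and the sample output lines (including the 192.0.2.10 source) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): classify the Amazon Time
# Sync Service row in `chronyc sources` output, as checked in steps f) and g).
TIME_SYNC_IP=169.254.169.123

# Constructed sample outputs, so the example runs without chronyd.
HEADER='MS Name/IP address         Stratum Poll Reach LastRx Last sample
==============================================================================='
SAMPLE_OK="$HEADER
^* 169.254.169.123               3   4   377    11    +15us[  +18us] +/-  412us"
SAMPLE_UNREACHABLE="$HEADER
^? 169.254.169.123               0   4     0     -     +0ns[   +0ns] +/-    0ns"
SAMPLE_OTHER="$HEADER
^* 192.0.2.10                    2   6   377    20    +40us[  +52us] +/-   12ms
^+ 169.254.169.123               3   4   377     9    +21us[  +21us] +/-  430us"

# Reads `chronyc sources` output on stdin and prints one word:
#   selected      row starts with ^* (chrony is synchronizing to it)
#   unreachable   row starts with ^? (step g applies: route or firewall)
#   not-selected  row is present but in another state (^+, ^-, ^x, ^~)
#   missing       no row for the address (server line absent from chrony.conf)
classify_time_sync() {
    awk -v ip="$TIME_SYNC_IP" '
        $2 == ip {
            state = substr($1, 2, 1)   # second character of the MS column
            if (state == "*")      result = "selected"
            else if (state == "?") result = "unreachable"
            else                   result = "not-selected"
        }
        END { if (result == "") result = "missing"; print result }
    '
}

# Exit status 0 only when the service is the selected source.
time_sync_ok() { [ "$(classify_time_sync)" = "selected" ]; }

# Demonstration on the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_UNREACHABLE" "$SAMPLE_OTHER"; do
    printf '%s\n' "$sample" | classify_time_sync
done
# On the VM itself: chronyc sources | classify_time_sync
```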