The software is distributed as source code which has to be compiled. The source code is supplied in the form of a gzipped tar file, which unpacks to a subdirectory identifying the name and version of the program.
The following programs and libraries with their development files are needed to
C compiler (gcc or clang recommended)
Nettle, NSS, or LibTomCrypt (optional)
libcap (Linux only, optional)
libseccomp (Linux only, optional)
timepps.h header (optional)
Asciidoctor (for HTML documentation)
Bash (for testing)
After unpacking the source code, change directory into it, and type
This is a shell script that automatically determines the system type. There is
an optional parameter
--prefix, which indicates the directory tree where the
software should be installed. For example,
will install the
chronyd daemon into
/opt/free/sbin and the
control program into
/opt/free/bin. The default value for the prefix is
configure script assumes you want to use
gcc as your compiler. If you
want to use a different compiler, you can configure this way:
CC=cc ./configure --prefix=/opt/free
for Bourne-family shells, or
setenv CC cc setenv CFLAGS -O ./configure --prefix=/opt/free
for C-family shells.
If the software cannot (yet) be built on your system, an error message will be
Makefile will be generated.
On Linux, if development files for the libcap library are available,
will be built with support for dropping root privileges. On other systems no
extra library is needed. The default user which
chronyd should run as can be
specified with the
--with-user option of the
If development files for the POSIX threads library are available,
will be built with support for asynchronous resolving of hostnames specified in
pool directives. This allows
chronyd operating as
a server to respond to client requests when resolving a hostname. If you don’t
want to enable the support, specify the
--disable-asyncdns flag to
If development files for the Nettle,
libtomcrypt library are available,
chronyd will be built with support for other cryptographic hash functions
than MD5, which can be used for NTP authentication with a symmetric key. If you
don’t want to enable the support, specify the
--disable-sechash flag to
If development files for the editline or readline library are available,
chronyc will be built with line editing support. If you don’t want this,
--disable-readline flag to
timepps.h header is available (e.g. from the
chronyd will be built with PPS API
reference clock driver. If the header is installed in a location that isn’t
normally searched by the compiler, you can add it to the searched locations by
CPPFLAGS variable to
--help option can be specified to
configure to print all options
supported by the script.
to build the programs.
If you want to build the manual in HTML, type
Once the programs have been successfully compiled, they need to be installed in their target locations. This step normally needs to be performed by the superuser, and requires the following command to be entered.
This will install the binaries and man pages.
To install the HTML version of the manual, enter the command
Now that the software is successfully installed, the next step is to set up a configuration file. The default location of the file is /etc/chrony.conf. Several examples of configuration with comments are included in the examples directory. Suppose you want to use public NTP servers from the pool.ntp.org project as your time reference. A minimal useful configuration file could be
pool pool.ntp.org iburst makestep 1.0 3 rtcsync
chronyd can be run. For security reasons, it’s recommended to create an
unprivileged user for
chronyd and specify it with the
option or the
user directive in the configuration file, or set the default
user with the
--with-user configure option before building.
Support for system call filtering
chronyd can be built with support for the Linux secure computing (seccomp)
facility. This requires development files for the
libseccomp library and the
--enable-scfilter option specified to
-F option of
chronyd will enable a system call filter, which should significantly reduce
the kernel attack surface and possibly prevent kernel exploits from
if it is compromised.
Support for line editing libraries
chronyc can be built with support for line editing, this allows you to use
the cursor keys to replay and edit old commands. Two libraries are supported
which provide such functionality, editline and GNU readline.
Please note that readline since version 6.0 is licensed under GPLv3+ which is incompatible with chrony’s license GPLv2. You should use editline instead if you don’t want to use older readline versions.
configure script will automatically enable the line editing support if
one of the supported libraries is available. If they are both available, the
editline library will be used.
If you don’t want to use it (in which case
chronyc will use a minimal command
line interface), invoke
configure like this:
./configure --disable-readline other-options...
If you have editline, readline or ncurses installed in locations that aren’t normally searched by the compiler and linker, you need to use extra options:
This defines the name of the directory above the one where
readline.his assumed to be in
readlinesubdirectory of the named directory.
This defines the directory containing the
This defines the directory containing the
Extra options for package builders
make procedures have some extra options that may be
useful if you are building a distribution package for
--mandir=DIR option to
configure specifies an installation directory
for the man pages. This overrides the
man subdirectory of the argument to the
./configure --prefix=/usr --mandir=/usr/share/man
to set both options together.
The final option is the
DESTDIR option to the
make command. For example,
you could use the commands
./configure --prefix=/usr --mandir=/usr/share/man make all docs make install DESTDIR=./tmp cd tmp tar cvf - . | gzip -9 > chrony.tar.gz
to build a package. When untarred within the root directory, this will install the files to the intended final locations.