openstack-ansible-security/doc/metadata/rhel6/V-38620.rst

---id: V-38620 status: implemented tag: misc ---

The chrony service is installed to manage clock synchronization for hosts and to serve as an NTP server for NTP clients. Chrony was chosen over ntpd because it's actively maintained and has some enhancements for virtualized environments.

Deployers can opt out of the chrony installation by setting the following Ansible variable:

security_enable_chrony: no

There are two configurations available for users to adjust chrony's default configuration:

The security_ntp_servers variable is a list of NTP servers that chrony should use to synchronize time. They are set to North American NTP servers by default.

The security_allowed_ntp_subnets variable is a list of subnets (in CIDR notation) that are allowed to reach your servers running chrony. A sane default is chosen (all RFC1918 networks are allowed), but this can be easily adjusted.

For more information on chrony, review the chrony documentation at the upstream site, or run man chrony on a host with chrony installed.