Set the time for your Linux instance - Amazon Elastic Compute Cloud

Set the time for your Linux instance

A consistent and accurate time reference on your Linux instance is crucial for many server tasks and processes. Time stamps in system logs play an essential role in identifying when issues occurred and the chronological order of events. When you use the AWS CLI or an AWS SDK to make requests from your instance, these tools sign requests on your behalf. If your instance's date and time settings are inaccurate, it can result in a discrepancy between the date in the signature and the date of the request, leading to AWS rejecting your requests.

To address this important aspect, Amazon offers the Amazon Time Sync Service, which is accessible from all EC2 instances and used by various AWS services. The service uses a fleet of satellite-connected and atomic reference clocks in each AWS Region to deliver accurate and current time readings of the Coordinated Universal Time (UTC) global standard.

The Amazon Time Sync Service either uses the Network Time Protocol (NTP), or provides a local Precision Time Protocol (PTP) hardware clock on supported instances. The PTP hardware clock supports either NTP or a direct PTP connection. The NTP and direct PTP connections use the same highly accurate time source, but the direct PTP connection is more accurate than the NTP connection. The NTP connection to the Amazon Time Sync Service supports leap smearing while the PTP connection to the PTP hardware clock does not smear time. For more information, see Leap seconds.

For a backup to the local Amazon Time Sync Service on your instance, and to connect resources outside of Amazon EC2 to the Amazon Time Sync Service, you can use the public Amazon Time Sync Service located at time.aws.com. The public Amazon Time Sync Service, like the local Amazon Time Sync Service, automatically smears any leap seconds that are added to UTC. The public Amazon Time Sync Service is supported globally by our fleet of satellite-connected and atomic reference clocks in each AWS Region.

For Windows instances, see Set the time for your Windows instance.

Set your instance to use the local Amazon Time Sync Service

Your instances can access the local Amazon Time Sync Service as follows:

  • Through NTP at the following IP address endpoints:

    • IPv4: 169.254.169.123

    • IPv6: fd00:ec2::123 (Only accessible by instances built on the Nitro System.)

  • Through a direct PTP connection to connect to a local PTP hardware clock:

    • PHC0

NTP and PTP connections do not require any VPC configuration changes, and your instance does not require access to the internet.

The PTP hardware clock is part of the Nitro System, so it is directly accessible on supported bare metal and virtualized EC2 instances without using any customer resources.

The NTP endpoints to the PTP hardware clock are the same as the regular Amazon Time Sync Service connection over IPv4 or IPv6. If your software is configured to the NTP endpoint and is running on an instance with a PTP hardware clock, it will be connected to the PTP hardware clock automatically over NTP.

AL2023 and the latest versions of Amazon Linux 2 and Amazon Linux AMIs are configured to use the Amazon Time Sync Service IPv4 endpoint by default. No further configuration is required for instances launched from these AMIs unless you want to use the IPv6 endpoint or connect directly to the PTP hardware clock. For the IPv6 configuration instructions, see Connect to the IPv6 endpoint of the Amazon Time Sync Service. For the PTP hardware clock configuration instructions, see Connect to the PTP hardware clock.

If you're using an AMI that doesn't have the Amazon Time Sync Service configured by default, use one of the following procedures to configure the Amazon Time Sync Service on your instance using the chrony client.

Connect to the IPv4 endpoint of the Amazon Time Sync Service

This section describes how to configure your instance to use the local Amazon Time Sync Service through the IPv4 endpoint. It requires adding a server entry for the Amazon Time Sync Service to the chrony configuration file. On the latest versions of these AMIs, chrony is already installed and configured to use the Amazon Time Sync Service IPv4 endpoint.

Use the instructions for your instance's operating system.

Amazon Linux
Note

On AL2023 and the latest versions of Amazon Linux 2 and Amazon Linux AMI, chrony is already installed and configured to use the Amazon Time Sync Service IPv4 endpoint. If you're using one of these latest AMIs, you can skip this procedure.

To connect to the IPv4 endpoint of the Amazon Time Sync Service on Amazon Linux using chrony
  1. Connect to your instance and uninstall the NTP service.

    [ec2-user ~]$ sudo yum erase 'ntp*'
  2. Install the chrony package.

    [ec2-user ~]$ sudo yum install chrony
  3. Open the /etc/chrony.conf file using a text editor (such as vim or nano). Verify that the file includes the following line:

    server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4

    If the line is present, then the Amazon Time Sync Service is already configured to use the IPv4 endpoint of the Amazon Time Sync Service and you can go to the next step. If not, add the line after any other server or pool statements that are already present in the file, and save your changes.

  4. Restart the chrony daemon (chronyd).

    [ec2-user ~]$ sudo service chronyd restart
    Starting chronyd: [ OK ]
    Note

    On RHEL and CentOS (up to version 6), the service name is chrony instead of chronyd.

  5. To configure chronyd to start at each system boot, use the chkconfig command.

    [ec2-user ~]$ sudo chkconfig chronyd on
  6. Verify that chrony is using the 169.254.169.123 IPv4 endpoint to synchronize the time.

    [ec2-user ~]$ chronyc sources -v
    210 Number of sources = 7 .-- Source mode '^' = server, '=' = peer, '#' = local clock. / .- Source state '*' = current synced, '+' = combined , '-' = not combined, | / '?' = unreachable, 'x' = time may be in error, '~' = time too variable. || .- xxxx [ yyyy ] +/- zzzz || Reachability register (octal) -. | xxxx = adjusted offset, || Log2(Polling interval) --. | | yyyy = measured offset, || \ | | zzzz = estimated error. || | | \ MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* 169.254.169.123 3 6 17 43 -30us[ -226us] +/- 287us ^- ec2-12-34-231-12.eu-west> 2 6 17 43 -388us[ -388us] +/- 11ms ^- tshirt.heanet.ie 1 6 17 44 +178us[ +25us] +/- 1959us ^? tbag.heanet.ie 0 6 0 - +0ns[ +0ns] +/- 0ns ^? bray.walcz.net 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2a05:d018:c43:e312:ce77:> 0 6 0 - +0ns[ +0ns] +/- 0ns ^? 2a05:d018:dab:2701:b70:b> 0 6 0 - +0ns[ +0ns] +/- 0ns

    In the output that's returned, ^* indicates the preferred time source.

  7. Verify the time synchronization metrics that are reported by chrony.

    [ec2-user ~]$ chronyc tracking
    Reference ID : A9FEA97B (169.254.169.123) Stratum : 4 Ref time (UTC) : Wed Nov 22 13:18:34 2017 System time : 0.000000626 seconds slow of NTP time Last offset : +0.002852759 seconds RMS offset : 0.002852759 seconds Frequency : 1.187 ppm fast Residual freq : +0.020 ppm Skew : 24.388 ppm Root delay : 0.000504752 seconds Root dispersion : 0.001112565 seconds Update interval : 64.4 seconds Leap status : Normal
Ubuntu
To connect to the IPv4 endpoint of the Amazon Time Sync Service on Ubuntu using chrony
  1. Connect to your instance and use apt to install the chrony package.

    ubuntu:~$ sudo apt install chrony
    Note

    If necessary, update your instance first by running sudo apt update.

  2. Open the /etc/chrony/chrony.conf file using a text editor (such as vim or nano). Add the following line before any other server or pool statements that are already present in the file, and save your changes:

    server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
  3. Restart the chrony service.

    ubuntu:~$ sudo /etc/init.d/chrony restart
    Restarting chrony (via systemctl): chrony.service.
  4. Verify that chrony is using the 169.254.169.123 IPv4 endpoint to synchronize the time.

    ubuntu:~$ chronyc sources -v
    210 Number of sources = 7 .-- Source mode '^' = server, '=' = peer, '#' = local clock. / .- Source state '*' = current synced, '+' = combined , '-' = not combined, | / '?' = unreachable, 'x' = time may be in error, '~' = time too variable. || .- xxxx [ yyyy ] +/- zzzz || Reachability register (octal) -. | xxxx = adjusted offset, || Log2(Polling interval) --. | | yyyy = measured offset, || \ | | zzzz = estimated error. || | | \ MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* 169.254.169.123 3 6 17 12 +15us[ +57us] +/- 320us ^- tbag.heanet.ie 1 6 17 13 -3488us[-3446us] +/- 1779us ^- ec2-12-34-231-12.eu-west- 2 6 17 13 +893us[ +935us] +/- 7710us ^? 2a05:d018:c43:e312:ce77:6 0 6 0 10y +0ns[ +0ns] +/- 0ns ^? 2a05:d018:d34:9000:d8c6:5 0 6 0 10y +0ns[ +0ns] +/- 0ns ^? tshirt.heanet.ie 0 6 0 10y +0ns[ +0ns] +/- 0ns ^? bray.walcz.net 0 6 0 10y +0ns[ +0ns] +/- 0ns

    In the output that's returned, on the line starting with ^* indicates the preferred time source.

  5. Verify the time synchronization metrics that are reported by chrony.

    ubuntu:~$ chronyc tracking
    Reference ID : 169.254.169.123 (169.254.169.123) Stratum : 4 Ref time (UTC) : Wed Nov 29 07:41:57 2017 System time : 0.000000011 seconds slow of NTP time Last offset : +0.000041659 seconds RMS offset : 0.000041659 seconds Frequency : 10.141 ppm slow Residual freq : +7.557 ppm Skew : 2.329 ppm Root delay : 0.000544 seconds Root dispersion : 0.000631 seconds Update interval : 2.0 seconds Leap status : Normal
SUSE Linux

Starting with SUSE Linux Enterprise Server 15, chrony is the default implementation of NTP.

To connect to IPv4 endpoint of the Amazon Time Sync Service on SUSE Linux using chrony
  1. Open the /etc/chrony.conf file using a text editor (such as vim or nano).

  2. Verify that the file contains the following line:

    server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4

    If this line is not present, add it.

  3. Comment out any other server or pool lines.

  4. Open yaST and enable the chrony service.

Connect to the IPv6 endpoint of the Amazon Time Sync Service

This section explains how the steps described in Connect to the IPv4 endpoint of the Amazon Time Sync Service differ if you are configuring your instance to use the local Amazon Time Sync Service through the IPv6 endpoint. It doesn't explain the entire Amazon Time Sync Service configuration process.

The IPv6 endpoint is only accessible on instances built on the Nitro System.

Note

We don't recommend using both the IPv4 and IPv6 endpoint entries together in your chrony.conf file. The IPv4 and IPv6 NTP packets come from the same local server for your instance. Configuring both IPv4 and IPv6 endpoints is unnecessary and will not improve the accuracy of the time on your instance.

Depending on the Linux distribution you are using, when you reach the step to edit the chrony.conf file, you'll be using the IPv6 endpoint of the Amazon Time Sync Service (fd00:ec2::123) rather than the IPv4 endpoint (169.254.169.123):

server fd00:ec2::123 prefer iburst minpoll 4 maxpoll 4

Save the file and verify that chrony is using the fd00:ec2::123 IPv6 endpoint to synchronize time:

[ec2-user ~]$ chronyc sources -v

In the output, if you see the fd00:ec2::123 IPv6 endpoint, the configuration is complete.

Connect to the PTP hardware clock

This section describes how to configure your instance to use the local Amazon Time Sync Service through the PTP hardware clock using a direct PTP connection. It requires adding a server entry for the PTP hardware clock to the chrony configuration file.

If your instance has a PTP hardware clock and you configured the NTP connection (to either the IPv4 or the IPv6 endpoint), your instance time is automatically sourced from the PTP hardware clock. The steps below configure the direct PTP connection, which will give you more accurate time than the NTP connection.

Requirements

The PTP hardware clock is available on an instance when the following requirements are met:

  • Supported AWS Region: Asia Pacific (Tokyo)

  • Supported instance family: R7g

  • ENA driver version 2.10.0 or later installed on a supported operating system. For more information about supported operating systems, see the driver prerequisites on GitHub.

To connect to the PTP hardware clock
  1. Connect to your instance and install the Linux kernel driver for Elastic Network Adapter (ENA) version 2.10.0 or later. For the installation instructions, see Linux kernel driver for Elastic Network Adapter (ENA) family on GitHub.

  2. Verify that the /dev/ptp0 device shows up on your instance.

    [ec2-user ~]$ ls /dev/ptp0

    The following is the expected output. If /dev/ptp0 is not in the output, the ENA driver was not correctly installed. Review step 1 in this procedure for installing the driver.

    /dev/ptp0
  3. Edit /etc/chrony.conf using a text editor and add the following line anywhere in the file.

    refclock PHC /dev/ptp0 poll 0 delay 0.000010 prefer
  4. Restart chrony using the following command.

    [ec2-user ~]$ sudo systemctl restart chronyd
  5. Verify that chrony is using the PTP hardware clock to synchronize the time on this instance.

    [ec2-user ~]$ chronyc sources

    Expected output

    MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== #* PHC0 0 0 377 1 +2ns[ +1ns] +/- 5031ns

    In the output that's returned, * indicates the preferred time source. PHC0 corresponds to the PTP hardware clock. You might need to wait a few seconds after restarting chrony for the asterisk to appear.

Set your instance or any internet-connected device to use the public Amazon Time Sync Service

You can set your instance, or any internet-connected device such as your local computer or an on-prem server, to use the public Amazon Time Sync Service, which is accessible over the internet at time.aws.com. You can use the public Amazon Time Sync Service as a backup for the local Amazon Time Sync Service and to connect resources outside of AWS to the Amazon Time Sync Service.

Depending on the operating system of your instance or device, use one of the following procedures to set your instance or device to use the public Amazon Time Sync Service.

Linux
To set your Linux instance or device to use the public Amazon Time Sync Service using chrony or ntpd
  1. Edit /etc/chrony.conf (if you use chrony) or /etc/ntp.conf (if you use ntpd) using a text editor as follows:

    1. To prevent your instance or device from trying to mix smeared and non-smeared servers, remove or comment out lines starting with server except any existing connection to the local Amazon Time Sync Service.

      Important

      If you're setting your EC2 instance to connect to the public Amazon Time Sync Service, do not remove the following line which sets your instance to connect to the local Amazon Time Sync Service. The local Amazon Time Sync Service is a more direct connection and will provide better clock accuracy. The public Amazon Time Sync Service should only be used as a backup.

      server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
    2. Add the following line to connect to the public Amazon Time Sync Service.

      pool time.aws.com iburst
  2. Restart the daemon using one of the following commands.

    • chrony

      sudo service chronyd force-reload
    • ntpd

      sudo service ntp reload
macOS
To set your macOS instance or device to use the public Amazon Time Sync Service
  1. Open System Preferences.

  2. Choose Date & Time, and then choose the Date & Time tab.

  3. To make changes, choose the lock icon, and enter your password when prompted.

  4. For Set date and time automatically, enter time.aws.com.

Windows
To set your Windows instance or device to use the public Amazon Time Sync Service
  1. Open the Control Panel.

  2. Choose the Date and Time icon.

  3. Choose the Internet Time tab. This tab is not be available if your PC is part of a domain. In this case, it will synchronize time with the domain controller. You can configure the controller to use the public Amazon Time Sync Service.

  4. Choose Change settings.

  5. Select the check box for Synchronize with an Internet time server.

  6. Next to Server, enter time.aws.com.

To set your Windows Server instance or device to use the public Amazon Time Sync Service

Compare timestamps

If you're using the Amazon Time Sync Service, you can compare the timestamps on your Amazon EC2 instances with ClockBound to determine the true time of an event. ClockBound measures the clock accuracy of your EC2 instance, and allows you to check if a given timestamp is in the past or future with respect to your instance's current clock. This information is valuable for determining the order and consistency of events and transactions across EC2 instances, independent of each instance's geographic location.

ClockBound is an open source daemon and library. To learn more about ClockBound, including installation instructions, see ClockBound on GitHub.

If you're using the direct PTP connection to the PTP hardware clock, your time daemon, such as chrony, will underestimate the clock error bound. This is because a PTP hardware clock does not pass the correct error bound information to chrony, the way that NTP does. As a result, your clock synchronization daemon assumes the clock is accurate to UTC and thus has an error bound of 0. To measure the full error bound, the Nitro System calculates the error bound of the PTP hardware clock, and makes it available it to your EC2 instance over the ENA driver sysfs filesystem. You can read this directly as a value, in nanoseconds, using the following command:

cat /sys/devices/pci0000:00/0000:00:05.0/phc_error_bound

The output is the clock error bound of the PTP hardware clock, in nanoseconds.

To calculate the correct clock error bound at a specific point in time when using the direct PTP connection to the PTP hardware clock, you must add the clock error bound from chrony or ClockBound at the time that chrony polls the PTP hardware clock. For more information about measuring and monitoring clock accuracy, see Manage Amazon EC2 instance clock accuracy using Amazon Time Sync Service and Amazon CloudWatch – Part 1.

Change the time zone on your instance

Amazon Linux instances are set to the UTC (Coordinated Universal Time) time zone by default. You can change the time on an instance to the local time zone or to another time zone in your network.

Important

This information applies to Amazon Linux. For information about other distributions, see their specific documentation.

To change the time zone on an AL2023 or Amazon Linux 2 instance
  1. View the system's current time zone setting.

    [ec2-user ~]$ timedatectl
  2. List the available time zones.

    [ec2-user ~]$ timedatectl list-timezones
  3. Set the chosen time zone.

    [ec2-user ~]$ sudo timedatectl set-timezone America/Vancouver
  4. (Optional) Confirm that the current time zone is updated to the new time zone by running the timedatectl command again.

    [ec2-user ~]$ timedatectl
To change the time zone on an Amazon Linux instance
  1. Identify the time zone to use on the instance. The /usr/share/zoneinfo directory contains a hierarchy of time zone data files. Browse the directory structure at that location to find a file for your time zone.

    [ec2-user ~]$ ls /usr/share/zoneinfo Africa Chile GB Indian Mideast posixrules US America CST6CDT GB-Eire Iran MST PRC UTC Antarctica Cuba GMT iso3166.tab MST7MDT PST8PDT WET Arctic EET GMT0 Israel Navajo right W-SU ...

    Some of the entries at this location are directories (such as America), and these directories contain time zone files for specific cities. Find your city (or a city in your time zone) to use for the instance.

  2. Update the /etc/sysconfig/clock file with the new time zone. In this example, we use the time zone data file for Los Angeles, /usr/share/zoneinfo/America/Los_Angeles.

    1. Open the /etc/sysconfig/clock file with a text editor (such as vim or nano). You need to use sudo with your editor command because /etc/sysconfig/clock is owned by root.

      [ec2-user ~]$ sudo nano /etc/sysconfig/clock
    2. Locate the ZONE entry, and change it to the time zone file (omitting the /usr/share/zoneinfo section of the path). For example, to change to the Los Angeles time zone, change the ZONE entry to the following:

      ZONE="America/Los_Angeles"
      Note

      Do not change the UTC=true entry to another value. This entry is for the hardware clock, and does not need to be adjusted when you're setting a different time zone on your instance.

    3. Save the file and exit the text editor.

  3. Create a symbolic link between /etc/localtime and the time zone file so that the instance finds the time zone file when it references local time information.

    [ec2-user ~]$ sudo ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
  4. Reboot the system to pick up the new time zone information in all services and applications.

    [ec2-user ~]$ sudo reboot
  5. (Optional) Confirm that the current time zone is updated to the new time zone by using the date command. The current time zone appears in the output. In the following example, the current time zone is PDT, which refers to the Los Angeles time zone.

    [ec2-user ~]$ date Sun Aug 16 05:45:16 PDT 2020

Leap seconds

Leap seconds, introduced in 1972, are occasional one-second adjustments to UTC time to factor in irregularities in the earth’s rotation in order to accommodate differences between International Atomic Time (TAI) and solar time (Ut1). To manage leap seconds on behalf of customers, we designed leap second smearing within the Amazon Time Sync Service. For more information, see Look Before You Leap – The Coming Leap Second and AWS.

Leap seconds are going away, and we are in full support of the decision made at the 27th General Conference on Weights and Measures to abandon leap seconds by or before 2035.

To support this transition, we still plan on smearing time during a leap second event when accessing the Amazon Time Sync Service over the local NTP connection or our public NTP pools (time.aws.com). The PTP hardware clock, however, does not provide a smeared time option. In the event of a leap second, the PTP hardware clock will add the leap second following UTC standards. Leap-smeared and leap second time sources are the same in most cases. But because they differ during a leap second event, we do not recommend using both smeared and non-smeared time sources in your time client configuration during a leap second event.