Set the time for your Linux instance
A consistent and accurate time reference on your Linux instance is crucial for many server tasks and processes. Time stamps in system logs play an essential role in identifying when issues occurred and the chronological order of events. When you use the AWS CLI or an AWS SDK to make requests from your instance, these tools sign requests on your behalf. If your instance's date and time settings are inaccurate, it can result in a discrepancy between the date in the signature and the date of the request, leading to AWS rejecting your requests.
To address this important aspect, Amazon offers the Amazon Time Sync Service, which is accessible from all EC2 instances and used by various AWS services. The service uses a fleet of satellite-connected and atomic reference clocks in each AWS Region to deliver accurate and current time readings of the Coordinated Universal Time (UTC) global standard.
The Amazon Time Sync Service either uses the Network Time Protocol (NTP), or provides a local Precision Time Protocol (PTP) hardware clock on supported instances. The PTP hardware clock supports either NTP or a direct PTP connection. The NTP and direct PTP connections use the same highly accurate time source, but the direct PTP connection is more accurate than the NTP connection. The NTP connection to the Amazon Time Sync Service supports leap smearing while the PTP connection to the PTP hardware clock does not smear time. For more information, see Leap seconds.
For a backup to the local Amazon Time Sync Service on your instance, and to connect resources outside of
Amazon EC2 to the Amazon Time Sync Service, you can use the public Amazon Time Sync Service located at time.aws.com
. The
public Amazon Time Sync Service, like the local Amazon Time Sync Service, automatically smears any leap seconds that are added
to UTC. The public Amazon Time Sync Service is supported globally by our fleet of satellite-connected and
atomic reference clocks in each AWS Region.
For Windows instances, see Set the time for your Windows instance.
Topics
Set your instance to use the local Amazon Time Sync Service
Your instances can access the local Amazon Time Sync Service as follows:
-
Through NTP at the following IP address endpoints:
-
IPv4:
169.254.169.123
-
IPv6:
fd00:ec2::123
(Only accessible by instances built on the Nitro System.)
-
-
Through a direct PTP connection to connect to a local PTP hardware clock:
-
PHC0
-
NTP and PTP connections do not require any VPC configuration changes, and your instance does not require access to the internet.
The PTP hardware clock is part of the Nitro System, so it is directly accessible on supported bare metal and virtualized EC2 instances without using any customer resources.
The NTP endpoints to the PTP hardware clock are the same as the regular Amazon Time Sync Service connection over IPv4 or IPv6. If your software is configured to the NTP endpoint and is running on an instance with a PTP hardware clock, it will be connected to the PTP hardware clock automatically over NTP.
Amazon Linux 2023 and the latest versions of Amazon Linux 2 and Amazon Linux AMIs are configured to use the Amazon Time Sync Service IPv4 endpoint by default. No further configuration is required for instances launched from these AMIs unless you want to use the IPv6 endpoint or connect directly to the PTP hardware clock. For the IPv6 configuration instructions, see Connect to the IPv6 endpoint of the Amazon Time Sync Service. For the PTP hardware clock configuration instructions, see Connect to the PTP hardware clock.
If you're using an AMI that doesn't have the Amazon Time Sync Service configured by default,
use one of the following procedures to configure the Amazon Time Sync Service on your instance using the
chrony
client.
Contents
Connect to the IPv4 endpoint of the Amazon Time Sync Service
This section describes how to configure your instance to use the local Amazon Time Sync Service through
the IPv4 endpoint. It requires adding a server entry for the Amazon Time Sync Service to the
chrony
configuration file. On the latest versions of these AMIs,
chrony
is already installed and configured to use the Amazon Time Sync Service IPv4
endpoint.
Use the instructions for your instance's operating system.
Connect to the IPv6 endpoint of the Amazon Time Sync Service
This section explains how the steps described in Connect to the IPv4 endpoint of the Amazon Time Sync Service differ if you are configuring your instance to use the local Amazon Time Sync Service through the IPv6 endpoint. It doesn't explain the entire Amazon Time Sync Service configuration process.
The IPv6 endpoint is only accessible on instances built on the Nitro System.
Note
We don't recommend using both the IPv4 and IPv6 endpoint entries together in your chrony.conf file. The IPv4 and IPv6 NTP packets come from the same local server for your instance. Configuring both IPv4 and IPv6 endpoints is unnecessary and will not improve the accuracy of the time on your instance.
Depending on the Linux distribution you are using, when you reach the step to edit the
chrony.conf file, you'll be using the IPv6 endpoint of the Amazon Time Sync Service
(fd00:ec2::123
) rather than the IPv4 endpoint
(169.254.169.123
):
server fd00:ec2::123 prefer iburst minpoll 4 maxpoll 4
Save the file and verify that chrony
is using the
fd00:ec2::123
IPv6 endpoint to synchronize time:
[ec2-user ~]$
chronyc sources -v
In the output, if you see the fd00:ec2::123
IPv6 endpoint, the
configuration is complete.
Connect to the PTP hardware clock
This section describes how to configure your instance to use the local Amazon Time Sync Service
through the PTP hardware clock using a direct PTP connection. It requires adding a
server entry for the PTP hardware clock to the chrony
configuration
file.
If your instance has a PTP hardware clock and you configured the NTP connection (to either the IPv4 or the IPv6 endpoint), your instance time is automatically sourced from the PTP hardware clock. The steps below configure the direct PTP connection, which will give you more accurate time than the NTP connection.
Requirements
The PTP hardware clock is available on an instance when the following requirements are met:
-
Supported AWS Region: Asia Pacific (Tokyo)
-
Supported instance family: R7g
-
ENA driver version 2.10.0 or later installed on a supported operating system. For more information about supported operating systems, see the driver prerequisites
on GitHub.
To connect to the PTP hardware clock
-
Connect to your instance and install the Linux kernel driver for Elastic Network Adapter (ENA) version 2.10.0 or later. For the installation instructions, see Linux kernel driver for Elastic Network Adapter (ENA) family
on GitHub. -
Verify that the
/dev/ptp0
device shows up on your instance.[ec2-user ~]$
ls /dev/ptp0
The following is the expected output. If
/dev/ptp0
is not in the output, the ENA driver was not correctly installed. Review step 1 in this procedure for installing the driver./dev/ptp0
-
Edit
/etc/chrony.conf
using a text editor and add the following line anywhere in the file.refclock PHC /dev/ptp0 poll 0 delay 0.000010 prefer
-
Restart chrony using the following command.
[ec2-user ~]$
sudo systemctl restart chronyd
-
Verify that chrony is using the PTP hardware clock to synchronize the time on this instance.
[ec2-user ~]$
chronyc sources
Expected output
MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== #* PHC0 0 0 377 1 +2ns[ +1ns] +/- 5031ns
In the output that's returned,
*
indicates the preferred time source.PHC0
corresponds to the PTP hardware clock. You might need to wait a few seconds after restarting chrony for the asterisk to appear.
Set your instance or any internet-connected device to use the public Amazon Time Sync Service
You can set your instance, or any internet-connected device such as your local
computer or an on-prem server, to use the public Amazon Time Sync Service, which is accessible over the
internet at time.aws.com
. You can use the public Amazon Time Sync Service as a backup for the
local Amazon Time Sync Service and to connect resources outside of AWS to the Amazon Time Sync Service.
Depending on the operating system of your instance or device, use one of the following procedures to set your instance or device to use the public Amazon Time Sync Service.
Compare timestamps
If you're using the Amazon Time Sync Service, you can compare the timestamps on your Amazon EC2 instances with ClockBound to determine the true time of an event. ClockBound measures the clock accuracy of your EC2 instance, and allows you to check if a given timestamp is in the past or future with respect to your instance's current clock. This information is valuable for determining the order and consistency of events and transactions across EC2 instances, independent of each instance's geographic location.
ClockBound is an open source daemon and library. To learn more about ClockBound,
including installation instructions, see ClockBound
If you're using the direct PTP connection to the PTP hardware clock, your time daemon,
such as chrony, will underestimate the clock error bound. This is because
a PTP hardware clock does not pass the correct error bound information to
chrony, the way that NTP does. As a result, your clock
synchronization daemon assumes the clock is accurate to UTC and thus has an error bound
of 0
. To measure the full error bound, the Nitro System calculates the
error bound of the PTP hardware clock, and makes it available it to your EC2 instance
over the ENA driver sysfs
filesystem. You can read this directly as a
value, in nanoseconds, using the following command:
cat /sys/devices/pci0000:00/0000:00:05.0/phc_error_bound
The output is the clock error bound of the PTP hardware clock, in nanoseconds.
To calculate the correct clock error bound at a specific point in time when using the
direct PTP connection to the PTP hardware clock, you must add the clock error bound from
chrony or ClockBound at the time that chrony polls the
PTP hardware clock. For more information about measuring and monitoring clock accuracy,
see Manage Amazon EC2 instance clock accuracy using Amazon Time Sync Service and Amazon
CloudWatch – Part 1
Change the time zone on your instance
Amazon Linux instances are set to the UTC (Coordinated Universal Time) time zone by default. You can change the time on an instance to the local time zone or to another time zone in your network.
Important
This information applies to Amazon Linux. For information about other distributions, see their specific documentation.
To change the time zone on an Amazon Linux 2023 or Amazon Linux 2 instance
-
View the system's current time zone setting.
[ec2-user ~]$
timedatectl
-
List the available time zones.
[ec2-user ~]$
timedatectl list-timezones
-
Set the chosen time zone.
[ec2-user ~]$
sudo timedatectl set-timezone
America/Vancouver
-
(Optional) Confirm that the current time zone is updated to the new time zone by running the timedatectl command again.
[ec2-user ~]$
timedatectl
To change the time zone on an Amazon Linux instance
-
Identify the time zone to use on the instance. The
/usr/share/zoneinfo
directory contains a hierarchy of time zone data files. Browse the directory structure at that location to find a file for your time zone.[ec2-user ~]$
ls /usr/share/zoneinfo
Africa Chile GB Indian Mideast posixrules US America CST6CDT GB-Eire Iran MST PRC UTC Antarctica Cuba GMT iso3166.tab MST7MDT PST8PDT WET Arctic EET GMT0 Israel Navajo right W-SU ...
Some of the entries at this location are directories (such as
America
), and these directories contain time zone files for specific cities. Find your city (or a city in your time zone) to use for the instance. -
Update the
/etc/sysconfig/clock
file with the new time zone. In this example, we use the time zone data file for Los Angeles,/usr/share/zoneinfo/America/Los_Angeles
.-
Open the
/etc/sysconfig/clock
file with a text editor (such as vim or nano). You need to use sudo with your editor command because/etc/sysconfig/clock
is owned byroot
.[ec2-user ~]$
sudo
nano
/etc/sysconfig/clock -
Locate the
ZONE
entry, and change it to the time zone file (omitting the/usr/share/zoneinfo
section of the path). For example, to change to the Los Angeles time zone, change theZONE
entry to the following:ZONE="
America/Los_Angeles
"Note
Do not change the
UTC=true
entry to another value. This entry is for the hardware clock, and does not need to be adjusted when you're setting a different time zone on your instance. -
Save the file and exit the text editor.
-
-
Create a symbolic link between
/etc/localtime
and the time zone file so that the instance finds the time zone file when it references local time information.[ec2-user ~]$
sudo ln -sf /usr/share/zoneinfo/
America/Los_Angeles
/etc/localtime -
Reboot the system to pick up the new time zone information in all services and applications.
[ec2-user ~]$
sudo reboot
-
(Optional) Confirm that the current time zone is updated to the new time zone by using the date command. The current time zone appears in the output. In the following example, the current time zone is PDT, which refers to the Los Angeles time zone.
[ec2-user ~]$
date
Sun Aug 16 05:45:16 PDT 2020
Leap seconds
Leap seconds, introduced in 1972, are occasional one-second adjustments to UTC time to
factor in irregularities in the earth’s rotation in order to accommodate differences
between International Atomic Time (TAI) and solar time (Ut1). To manage leap seconds on
behalf of customers, we designed leap second smearing within the Amazon Time Sync Service. For more
information, see Look Before You
Leap – The Coming Leap Second and AWS
Leap seconds are going away, and we are in full support of the decision made at the 27th General Conference on
Weights and Measures to abandon leap seconds by or before 2035
To support this transition, we still plan on smearing time during a leap second event
when accessing the Amazon Time Sync Service over the local NTP connection or our public NTP pools
(time.aws.com
). The PTP hardware clock, however, does not provide a
smeared time option. In the event of a leap second, the PTP hardware clock will add the
leap second following UTC standards. Leap-smeared and leap second time sources are the
same in most cases. But because they differ during a leap second event, we do not
recommend using both smeared and non-smeared time sources in your time client
configuration during a leap second event.