How to do proper VPS timekeeping?

Question

I'm configuring a VPS to log some time-series online data and I notice that the time is off. I'd like to have better than 10 second precision on this.

I read somewhere that VPS timekeeping is different than on native (x86) systems because the error differs according to the system load or something? And ntpd may not be suited for operation inside a VPS because of that?

Enough with the hearsay, I'd like to know: How do I maintain proper system time on a VPS? Does this differ per virtualization technology or VPS provider at all? And why would ntpd not be suited for operation inside a VPS?

Because there's no reason to avoid ntpd. It works fine and is standard practice. If you want to discuss a specific criticism of ntpd you've encountered, bring one up. — ceejayoz, Apr 29 '18 at 15:38
Is this a VM or a container? What is the hypervisor and guest OS? — John Mahowald, Apr 30 '18 at 01:06
@ceejayoz - Depends on the VPS; if it's container-based, it's very unlikely that ntpd will be able to control the clock. — Paul Gear, Apr 30 '18 at 09:54
@PaulGear IMO, a Dockerized web host isn't really selling "VPSes". — ceejayoz, Apr 30 '18 at 12:42

score 3 · Answer 1 · answered Apr 30 '18 at 01:50

If you have access to the hardware, virtual (VM) or physical (bare metal/hypervisor), you can and should use NTP to sync.

Do your own experiments by configuring ntpd and enabling statistics on a variety of hosts. Compare to your favorite reference clocks and see how they perform.

There are operational challenges to very accurate timekeeping and VMs. However, these tend to only matter at orders of magnitude better than single digit seconds.

Paul Gear · Accepted Answer · 2018-05-02T13:57:23.117

Short version: Timekeeping in containers (which is what most VPSes are) is the host's responsibility; you'll probably need to lobby your VPS provider to get this fixed.

Note: This advice does not apply if your VPS is a Xen (e.g. AWS), KVM (e.g. GCE), or Hyper-V (e.g. Azure) virtual machine. In that case, the kernel and its clock driver are virtualised, and you should treat them like you would a bare metal machine, and run an NTP client such as ntpd, chronyd, or systemd-timesyncd.

Longer version: If your VPS is a typical container, then NTP cannot discipline the local clock. The kernel clock is not containerised (namespaced), and most container managers (e.g. OpenVZ, Docker, LXC/LXD) do not grant the kernel time capability to containers. (See https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1589780 for discussion of this in the context of Ubuntu and Chrony.)

If you're renting your VPS from a typical provider, it sounds like they've either failed to configure NTP at all, or configured it poorly and aren't monitoring it.

You can use a configuration like https://gist.github.com/kuzetsa/4a64cd1a95260d0bc5cc1b8aeaba1878 to get ntpd to run in your container without trying to change the local clock (the disable kernel line is the important part). This will allow you to monitor the host's NTP server (if any); add pool.ntp.org or another public NTP service if you want to compare your VPS host's clock with some external sources.

@warren The most common VPS I've seen offered is based on OpenVZ, which is more a container than a VM. Typically with those you don't get true root access and can't choose your own OS image. — Paul Gear, May 01 '18 at 04:41
I haven't seen a container-based VPS in more than 5 years - they're all doing virtualization now, and have been for quite a while. — warren, May 01 '18 at 23:08

How to do proper VPS timekeeping?

2 Answers2