Do I need to run an NTP server in every VM?

zimbatm asked:

Couldn’t the guests somehow inherit the system time of the host?

It seems kind of pointless to run the same daemon to get the same results on the same machine multiple times but I didn’t find anything related to time when reading KVM or Xen articles.
My understanding is that the guest gets the host time on boot but that it might then drift apart. Is that correct?

My answer:

In a perfect world, your VM guests would keep perfect time, or at least as perfect as the host provides. Unfortunately we don’t live in a perfect world.

Based on my experience with virtually every hypervisor known to man, I always run an NTP client in virtual machines, without exception. My usual setup is ntpd with the -g option, or ntpdate starting right before it for old systems, to step the clock (which may be far out of sync at system boot).

KVM has nearly the perfect setup, with its paravirtualized realtime clock; guests with the appropriate driver (all recent Linux, at least) will keep time as well as the host. But still things go wrong here: For instance, the host may not be running NTP, the host may have an incorrect time zone set, the host’s clock may just be plain wrong, etc.

VMware and Hyper-V fall in the middle. Each has a tool meant to be run on the guest which syncs the clock with the host periodically, but again, this is vulnerable to any existing problems with the host clock.

Guests on my test Hyper-V server also exhibited some strange behavior: even with integration services, the guest clock would drift faster than 500 ppm, preventing ntpd from working (it considers the clock insane if it drifts faster than this). I had to switch these guests to chrony, which allows this value to be adjusted.

Xen is the worst in this respect; it has absolutely no synchronization and running NTP in the guests is pretty much required. (I am told that very recent versions of Xen have some sort of synchronization but haven’t personally worked with it yet.)

Things just get worse if the host hypervisor isn’t under your control, such as a public cloud. You are at the mercy of the provider with respect to the host clock, and if they aren’t diligent in keeping it synchronized, you lose.

With all that, running NTP clients in your virtual machines is pretty much required if you need even a semi-accurate clock. NB: If you run Windows virtual machines, get a third-party NTP client that adjusts the clock continuously; the poor excuse for a client that comes with Windows only adjusts the clock once a week, which is utterly ridiculous.

View the full question and answer on Server Fault.
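
As an added example (not part of the original answer, and not code from chrony or ntpd): a shell check that reads `chronyc tracking` output and reports whether a guest's clock frequency error is past the 500 ppm limit mentioned in the answer. The sample output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag a guest whose clock frequency error is beyond the
# 500 ppm figure quoted in the answer as the point where ntpd stops working.
NTPD_LIMIT_PPM=500

# Constructed sample in the layout printed by `chronyc tracking`
# (server name and all values are made up for this example).
SAMPLE_TRACKING='Reference ID    : C0000201 (ntp.example.net)
Stratum         : 3
System time     : 0.000412000 seconds slow of NTP time
Frequency       : 612.480 ppm slow
Residual freq   : +0.012 ppm
Skew            : 0.950 ppm
Leap status     : Normal'

# Read tracking text on stdin and print the frequency error in ppm.
# chronyc prints the magnitude followed by "slow" or "fast", so no sign handling.
# Exits non-zero when no "Frequency" line is present (e.g. chronyd not running).
freq_ppm() {
    awk -F' *: *' '
        $1 == "Frequency" { split($2, f, " "); print f[1]; found = 1 }
        END { if (!found) exit 1 }'
}

# Read tracking text on stdin and print "exceeds", "ok" or "unknown".
# $1 overrides the limit in ppm (default: NTPD_LIMIT_PPM).
drift_verdict() {
    limit=${1:-$NTPD_LIMIT_PPM}
    ppm=$(freq_ppm) || { echo "unknown"; return 2; }
    awk -v p="$ppm" -v l="$limit" 'BEGIN {
        v = (p + 0 > l + 0) ? "exceeds" : "ok"
        print v
    }'
}

# Demonstration on the constructed sample; prints "exceeds".
printf '%s\n' "$SAMPLE_TRACKING" | drift_verdict
```

On a live guest running chronyd, the same check is `chronyc tracking | drift_verdict`.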

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.