Proposal about NTP in cnMaestro On-Premise

Products cnMaestro
1

Proposal about NTP in cnMaestro On-Premise

:round_pushpin: Context

During the installation and operation of cnMaestro On-Premise, the following error appears even though system time synchronization works correctly:

Failed to enable unit: Unit file /etc/systemd/system/ntp.service is masked.

This issue occurs on modern Linux distributions where Chrony is used instead of the legacy ntpd service.

:gear: Root Cause

  • The cnMaestro On-Premise installer explicitly expects the presence of the ntp.service unit (used by the classic ntpd daemon).

  • On recent Debian/Ubuntu versions, the Chrony package replaces ntpd and masks the ntp.service unit to prevent conflicts.

  • As a result, cnMaestro cannot enable ntp.service, even though Chrony is correctly installed, running, and synchronizing system time.

:puzzle_piece: Workaround Implemented

  1. Verified that Chrony was running and synchronized correctly:

    systemctl status chronyd
chronyc tracking
chronyc sources -v
ss -ulpn | grep chronyd

    → Chrony was active, synchronized with external servers (e.g., time2.google.com), and listening on UDP port 123.

  2. Created a dummy compatibility service for ntp.service so cnMaestro could detect an “NTP service” without interfering with Chrony:

    sudo bash -c 'cat > /etc/systemd/system/ntp.service <<EOF
[Unit]
Description=Compatibility NTP service (redirected to Chrony)
After=network.target chrony.service
Requires=chrony.service

[Service]
Type=oneshot
ExecStart=/bin/true
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable ntp
systemctl start ntp
'

    → This allowed systemctl enable ntp to succeed and prevented the “masked” error.

  3. Reactivated Chrony as the real NTP engine:

    systemctl disable ntp
systemctl stop ntp
systemctl start chronyd
systemctl enable chrony

  4. Outcome:

    • cnMaestro installer completes successfully (no more NTP enablement error).

    • Chrony continues handling time synchronization properly.

    • However, the cnMaestro web admin still reports “NTP not synchronized”, likely because it checks for ntpd rather than chronyd or system time status.

:compass: Suggested Improvements for Cambium Networks

  1. Update cnMaestro On-Premise’s NTP detection logic to:

    • Accept both chronyd and ntpd as valid synchronization services.

    • Query synchronization status using:

      timedatectl show | grep NTPSynchronized

      or chronyc tracking when ntpd is not present.

    • Avoid hard-coded calls to systemctl enable ntp.

  2. Add an option during setup or in the admin UI to select the system time backend:

    • Use systemd-timesyncd

    • Use chrony

    • Use ntpd

  3. Avoid masking/unmasking NTP-related services automatically during installation, as this may disrupt correctly configured time services on modern systems.

:white_check_mark: Final State after Workaround

Component Status Notes
chronyd Active (running) Synchronizing with external NTP sources
ntp.service Dummy service (active/exited) Exists to satisfy cnMaestro installer
cnMaestro Installer passes without error Web UI still shows “Not synchronized”

Summary:
cnMaestro On-Premise currently only recognizes ntpd as the system time service. Modern distributions use Chrony by default, leading to false synchronization errors and failed service enablement.
Updating cnMaestro to detect and support Chrony (or systemd-timesyncd) would improve compatibility and reliability on current Linux platforms.

thank you