Does Proxmox VE support host–guest time synchronization similar to VMware?

[pulipulichen]

I would like to understand how time synchronization is handled in Proxmox VE.

In VMware, there is a host–guest time synchronization feature that keeps virtual machines aligned with the ESXi host time.

Is there an equivalent mechanism in Proxmox VE for synchronizing VM time with the node? If not, what is the recommended approach to ensure consistent and accurate time synchronization across VMs?

 

[leesteken]

I don't know VMware but for Linux VM you can use ptp_kvm as the clock source: https://forum.proxmox.com/threads/h...tween-qemu-guest-and-host.173396/#post-806460

 

[Johannes S]

Or use the same ntp server for the host and guests

 

[pulipulichen]

Thank you both for the helpful explanations!

I will look into using ptp_kvm as the clock source and also make sure that both the host and guests use the same NTP server.

Appreciate your guidance!

 

[Michiel_1afa]

in our env we run chrony on all linux vpms using ptp_kvm and that works very well. For windows we currently just sync with the NTP server in our network, which is also used by the pve hosts. The reason for using ptp_kvm is that is has less overhead, although one could argue that ntp is such little traffic it doesnt matter much.

 

[pulipulichen]

Thank you for the previous suggestions. I have a follow-up question regarding the VM configuration in Proxmox.

How does the approach of using ptp_kvm or a shared NTP server differ from the "Use local time for RTC" option found in the VM's Options tab?

 

[uzumo]

When synchronized with NTP, the RTC is typically not referenced.

For example, in Windows, it is referenced at startup. Once synchronization with NTP begins, the RTC is never referenced again. If synchronization with NTP has not started, it checks for discrepancies with the RTC approximately every hour.

Because it is hardcoded and cannot be changed, the resulting virtual machine has a highly unstable clock.

*Virtual machines are prone to time drift, so hourly synchronization cannot provide highly reliable time management.

 

[Michiel_1afa]

Thank you for the previous suggestions. I have a follow-up question regarding the VM configuration in Proxmox.

How does the approach of using ptp_kvm or a shared NTP server differ from the "Use local time for RTC" option found in the VM's Options tab?

This is not an 'ntp' option, this is for the startup of the vm, windows likes to have the system date/time in the local time zone, while *nix OS likes to have the system date/time in UTC. This option translates the host time for the vms to the timezone or not depending on that option. Which again, only works when the vm starts. After startup you have to rely on NTP in whatever form to keep the time synchronised.

 

[pulipulichen]

This is not an 'ntp' option, this is for the startup of the vm, windows likes to have the system date/time in the local time zone, while *nix OS likes to have the system date/time in UTC. This option translates the host time for the vms to the timezone or not depending on that option. Which again, only works when the vm starts. After startup you have to rely on NTP in whatever form to keep the time synchronised.

Thank you for the detailed explanation. It really cleared up my long-standing confusion. I previously thought checking "Use local time for RTC" was enough, but now I understand it only affects the initial boot and that a continuous sync mechanism is necessary.

in our env we run chrony on all linux vpms using ptp_kvm and that works very well. For windows we currently just sync with the NTP server in our network, which is also used by the pve hosts. The reason for using ptp_kvm is that is has less overhead, although one could argue that ntp is such little traffic it doesnt matter much.

I’m now trying to grasp the practical differences between ptp_kvm and standard NTP. Based on Michiel_1afa's suggestion, it seems using ptp_kvm for Linux and NTP for Windows is a solid strategy, given that ptp_kvm is more efficient and provides precise synchronization with the PVE host.

However, I have a follow-up question regarding Windows VMs:

In an environment where both the PVE host and the VMs are isolated from the internet (no external NTP access), what is the best way to keep Windows VMs synchronized?

Is it recommended to configure the PVE host as an NTP server (e.g., using Chrony or NTPd) and then point the Windows VMs to the PVE host's internal IP address? Or is there a more "native" KVM/Proxmox way to pass the host time to Windows without relying on network-based NTP?

Thanks again for your help!

 

[Michiel_1afa]

Is it recommended to configure the PVE host as an NTP server (e.g., using Chrony or NTPd) and then point the Windows VMs to the PVE host's internal IP address? Or is there a more "native" KVM/Proxmox way to pass the host time to Windows without relying on network-based NTP?

Not sure if it is 'The' recommended way, but as I mentioned, we rely on a NTP source in our network so it is reachable for all machines. In your case if you do not have the means to set up a dedicated NTP source, using one of the PVE hosts, or your router/switch as a NTP source will work fine.

For windows its even a bit more complicated depending on the windows setup you have, if you run Active Directory, windows likes to have the AD servers as its NTP target, which is fine. but you do want to make sure your AD server does have a reliable 'external' source

 

[unsichtbarre]

Thank you for the detailed explanation. It really cleared up my long-standing confusion. I previously thought checking "Use local time for RTC" was enough, but now I understand it only affects the initial boot and that a continuous sync mechanism is necessary.



I’m now trying to grasp the practical differences between ptp_kvm and standard NTP. Based on Michiel_1afa's suggestion, it seems using ptp_kvm for Linux and NTP for Windows is a solid strategy, given that ptp_kvm is more efficient and provides precise synchronization with the PVE host.

However, I have a follow-up question regarding Windows VMs:

In an environment where both the PVE host and the VMs are isolated from the internet (no external NTP access), what is the best way to keep Windows VMs synchronized?

Is it recommended to configure the PVE host as an NTP server (e.g., using Chrony or NTPd) and then point the Windows VMs to the PVE host's internal IP address? Or is there a more "native" KVM/Proxmox way to pass the host time to Windows without relying on network-based NTP?

Thanks again for your help!

I would look into something like this: Time Machines Relatively inexpensive and create a NTP/PTP server on your LAN.

Failing that, in the past when I have faced this challenge, I often prefer to create VMs as NTP time server. It is not accurate to any standard, however it keeps all referencing items in-sync with one and other which is important for most everything and authentication.

-JB

 

[pulipulichen]

For windows its even a bit more complicated depending on the windows setup you have, if you run Active Directory, windows likes to have the AD servers as its NTP target, which is fine. but you do want to make sure your AD server does have a reliable 'external' source

That’s a great point! I completely forgot that AD can also serve as the NTP target for the entire domain infrastructure.

On a related note, I’m actually planning to join my PVE host to the AD realm for authentication. Does joining the realm automatically handle time synchronization between the PVE host and the AD domain controllers? Or would I still need to manually configure the AD server as the NTP source in the PVE host's system settings?

Thanks for the clarification!

 

[pulipulichen]

Failing that, in the past when I have faced this challenge, I often prefer to create VMs as NTP time server. It is not accurate to any standard, however it keeps all referencing items in-sync with one and other which is important for most everything and authentication.

Regarding your approach, I would personally still prefer using a physical host outside the PVE cluster, or at the very least the PVE host itself, as the NTP target.

To the best of my knowledge, placing the NTP server within a VM on PVE might not be the most reliable setup. VMs can often encounter time inconsistencies or "drifts" due to various factors such as being frozen, suspended, or during heavy snapshot/backup operations.

I believe the role of a stable NTP server is just as critical as a Quorum device (QDevice) in a cluster environment to ensure everything stays in sync and healthy. What do you think?

 

[Michiel_1afa]

Does joining the realm automatically handle time synchronization between the PVE host and the AD domain controllers? Or would I still need to manually configure the AD server as the NTP source in the PVE host's system settings?

As far as I know, on windows this is a "domain policy" pushed by the Active Directory. The windows domain policies don't work on anything but windows. Technically you can change the policy (GPT editor) to change the NTP server to something other then the main AD. However in my experience this is more trouble then its worth and usually ends up in time problems in your kerberos realm.

To the best of my knowledge, placing the NTP server within a VM on PVE might not be the most reliable setup. VMs can often encounter time inconsistencies or "drifts" due to various factors such as being frozen, suspended, or during heavy snapshot/backup operations.

Agree, always use 'something' hardware, it can be a switch, a router, the pve machine or a dedicated time box. Do not trust a vm to keep accurate time.

 

[unsichtbarre]

Regarding your approach, I would personally still prefer using a physical host outside the PVE cluster, or at the very least the PVE host itself, as the NTP target.

To the best of my knowledge, placing the NTP server within a VM on PVE might not be the most reliable setup. VMs can often encounter time inconsistencies or "drifts" due to various factors such as being frozen, suspended, or during heavy snapshot/backup operations.

I believe the role of a stable NTP server is just as critical as a Quorum device (QDevice) in a cluster environment to ensure everything stays in sync and healthy. What do you think?

So the reasons I have chosen a VM in the past are the very same reasons that we use virtualization infrastructure in the first place: high availability and clustering. Just as with any critical service like domain controllers (which are actually time servers if they are windows), there should always be several in a clustered configuration running on different hosts. I think this would mitigate the considerations of time running on a virtual machine. Moreover if choosing a PVE host as the time source, which one, or all of them? And of course external physical servers would be fine, as long as they were more than one and they were in a clustered configuration for consistency.

-JB

 

[pulipulichen]

As far as I know, on windows this is a "domain policy" pushed by the Active Directory. The windows domain policies don't work on anything but windows. Technically you can change the policy (GPT editor) to change the NTP server to something other then the main AD. However in my experience this is more trouble then its worth and usually ends up in time problems in your kerberos realm.

That makes sense. It seems that relying on Windows Active Directory for time synchronization is indeed the more practical and reasonable approach to avoid potential issues, especially with Kerberos.

Thank you for sharing your valuable experience and analysis!