NTP时钟同步方式说明
NTP在linux下有两种时钟同步方式,分别为直接同步和平滑同步:
直接同步
使用ntpdate命令进行同步,直接进行时间变更。如果服务器上存在一个12点运行的任务,当前服务器时间是13点,但标准时间时11点,使用此命令可能会造成任务重复执行。因此使用ntpdate同步可能会引发风险,因此该命令也多用于配置时钟同步服务时第一次同步时间时使用。
平滑同步
使用ntpd进行时钟同步,可以保证一个时间不经历两次,它每次同步时间的偏移量不会太陡,是慢慢来的,这正因为这样,ntpd平滑同步可能耗费的时间比较长。
标准时钟同步服务
http://www.pool.ntp.org/zone/cn网站包含全球的标准时间同步服务,也包括对中国时间的同步,对应的URL为cn.pool.ntp.org,在其中也描述了ntp配置文件中的建议写法:
server1.cn.pool.ntp.org
server3.asia.pool.ntp.org
server2.asia.pool.ntp.org
2. 环境情况
准备两台电脑,分别为:
IP 用途
10.0.0.202 ntpd服务器,用于与外部公共ntpd同步标准时间
10.0.0.203 ntpd客户端,用于与ntpd同步时间
3. 检查服务是否安装
使用rpm检查ntp包是否安装
[root@localhostkevin]# rpm -q ntp
ntp-4.2.6p5-19.el7.centos.3.x86_64
如果已经安装则略过此步,否则使用yum进行安装,并设置系统开机自动启动并启动服务
[root@localhostkevin]# yum -y install ntp
[root@localhostkevin]# systemctl enable ntpd
[root@localhostkevin]# systemctl start ntpd
4. 设置ntp服务器: 10.0.0.202
配置前先使用命令:ntpdate -u cn.pool.ntp.org,同步服务器
修改/etc/ntp.conf文件,红色字体是修改的内容
# For more information about thisfile, see the man pages
# ntp.conf(5), ntp_acc(5),ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization withour time source, but do not
# permit the source to query ormodify the service on this system.
restrict default nomodify notrapnopeer noquery
# Permit all access over the loopbackinterface. This could
# be tightened as well, but to do sowould effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are lessrestricted.
#restrict 192.168.1.0 mask255.255.255.0 nomodify notrap
restrict 10.0.0.0 mask255.255.255.0 nomodify notrap
# Use public servers from thepool.ntp.org project.
# Please consider joining the pool(http://www.pool.ntp.org/join.html).
#server0.centos.pool.ntp.org iburst
#server1.centos.pool.ntp.org iburst ###注意此处四行要注释掉
#server2.centos.pool.ntp.org iburst
#server3.centos.pool.ntp.org iburst
server 2.cn.pool.ntp.org
server 1.asia.pool.ntp.org
server 2.asia.pool.ntp.org
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254autokey # manycast client
restrict 2.cn.pool.ntp.orgnomodify notrap noquery
restrict 1.asia.pool.ntp.orgnomodify notrap noquery
restrict 2.asia.pool.ntp.orgnomodify notrap noquery
server 127.0.0.1 # localclock
fudge 127.0.0.1 stratum 10
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys andkey identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers whichare trusted.
#trustedkey 4 8 42
# Specify the key identifier to usewith the ntpdc utility.
#requestkey 8
# Specify the key identifier to usewith the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostatsloopstats peerstats
# Disable the monitoring facility toprevent amplification attacks using ntpdc
# monlist command when defaultrestrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not bedisabled with the limited restriction flag.
disable monitor
[root@lb01 ~]#
修改完成后重启ntpd服务systemctlrestart ntpd
使用ntpq -p 查看网络中的NTP服务器,同时显示客户端和每个服务器的关系
使用ntpstat 命令查看时间同步状态,这个一般需要5-10分钟后才能成功连接和同步。所以,服务器启动后需要稍等下:
刚启动的时候,一般是:
# ntpstat
unsynchronised
time server re-starting
polling server every 64 s
连接并同步后:
# ntpstat
synchronised to NTP server(202.112.10.36) at stratum 3
time correct to within 275 ms
polling server every 256 s
5. 设置ntp客户端: 10.0.0.203
安装ntp服务并设置为自动启动,和前面的设置方式相同。然后编辑/etc/ntp.conf文件,红色字体为变化的内容。
# For more information about thisfile, see the man pages
# ntp.conf(5), ntp_acc(5),ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization withour time source, but do not
# permit the source to query ormodify the service on this system.
restrict default nomodify notrapnopeer noquery
# Permit all access over the loopbackinterface. This could
# be tightened as well, but to do sowould effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are lessrestricted.
#restrict 192.168.1.0 mask255.255.255.0 nomodify notrap
# Use public servers from thepool.ntp.org project.
# Please consider joining the pool(http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 10.0.0.202
restrict 10.0.0.202 nomodify notrap noquery
server 127.0.0.1
fudge 127.0.0.1 stratum 10
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys andkey identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers whichare trusted.
#trustedkey 4 8 42
# Specify the key identifier to usewith the ntpdc utility.
#requestkey 8
# Specify the key identifier to usewith the ntpq utility.
#controlkey 8
# Enable writing of statisticsrecords.
#statistics clockstats cryptostatsloopstats peerstats
# Disable the monitoring facility toprevent amplification attacks using ntpdc
# monlist command when defaultrestrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not bedisabled with the limited restriction flag.
disable monitor
[root@docker02 ~]#
重启ntpd服务
systemctl restart ntpd
启动后,查看同步情况,这个步骤一般根据服务器配置,同步时间不同,我的虚拟机同步为约两分钟
ntpq -p
[root@lb01 opt]# ntpstat
synchronised to NTP server(10.0.0.202) at stratum 4
time correct to within 1243 ms
polling server every 64 s
