在Linux系統(tǒng)中,為了避免主機(jī)時(shí)間因?yàn)樵陂L(zhǎng)時(shí)間運(yùn)行下所導(dǎo)致的時(shí)間偏差,進(jìn)行時(shí)間同步(synchronize)的工作是非常必要的。Linux系統(tǒng)下,一般使用ntp服務(wù)來(lái)同步不同機(jī)器的時(shí)間。NTP 是網(wǎng)絡(luò)時(shí)間協(xié)議(Network Time Protocol)的簡(jiǎn)稱,干嘛用的呢?就是通過(guò)網(wǎng)絡(luò)協(xié)議使計(jì)算機(jī)之間的時(shí)間同步化。
安裝NTP包
檢查是否安裝了ntp相關(guān)包。如果沒(méi)有安裝ntp相關(guān)包,使用rpm或yum安裝,安裝也非常簡(jiǎn)單方便。
[root@localhost ~]# rpm -qa | grep
ntpntpdate-4.2.6p5-1.el6.x86_64
fontpackages-filesystem-1.41-1.1.el6.noarch
ntp-4.2.6p5-1.el6.x86_64
NTP的配置
A: 配置/etc/ntp.conf
NTP Server的主要配置文件為/etc/ntp.conf ,沒(méi)有修改過(guò)的ntp.conf文件內(nèi)容如下所示,配置選項(xiàng)都有相關(guān)注釋信息(Linux 版本為Red Hat Enterprise Linux Server release 6.6 )
[root@localhost ~]# more /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
[root@localhost ~]# more /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
各個(gè)選項(xiàng)信息:
#系統(tǒng)時(shí)間與BIOS事件的偏差記錄
driftfile /etc/ntp/drift
restrict 控制相關(guān)權(quán)限。
語(yǔ)法為: restrict IP地址 mask 子網(wǎng)掩碼 參數(shù)
其中IP地址也可以是default ,default 就是指所有的IP
參數(shù)有以下幾個(gè):
ignore :關(guān)閉所有的 NTP 聯(lián)機(jī)服務(wù)
nomodify:客戶端不能更改服務(wù)端的時(shí)間參數(shù),但是客戶端可以通過(guò)服務(wù)端進(jìn)行網(wǎng)絡(luò)校時(shí)。
notrust :客戶端除非通過(guò)認(rèn)證,否則該客戶端來(lái)源將被視為不信任子網(wǎng)
noquery :不提供客戶端的時(shí)間查詢:用戶端不能使用ntpq,ntpc等命令來(lái)查詢ntp服務(wù)器
notrap :不提供trap遠(yuǎn)端登陸:拒絕為匹配的主機(jī)提供模式 6 控制消息陷阱服務(wù)。陷阱服務(wù)是 ntpdq 控制消息協(xié)議的子系統(tǒng),用于遠(yuǎn)程事件日志記錄程序。
nopeer :用于阻止主機(jī)嘗試與服務(wù)器對(duì)等,并允許欺詐性服務(wù)器控制時(shí)鐘
kod : 訪問(wèn)違規(guī)時(shí)發(fā)送 KoD 包。
restrict -6 表示IPV6地址的權(quán)限設(shè)置。
1:設(shè)定NTP主機(jī)來(lái)源(其中prefer表示優(yōu)先主機(jī)),192.168.7.49是本地的NTP服務(wù)器,所以優(yōu)先指定從該主機(jī)同步時(shí)間。
server 192.168.7.49 prefer
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
2:限制你允許的這些服務(wù)器的訪問(wèn)類(lèi)型,在這個(gè)例子中的服務(wù)器是不容許修改運(yùn)行時(shí)配置或查詢您的Linux NTP服務(wù)器
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
在上例中,掩碼地址擴(kuò)展為255,因此從192.168.0.1-192.168.0.254的服務(wù)器都可以使用我們的NTP服務(wù)器來(lái)同步時(shí)間
#此時(shí)表示限制向從192.168.0.1-192.168.0.254這些IP段的服務(wù)器提供NTP服務(wù)。
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap noquery
#設(shè)置默認(rèn)策略為允許任何主機(jī)進(jìn)行時(shí)間同步
restrict default ignore
3:確保localhost(這個(gè)常用的IP地址用來(lái)指Linux服務(wù)器本身)有足夠權(quán)限.使用沒(méi)有任何限制關(guān)鍵詞的語(yǔ)法:
restrict 127.0.0.1
restrict -6 ::1
B:配置/etc/ntp/stpe-tickers文件
修改/etc/ntp/stpe-tickers文件,內(nèi)容如下(當(dāng)ntpd服務(wù)啟動(dòng)時(shí),會(huì)自動(dòng)與該文件中記錄的上層NTP服務(wù)進(jìn)行時(shí)間校對(duì))
[root@localhost ntp]# more /etc/ntp/step-tickers
# List of servers used for initial synchronization.
[root@localhost ntp]# vi /etc/ntp/step-tickers
# List of servers used for initial synchronization.
server 192.168.7.49 prefer
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
server 3.rhel.pool.ntp.org
C:配置/etc/sysconfig/ntpd文件
ntp服務(wù),默認(rèn)只會(huì)同步系統(tǒng)時(shí)間。如果想要讓ntp同時(shí)同步硬件時(shí)間,可以設(shè)置/etc/sysconfig/ntpd文件,在/etc/sysconfig/ntpd文件中,添加 SYNC_HWCLOCK=yes 這樣,就可以讓硬件時(shí)間與系統(tǒng)時(shí)間一起同步。
#允許BIOS與系統(tǒng)時(shí)間同步,也可以通過(guò)hwclock -w 命令
SYNC_HWCLOCK=yes
IPTABLES 配置
由于NTP服務(wù)需要使用到UDP端口號(hào)123,所以當(dāng)系統(tǒng)的防火墻(Iptables)啟動(dòng)的情況下,必須開(kāi)放UDP端口號(hào)123。
[root@localhost ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@localhost ~]# /sbin/iptables -I INPUT -p udp --dport 123 -j ACCEPT
[root@localhost ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@localhost ~]#
如果防火墻沒(méi)有開(kāi)放UDP端口號(hào)123,有可能出現(xiàn)下面情況。
[root@localhost ~]# /usr/sbin/ntpq -c rv | grep stratum
stratum=16, precision=-24, rootdelay=0.000, rootdisp=3.525, refid=INIT,
[root@localhost~]#
A stratum level of 16 indicates that NTP is not synchronizing correctly.If a stratum level of 16 is detected, wait 15 minutes and issue the command again. It may take this long for the NTP server to stabilize.If NTP continues to detect a stratum level of 16, verify that the NTP port (UDP Port 123) is open on all firewalls between the cluster and the remote machine you are attempting to synchronize to.
啟動(dòng)NTP服務(wù)
[root@localhost ~]# service ntpd status
ntpd is stopped
[root@localhost ~]# service ntpd start
Starting ntpd: [ OK ]
[root@localhost ~]#
service ntpd status #查看ntpd服務(wù)狀態(tài)
service ntpd start #啟動(dòng)ntpd服務(wù)
service ntpd stop #停止ntpd服務(wù)
service ntpd restart #重啟ntpd服務(wù)
檢查ntp服務(wù)是否開(kāi)機(jī)啟動(dòng),將其設(shè)置為開(kāi)機(jī)啟動(dòng)。
[root@localhost ~]# chkconfig --list ntpd
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@localhost ~]# runlevel
N 3
[root@localhost ~]# chkconfig ntpd on #在運(yùn)行級(jí)別2、3、4、5上設(shè)置為自動(dòng)運(yùn)行
[root@localhost ~]# chkconfig --list ntpd
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost ~]#
如果要設(shè)置在運(yùn)行級(jí)別上自動(dòng)運(yùn)行,可以使用下面命令
chkconfig --level 345 ntpd on
可以用下面命令檢測(cè)NTP服務(wù)是否運(yùn)行
[root@localhost ~]# pgrep ntpd
2639
2641
[root@localhost ~]# netstat -tlunp | grep ntp #如果看到123端口,說(shuō)明ntp服務(wù)成功啟動(dòng)。
udp 0 0 192.168.7.224:123 0.0.0.0:* 2639/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2639/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2639/ntpd
udp 0 0 fe80::250:56ff:feb3:b5:123 :::* 2639/ntpd
udp 0 0 ::1:123 :::* 2639/ntpd
udp 0 0 :::123 :::* 2639/ntpd
[root@localhost ~]#
查看ntp服務(wù)器有無(wú)和上層ntp連通
[root@localhost ~]# ntpstat
synchronised to NTP server (192.168.7.49) at stratum 6
time correct to within 440 ms
polling server every 128 s
[root@localhost ~]#
查看ntp服務(wù)器與上層ntp的狀態(tài)
remote - 本機(jī)和上層ntp的ip或主機(jī)名,“+”表示優(yōu)先,“*”表示次優(yōu)先
refid - 參考上一層ntp主機(jī)地址
st - stratum階層
when - 多少秒前曾經(jīng)同步過(guò)時(shí)間
poll - 下次更新在多少秒后
reach - 已經(jīng)向上層ntp服務(wù)器要求更新的次數(shù)
delay - 網(wǎng)絡(luò)延遲
offset - 時(shí)間補(bǔ)償
jitter - 系統(tǒng)時(shí)間與bios時(shí)間差
要查看 ntpd 進(jìn)程的狀態(tài),請(qǐng)運(yùn)行以下命令,按 Ctrl+C 停止查看進(jìn)程。
remote - 本機(jī)和上層ntp的ip或主機(jī)名,“+”表示優(yōu)先,“*”表示次優(yōu)先
refid - 參考上一層ntp主機(jī)地址
st - stratum階層
when - 多少秒前曾經(jīng)同步過(guò)時(shí)間
poll - 下次更新在多少秒后
reach - 已經(jīng)向上層ntp服務(wù)器要求更新的次數(shù)
delay - 網(wǎng)絡(luò)延遲
offset - 時(shí)間補(bǔ)償
jitter - 系統(tǒng)時(shí)間與bios時(shí)間差
要查看 ntpd 進(jìn)程的狀態(tài),請(qǐng)運(yùn)行以下命令,按 Ctrl+C 停止查看進(jìn)程。
