一、NTP简介
NTP全名“Network TimeProtocol”,即网络时间协议,是由RFC 1305定义的时间同步协议,用来在分布式时间服务器和客户端之间进行时间同步。
NTP基于UDP报文进行传输,使用的UDP端口号为123。使用NTP的目的是对网络内所有具有时钟的设备进行时钟同步,使网络内所有设备的时钟保持一致,从而使设备能够提供基于统一时间的多种应用。对于运行NTP的本地系统,既可以接收来自其他时钟源的同步,又可以作为时钟源同步其他的时钟,并且可以和其他设备互相同步。
二、NTP配置
1、安装NTP包
yum install -y ntp*
2、server端配置
原始配置文件(/etc/ntp.conf)内容如下
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
#local stratum 10
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
相关参数说明:
restrict: 进行时间同步的权限控制
语法:restrict IP地址 mask 子网掩码 参数
其中IP地址可以是default,default表示所有IP都可以进行时间同步
nomodify:客户端不能更改服务端的时间参数,但是客户端可以通过服务端进行时间校验
nopeer:用于阻止主机尝试与服务器对等,并允许欺诈性服务器控制时钟
noquery:不提供客户端远程查询,即ntpq不能使用
notrup:不提供trup远程登录
notrust:客户端除非经过认证,否则该客户端会被视为不信任的子网
restrict -6 表示IPV6地址权限设置
示例:
如只允许172.30.0.0网段的ip地址进行时间同步,则写法如下:
restrict 172.30.0.0/24 nomodify(参数可以根据自己情况添加)
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 172.30.0.1/24 notrust notrap nopeer nomodify
server:表示要以哪个时钟服务器为依据进行时钟同步
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
如果server端服务器能够连接互联网,则直接使用上述4个默认的server进行同步即可,如果server端服务器不能连接互联网,则需要进行如下配置
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
在无法连接互联网或者没有别的时钟源进行参考时,NTP使用127.127.1.0本地时钟,将local时间作为NTP服务器时间同步给NTP客户端。NTP把本地主机的时钟也看做外部时钟源来处理,分配的地址是127.127.1.0
设置本地时钟源的层次为10,这样如果NTP服务从本地时钟源获取时间的话,NTP对外宣布的时间层次为11
完整的配置文件如下:
[root@rac2 etc]# cat /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 172.30.0.1/24 notrust notrap nopeer nomodify
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
#local stratum 10
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
[root@rac2 etc]#
启动server端NTP服务
systemctl start ntpd.service
3、client端配置
修改/etc/ntp.conf参数文件,指定server即可
例如,NTP server端的IP地址是172.30.0.12,则配置如下:
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 172.30.0.12 iburst
修改完成后,启动NTP服务即可。
systmctl start ntpd.service
4、查看NTP时间同步是否正常
[root@rac1 ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*rac2 LOCAL(0) 11 u 1 64 37 0.411 906.504 387.168
remote: 本机和上层NTP的ip或主机名
refid: 参考上次NTP的主机地址
st: stratum的阶层
when: 多少秒前同步过时间
poll: 下次更新在多少秒之后
reach: 已经向上层ntp服务器要求更新的次数
delay: 网络延迟
offset: 时间补偿
jitter: 系统时间与bios时间差