Linux时间同步服务NTP

最新推荐文章于 2024-08-30 15:02:43 发布

犇羴骉鱻

最新推荐文章于 2024-08-30 15:02:43 发布

阅读量509

点赞数

分类专栏： Linux 文章标签： linux 网络 udp

本文链接：https://blog.csdn.net/m0_37490944/article/details/129342798

版权

Linux 专栏收录该内容

8 篇文章 0 订阅

订阅专栏

一、NTP简介
NTP全名“Network TimeProtocol”，即网络时间协议，是由RFC 1305定义的时间同步协议，用来在分布式时间服务器和客户端之间进行时间同步。

NTP基于UDP报文进行传输，使用的UDP端口号为123。使用NTP的目的是对网络内所有具有时钟的设备进行时钟同步，使网络内所有设备的时钟保持一致，从而使设备能够提供基于统一时间的多种应用。对于运行NTP的本地系统，既可以接收来自其他时钟源的同步，又可以作为时钟源同步其他的时钟，并且可以和其他设备互相同步。

二、NTP配置
1、安装NTP包
yum install -y ntp*

2、server端配置
原始配置文件(/etc/ntp.conf)内容如下

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst


#broadcast 192.168.1.255 autokey	# broadcast server
#broadcastclient			# broadcast client
#broadcast 224.0.1.1 autokey		# multicast server
#multicastclient 224.0.1.1		# multicast client
#manycastserver 239.255.254.254		# manycast server
#manycastclient 239.255.254.254 autokey # manycast client
#local stratum 10

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

相关参数说明：
restrict: 进行时间同步的权限控制
语法：restrict IP地址 mask 子网掩码参数
其中IP地址可以是default，default表示所有IP都可以进行时间同步
nomodify:客户端不能更改服务端的时间参数，但是客户端可以通过服务端进行时间校验
nopeer:用于阻止主机尝试与服务器对等，并允许欺诈性服务器控制时钟
noquery:不提供客户端远程查询，即ntpq不能使用
notrup:不提供trup远程登录
notrust:客户端除非经过认证，否则该客户端会被视为不信任的子网
restrict -6 表示IPV6地址权限设置
示例：
如只允许172.30.0.0网段的ip地址进行时间同步，则写法如下：
restrict 172.30.0.0/24 nomodify(参数可以根据自己情况添加)

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 172.30.0.1/24  notrust notrap nopeer nomodify

server:表示要以哪个时钟服务器为依据进行时钟同步

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

如果server端服务器能够连接互联网，则直接使用上述4个默认的server进行同步即可，如果server端服务器不能连接互联网，则需要进行如下配置

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10

在无法连接互联网或者没有别的时钟源进行参考时，NTP使用127.127.1.0本地时钟，将local时间作为NTP服务器时间同步给NTP客户端。NTP把本地主机的时钟也看做外部时钟源来处理，分配的地址是127.127.1.0
设置本地时钟源的层次为10，这样如果NTP服务从本地时钟源获取时间的话，NTP对外宣布的时间层次为11

完整的配置文件如下：

[root@rac2 etc]# cat /etc/ntp.conf 
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 172.30.0.1/24  notrust notrap nopeer nomodify 

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10

#broadcast 192.168.1.255 autokey	# broadcast server
#broadcastclient			# broadcast client
#broadcast 224.0.1.1 autokey		# multicast server
#multicastclient 224.0.1.1		# multicast client
#manycastserver 239.255.254.254		# manycast server
#manycastclient 239.255.254.254 autokey # manycast client
#local stratum 10

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
[root@rac2 etc]#

启动server端NTP服务
systemctl start ntpd.service

3、client端配置
修改/etc/ntp.conf参数文件，指定server即可
例如，NTP server端的IP地址是172.30.0.12，则配置如下：

#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 172.30.0.12 iburst

修改完成后，启动NTP服务即可。
systmctl start ntpd.service

4、查看NTP时间同步是否正常

[root@rac1 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*rac2            LOCAL(0)        11 u    1   64   37    0.411  906.504 387.168

remote: 本机和上层NTP的ip或主机名
refid: 参考上次NTP的主机地址
st: stratum的阶层
when: 多少秒前同步过时间
poll: 下次更新在多少秒之后
reach: 已经向上层ntp服务器要求更新的次数
delay: 网络延迟
offset: 时间补偿
jitter: 系统时间与bios时间差