CentOS7中使用ntp服务同步时间

简单记录使用ntp对centos7进行实践同步。

在安装fabric时，如果虚拟机之间实践差距太大就会导致异常，虽然可以使用命令直接修改时间，但考虑到后期维护还是选择使用ntp来同步时间。

本配置使用五台虚拟机演示：

IP	用途
172.17.0.82	ntp客户端：与内部ntp服务器（85）同步时间
172.17.0.83	ntp客户端：与内部ntp服务器（85）同步时间
172.17.0.84	ntp客户端：与内部ntp服务器（85）同步时间
172.17.0.85	ntp服务器：与外部公共ntp服务器同步标准时间
172.17.0.86	ntp客户端：与内部ntp服务器（85）同步时间

 

先查看ntp是否已经安装：rpm -q ntp

如果没有安装则使用命令：yum -y install ntp 安装ntp。

如果已经安装（如下）则继续：

 

安装完成后设置ntp开机启动并启动ntp，如下：

systemctl enable ntpd

systemctl start ntpd

 

首先设置ntp服务器（172.17.0.85）

编辑配置文件（vim /etc/ntp.conf），注释默认ntp服务地址，使用国内地址（有两个网站可以参考：https://www.pool.ntp.org/zone/cn  和  http://www.ntp.org.cn/pool.php#china  可以自行查找合适的ntp服务器），具体修改部分突出显示，如下：

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 172.17.0.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 0.cn.pool.ntp.org
server 1.cn.pool.ntp.org
server 2.cn.pool.ntp.org
server 3.cn.pool.ntp.org

restrict 0.cn.pool.ntp.org nomodify notrap noquery
restrict 1.cn.pool.ntp.org nomodify notrap noquery
restrict 2.cn.pool.ntp.org nomodify notrap noquery
restrict 3.cn.pool.ntp.org nomodify notrap noquery

server 127.0.0.1 # local clock
fudge 127.0.0.1 stratum 10

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1        # multicast client
#manycastserver 239.255.254.254        # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

 

修改完成后保存退出，并重启ntp（systemctl restart ntpd）。

 

设置ntp客户端（以172.17.0.82为例，其余相同，略）

编辑配置文件（vim /etc/ntp.conf），注释掉默认ntp服务，使用我们自己配置的ntp服务器（即 172.17.0.85），具体修改部分突出显示，如下：

【！！！】这里需要注意的是，在使用ntp服务器时，如果有防火墙，则需要开启ntp服务器的udp协议123端口，否则其他虚拟机不能成功同步时间。

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst

server 172.17.0.85

restrict 172.17.0.85 nomodify notrap noquery

server 127.0.0.1 # local clock
fudge 127.0.0.1 stratum 10

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1        # multicast client
#manycastserver 239.255.254.254        # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

修改完成后保存退出并重启ntp（systemctl restart ntpd）。

 

重启后可以使用ntpq -p 查看网络中的NTP服务器，如下分别是85和82（其余客户端与82类似）：

 

还可以使用ntpstat 命令查看时间同步状态，但是需要等待几分钟才回看到同步信息，同样，下面分别是85和82：

可以看到82在开始时候并没有同步时间，而是等待一段时间后才开始同步。

---

END