On a Linux system, the clock drifts when a host runs for a long time, so time synchronization is necessary. On Linux, the NTP service is generally used to synchronize the time of different machines. NTP is short for Network Time Protocol; its purpose is to synchronize time between computers over the network.

Installing the NTP packages

Check whether the ntp packages are installed. If they are not, install them with rpm or yum; the installation is simple and convenient.

[[email protected] ~]#  rpm -qa | grep ntp
ntpdate-4.2.6p5-1.el6.x86_64
fontpackages-filesystem-1.41-1.1.el6.noarch
ntp-4.2.6p5-1.el6.x86_64

 

NTP configuration

A: Configure /etc/ntp.conf

The main configuration file of the NTP server is /etc/ntp.conf. The unmodified ntp.conf is shown below; each configuration option has a related comment (the Linux version is Red Hat Enterprise Linux Server release 6.6).

[[email protected] ~]# more /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

Explanation of each option:

# File recording the deviation between the system time and the BIOS time
driftfile /etc/ntp/drift

restrict controls access permissions.

The syntax is: restrict IP-address mask subnet-mask parameters

The IP address can also be default, which means all IP addresses.

The parameters are as follows:

ignore  : Deny all NTP connections.
nomodify: The client cannot change the time parameters of the server, but it can still use the server for network time synchronization.
notrust : Unless the client is authenticated, the client source is treated as an untrusted subnet.
noquery : Do not answer client time queries: the client cannot query the ntp server with commands such as ntpq and ntpdc.
notrap  : Do not provide the trap remote logging function: refuse to provide the mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpq control message protocol, intended for remote event logging programs.
nopeer  : Prevents hosts from trying to peer with the server, which would allow rogue servers to control the clock.
kod     : Send a KoD (Kiss-o'-Death) packet when an access violation occurs.

restrict -6 sets the permissions for IPv6 addresses.

1: Set the NTP source hosts (prefer marks the preferred host). 192.168.7.49 is the local NTP server, so time is synchronized from that host first.

server 192.168.7.49 prefer
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

 

2: Limit the types of access you allow these servers. In this example, the servers are not allowed to modify the runtime configuration of, or query, your Linux NTP server.

restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap

In the example above, the mask extends to 255.255.255.0, so all servers from 192.168.0.1 to 192.168.0.254 can use our NTP server to synchronize time.

# This limits the NTP service to servers in the IP range 192.168.0.1-192.168.0.254.
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap noquery

# Set the default policy: ignore every host that no other restrict line matches
restrict default ignore

3: Make sure localhost (the common IP address used to refer to the Linux server itself) has sufficient permissions. Use the syntax without any restriction keywords:

restrict 127.0.0.1
restrict -6 ::1
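
How ntpd would apply the restrict lines from steps 2 and 3 to a given client, as an added example that is not part of the original article. It assumes that the most specific matching entry decides the flags and that an unqualified default covers both IPv4 and IPv6; CONF and the client addresses are constructed samples.

```python
import ipaddress

# Constructed sample: the restrict lines configured in steps 2 and 3 above.
CONF = """\
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap noquery
restrict default ignore
restrict 127.0.0.1
restrict -6 ::1
"""

def parse_restrict(text):
    """Return [(network, flags)] for each restrict line in ntp.conf text."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok or tok[0] != "restrict":
            continue
        tok = tok[1:]
        family = tok.pop(0) if tok[0] in ("-4", "-6") else None
        addr, rest = tok[0], tok[1:]
        if addr == "default":
            # Assumption: an unqualified default covers IPv4 and IPv6.
            nets = [n for q, n in (("-4", "0.0.0.0/0"), ("-6", "::/0"))
                    if family in (None, q)]
        elif rest[:1] == ["mask"]:
            nets, rest = [f"{addr}/{rest[1]}"], rest[2:]
        else:
            nets = [addr]  # single host: /32 or /128
        rules += [(ipaddress.ip_network(n), frozenset(rest)) for n in nets]
    return rules

def effective_flags(rules, client):
    """Flags of the most specific entry that matches the client address."""
    ip = ipaddress.ip_address(client)
    hits = [r for r in rules if r[0].version == ip.version and ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else frozenset()

def verdict(rules, client):
    """Classify how ntpd would treat a time request from this client."""
    flags = effective_flags(rules, client)
    if "ignore" in flags:
        return "ignored"
    return "needs-auth" if "notrust" in flags else "served"

if __name__ == "__main__":
    rules = parse_restrict(CONF)
    for host in ("10.1.2.3", "192.168.0.50", "127.0.0.1", "::1"):
        print(host, verdict(rules, host), sorted(effective_flags(rules, host)))
```

A host outside 192.168.0.0/24 falls through to the default entry and is ignored, and a host inside the subnet is served only if it authenticates, because of notrust.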

 

B: Configure the /etc/ntp/step-tickers file

Modify the /etc/ntp/step-tickers file as follows (when the ntpd service starts, it automatically corrects the time against the upper-layer NTP servers recorded in this file).

[[email protected] ntp]# more /etc/ntp/step-tickers
# List of servers used for initial synchronization.

[[email protected] ntp]# vi /etc/ntp/step-tickers
# List of servers used for initial synchronization.
server 192.168.7.49 prefer
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
server 3.rhel.pool.ntp.org

The difference between ntp.conf and step-tickers:

step-tickers is used by ntpdate, whereas ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd, to make sure the time is within 1000 sec. ntp will not run if the time difference between the server and client is more than 1000 sec (or thereabouts). The startup script will read step-tickers for servers to be polled by ntpdate.

C: Configure the /etc/sysconfig/ntpd file

By default, the ntp service synchronizes only the system time. If you want ntp to synchronize the hardware time as well, add SYNC_HWCLOCK=yes to the /etc/sysconfig/ntpd file so that the hardware time is synchronized with the system time.

# Synchronize the BIOS clock with the system time; this can also be done with the hwclock -w command
SYNC_HWCLOCK=yes

 

iptables configuration

The NTP service uses UDP port 123, so when the system firewall (iptables) is running, UDP port 123 must be opened.

[[email protected] ~]#  /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[[email protected] ~]# /sbin/iptables -I INPUT -p udp --dport 123 -j ACCEPT
[[email protected] ~]#  /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[[email protected] ~]#

If UDP port 123 is not open on the firewall, the following may occur.

[[email protected] ~]# /usr/sbin/ntpq -c rv | grep stratum

stratum=16, precision=-24, rootdelay=0.000, rootdisp=3.525, refid=INIT,

[[email protected]~]#

A stratum level of 16 indicates that NTP is not synchronizing correctly. If a stratum level of 16 is detected, wait 15 minutes and issue the command again. It may take this long for the NTP server to stabilize. If NTP continues to detect a stratum level of 16, verify that the NTP port (UDP Port 123) is open on all firewalls between the cluster and the remote machine you are attempting to synchronize to.

 

 

Starting the NTP service

[[email protected] ~]# service ntpd status
ntpd is stopped
[[email protected] ~]# service ntpd start
Starting ntpd: [  OK  ]
[[email protected] ~]#

 

 

 

service ntpd status      # check the status of the ntpd service
service ntpd start       # start the ntpd service
service ntpd stop        # stop the ntpd service
service ntpd restart     # restart the ntpd service

Check whether the ntp service is set to start at boot, and set it to start at boot.

[[email protected] ~]# chkconfig --list ntpd

ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[[email protected] ~]# runlevel

N 3

[[email protected] ~]# chkconfig ntpd on # start automatically at run levels 2, 3, 4 and 5

[[email protected] ~]# chkconfig --list ntpd

ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[[email protected] ~]#

If you want it to start automatically only at specified run levels, you can use the following command

chkconfig --level 345 ntpd on

You can use the following commands to check whether the NTP service is running

[[email protected] ~]# pgrep ntpd
2639
2641
[[email protected] ~]# netstat -tlunp | grep ntp   # if port 123 is listed, the ntp service started successfully
udp        0      0 192.168.7.224:123           0.0.0.0:*                               2639/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                               2639/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               2639/ntpd
udp        0      0 fe80::250:56ff:feb3:b5:123  :::*                                    2639/ntpd
udp        0      0 ::1:123                     :::*                                    2639/ntpd
udp        0      0 :::123                      :::*                                    2639/ntpd
[[email protected] ~]#

Check whether the ntp server is connected to its upper-layer ntp server

 

[[email protected] ~]# ntpstat
synchronised to NTP server (192.168.7.49) at stratum 6
   time correct to within 440 ms
   polling server every 128 s
[[email protected] ~]#

Check the state of the ntp server and its upper-layer ntp server

[[email protected] ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.7.49    192.168.7.50     5 u   13   64    3    5.853  1137178   2.696
[[email protected] ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.7.49    192.168.7.50     5 u   17   64    3    5.853  1137178   2.696
[[email protected] ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.7.49    192.168.7.50     5 u    1   64    1    0.937   -9.570   0.000

remote   - IP address or host name of the upper-layer ntp server of this machine; "+" marks a preferred source, "*" a second-priority one
refid    - address of the ntp host one layer further up that the source refers to
st       - stratum (layer)
when     - how many seconds ago the time was last synchronized
poll     - how many seconds until the next update
reach    - number of update requests made to the upper-layer ntp server
delay    - network delay
offset   - time offset
jitter   - difference between the system time and the BIOS time

To watch the state of the ntpd process, run the following command; press Ctrl+C to stop watching.

The character in the first column indicates the quality of the source. An asterisk ( * ) indicates that the source is the current reference.

remote lists the IP address or host name of the source.
when   indicates the time that has passed since the source was polled (seconds).
poll   indicates the polling interval. This value increases with the accuracy of the local clock.
reach  is an octal number that indicates the reachability of the source. The value 377 indicates that the source has answered the last eight consecutive polls.
offset is the time difference between the source clock and the local clock (milliseconds).
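
Decoding the reach and offset columns described above for two of the ntpq -p rows shown on this page, as an added example that is not part of the original article. LIMIT_MS reuses the roughly 1000 sec figure from the step-tickers note; the function and field names are illustrative.

```python
# ntpq -p peer rows copied from the output shown earlier on this page.
ROWS = [
    " 192.168.7.49    192.168.7.50     5 u   13   64    3    5.853  1137178   2.696",
    " 192.168.7.49    192.168.7.50     5 u    1   64    1    0.937   -9.570   0.000",
]
LIMIT_MS = 1000 * 1000  # the roughly 1000 sec limit, expressed in milliseconds
FIELDS = ("remote", "refid", "st", "t", "when", "poll",
          "reach", "delay", "offset", "jitter")

def decode_reach(octal):
    """Expand the octal reach register into 8 booleans, newest poll first."""
    reg = int(octal, 8) & 0xFF
    return [bool(reg >> bit & 1) for bit in range(8)]

def assess(row):
    """Parse one peer row and report reachability and offset health."""
    tally = row[0]  # first column: source quality, '*' = current reference
    peer = dict(zip(FIELDS, row[1:].split()))
    polls = decode_reach(peer["reach"])
    offset_ms = float(peer["offset"])
    return {
        "remote": peer["remote"],
        "current_reference": tally == "*",
        "stratum": int(peer["st"]),
        "answered": sum(polls),           # replies among the last 8 polls
        "last_poll_answered": polls[0],
        "offset_ms": offset_ms,
        "over_limit": abs(offset_ms) > LIMIT_MS,
    }

if __name__ == "__main__":
    for r in ROWS:
        print(assess(r))
```

The first row has answered only two polls (reach 3) and is about 1137 seconds off; the later row shows the offset back within milliseconds while the reach register is filling up again from 1.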

 

The difference between ntpd and ntpdate

Below is information from the Internet about the difference between ntpd and ntpdate:

One question needs to be settled before using them: how do ntpd and ntpdate differ when updating the time? ntpd is not only a time synchronization server; it can also act as a client that synchronizes time with a standard time server, and it synchronizes smoothly rather than immediately as ntpdate does. Use ntpdate with caution in a production environment. That is why the two cannot run at the same time.

A clock jump can cause serious problems for some programs. Many applications rely on a continuous clock. After all, it is a common assumption that time passes linearly, and some operations, such as database transactions, commonly rely on the fact that time does not jump backwards. Unfortunately, the way ntpdate adjusts the time is what we call a "jump": after obtaining a time, ntpdate sets the system time with settimeofday(2). This has several very obvious problems:

First, it is not safe. ntpdate's setting depends on the security of the ntp server. *** Developers can take advantage of some software design flaws to take down the ntp server and make the servers synchronized with it perform some resource-consuming tasks. Because ntpdate works by jumping, the servers that follow cannot tell whether an anomaly has occurred (when the times differ, the only option is to take the server as the standard).

Second, it is not accurate. Once the ntp server goes down, the servers that follow it can no longer synchronize time. In contrast, ntpd can calibrate not only the computer's time but also the computer's clock.

Third, it is not elegant. Because it is a jump rather than making time run faster or slower, programs that depend on timing can go wrong (for example, if ntpdate finds that your clock is fast, you may experience the same moment twice, which is fatal for some applications). Therefore, the only point at which a time jump is acceptable is right after the computer has started, before many services have started. The rest of the time, ideally use ntpd to calibrate the clock instead of adjusting the time on the computer clock.

While synchronizing with the time server, ntpd records the oscillation frequency deviation of the BIOS timer, in other words the natural drift of the local clock. So even if there is a network problem, the machine can still keep fairly accurate time.

 

 

Reference material :

http://blog.sina.com.cn/s/blog_5369bee10100aysx.html

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2085950

http://wiki.ubuntu.com.cn/NTP

http://blog.csdn.net/suer0101/article/details/7868813