Setting up an NTP time server on CentOS 7
Contents
- 1. Preparation
- 2. Installing ntp
- 3. Configuring ntp.conf
- 3.1. Server configuration
- 3.2. Client configuration
- 4. Starting the service
- 5. NTP service status
- 5.1. ntpq -p
- 5.2. timedatectl
- 5.3. ntpstat
- 6. ntp.conf parameters explained
- 6.1. restrict
- 6.2. server
- 6.3. fudge
- 7. ERROR
- 7.1. NTP enabled: no
- 7.2. NTP synchronized: no
- 7.2.1. Solution 1
- 7.2.2. Solution 2
- 7.3. unsynchronised
1. Preparation
Server | Role |
---|---|
192.168.0.1 | NTP server |
192.168.0.2 | NTP client |
Note: timedatectl and the date command conflict with each other. Do not run the date command at any point while installing and configuring; otherwise the ntp service may fail to take effect for a long time, and it can take around half an hour for it to recover.
2. Installing ntp
```shell
yum install ntp ntpdate -y
```
3. Configuring ntp.conf
3.1. Server configuration
```conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
logconfig all
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# This is an isolated LAN with no external network, so the pool servers below are commented out
# server 0.centos.pool.ntp.org iburst
# server 1.centos.pool.ntp.org iburst
# server 2.centos.pool.ntp.org iburst
# server 3.centos.pool.ntp.org iburst
# Let hosts on the 192.168.0.0/24 LAN (the client subnet) sync time from us,
# but not modify the daemon or request traps
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
# Serve time from the local clock of this host
server 127.127.1.0
fudge 127.127.1.0 stratum 10
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
```
3.2. Client configuration
```conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
logconfig all
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# server 0.centos.pool.ntp.org iburst
# server 1.centos.pool.ntp.org iburst
# server 2.centos.pool.ntp.org iburst
# server 3.centos.pool.ntp.org iburst
# Sync from our LAN server only; the server may not modify, trap or query this client
server 192.168.0.1
restrict 192.168.0.1 nomodify notrap noquery
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
```
4. Starting the service
The steps are identical on the server and the client.
Run the following before starting the service, otherwise errors will occur:
```shell
timedatectl set-ntp no
timedatectl set-time "<current time>"   # e.g. "2023-04-06 15:30:00"
timedatectl set-ntp yes
timedatectl set-local-rtc 0
ntpd -gq
```
The service commands are as follows; be sure to enable the service at boot:
```shell
# stop the service
systemctl stop ntpd
# start the service
systemctl start ntpd
# restart the service
systemctl restart ntpd
# enable at boot
systemctl enable ntpd
```
5. NTP service status
5.1. ntpq -p
```text
[root@localhost ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l   54   64  377    0.000    0.000   0.000
```
Field | Description |
---|---|
remote | IP or hostname of this host's upstream NTP source; "+" marks preferred, "*" marks second preference |
refid | address of the NTP host one stratum above that source |
st | stratum |
when | how many seconds ago the last synchronization happened |
poll | how many seconds until the next update |
reach | number of update requests already sent to the upstream NTP server |
delay | network delay |
offset | time offset (correction) |
jitter | difference between the system time and the BIOS time |
5.2. timedatectl
```text
NTP enabled: yes
NTP synchronized: yes
```
When both of these read yes the service is working. synchronized is slow to react, so wait four or five minutes before checking it again.
```text
[root@localhost ~]# timedatectl
      Local time: 四 2023-04-06 15:33:57 CST
  Universal time: 四 2023-04-06 07:33:57 UTC
        RTC time: 四 2023-04-06 07:38:20
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
```
5.3. ntpstat
```text
[root@localhost home]# ntpstat
synchronised to local net (127.127.1.0) at stratum 11
   time correct to within 12 ms
   polling server every 64 s
```
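As an added example (not part of the original post), the following script turns the manual checks of 5.1 and 5.2 into a health check: it parses `ntpq -pn` output for a selected peer (`*`), full reachability (377) and a small offset, and parses `timedatectl` output for the two NTP lines. The sample output is constructed to match the server from this post; `ntp_health`, `ntpq_sync_peer`, `ntpq_peer_ok` and `timedatectl_ok` are names chosen here, and the `timedatectl` labels it looks for are the CentOS 7 ones shown above.

```shell
#!/bin/sh
# Added example: decide from `ntpq -pn` and `timedatectl` output whether a host is
# really synchronised. Sample output below is constructed for the server in the post.

# Constructed sample of `ntpq -pn` on the server (local clock at stratum 10).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   54   64  377    0.000    0.000   0.000'

# Constructed sample of `timedatectl` on a healthy CentOS 7 host.
SAMPLE_TIMEDATECTL='      Local time: Thu 2023-04-06 15:33:57 CST
  Universal time: Thu 2023-04-06 07:33:57 UTC
        RTC time: Thu 2023-04-06 07:38:20
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a'

# Print the remote of the peer ntpq marks with "*" (the source the daemon has selected).
# Prints nothing and returns 1 when no peer is selected, i.e. the host is not synchronised.
ntpq_sync_peer() {
    printf '%s\n' "$1" | awk '
        /^\*/ { sub(/^\*/, "", $1); print $1; found = 1 }
        END   { exit (found ? 0 : 1) }'
}

# Return 0 if the "*" peer has full reachability (octal 377 = last 8 polls answered)
# and its absolute offset is within the given millisecond limit, else 1.
# Field positions: 7 = reach, 9 = offset (see the field table in 5.1).
ntpq_peer_ok() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        /^\*/ {
            reach = $7; offset = $9
            if (offset < 0) offset = -offset
            ok = (reach == "377" && offset <= limit)
        }
        END { exit (ok ? 0 : 1) }'
}

# Return 0 if timedatectl reports "NTP enabled: yes" and "NTP synchronized: yes".
timedatectl_ok() {
    printf '%s\n' "$1" | awk '
        /NTP enabled:/      { enabled = ($NF == "yes") }
        /NTP synchronized:/ { synced  = ($NF == "yes") }
        END { exit ((enabled && synced) ? 0 : 1) }'
}

# Combine the checks; prints one line ("OK: ..." or "DEGRADED: ...") and returns 0 or 1.
ntp_health() {
    ntpq_out="$1"; tdc_out="$2"
    if ! timedatectl_ok "$tdc_out"; then
        echo "DEGRADED: timedatectl says NTP is not enabled or not synchronized"; return 1
    fi
    peer=$(ntpq_sync_peer "$ntpq_out") || { echo "DEGRADED: no peer selected (no * in ntpq -p)"; return 1; }
    if ! ntpq_peer_ok "$ntpq_out" 100; then
        echo "DEGRADED: peer $peer not fully reachable or offset above 100 ms"; return 1
    fi
    echo "OK: synchronised to $peer"
}

# On a live host call: ntp_health "$(ntpq -pn)" "$(timedatectl)"
ntp_health "$SAMPLE_NTPQ" "$SAMPLE_TIMEDATECTL"
```

The reach column is the one to watch after a restart: a value below 377 means recent polls went unanswered, which is exactly the state the "unsynchronised / time server re-starting" output in section 7.3 corresponds to, and the check reports it as DEGRADED rather than waiting for `timedatectl` to catch up.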
6. ntp.conf parameters explained
6.1. restrict
Purpose: access control for ntp; a restrict line with no flags means no restriction at all.
Flag | Description |
---|---|
ignore | ignore all types of NTP requests |
nomodify | clients may not use the ntpdc and ntpq commands to modify the server's time |
noquery | do not provide NTP network time service |
notrap | do not accept remote login requests |
notrust | reject requests from clients that have not been authenticated |
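Added example, not from the original post: a small audit of an ntp.conf that applies the `restrict` flags from the table above together with the `disable monitor` line from the section 3 configs. It reports a `restrict default` that lacks `noquery`, `nomodify` or `notrap`, a network-wide `restrict ... mask ...` with no flags, and a missing `disable monitor` (the stock config comments explain that monitor plus an open default is the monlist amplification case, CVE-2013-5211). The two sample configs are constructed, and `audit_ntp_conf` is a name chosen here.

```shell
#!/bin/sh
# Added example: audit ntp.conf access control. Findings are printed one per line;
# the function returns 0 when there are none and 1 otherwise.
audit_ntp_conf() {
    findings=$(printf '%s\n' "$1" | awk '
        # true if the flag appears after the address part of the current restrict line
        function has_flag(flag,   i) {
            for (i = 3; i <= NF; i++) if ($i == flag) return 1
            return 0
        }
        BEGIN { split("noquery nomodify notrap", need, " ") }
        { sub(/#.*/, "") }              # drop trailing comments
        NF == 0 { next }                # skip blank and comment-only lines
        $1 == "restrict" && $2 == "default" {
            seen_default = 1
            for (i in need) if (!has_flag(need[i]))
                print "restrict default lacks " need[i]
            next
        }
        # "restrict <net> mask <mask>" with nothing after the mask is fully open
        $1 == "restrict" && $3 == "mask" && NF == 4 {
            print "restrict " $2 " mask " $4 " has no flags (fully open to that network)"
            next
        }
        $1 == "disable" { for (i = 2; i <= NF; i++) if ($i == "monitor") monitor_off = 1 }
        END {
            if (!seen_default) print "no restrict default line (unlisted clients are unrestricted)"
            if (!monitor_off)  print "disable monitor not set (monlist stays reachable wherever queries are allowed)"
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed hardened config, modelled on the server config in section 3.1.
GOOD_CONF='driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
server 127.127.1.0
fudge 127.127.1.0 stratum 10
disable monitor'

# Constructed weak config: open default, unflagged LAN entry, monitoring left on.
BAD_CONF='driftfile /var/lib/ntp/drift
restrict default nopeer   # queries and runtime changes still allowed
restrict 192.168.0.0 mask 255.255.255.0
server 127.127.1.0
fudge 127.127.1.0 stratum 10'

# On a live host: audit_ntp_conf "$(cat /etc/ntp.conf)"
audit_ntp_conf "$GOOD_CONF" && echo "hardened sample: no findings"
audit_ntp_conf "$BAD_CONF" || echo "weak sample: findings listed above"
```

The audit deliberately treats `restrict default` as the baseline: every client that matches no more specific line falls back to it, so that is the line where `noquery` and `nomodify` matter most, while the LAN line only needs to loosen what the clients actually require (time service).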
6.2. server
Purpose: specify the address of the NTP server.
```conf
server [ip or hostname] [prefer]
```
6.3. fudge
Purpose: set the stratum of the time server. fudge must be used together with server, on the line immediately after the matching server line.
```conf
fudge ip [stratum int]
```
stratum: 0~15
0: top level
10: used to provide time service to hosts on the LAN
7. ERROR
7.1. NTP enabled: no
```text
[root@localhost]# timedatectl
      Local time: 四 2023-04-06 11:27:29 CST
  Universal time: 四 2023-04-06 03:27:29 UTC
        RTC time: 四 2023-04-06 11:27:29
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: no
NTP synchronized: yes
 RTC in local TZ: yes
      DST active: n/a

Warning: The system is configured to read the RTC time in the local time zone.
         This mode can not be fully supported. It will create various problems
         with time zone changes and daylight saving time adjustments. The RTC
         time is never updated, it relies on external facilities to maintain it.
         If at all possible, use RTC in UTC by calling
         'timedatectl set-local-rtc 0'.
```
The error is explained in the Warning: text.
Solution:
```shell
timedatectl set-local-rtc 0
```
Then restart the service:
```shell
# stop the service
systemctl stop ntpd
# start the service
systemctl start ntpd
```
7.2. NTP synchronized: no
This problem occurs frequently. It may also simply be that the server has not caught up yet, which can take up to half an hour.
Recommendation: run all three solutions from 7.2 and 7.3.
7.2.1. Solution 1
Caused by too large a time difference:
```shell
# stop the service
systemctl stop ntpd
timedatectl set-ntp no
timedatectl set-time "<current time>"   # e.g. "2023-04-06 15:30:00"
timedatectl set-ntp yes
# start the service
systemctl start ntpd
```
7.2.2. Solution 2
Caused by the firewall:
```shell
# stop the service
systemctl stop ntpd
firewall-cmd --permanent --add-port=123/udp
firewall-cmd --permanent --add-service=ntp
firewall-cmd --reload
firewall-cmd --list-port
# start the service
systemctl start ntpd
```
7.3. unsynchronised
This problem occurs frequently. It may also simply be that the server has not caught up yet, which can take up to half an hour.
Recommendation: run all three solutions from 7.2 and 7.3.
```text
[root@localhost home]# ntpstat
unsynchronised
  time server re-starting
   polling server every 8 s
```
Solution:
```shell
# stop the service
systemctl stop ntpd
ntpd -gq
systemctl start ntpd
```