Linux地NTP配置总结材料

1、Linux的NTP配置总结2015-08-20 12:29 by潇湘隐者，4678 阅读，2 评论， 收藏， 编辑在Linux系统中，为了避免主机时间因为在长时间运行下所导致的时间偏差，进行时间同步(synchronize)的工作是非常必要的。Linux系统下，一般使用 ntp服务来同步不同机器的时间。NTP是网络时间协议(Network Time Protocol )的简称，干嘛用的呢？就是通过网络协议使计算机之间的时间同步化。安装NTP包检查是否安装了 ntp相关包。如果没有安装 ntp相关包，使用rpm或yum安装，安装也非常简单方便。rootlocalhost # rpm -qa |

2、grep ntpNTP的配置A：配置 /etc/ ntp.c onfNTP Server的主要配置文件为/etc/ntp.conf ,没有修改过的ntp.conf 文件容如下所示，配置选项都有相关注释信息(Linux 版本为 Red Hat Enterprise Linux Server release 6.6)rootlocalhost # more /etc/ ntp.c onf# For more information about this file, see the man pages# n tp.c on f(5), n tp_acc(5), ntp_auth(5), n tp_c

3、lock(5), ntp_misc(5), ntp_ mon (5).driftfile /var/lib/ntp/drift# Permit time synchronization with our time source, but do not# permit the source to query or modify the service on this system.restrict default kod no modify no trap n opeer no queryrestrict -6 default kod no modify no trap n opeer no q

4、uery# Permit all access over the loopback in terface.This could# be tighte ned as well, but to do so would effect some of# the admi nistrative fun ctio ns.restrict -6 :1# Hosts on local n etwork are less restricted.#restrict mask nomodify notrap# Use public servers from the

5、 pool. project.# Please con sider joi ning the pool (.pool. /joi n.html).server 0.rhel.pool. iburstserver 1.rhel.pool. iburstserver 2.rhel.pool. iburstserver 3.rhel.pool. iburst# broadcast server# broadcast clie nt# multicast server# multicast clie nt#

6、many cast serverbroadcast 55 autokey#broadcastclie nt #broadcast autokey#multicastclie nt #ma ny castserver 54 #many castclie nt 54 autokey # ma nycast clie nt# En able public key cryptography.#cryptoin cludefile /etc/ ntp/crypto/pw# Key file

7、containing the keys and key identifiers used when operating# with symmetric key cryptography.keys /etc/ ntp/keys# Specify the key ide ntifiers which are trusted.#trustedkey 4 8 42# Specify the key ide ntifier to use with the n tpdc utility.#requestkey 8# Specify the key ide ntifier to use with the n

8、 tpq utility.#con trolkey 8# En able writi ng of statistics records.#statistics clockstats cryptostats loopstats peerstats各个选项信息：#系统时间与BIOS事件的偏差记录driftfile /etc/ntp/driftrestrict控制相关权限。语法为：restrict IP 地址mask子网掩码参数其中IP地址也可以是default ， default就是指所有的IP参数有以下几个：ign ore:关闭所有的NTP联机服务nomodify :客户端不能更改服务端的时间参

9、数，但是客户端可以通过服务端进行网络校时。notrust :客户端除非通过认证，否则该客户端来源将被视为不信任子网noquery :不提供客户端的时间查询：用户端不能使用ntpq， ntpc等命令来查询ntp服务器notrap :不提供trap远端登陆：拒绝为匹配的主机提供模式6控制消息陷阱服务。陷阱服务是ntpdq控制消息协议的子系统，用于远程事件日志记录程序。nopeer :用于阻止主机尝试与服务器对等，并允许欺诈性服务器控制时钟kod :访问违规时发送 KoD包。restrict -6 表示IPV6地址的权限设置。1设定NTP主机来源（其中prefer表示优先主机），192.168.7.

10、49 是本地的NTP服务器，所以优先指定从该主 机同步时间。server 9 preferserver O.rhel.pool. iburstserver 1.rhel.pool. iburstserver 2.rhel.pool. iburstserver 3.rhel.pool. iburst* Permit a.11 access over the loopback interface. Thi苦 could# be tightened as ure 11, but to do so vould eff

11、ect same of t the adninistrative functioriE-reitiict 127- 0. 0.1restrict -6 : 1# Hosts on lccal network are less rtsirict&df restrict 192- 16S, 1, 0 mask 25E- 255. 255. 0 nonLodify not rap址 Use public servers口m the poiol- rttp. org projecif Please consider joining the pflpl server server server serv

12、erserver192. 168. 7. 49 preferCL rhelpool. ntp. org： 1 rhel poo丄.rrtp or2. rhelpool n-tp., 匚3, rhelpool rftp- ougiturs il)ursti burst#broadeast 1S2, 168. 1.255 ant ckeyHtb r o adc ast c11antSbroadcast 224. 0. 1. 1 utokey尊Multicast client 224, C, l 1#frjuanycast server 為乳黄5 2同#m.aiiyc as t client254.

13、 2E4 auto key #braadast tiraadcast mult icagtservermuHicast clientmanycast server manygast client2:限制你允许的这些服务器的访问类型，在这个例子中的服务器是不容许修改运行时配置或查询您的Linux NTP服务器restrict mask notrust nomodify notrap在上例中，掩码地址扩展为255，因此从-54 的服务器都可以使用我们的NTP服务器来同步时间#此时表示限制向从 192.1

14、68.0.1-54 这些IP段的服务器提供 NTP服务。restrict mask notrust nomodify notrap noquery#设置默认策略为允许任何主机进行时间同步restrict default ignore3:确保localhost(这个常用的IP地址用来指Linux服务器本身)有足够权限.使用没有任何限制关键词的语法：restrict -6 :1B：配置 /etc/ntp/stpe-tickers文件修改/etc/ntp/stpe-tickers 文件，容如下(当 ntpd服务启动时，会自动与

15、该文件中记录的上层NTP服务进行时间校对)rootlocalhost n tp# more /etc/ ntp/step-tickers# List of servers used for in itial synchroni zati on.rootlocalhost n tp# vi /etc/ ntp/step-tickers# List of servers used for in itial synchroni zati on.server 9 preferserver 0.rhel.pool. server 1.rhel.pool. ntp.or

16、gserver 2.rhel.pool. server 3.rhel.pool. 关于 ntp.conf and step-tickers区另U：step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. nt pdate is in itially run to set the clock before n tpd to make sure time is with in 1000 sec. ntp will not run if

17、the time difference between the server and client by more then 1000 sec ( or there abou t). The start up script will read step-tickers for servers to be polled by n tpdate.C:配置 /etc/sysconfig/ntpd文件ntp服务，默认只会同步系统时间。如果想要让ntp同时同步硬件时间，可以设置/etc/sysconfig/ntpd文件，在/etc/sysco nfig/ntpd文件中，添加 SYNC_HWCLOCK=y

18、e这样，就可以让硬件时间与系统时间一起同步。#允许BIOS与系统时间同步，也可以通过hwclock -w 命令SYNC_HWCLOCK=yesIPTABLES 配置由于NTP服务需要使用到 UDP端口号123,所以当系统的防火墙(Iptables )启动的情况下，必须开放UDP端口号123。rootlocalhost # /etc/init.d/iptables statusTable: filterChain INPUT (policy ACCEPT)numtargetprot optsourcedestination1ACCEPTallstate RELATED,ESTABLISHED2A

19、CCEPTicmp3ACCEPTall4ACCEPTtcpstate NEW tcp dpt:225REJECTallreject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)num targetprot opt sourcedestinationreject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT)num targetprot opt sourcedestinationrootlocalhost rootlocalhost Table: filter# /sbin

20、/iptables -I INPUT -p udp -dport 123 -j ACCEPT# /etc/init.d/iptables statusnumtargetprot opt sourcedestination1ACCEPTudp2ACCEPTall3ACCEPTicmp4ACCEPTall5ACCEPTtcp6REJECTallChain INPUT (policy ACCEPT)bitedudp dpt:123state RELATED,ESTABLISHEDstate NEW tcp dpt:22 reject-with icmp-host-prohiChain FORWARD

21、 (policy ACCEPT)num targetprot opt sourcedestination1REJECTbitedreject-with icmp-host-prohiChain OUTPUT (policy ACCEPT) num targetprot opt sourcedestinationrootlocalhost #J* /etc/initp d/iptablesat us1Tab 1 e; iLterICham INPUT (policy JVCCEPT)num t argetprot opt sourcedetiat ion1ACCEPTall H EL 0- 0/

22、0lj. 0. 0. 0/0state EELATED,ESTABLISHED2ACCEPTlcjilp 0. D. 0- 0/00.0. 0. 0/03JUCCEPTall 0i. 0.0-0/00.0. 0. 0/04ACCEPTt cp -一 0, 0. 0_ 0/ 0O.D. 0. 0/0st at e NEW t cp dpt: 225KEIEGTall 0. Q. D.0.0. 0. 0/0raj ectwith icmp-host-prohibitcdChain FORWARD(policy ACCEPT)run targfetprot cpt sourcedest i_nat

23、ion1EEJECTall 一 D. 0. 0-0/0C.O. 0. 0/0rej e ctwith i cnphost prohxbit edCham OUTPUT(policy MCEFT)nun largertprot opt sourceiest in at ionroot local ho st S /sb in/ip tab les -I IKPUT -p udp 一ilpcrt123 -j ACCEPT1 roolSlocalhost/etc/imt. d/ipt alliesst at us1 Table; filterICham INPUT朋CEPT)nun targetpr

24、ot ept sourcedeatinat ion1ACCEPT口屯一0. 1. CL /C.O. 0. 0/0udp dpt:1232DECEITall =IL U. LL LJ/UU.E. U. U/Ustite KEL ATED, ES TABLI SHED3ACCEPTicuLp 0. 0. 0- 0/0C.O. 0. 0/04ACCEPTall 一 0.0. 0.0/0C_ 0. 0. 0/05ACCEPTtcp -一 0, 0, 0- 0/00.0. 0. 0/0、st at e MEW t 口 dpt ； 22SREJECTall 1 0,山 0/00-0. o. o/orohi

25、bit cdChain FORWARD(policy ACCEPT)韦弓月nun. ,+ arg&+prot cpt sourcedest mat ion1REJECTall 一 0.0. 0-0/0C.O. 0. 0/0rej ectwi七11 i cmphost-prohxbit edChaiTi OUTPUT(policy ACCEPT)nun targertprot opt sourcetisstinat ion如果防火墙没有开放UDP端 口号123，有可能出现下面情况。rootlocalhost # /usr/sbin/ntpq -c rv | grep stratumstratum

26、=16, precisi on=-24, rootdelay=0.000, rootdisp=3.525, refid=INIT,rootlocalhost#A stratum level of 16 in dicates that NTP is not syn chro nizing correct ly.If a stratum level of 16 is detected, wait 15 minu tes and issue the comma nd aga in. It may take this long for the NTP server to stabilize.If NT

27、P con tin ues to detect a stratum level of 16, verify that the NTP port (UDP Port 123) is open on all firewalls between the cluster and the remote machine you are attempting to synchron ize to.启动NTP服务rootlocalhost n tpd is stopped rootlocalhost Starti ng n tpd: rootlocalhost # service n tpd status#

28、service n tpd start OK #service n tpd status service n tpd start service n tpd stop service n tpd restart#查看ntpd服务状态#启动ntpd服务#停止ntpd服务#重启ntpd服务检查ntp服务是否开机启动，将其设置为开机启动。rootlocalhost # chkc onfig -list n tpd ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off rootlocalhost # runl evelrootlocalhost # chkcon

29、fig ntpd on #在运行级别 2、3、4、5 上设置为自动运行rootlocalhost # chkc onfig -list n tpdntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:offrootlocalhost #如果要设置在运行级别上自动运行，可以使用下面命令chkc onfig -level 345 n tpd on可以用下面命令检测NTP服务是否运行rootlocalhost # pgrep n tpd26392641rootlocalhost # netstat -tlunp | grep ntp#如果看到 123 端口，说明 ntp 服务

30、成功启动。udp00 24:1:*2639/ntpdudp00 :1:*2639/ntpdudp00 :123*2639/ntpdudp00 fe80:250:56ff:feb3:b5:123*2639/ntpdudp00 :1:123*2639/ntpdudp00 :123*2639/ntpdrootlocalhost #Lr o otSlocalhos 七s e rvx c e nrt pd st at henrtpd ise+ oppedr ootlocalhcstT#service jitpdar

31、tSt a rt ingntpd: 1oy JLrootlocalhostpgrep ntpd26392641Lr oolSlacalhcstnet st atlunp | grep ntpud.p00192. 168. 7.224: 1230. Q, 0,D：ud.pD0127. . 0. 1:1230. 0. 0. 0:*dp000. 0. 0. 0; 1230. 0. 0. 0;*nip00fe30;:250:56ff:fBb3:b5;t23ud.p00;:*udp00；:123:*fcroolloc atlhio s 七爭2639/ntpd 2533/ntpd 2633/ rrtpd

32、2633/ntpd、2033/ntpd查看ntp服务器有无和上层ntp连通rootlocalhost # n tpstatsynchronised to NTP server (9) at stratum 6 time correct to within 440 mspoll ing server every 128 srootlocalhost #查看ntp服务器与上层ntp的状态rootlocalhost remote ter# n tpq -prefidst t whe n poll reachdelayoffsetjit5 u136435.85311371782.

33、696rootlocalhost # n tpq -premoterefidst t whe n poll reachdelayoffsetjitter5 u176435.85311371782.696rootlocalhost # n tpq -premoterefidst t whe n poll reachdelayoffsetjitter5 u16410.937-9.5700.000QroolOlocalhost 曲 rrtpq -premoterefrilst + wtien poll reach d巳lay uJfset jilzter192, 168,7.49l?2. 163.

34、7, 505 n 13643 E. SE3 11371732,696CraotOlocalhost t rrtpq -pxemoterefidst t vhen poll x&ach delay!S132, 168.7.40L32. 168. 7.50 B ti 176436.85311371732.60SLrf-utl&ralhot 北 dateremote -本机和上层ntp的ip或主机名，+”表示优先，*”表示次优先refid-参考上一层ntp主机地址st-stratum 阶层whe n多少秒前曾经同步过时间poll下次更新在多少秒后reach已经向上层ntp服务器要求更新的次数delayoffsetjitter系统时间与bios时间差要查看ntpd进程的状态，请运行以下命令，按Ctrl+C 停止查看进程。网络延迟时间补偿rootilocalhcst ff v