NTP

{{From|http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch24_:_The_NTP_Server}}  
[[Category:服务器]]

Latest revision as of 17:31, 17 January 2012 (Tue)




= Introduction =

The Network Time Protocol (NTP) is a protocol used to help synchronize your Linux system's clock with an accurate time source. There are public NTP sites that allow anyone to synchronize with them. They are divided into two types:

* Stratum 1: NTP sites using an atomic clock for timing.
* Stratum 2: NTP sites with slightly less accurate time sources.

It is good practice to have at least one server on your network be the local time server for all your other devices. This makes the correlation of system events on different systems much easier. It also reduces Internet bandwidth usage due to NTP traffic and reduces the need to manage firewall rules for each NTP client on your network. Sometimes not all your servers will have Internet access; in such cases you'll need a central server that all of them can reach.

For a list of available Stratum 1 and 2 servers, consult http://www.ntp.org/


= Download and Install the NTP Package =

Most RedHat and Fedora Linux software products are available in RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", has all the details.

When searching for the file, remember that the NTP RPM's filename usually starts with the word ntp followed by a version number, as in ntp-4.1.2-5.i386.rpm.

== The /etc/ntp.conf File ==

The /etc/ntp.conf file is the main configuration file for Linux NTP, in which you place the IP addresses of the stratum 1 and stratum 2 servers you want to use. Here are the steps to create a configuration file using a pair of sample Internet-based NTP servers:

1) First, specify the servers you're interested in:
<pre>server  otherntp.server.org     # A stratum 1 server at server.org
server  ntp.research.gov        # A stratum 2 server at research.gov
</pre>
2) Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server:
<pre>restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery
</pre>
The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP address of the remote NTP servers.

3) If this server is also going to provide time for other computers, such as PCs, other Linux servers and networking devices, then you'll have to define the networks from which this server will accept NTP synchronization requests. You do so with a modified restrict statement that drops the noquery keyword, so that the network may query your NTP server. The syntax is:
<pre>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
</pre>
In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

4) We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access, without any restricting keywords:
<pre>restrict 127.0.0.1
</pre>
5) Save the file and restart NTP for these settings to take effect. You can now configure other Linux hosts on your network to synchronize with this new master NTP server in a similar fashion.
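As an added example (not part of the original chapter and not code from the ntp project), here is a small Python audit of the restrict statements that the steps above produce. It assumes the classic ntpd syntax shown on this page, `restrict <address> [mask <mask>] [keywords]`. The sample configuration is constructed from the lines in steps 1 to 4 plus the keyword-less client line that the Fedora Core 2 troubleshooting section shows later; the check for a `restrict default` line goes beyond the chapter (its configuration has none), and the severity labels, messages and function names are mine.

```python
"""Audit restrict statements in an ntp.conf (added example, not from the original chapter).

Assumes classic ntpd syntax as shown on this page:
    restrict <address> [mask <mask>] [keywords...]
"""
import ipaddress

# Keywords that limit what a matched peer may do with this server.
PROTECTIVE = ("nomodify", "notrap", "noquery")


def parse_restrict(line):
    """Parse one restrict line into (address, mask, flags); None for any other line."""
    tokens = line.split("#", 1)[0].split()          # drop trailing comments
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    address, rest = tokens[1], tokens[2:]
    mask = None
    if len(rest) >= 2 and rest[0] == "mask":
        mask, rest = rest[1], rest[2:]
    return address, mask, frozenset(rest)


def is_single_host(address, mask):
    """True when the statement covers one address: no mask, a /32 mask, or a hostname."""
    if mask in (None, "255.255.255.255"):
        return True
    try:
        network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    except ValueError:
        return True                                  # hostname: ntpd resolves it to one address
    return network.num_addresses == 1


def audit_ntp_conf(text):
    """Return (severity, line_no, message) tuples; line_no 0 means 'whole file'."""
    findings = []
    has_default = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_restrict(raw)
        if parsed is None:
            continue
        address, mask, flags = parsed
        if address == "default":
            has_default = True
            missing = [k for k in PROTECTIVE if k not in flags]
            if missing and "ignore" not in flags:
                findings.append(("warn", line_no, f"restrict default lacks {' '.join(missing)}"))
            continue
        if address in ("127.0.0.1", "::1"):
            continue                                 # step 4 gives localhost full access on purpose
        single = is_single_host(address, mask)
        scope = address if single else f"{address} mask {mask}"
        if "nomodify" not in flags:
            findings.append(("warn", line_no, f"{scope}: peers may modify run-time configuration"))
        if not single and "noquery" not in flags:
            findings.append(("info", line_no, f"{scope}: status queries (ntpq/ntpdc) allowed from this network"))
    if not has_default:
        findings.append(("warn", 0, "no 'restrict default' line: addresses matched by no statement get full access"))
    return findings


# Constructed from the configuration lines in steps 1 to 4 above, plus the
# keyword-less client line shown later for Fedora Core 2.
SAMPLE_CONF = """\
server  otherntp.server.org     # A stratum 1 server at server.org
server  ntp.research.gov        # A stratum 2 server at research.gov
restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
#-- CLIENT NETWORK -------
#restrict 172.16.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 172.16.1.0 mask 255.255.255.0
"""

# A default rule that closes the gap the audit reports for SAMPLE_CONF.
HARDENED_CONF = SAMPLE_CONF + "restrict default nomodify notrap noquery\n"

if __name__ == "__main__":
    for severity, line_no, message in audit_ntp_conf(SAMPLE_CONF):
        print(f"[{severity}] line {line_no}: {message}")
```

Run it as a script to see the report for the sample file: the 192.168.1.0 network is reported only at "info" level because step 3 drops noquery deliberately, the keyword-less 172.16.1.0 line is the one that lets clients modify the server, and the missing `restrict default` line is what HARDENED_CONF adds.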

= How To Get NTP Started =

You have to restart the NTP process every time you make a change to the configuration file for the changes to take effect on the running process.

To get NTP configured to start at boot, use the line:
<pre>[root@bigboy tmp]# chkconfig ntpd on
</pre>
To start, stop and restart NTP after booting, follow these examples:
<pre>[root@bigboy tmp]# service ntpd start
[root@bigboy tmp]# service ntpd stop
[root@bigboy tmp]# service ntpd restart
</pre>

= Testing and Troubleshooting NTP =

After configuring and starting NTP, you should test it to make sure it is working. Here are some guidelines you can follow to get NTP working correctly.

== Verifying NTP Is Running ==

To test whether the NTP process is running, use the command:
<pre>[root@bigboy tmp]# pgrep ntpd
</pre>
You should get a response of plain old process ID numbers.


== Doing an Initial Synchronization ==

If the time on the local server is very different from that of its primary time server, your NTP daemon will eventually terminate itself, leaving an error message in the /var/log/messages file. You should run the ntpdate -u command to force your server to become instantly synchronized with its NTP servers before starting the NTP daemon for the first time. The ntpdate command doesn't run continuously in the background; you will still have to run the ntpd daemon to get continuous NTP updates.

Take a look at some sample output of the ntpdate command, in which a server whose initial time was set to midnight was correctly set to 8:03 am.

* The date was originally set to midnight, which was verified by using the date command.
<pre>[root@smallfry tmp]# date
Thu Aug 12 00:00:00 PDT 2004
[root@smallfry tmp]#
</pre>
* The ntpdate command is run three times to synchronize smallfry's clock to server 192.168.1.100, but it must be run while the ntpd process is stopped. So you'll have to stop ntpd, run ntpdate and then start ntpd again.
<pre>[root@smallfry tmp]# service ntpd stop
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:38 ntpdate[2472]: step time server 192.168.1.100 offset 28993.084943 sec
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:40 ntpdate[2472]: step time server 192.168.1.100 offset 2.467652 sec
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:42 ntpdate[2472]: step time server 192.168.1.100 offset 0.084943 sec
[root@smallfry tmp]# service ntpd start
[root@smallfry tmp]#
</pre>
* The date is now corrected.
<pre>[root@smallfry tmp]# date
Thu Aug 12 08:03:45 PDT 2004
[root@smallfry tmp]#
</pre>
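As an added example, not from the original chapter: a Python check that reads the ntpdate lines above and relates the reported offsets to ntpd's default panic threshold of 1000 seconds (ntpd exits rather than stepping the clock when the initial offset exceeds it, unless started with -g), which is the termination the text describes. The log text is copied from the smallfry session above; the threshold constant, the 0.5 s convergence tolerance and the helper names are mine.

```python
"""Relate ntpdate step offsets to ntpd's panic threshold (added example, not from the chapter)."""
import re

# ntpd's default panic threshold: an initial offset larger than this makes the
# daemon exit instead of stepping the clock, unless it is started with -g.
PANIC_THRESHOLD_SEC = 1000.0

# Matches both "step time server" and "adjust time server" lines from ntpdate.
STEP_RE = re.compile(r"ntpdate\[\d+\]: (step|adjust) time server (\S+) offset (-?\d+\.\d+) sec")


def step_offsets(log_text):
    """Return (server, offset_seconds) for each clock adjustment ntpdate reported."""
    return [(m.group(2), float(m.group(3))) for m in STEP_RE.finditer(log_text)]


def would_ntpd_panic(offset_sec, threshold=PANIC_THRESHOLD_SEC):
    """True when ntpd, started with this initial offset, would refuse to step and exit."""
    return abs(offset_sec) > threshold


def converged(offsets, tolerance_sec=0.5):
    """True when the last reported offset is within tolerance of the server (assumed limit)."""
    return bool(offsets) and abs(offsets[-1][1]) <= tolerance_sec


def summarize(log_text):
    """Report whether ntpd could have started before and after the ntpdate runs."""
    offsets = step_offsets(log_text)
    return {
        "servers": sorted({server for server, _ in offsets}),
        "offsets": [offset for _, offset in offsets],
        "panic_before": bool(offsets) and would_ntpd_panic(offsets[0][1]),
        "panic_after": bool(offsets) and would_ntpd_panic(offsets[-1][1]),
        "converged": converged(offsets),
    }


# Copied from the smallfry session above.
NTPDATE_LOG = """\
12 Aug 08:03:38 ntpdate[2472]: step time server 192.168.1.100 offset 28993.084943 sec
12 Aug 08:03:40 ntpdate[2472]: step time server 192.168.1.100 offset 2.467652 sec
12 Aug 08:03:42 ntpdate[2472]: step time server 192.168.1.100 offset 0.084943 sec
"""

if __name__ == "__main__":
    print(summarize(NTPDATE_LOG))
```

The first run reports an offset of almost 29000 seconds, far past the threshold, which is why starting ntpd without the ntpdate step would have ended with the daemon terminating; after the third run the clock is within a tenth of a second and ntpd can take over.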


== Determining If NTP Is Synchronized Properly ==

Use the ntpq command to see the servers with which you are synchronized. It provides you with a list of configured time servers and the delay, offset and jitter that your server is experiencing with them. For correct synchronization, the delay and offset values should be non-zero and the jitter value should be under 100.
<pre>[root@bigboy tmp]# ntpq -p
</pre>
Here is some sample output of the command:
<pre>     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377   31.681  -18.549   1.572
 milo.mcs.anl.go ntp0.mcs.anl.go  2 u  818 1024  125   41.993  -15.264   1.392
-mailer1.psc.edu ntp1.usno.navy.  2 u  972 1024  377   38.206   19.589  28.028
-dr-zaius.cs.wis ben.cs.wisc.edu  2 u  502 1024  357   55.098    3.979   0.333
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347   54.127    3.379   0.047
-ntp0.cis.strath harris.cc.strat  3 u  507 1024  377  115.274   -5.025   1.642
*clock.via.net   .GPS.            1 u  426 1024  377  107.424   -3.018   2.534
 ntp1.conectiv.c 0.0.0.0         16 u    - 1024    0    0.000    0.000 4000.00
</pre>


== Your Linux NTP Clients Cannot Synchronize Properly ==

A telltale sign that you haven't got proper synchronization is when all the remote servers have jitters of 4000 with delay and reach values of 0.
<pre>     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 nist1.aol-ca.tr 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
</pre>
This could be caused by the following:

* Older versions of the NTP package that don't work correctly if you use the DNS name for the NTP servers. In these cases you will want to use the actual IP addresses instead.
* A firewall blocking access to your NTP servers. This could be located on one of the networks between the NTP server and its time source, or firewall software such as iptables could be running on the server itself.
* The notrust nomodify notrap keywords are present in the restrict statement for the NTP client. In some versions of the Fedora Core 2 implementation of NTP, clients will not be able to synchronize with a Fedora Core 2 time server unless the notrust nomodify notrap keywords are removed from the NTP client's restrict statement.

In this example the restrict statement has only the client network defined, without any keywords, and the configuration line that works with other NTP versions has been commented out:
<pre>#-- CLIENT NETWORK -------
#restrict 172.16.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 172.16.1.0 mask 255.255.255.0
</pre>
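As an added example (not from the original chapter), a Python parser for the ntpq -p peer table that applies the checks from this section and the previous one: it finds the peer ntpd has selected (tally code `*` in the first column, which ntpq always reserves for the tally), reports peers whose jitter is at or above the 100 limit the text gives, and flags the stratum 16 / reach 0 / jitter 4000 pattern described above. Both sample tables are the ones printed on this page; the function names and the diagnostic wording are mine.

```python
"""Parse 'ntpq -p' output and apply the page's synchronization checks (added example)."""

# Tally codes ntpq prints in the first column of each peer line.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "#": "backup",
         "x": "falseticker", ".": "excess", " ": "discarded"}


def parse_ntpq_peers(text):
    """Turn the peer table into dicts; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("remote", "=")):
            continue
        # ntpq reserves column 1 for the tally code (a space when the peer was discarded).
        if line[0] in TALLY and line[0] != " ":
            tally, body = line[0], line[1:]
        else:
            tally, body = " ", line
        fields = body.split()
        if len(fields) < 10:
            continue
        remote, refid, st, typ, when, poll, reach, delay, offset, jitter = fields[:10]
        peers.append({
            "tally": tally, "remote": remote, "refid": refid,
            "stratum": int(st), "type": typ, "when": when, "poll": int(poll),
            "reach": int(reach, 8),          # ntpq prints the reach register in octal
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers


def system_peer(peers):
    """Remote name of the peer ntpd is synchronized to ('*' tally), or None."""
    return next((p["remote"] for p in peers if p["tally"] == "*"), None)


def unreachable_peers(peers):
    """Peers showing the tell-tale failure pattern: stratum 16, reach 0, jitter 4000."""
    return [p["remote"] for p in peers
            if p["stratum"] == 16 and p["reach"] == 0 and p["jitter"] >= 4000]


def high_jitter_peers(peers, limit=100.0):
    """Reachable peers whose jitter is at or above the limit the text gives for good sync."""
    return [p["remote"] for p in peers if p["reach"] != 0 and p["jitter"] >= limit]


def diagnose(text):
    """One-line verdict in the spirit of the troubleshooting section above."""
    peers = parse_ntpq_peers(text)
    remote = [p for p in peers if p["type"] != "l"]    # skip the local clock driver
    if remote and len(unreachable_peers(remote)) == len(remote):
        return ("not synchronized: no remote server reachable "
                "(check DNS names, UDP/123 through firewalls, restrict keywords)")
    peer = system_peer(peers)
    if peer is None:
        return "no system peer selected yet"
    return f"synchronized to {peer}"


# Both tables are copied from the ntpq -p output shown on this page.
GOOD_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377   31.681  -18.549   1.572
 milo.mcs.anl.go ntp0.mcs.anl.go  2 u  818 1024  125   41.993  -15.264   1.392
-mailer1.psc.edu ntp1.usno.navy.  2 u  972 1024  377   38.206   19.589  28.028
-dr-zaius.cs.wis ben.cs.wisc.edu  2 u  502 1024  357   55.098    3.979   0.333
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347   54.127    3.379   0.047
-ntp0.cis.strath harris.cc.strat  3 u  507 1024  377  115.274   -5.025   1.642
*clock.via.net   .GPS.            1 u  426 1024  377  107.424   -3.018   2.534
 ntp1.conectiv.c 0.0.0.0         16 u    - 1024    0    0.000    0.000 4000.00
"""

BAD_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 nist1.aol-ca.tr 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
"""

if __name__ == "__main__":
    print(diagnose(GOOD_OUTPUT))
    print(diagnose(BAD_OUTPUT))
```

Feeding it the actual command output (`ntpq -p` piped into the script) makes the check usable from a cron job or a monitoring probe; the reach register is decoded from octal so that 377 becomes 255, meaning the last eight polls all got a reply.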



== Fedora Core 2 File Permissions ==

All the Fedora/RedHat NTP daemons write temporary files to the /etc/ntp directory. Unfortunately, in Fedora Core 2 the permissions on this directory don't allow temporary files to be written there, so you have to set the group and owner of the directory to ntp:
<pre>[root@bigboy tmp]# chown ntp:ntp /etc/ntp
</pre>
If you don't, you'll get errors like this in the /var/log/messages file:
<pre>Aug 12 00:29:45 smallfry ntpd[2097]: can't open /etc/ntp/drift.TEMP: Permission denied
</pre>

= Configuring Cisco Devices To Use an NTP Server =

You can use NTP to synchronize time on a variety of devices, including networking equipment. I have included the necessary NTP commands for a variety of Cisco Systems products because it is one of the most popular manufacturers of networking equipment and features in the overall architecture of many home office/small office (SOHO) environments and corporate departments.

== Cisco IOS ==

To make your router synchronize with the NTP servers at IP addresses 192.168.1.100 and 192.168.1.201, use the commands:
<pre>ciscorouter> enable
password: *********
ciscorouter# config t
ciscorouter(config)# ntp update-calendar
ciscorouter(config)# ntp server 192.168.1.100
ciscorouter(config)# ntp server 192.168.1.201
ciscorouter(config)# exit
ciscorouter# wr mem
</pre>
The ntp server command forms a server association with another system, and ntp update-calendar configures the system to update its hardware clock from the software clock at periodic intervals.

== CATOS ==

To make your router synchronize with the NTP servers at IP addresses 192.168.1.100 and 192.168.1.201, use the commands:
<pre>ciscoswitch> enable
password: *********
ciscoswitch# set ntp client enable
ciscoswitch# ntp server 192.168.1.100
ciscoswitch# ntp server 192.168.1.201
ciscoswitch# exit
</pre>
The ntp server command forms a server association with another system, and set ntp client enable activates the NTP client.


= NTP Security =

You should always be aware of how NTP can be affected by your network's security policy. Here are some common areas of concern.

== Firewalls and NTP ==

NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn't a high port (above 1023) but 123 as well. You'll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 servers with which you are synchronizing.

A sample Linux iptables firewall script snippet is in Appendix II, "Codes, Scripts, and Configurations".

== NTP Authentication ==

There may be cases where you want not only to restrict NTP synchronization to specific networks but also to require a synchronization password. This is beyond the scope of this book, but it is covered in detail at the NTP website, www.ntp.org.

= Configuring a Windows NTP Client =

Windows clients that are part of an Active Directory domain automatically get their time synchronized from the domain server. If your client is not part of a domain, you can add your new NTP server to your Windows client. Here's how:

1. Click on the time at the bottom right-hand side of your screen.
2. Click on the "Internet Time" tab of the dialog box.
3. Tick the check box labeled "Automatically synchronize with an Internet time server" and enter the name or IP address in the box underneath it.
4. Click on the "Update Now" button.

You will get a message saying "Your time has been successfully synchronized" when the operation is complete.

= Conclusion =

It is important that all the systems under your control have the same accurate time. It can help to give a very clear indication of a chain of events that involve multiple devices, and it can also help in the synchronization of time-sensitive transactions.

Having an NTP server on your local network can make this easier to do. Sometimes it isn't desirable for all your NTP clients to have access to the Internet to synchronize with stratum 1 and 2 servers, and even when they all have access there is the risk of them losing synchronization if the central connection to the Internet is lost. The maintenance of firewall rules for multiple NTP connections to the Internet can also be daunting, especially if the management of the firewall is handled by another group.

A local NTP server can ensure that the clients all have the same time relative to the server even when Internet connectivity is temporarily lost, thereby reducing the problems of them being out of synchronization with each other. The firewall rules can also be greatly simplified. A local NTP server is frequently a good thing to have for these reasons.