Network time service and chrony

Firewall (iptables), SELinux and time synchronization are the basics of configuring a host

Initialization:

  1. Disable SELinux
  2. Disable iptables and firewalld
  3. Configure chrony

Time synchronization

NTP (Network Time Protocol) is a protocol used to synchronize the clocks of the computers on a network. Its purpose is to synchronize a computer's clock to Coordinated Universal Time (UTC); its accuracy is within 0.1 ms on a LAN and 1-50 ms in the vast majority of places on the Internet.
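The accuracy above comes from the four-timestamp exchange of RFC 5905: the client records when it sent the request (t1) and when the reply arrived (t4), and the server stamps the packet with when it received the request (t2) and when it answered (t3). The Python below is an added example, not code from the original post: it builds a constructed server reply, parses it the way ntpd or chronyd would, applies the basic sanity checks a client performs before trusting a reply (mode, leap indicator, stratum, echoed originate timestamp) and computes the clock offset and round-trip delay. All function names and the timestamps are my own; the refid bytes are the upstream address shown in the ntpq output later on this page.

```python
"""Minimal NTPv4 (RFC 5905) packet parser plus the offset/delay computation
an NTP client performs. Added example; the server reply built here is constructed."""
import struct

NTP_UNIX_EPOCH_DIFF = 2_208_988_800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
PACKET_LEN = 48                        # header only, no MAC or extension fields


def unix_to_ntp(t):
    """Unix time (float seconds) -> 64-bit NTP timestamp as (seconds, fraction)."""
    secs = int(t)
    frac = min(int(round((t - secs) * 2**32)), 2**32 - 1)
    return secs + NTP_UNIX_EPOCH_DIFF, frac


def ntp_to_unix(secs, frac):
    return secs - NTP_UNIX_EPOCH_DIFF + frac / 2**32


def build_server_reply(stratum, refid, originate, receive, transmit, leap=0):
    """Build a mode-4 (server) reply. 'originate' is the client's own transmit time,
    echoed back unchanged; receive/transmit are the server's timestamps."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4                      # LI, version 4, mode 4
    hdr = struct.pack("!BBbbII", li_vn_mode, stratum, 6, -20, 0, 0)  # poll 2^6, precision 2^-20, root delay/dispersion 0
    hdr += refid.ljust(4, b"\0")[:4]
    stamps = (receive - 64, originate, receive, transmit)         # reference, originate, receive, transmit
    return hdr + b"".join(struct.pack("!II", *unix_to_ntp(t)) for t in stamps)


def parse_ntp_packet(data):
    if len(data) < PACKET_LEN:
        raise ValueError("NTP packet must be at least 48 bytes")
    li_vn_mode, stratum, poll, precision, rdelay, rdisp = struct.unpack("!BBbbII", data[:12])
    ts = struct.unpack("!8I", data[16:48])
    return {
        "leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": rdelay / 65536, "root_dispersion": rdisp / 65536,   # 16.16 fixed point
        "refid": data[12:16],
        "reference": ntp_to_unix(*ts[0:2]), "originate": ntp_to_unix(*ts[2:4]),
        "receive": ntp_to_unix(*ts[4:6]), "transmit": ntp_to_unix(*ts[6:8]),
    }


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire formulas: t1 client send, t2 server receive,
    t3 server send, t4 client receive (all in seconds)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2    # client clock behind (+) or ahead (-) of the server
    delay = (t4 - t1) - (t3 - t2)           # round trip minus the server's processing time
    return offset, delay


def check_reply(pkt, sent_at):
    """The sanity checks ntpd/chronyd apply before trusting a reply."""
    problems = []
    if pkt["mode"] != 4:
        problems.append("not a server reply (mode %d)" % pkt["mode"])
    if pkt["version"] not in (3, 4):
        problems.append("unexpected version %d" % pkt["version"])
    if pkt["leap"] == 3:
        problems.append("server clock unsynchronized (LI=3)")
    if not 1 <= pkt["stratum"] <= 15:
        problems.append("stratum %d unusable (0 = kiss-o'-death, 16 = unsynchronized)" % pkt["stratum"])
    if abs(pkt["originate"] - sent_at) > 1e-6:
        problems.append("originate timestamp does not match our request (unsolicited or replayed reply)")
    return problems


def demo():
    """Constructed exchange: request sent at t1, received by the server 10 ms later,
    answered 2 ms after that, reply arriving at the client 30 ms after t1."""
    t1 = 1_591_149_557.0
    reply = build_server_reply(2, b"\x0a\x89\x35\x07", t1, t1 + 0.010, t1 + 0.012)  # refid 10.137.53.7
    t4 = t1 + 0.030
    pkt = parse_ntp_packet(reply)
    problems = check_reply(pkt, t1)
    offset, delay = offset_and_delay(pkt["originate"], pkt["receive"], pkt["transmit"], t4)
    return pkt["stratum"], problems, offset, delay


if __name__ == "__main__":
    print(demo())   # (2, [], about -0.004, about 0.028)
```

With the constructed timestamps the client clock is 4 ms ahead of the server and the round trip takes 28 ms, which is the kind of correction the `offset` column of `ntpq -p` or `chronyc sources` shows; the originate check is what stops a daemon from accepting replies it never asked for.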

Time synchronization tools

  • ntp: accuracy within 0.1 ms on a LAN and 1-50 ms on the Internet, but it takes a long time to synchronize, adjusting the clock gradually

  • chrony: software implementing the NTP protocol; accuracy between two machines over the Internet is a few milliseconds, and on a LAN tens of microseconds. Bundled with the system from CentOS 7 onward

  • Both are in essence client and server at once; the client runs continuously

Difference between the clock and date commands:

  • clock shows the hardware clock

  • date shows the operating system time; when no network time is configured, date reads the hardware clock

NTP

[Figure: ntp stratum levels]

The NTP service provides time synchronization using the NTP protocol

NTP service installation

yum install ntp -y

NTP configuration

Back up the configuration file

[root@localhost ~]#cp /etc/ntp.conf{,.bak}
[root@localhost ~]#ls /etc/ntp.conf*
/etc/ntp.conf  /etc/ntp.conf.bak

View the configuration file

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# Do not allow other hosts to query or modify this host's NTP service
# restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1

# Hosts on local network are less restricted.
# Allow other machines on the LAN to synchronize time from this host
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# Specify the Internet time servers to synchronize with; iburst speeds up initial synchronization
# server 0.centos.pool.ntp.org iburst
# server 1.centos.pool.ntp.org iburst
# server 2.centos.pool.ntp.org iburst
# server 3.centos.pool.ntp.org iburst

# For other hosts to synchronize with this host, point them at this host's IP

# Synchronize with Alibaba Cloud's NTP servers instead
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Allow the upstream time servers to adjust this host's clock, but not to query or modify ntpd
restrict time1.aliyun.com  nomodify notrap noquery
restrict ntp1.aliyun.com  nomodify notrap noquery

# When the external time servers are unreachable, serve the local clock as the time source
server  127.127.1.0    
fudge   127.127.1.0 stratum 10

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

The iburst option

# Sends a burst of 8 packets at once when a server is first contacted, so the initial synchronization completes faster

Start the ntp service

[root@localhost ~]#service ntpd status
Redirecting to /bin/systemctl status ntpd.service
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[root@localhost ~]#chkconfig ntpd on
Note: Forwarding request to 'systemctl enable ntpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.

[root@localhost ~]#service ntpd start
Redirecting to /bin/systemctl start ntpd.service

[root@localhost ~]#service ntpd status
Redirecting to /bin/systemctl status ntpd.service
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-06-03 09:59:17 CST; 2s ago
  Process: 9790 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 9793 (ntpd)
    Tasks: 1
   CGroup: /system.slice/ntpd.service
           └─9793 /usr/sbin/ntpd -u ntp:ntp -g

Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen and drop on 1 v6wildcard :: UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 3 ens33 192.168.33.128 UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 4 virbr0 192.168.122.1 UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 5 lo ::1 UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 6 ens33 fe80::298d:cfea:e788:42...123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listening on routing socket on fd #23 for interfac...tes
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: 0.0.0.0 c016 06 restart
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: 0.0.0.0 c011 01 freq_not_set
Hint: Some lines were ellipsized, use -l to show in full.


Set ntpd to start at boot

[root@localhost ~]#systemctl enable ntpd

Check the synchronization status

[root@localhost ~]#ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*120.25.115.20   10.137.53.7      2 u    5   64    1   18.014   -7.647   0.454
# A leading * means this is the peer we are synchronized to

Stop the ntp service

[root@localhost ~]#service ntpd stop

chrony

[Figure: chrony-1]

chrony is open source free software that keeps the system clock synchronized with NTP time servers so that the time stays accurate.

It consists of two programs: chronyd and chronyc.

chronyd is a daemon that runs in the background and adjusts the system clock maintained by the kernel so that it stays synchronized with time servers. It determines the rate at which the computer's clock gains or loses time and compensates for it.

chrony is the time synchronization software bundled with CentOS 7.x

Configure the chrony service so that the server's time is synchronized automatically

chrony service installation

# Check whether chrony is installed
[root@localhost ~]#rpm -q chrony
chrony-3.4-1.el7.x86_64

# If it is not, install it directly
yum install chrony -y

Check the current status of the chrony service (the unit is named chronyd, not chrony, which is why the first attempt below fails)

[root@localhost ~]#systemctl status chrony
Unit chrony.service could not be found.

Start the chrony service

[root@localhost ~]#systemctl start chronyd

Enable it at boot

[root@localhost ~]#systemctl enable chronyd

Service unit file

/usr/lib/systemd/system/chronyd.service

Listening ports (123/udp is NTP; 323/udp is the local chronyc command socket)

323/udp
123/udp

Configuration file

/etc/chrony.conf

chrony service configuration

The chrony service uses the configuration file /etc/chrony.conf, whose format is similar to the ntp configuration file.

Back up the configuration file

[root@localhost ~]#cp /etc/chrony.conf{,.bak}
[root@localhost ~]#ls /etc/chrony.conf*
/etc/chrony.conf  /etc/chrony.conf.bak

View the configuration file contents

[root@localhost ~]#vim /etc/chrony.conf

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
# Which NTP clients may use this host as a time server. Without the 'local'
# directive below, this host stops serving time when it cannot sync with Internet servers.
allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
# With this, the host keeps acting as a time server (at stratum 10) even when
# its Internet connection is lost.
local stratum 10

# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking
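Both configuration files above decide who may talk to the daemon: in ntp.conf the `restrict default` line (commented out in the listing) and `disable monitor` (the monlist amplification issue, CVE-2013-5211, is mentioned in the file itself); in chrony.conf the `allow`/`cmdallow` ranges, `local` and `keyfile`. The Python below is an added example, not code from the page or from the ntp/chrony projects: it parses the active directives of each file and reports the weak settings. The two embedded configs are constructed from the listings on this page and all function names are my own.

```python
"""Audit ntp.conf and chrony.conf for the access-control settings discussed above.
Added example; the two embedded configs are constructed from the listings on this page."""
import ipaddress

NTP_CONF_PAGE = """
driftfile /var/lib/ntp/drift
# restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
restrict ntp1.aliyun.com nomodify notrap noquery
server 127.127.1.0
fudge 127.127.1.0 stratum 10
disable monitor
"""

CHRONY_CONF_PAGE = """
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow 192.168.0.0/16
local stratum 10
#keyfile /etc/chrony.keys
logdir /var/log/chrony
"""


def directives(text):
    """Yield (keyword, args) for every active line; '#' starts a comment in both formats."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            yield key.lower(), args


def audit_ntp_conf(text):
    findings, restricts, sources, monitor_off = [], {}, [], False
    for key, args in directives(text):
        if key == "restrict" and args:
            if args[0] in ("-4", "-6"):        # address-family form: restrict -6 default ...
                args = args[1:]
            restricts[args[0]] = set(args[1:])
        elif key in ("server", "peer", "pool") and args:
            sources.append(args[0])
        elif key == "disable" and "monitor" in args:
            monitor_off = True
    default = restricts.get("default")
    if default is None:
        findings.append("no active 'restrict default' line: any host may query and reconfigure ntpd")
    elif "ignore" not in default:
        findings += ["'restrict default' lacks %s" % f
                     for f in ("noquery", "nomodify", "notrap", "nopeer") if f not in default]
    if not monitor_off and (default is None or "noquery" not in default):
        findings.append("monlist reachable and 'disable monitor' missing: amplification risk (CVE-2013-5211)")
    if not [s for s in sources if not s.startswith("127.127.")]:
        findings.append("no upstream source configured, only the local clock driver")
    return findings


def _target(args):
    """'allow'/'cmdallow' forms: bare, 'all', 'all <subnet>', '<subnet>'."""
    if not args or (args[0] == "all" and len(args) == 1):
        return "all"
    return args[1] if args[0] == "all" else args[0]


def _is_whole_internet(spec):
    if spec == "all":
        return True
    try:
        return ipaddress.ip_network(spec, strict=False).prefixlen == 0
    except ValueError:          # chrony also accepts partial forms such as '192.168'
        return False


def audit_chrony_conf(text):
    findings, allows, cmdallows, local, keyfile = [], [], [], False, False
    for key, args in directives(text):
        if key == "allow":
            allows.append(_target(args))
        elif key == "cmdallow":
            cmdallows.append(_target(args))
        elif key == "local":
            local = True
        elif key == "keyfile":
            keyfile = True
    for a in allows:
        if _is_whole_internet(a):
            findings.append("'allow %s' serves NTP to every address" % a)
    for a in cmdallows:
        if _is_whole_internet(a):
            findings.append("'cmdallow %s' exposes the chronyc command port (323/udp) to every address" % a)
    if local and allows:
        findings.append("'local' with 'allow': clients receive this host's free-running clock "
                        "whenever the upstream servers are unreachable")
    if allows and not keyfile:
        findings.append("serving clients without 'keyfile': clients cannot authenticate replies")
    return findings
```

Run against the page's ntp.conf it reports only the missing `restrict default` line (the file does have `disable monitor`); against the page's chrony.conf it reports the `local`+`allow` combination, which is exactly the behaviour the comment in the file describes, and the absence of authentication keys. Neither is necessarily wrong for an internal time server, but both are decisions worth making on purpose.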

Check the synchronization status

[root@localhost ~]#chronyc sources -v
210 Number of sources = 4

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^- 5.79.108.34                   2   8   377   202  +1695us[+1695us] +/-  196ms
^- 94.130.49.186                 3   7   367   332    +12ms[  +13ms] +/-  118ms
^+ 203.107.6.88                  2   6   377    12  +1033us[+1033us] +/-   23ms
^* 120.25.115.20                 2   8   377   208  +1011us[+1620us] +/-   11ms
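Both `ntpq -p` (earlier on this page) and `chronyc sources` mark the selected source with `*`, but a `*` alone does not prove the clock is healthy: the reach register shows how many of the last eight polls were answered, and the offset shows how far the clock still is from the source. The Python below is an added example, not the page's own code: it parses both outputs (the samples are copied from the two listings on this page) into a common form and reports the sync state; all function names are my own.

```python
"""Parse 'ntpq -p' and 'chronyc sources' output and decide whether the host is
actually synchronized. Added example; the samples are the listings on this page."""
import re

NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*120.25.115.20   10.137.53.7      2 u    5   64    1   18.014   -7.647   0.454
"""

CHRONYC_SAMPLE = """\
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- 5.79.108.34                   2   8   377   202  +1695us[+1695us] +/-  196ms
^- 94.130.49.186                 3   7   367   332    +12ms[  +13ms] +/-  118ms
^+ 203.107.6.88                  2   6   377    12  +1033us[+1033us] +/-   23ms
^* 120.25.115.20                 2   8   377   208  +1011us[+1620us] +/-   11ms
"""

_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}
# MS column, name, stratum, poll, reach, lastrx, adjusted[measured] offset, +/- error
_CHRONY_LINE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+(?P<stratum>\d+)\s+(?P<poll>-?\d+)"
    r"\s+(?P<reach>[0-7]+)\s+\S+\s+(?P<adj>[+-]?[\d.]+[a-z]+)\[\s*[+-]?[\d.]+[a-z]+\]"
    r"\s+\+/-\s+(?P<err>[\d.]+[a-z]+)")


def _seconds(value):
    """'+1011us' -> 0.001011, '11ms' -> 0.011."""
    m = re.fullmatch(r"([+-]?[\d.]+)([a-z]+)", value)
    if not m or m.group(2) not in _UNITS:
        raise ValueError("unrecognised time value %r" % value)
    return float(m.group(1)) * _UNITS[m.group(2)]


def parse_ntpq_peers(text):
    """ntpq -p: tally character, then remote refid st t when poll reach delay offset jitter (ms)."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.split()[0] == "remote":
            continue
        tally = line[0] if line[0] in "*+-x.#o" else " "
        f = line[1:].split()
        if len(f) < 10:
            continue
        peers.append({"name": f[0], "refid": f[1], "stratum": int(f[2]),
                      "selected": tally == "*", "combined": tally == "+",
                      "reach": int(f[6], 8),
                      "offset_s": float(f[8]) / 1000, "jitter_s": float(f[9]) / 1000})
    return peers


def parse_chronyc_sources(text):
    """chronyc sources [-v]: the legend and header lines simply do not match the pattern."""
    sources = []
    for line in text.splitlines():
        m = _CHRONY_LINE.match(line)
        if m:
            sources.append({"name": m["name"], "stratum": int(m["stratum"]),
                            "selected": m["state"] == "*", "combined": m["state"] == "+",
                            "reach": int(m["reach"], 8),
                            "offset_s": _seconds(m["adj"]), "error_s": _seconds(m["err"])})
    return sources


def sync_health(records, max_offset_s=0.1):
    """Is there a selected source, and is it one we should believe?"""
    selected = [r for r in records if r["selected"]]
    if not selected:
        return {"synced": False, "source": None, "issues": ["no source selected (no '*' line)"]}
    s = selected[0]
    issues = []
    if s["reach"] != 0o377:
        issues.append("reach %o: not all of the last 8 polls were answered" % s["reach"])
    if abs(s["offset_s"]) > max_offset_s:
        issues.append("offset %.3f s exceeds %.3f s" % (s["offset_s"], max_offset_s))
    return {"synced": True, "source": s["name"], "issues": issues}


if __name__ == "__main__":
    print(sync_health(parse_ntpq_peers(NTPQ_SAMPLE)))
    print(sync_health(parse_chronyc_sources(CHRONYC_SAMPLE)))
```

On the page's ntpq listing the peer is selected but its reach is 1, i.e. only the most recent poll has been answered because ntpd had just started, so a monitoring check should not yet treat the host as stably synchronized; the chronyc listing shows reach 377 and an offset of about 1 ms and passes cleanly.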

Public NTP services

Alibaba Cloud time servers

# Alibaba Cloud provides 7 NTP time servers, i.e. Internet time synchronization server addresses

ntp1.aliyun.com
ntp2.aliyun.com
ntp3.aliyun.com
ntp4.aliyun.com
ntp5.aliyun.com
ntp6.aliyun.com
ntp7.aliyun.com

# For Windows
time.pool.aliyun.com

pool.ntp.org: a virtual cluster that provides reliable, easy-to-use NTP service

cn.pool.ntp.org
0-3.cn.pool.ntp.org

University NTP services

s1a.time.edu.cn    # Beijing University of Posts and Telecommunications
s1b.time.edu.cn    # Tsinghua University
s1c.time.edu.cn    # Peking University

National Time Service Center server

210.72.145.44

Troubleshooting

506 Cannot talk to daemon: chronyc could not reach chronyd. Check that the service is running (systemctl status chronyd) and start it if it is not.
