Firewall (iptables), SELinux and time synchronization are the basics of host configuration.
Initialization:
- Disable SELinux
- Disable iptables and firewalld
- Configure chrony
Time synchronization
NTP (Network Time Protocol) is a protocol used to synchronize the clocks of the computers in a network. Its purpose is to synchronize a computer's clock to Coordinated Universal Time (UTC); its accuracy reaches 0.1 ms within a LAN and 1-50 ms in most places on the Internet.
Time synchronization tools
- ntp: accuracy reaches 0.1 ms within a LAN and 1-50 ms on the Internet, but synchronization takes a long time because the clock is adjusted gradually
- chrony: software implementing the NTP protocol; between two machines over the Internet the accuracy is a few milliseconds, and within a LAN tens of microseconds. Shipped with the system since CentOS 7
- Both are by nature client and server at the same time, and the client keeps running continuously
Difference between the clock and date commands:
- clock shows the hardware clock time
- date shows the operating system time; when no network time source is configured, date reads the hardware clock
NTP
The NTP service provides time synchronization using the NTP protocol.
Installing the NTP service
yum install ntp -y
NTP configuration
Back up the configuration file
[root@localhost ~]#cp /etc/ntp.conf{,.bak}
[root@localhost ~]#ls /etc/ntp.conf*
/etc/ntp.conf /etc/ntp.conf.bak
View the configuration file
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# Do not allow other hosts to query this host's time service or modify it (left commented out in this file, so no default restriction applies)
# restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
# Allow other machines on the internal network to synchronize time from this host
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# Specify Internet time servers to synchronize with; iburst speeds up initial synchronization
# server 0.centos.pool.ntp.org iburst
# server 1.centos.pool.ntp.org iburst
# server 2.centos.pool.ntp.org iburst
# server 3.centos.pool.ntp.org iburst
# For other hosts to synchronize time with this host, set the IP to this host's IP
# Here we instead synchronize with Alibaba Cloud's NTP servers
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Allow the upstream time servers to adjust this host's clock
restrict time1.aliyun.com nomodify notrap noquery
restrict ntp1.aliyun.com nomodify notrap noquery
# When the external time servers are unreachable, serve the local clock as the time source
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
The iburst option
# sends a burst of 8 packets at once
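Added example, not from the original page: a small Python lint for the access-control directives discussed in the ntp.conf above. It parses the file and reports the points this file leaves open, namely the commented-out `restrict default` line and the monlist amplification note (CVE-2013-5211); the sample config embedded in it is constructed to mirror the page's file.

```python
import shlex

# Constructed sample mirroring the page's ntp.conf: the global restriction
# line is commented out, exactly as in the file shown above.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
# restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
restrict ntp1.aliyun.com nomodify notrap noquery
server 127.127.1.0
fudge 127.127.1.0 stratum 10
disable monitor
"""


def parse_directives(text):
    """Return the active directives as (keyword, [args]) pairs; '#' comments are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            directives.append((parts[0], parts[1:]))
    return directives


def lint_ntp_conf(text):
    """Return a list of findings (empty when the access-control checks pass)."""
    directives = parse_directives(text)
    findings = []
    restricts = {a[0]: set(a[1:]) for kw, a in directives if kw == "restrict" and a}
    default = restricts.get("default")
    if default is None:
        findings.append("no 'restrict default': any host may query and reconfigure ntpd")
    else:
        for flag in ("noquery", "nomodify"):
            if flag not in default:
                findings.append(f"'restrict default' lacks {flag}")
    # ntp.conf's own comment: monlist is exploitable when the default
    # restriction lacks noquery and monitoring is not disabled.
    monitor_off = ("disable", ["monitor"]) in directives
    if not monitor_off and (default is None or "noquery" not in default):
        findings.append("monlist reachable (CVE-2013-5211): add 'disable monitor' or noquery")
    upstream = [a[0] for kw, a in directives if kw == "server" and a and not a[0].startswith("127.127.")]
    if not upstream:
        findings.append("no upstream server: only the local clock (127.127.x) is configured")
    return findings
```

Uncommenting the `restrict default` line in the sample makes the findings list empty; the same parser also reads chrony.conf, since the directive syntax is the same.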
Start the ntp service
[root@localhost ~]#service ntpd status
Redirecting to /bin/systemctl status ntpd.service
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost ~]#chkconfig ntpd on
Note: Forwarding request to 'systemctl enable ntpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
[root@localhost ~]#service ntpd start
Redirecting to /bin/systemctl start ntpd.service
[root@localhost ~]#service ntpd status
Redirecting to /bin/systemctl status ntpd.service
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-06-03 09:59:17 CST; 2s ago
Process: 9790 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 9793 (ntpd)
Tasks: 1
CGroup: /system.slice/ntpd.service
└─9793 /usr/sbin/ntpd -u ntp:ntp -g
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen and drop on 1 v6wildcard :: UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 3 ens33 192.168.33.128 UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 4 virbr0 192.168.122.1 UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 5 lo ::1 UDP 123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listen normally on 6 ens33 fe80::298d:cfea:e788:42...123
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: Listening on routing socket on fd #23 for interfac...tes
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: 0.0.0.0 c016 06 restart
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Jun 03 09:59:17 localhost.localdomain ntpd[9793]: 0.0.0.0 c011 01 freq_not_set
Hint: Some lines were ellipsized, use -l to show in full.
Set ntpd to start at boot
[root@localhost ~]#systemctl enable ntpd
Check the synchronization status
[root@localhost ~]#ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*120.25.115.20   10.137.53.7      2 u    5   64    1   18.014   -7.647   0.454
# the leading * marks the source the host is currently synchronized to
Stop the ntp service
[root@localhost ~]#service ntpd stop
chrony
chrony is open-source free software that keeps the system clock synchronized with NTP time servers so that the time stays accurate.
It consists of two programs: chronyd and chronyc.
chronyd is a daemon running in the background that adjusts the system clock kept by the kernel to stay synchronized with time servers. It determines the rate at which the computer gains or loses time and compensates for it.
chrony is the time synchronization software shipped with CentOS 7.x
Configure the chrony service so that server time is synchronized automatically
Installing the chrony service
# check whether chrony is already installed
[root@localhost ~]#rpm -q chrony
chrony-3.4-1.el7.x86_64
# if it is not, install it
yum install chrony -y
Check the current status of the chrony service
[root@localhost ~]#systemctl status chrony
Unit chrony.service could not be found.
Start the chrony service
[root@localhost ~]#systemctl start chronyd
Set it to start at boot
[root@localhost ~]#systemctl enable chronyd
Service unit file
/usr/lib/systemd/system/chronyd.service
Listening ports
323/udp
123/udp
Configuration file
/etc/chrony.conf
chrony service configuration
The chrony service uses the configuration file /etc/chrony.conf.
Its format is similar to the ntp configuration file.
Back up the configuration file
[root@localhost ~]#cp /etc/chrony.conf{,.bak}
[root@localhost ~]#ls /etc/chrony.conf*
/etc/chrony.conf /etc/chrony.conf.bak
View the configuration file contents
[root@localhost ~]#vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
# Which NTP clients may access your host; while it cannot synchronize with the Internet servers, this host cannot act as a time server
allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
# With this host acting as a time server: once started, it keeps serving time even when the Internet connection is lost
local stratum 10

# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking
Check the synchronization status
[root@localhost ~]#chronyc sources -v
210 Number of sources = 4
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- 5.79.108.34                   2   8   377   202  +1695us[+1695us] +/-  196ms
^- 94.130.49.186                 3   7   367   332    +12ms[  +13ms] +/-  118ms
^+ 203.107.6.88                  2   6   377    12  +1033us[+1033us] +/-   23ms
^* 120.25.115.20                 2   8   377   208  +1011us[+1620us] +/-   11ms
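Added example, not part of the original page: parsing the `ntpq -p` output shown earlier and the `chronyc sources` output above to decide whether the host is synchronized, to which source, and how large the offset is, the way a monitoring check would. The embedded outputs are constructed from the lines shown on this page; the 100 ms offset tolerance is an assumed policy value.

```python
import re

# Constructed from the ntpq -p output shown on this page.
NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*120.25.115.20   10.137.53.7      2 u    5   64    1   18.014   -7.647   0.454
"""

# Constructed from the chronyc sources output shown on this page.
CHRONYC_OUTPUT = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- 5.79.108.34                   2   8   377   202  +1695us[+1695us] +/-  196ms
^+ 203.107.6.88                  2   6   377    12  +1033us[+1033us] +/-   23ms
^* 120.25.115.20                 2   8   377   208  +1011us[+1620us] +/-   11ms
"""

UNITS_TO_MS = {"ns": 1e-6, "us": 1e-3, "ms": 1.0, "s": 1000.0}


def to_ms(value):
    """'+1620us' -> 1.62; a bare number (ntpq offsets are already ms) -> float."""
    m = re.fullmatch(r"([+-]?\d+(?:\.\d+)?)(ns|us|ms|s)?", value)
    return float(m.group(1)) * UNITS_TO_MS[m.group(2) or "ms"]


def ntpq_sync_status(text):
    """Return (synced, peer, offset_ms); the '*' tally code marks the system peer."""
    for line in text.splitlines():
        if line.startswith("*"):
            f = line[1:].split()   # remote refid st t when poll reach delay offset jitter
            return True, f[0], to_ms(f[8])
    return False, None, None


def chronyc_sync_status(text):
    """Return (synced, source, adjusted_offset_ms) from the '^*' line."""
    for line in text.splitlines():
        if line.startswith("^*"):
            f = line.split()       # MS name stratum poll reach lastrx sample +/- error
            adjusted = f[6].split("[")[0]   # "+1011us[+1620us]" -> "+1011us"
            return True, f[1], to_ms(adjusted)
    return False, None, None


def clock_ok(status, max_abs_offset_ms=100.0):
    """Monitoring policy (assumed): synced to a source and within tolerance."""
    synced, _, offset = status
    return bool(synced and abs(offset) <= max_abs_offset_ms)
```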
Public NTP services
Alibaba Cloud time servers
# Alibaba Cloud provides 7 NTP time servers, i.e. Internet time synchronization server addresses
ntp1.aliyun.com
ntp2.aliyun.com
ntp3.aliyun.com
ntp4.aliyun.com
ntp5.aliyun.com
ntp6.aliyun.com
ntp7.aliyun.com
# for Windows
time.pool.aliyun.com
pool.ntp.org: a virtual cluster providing reliable, easy-to-use NTP service
cn.pool.ntp.org
0-3.cn.pool.ntp.org
University NTP services
s1a.time.edu.cn #Beijing University of Posts and Telecommunications
s1b.time.edu.cn #Tsinghua University
s1c.time.edu.cn #Peking University
National Time Service Center server
210.72.145.44