Time Server 時間服務器,我們經常會發現服務器上的時間不正確,這樣會影響到我們的應用,有時甚至會帶來一些不良後果。比如影響我們的備份,影響我們的數據庫的更新等。比較常見的解決方行了,後面的195.13.1法是與公網上的時間服務器同步(只用使用crontab執行00 02 * * * /usr/sbin/ntpdate 195.13.1.153就.153就是公網上可以用的時間服務器之一),但這樣做計算機必須能連接公網,這樣也許會有一些安全問題。並且如果你的計算機在內網不能直接連接公網的時間服務器的話,那就…… 今天我們就來講一講搭建我們自己的時間服務器的做法。
方法一:時間服務器與公網上的時間服務器同步,其它機器與自己的時間服務器同步。
缺點:時間服務器還要暴露在公網上;步驟如下:
1. 檢查是否有相應的包:
# rpm -qa |grep ntp
cyrus-imapd-nntp-2.2.3-11
chkfontpath-1.10.0-1
ntp-4.2.0-7
如果沒有ntp這個包,則從光盤上裝上,執行下面命令安裝NTP的RPM包:# rpm -ivh ntp-4.2.0-7.i386.rpm;
2. 修改配置文件
/etc/ntp.conf 是ntp的主要配置文件,裏面設置了你用來同步時間的時間服務器的域名或者IP地址,下面是到互聯網同步時間的最基本的配置:
首先我們來定義自己喜歡的時間服務器:(可用的時間服務器,參看http://chinaunix.net/jh/5/100591.html,或者參看:http://www.eecis.udel.edu/~mills/ntp/servers.html)
server 195.13.1.153
server 210.72.145.44
接下來,我們設置上面兩臺服務器的訪問權限,在這個例子中我們不允許它們修改或者查詢我們配置在Linux上的NTP服務器。
restrict 195.13.1.153 mask 255.255.255.255 nomodify notrap noquery
restrict 210.72.145.44 mask 255.255.255.255 nomodify notrap noquery
說明:掩碼255.255.255.255 是用來限制遠程NTP服務器的掩碼地址。然後設置允許訪問的內網機器。請注意,配置中noquery已經去掉了:
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
在此例中,掩碼地址擴展爲255,因此從192.168.1.1-192.168.1.254 的計算機都可以使用我們的NTP服務器來同步時間。如果你想限制的更嚴格一點,你可以修改你的掩碼。
最後,也是最重要的是默認的限制配置要從你配置文件中刪除,否則它將覆蓋你所有的配置選項,你會發現如果不刪除該配置,你的時間服務器將只能和自己通訊。如果ntp.conf 中有以下一行,請將它註釋:# restrict default ignore
/etc/ntp.conf 範例:
# Prohibit general access to this service.
# restrict default ignore
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
# restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noque
restrict 210.72.145.44 mask 255.255.255.255 nomodify notrap noquery
restrict 195.13.1.153 mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
server 210.72.145.44
server 195.13.1.153
# --- NTP MULTICASTCLIENT ---
#multicastclient # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
# server 127.127.1.0 # local clock
# fudge 127.127.1.0 stratum 10
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
#
# Authentication delay. If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate yes
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys
3. 檢查可用性
a.保存你的配置文件,然後對每個你在ntp.conf裏配置的時間服務器執一下查詢命令,確保這些上游時間服務器可用。
# ntpdate 195.13.1.153
27 Jun 10:12:01 ntpdate[25475]: adjust time server 133.100.11.8 offset -0.127154 sec
b.執行下列命令
# ntpq -p
…… ……輸出略
一個可以證明同步問題的證據是所有遠程服務器的jitter值是4000並且delay和reach的值是0;
remote refid st t when poll reach delay offset jitter
===================================================================
*210.72.145.44 .ACTS. 1 u 40 16 377 55.211 9.172 16.620
xntp2.belbone.be 195.13.23.6 2 u 106 128 367 384.904 -63.946 6.518
4. 設置自啓動
爲了使NTP服務可以在系統引導的時候自動啓動,執行:
# chkconfig ntpd on
啓動/關閉/重啓NTP的命令是:
# /etc/init.d/ntpd start
# /etc/init.d/ntpd stop
# /etc/init.d/ntpd restart
5. 客戶端的設置
a. linux 客戶端
以root身份登錄,執行crontab -e 輸入00 02 * * * /usr/sbin/ntpdate 192.168.1.1(換成你的Time Server的ip)
這樣就會在每天的凌晨兩點自動與Time Server同步時間。
b. windows Xp 客戶端
雙擊右下角的時間,出現“日期和時間屬性”的窗口,選擇Internet 時間,在服務器一欄中輸入你的Time Server的ip,點擊"立即更新",過幾秒鐘將能看到更新成功的提示。然後勾選“自動與Internet時間服務器同步”。點擊確定。
方法二:時間服務器與自己的硬件時鐘同步,其它機器與時間服務器同步。
缺點:如果Time Server的硬件時鐘不準確,則所有的時間將不準確。優點:更安全,沒有暴露在公網上的機器。
unix 類系統的時鐘都有兩種,一種是硬件時鐘,一種是系統時鐘。在此不在詳述。步驟如下:
1.校準Time server的硬件時鐘(可以直接在bios中設置),或者用hwclock 命令來校對,例如: hwclock --set --date="6/16/04 11:14:05"
2.設置系統時間和硬件時鐘同步:# hwclock --hctosys.
3.修改配置文件
vi /etc/ntp.conf,我的ntp.conf如下
# Prohibit general access to this service.
# restrict default ignore
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# --- NTP MULTICASTCLIENT ---
#multicastclient # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition
#
#server 127.127.1.0 # local clock
server 127.127.1.0 prefer
fudge 127.127.1.0 stratum 10
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/drift
broadcastdelay 0.008
#
# Authentication delay. If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate yes
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys
其它設置和方法一相同,啓動ntp服務,配置客戶端即可。