Quick Time Server Setup

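Time Server: we often find that the time on a server is wrong, which affects our applications and sometimes has worse consequences, for example for backups or database updates. The common fix is to synchronize with a time server on the public Internet (just run 00 02 * * * /usr/sbin/ntpdate 195.13.1.153 from crontab; the 195.13.1.153 at the end is one of the public time servers available). But the computer must then be able to reach the public network, which may bring some security problems. And if your computer is on an internal network and cannot connect directly to a public time server, then... Today we will talk about how to build our own time server.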

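Method one: the time server synchronizes with time servers on the public network, and the other machines synchronize with our own time server.

Drawback: the time server still has to be exposed to the public network. The steps are as follows:

 1. Check whether the required package is installed: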
   # rpm -qa |grep ntp
   cyrus-imapd-nntp-2.2.3-11
   chkfontpath-1.10.0-1
   ntp-4.2.0-7

   If the ntp package is not present, install it from the CD by running the following command to install the NTP RPM package: # rpm -ivh ntp-4.2.0-7.i386.rpm

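 2. Edit the configuration file
   /etc/ntp.conf is the main configuration file for ntp. It holds the domain names or IP addresses of the time servers you synchronize with. Below is the most basic configuration for synchronizing time from the Internet:
   First we define the time servers we prefer: (for available time servers, see http://chinaunix.net/jh/5/100591.html, or http://www.eecis.udel.edu/~mills/ntp/servers.html)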
       server 195.13.1.153
       server 210.72.145.44
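   Next, we set the access permissions for the two servers above. In this example we do not allow them to modify or query the NTP server configured on our Linux machine.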
       restrict 195.13.1.153 mask 255.255.255.255 nomodify notrap noquery
       restrict 210.72.145.44 mask 255.255.255.255 nomodify notrap noquery
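   Note: the mask 255.255.255.255 limits each restriction to that single remote NTP server address. Then set the internal machines that are allowed access. Note that noquery has been removed from this configuration: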
       restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
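   In this example the mask is widened to 255.255.255.0, so computers from 192.168.1.1 to 192.168.1.254 can all use our NTP server to synchronize time. If you want tighter limits, you can change the mask.
   Finally, and most importantly, the default restrict line must be removed from your configuration file; otherwise it will override all of your configuration options, and you will find that, if it is not removed, your time server can only talk to itself. If ntp.conf contains the following line, comment it out: # restrict default ignore

/etc/ntp.conf example: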
# Prohibit general access to this service.
# restrict default ignore

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
# restrict 127.0.0.1

# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
restrict 210.72.145.44 mask 255.255.255.255 nomodify notrap noquery
restrict 195.13.1.153  mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
server 210.72.145.44
server 195.13.1.153

# --- NTP MULTICASTCLIENT ---
#multicastclient                        # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
# server        127.127.1.0     # local clock
# fudge 127.127.1.0 stratum 10

# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay  0.008

#
# Authentication delay.  If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate yes

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys

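  3. Check availability

   a. Save your configuration file, then run a query against each time server you configured in ntp.conf to make sure these upstream time servers are usable.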
       # ntpdate 195.13.1.153
       27 Jun 10:12:01 ntpdate[25475]: adjust time server 133.100.11.8 offset -0.127154 sec

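    b. Run the following command
       #  ntpq -p
       ... (output omitted)
      One sign of a synchronization problem is that all remote servers show a jitter value of 4000 and delay and reach values of 0;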
     remote                          refid                   st t when poll reach   delay       offset      jitter
     ===================================================================
     *210.72.145.44          .ACTS.                1 u   40    16     377   55.211      9.172      16.620
     xntp2.belbone.be       195.13.23.6      2 u   106  128  367    384.904   -63.946   6.518

 4. Enable start at boot

   To have the NTP service start automatically when the system boots, run:
    # chkconfig ntpd on
   The commands to start/stop/restart NTP are:
    # /etc/init.d/ntpd start
    # /etc/init.d/ntpd stop
    # /etc/init.d/ntpd restart

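 5. Client setup
    a. Linux client
       Log in as root, run crontab -e and enter 00 02 * * * /usr/sbin/ntpdate 192.168.1.1 (replace with the IP of your Time Server)
       The machine will then synchronize with the Time Server automatically at 2 a.m. every day.
    b. Windows XP client
       Double-click the clock in the lower-right corner to open the "Date and Time Properties" window, select Internet Time, enter the IP of your Time Server in the Server field and click "Update Now". After a few seconds you will see a message that the update succeeded. Then tick "Automatically synchronize with an Internet time server" and click OK.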
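
The check in step 3b, as an added example that is not part of the original article: a shell function that reads ntpq -p output and labels each peer from its tally character and reach register. The function names, the status labels and the third sample peer (192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example: label each peer line of `ntpq -p` output read from stdin.
# Prints "<peer> <status> <ok polls>/8"; exit status 1 means no peer is selected.
check_ntpq() {
    awk '
    # reach is an octal shift register of the last 8 polls (377 = all 8
    # answered); count its set bits digit by digit.
    function polls_ok(oct,   i, d, n) {
        n = 0
        for (i = 1; i <= length(oct); i++) {
            d = substr(oct, i, 1) + 0
            n += (d >= 4) + (int(d / 2) % 2) + (d % 2)
        }
        return n
    }
    {
        tally = substr($0, 1, 1)               # column 1 is the tally code
        n = split(substr($0, 2), f, " ")
        if (n != 10 || f[1] == "remote") next  # skip header and ruler lines
        # Failure signature from the article: reach 0, delay 0, jitter 4000.
        # reach and delay are the two values tested here.
        if (f[7] + 0 == 0 && f[8] + 0 == 0) status = "unreachable"
        else if (tally == "*") { status = "selected"; synced = 1 }
        else if (tally == "+") status = "candidate"
        else if (tally == "x") status = "falseticker"
        else status = "not-used"
        printf "%s %s %d/8\n", f[1], status, polls_ok(f[7])
    }
    END { exit (synced ? 0 : 1) }'
}

# Constructed sample: the two peer lines shown in the article plus one
# made-up unreachable peer (192.0.2.10) with the failure signature.
sample_ntpq() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*210.72.145.44   .ACTS.           1 u   40   16  377   55.211    9.172  16.620
xntp2.belbone.be 195.13.23.6      2 u  106  128  367  384.904  -63.946   6.518
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000 4000.00
EOF
}

sample_ntpq | check_ntpq
```

On a live server, pipe the real output through it with ntpq -p | check_ntpq; a non-zero exit status means no peer carries the * tally, so the daemon is not synchronized to any source.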

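Method two: the time server synchronizes with its own hardware clock, and the other machines synchronize with the time server.

Drawback: if the Time Server's hardware clock is inaccurate, all the times will be inaccurate. Advantage: more secure, with no machine exposed to the public network.

Unix-like systems have two clocks, a hardware clock and a system clock; this is not covered in detail here. The steps are as follows:
1. Calibrate the Time Server's hardware clock (this can be set directly in the BIOS), or use the hwclock command, for example: hwclock --set --date="6/16/04 11:14:05"

2. Set the system time from the hardware clock: # hwclock --hctosys

3. Edit the configuration file
   vi /etc/ntp.conf; my ntp.conf is as follows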

# Prohibit general access to this service.
# restrict default ignore
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1

# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery

# --- NTP MULTICASTCLIENT ---
#multicastclient # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition
#
#server 127.127.1.0 # local clock
server 127.127.1.0 prefer
fudge 127.127.1.0 stratum 10
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/drift
broadcastdelay 0.008
#
# Authentication delay. If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate yes
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys

The other settings are the same as in method one; start the ntp service and configure the clients.
