CDH: Deploying NTP time synchronization on CentOS 7, and the NTP client reporting unsynchronised
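This setup is demonstrated with three virtual machines:
IP configuration
172.17.0.102 NTP server: synchronizes standard time locally
172.17.0.103 NTP client: synchronizes time with the internal NTP server (85)
172.17.0.104 NTP client: synchronizes time with the internal NTP server (85)
Check whether ntp is already installed: rpm -q ntp
If it is not installed, install it with: yum -y install ntp
If it is already installed (as below), continue:
After installation, enable ntp at boot and start it, as follows: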
systemctl enable ntpd
systemctl start ntpd
First, configure the NTP server (172.17.0.85).
Edit the configuration file (vim /etc/ntp.conf).
master configuration:
[root@master ~]# cat /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Added: logging.
logfile /var/log/ntp.log
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
restrict 192.168.56.102 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# Commented out: the cluster is on a LAN and does not use other network time sources
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
# Added: use the local clock when external time is unavailable
server 127.127.1.0
fudge 127.127.1.0 stratum 10
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
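[!!!] Note: when an NTP server is used and a firewall is present, UDP port 123 must be opened on the NTP server; otherwise the other virtual machines cannot synchronize their time.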
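The restrict lines and the CVE-2013-5211 comment in the file above can be checked mechanically. The following is an added example, not part of the original post: audit_ntp_conf and sample_master_conf are hypothetical names, and the sample is the access-control subset of the master ntp.conf shown above.

```shell
# Added example: audit an ntp.conf (file argument, or stdin when none is given).
# Prints one finding per line and returns 1 when any FAIL finding is printed.
audit_ntp_conf() {
    awk '
    { sub(/#.*/, "") }                              # strip comments
    NF == 0 { next }
    { $1 = $1; line = " " $0 " " }                  # normalise spacing
    $1 == "restrict" && index(line, " default ") {
        defaults++
        if (!index(line, " noquery "))  no_nq = 1
        if (!index(line, " nomodify ")) no_nm = 1
        next
    }
    $1 == "restrict" && NF > 2 && !index(line, " noquery ") {
        print "INFO restrict " $2 ": matching clients may send ntpq/ntpdc queries"
    }
    $1 == "disable" && index(line, " monitor ") { nomon = 1 }
    END {
        exposed = (defaults == 0 || no_nq)
        if (defaults == 0) { print "FAIL no restrict default line"; rc = 1 }
        else {
            s = no_nq ? "FAIL" : "OK"; print s " restrict default noquery"
            s = no_nm ? "FAIL" : "OK"; print s " restrict default nomodify"
            if (no_nq || no_nm) rc = 1
        }
        if (nomon)        print "OK disable monitor"
        else if (exposed) { print "FAIL monitor enabled and queries not denied by default"; rc = 1 }
        else              print "WARN monitor enabled; protection relies on noquery alone"
        exit rc + 0
    }' "${1:--}"
}

# Access-control lines copied from the master ntp.conf shown above.
sample_master_conf() {
    cat <<'EOF'
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.56.102 mask 255.255.255.0 nomodify notrap
server 127.127.1.0
fudge 127.127.1.0 stratum 10
disable monitor
EOF
}

sample_master_conf | audit_ntp_conf || true
```

On a real host, run it as audit_ntp_conf /etc/ntp.conf; the INFO line is expected on the master because the LAN restrict line omits noquery.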
data1 and data2 use the same configuration. The data1 configuration is shown first:
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Added: logging.
logfile /var/log/ntp.log
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.56.102 iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
data2 configuration
[root@data2 ~]# cat /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Added: logging.
logfile /var/log/ntp.log
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.56.102 iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
You have new mail in /var/spool/mail/root
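After making the changes, save and exit, then restart ntp (systemctl restart ntpd).
# After the restart, the NTP servers on the network can be listed with the following command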
[root@master ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*LOCAL(0) .LOCL. 10 l 15 64 377 0.000 0.000 0.000
# Check the time synchronization status; it takes a few minutes before synchronization information appears
[root@master ~]# ntpstat
synchronised to local net (127.127.1.0) at stratum 11
time correct to within 11 ms
polling server every 64 s
# If unsynchronised appears, wait a while and synchronization will start.
[root@data1 ~]# ntpstat
unsynchronised
polling server every 64 s
[root@data1 ~]# ntpstat
synchronised to NTP server (192.168.56.102) at stratum 12
time correct to within 28 ms
polling server every 128 s
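If the unsynchronised problem is not resolved, the following may help.
Troubleshooting process:
1. Check the log /var/log/messages for any ntp failure or fail messages. There were none.
2. Check the ntp status with service ntpd status. The output below still shows no fail entries: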
[root@data1 ~]# service ntpd status
Redirecting to /bin/systemctl status ntpd.service
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2021-10-11 10:46:07 CST; 6h ago
Process: 987 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 989 (ntpd)
Tasks: 1
CGroup: /system.slice/ntpd.service
└─989 /usr/sbin/ntpd -u ntp:ntp -g
Oct 11 10:46:07 data1 ntpd[989]: ntp_io: estimated max descriptors: 1024, in...16
Oct 11 10:46:07 data1 ntpd[989]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Oct 11 10:46:07 data1 ntpd[989]: Listen normally on 1 lo 127.0.0.1 UDP 123
Oct 11 10:46:07 data1 ntpd[989]: Listen normally on 2 enp0s3 10.0.2.15 UDP 123
Oct 11 10:46:07 data1 ntpd[989]: Listen normally on 3 enp0s8 192.168.56.103 ...23
Oct 11 10:46:07 data1 ntpd[989]: Listen normally on 4 virbr0 192.168.122.1 U...23
Oct 11 10:46:07 data1 ntpd[989]: Listening on routing socket on fd #21 for i...es
Oct 11 10:46:07 data1 ntpd[989]: 0.0.0.0 c016 06 restart
Oct 11 10:46:07 data1 ntpd[989]: 0.0.0.0 c012 02 freq_set kernel 0.005 PPM
Oct 11 10:49:30 data1 ntpd[989]: 0.0.0.0 c615 05 clock_sync
Hint: Some lines were ellipsized, use -l to show in full.
3. Check timedatectl: it shows that the synchronization functions are all enabled
[root@data1 ~]# timedatectl
Local time: Mon 2021-10-11 17:45:35 CST
Universal time: Mon 2021-10-11 09:45:35 UTC
RTC time: Mon 2021-10-11 09:45:33
Time zone: Asia/Shanghai (CST, +0800)
NTP enabled: no
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
4. Try network communication with 17: ntpdate -u master
[root@data1 ~]# ntpdate -u master
11 Oct 17:46:21 ntpdate[28693]: adjust time server 192.168.56.102 offset -0.000115 sec
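5. Check ntpstat: it shows synchronization with the local service. Comparing against other, normal devices, I did not understand the meaning of the number after stratum.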
[root@data1 ~]# ntpstat
unsynchronised
polling server every 64 s
Normal device:
[root@data1 ~]# ntpstat
synchronised to NTP server (192.168.56.102) at stratum 12
time correct to within 28 ms
polling server every 128 s
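Supplement: looking up the meaning of stratum:
Strata: the concept of a stratum
These questions mainly involve the NTP concept of a stratum. The top level is 1, and a value of 0 means the stratum is unknown. Stratum values accumulate: if NTP time is distributed in the direction A -> B -> C and A's stratum is 3, then B, which gets its time from A, is set to stratum 4, and C, which gets its time from B, is set to 5. Normally only the topmost server of the whole NTP system has its stratum set to 1.
NTP synchronization propagates from nodes with a smaller stratum to nodes with a larger one. If an NTP client receives a stratum larger than its own, the client considers its own time more accurate than the time it received and does not update its time.
The stratum is set according to the stratum of the upstream server (+1).
For a host acting as a network time service provider, the stratum should be set as accurately as possible.
A host acting as the time service provider for a LAN usually sets its stratum to 10 (Stratum 10 is conventional for unsynchronized local clocks; it is high enough that nobody is likely to mistake it for a desirable clock to synchronize with.), as follows:
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
# stratum can also be set to other values; its range is 0 to 15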
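6. Hypothesis: perhaps the time from 17 to stratum is long and exceeds 11, so the local clock ends up with a higher priority than 17. I therefore tried changing the local stratum to the maximum value, 15.
Restart the service.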
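The reachability, waiting and stratum checks in the steps above can be read from a single ntpq -p peer table. The following is an added example, not part of the original post: ntp_peer_verdict and sample_ntpq are hypothetical names and the sample tables are constructed. It assumes raw ntpq output in which column 1 holds the tally code, and it uses stratum 16, which ntpq reports for a server that is itself unsynchronised.

```shell
# Added example: classify an `ntpq -pn` peer table read on stdin.
# Returns 0 = synchronised, 1 = cannot synchronise, 2 = keep waiting.
ntp_peer_verdict() {
    awk '
    /^ *remote / || /^=+$/ || NF < 7 { next }       # header, ruler, short lines
    {
        tally = substr($0, 1, 1)                     # column 1 is the tally code
        remote = $1
        if (index("*o+-#x.", tally)) remote = substr($1, 2)
        st = $3; reach = $7; peers++
        if (tally == "*" || tally == "o") { sys = remote; sys_st = st }
        if (reach != "0") { alive++; if (st != 16) usable++ }
    }
    END {
        # The local stratum is the selected peer stratum plus one.
        if (sys != "") { print "SYNC " sys " peer-stratum " sys_st " own-stratum " (sys_st + 1); exit 0 }
        if (peers == 0)  { print "NOSYNC no servers configured"; exit 1 }
        if (alive == 0)  { print "NOSYNC no replies (reach 0): check UDP 123 and restrict lines"; exit 1 }
        if (usable == 0) { print "NOSYNC server answers but is itself unsynchronised (stratum 16)"; exit 1 }
        print "WAIT server answers but is not selected yet; recheck after a few polls"
        exit 2
    }'
}

# Constructed sample tables (not captured from the hosts in this post).
sample_ntpq() {
    printf '%s\n' '     remote           refid      st t when poll reach   delay   offset  jitter' \
                  '=============================================================================='
    case "$1" in
        master)  printf '%s\n' '*LOCAL(0)        .LOCL.          10 l   15   64  377    0.000    0.000   0.000' ;;
        fresh)   printf '%s\n' ' 192.168.56.102  LOCAL(0)        11 u    3   64    1    0.412    0.025   0.000' ;;
        blocked) printf '%s\n' ' 192.168.56.102  .INIT.          16 u    -   64    0    0.000    0.000   0.000' ;;
    esac
}

for c in master fresh blocked; do sample_ntpq "$c" | ntp_peer_verdict || true; done
```

On a live client, run ntpq -pn | ntp_peer_verdict; a WAIT verdict matches the short unsynchronised period described earlier, while reach 0 points at the firewall note for UDP port 123.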