NTP is a time synchronisation service used to keep the clocks of hosts on a network in step. On Linux, install it with:
yum install ntp
Annotated configuration file: /etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery    # deny every host by default; the restrict lines below open up specific networks
#restrict default modify    (would allow every host to connect)
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1    # allow the loopback address
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 10.8.117.0 mask 255.255.255.0 nomodify    # the 10.8.117.0 network may connect, but may not modify the server
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrust    # the 192.168.10.0 network may connect, but is not trusted by default: authentication is required
restrict 10.8.116.0 mask 255.255.255.0 nomodify

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org    # upstream time servers
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org
server time.stdtime.gov.tw prefer

#broadcast 192.168.1.255 key 42 # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 key 42 # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 key 42 # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock, the internal fallback time source
fudge 127.127.1.0 stratum 10

# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys    # location of the MD5 keys used for authentication

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
trustedkey 4 8 42    # which key ids are trusted

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8
Security
notrap: do not provide the remote event logging (trap) service
notrust: clients must authenticate
nomodify: clients may not modify the server's time parameters, but may still synchronise over the network
noquery: denies client queries
ignore: refuses all NTP connections
Generating the MD5 keys
[root@huan ~]# ntp-keygen -M
Using OpenSSL version 90802f
Random seed file /root/.rnd 1024 bytes
Generating MD5 keys...
Generating new MD5 file and link
ntpkey_MD5_huan.com->ntpkey_MD5key_huan.com.3696848019
Generating RSA keys (512 bits)...
RSA 0 8 12 1 11 24 3 1 2
Generating new host file and link
ntpkey_host_huan.com->ntpkey_RSAkey_huan.com.3696848019
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_huan.com->ntpkey_RSA-MD5cert_huan.com.3696848019
The key file is written to the home directory as ~/ntpkey_MD5key_huan.com.3696848019; then copy it to /etc/ntp/keys:
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE.
#
#65535 M akey
#1 M pass
# ntpkey_MD5key_huan.com.3696848019
# Thu Feb 23 22:13:39 2017
1 MD5 4Ty+F=}TweR;KoX # MD5 key
2 MD5 %>\u]cuR]&{U)PM # MD5 key
3 MD5 }l`]~;_(=Hzjpp+ # MD5 key
4 MD5 +&":$)dll2IM0CA # MD5 key
5 MD5 `&.oX2hp'sMMD"r # MD5 key
6 MD5 3-QlatYBazg18tb # MD5 key
7 MD5 $W*ElJr=t<a.5'4 # MD5 key
8 MD5 s2/>_,,g^N6Vhsd # MD5 key
9 MD5 D&%-=qbm<Fs'r$+ # MD5 key
10 MD5 xJGA6]MvGAwW3tp # MD5 key
11 MD5 Q~ZAg|u*%2$0F,G # MD5 key
12 MD5 5H9&G:iY|\8bcaT # MD5 key
13 MD5 ?:<Z?f>]{/`0]U. # MD5 key
14 MD5 ChD"Gwc{[a\SMXK # MD5 key
15 MD5 vgU!;"XOOsps[%w # MD5 key
16 MD5 &G)C)<SfxL7O1VI # MD5 key
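Added example, not the post's own code: a small Python linter for the restrict, keys and trustedkey directives described above, run over constructed excerpts of this post's configuration (the secrets are placeholders). On the post's real files it reports the same gap: trustedkey lists key 42, but the keys file only defines ids 1 to 16.

```python
from typing import Dict, List
# Constructed excerpts modelled on the post's /etc/ntp.conf and /etc/ntp/keys; secrets are placeholders.
NTP_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.8.117.0 mask 255.255.255.0 nomodify
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrust
keys /etc/ntp/keys
trustedkey 4 8 42
"""
KEYS_FILE = """\
#65535 M akey
1 MD5 PLACEHOLDER_KEY_1
4 MD5 PLACEHOLDER_KEY_4
8 MD5 PLACEHOLDER_KEY_8
"""

def parse_conf(text: str) -> Dict:
    """Collect restrict targets with their flag sets, the keys path and the trustedkey ids."""
    conf: Dict = {"restrict": [], "trustedkey": set(), "keys": None}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()          # strip comments
        if not words:
            continue
        if words[0] == "restrict":
            args = words[2:] if words[1] == "-6" else words[1:]   # drop the address-family switch
            target, rest = args[0], args[1:]
            if rest[:1] == ["mask"]:
                target, rest = f"{target}/{rest[1]}", rest[2:]
            conf["restrict"].append((target, set(rest)))
        elif words[0] == "trustedkey":
            conf["trustedkey"].update(int(k) for k in words[1:])
        elif words[0] == "keys":
            conf["keys"] = words[1]
    return conf
def parse_keys(text: str) -> Dict[int, str]:
    """Map key id -> key type for every non-comment 'id type secret' line."""
    return {int(w[0]): w[1] for w in (l.split() for l in text.splitlines()) if w and not w[0].startswith("#")}
def lint(conf: Dict, keys: Dict[int, str]) -> List[str]:
    """Flag a permissive default policy, networks served without authentication, and dangling trusted keys."""
    findings = []
    for target, flags in conf["restrict"]:
        if target == "default" and not {"nomodify", "noquery"} <= flags:
            findings.append(f"restrict default lacks {sorted({'nomodify', 'noquery'} - flags)}")
        elif target not in ("default", "127.0.0.1", "::1") and "notrust" not in flags:
            findings.append(f"{target}: served without authentication (no notrust)")
    for kid in sorted(conf["trustedkey"] - set(keys)):
        findings.append(f"trustedkey {kid} has no entry in {conf['keys']}")
    return findings
```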
Check whether the local ntp server is healthy with watch ntpq -p
[root@huan ~]# watch ntpq -p
Every 2.0s: ntpq -p Thu Feb 23 15:57:06 2017
remote refid st t when poll reach delay offset jitter
==============================================================================
61-216-153-104. 211.22.103.158 3 u 277 64 260 61.655 19.030 2.011
+ntp1.ams1.nl.le 130.133.1.10 2 u 9 64 377 186.245 11.931 0.344
+2001:1af8:4700: 130.133.1.10 2 u 17 64 377 385.413 -1.070 19.065
*2001:b031:5c02: 192.168.0.3 2 u 9 64 377 409.217 -0.232 21.774
LOCAL(0) .LOCL. 10 l 13 64 377 0.000 0.000 0.001
remote: the remote server
refid: the address of the server one level above the remote server, i.e. the source the remote server itself synchronises to
st: the stratum of the remote server
t: unit? us
when: seconds since the last successful request
poll: how often the local host synchronises with the remote; polling is frequent while the clock is still unstable, and the interval grows once it stabilises, up to 256
reach: the number of successful contacts with the remote server; generally stable once it is 17 or above
delay: the RTT, the time spent on the wire between the local host and the remote server
offset: the difference between the local clock and the remote server's clock
jitter: the variation of the offset over a given number of connections; the smaller the better
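As an added example (not code from the original post), a Python parser for the ntpq -p billboard shown above; its sample input is the post's own output with the column spacing restored. It decodes the octal reach register to show how many recent polls went unanswered, and flags a daemon that has no system peer or is following only LOCAL(0).

```python
from typing import Dict, List

# Sample `ntpq -p` output, taken from the post's own session (column spacing restored).
NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 61-216-153-104. 211.22.103.158   3 u  277   64  260   61.655   19.030   2.011
+ntp1.ams1.nl.le 130.133.1.10     2 u    9   64  377  186.245   11.931   0.344
+2001:1af8:4700: 130.133.1.10     2 u   17   64  377  385.413   -1.070  19.065
*2001:b031:5c02: 192.168.0.3      2 u    9   64  377  409.217   -0.232  21.774
 LOCAL(0)        .LOCL.          10 l   13   64  377    0.000    0.000   0.001
"""

def parse_ntpq(text: str) -> List[Dict]:
    """Parse ntpq -p billboard rows; the tally code ('*' system peer, '+' candidate) is column 0."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.split()[0] == "remote":
            continue  # blank line, separator, or header
        tally = line[0] if line[0] in "*+-#x.o" else " "
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = line[1:].split()
        peers.append({
            "tally": tally, "remote": remote, "refid": refid, "stratum": int(st), "type": t,
            "when": None if when == "-" else int(when), "poll": int(poll),
            "reach": int(reach, 8),  # 8-bit shift register printed in octal; LSB = newest poll
            "delay_ms": float(delay), "offset_ms": float(offset), "jitter_ms": float(jitter),
        })
    return peers

def recent_misses(reach: int) -> int:
    """How many of the most recent polls went unanswered: trailing zero bits of reach (max 8)."""
    misses = 0
    while misses < 8 and not (reach >> misses) & 1:
        misses += 1
    return misses

def assess(peers: List[Dict], max_offset_ms: float = 100.0) -> Dict:
    """Health check: which peer the daemon follows, and which peers look unhealthy."""
    syspeer = next((p["remote"] for p in peers if p["tally"] == "*"), None)
    warnings = []
    if syspeer is None:
        warnings.append("no system peer selected: daemon is not synchronised yet and will not serve time")
    elif syspeer.startswith("LOCAL("):
        warnings.append("system peer is the undisciplined local clock: serving unsynchronised time")
    for p in peers:
        if p["reach"] != 0o377:
            warnings.append(f"{p['remote']}: reach {p['reach']:o}, last {recent_misses(p['reach'])} poll(s) unanswered")
        if abs(p["offset_ms"]) > max_offset_ms:
            warnings.append(f"{p['remote']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
    return {"syspeer": syspeer, "warnings": warnings}
```

On the sample above the only warning is the first peer: reach 260 (octal) is 10110000 in binary, so its last four polls got no reply, which is why it carries no tally mark.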
Test between two PCs on the LAN: 10.8.116.111 is the NTP server, 10.8.116.8 is a LAN host.
Because the 10.8.116.0 network is permitted to connect:
root@qa-VL:~# date -s "2011-1-1"    # the client sets a wrong time
Sat Jan 1 00:00:00 CST 2011
root@qa-VL:~# date
Sat Jan 1 00:00:01 CST 2011
root@qa-VL:~# ntpdate 10.8.116.111    # the client asks the server for the time
23 Feb 16:32:59 ntpdate[647]: step time server 10.8.116.111 offset 194027559.388183 sec
root@qa-VL:~# date    # verify
Thu Feb 23 16:33:01 CST 2017
Time synchronisation from a server that requires authentication
First copy /etc/ntp/keys from the server to the local file /etc/ntp.keys:
root@qa-VL:~# scp root@10.8.116.111:/etc/ntp/keys /etc/ntp.keys
The authenticity of host '10.8.116.111 (10.8.116.111)' can't be established.
RSA key fingerprint is 63:57:2f:55:ab:b6:ab:cf:10:7f:d9:f9:6d:5b:ae:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.116.111' (RSA) to the list of known hosts.
root@10.8.116.111's password:
keys 100% 680 0.7KB/s 00:00
root@qa-VL:~# ntpdate -d -a 4 10.8.116.111
23 Feb 16:44:07 ntpdate[674]: ntpdate 4.2.6p3@1.2290-o Tue Jun 5 20:12:12 UTC 2012 (1)
Looking for host 10.8.116.111 and service ntp
host found : huan.local
transmit(10.8.116.111)
receive(10.8.116.111)
receive: authentication passed
transmit(10.8.116.111)
receive(10.8.116.111)
receive: authentication passed
transmit(10.8.116.111)
receive(10.8.116.111)
receive: authentication passed
transmit(10.8.116.111)
receive(10.8.116.111)
receive: authentication passed
transmit(10.8.116.111)
server 10.8.116.111, port 123
stratum 11, precision -20, leap 00, trust 000
refid [10.8.116.111], delay 0.02582, dispersion 0.00002
transmitted 4, in filter 4
reference time: dc591ead.357266ee Thu, Feb 23 2017 16:41:17.208
originate timestamp: dc591f5d.de62f183 Thu, Feb 23 2017 16:44:13.868
transmit timestamp: dc591f5d.de0c01f0 Thu, Feb 23 2017 16:44:13.867
filter delay: 0.02583 0.02582 0.02582 0.02586
0.00000 0.00000 0.00000 0.00000
filter offset: 0.001206 0.001172 0.001117 0.001127
0.000000 0.000000 0.000000 0.000000
delay 0.02582, dispersion 0.00002
offset 0.001172
23 Feb 16:44:15 ntpdate[674]: adjust time server 10.8.116.111 offset 0.001172 sec
A third-party firewall appliance synchronising its time to this server; the 10.8.117.0 network is configured with notrust
Configuration
NTP Server 10.8.116.111
NTP Auth Type: MD5
Trust Key No: 4
Key Number: 4
password: +&":$)dll2IM0CA    # the MD5 key
[Packet capture: client side]
[Packet capture: server side]
Note:
After the server starts it needs some time to complete its own synchronisation, and it does not serve time during that period.
Watch the reach value with watch ntpq -p
The notrust option added for a network: in 4.1 it only means the host is not trusted; in 4.2 it means authentication is required
References
http://blog.csdn.net/gycool21/article/details/51746174    comprehensive overview covering every aspect
http://blog.chinaunix.net/uid-71729-id-605471.html    detailed explanation of the ntpq -p fields