NTP Server Setup
One, NTP communication protocol
The Linux operating system keeps time as the total number of seconds elapsed since January 1, 1970; if you remember the date command, you will find that it has a +%s option that prints exactly that total. This is the software clock. As mentioned earlier, however, the computer hardware uses the time kept by the BIOS as its main time basis (the hardware clock), and because of the BIOS chip itself this time can differ slightly from standard time (UTC). To keep a long-running host's time from drifting, time synchronization (synchronize) is therefore very important.
Software clock: the total number of seconds since 1970/01/01 as counted by the Linux operating system.
Hardware clock: the clock in the host hardware, such as the time recorded by the BIOS.
So how do we synchronize time? If we pick several major hosts (primary servers) to calibrate time against, keep those primary servers synchronized with each other, open a network service so that clients can connect, and allow the clients to adjust their own time, wouldn't every computer's time then be synchronized? The protocol that provides this function is the Network Time Protocol, i.e. NTP; the Digital Time Synchronization Protocol (DTSS) can also achieve the same function. So how does NTP let the server synchronize time with the client?
1) First of all, the host must of course start this daemon.
2) Then the client sends a time-calibration request to the NTP server.
3) The NTP server sends the current standard time back to the client.
4) After the client receives the time from the server, it adjusts its own time accordingly, completing the network time calibration.
As for NTP, the daemon listens on port 123 (using UDP packets), so to synchronize with a time server we use the ntpdate command provided by the NTP software, which connects to port 123.
Two, the hierarchical concept of NTP servers
Because NTP time servers use a layered architecture (stratum) to handle time synchronization, they use a master/slave relationship similar to an ordinary server/client setup. Organizations on the network provide some primary and secondary time servers, which belong to the first and second stratum of time servers.
When an NTP host is set up, it selects several upper-level time servers as the calibration sources of our NTP server. The reason for choosing several is that if one time server suddenly goes down, the other hosts can still provide a source for our NTP host to update from, so our NTP server does not stop providing time updates to its own clients.
Three, installation and configuration of the NTP server
1. Required software and software structure
yum install ntp
yum install tzdata
The configuration files and important data files related to time and NTP server settings are the following.
/etc/ntp.conf: the primary configuration file of the NTP server, and the only one.
/usr/share/zoneinfo/: provided by tzdata; each file in it holds the time format for one time zone. For example, the file for my time zone is /usr/share/zoneinfo/Asia/Shanghai. The files in this directory are related to the two files (clock and localtime) discussed below.
/etc/sysconfig/clock: sets the time zone and whether to use a UTC clock. Linux reads this file automatically at every boot to set the default time displayed by your system. For example, with our local time setting in China, this file should contain the line ZONE="Asia/Shanghai", which means our time settings use the file /usr/share/zoneinfo/Asia/Shanghai.
[root@localhost zoneinfo]# cat /etc/sysconfig/clock
ZONE="Asia/Shanghai"
/etc/localtime: the local time configuration file. Since the clock file above specifies /usr/share/zoneinfo/Asia/Shanghai as the time zone file, that becomes the local time, and the Linux system follows the Shanghai time zone file.
As for the time server and the commands that change the time, the main ones are:
/bin/date: the command for displaying and modifying the Linux time (software clock).
/sbin/hwclock: the command for displaying and modifying the BIOS clock (hardware clock). Only root can run it. Because the BIOS time on a Linux system is separate from the Linux system time, after adjusting the time with date you need to use hwclock to write the modified time to the BIOS.
/usr/sbin/ntpd: the program that provides the NTP service. Its configuration file is /etc/ntp.conf.
/usr/sbin/ntpdate: used for client-side time correction; use this command if you do not run ntpd and only want the NTP client function.
2, handling the main configuration file ntp.conf
Example configuration:
The upper-level NTP servers are tock.stdtime.gov.tw, tick.stdtime.gov.tw and time.stdtime.gov.tw, of which tock.stdtime.gov.tw is preferred.
No service is provided to the Internet; only queries from the internal network 192.168.100.0/24 are allowed.
The drift between the BIOS clock and the Linux system time is detected and written to the file /var/lib/ntp/drift.
Let's take a look at how to set access control in ntp.conf.
1) Use restrict to manage access control
Syntax of the restrict parameter:
restrict [your IP] mask [netmask_ip] [parameter]
The main values for parameter are the following.
ignore: denies all types of NTP connections.
nomodify: the client cannot use ntpdc or ntpq to modify the server's time parameters, but the client can still synchronize its time through this host.
noquery: the client cannot query the time server with commands such as ntpq and ntpdc, which is equivalent to not providing NTP network time service.
notrap: does not provide the remote event logging (trap) function.
notrust: denies clients that are not authenticated.
If no parameter is given, it means "this IP or network segment is not subject to any restrictions". In general, we first close off NTP access by default and then open the network segments that are allowed to connect, one by one.
2) Use server to set the upper-level NTP servers
The upper-level NTP servers are set as follows:
server [IP or hostname] [prefer]
After server you can give either an IP or a hostname; IP is preferable, to avoid trouble when hostnames change. prefer marks the preferred server.
3) Record the time difference with driftfile
driftfile [directory or file that ntpd can write to]
Because the NTP server's own time is derived from the oscillation frequency of the BIOS chip, that frequency does not exactly match the upper-level time server's. So the NTP daemon (ntpd) automatically compares our host's frequency with the upper-level time server's and records the error between the two frequencies in the file named after driftfile. Things to know about that file name:
A full path name is required for the file that follows driftfile.
The file cannot be a symbolic link.
The value recorded in this file is a frequency error expressed in parts per million (ppm).
The driftfile is updated automatically by ntpd, so its permissions must allow ntpd to write to it.
4) keys [key_file]
Besides using restrict to limit client connections, we can also authenticate clients through a key system, so the server side can be more confident.
[root@localhost JBOSS6]# vim /etc/ntp.conf
# 1. Handle access control first: allow the upper-level servers and open the LAN user source
restrict default kod nomodify notrap nopeer noquery        # deny IPv4 users by default
restrict -6 default kod nomodify notrap nopeer noquery     # deny IPv6 users by default
restrict 220.130.158.71    # allow tock.stdtime.gov.tw to reach this NTP server
restrict 59.124.196.83     # allow tick.stdtime.gov.tw to reach this NTP server
restrict 59.124.196.84     # allow time.stdtime.gov.tw to reach this NTP server
restrict 127.0.0.1         # these two are the default values
restrict -6 ::1
restrict 192.168.10.0 mask 255.255.255.0 nomodify   # allow the local area network source
# 2. Set the host source; first comment out the original server lines below
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
server 220.130.158.71 prefer   # this host takes precedence
server 59.124.196.83
server 59.124.196.84
# 3. The default drift file and the keys file; we do not need to change these
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
That completes the setup.
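As an added example (not part of the original article), the script below reads an ntp.conf in the format just shown and flags access-control settings that undermine the intent of the restrict lines: a default entry missing nomodify or noquery, an unrestricted single host that is not also a configured server, and a network entry without nomodify. SAMPLE_CONF is constructed from the addresses on this page, and the function names are my own.

```python
import ipaddress

# Constructed sample in the format of the ntp.conf shown above (addresses from the page).
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 220.130.158.71
restrict 59.124.196.83
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.10.0 mask 255.255.255.0 nomodify
server 220.130.158.71 prefer
server 59.124.196.83
driftfile /var/lib/ntp/drift
"""

def parse_ntp_conf(text):
    """Return (restricts, servers); each restrict is (target, mask, flags)."""
    restricts, servers = [], set()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()      # strip comments; skip blank lines
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "restrict":
            if args[0] in ("-4", "-6"):           # optional address-family selector
                args = args[1:]
            target, mask, flags = args[0], None, args[1:]
            if flags[:1] == ["mask"]:
                mask, flags = flags[1], flags[2:]
            restricts.append((target, mask, set(flags)))
        elif keyword == "server":
            servers.add(args[0])                  # other keywords (driftfile, keys) ignored
    return restricts, servers

def audit_ntp_conf(text):
    """List weak access settings (empty list = checks pass). Assumes literal IP targets."""
    restricts, servers = parse_ntp_conf(text)
    findings = []
    for target, mask, flags in restricts:
        if target == "default":                   # catch-all must refuse queries and changes
            missing = {"nomodify", "noquery"} - flags
            if missing:
                findings.append("default restrict lacks " + ",".join(sorted(missing)))
        elif mask is None:                        # single host: no flags means full trust
            loopback = ipaddress.ip_address(target).is_loopback
            if not flags and not loopback and target not in servers:
                findings.append("unrestricted host %s is not a configured server" % target)
        elif "nomodify" not in flags and "ignore" not in flags:
            findings.append("network %s/%s may modify the server" % (target, mask))
    return findings
```

Running audit_ntp_conf on the sample returns an empty list; removing nomodify and noquery from the default line, or adding a restrict for a host that is not a server, produces one finding per problem.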
3, starting and observing NTP
# 1. Start NTP
[root@localhost zoneinfo]# /etc/init.d/ntpd start
Starting ntpd: [ OK ]
[root@localhost zoneinfo]# chkconfig ntpd on       # start at boot
[root@localhost zoneinfo]# tail /var/log/messages   # view the log
Jan 17:09:28 localhost ntpd[33990]: deferring DNS for 1.rhel.pool.ntp.org 1
Jan 17:09:28 localhost ntpd[33990]: deferring DNS for 2.rhel.pool.ntp.org 1
Jan 17:09:28 localhost ntpd[33990]: deferring DNS for 3.rhel.pool.ntp.org 1
Jan 17:09:28 localhost ntpd[33990]: 0.0.0.0 c016 restart
Jan 17:09:28 localhost ntpd[33990]: 0.0.0.0 c012 freq_set kernel 0.000 PPM
Jan 17:09:28 localhost ntpd[33990]: 0.0.0.0 c011 freq_not_set
Jan 17:09:30 localhost ntpd_intres[33992]: host name not found:0.rhel.pool.ntp.org
Jan 17:09:30 localhost ntpd_intres[33992]: host name not found:1.rhel.pool.ntp.org
Jan 17:09:30 localhost ntpd_intres[33992]: host name not found:2.rhel.pool.ntp.org
Jan 17:09:30 localhost ntpd_intres[33992]: host name not found:3.rhel.pool.ntp.org
# 2. View the ports that were opened
[root@localhost zoneinfo]# netstat -tlunp | grep ntp
udp 0 0 192.168.211.128:123 0.0.0.0:* 33990/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 33990/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 33990/ntpd
udp 0 0 fe80::20c:29ff:fe82:6e49:123 :::* 33990/ntpd
udp 0 0 ::1:123 :::* 33990/ntpd
udp 0 0 :::123 :::* 33990/ntpd
# Mainly UDP packets, on port 123
This means our NTP server is up and running, but it takes some time to connect to the upper-level NTP server, typically about 15 minutes after starting NTP. So how do we know that our NTP server has successfully updated its own time?
[root@localhost zoneinfo]# ntpstat      # this is my own virtual machine, with no upper-level server
unsynchronised
time server re-starting
polling server every 8 s
[root@localhost zoneinfo]# ntpstat      # Bird Brother's example
synchronised to NTP server (220.130.158.71) at stratum 3
time correct to within 538 ms
polling server every 128 s
This command shows whether our NTP server is connected to the upper layer. From the output above we can see that the time has been corrected to within about 538 ms, and that the time is actively updated every 128 seconds.
[root@localhost zoneinfo]# ntpq -p
This command lists the current state of our NTP server together with its associated upper-level NTP servers.
4. Security settings
Open UDP port 123 on the server firewall:
[root@localhost zoneinfo]# vi /etc/sysconfig/iptables
iptables -A INPUT -i $EXTIF -p udp -s 192.168.100.0/24 --dport 123 -j ACCEPT
Four, client time update methods
1, Linux manual time setting: date and hwclock
date MMDDhhmmYYYY       # month, day, hour, minute, year
[root@localhost zoneinfo]# date 012809511016
date: cannot set date: Invalid argument
Sun Jan 09:51:00 LMT 1016
[root@localhost zoneinfo]# hwclock [-rw]
-r: read, read out the time currently kept in the BIOS
-w: write, write the current Linux system time to the BIOS
Check the BIOS time, then write the changed time:
[root@localhost zoneinfo]# date; hwclock -r
[root@localhost zoneinfo]# hwclock -w; hwclock -r; date
[root@localhost zoneinfo]# date 012809572016
Thu Jan 09:57:00 CST 2016
[root@localhost zoneinfo]# date
Thu Jan 09:57:11 CST 2016
[root@localhost zoneinfo]# hwclock -r
Thu 05:58:18 PM CST  -0.283336 seconds
[root@localhost zoneinfo]# hwclock -w
[root@localhost zoneinfo]# hwclock -r
Thu 09:57:30 AM CST  -0.095152 seconds
[root@localhost zoneinfo]# date
Thu Jan 09:57:34 CST 2016
[root@localhost zoneinfo]#
2, Linux network time synchronization
Because an NTP server is itself synchronized with the upper-level time servers, an NTP server is not allowed to use ntpdate by default; that is, ntpdate and ntpd cannot be enabled at the same time.
[root@localhost zoneinfo]# ntpdate 192.168.100.254      # the server
It is best for the client to start the NTP service as well and update its time proactively through NTP:
[root@localhost zoneinfo]# ntpdate 192.168.100.254
[root@localhost zoneinfo]# vi /etc/ntp.conf
restrict 192.168.100.254     # allow the server source
server 192.168.100.254       # this is the server
[root@localhost zoneinfo]# /etc/init.d/ntpd start
[root@localhost zoneinfo]# chkconfig ntpd on
This way the client computer will proactively go to the NTP server to update its time.
Otherwise, you can also do this:
[root@localhost zoneinfo]# vi /etc/crontab
10 5 * * * root (/usr/sbin/ntpdate tock.stdtime.gov.tw && /sbin/hwclock -w) &> /dev/null
In this way, the Linux system will automatically synchronize over the network at 05:10 every day.
Source: Bird Brother's Linux Server Setup -- NTP Server Setup