Deploy NTP in RHEL6.5 Cluster

Source: Internet
Author: User

NTP, the Network Time Protocol, is what Linux machines in a cluster use to keep their clocks synchronised with each other and with an accurate time source.

The figure that accompanied this article (a screenshot, not reproduced here) showed the NTP deployment layout described below.

The layout consists of an Internet NTP server, an intranet NTP server, and the remaining intranet machines. To keep the explanation concrete, the following addresses are assumed:

Internet NTP server: xx.cn.pool.ntp.org

Intranet NTP server: 10.xxx.xxx.189

Other intranet machines: 10.xxx.xxx.148 and 10.xxx.xxx.149

(189, 148 and 149 all run Red Hat Enterprise Linux 6.5.)

The machines relate to each other as follows:

(1) Internet NTP server and intranet NTP server:

The intranet server 189 first sets its clock to the correct time from the Internet NTP server, and from then on keeps itself synchronised with that server through ntpd (or periodic ntpdate). In this relationship the Internet server is the NTP server and 189 is the NTP client.

(2) Intranet NTP server and the other intranet machines:

Once 189 has an accurate clock it serves time to the rest of the intranet. In this relationship 189 is the NTP server and machines such as 148 and 149 are the NTP clients.

So within the whole architecture 189 is both an NTP server and an NTP client, much as in a three-generation family the father is also somebody's son.

1. Intranet NTP server (10.xxx.xxx.189) settings

1. Check and install ntp

Run rpm -qa | grep ntp to check whether ntp is installed. If the two packages, ntp and ntpdate, are listed, it is installed.

If nothing is listed, install it with yum install -y ntp (this assumes yum works on the server; if it does not, download the matching rpm packages and install them manually).

2. Use ntpdate to synchronise with the NTP server

The main commands in this step are:

(1) ntpdate 0.cn.pool.ntp.org # set the system time from the Internet server

(2) hwclock --systohc # copy the system time to the hardware clock

ntpd will not correct an arbitrarily large error. If the offset to its sources exceeds the panic threshold (1000 seconds by default), ntpd logs the offset and exits instead of touching the clock, unless it was started with -g, which permits one large initial step. Offsets between 128 ms and 1000 s are stepped; smaller ones are slewed gradually, which can take a long time to converge. In either case the practical rule is the same: before ntpd runs, set 189 to the correct time once with ntpdate, which is what command (1) does.

2.1

First confirm the time zone (skip this step if it is already correct).

Set the time zone for your location; Shanghai is used as the example:

cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime # set the time zone to Shanghai

On RHEL 6 also set ZONE="Asia/Shanghai" in /etc/sysconfig/clock, since the system tools read the zone from there when they refresh /etc/localtime.

[root@zabbix ~]# date

Mon Mar 12 18:28:42 CST 2018 # the zone now shows as CST, China Standard Time

Note that date prints only the abbreviation, and CST is also used for US Central Standard Time; date +%z printing +0800 confirms the zone really is UTC+8.

2.2

Before synchronising you need to know which Internet NTP servers are reachable. The NTP Pool project site, http://www.pool.ntp.org, lists a zone for each country; pick the one closest to you.

The Internet NTP servers obtained this way for China are:

server 0.cn.pool.ntp.org

server 1.cn.pool.ntp.org

server 2.cn.pool.ntp.org

server 3.cn.pool.ntp.org

2.3

With the Internet NTP server known, adjust the time with ntpdate:

[root@zabbix ~]# ntpdate 0.cn.pool.ntp.org

12 Mar 14:03:12 ntpdate[19868]: step time server 85.199.214.100 offset 1114.672613 sec

Note: run it two or three times; after the first step the later runs should report only a small residual offset.

Before the command the system time was 01:42 P.M., which was wrong.

After the command the system time is 02:03 P.M., the correct time.

Notes:

(1) ntpdate steps the clock: it jumps the system time from one value to another with no smooth transition.

(2) Running ntpdate xx.cn.pool.ntp.org may fail with "the NTP socket is in use, exiting". This almost always means ntpd is already running and holds UDP port 123; confirm with service ntpd status or ps aux | grep ntpd.

Solution: stop the daemon with service ntpd stop (or kill the ntpd pid if the service will not stop), then run ntpdate again.

(3) Another possible error is "no server suitable for synchronization found". One cause is a firewall dropping NTP traffic: jump ahead to the firewall section and open UDP port 123 as described there. In testing on a local virtual machine this error did appear and went away after port 123 was opened, although it was not confirmed that the firewall was the only cause; a name that does not resolve, or an upstream server that is unreachable or itself unsynchronised, produces the same message. Port 123 has to be open in any case, so treating it as a troubleshooting step here costs nothing.

2.4

Step 2.3 set the system time. Now run hwclock --systohc (sys, system time, to, hc, hardware clock) to write the system time into the hardware clock, so that the machine does not come back up with the old time after a reboot.

3. Configure the main configuration file /etc/ntp.conf

If you simply run service ntpd start on 189 at this point it will already serve time to clients: the stock /etc/ntp.conf shipped with RHEL 6 allows time service to any host and points at rhel.pool.ntp.org, so 189 becomes an NTP server for the intranet without any editing. That is not good enough for an enterprise deployment: the access restrictions in ntp.conf should match the environment, and the upstream servers should be the ones chosen in 2.2. Nor is a one-off adjustment enough: 189 must keep re-synchronising with the Internet servers for as long as it runs.

There are two ways to keep 189 in step with the Internet NTP server:

(1) ntpdate + crontab.

Since ntpdate 0.cn.pool.ntp.org synchronises 189 with the Internet server, a crontab entry that runs it periodically keeps the time consistent, for example:

0 12 * * * /usr/sbin/ntpdate 0.cn.pool.ntp.org

If you choose this method, the rest of this section does not apply (ntpd must then not be running, or ntpdate fails with the socket error from 2.3).

(2) The ntpd service.

This method is preferable because ntpdate steps the clock, and a jump in time can upset applications that depend on time moving forward steadily. The ideal arrangement is to step the clock with ntpdate once at boot, when few services are running and a jump is harmless, and then let ntpd slew the clock smoothly from then on.

The following describes the settings in /etc/ntp.conf needed for the second method. The parameters to note are:

1) driftfile: records the measured frequency error of the local clock

Format: driftfile file name

Purpose: ntpd measures how fast or slow the local oscillator runs relative to its sources and writes that value (in parts per million) to this file, so that after a restart it can compensate immediately instead of re-measuring for hours.

Note: driftfile must be given as a full path, not a symlink, and the ntpd daemon must be able to write to it (on RHEL 6 ntpd runs as user ntp).

Default configuration item: driftfile /var/lib/ntp/drift

Note: the driftfile parameter was not changed in this deployment.

2) restrict: access control (a very important parameter; it is modified on the intranet NTP server, but not on the intranet NTP clients)

Format: restrict address [mask netmask] flags

Purpose: the address selects which hosts the flags apply to (default means all addresses, equivalent to 0.0.0.0 with mask 0.0.0.0); a mask extends the entry to a whole network segment. A packet is matched against the most specific entry that covers its source.

Flags used with restrict include:

ignore: drop all packets from the matching hosts, including time requests.

nomodify: the matching hosts cannot change the server's configuration at run time (via ntpq or ntpdc), but can still obtain time from it.

noquery: the matching hosts cannot query the server's status with ntpq or ntpdc. This also blocks monlist, the query abused for NTP reflection and amplification attacks, so it belongs on the default line of any server reachable from the Internet.

nopeer: the matching hosts cannot set up a symmetric peering association with the server (without it, an unsolicited peer packet can mobilise a new association).

kod: when a packet is refused, answer with a Kiss-o'-Death packet telling the client to back off instead of silently dropping it; together with limited it rate-limits abusive clients.

notrap: refuse mode 6 control-message trap service (remote event logging).

notrust: since ntp 4.2 this means that packets from the matching hosts are accepted only if they are cryptographically authenticated. It does not cause a configuration error, but adding it to the default line denies service to every client that does not use keys, so do not add it unless authentication is configured.

The corresponding default configuration lines are:

restrict default kod nomodify notrap nopeer noquery # any host may get time, but may not modify, query, trap or peer

restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1 # the local host may do anything

restrict -6 ::1

3) server: the upstream time servers (an important parameter, configured on both the intranet NTP server and the clients)

Format: server address-or-hostname [prefer] [iburst]

Purpose: each line names an upstream NTP server. When several are listed, ntpd polls all of them and selects the best by its own clustering algorithm; prefer marks one server as preferred over otherwise comparable ones, and the order of the lines does not set a priority. iburst sends a burst of eight packets when a server is first reached, so that ntpd selects a sync source within seconds of starting instead of after several poll intervals. The poll interval starts at 64 seconds and adapts between 64 and 1024 seconds (about 17 minutes at the top of the range).

Default configuration items:

server 0.rhel.pool.ntp.org iburst

server 1.rhel.pool.ntp.org iburst

server 2.rhel.pool.ntp.org iburst

server 3.rhel.pool.ntp.org iburst

In practice only two things in this file are changed: the restrict lines and the server lines (the original shows the result in a screenshot that is not reproduced here).
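The configuration 189 ends up with, and a check for the settings that matter, as an added example that is not part of the original article. write_server_conf produces the file with the restrict and server changes described above; audit_conf is a separate check that can be pointed at any /etc/ntp.conf. The intranet prefix 10.xxx.xxx.0/24 is the article's placeholder (set NET and MASK to your real values), the upstreams are the cn.pool servers from 2.2, and OUT defaults to a local file so nothing under /etc is written unless you ask for it.

```shell
#!/bin/sh
# Added example (not from the original article): generates the /etc/ntp.conf for
# the intranet NTP server 189 with the restrict and server changes described
# above, and audits any ntp.conf for the settings that expose a server.
# Assumptions: the intranet is 10.xxx.xxx.0/24 (the article's placeholder;
# set NET and MASK), upstreams are the cn.pool servers from section 2.2, and
# OUT defaults to a local file so nothing in /etc is touched unless asked.

# write_server_conf OUT NET MASK: write the server-side configuration.
write_server_conf() {
    cat >"$1" <<EOF
driftfile /var/lib/ntp/drift

# Default for any host: serve time only. noquery blocks ntpq/ntpdc status and
# monlist (the NTP amplification vector); nomodify blocks runtime changes;
# nopeer blocks unsolicited peering; kod answers refused packets with a
# Kiss-o'-Death so clients back off instead of retrying blindly.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The local host may do anything (needed for ntpq -p / ntpdc on the box).
restrict 127.0.0.1
restrict -6 ::1

# Intranet clients: explicit entry for the client network. They only need
# time, so query and modify stay denied here too.
restrict $2 mask $3 nomodify notrap nopeer noquery

# Upstream Internet servers from section 2.2. iburst: a burst of eight packets
# at start-up so a sync source is chosen in seconds rather than minutes.
server 0.cn.pool.ntp.org iburst
server 1.cn.pool.ntp.org iburst
server 2.cn.pool.ntp.org iburst
server 3.cn.pool.ntp.org iburst
EOF
}

# audit_conf FILE: return 0 if FILE passes, 1 (with a reason on stderr) if not.
# Three mistakes commonly seen in hand-edited ntp.conf files are checked.
audit_conf() {
    rc=0
    d='^[[:space:]]*restrict([[:space:]]+-4)?[[:space:]]+default([[:space:]]+[a-z]+)*[[:space:]]+'
    if grep -Eq "${d}"'ignore([[:space:]]|$)' "$1"; then
        :   # "restrict default ignore" denies everything; checks 1 and 2 are moot
    else
        # 1. a bare "restrict default" (or no default line) lets any host reconfigure ntpd
        if ! grep -Eq "${d}"'nomodify([[:space:]]|$)' "$1"; then
            echo "$1: 'restrict default' is missing or lacks nomodify" >&2; rc=1
        fi
        # 2. without noquery on the default line, monlist/ntpq are open to the Internet
        if ! grep -Eq "${d}"'noquery([[:space:]]|$)' "$1"; then
            echo "$1: 'restrict default' lacks noquery" >&2; rc=1
        fi
    fi
    # 3. with no upstream at all, ntpd runs but never synchronises
    if ! grep -Eq '^[[:space:]]*(server|peer)[[:space:]]+[^[:space:]]+' "$1"; then
        echo "$1: no server or peer line" >&2; rc=1
    fi
    return $rc
}

# Usage:  sh ntp_server_conf.sh write                   (writes ./ntp.conf.189)
#         OUT=/etc/ntp.conf NET=10.1.2.0 MASK=255.255.255.0 sh ntp_server_conf.sh write
if [ "${1:-}" = write ]; then
    out="${OUT:-./ntp.conf.189}"
    write_server_conf "$out" "${NET:-10.xxx.xxx.0}" "${MASK:-255.255.255.0}"
    audit_conf "$out" && echo "wrote $out"
fi
```

audit_conf deliberately does not try to parse every restrict form; it answers the two questions that matter before a server is exposed (can strangers reconfigure it, can strangers query it) and whether it has an upstream at all. Keep the default restrict line as shipped rather than tightening it to ignore: replies from the pool servers arrive from changing addresses, and ignore would drop those too.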

 

4) Hardware clock: by default ntpd adjusts only the system time. To have the hardware clock updated as well, add SYNC_HWCLOCK=yes to /etc/sysconfig/ntpd. (On RHEL 6 the same setting in /etc/sysconfig/ntpdate makes the ntpdate service write the hardware clock after a successful step, and once ntpd is synchronised the Linux kernel itself refreshes the hardware clock roughly every 11 minutes, so hwclock --systohc matters mainly for the initial correction.)

5) The file /etc/ntp/step-tickers

In this deployment the intranet NTP server 189 did not need this file, but the intranet clients 148 and 149 did: without it, ntpd on 148 and 149 started but never synchronised with 189, and ntpstat on the clients kept reporting unsynchronised.

step-tickers holds one time server per line, as a bare host name or IP address (not server lines in ntp.conf syntax). When the ntpd service is started, the init script first runs ntpdate against the servers listed here and steps the clock before launching the daemon.

The difference between ntp.conf and step-tickers, as commonly explained:

step-tickers is used by ntpdate, whereas ntp.conf is the configuration file for the ntpd daemon. ntpdate is run first, before ntpd, to make sure the time is within 1000 seconds; ntpd will not run if the time difference between server and client is more than 1000 seconds (or thereabouts). The start-up script reads step-tickers for the servers to be polled by ntpdate.

Whether ntpd corrects a large initial offset on its own depends on its options (-g, which the RHEL 6 default OPTIONS in /etc/sysconfig/ntpd includes, allows one large step at start-up; without it ntpd exits on an offset above 1000 s), and even then the daemon needs several poll intervals before it selects a source. Listing our time source in /etc/ntp/step-tickers makes every service ntpd start (or /etc/init.d/ntpd start) step the clock with ntpdate first, so ntpd begins from a correct time and that wait is avoided.

4. Firewall settings

With the configuration complete the service can be started, but first check the firewall.

NTP uses UDP port 123. If the system firewall (iptables) is active, the server must accept inbound UDP port 123 from its clients.

Check the firewall status with /etc/init.d/iptables status.

In this deployment the firewall had already been disabled before other services were installed, so nothing needed to be done here. If your firewall is active, open port 123 as follows:

(1) /sbin/iptables -I INPUT -p udp --dport 123 -j ACCEPT # accept UDP port 123

(2) /etc/rc.d/init.d/iptables save # save the rule set

(3) /etc/rc.d/init.d/iptables restart # reload the firewall

(4) /etc/init.d/iptables status # list the active rules

On the intranet server, limit rule (1) to the client network by adding a source match (-s with the intranet prefix) so that only intranet hosts can reach port 123 at all. The clients themselves need no inbound rule as long as the RHEL 6 default rule accepting ESTABLISHED,RELATED traffic is present: ntpd sends the request, and the reply is matched as part of that exchange.

(5) lsof -i :123 shows whether a process is bound to port 123; this confirms that ntpd is listening, not that the firewall lets traffic through.

If UDP port 123 is not open, the "no server suitable for synchronization found" error from 2.3 is the typical symptom; come back to this section if it appears.

5. Make the ntpd service start automatically

This step matters more than it looks: once NTP is deployed nobody watches it, and if one of the servers reboots for some reason (it always happens eventually) and ntpd is not enabled at boot, that server's clock drifts away from the rest of the cluster.

The procedure is:

(1) chkconfig --list | grep ntpd # check whether ntpd is already enabled at boot

(2) chkconfig ntpd on # enable it

6. Start the ntpd service

(1) service ntpd start # start the service

(2) service ntpd status # show the status

(3) service ntpd stop # stop the service

(4) service ntpd restart # restart the service

If the status is queried right after starting, ntpstat reports "unsynchronised".

This is normal: after a (re)start, ntpd needs several successful exchanges with its servers before it selects a synchronisation source, which takes well under a minute with iburst and a few minutes without it. A client whose ntpd has just been restarted shows the same message until it has been talking to the server for a few minutes.

After the NTP service is started, the following commands show its state.

(1) ntpstat: reports whether ntpd is synchronised to an upstream server, to which one, and with what accuracy.

Normal output reads "synchronised to NTP server (...) at stratum N" followed by the estimated accuracy.

(2) ntpq -p: lists the configured servers and the state of each association.

The columns are:

remote: the IP address or host name of the upstream server. The tally character in the leftmost column is the important part: "*" marks the server ntpd is currently synchronised to (the system peer), "+" marks a good candidate that is included in the final average, "-" an outlier that is excluded, "x" a server rejected as a falseticker, and a blank means the server is unreachable or discarded.

refid: the reference identifier of the upstream server, that is, what it in turn synchronises to (an address, or a code such as .INIT. when it has not synchronised yet).

st: the stratum. Stratum 1 servers are attached directly to a reference clock (GPS, a caesium atomic clock, radio time signals); the primary servers of NIST, the National Time Service Center of China and CERNET are at this level. Stratum 2 servers synchronise to stratum 1 and are still accurate to milliseconds, so in practice the difference does not matter. Each further hop adds one to the stratum; 16 means unsynchronised. (This paragraph is adapted from material found online.)

when: seconds since the last packet was received from that server.

poll: the current polling interval in seconds (64 to 1024).

reach: an 8-bit shift register of the last eight polls, shown in octal; 377 means all eight succeeded, 0 that none did.

delay: round-trip network delay to the server, in milliseconds.

offset: the measured difference between the local clock and the server, in milliseconds.

jitter: the variation between successive offset measurements, in milliseconds (it is not the difference between system time and hardware time).

(3) watch "ntpq -p" refreshes the table every two seconds.

Press Ctrl + C to exit.
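Reading the tally column by eye is fine at deployment time, but the cluster needs the same check unattended. The following is an added example, not from the original article, that turns ntpq -p output into a yes/no answer by looking for the "*" system-peer line described above; it is what a cron job or monitoring agent on 148 and 149 would run. The two sample outputs are constructed, the addresses are the article's placeholders, and check_ntp is the function to call on a real host.

```shell
#!/bin/sh
# Added example (not from the original article): a check that turns `ntpq -p`
# output into a yes/no answer, the test a cron job or monitoring agent on
# 148/149 should run rather than eyeballing the table. The two sample outputs
# below are constructed; addresses are the article's placeholders.

# sync_status: reads `ntpq -p` text on stdin. Prints
#   synced <remote> stratum=<st> offset=<ms>   and returns 0 when one line is
# tallied "*" (the system peer ntpd is disciplined to);
#   unsynchronised                             and returns 1 otherwise,
# which also covers "ntpq: read: Connection refused" when ntpd is not running.
sync_status() {
    awk '
        NR <= 2 { next }                      # skip the header and the ==== rule
        substr($0, 1, 1) == "*" {             # tally "*" marks the system peer
            printf "synced %s stratum=%s offset=%s\n", substr($1, 2), $3, $9
            found = 1
            exit
        }
        END { if (!found) { print "unsynchronised"; exit 1 } }
    '
}

# check_ntp: the real thing. -n keeps addresses numeric so no DNS lookup stalls it.
check_ntp() { ntpq -pn 2>&1 | sync_status; }

# Constructed sample: what a client (148) shows once 189 is its system peer and
# 180 is a candidate ("+").
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.xxx.xxx.189  85.199.214.100   3 u   42   64  377    0.312   -0.845   0.210
+10.xxx.xxx.180  85.199.214.100   3 u   20   64  377    0.401    1.102   0.350'

# Constructed sample: the same client seconds after "service ntpd start":
# no tally, refid .INIT., stratum 16, reach 0.
SAMPLE_INIT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.xxx.xxx.189  .INIT.          16 u    -   64    0    0.000    0.000   0.000'

sample_synced()   { printf '%s\n' "$SAMPLE_OK"   | sync_status; }
sample_unsynced() { printf '%s\n' "$SAMPLE_INIT" | sync_status; }

# Usage on a host:  check_ntp || logger -t ntpcheck "ntpd has no sync source"
```

The check keys on the tally character rather than on reach or offset because a server can be reachable (reach 377) and still be rejected; only "*" means ntpd is actually disciplining the clock to it. Combine it with a threshold on the offset field if the cluster has an accuracy requirement.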

2. Intranet NTP client (10.xxx.xxx.148/149) settings

Setting up the intranet clients differs little from setting up the intranet server 189. In the previous section 189 was the client and xx.cn.pool.ntp.org was the server; here 148 and 149 are the clients and 189 is the server.

Essentially every Internet server address from the previous section is replaced with the address of 189.

The procedure is:

1. rpm -qa | grep ntp # check whether ntp is installed

2. Synchronise the system time with ntpdate and write it to the hardware clock (stop ntpd first if it is running):
ntpdate 10.xxx.xxx.189 (run twice)
hwclock --systohc

3. Edit /etc/ntp.conf and set the server lines:
server 10.xxx.xxx.189 prefer
server 10.xxx.xxx.180

Note: the restrict lines are left at their defaults on a client.

4. Edit /etc/ntp/step-tickers and list the servers, one bare address per line (no server keyword and no prefer; the file is read by ntpdate, not by ntpd):
10.xxx.xxx.189
10.xxx.xxx.180

5. Keep the hardware clock updated:
in /etc/sysconfig/ntpd add
SYNC_HWCLOCK=yes

6. Firewall settings:
/etc/init.d/iptables status

7. Check that the service starts at boot:
chkconfig --list | grep ntpd

8. Start the service and check its state:
service ntpd start

ntpstat

ntpq -p

The two main differences from the server setup are:

(1) On a client the restrict lines in /etc/ntp.conf need no changes; only the server lines are changed, to make 189 the upstream time server, and everything else keeps its default value.

(2) /etc/ntp/step-tickers was not configured on the intranet server in the previous section, but it is configured on the clients, with 189 added as shown above.

The file has two lines because a simple form of load balancing and high availability is in place (a second intranet server, 10.xxx.xxx.180); prefer in ntp.conf marks 189 as the preferred server.
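The eight client steps above as one script, added here as an example and not part of the original article. NTP_SERVER and NTP_SERVER2 default to the article's placeholders 189 and 180; ROOT is an assumed path prefix for the files edited (steps 3 to 5), so the script can be rehearsed in a scratch directory; and every command is only printed unless APPLY=1 is set, so a dry run shows the order before anything is touched. The firewall step is left to the prose above, since a client with the RHEL 6 default ESTABLISHED,RELATED rule needs no extra rule.

```shell
#!/bin/sh
# Added example, not part of the original article: the client-side procedure
# of this section (148 and 149) as one script. Assumptions: NTP_SERVER is 189
# and NTP_SERVER2 is the secondary intranet server 180 (both the article's
# placeholders), ROOT is a path prefix for the files edited so the script can
# be rehearsed outside /etc, and commands are only printed unless APPLY=1.
# To deploy for real: APPLY=1 sh ntp_client.sh deploy   (as root on RHEL 6)

NTP_SERVER="${NTP_SERVER:-10.xxx.xxx.189}"
NTP_SERVER2="${NTP_SERVER2:-10.xxx.xxx.180}"
ROOT="${ROOT:-}"          # "" means the real /etc
APPLY="${APPLY:-0}"

run() {                   # echo the command; execute it only when APPLY=1
    echo "+ $*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# Edit the three files the procedure touches (steps 3, 4 and 5).
write_client_files() {
    mkdir -p "$ROOT/etc/ntp" "$ROOT/etc/sysconfig"
    conf="$ROOT/etc/ntp.conf"
    [ -f "$conf" ] || : >"$conf"
    # step 3: keep the RHEL defaults (restrict lines untouched), comment out the
    # stock rhel.pool upstreams and point at the intranet servers instead
    sed -i 's/^\([[:space:]]*server[[:space:]]\)/#\1/' "$conf"
    printf 'server %s iburst prefer\nserver %s iburst\n' "$NTP_SERVER" "$NTP_SERVER2" >>"$conf"
    # step 4: step-tickers is read by ntpdate at service start: bare addresses,
    # one per line, so the clock is stepped even when it is far off
    printf '%s\n%s\n' "$NTP_SERVER" "$NTP_SERVER2" >"$ROOT/etc/ntp/step-tickers"
    # step 5: keep the hardware clock in step as well
    sysc="$ROOT/etc/sysconfig/ntpd"
    if [ -f "$sysc" ] && grep -q '^SYNC_HWCLOCK=' "$sysc"; then
        sed -i 's/^SYNC_HWCLOCK=.*/SYNC_HWCLOCK=yes/' "$sysc"
    else
        echo 'SYNC_HWCLOCK=yes' >>"$sysc"
    fi
}

deploy_client() {
    run service ntpd stop         # free UDP 123, or ntpdate says "socket is in use"
    run ntpdate "$NTP_SERVER"     # step 2: the first run steps the clock ...
    run ntpdate "$NTP_SERVER"     # ... the second should report a tiny offset
    run hwclock --systohc         # write the corrected time to the hardware clock
    write_client_files            # steps 3, 4, 5
    run chkconfig ntpd on         # step 7: survive reboots
    run service ntpd start        # step 8
    run ntpstat                   # "unsynchronised" for the first minutes is normal
    run ntpq -p
}

if [ "${1:-}" = deploy ]; then deploy_client; fi
```

Rehearse with ROOT=/tmp/ntpclient sh ntp_client.sh deploy and inspect the three files under /tmp/ntpclient/etc before running it with APPLY=1; the order (stop ntpd, step, write the hardware clock, configure, enable, start) is the one that avoids the socket-in-use and unsynchronised problems described earlier.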

The emphasis here has been on the implementation steps. For more of the theory, the following articles, read at the start of this deployment, are easy to follow:

https://www.bkjia.com/Linux/2013-11/92275.htm

https://www.bkjia.com/Linux/2013-11/92275p2.htm

Permanent link for this article: https://www.bkjia.com/Linux/2018-03/151402.htm
