Two specific modes
1. The number of servers is relatively small: each one can synchronize directly with a public time server.
2. There are many local servers: build a local time synchronization server and have the other machines synchronize with it.
Two commands for time synchronization
ntpd: Calibrates the clock gradually, adjusting the time in small steps until it is correct.
The ntpd service can also correct the CPU tick rate while correcting the time.
ntpd has a self-protection setting: if the time difference between the local machine and the source is too large, ntpd will not run.
ntpdate: Does not care whether other programs will suffer; it sets the time directly, which may affect running programs.
ntpdate [-nv] [IP/hostname]
# ntpdate -u 192.168.0.2
# ntpdate -u time.ntp.org
# ntpdate -u ntp.sjtu.edu.cn >>/var/log/ntp.log 2>&1;hwclock -w
Note: If the -u parameter is omitted, the following prompt may appear: no server suitable for synchronization found
-u: Use an unprivileged source port to send the packets, which allows synchronizing with a host through a firewall.
The ideal approach is:
Use ntpd to calibrate the clock continuously instead of stepping the computer clock.
Use ntpdate to synchronize the time once, right after the computer has started and before many services are running.
1. Directly use commands to synchronize with the time server
Example:
Use ntpdate to synchronize:
ntpdate -u x.x.x.x
Here x.x.x.x can be the IP address of a public time server, or the address of the NTP server we build ourselves in the second section below.
You can also add a scheduled job for periodic synchronization:
1. crontab -e
2. */5 * * * * /usr/sbin/ntpdate -u x.x.x.x
3. /etc/init.d/crond restart
2. Here are several public time server addresses
Alibaba Cloud time servers: the timing signal comes from GPS and Beidou satellite signals, and an atomic clock keeps the time.
The following 7 domain names provide the service and you can use them directly.
time1.aliyun.com
time2.aliyun.com
time3.aliyun.com
time4.aliyun.com
time5.aliyun.com
time6.aliyun.com
time7.aliyun.com
Or use this address directly: time.pool.aliyun.com
# ntpdate -u time.pool.aliyun.com
13 Nov 10:48:28 ntpdate[26527]: adjust time server 182.92.12.11 offset 0.000458 sec
CentOS also has several time servers (it is better to use domestic ones):
0.centos.pool.ntp.org
1.centos.pool.ntp.org
2.centos.pool.ntp.org
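As an added example (not part of the original post), a small POSIX shell check that parses an ntpdate output line like the one above and reports whether the measured offset is below ntpd's default panic threshold of 1000 seconds, the self-protection limit mentioned earlier; the sample line and the function names are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: parse the "adjust time server ...
# offset N sec" line that ntpdate prints and compare |offset| with ntpd's
# default panic threshold (1000 s). A host whose offset is above it needs a
# one-off ntpdate step before ntpd will run.
PANIC_LIMIT=1000

# Constructed sample line, modelled on the ntpdate output shown above.
SAMPLE='13 Nov 10:48:28 ntpdate[26527]: adjust time server 182.92.12.11 offset 0.000458 sec'

# offset_seconds LINE -> prints |offset| in seconds; exit 1 if no offset found
offset_seconds() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "offset") { v = $(i + 1); found = 1 } }
        END { if (!found) exit 1; if (v < 0) v = -v; print v }'
}

# offset_within_panic LINE -> exit 0 if |offset| < PANIC_LIMIT, 1 otherwise
# (also 1 when the line carries no offset, so a parse failure is never "ok")
offset_within_panic() {
    off=$(offset_seconds "$1") || return 1
    awk -v o="$off" -v lim="$PANIC_LIMIT" 'BEGIN { exit (o + 0 < lim + 0) ? 0 : 1 }'
}

# Stand-alone usage: report on the sample line.
if offset_within_panic "$SAMPLE"; then
    echo "offset $(offset_seconds "$SAMPLE") s: ntpd can take over"
else
    echo "offset too large or unreadable: step the clock with ntpdate first"
fi
```

To check a live host, feed it the output of `ntpdate -q -u <server>`, which measures the offset without setting the clock.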
2. Self-built ntpd time synchronization server
NTP communication protocol principle
First, the host starts NTP.
The client sends a time adjustment request to the NTP server.
The NTP server then sends the current standard time to the client.
After the client receives the time from the server, it adjusts its own clock based on this information. In this way, network time synchronization is achieved.
The NTP daemon uses UDP port 123.
The level of the remote server (stratum):
Since NTP has a layered structure, there are top-level servers, multiple layers of relay servers, and finally clients.
So the server level can be set from 1 (highest) to 16 (lowest).
To reduce load and network congestion, in principle you should avoid connecting directly to a stratum 1 server.
1. Configure ntp server
Install
# yum install ntp
Enable automatic start at boot:
# chkconfig ntpd on
Modify the configuration file:
[root@test01 ~]# less /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
Records the drift between the system clock and the hardware (BIOS) clock.
Configure which machines are permitted to synchronize with this machine:
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Deny every operation by default:
for any IPv4 or IPv6 address, the server state cannot be modified, the trap (remote event logging) service is not provided, peering is not attempted, and ntpq status queries are refused.
restrict controls the related permissions.
The syntax is: restrict [client IP] mask [IP mask] [parameter]
The IP address can also be default, which refers to all IPs.
The parameters are as follows:
nomodify: The client cannot modify the time parameters of the server, but the client can still correct its own time through the server.
notrust: Reject clients without authentication.
noquery: The client cannot use ntpq or ntpdc to query the ntp server, that is, the server does not provide the time-query (proofreading) service.
notrap: Does not provide the trap remote-logging function; the trap service is a remote time-log service.
Refuses to provide the mode 6 control-message trap service to matching hosts. The trap service is a subsystem of the ntpq control-message protocol, used by remote event-logging programs.
nopeer: Prevents the host from trying to peer with the server.
kod: A KoD (Kiss-of-Death) packet is sent when access is violated, telling the unwelcome client to back off.
restrict -6 indicates the permission setting for IPv6 addresses.
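As an added example (not the post's own code), a POSIX shell/awk audit that reads an ntp.conf text and reports which of the flags discussed above are missing from each `restrict default` line; the sample config and function name are constructed, with a deliberately weak IPv4 line next to the hardened IPv6 line from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "restrict default"
# lines of an ntp.conf for the flags discussed above. A default line missing
# any of them leaves every host able to query status (noquery), peer (nopeer),
# change state (nomodify) or set traps (notrap), so each missing flag is listed.
REQUIRED="kod nomodify notrap nopeer noquery"

# Constructed sample: the IPv4 default line is weak, the IPv6 line is hardened.
SAMPLE_CONF='driftfile /var/lib/ntp/drift
restrict default nomodify
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.centos.pool.ntp.org iburst'

# missing_flags CONF_TEXT -> prints one "v4: flag ..." / "v6: flag ..." line per
# default restrict line that lacks flags; exit 1 if anything is missing, else 0.
# A line carrying "ignore" drops all packets, so nothing is missing there.
missing_flags() {
    printf '%s\n' "$1" | awk -v req="$REQUIRED" '
    BEGIN { n = split(req, want, " "); bad = 0 }
    $1 == "restrict" && ($2 == "default" ||
                         (($2 == "-4" || $2 == "-6") && $3 == "default")) {
        family = ($2 == "-6") ? "v6" : "v4"
        split("", have)                      # reset the flag set for this line
        for (i = 1; i <= NF; i++) have[$i] = 1
        if ("ignore" in have) next
        miss = ""
        for (i = 1; i <= n; i++) if (!(want[i] in have)) miss = miss " " want[i]
        if (miss != "") { print family ":" miss; bad = 1 }
    }
    END { exit bad }'
}

# Stand-alone usage: audit the sample and print the verdict.
if missing_flags "$SAMPLE_CONF"; then
    echo "all default restrict lines carry: $REQUIRED"
else
    echo "tighten the lines above before exposing the server"
fi
```

Against a real server run `missing_flags "$(cat /etc/ntp.conf)"`; it only inspects the default lines, so per-network `restrict` lines such as the 192.168.1.0 example below still need their own review.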
How to control the scope of clients
# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
The configuration above allows full access over the local loopback interface. It is best to tighten the permissions here, but that would affect some management functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
Configure more limited permissions for the local network:
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
Local and public time server synchronization options
Set the upstream NTP hosts (prefer marks the preferred host):
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
server host [key n] [version n] [prefer] [mode n] [minpoll n] [maxpoll n] [iburst]
Where host is the IP address or domain name of the upstream NTP server; the other parameters are:
◆ key: All messages sent to the server include authentication information generated with the secret key; n is a 32-bit integer that identifies the key.
◆ version: The NTP version number of messages sent to the upstream server; n is 3 by default and can be 1 or 2.
◆ prefer: Use this server preferentially.
◆ mode: Specifies the value of the mode field of the packets.
◆ minpoll: The minimum interval between queries to the server, 2 to the power of n seconds; n is 6 by default and the range is 4-14.
◆ maxpoll: The maximum interval between queries to the server, 2 to the power of n seconds; n is 10 by default and the range is 4-14.
◆ iburst: On the initial synchronization request, 8 packets are sent in a burst with an interval of 2 seconds.
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
When no external time source is available, use the local clock as the service time.
The local clock is represented by 127.127.1.0 and is given stratum 10.
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
The following are the encryption and authentication settings:
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats