[root@Centosszm ~]# date +%s
1364796931 #软件时钟,从1970/01/01开始计算总秒数
#硬件时钟,BIOS上记录(硬件)
时间同步协议:Network Time Protocol、Digital Time Synchronization Protocol(DTSS)
我国授时中心服务器的IP地址为:210.72.145.44
NTP是分层设计,最多15层
所需要的相关软件:
1.ntp:NTP服务主要软件
2.tzdata:Time Zone Data,提供各时区对应的显示格式
相关配置文件与数据库
1./etc/ntp.conf
2./usr/share/zoneinfo/:由tzdata提供,为各时区的时间格式对应文件
3./etc/sysconfig/clock:时区设置文件
4./etc/localtime:复制上面的时区文件到这里就是本地时间配置文件了
相关命令:
1./bin/date
2./sbin/hwclock:硬件时间的修改,date修改软件时间
3./usr/sbin/ntpd:
4./usr/sbin/ntpdate:时间校对
客户端修改时区文件:
[root@Centosszm ~]# date
Mon Apr 1 14:37:00 CST 2013
[root@Centosszm ~]# vim /etc/sysconfig/clock
ZONE="America/New_York"
[root@Centosszm ~]# cp /usr/share/zoneinfo/America/New_York /etc/localtime
[root@Centosszm ~]# date
Mon Apr 1 02:39:05 EDT 2013
1.利用restrict来管理权限控制
restrick [ip] mask [netmask_IP] [parameter] #没有写parameter为允许所有
ignore:
nomodify:禁止使用ntpc,ntpq修改服务器时间参数
noquery:禁止使用ntpc,ntpq查询服务器时间参数,相当于不提供NTP服务
notrap:不提供trap这个远程事件登录功能
notrust:拒绝没有认证的客户端
可以禁止所有再逐渐添加信任网络;
2.利用Server设置上层NTP服务器
server [ip|hostname] [prefer] #设置优先级
3.利用driftfile记录时间差异
driftfile [完整路径文件名]
文件不能是连接文件
ntpd对这个文件可写
数值单位为:ppm(百万分之一秒)
使用ntpd的owner是ntp
[root@Centosszm ~]# cat /etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -g"
4.客户端需认证
keys [key_file]
ntp-kengen
[root@Centosszm ~]# cat /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.168.179.0 mask 255.255.255.0 nomodify
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org
#server 1.centos.pool.ntp.org
#server 2.centos.pool.ntp.org
server 0.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
server 3.rhel.pool.ntp.org
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
[root@Centosszm ~]# /etc/init.d/ntpd start
Starting ntpd: [ OK ]
[root@Centosszm ~]# tail /var/log/messages
[root@Centosszm ~]# netstat -tlunp | grep ntp
udp 0 0 192.168.111.100:123 0.0.0.0:* 3522/ntpd
udp 0 0 172.16.128.211:123 0.0.0.0:* 3522/ntpd
udp 0 0 192.168.179.7:123 0.0.0.0:* 3522/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 3522/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 3522/ntpd
udp 0 0 fe80::20c:29ff:fe24:123 :::* 3522/ntpd
udp 0 0 fe80::20c:29ff:fe24:123 :::* 3522/ntpd
udp 0 0 ::1:123 :::* 3522/ntpd
udp 0 0 :::123 :::* 3522/ntpd
[root@Centosszm ~]# ntpstat
synchronised to NTP server (218.75.4.130) at stratum 3
time correct to within 547 ms
polling server every 64 s
#通常NTP后约15分钟内才会和上层NTP服务器顺利连接上。等这个结果等了我好久啊....TT
[root@Centosszm ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*Hshh.org 66.220.9.122 2 u 62 64 67 26.741 94.969 6.197
+dns1.synet.edu. 202.118.1.46 2 u 1 64 127 176.216 125.383 142.809
#*使用中上层 上层NTP地址
#+连接成功,候选
st:stratum阶层
when:上次更新时间
poll:下次更新时间
reach:已经更新次数
delay:网络延时时间
offset:时间补偿
jitter:Linux与BIOS差异时间,单位为10的-6次方秒;
注意的地方:
1.NTP服务器要和上层NTP连接,否则无法提供服务;
2.防火墙UDP123端口必须打开,否则也无法提供服务;
安全性设置:
[root@Centosszm ~]# iptables -A INPUT -i eth0 -p udp --dport 123 -s 192.168.179.0/24 -j ACCEPT
[root@Centosszm ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
客户端相关设置:
[root@szm ~]# date
Mon Apr 1 15:58:38 CST 2013
[root@szm ~]# date 040116002013 #设置成4月1日的16:00 2013年
Mon Apr 1 16:00:00 CST 2013
[root@szm ~]# hwclock #因为时区为东八,差8个小时
Mon 01 Apr 2013 04:00:26 PM CST -0.901812 seconds
[root@szm ~]# hwclock -w;hwclock -r;date
Mon 01 Apr 2013 04:02:32 PM CST -0.047943 seconds #w为写,r为读
Mon Apr 1 16:02:31 CST 2013
[root@Centosszm ~]# ntpdate
1 Apr 16:06:41 ntpdate[4193]: no servers can be used, exiting
注意:NTP服务器是不可以使用nptdate的,也就是ntpdate与ntpd不能同时启用;
客户端校对时间:
[root@szm ~]# ntpdate 192.168.179.7
1 Apr 16:07:52 ntpdate[8695]: step time server 192.168.179.7 offset 17.691761 sec
[root@szm ~]# hwclock -w;date
Mon Apr 1 16:08:46 CST 2013
客户端自动更新时间到硬件时间;
[root@szm ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
10 5 * * * root (/usr/sbin/ntpdate 192.168.179.7 && /sbin/hwclock -w) &>/etc/null
