ntp service configuration

Configure NTP time server under Redhat6.5

Some concepts you need to know before configuring the service:

[A lot of the whole article is borrowed from others, and a small part is written by myself, I hope it can be beneficial to everyone]

1. Time and time zone

If someone asks you what time it is, you look at your watch and tell him it's 8 pm. This answer doesn't seem to be a problem, but if the person asking is in Europe, your answer will confuse him, because the sun is still in the sky where he is.

 

This raises the problem of how to define time. Because the earth rotates once every 24 hours, sunrise and sunset happen at different times around the world. So we need time zones, that is, the world is divided into 24 different time zones. We can therefore understand a time as a time value plus the time zone of the location (note that the location can be as precise as a city)

 

We have all learned about Greenwich Mean Time (GMT) in geography class, which is the time of time zone 0. But what we usually see in computers is UTC, the abbreviation of Coordinated Universal Time. Although the values of UTC and GMT can be considered equal (with a fairly small error), UTC has been recognized as the international standard, so we should stick to the standard and only use UTC

 

So if the local time in China is 8 o'clock in the evening, we can have the following two representations

20:00 CST

12:00 UTC

 

The CST here is Chinese Standard Time, which is what we usually call Beijing time. Because China is in the UTC+8 time zone, the same moment is 12:00 UTC.

First, no matter what channel we use to synchronize the system time, the provider will usually give only the UTC+0 time value and no time zone (because it does not know where you are). So when we set the system time, setting the time zone is the first thing to do

Second, many countries have daylight saving time, that is, on a certain day of the year the clock is moved forward by one hour (for example, it changes from UTC+8 to UTC+9), and later it needs to be set back again in the same way. If we set the correct time zone, the system will automatically adjust the time for us when it needs to change

 

2. How to Set the Linux Time Zone

Under Linux, glibc provides many precompiled timezone files. They are placed in the directory /usr/share/zoneinfo, which covers most countries and cities.

# ls -F /usr/share/zoneinfo/

Africa/      Chile/   Factory    Iceland      Mexico/   posix/      Universal

America/     CST6CDT  GB         Indian/      Mideast/  posixrules  US/

Antarctica/  Cuba     GB-Eire    Iran         MST       PRC         UTC

Arctic/      EET      GMT        iso3166.tab  MST7MDT   PST8PDT     WET

Asia/        Egypt    GMT0       Israel       Navajo    right/      W-SU

Atlantic/    Eire     GMT-0      Jamaica      NZ        ROC         zone.tab

Australia/   EST      GMT+0      Japan        NZ-CHAT   ROK         Zulu

Brazil/      EST5EDT  Greenwich  Kwajalein    Pacific/  Singapore

Canada/      Etc/     Hongkong   Libya        Poland    Turkey

CET          Europe/  HST        MET          Portugal  UCT

Here we can find the time zone file of our city. Then if we want to view the current time for each time zone, we can use the zdump command

Code:

# zdump Hongkong

Hongkong  Fri Jul  6 06:13:57 2007 HKT

 

So how do we tell the system which time zone we are in? There are many methods, here are two

The first is to modify the file /etc/localtime, which defines the local time zone where we are located.

We can find our time zone file under /usr/share/zoneinfo and copy it to /etc/localtime (or make a symbolic link)

 

Suppose our current time zone is BST (that is, British summer time, UTC+1)

Code:

# date

Thu Jul 5 23:33:40 BST 2007

If we want to change the time zone to the time zone where Shanghai is located, we can do this

Code:

# ln -sf /usr/share/zoneinfo/posix/Asia/Shanghai /etc/localtime

# date

Fri Jul 6 06:35:52 CST 2007

In this way, the time zone has been changed (note that the time has also been adjusted accordingly)

 

3. Real Time Clock(RTC) and System Clock

 

When it comes to setting the time, another concept that needs to be clarified here is that we have two clocks on a computer: one is called the hardware time clock (RTC), and the other is called the system clock (System Clock).

 

The hardware clock refers to a special circuit embedded on the motherboard. It is the reason why the computer can keep track of the time while it is shut down.

The system clock is the clock used by the kernel of the operating system to calculate the time. It counts the number of seconds since January 1, 1970 00:00:00 UTC. Under Linux, the system time is synchronized with the hardware time at boot, and then the two run independently

 

So since the two clocks run alone, errors will inevitably occur over time. Let's look at an example.

Code:

# date

Fri Jul 6 00:27:13 BST 2007

# hwclock --show

Fri 06 Jul 2007 12:27:17 AM BST -0.968931 seconds

Through the hwclock --show command we can view the hardware time on the machine (always in local time zone), we can see that there is still a certain error between it and the system time, then we need to synchronize them

 

If we want to set the system clock from the hardware clock, we can run the following command

Code:

# hwclock --hctosys

Conversely, we can also write the system time to the hardware clock

Code:

# hwclock --systohc

Then if we want to set the hardware time, we can set it in the BIOS when booting. You can also use the hwclock command

Code:

# hwclock --set --date="mm/dd/yy hh:mm:ss"  

If you want to change the system time, it is easiest to use the date command

Code:

# date -s "mm/dd/yyyy hh:mm:ss"

 

Now we know how to set the system and hardware time. But what if neither of these two times is accurate? Then we need to find a server on the Internet that can provide accurate time and synchronize our system time with it through a protocol; this protocol is NTP. Note that the synchronization we will talk about next refers to synchronization between the system time and the network server.

 

1. Introduction to NTP Service

NTP (Network Time Protocol) is a protocol used to synchronize computer time. It can synchronize a computer with its server or clock source, and it can provide high-precision time correction.

2. The port used

 Default NTP service port:

 UDP/123

The NTP working mode configured in this article:

 Use the client/server method, which is suitable for a time server to receive time information from the upper-level time server and provide time information to the lower-level users.

3. Test environment:

NTPserver:222.24.24.21

NTPclient:222.24.24.19

 

Configuration Environment

Turn off selinux:

 

vi /etc/selinux/config

 

SELINUX=disabled

 

Close iptables:

 

service iptables stop

 

chkconfig iptables off

 

4. Install the NTP software package

 

Whether the NTP package has been installed can be determined with this command:

 

# rpm -qa | grep ntp

ntp-4.2.2p1-9.el5_4.1

If output like the above appears, the NTP package has been installed; otherwise use the following method to install it:

Code:

# rpm -ivh ntp-4.2.2p1-5.el5.rpm 

Or install with yum source

yum -y install ntp    # install the NTP service with yum

chkconfig --add ntpd  # add ntpd to the services managed by chkconfig

chkconfig ntpd on     # start the NTP service automatically at boot

The first step is to find NTP servers on the Internet that can provide us with synchronization services

http://www.pool.ntp.org is the official website of NTP, where we can find the NTP servers nearest to our city. NTP recommends that we find at least two NTP servers in order to ensure the accuracy of the time

Then, for example, in the UK, you can choose the following two servers

0.uk.pool.ntp.org

1.uk.pool.ntp.org

Its general format is number.country.pool.ntp.org [number, country, ntp server]

 

The second step is to synchronize once with these servers before starting the NTP server, so that the time of our machine is as close to the standard time as possible.

Here we can manually update the time with the ntpdate command

Code:

# ntpdate 0.uk.pool.ntp.org

6 Jul 01:21:49 ntpdate[4528]: step time server 213.222.193.35 offset -38908.575181 sec

# ntpdate 0.pool.ntp.org

6 Jul 01:21:56 ntpdate[4530]: adjust time server 213.222.193.35 offset -0.000065 sec

 

If your clock is far off, the first adjustment you see will be relatively large, so you can run it twice to be safe. So why run a manual synchronization before turning on the NTP service?

1. Because, according to the settings of NTP, if your system time is faster than the correct time, NTP will not adjust it for you, so either you set the time back, or you do a manual synchronization first

2. When your time is very different from the time of the NTP server, NTP will take a long time to adjust. Manual synchronization can reduce this time

 

5. Configure the NTP service

 

vi /etc/ntp.conf

***************************************************************

 

# For more information about this file, see the man pages

# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

 

driftfile /var/lib/ntp/drift

restrict default ignore # Set the default policy to deny all access requests

# Permit time synchronization with our time source, but do not

# permit the source to query or modify the service on this system.

restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery

 

# Permit all access over the loopback interface. This could

# be tightened as well, but to do so would effect some of

# the administrative functions.

restrict 127.0.0.1

restrict -6 ::1

 

# Hosts on local network are less restricted.

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap # Allow machines in the LAN to synchronize time

 

# Use public servers from the pool.ntp.org project.

# Please consider joining the pool (http://www.pool.ntp.org/join.html).

server 0.rhel.pool.ntp.org iburst

server 1.rhel.pool.ntp.org iburst #Set up synchronization server

server 2.rhel.pool.ntp.org iburst

server 3.rhel.pool.ntp.org iburst

server 210.72.145.44 #This is the IP of China National Timing Center

server 0.uk.pool.ntp.org

server 1.uk.pool.ntp.org

 

#broadcast 192.168.1.255 autokey # broadcast server

#broadcastclient # broadcast client

#broadcast 224.0.1.1 autokey # multicast server

#multicastclient 224.0.1.1 # multicast client

#manycastserver 239.255.254.254 # manycast server

#manycastclient 239.255.254.254 autokey # manycast client

 

restrict 0.centos.pool.ntp.org nomodify notrap noquery

restrict 1.centos.pool.ntp.org nomodify notrap noquery # Allow time synchronization with the upper server

restrict 2.centos.pool.ntp.org nomodify notrap noquery

 

# Undisciplined Local Clock. This is a fake driver intended for backup

# and when no outside source of synchronized time is available.

server 127.127.1.0 # local clock #When the external synchronization source cannot be contacted, use the local time as the synchronization service

fudge 127.127.1.0 stratum 0 #stratum This line is the stratum of the time server. Set to 0 to be the top level, if you want to update the time to another NTP server, please do not set it to 0

 

# Enable public key cryptography.

#crypto

 

includefile /etc/ntp/crypto/pw

 

# Key file containing the keys and key identifiers used when operating

# with symmetric key cryptography.

keys /etc/ntp/keys

 

# Specify the key identifiers which are trusted.

#trustedkey 4 8 42

 

# Specify the key identifier to use with the ntpdc utility.

#requestkey 8

 

# Specify the key identifier to use with the ntpq utility.

#controlkey 8

 

# Enable writing of statistics records.

#statistics clockstats cryptostats loops

 

 

6. Check the running status of the NTP service

 

Now we have started the NTP service, but is our system time synchronized with the server? NTP provides a good viewing tool for this: ntpq (NTP query)

 

I suggest running the ntpq command to monitor the server after starting the NTP service. Here we can use the watch command to view how the server's values change over a period of time

Code:

# watch ntpq -p

Every 2.0s: ntpq -p                                  Sat Jul  7 00:41:45 2007

 

     remote           refid      st t when poll reach   delay   offset  jitter

==============================================================================

+193.60.199.75   193.62.22.98     2 u   52   64  377    8.578   10.203 289.032

*mozart.musicbox 192.5.41.41      2 u   54   64  377   19.301  -60.218 292.411

 

Now let me explain what it means

 

remote: The remote NTP server that the local machine is connected to

refid: The server that provides time synchronization to the remote server (eg 193.60.199.75)

st: The stratum level of the remote server. Since NTP is a hierarchical structure, there are top servers, multi-layer Relay Servers and then the clients. So the server can be set from high to low level from 1-16. To reduce load and network congestion, in principle, direct connections to servers with level 1 should be avoided.

t: This...I don't know what it means ^_^

when: I personally understand it as a timer to tell us how long the local machine needs to synchronize with the remote server

poll: How often the local machine and the remote server are synchronized (in seconds). When NTP first starts running, the poll value is relatively small, so synchronization with the server is more frequent and the time can be brought into the correct range as soon as possible. After that, the poll value gradually increases, and the frequency of synchronization decreases accordingly.

reach: This is an octal value used to test whether the server can be reached. Its value will increase for each successful connection

delay: The round trip time of a synchronization request from the local machine to the server

offset: This is the most critical value. It tells us the time difference between the local machine and the server. The closer the offset is to 0, the closer we are to the server's time

jitter: This is a value used for statistics. It measures the distribution of offsets over a specific number of consecutive connections. Simply put, the smaller the absolute value, the more accurate our time is relative to the server.

 

If you look carefully, you will notice two questions: First, why do the remote servers shown differ from 0.uk.pool.ntp.org, the server we configured? Second, what do the + and * at the front mean?

The first question is not difficult to understand: NTP provides us with a cluster of servers, so the server obtained by each connection may be different. It also tells us that we should use the hostname instead of the IP address when specifying an NTP server

The second question is related to the first one. Since there are so many servers, the others can still serve us normally when one of them has a problem. So how do we know the status of these servers? This is what the leading symbol on each line tells us

 

* It tells us that the remote server has been confirmed as our main NTP Server, and our system's time will be provided by this machine

+ It will act as a secondary NTP server to provide synchronization services for us together with the server marked with *. It can take over when the server marked with * is unavailable

- The remote server is considered to be an unqualified NTP Server by the clustering algorithm

x The remote server is unavailable

 

After understanding this, we can monitor the time synchronization status of our system in real time.
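The columns and leading symbols described above can also be decoded by a script. The following Python code is an added example, not part of the original article: it parses ntpq -p output and shows that reach is an 8-bit history of the last polls printed in octal, so 377 means the last eight polls were all answered. The sample embeds the two peer lines shown above plus two constructed peers (documentation addresses); the 128 ms alert threshold and the function names are assumptions.

```python
"""Decode `ntpq -p` peer lines: tally code, reach register, basic health."""

# Constructed sample: the two peer lines from the article plus two made-up
# peers (documentation addresses) showing a rejected and a silent server.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+193.60.199.75   193.62.22.98     2 u   52   64  377    8.578   10.203 289.032
*mozart.musicbox 192.5.41.41      2 u   54   64  377   19.301  -60.218 292.411
-192.0.2.10      198.51.100.7     3 u   40   64  125   35.100  210.500  12.000
 192.0.2.20      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

TALLY = {"*": "system peer", "+": "candidate", "-": "rejected by clustering",
         "x": "falseticker", " ": "not selected"}
PEER_TYPE = {"u": "unicast", "b": "broadcast", "l": "local reference clock"}
MAX_OFFSET_MS = 128.0  # assumed alert threshold, not a value from the article


def parse_peers(text):
    """Return one dict per peer line of `ntpq -p` output."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()  # column 0 holds the tally character
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator or blank line
        remote, refid, st, typ, when, poll, reach, delay, offset, jitter = fields
        reg = int(reach, 8)  # 8-bit shift register, printed in octal
        peers.append({
            "tally": TALLY.get(line[0], "other"),
            "remote": remote,
            "stratum": int(st),
            "type": PEER_TYPE.get(typ, typ),
            "reach": reg,
            "history": format(reg, "08b"),  # rightmost bit = latest poll
            "answered": bin(reg).count("1"),
            "offset_ms": float(offset),
        })
    return peers


def assess(peer):
    """List the reasons a peer deserves attention (empty list = healthy)."""
    notes = []
    if peer["reach"] == 0:
        notes.append("no reply in the last 8 polls")
    elif peer["reach"] != 0o377:
        notes.append("%d of the last 8 polls answered" % peer["answered"])
    if peer["stratum"] >= 16:
        notes.append("stratum 16: server is not synchronized")
    if abs(peer["offset_ms"]) > MAX_OFFSET_MS:
        notes.append("offset above %.0f ms" % MAX_OFFSET_MS)
    return notes


def system_peer(peers):
    """Name of the server marked '*', or None if nothing is selected yet."""
    for peer in peers:
        if peer["tally"] == "system peer":
            return peer["remote"]
    return None


if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(p["remote"], p["tally"], p["history"], assess(p))
```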

 

7. NTP security settings

 

Running an NTP Server does not require a lot of system resources, so there is no need to configure an independent server to provide time synchronization services to many clients, but some basic security settings are still necessary.

So a very simple idea here is that firstly, we only allow some users in the local area network to connect to our server. The second is that these clients cannot modify the time on our server

 

About the permission setting section

The setting of permissions is mainly set by the parameter restrict. The main syntax is:

restrict <IP address> mask <subnet mask> <parameter>

Where IP can be an IP address or default, default refers to all IPs

The parameters are as follows:

ignore : Turn off all NTP online services

nomodify: The client cannot change the time parameters of the server, but the client can perform network time calibration through the server.

notrust : This client origin will be treated as a non-trust subnet unless the client is authenticated

noquery : do not provide client-side time queries

Note: If the parameter is not set, it means that the IP (or subnet) has no restrictions!

 

In the /etc/ntp.conf file we can use the restrict keyword to configure the above requirements

 

First we deny all operations to the default client

Code:

restrict default kod nomodify notrap nopeer noquery

 

Then allow all operations on the local address

Code:

restrict 127.0.0.1

 

Finally, we allow all clients in the LAN to connect to this server to synchronize time. But refuse to let them modify the time on the server

Code:

restrict 192.168.1.0 mask 255.255.255.0 nomodify

 

Adding these three items to /etc/ntp.conf completes our simple configuration. NTP can also use key for authentication, which will not be described in detail here.
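One way to check an ntp.conf against the three rules above, as an added Python example (not from the original article or the NTP project): it flags restrict entries that carry no flags, non-loopback entries that lack nomodify, and more than one restrict default line per address family. WEAK_CONF reuses lines from this article's ntp.conf plus two constructed ones, HARDENED_CONF is the three-line policy of this section, and the function names are hypothetical.

```python
"""Audit the `restrict` lines of an ntp.conf against the policy in section 7."""
import ipaddress

# Constructed sample. Lines 1-5 appear in this article's ntp.conf; line 6 is
# the LAN entry with its flags removed and line 7 is made up.
WEAK_CONF = """\
restrict default ignore
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0
restrict 10.0.0.0 mask 255.0.0.0 notrap
"""

# The three lines the article ends up with in section 7.
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify
"""

def parse_restrict(line):
    """Split one config line into family, address and flag set."""
    tokens = line.split("#", 1)[0].split()  # drop trailing comments
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    family = "ipv6" if tokens[0] == "-6" else "ipv4"
    if tokens[0] in ("-4", "-6"):
        tokens = tokens[1:]
    if not tokens:
        return None
    addr, tokens = tokens[0], tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "mask":
        tokens = tokens[2:]  # skip the netmask, what remains are flags
    return {"family": family, "addr": addr, "flags": set(tokens)}

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "default" or a hostname
        return False

def audit(conf_text):
    """Return a list of findings; an empty list means the policy holds."""
    findings, defaults = [], {}
    for n, line in enumerate(conf_text.splitlines(), 1):
        r = parse_restrict(line)
        if r is None or is_loopback(r["addr"]):
            continue  # not a restrict line, or loopback (allowed everything)
        flags, where = r["flags"], "line %d (%s)" % (n, r["addr"])
        if r["addr"] == "default":
            defaults.setdefault(r["family"], []).append(n)
            if "ignore" not in flags and not {"nomodify", "noquery"} <= flags:
                findings.append(where + ": default lacks nomodify/noquery")
        elif not flags:
            findings.append(where + ": no flags, so no restrictions apply")
        elif not flags & {"ignore", "nomodify"}:
            findings.append(where + ": missing nomodify")
    for family, lines in sorted(defaults.items()):
        if len(lines) > 1:
            findings.append("%s: %d 'restrict default' lines, keep one"
                            % (family, len(lines)))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONF)))
```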

 

8. NTP client settings

 

At this point, we already have our own Relay Server. If we want other clients in the LAN to synchronize time, we should build another Relay Server as well, and then point all clients to these two servers (be careful not to point all clients to servers on the Internet). Just add your own servers to the client's /etc/ntp.conf

Code:

server ntp1.leonard.com

server ntp2.leonard.com

 

LINUX client use

ntpdate 172.30.218.114

to synchronize your time with the NTP server

If another Linux machine acts only as a client, the ntpd service must not be started on it! Otherwise, ntpdate <server address> cannot be run to synchronize the time

After that, you can use cron or modify the crontab file to periodically update the time from the NTP server, and use

# hwclock --systohc

to write the system time to the hardware clock

 

 9. Some supplements (very important)

 

1. What is the driftfile in the configuration file?

Every system clock has a small frequency error, which is why a machine's time becomes inaccurate after running for a while. NTP automatically monitors the error of our clock and corrects for it. But this is a tedious process, so it writes the recorded error into the driftfile. That way, even if you restart the computer, the previous calculation results are not lost.

 

2. How to synchronize the hardware clock?

NTP generally only synchronizes the system clock. But if we also want to synchronize the RTC (hwclock), then just turn on the following options

Code:

# vi /etc/sysconfig/ntpd

SYNC_HWCLOCK=yes

 

3. Use crontab to let LINUX NTP regularly update the time

Note: When Linux runs ntpdate to update the time, the NTP service must not be running on it, otherwise ntpdate will report that the port is occupied, as follows:

[root@ESXI ~]# ntpdate 1.rhel.pool.ntp.org                                 

20 May 09:34:14 ntpdate[6747]: the NTP socket is in use, exiting

 

Brief description of crontab file configuration

The first part of each line is the time setting, and the latter part is the command to be executed. There is a convention for the time setting: the first five * signs stand for five numbers, whose value ranges and meanings are as follows:

Minute (0-59)

Hour (0-23)

Day of month (1-31)

Month (1-12)

Day of week (0-6), where 0 means Sunday

In addition to numbers, there are several special symbols: "*", "/", "-" and ",". "*" represents all numbers within the range of values, "/" means "every", so "*/5" means every 5 units, "-" means from one number to another, and "," separates several discrete numbers. Here are a few examples:

Every morning at 6 am:

0 6 * * *  command

Every two hours:

0 */2 * * *  command

Every two hours between 11 pm and 8 am, and at 8 am:

0 23-7/2,8 * * * command

4th of every month and every Monday to Wednesday at 11:00 am:

0 11 4 * 1-3 command

January 1st at 4 a.m.:

0 4 1 1 * command

 

3.3. Set the service to automatically start at boot

Run setup or other service setting tools and check the crond service

chkconfig --level 2345 crond on

This defines that crond is enabled at these system run levels (this is the default setting after the system is installed)

__________________________________________

 

10. NTP client settings

 

1. LINUX automatically synchronizes time as a client

If you want to perform time calibration regularly, you can use the crond service to execute it regularly.

Edit the /etc/crontab file

Add the following line:

 

30 8 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w #192.168.0.1 is the IP address of the NTP server

Then restart the crond service

service crond restart

In this way, the Linux system will automatically perform network time calibration at 8:30 every day.

 

11. Windows needs two services running: the Windows Time service and RPC

If error 1058 is reported when starting the Windows Time service, do the following

1. Run cmd to enter the command line, then type

w32tm /register to register

The correct response is: W32Time successfully registered.

 

2. If the previous step is correct, start the service with net start "windows time" or net start w32time.

 

13. Other reasons for the failure to update successfully:

1. The client's date must be set correctly and must not differ from the correct time by more than 24 hours, otherwise the update will be rejected for security reasons. Secondly, the client's time zone must be set, so that it is not updated to the time of another time zone.

2. fudge 127.127.1.0 stratum 10: if Linux is used as the NTP server, the stratum (level) value should not be too large. If you want to update from a superior NTP server, you can set it to 2

3. The Linux NTP server must remember to write the time obtained from the superior NTP server from the system clock to the hardware clock: hwclock --systohc

     NTP generally only synchronizes the system clock. But if we also want to synchronize the RTC (hwclock), then just turn on the following options

      Code:

      # vi /etc/sysconfig/ntpd

      SYNC_HWCLOCK=yes

4. If the NTP service is running on Linux, you cannot manually run ntpdate to update the time (it will report that the port is occupied); the time can only be updated automatically from the upper-level NTP server at certain intervals, using the server addresses given in the server fields of /etc/ntp.conf. You can run the command ntpstat to view the interval between updates, such as:

[root@ESXI ~]# ntpstat

synchronised to NTP server (210.72.145.44) at stratum 2 #This NTP server has a stratum of 2 and has been synchronized to 210.72.145.44 NTP

   time correct to within 93 ms #time correct to within 93ms

   polling server every 1024 s #The time will be updated by polling the upper NTP every 1024 seconds 
