NTP server knowledge consolidation

1. What is GMT (Greenwich Mean Time) and what is UTC?

GMT takes the moment the sun passes over Greenwich as its reference: the Earth is divided into 24 time zones counted from Greenwich Mean Time, so Taiwan's local time is GMT + 8 hours. It is not precise, but it is easy to remember and understand.
UTC is calculated from physical clocks using the "atomic oscillation period", and is the most accurate.
Because the two count time in different ways, GMT and UTC can differ by almost 16 minutes!

2. Suppose you are going to spend a month in New York in the United States; the time there will be different! How do you adjust the time zone parameters by hand?

The time zone data files live under /usr/share/zoneinfo, and the zone file for New York is /usr/share/zoneinfo/America/New_York in that directory. The time zone setting is kept in /etc/sysconfig/clock, and the zone currently in effect is /etc/localtime, so you should do:

[root@www ~]# date
Thu Jul 28 15:08:39 CST 2011         <== the point is the CST time zone!
[root@www ~]# vim /etc/sysconfig/clock
ZONE="America/New_York"              <== this is what gets changed!
[root@www ~]# cp /usr/share/zoneinfo/America/New_York /etc/localtime
[root@www ~]# date
Thu Jul 28 03:09:21 EDT 2011         <== both the time zone and the time have changed!
3. NTP service configuration file parameters explained.
  • restrict: manages access control
restrict [your IP] mask [netmask_IP] [parameter]

The main values of parameter are:

  1. ignore: reject all types of NTP connection;
  2. nomodify: the client cannot use ntpc or ntpq to modify the server's time parameters, but it can still synchronise its time through this host;
  3. noquery: the client cannot use ntpq, ntpc or similar commands to query the server's time, which amounts to not providing NTP time correction over the network;
  4. notrap: do not provide the remote event logging (trap) function;
  5. notrust: deny clients that are not authenticated;
  6. kod: send Kiss-of-Death packets to unsafe visitors [1];
  7. nopeer: provide time service, but do not act as a peer with the host; this stops a fraudulent server from controlling the clock.

If you add no parameter at all, it means "no restriction whatsoever on this IP or network"! In general, we turn off all NTP permissions by default and then open them up only for the network segments that are allowed.

Common configuration is as follows:

# 1. Deny all operations for the default client
restrict default kod nomodify notrap nopeer noquery      <== deny IPv4 users
restrict -6 default kod nomodify notrap nopeer noquery   <== deny IPv6 users
# 2. Enable the internal loopback interface lo, i.e. allow the local host to do everything
restrict 127.0.0.1                                       <== these two are defaults; allow local sources
restrict -6 ::1
# 3. Allow the upper-layer time servers to adjust this host's time
restrict 220.130.158.71                                  <== allow tock.stdtime.gov.tw into this NTP server
restrict 59.124.196.83                                   <== allow tick.stdtime.gov.tw into this NTP server
restrict 59.124.196.84                                   <== allow time.stdtime.gov.tw into this NTP server
# 4. Allow sources from a network segment
restrict 192.168.100.0 mask 255.255.255.0 nomodify       <== allow the LAN source
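The restrict flags above are easy to get wrong on a real server, so here is an added audit script (my own example, not part of the original post) that checks both the IPv4 and IPv6 "restrict default" lines of an ntp.conf for the five recommended flags. The two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "restrict default" lines of an
# ntp.conf for the access-control flags the article's recommended default line carries.
REQUIRED_FLAGS="kod nomodify notrap nopeer noquery"
# missing_default_flags <ntp.conf>: prints one "<family> <flag>" line per recommended flag
# absent from the IPv4 or IPv6 "restrict default" line ("<family> no-default-line" when the
# line is missing altogether); prints nothing when both lines are hardened.
missing_default_flags() {
    conf="$1"
    for fam in 4 6; do
        if [ "$fam" = 4 ]; then pat='^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)'
        else pat='^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default([[:space:]]|$)'; fi
        line=$(grep -E "$pat" "$conf" | head -n 1 | tr '\t' ' ')
        line=${line%%#*}                       # drop a trailing comment
        if [ -z "$line" ]; then
            echo "ipv$fam no-default-line"     # no default restriction = open to everyone
            continue
        fi
        for flag in $REQUIRED_FLAGS; do
            case " $line " in
                *" $flag "*) ;;                # flag present
                *) echo "ipv$fam $flag" ;;
            esac
        done
    done
}
# count_missing_default_flags <ntp.conf>: how many lines missing_default_flags prints
count_missing_default_flags() { missing_default_flags "$1" | awk 'END { print NR }'; }
# write_sample_confs <dir>: two constructed sample files, weak.conf and hardened.conf
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
restrict default nomodify notrap   # no kod, nopeer or noquery, and no IPv6 line at all
restrict 127.0.0.1
EOF
    cat > "$1/hardened.conf" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.100.0 mask 255.255.255.0 nomodify
EOF
}
SAMPLE_DIR=$(mktemp -d)
write_sample_confs "$SAMPLE_DIR"
for f in weak hardened; do
    echo "== $f.conf: $(count_missing_default_flags "$SAMPLE_DIR/$f.conf") flag(s) missing"
    missing_default_flags "$SAMPLE_DIR/$f.conf"
done
```

Point missing_default_flags at /etc/ntp.conf on a real host to get the same report for it.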
  • server: sets the upper-layer NTP server this host uses
server [IP or hostname] [key n] [version n] [prefer] [mode n] [minpoll n] [maxpoll n] [iburst]
  1. host: the IP address or domain name of the upper-layer NTP server.
  2. key: indicates that all packets sent to this server carry authentication information encrypted with a secret key; n is a 32-bit integer giving the key number.
  3. version: the version number of the packets sent to the upper-layer server; n defaults to 3 and may be 1 or 2.
  4. prefer: if several server lines are present, the server carrying this parameter is used preferentially.
  5. mode: specifies the value of the mode field in the datagram.
  6. minpoll: specifies the minimum interval between queries to the server as 2 to the power of n seconds; n defaults to 6 and ranges from 4 to 14.
  7. maxpoll: specifies the maximum interval between queries to the server as 2 to the power of n seconds; n defaults to 10 and ranges from 4 to 14.
  8. iburst: on the initial synchronisation request, send a burst of eight packets in a row at 2-second intervals.

Common configuration is as follows:

# 5. A default internal clock source, used to serve LAN clients when there is no external NTP server
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# 6. Define the upper-layer NTP servers to use
server 220.130.158.71 iburst minpoll 5 maxpoll 10  prefer  <== this host has the highest priority
server 59.124.196.83  iburst minpoll 5 maxpoll 10
server 59.124.196.84  iburst minpoll 5 maxpoll 10
  • driftfile: records the clock frequency error
driftfile [directory and file that ntpd can write to]

Because an NTP server by default keeps time from the oscillation frequency of the BIOS clock chip, and that value is not necessarily consistent with the upper-layer time server, ntpd automatically compares our own frequency against the upper-layer time server's and records the error between the two frequencies in the file whose full name follows driftfile!
About the file name you need to know:

  1. driftfile must be followed by the full path of the file;
  2. it must be a regular file, not a link;
  3. the file permissions must allow the ntpd daemon to write it;
  4. the value recorded in the file is in parts per million (ppm).

The file named after driftfile is updated automatically by ntpd, so its permissions must let ntpd write it. In the default NTP server on CentOS 6.x, ntpd runs as the user ntp; you can confirm this in /etc/sysconfig/ntpd!

Common configuration is as follows:

driftfile /var/lib/ntp/drift 
  • keys [key_file]

Besides limiting client connections with restrict, we can also authenticate clients through a key system, which lets the host rest easier. Refer to the ntp-keygen manual for instructions.

  • Other configuration
pidfile   /var/run/ntpd.pid     <== process id file
logfile   /var/log/ntp.log      <== log file
service   192.168.75.132        <== listening address
4. Firewall settings

The ntpd daemon listens on port 123 (UDP packets), so open that port:

[root@www ~]# vim /usr/local/virus/iptables/iptables.allow
iptables -A INPUT -i eth0 -p udp -s 192.168.100.0/24 --dport 123 -j ACCEPT
5. Starting NTP and observing it

After setting up ntp.conf you can start the NTP server. Start it and observe as follows:

# 1. Start NTP
[root@www ~]# /etc/init.d/ntpd start
[root@www ~]# chkconfig ntpd on
[root@www ~]# tail /var/log/messages     <== check for errors yourself
# 2. Look at the ports that were opened:
[root@www ~]# netstat -tlunp | grep ntp
Proto Recv-Q Send-Q Local Address           Foreign Address         PID/Program name
udp        0      0 192.168.100.254:123     0.0.0.0:*               3492/ntpd
udp        0      0 192.168.1.100:123       0.0.0.0:*               3492/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*               3492/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*               3492/ntpd
udp        0      0 ::1:123                 :::*                    3492/ntpd
udp        0      0 :::123                  :::*                    3492/ntpd
# mainly UDP packets, on port 123!

This means our NTP server has started, but connecting to the upper-layer NTP servers takes some time; it is usually about 15 minutes after starting before NTP connects successfully to the upper-layer NTP servers.

Wait a few minutes, then check with the following command:

[root@www ~]# ntpstat
synchronised to NTP server (220.130.158.71) at stratum 3
   time correct to within 538 ms
   polling server every 128 s

This command shows whether our NTP server has connected to the upper layer. From the output we can see that the time is correct to within about 538 * 10^(-3) seconds (538 ms), and that it actively polls the server every 128 seconds!

[root@www ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*tock.stdtime.go 59.124.196.87    2 u   19  128  377   12.092   -0.953   0.942
+59-124-196-83.H 59.124.196.86    2 u    8  128  377   14.154    7.616   1.533
+59-124-196-84.H 59.124.196.86    2 u    2  128  377   14.524    4.354   1.079

ntpq -p lists the current state of our NTP server relative to the upper-layer NTP servers; the fields mean:

  1. remote: the IP or host name of the NTP host. Note the symbol at the far left [2];
  2. refid: the address of the upper-layer NTP host that this host references;
  3. st: the stratum level;
  4. when: how many seconds ago the last synchronisation update was done;
  5. poll: how many seconds until the next update;
  6. reach: the number of updates that have been requested from the upper-layer NTP server;
  7. delay: the network transmission delay, in units of 10^(-3) seconds, i.e. milliseconds;
  8. offset: the time compensation result, in units of 10^(-3) seconds, i.e. milliseconds;
  9. jitter: the difference between the Linux system time and the BIOS hardware time, in units of 10^(-3) seconds, i.e. milliseconds.

These differences are less than 0.001 seconds, which is good enough for general use. In addition, you can check the difference between the BIOS time and the Linux system time in /var/lib/ntp/drift; its contents tell you how far apart the Linux system clock and the BIOS hardware clock are.
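Reading ntpq -p by eye does not scale across many hosts, so here is an added health check (my own example, not from the original post) that turns the field meanings above into a script: it reports the peer marked "*", flags peers whose reach is not 377 or whose offset exceeds a limit, and fails when no peer has been selected. The first sample is the article's listing; the second is a constructed listing for a daemon that has just started.

```shell
#!/bin/sh
# Added example, not from the original post: a health check over "ntpq -p" output,
# built on the field meanings above. Both samples are constructed; the first reproduces
# the article's listing, the second a daemon that started a moment ago (reach=1, no "*").
NTPQ_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*tock.stdtime.go 59.124.196.87    2 u   19  128  377   12.092   -0.953   0.942
+59-124-196-83.H 59.124.196.86    2 u    8  128  377   14.154    7.616   1.533
+59-124-196-84.H 59.124.196.86    2 u    2  128  377   14.524    4.354   1.079'
NTPQ_STARTUP='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 tock.stdtime.go 59.124.196.87    2 u    3   64    1   12.092   -0.953   0.942'

# sys_peer <ntpq output>: prints the host carrying the "*" tally (the peer ntpd currently
# takes time from); prints nothing when no peer has been selected yet.
sys_peer() {
    printf '%s\n' "$1" | awk 'substr($0, 1, 1) == "*" { print substr($1, 2) }'
}

# check_peers <ntpq output> <max |offset| in ms>: one line per peer that has not answered
# all of the last eight polls (reach != 377) or whose offset exceeds the limit;
# returns 0 when every peer is clean, 1 otherwise.
check_peers() {
    printf '%s\n' "$1" | awk -v max="$2" '
        NR <= 2 { next }                               # header and separator lines
        {
            host = $1                                  # column 1 is tally char + remote
            if (substr($0, 1, 1) != " ") host = substr(host, 2)
            reach = $7; off = $9 + 0; if (off < 0) off = -off
            if (reach != "377") { print host " reach=" reach; bad++ }
            if (off > max)      { print host " offset=" $9 "ms"; bad++ }
        }
        END { exit (bad > 0) }'
}

# ntp_health <ntpq output> <max |offset| in ms>: fails when there is no system peer
# or when check_peers finds a problem.
ntp_health() {
    peer=$(sys_peer "$1")
    if [ -z "$peer" ]; then echo "not synchronised: no peer marked *"; return 1; fi
    echo "system peer: $peer"
    check_peers "$1" "$2"
}

ntp_health "$NTPQ_SYNCED" 10  || echo "-> synced sample failed"
ntp_health "$NTPQ_SYNCED" 5   || echo "-> one peer is over the 5 ms limit"
ntp_health "$NTPQ_STARTUP" 10 || echo "-> give ntpd a few more minutes"
```

On a live host, replace the sample with `ntp_health "$(ntpq -p)" 10` to use the same check.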

6. How clients update their time
  • Modifying the BIOS record
[root@clientlinux ~]# hwclock [-rw]
Options and parameters:
-r : read, i.e. read out the current time held in the BIOS;
-w : write, i.e. write the current Linux system time into the BIOS!

# 2. Look at the BIOS time, then write the changed time into it!
[root@clientlinux ~]# date; hwclock -r
Thu Jul 28 16:34:00 CST 2011
Thu 28 Jul 2011 03:34:57 PM CST  -0.317679 seconds
# Look: the difference is about an hour, right? That is the BIOS time!
[root@clientlinux ~]# hwclock -w; hwclock -r; date
Thu 28 Jul 2011 04:35:12 PM CST  -0.265656 seconds
Thu Jul 28 16:35:11 CST 2011
# Written! Now the software clock and the hardware clock are in sync. Simple, right?
  • Time synchronisation with ntpdate

[root@clientlinux ~]# ntpdate [-dv] [NTP IP/hostname]
Options and parameters:
-d : enter debug mode, which shows more useful information;
-v : show more messages.
[root@clientlinux ~]# ntpdate 192.168.100.254
28 Jul 17:19:33 ntpdate[3432]: step time server 192.168.100.254 offset -2428.396146 sec
# The end of the line shows how much the time was adjusted (offset); this host's time was far off, hence that many seconds...
[root@clientlinux ~]# date; hwclock -r
四7月28 17:20:27 CST 2011
西元2011年07月28日(周四) 18时19分26秒  -0.752303 seconds
# See what this is telling you? Right: you still have to run hwclock -w to write the time into the BIOS!
[root@clientlinux ~]# vim /etc/crontab
# add this line!
10 5 * * * root (/usr/sbin/ntpdate tock.stdtime.gov.tw && /sbin/hwclock -w) &> /dev/null
  • Updating time with the NTP service

ntpdate is only for the case where the NTP service is not running. If you have many machines, it is best to start the NTP service on the clients as well, so that they update their time through NTP on their own.

[root@clientlinux ~]# ntpdate 192.168.100.254
# Because ntpd does not allow the time difference between server and client to exceed 1000 seconds,
# you must first synchronise the time manually, then configure and start the time service!
[root@clientlinux ~]# vim /etc/ntp.conf
#server 0.centos.pool.ntp.org
#server 1.centos.pool.ntp.org
#server 2.centos.pool.ntp.org
restrict 192.168.100.254     <== allow the server source!
server 192.168.100.254       <== this is the server!
# Simple: comment out the original server entries and add the server we want
[root@clientlinux ~]# /etc/init.d/ntpd start
[root@clientlinux ~]# chkconfig ntpd on

Then remove the crontab update, and your client will update from the NTP server on its own.


  1. KOD (Kiss-of-Death) is a new access-control technique proposed in NTPv4, mainly used for server access control and for reporting status and other information to clients. Once KOD is enabled on the server, the server sends a DENY or RATE kiss code to the client according to the system's operating state. When the client receives a DENY kiss code, it drops all connections to the server and stops sending messages to it. When the client receives a RATE kiss code, it immediately shortens its polling interval to the server, and each further RATE kiss code received shortens the polling interval again.

  2. The symbol at the far left of the remote column: "*" marks the NTP server currently in use; "+" means the server is connected and is a candidate for the next update.



Author: small operation and maintenance
Link: https://www.jianshu.com/p/98a889b0412e
Source: Jianshu
Copyright belongs to the author. For commercial reprints please contact the author for authorisation; for non-commercial reprints please indicate the source.

Origin www.cnblogs.com/studio313/p/11783817.html