linux下NTP服务

1. NTP安装

• 搭建环境两台redhat6.5主机，通过网络10.83.250.0/23连接互通， server 10.83.250.5
  client 10.83.250.4
• 查询NTP安装版本状态

[root@localhost ~]# rpm -qa | grep ntp
fontpackages-filesystem-1.41-1.1.el6.noarch
ntpdate-4.2.6p5-1.el6.x86_64
ntp-4.2.6p5-1.el6.x86_64
如果没安装信息先下载cp到本机进入安装目录安装
rpm -i ntpdate-4.2.6p5-1.el6.x86_64.rpm
rpm -i ntp-4.2.6p5-1.el6.x86_64.rpm

2. 配置文件

• 备份配置文件,先拷贝一份做备份

cp /etc/ntp.conf /etc/ntp.conf.bak 

• sever配置文件

[root@NTP-server ~]# vi /etc/ntp.conf 
###server config### 
server 202.108.6.95
server 202.112.29.82
server cn.ntp.org.cn
server 127.127.1.0 #同步本机clock 时钟；
driftfile /etc/ntp/drift   #记录clock 与 bios 事件偏差；
broadcastdelay 0.008   #
#权限控制 
restrict 0.0.0.0 nomodify notrap noquery  #不允许该网络client 修改、登陆、及时间查询，但可以较时；
restrict 0.0.0.0 mask 0.0.0.0 nomodify notrap  #允许向该网络的client提供NTP服务； 
#restrict default ignore#默认允许任何主机进行时间同步；
#确保localhost权限足够；
restrict 127.0.0.1
restrict  -6 ::1

#level number 
fudge 127.127.1.1 stratum 2  #如果远程server地址不可用，ntp客户端会同步自身clock时间；

#ntp log path  
statsdir /var/log/ntp/   #状态日志路径

#ntp log file  
logfile /var/log/ntp/ntp.log   #日志文件

includefile /etc/ntp/crypto/pw  #开机启动

keys /etc/ntp/keys #签名验证` 

• client配置文件

[root@NTP-client ~]# vi /etc/ntp.conf
###client config
#fast ntp server
server 10.83.250.5
server 127.127.1.0

#store last time
driftfile /etc/ntp/drift

#allow upper modify localhost
restrict 0.0.0.0 nomodify notrap noquery

#allow any host
restrict 0.0.0.0 mask 0.0.0.0 nomodify notrap

restrict 127.0.0.1
restrict -6 ::1
#restrict 10.83.250.4 #client ip
#level number
fudge 127.127.1.1 stratum 2

#ntp log path   
statsdir /var/log/ntp/

#ntp log file   
logfile /var/log/ntp/ntp.log

3. 服务管理

• 启用NTP服务

[root@localhost ~]# service ntpd start
正在启动 ntpd：[确定]

• 重启NTP服务

[root@localhost ~]# service ntpd restart
关闭 ntpd：[确定]
正在启动 ntpd：[确定]

也可用重读init.d下的ntpd重启
[root@localhost ~]# /etc/init.d/ntpd restart
关闭 ntpd：[确定]
正在启动 ntpd：[确定]

• 查询服务运行状态

[root@localhost ~]# service dhcpd status
dhcpd (pid  18489) 正在运行...

• 查看NTP运行状态

[root@qy-dhcp ~]# ntpstat
synchronised to local net at stratum 6 
   time correct to within 11 ms
   polling server every 64 s

• 查询监听端口

[root@localhost ~]# lsof -i:123
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ntpd21812  ntp   16u  IPv4 159463  0t0  UDP *:ntp 
ntpd21812  ntp   17u  IPv6 159464  0t0  UDP *:ntp 
ntpd21812  ntp   18u  IPv4 159470  0t0  UDP localhost:ntp 
ntpd21812  ntp   19u  IPv4 159471  0t0  UDP 10.83.250.5:ntp 
ntpd21812  ntp   20u  IPv4 159472  0t0  UDP 10.29.207.244:ntp 
ntpd21812  ntp   21u  IPv6 159473  0t0  UDP localhost:ntp 
ntpd21812  ntp   22u  IPv6 159474  0t0  UDP [fe80::20c:29ff:fed4:3e72]:ntp 
ntpd21812  ntp   23u  IPv6 159475  0t0  UDP [fe80::20c:29ff:fed4:3e7c]:ntp 

4. iptable 防火墙配置

• NTP服务使用的是UDP 123端口 防火墙开启状态下需开放123端口

[root@localhost ~]# /sbin/iptables -I INPUT -p udp --dport 123 -j ACCEPT

• 查看iptable 端口状态

[root@localhost ~]# /etc/init.d/iptables status
表格：filter
Chain INPUT (policy ACCEPT)
num  target prot opt source   destination 
1ACCEPT udp  --  0.0.0.0/00.0.0.0/0   udp dpt:123 
2ACCEPT all  --  0.0.0.0/00.0.0.0/0   state RELATED,ESTABLISHED 
3ACCEPT icmp --  0.0.0.0/00.0.0.0/0   
4ACCEPT all  --  0.0.0.0/00.0.0.0/0   
5ACCEPT tcp  --  0.0.0.0/00.0.0.0/0   state NEW tcp dpt:22 
6ACCEPT tcp  --  0.0.0.0/00.0.0.0/0   state NEW tcp dpt:647 
7ACCEPT udp  --  0.0.0.0/00.0.0.0/0   state NEW udp dpt:67 
8ACCEPT udp  --  0.0.0.0/00.0.0.0/0   state NEW udp dpt:68 
9REJECT all  --  0.0.0.0/00.0.0.0/0   reject-with icmp-host-prohibited 
10   ACCEPT tcp  --  0.0.0.0/00.0.0.0/0   state NEW tcp dpt:123 

Chain FORWARD (policy ACCEPT)
num  target prot opt source   destination 
1REJECT all  --  0.0.0.0/00.0.0.0/0   reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target prot opt source   destination     

• 查看NTP服务iptale状态

[root@localhost ~]# chkconfig | grep ntp
ntpd0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭
ntpdate 0:关闭  1:关闭  2:关闭  3:关闭  4:关闭  5:关闭  6:关闭

[root@localhost ~]# chkconfig --list ntpd
ntpd0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭

• 对应运行级别开启NTP服务IPtable开机自启动；

[root@localhost ~]# chkconfig --level 345 ntpd on

5. NTP状态同步查询及手动同步

• 查看系统日志

[root@localhost ~]# tail -f /var/log/messages 
Oct 16 10:13:57 localhost dhcpd: 
Oct 16 10:13:57 localhost dhcpd: Listening on LPF/eth0/00:0c:29:d4:3e:72/10.83.250.0/23
Oct 16 10:13:57 localhost dhcpd: Sending on   LPF/eth0/00:0c:29:d4:3e:72/10.83.250.0/23
Oct 16 10:13:57 localhost dhcpd: Sending on   Socket/fallback/fallback-net
Oct 16 10:13:57 localhost dhcpd: failover peer dhcp-failover: I move from normal to startup
Oct 16 10:13:57 localhost dhcpd: failover peer dhcp-failover: peer moves from normal to communications-interrupted
Oct 16 10:13:57 localhost dhcpd: failover peer dhcp-failover: I move from startup to normal
Oct 16 10:13:57 localhost dhcpd: balancing pool 7fbd4507b400 10.83.250.0/23  total 250  free 125  backup 124  lts 0  max-own (+/-)25
Oct 16 10:13:57 localhost dhcpd: balanced pool 7fbd4507b400 10.83.250.0/23  total 250  free 125  backup 124  lts 0  max-misbal 37
Oct 16 10:13:57 localhost dhcpd: failover peer dhcp-failover: peer moves from communications-interrupted to normal

• 查询当前状态

[root@server ~] #ntpq -p
 remote   refid  st t when poll reach   delay   offset  jitter
==============================================================================
 xk-6-95-a8.bta. 10.69.2.34   2 u   20   64   17   37.950   -0.106   1.141
 dns1.synet.edu. 202.118.1.47 2 u   19   64   17   42.5402.329   0.618
 58.220.207.237  10.137.38.86 3 u   17   64   17   42.5360.833   0.911
*LOCAL(0).LOCL.   5 l   21   64   170.0000.000   0.000

• 查询实时状态

[root@client ~]# watch ntpq -p

Every 2.0s: ntpq -pMon Oct 16 13:58:45 2017

 remote   refid  st t when poll reach   delay   offset  jitter
==============================================================================
 10.83.250.5 LOCAL(0) 6 u   29   64   170.131  -273355 172904.
*LOCAL(0).LOCL.   5 l   11   64  3770.0000.000   0.000

如果出现ntpq: read: Connection refused，说明NTP服务未开启

• 客户端手动初始同步ntp时间,需要先关自身NTP

[root@localhost ~]# service ntpd stop
关闭 ntpd：[确定]
[root@localhost ~]# ntpdate 10.83.250.4
16 Oct 13:08:31 ntpdate[19862]: adjust time server 10.83.250.4 offset 0.000588 sec

6. 配置NTP开机自启动及自动同步

• 配置开机启动

[root@localhost ~]# more /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
mount tmpfs /var/lib/dhcpd -t tmpfs -o size=200m
cd /var/lib/dhcpd
touch dhcpd.leases
service dhcpd restart
server ntpd restart

• client配置定时和NTP-server同步,并保存；

[root@localhost ~]# vi /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
0 1 * * * root ntpdate 10.83.250.5;/sbin/hwclock -w  >/root/ntpdate.log 2>&1
#上一条表示每天凌晨1点从NTP-server 10.83.250.5同步时间,并写入hwclock 硬件时钟，在日志中显现同步结果；

• 也可用sed命令修改

sed -i '$a0 1 * * * root ntpdate 10.83.250.5;/sbin/hwclock -w' /etc/crontab >/root/ntpdate.log 2>&1

• 重启定时任务服务生效

[root@localhost ~]# /etc/init.d/crond restart
停止 crond：[确定]
正在启动 crond：[确定]
也可用
[root@localhost ~]# service crond restart
停止 crond：[确定]
正在启动 crond：[确定]