
Deploying an internal time server on CentOS with chrony

In some environments, internal servers are not allowed to reach public resources in order to keep them secure, and many IDC providers in China also block outbound time synchronisation to prevent UDP-based attacks. As a result, an internal network usually runs its own time server, from which the other internal servers synchronise their clocks.

chrony is an implementation of the Network Time Protocol (NTP). It replaces ntpd, keeps time synchronised even on congested networks, and synchronises with considerably higher accuracy; Red Hat 8 already ships chrony as its default time synchronisation tool.

Put simply, ntpd is an outdated product and it is time to switch to chrony. If you still want to use ntp for time synchronisation on Red Hat 8/CentOS 8, see: https://blog.whsir.com/post-4925.html

This post uses CentOS 7 as the example for deploying a chrony time server; the chrony server itself must be able to reach the public internet.

1. Install chrony
yum install chrony


2. Edit the chrony configuration file

There are many public time server nodes available in China; we only need to pick a few of them as our upstream sources.

Below is the configuration file after my changes. Two things were changed: first, four upstream time servers were added, here two Alibaba Cloud and two Tencent Cloud servers; second, the addresses allowed to synchronise from this server were set with allow 0.0.0.0/0, which permits every IP range.
vi /etc/chrony.conf


# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server time1.cloud.tencent.com iburst
server time2.cloud.tencent.com iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
#allow 192.168.0.0/16
allow 0.0.0.0/0

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking
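The post's configuration opens the server to every client with allow 0.0.0.0/0; on a host reachable only from the internal network that works, but a narrower allow (such as the commented-out 192.168.0.0/16) is the safer default. The following Python script is an added example, not part of the original post: it parses a chrony.conf, lists the upstream sources and flags an over-broad allow, an enabled local stratum, and too few sources; SAMPLE_CONF is a constructed copy of the post's active directives.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the post's server config reduced to its active directives.
SAMPLE_CONF = """\
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server time1.cloud.tencent.com iburst
server time2.cloud.tencent.com iburst
#allow 192.168.0.0/16
allow 0.0.0.0/0
#local stratum 10
"""

def parse_directives(text: str) -> List[List[str]]:
    """Split active lines into [keyword, args...]; '#', '%', '!' and ';' start comments."""
    lines = (raw.strip() for raw in text.splitlines())
    return [ln.split() for ln in lines if ln and ln[0] not in "#%!;"]

def allow_network(args: List[str]):
    """Network granted by one 'allow' directive; None means every address ('allow' or 'allow all')."""
    if args and args[0] == "all":
        args = args[1:]
    if not args:
        return None
    spec = args[0]
    if "/" in spec or ":" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")  # chrony shorthand: "192.168" means 192.168.0.0/16
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

def audit(text: str) -> Dict[str, list]:
    """Return the upstream sources and the access-control warnings a reviewer would raise."""
    directives = parse_directives(text)
    servers = [d[1] for d in directives if d[0] in ("server", "pool", "peer") and len(d) > 1]
    warnings = []
    for d in directives:
        if d[0] == "allow":
            net = allow_network(d[1:])
            if net is None or net.prefixlen == 0:
                warnings.append("allow grants NTP access to every address; restrict it to internal ranges")
            elif not net.is_private:
                warnings.append(f"allow {net} covers non-private address space")
        elif d[0] == "local":
            warnings.append("local stratum is set: clients are served time even while this host is unsynchronised")
    if len(servers) < 3:
        warnings.append("fewer than 3 upstream sources: chrony cannot single out a false ticker")
    return {"servers": servers, "warnings": warnings}
```

Run audit(open("/etc/chrony.conf").read()) on the server to review a real file; the deny directive and IPv6 shorthand are not modelled.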

3. Start the service
systemctl enable chronyd
systemctl start chronyd


If you have no special requirements, the internal time server is now configured. On the other internal servers, install chrony and change the server IP iburst line in /etc/chrony.conf, where IP is the address of the internal server you just configured.

Note: chrony synchronises differently from ntpdate, so there is no need to set up a scheduled sync; as long as the chronyd service is running, time is synchronised automatically.

4. Configure the firewall (optional)

If the firewalld firewall is enabled, make sure the relevant port is opened
firewall-cmd --add-service=ntp --permanent
firewall-cmd --add-port=123/udp --permanent
firewall-cmd --reload


5. Check whether time synchronisation is working

You can check the current synchronisation status with the following command
timedatectl


Mainly check that the following two items are yes; if both are yes, synchronisation is working

NTP enabled: yes
NTP synchronized: yes

6. Some other commands

Check how many time servers are online
chronyc activity


Show the list of synchronisation sources
chronyc -n sources -v


For more parameters, see: https://chrony.tuxfamily.org/doc/3.4/chrony.conf.html
