在一些特定场景中,为保障内网服务器的安全,一般情况下是不允许服务器访问公网资源的,而且国内很多IDC提供商也拒绝了时间同步,这样做就是为了防止UDP攻击,所以在内网中往往都存在自己的时间服务器,以供内网的其他服务器来同步时间。
chrony是网络时间协议NTP的实现,它替代了ntpd,即使在网络拥塞的情况下也可以同步时间,并且时间的同步精度也高的多,在红帽8版本中,已经使用chrony作为默认的时间同步工具了。
通俗的讲ntpd是个过时的产品了,是时候使用chrony了,如果你想在Redhat8/CentOS8中继续使用ntp来同步时间,可参考:https://blog.whsir.com/post-4925.html
本文以CentOS7为例来部署chrony时间服务器,chrony服务器需要有访问公网权限。
1、安装chrony
yum install chrony
1
yum install chrony
2、修改chrony配置文件
目前国内有很多时间服务器节点,我们只需要从中选取几个作为我们的上游时间节点即可。
以下是我已经修改好的配置文件,主要改动了两处:一是增加了4个上游时间服务器节点,我这里选取了两个阿里云时间服务器、两个腾讯云服务器,二是设置允许哪些地址的服务器同步时间,allow 0.0.0.0/0,这里表示允许所有IP段。
vi /etc/chrony.conf
1
vi /etc/chrony.conf
Use public servers from the pool.ntp.org project.
Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server time1.cloud.tencent.com iburst
server time2.cloud.tencent.com iburst
Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
Allow the system clock to be stepped in the first three updates
if its offset is larger than 1 second.
makestep 1.0 3
Enable kernel synchronization of the real-time clock (RTC).
rtcsync
Enable hardware timestamping on all interfaces that support it.
hwtimestamp *
Increase the minimum number of selectable sources required to adjust
the system clock.
minsources 2
Allow NTP client access from local network.
allow 192.168.0.0/16
allow 0.0.0.0/0
Serve time even if not synchronized to a time source.
local stratum 10
Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys
Specify directory for log files.
logdir /var/log/chrony
Select which information is logged.
log measurements statistics tracking
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Use public servers from the pool.ntp.org project.
Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server time1.cloud.tencent.com iburst
server time2.cloud.tencent.com iburst
Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
Allow the system clock to be stepped in the first three updates
if its offset is larger than 1 second.
makestep 1.0 3
Enable kernel synchronization of the real-time clock (RTC).
rtcsync
Enable hardware timestamping on all interfaces that support it.
hwtimestamp *
Increase the minimum number of selectable sources required to adjust
the system clock.
minsources 2
Allow NTP client access from local network.
allow 192.168.0.0/16
allow 0.0.0.0/0
Serve time even if not synchronized to a time source.
local stratum 10
Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys
Specify directory for log files.
logdir /var/log/chrony
Select which information is logged.
log measurements statistics tracking
3、启动服务
systemctl enable chronyd
systemctl start chronyd
1
2
systemctl enable chronyd
systemctl start chronyd
如果你没有特殊需求,此时内网的时间服务器就配置好了,只要在内网其他服务器上安装chrony,然后修改/etc/chrony.conf配置文件中的server IP iburst字段就可以了,这里的IP就填写刚刚配置好的内网服务器IP。
注:chrony和ntpdate同步方式不同,无需设置定时同步,只要chrony服务正常运行,那么就会自动同步时间。
4、配置防火墙(可选)
如果开启了firewalld防火墙,请注意开放相关端口
firewall-cmd --add-service=ntp --permanent
firewall-cmd --add-port=123/udp --permanent
firewall-cmd --reload
1
2
3
firewall-cmd --add-service=ntp --permanent
firewall-cmd --add-port=123/udp --permanent
firewall-cmd --reload
5、查询时间同步是否正常
可以通过以下命令查看当前时间同步是否正常
timedatectl
1
timedatectl
主要观察以下两项是否是yes,如果是yes则表示同步正常
NTP enabled: yes
NTP synchronized: yes
6、一些其他命令
检查有多少个时间服务器在线
chronyc activity
1
chronyc activity
查看同步源服务器列表
chronyc -n sources -v
1
chronyc -n sources -v