chrony active time synchronization: installation and debugging notes

By 大寶

Laiwu Website Construction recently ran into a clock synchronization problem while maintaining servers; the material used to solve it is collected below.

Ports required:

chrony listens on UDP port 123 for compatibility with ntpd, and its own command interface listens on UDP port 323.

Program environment:

Files needed for an rpm install:

rpm -ivh libseccomp-2.3.1-3.el7.x86_64.rpm
rpm -ivh chrony-3.2-2.el7.x86_64.rpm

    Configuration file: /etc/chrony.conf
    Main program: chronyd   # a daemon
    Utility program: chronyc   # an interactive command-line tool
    unit file: chronyd.service

Configuration file: chrony.conf

The NTP client needs to know which NTP server to contact to obtain the current time. NTP servers are specified directly with the server or pool entries in the chrony configuration file. The default configuration file is usually /etc/chrony/chrony.conf or /etc/chrony.conf, depending on the Linux distribution. For more reliable synchronization, specify at least three servers.

    server: address of a time server;
    allow NETADDR/NETMASK: allow the given network to query this server;
    allow all: allow all client hosts;
    deny NETADDR/NETMASK: refuse the given network;
    deny all: refuse all clients;
    bindcmdaddress: address the command/management interface listens on;
    local stratum 10: even if this host has failed to synchronize with a network time server, it may still serve its local clock as reference time to other clients.

chrony's interactive tool chronyc

chrony ships a command-line tool, chronyc, for controlling and monitoring the chrony daemon (chronyd).

chronyc has many subcommands; type help to list them:
chronyc help
    Options:
    sources [-v]        show information about the current time sources
    sourcestats [-v]    show synchronization statistics (how far the clock has drifted, etc.)

# For example:
chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 37.22.10.49                  2  10   104   64m  +1485us[ +417us] +/-   81ms

# The MS column (the first column) is the one to watch:
^*  '^' means the address on that line is a server, i.e. the internet time server we configured; '*' means it is the source currently being synchronized to.

########

chronyc sourcestats -v   # sourcestats shows synchronization statistics; -v gives verbose output
210 Number of sources = 1
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
37.22.10.49               29  18   18h     -0.003      0.132    -14us  5055us


To check whether chrony has synchronized, use the tracking command shown below.


$ chronyc tracking
Reference ID : 6A0ABAC8 (t1.time.sg3.yahoo.com)
Stratum : 3
Ref time (UTC) : Wed Oct 17 11:48:51 2018
System time : 0.000984587 seconds slow of NTP time
Last offset : -0.000912981 seconds
RMS offset : 0.007983995 seconds
Frequency : 23.704 ppm slow
Residual freq : +0.006 ppm
Skew : 1.734 ppm
Root delay : 0.089718960 seconds
Root dispersion : 0.008760406 seconds
Update interval : 515.1 seconds
Leap status : Normal
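The sources and tracking outputs above are exactly what a monitoring check should read. The following Python is an added example, not code from the original post: it parses `chronyc sources` and `chronyc tracking` text of the shape shown on this page and reports whether the host is healthily synced. The sample output is constructed from the page's values, and the 0.1 s offset threshold is an assumption.

```python
import re

# Constructed sample output, in the shape this page shows for `chronyc sources` and `chronyc tracking`.
SOURCES_SAMPLE = """\
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 37.22.10.49                  2  10   104   64m  +1485us[ +417us] +/-   81ms
"""
TRACKING_SAMPLE = """\
Reference ID : 6A0ABAC8 (t1.time.sg3.yahoo.com)
Stratum : 3
System time : 0.000984587 seconds slow of NTP time
Leap status : Normal
"""

SOURCE_LINE = re.compile(r"^([\^=#])([*+\-?x~]) (\S+)\s+(\d+)\s+\d+\s+(\d+)")

def parse_sources(text):
    """Rows of (mode, state, name, stratum, reach) from `chronyc sources`; reach is octal."""
    rows = [m.groups() for m in map(SOURCE_LINE.match, text.splitlines()) if m]
    return [(mode, st, name, int(strat), int(reach, 8)) for mode, st, name, strat, reach in rows]

def parse_tracking(text):
    """`chronyc tracking` as a dict: the text before the first colon is the key."""
    return {k.strip(): v.strip() for k, v in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def system_offset_seconds(tracking):
    """Signed offset of the system clock from NTP time; negative means the clock is slow."""
    m = re.match(r"([\d.]+) seconds (slow|fast)", tracking.get("System time", ""))
    if not m:
        return None
    return -float(m.group(1)) if m.group(2) == "slow" else float(m.group(1))

def sync_health(sources_text, tracking_text, max_offset=0.1):
    """(ok, reasons): ok only with a '*' source, every source reachable, leap Normal, small offset."""
    reasons = []
    rows = parse_sources(sources_text)
    if not any(r[1] == "*" for r in rows):
        reasons.append("no source currently synced (no '*' in the MS column)")
    reasons += [f"{r[2]}: reachability register is 0, server never answered" for r in rows if r[4] == 0]
    tracking = parse_tracking(tracking_text)
    if tracking.get("Leap status") != "Normal":
        reasons.append(f"leap status is {tracking.get('Leap status')!r}")
    offset = system_offset_seconds(tracking)
    if offset is None or abs(offset) > max_offset:  # max_offset is an assumed threshold
        reasons.append(f"system clock offset {offset} outside +/-{max_offset} s")
    return (not reasons, reasons)
```

Feed it the real command output (for example via subprocess) and alert on a False verdict; the reach value is converted from the octal register chronyc prints.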

If your system is not connected to the internet, you need to tell chrony so. To do that, run:

# chronyc offline
200 OK

To check the state of your NTP sources, simply run:

$ chronyc activity
200 OK
0 sources online
3 sources offline
0 sources doing burst (return to online)
0 sources doing burst (return to offline)
0 sources with unknown address

As you can see, all of my sources are offline at this point.

Once you are connected to the internet again, just tell chrony that your system is back online:

# chronyc online
200 OK

For a detailed explanation of all options and parameters, see the manual pages:

$ man chronyc
$ man chronyd




========================Implementation=========================



Stop the NTP service so that it does not hold port 123:

[root@<host> ~]# service ntpd stop

[root@<host> ~]# chkconfig ntpd off


Firewall is off:

[root@<host> ~]# systemctl status firewalld.service

● firewalld.service - firewalld - dynamic firewall daemon

   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)

   Active: inactive (dead)

SELinux is off:

[root@<host> ~]# getenforce

Disabled

[root@<host> ~]# systemctl status chrony

● chrony.service

   Loaded: not-found (Reason: No such file or directory)

   Active: inactive (dead)  

========================Server side=========================


1. Install chrony (on all machines)

yum install chrony -y

2. Start chrony

[root@<host> ~]# systemctl start chronyd.service

[root@<host> ~]# systemctl status chronyd.service

● chrony.service - chrony, an NTP client/server
   Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: ena
   Active: active (running) since Wed 2018-10-17 10:34:53 UTC; 3min 15s ago
     Docs: man:chronyd(8)
           man:chronyc(1)
           man:chrony.conf(5)
 Main PID: 2482 (chronyd)
    Tasks: 1 (limit: 2320)
   CGroup: /system.slice/chrony.service
           └─2482 /usr/sbin/chronyd

Start automatically at every boot:

[root@<host> ~]# systemctl enable chronyd.service



3. Edit the configuration file (note: these are the server-side changes)

     22 allow 37.0.0.0/8

     23 allow 192.168.0.0/16

     24 # Listen for commands only on localhost.

     25 bindcmdaddress 127.0.0.1

     26 bindcmdaddress ::1

     27

     28 # Serve time even if not synchronized to any NTP server.

     29 local stratum 10  

# Line 22: set to your own subnet
# Line 29: uncomment

4. The resulting configuration file:

[root@<host> ~]# egrep -v "#|^$" /etc/chrony.conf

server ntp1.aliyun.com

server time1.aliyun.com

stratumweight 0

driftfile /var/lib/chrony/drift

rtcsync

makestep 10 3

allow 37.0.0.0/8

allow 192.168.0.0/16

bindcmdaddress 127.0.0.1

bindcmdaddress ::1

local stratum 10

keyfile /etc/chrony.keys

commandkey 1

generatecommandkey

noclientlog

logchange 0.5

logdir /var/log/chrony
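The allow, bindcmdaddress and local directives in the listing above decide who may query this server, who may control it, and what it hands out when its upstream is gone. The following Python is an added example, not part of the original post: a small audit of those directives in a chrony.conf. The sample config is constructed from the page's listing, and the private ranges it treats as "our LAN" are an assumption.

```python
import ipaddress

# Constructed sample, reduced from the server-side /etc/chrony.conf listed on this page.
SERVER_CONF = """\
server ntp1.aliyun.com
server time1.aliyun.com
driftfile /var/lib/chrony/drift
makestep 10 3
allow 37.0.0.0/8
allow 192.168.0.0/16
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
local stratum 10
"""

# Ranges assumed to be "our LAN" for this audit; adjust to the real site.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conf(text):
    """(directive, argument) pairs, skipping blank lines and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs

def audit_conf(text):
    """Findings about who may query this server, who may control it, and what it serves."""
    findings, pairs = [], parse_conf(text)
    for directive, arg in pairs:
        if directive == "allow":
            if arg in ("", "all"):
                findings.append("allow all: any host that can reach UDP 123 may query this server")
                continue
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"allow {arg}: prefix not parsable by this audit, check it by hand")
                continue
            if not any(lan.version == net.version and net.subnet_of(lan) for lan in LAN_NETWORKS):
                findings.append(f"allow {arg}: not inside a private range, time is served to public hosts")
        elif directive == "bindcmdaddress" and not ipaddress.ip_address(arg).is_loopback:
            findings.append(f"bindcmdaddress {arg}: chronyc command port (UDP 323) is reachable off-host")
        elif directive == "local":
            findings.append(f"local {arg}: clients get this host's own clock when upstream sync is lost")
    if not any(d in ("server", "pool") for d, _ in pairs):
        findings.append("no server/pool directive: this host can only hand out its own clock")
    return findings
```

Run it over the real file before pushing it out with ansible; on the sample it flags the /8 allow line and the local directive, and nothing else.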

5. Restart the time synchronization service

[root@<host> ~]# systemctl restart chronyd.service

======================Client side=====================

The client uses the same configuration file (/etc/chrony.conf)

1. Delete the unneeded "server xxxxxxxxxx iburst" lines

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server  37.22.10.49      iburst
# Ignore stratum in source selection.

2. Edit the configuration file on the server, then push it to the clients in bulk with ansible

[root@<host> ~]# ansible client -m copy -a "src=/etc/chrony.conf dest=/etc/"

192.168.17.250 | SUCCESS => {

    "changed": true,

    "checksum": "52bda81d895de3c7c54886d342e5eec074df757e",

    "dest": "/etc/chrony.conf",

    "gid": 0,

    "group": "root",

    "md5sum": "aee9cc7faa70a0c189033cdb8692e4b1",

    "mode": "0644",

    "owner": "root",

    "size": 1038,

    "src": "/root/.ansible/tmp/ansible-tmp-1495860905.35-183232559888238/source",

    "state": "file",

    "uid": 0

}

192.168.17.53 | SUCCESS => {

    "changed": true,

    "checksum": "52bda81d895de3c7c54886d342e5eec074df757e",

    "dest": "/etc/chrony.conf",

    "gid": 0,

    "group": "root",

    "md5sum": "aee9cc7faa70a0c189033cdb8692e4b1",

    "mode": "0644",

    "owner": "root",

    "size": 1038,

    "src": "/root/.ansible/tmp/ansible-tmp-1495860905.34-134007063835838/source",

    "state": "file",

    "uid": 0

}

192.168.17.51 | SUCCESS => {

    "changed": true,

    "checksum": "52bda81d895de3c7c54886d342e5eec074df757e",

    "dest": "/etc/chrony.conf",

    "gid": 0,

    "group": "root",

    "md5sum": "aee9cc7faa70a0c189033cdb8692e4b1",

    "mode": "0644",

    "owner": "root",

    "size": 1038,

    "src": "/root/.ansible/tmp/ansible-tmp-1495860905.43-104570916452677/source",

    "state": "file",

    "uid": 0

}

192.168.17.52 | SUCCESS => {

    "changed": true,

    "checksum": "52bda81d895de3c7c54886d342e5eec074df757e",

    "dest": "/etc/chrony.conf",

    "gid": 0,

    "group": "root",

    "md5sum": "aee9cc7faa70a0c189033cdb8692e4b1",

    "mode": "0644",

    "owner": "root",

    "size": 1038,

    "src": "/root/.ansible/tmp/ansible-tmp-1495860905.43-40575778655199/source",

    "state": "file",

    "uid": 0

}

3. Start the synchronization service (the firewall must be off on the clients as well)

[root@<host> ~]# ansible client -m shell -a "systemctl start chronyd.service"

192.168.17.53 | SUCCESS | rc=0 >>

192.168.17.250 | SUCCESS | rc=0 >>

192.168.17.52 | SUCCESS | rc=0 >>

192.168.17.51 | SUCCESS | rc=0 >>

4. Note: make sure the clients' scheduled time-sync cron jobs are turned off

[root@<host> ~]# ansible client -m shell -a "crontab -l"

192.168.17.51 | SUCCESS | rc=0 >>

192.168.17.250 | SUCCESS | rc=0 >>

192.168.17.53 | SUCCESS | rc=0 >>

192.168.17.52 | SUCCESS | rc=0 >>

5. On CentOS 7 the ntpdate command can still be used to synchronize the time

[root@<host> ~]# ansible client -m shell -a "ntpdate 10.0.0.120"

192.168.17.53 | SUCCESS | rc=0 >>

27 May 13:05:57 ntpdate[26817]: adjust time server 10.0.0.120 offset -0.001686 sec

192.168.17.250 | SUCCESS | rc=0 >>

27 May 13:05:57 ntpdate[17419]: adjust time server 10.0.0.120 offset -0.004419 sec

192.168.17.52 | SUCCESS | rc=0 >>

27 May 13:05:57 ntpdate[50111]: adjust time server 10.0.0.120 offset -0.004410 sec

192.168.17.51 | SUCCESS | rc=0 >>

27 May 13:05:57 ntpdate[114089]: adjust time server 10.0.0.120 offset -0.000597 sec

6. Check the time: all hosts are now synchronized, to the second

[root@<host> ~]# ansible client -m shell -a "date"

192.168.17.250 | SUCCESS | rc=0 >>

Sat May 27 13:06:04 CST 2017

192.168.17.51 | SUCCESS | rc=0 >>

Sat May 27 13:06:04 CST 2017

192.168.17.53 | SUCCESS | rc=0 >>

Sat May 27 13:06:04 CST 2017

192.168.17.52 | SUCCESS | rc=0 >>

Sat May 27 13:06:04 CST 2017


Tip: when distributing files in bulk with ansible, overwriting a file is dangerous; if the original exists, back it up first. In fact, whether with ansible or any other tool, overwriting is always risky.

