我在 debian 系统上设置 ntp 客户端功能时遇到了麻烦。
当输入 ntpq -p 时,输出总是相同的(输出中全为零且没有统计信息),如下所示:
sudo ntpq -p4
remote refid st t when poll reach delay offset jitter
==============================================================================
ntp2.mojsite.co .INIT. 16 - - 1024 0 0.000 0.000 0.000
panel1.web2.clu .INIT. 16 - - 1024 0 0.000 0.000 0.000
85.93.216.115 .INIT. 16 - - 1024 0 0.000 0.000 0.000
如您所见,到达率、延迟、偏移和抖动都为零,并且这种情况已经持续了几天,没有任何变化。
我认为配置可能配置错误,这是我的 ntp.conf 文件:
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
#complete guide at:
#http://doc.ntp.org/4.1.0/ntpd.htm
#######################
# Monitoring Options #
#######################
#Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/
#what to log (keyword "statistics")
#clockstats: for reference clock
#peerstats: for peers (remote ntp servers)
#loopstats: Record clock discipline loop statistics
#raw stats: for raw output
statistics loopstats peerstats clockstats rawstats
#type: generate files per day(day), per NTP process (pid), single file (none)
#per month (month) ... (year), or 24 hours of server operation (age)
#enable/disable output and
#link/nolink convenient to be able to access the current element of a file
#generation set by a fixed name
#recording of loop filter statistics information.
filegen loopstats file loopstats.log type day nolink enable
#recording of peer statistics information.
filegen peerstats file peerstats.log type day nolink enable
#recording of clock driver statistics information.
filegen clockstats file clockstats.log type day nolink enable
#recording of raw-timestamp statistics information.
filegen rawstats file rawstats.log type day nolink disable
###########################
# Reference Clock Options #
###########################
#server 127.127.t.u [prefer] [mode int] [minpoll int] [maxpoll int]
#fudge 127.127.t.u [time1 sec] [stratum int] [refid string] [mode int] [flag1 0|1] [flag2 0|1] [flag3 0|1] [flag4 0|1]
##########
# SERVER #
##########
#interface and ip setup, wildcard equals to 0.0.0.0
#This command controls which network addresses ntpd opens,
#and whether input is dropped without processing.
#ignore: don't listen on this address
#drop: listen but drop
#listen: listen and accept
interface ignore ipv6
interface listen 127.0.0.1
interface ignore 192.168.1.100
interface ignore wildcard
##########
# CLIENT #
##########
#The various operating modes are determined by the command keyword
#and the type of the required IP address.
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#The iburst option is recommended, and sends a burst of packets only if
#it cannot obtain a connection with the first attempt.
#The burst option always does this, even on the first attempt,
#and should never be used without explicit permission
#and may result in blacklisting.
#this command mobilizes a persistent client mode association with the specified
#remote server or local radio clock.
#In this mode the local clock can synchronized to the remote server,
#but the remote server can never be synchronized to the local clock.
#The various operating modes are determined by the command keyword:
#server, peer, broadcast, manycastclient and the type of the required IP address.
server 1.hr.pool.ntp.org
server 0.europe.pool.ntp.org
server 3.europe.pool.ntp.org
##################
# Access Control #
##################
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
# restrict address mask / -4 -6 / default
# default: (everybody) equal to 0.0.0.0 255.255.255.255
# kod: If access is denied, send a kiss-of-death packet.
# let client know more about why is it blocked to fix the problem
# notrap: subsystem intended for remote event logging programs.
restrict -4 default kod notrap nomodify nopeer noquery noserve
restrict -6 default kod notrap nomodify nopeer noquery noserve
# Local users may interrogate the ntp server more closely.
# If ignoring interface on ipv6 run "ntpq -p -4" instead of just "-p"
restrict 192.168.1.100 kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 172.16.1.1 mask 255.255.255.0 notrust
#########################
# Miscellaneous Options #
#########################
#Provides a way to enable or disable various server options.
disable bclient #if not specified default is: disable
disable calibrate #disable
enable kernel #enable
enable monitor #enable
enable stats #enable
enable ntp #enable
#This command controls the amount and type of output written to the system
#syslog facility or the alternate logfile.
logconfig=syncall +clockall +sysall +peerall
logfile /var/log/ntp.log
#This command specifies the name of the file used to record
#the frequency offset of the local clock oscillator.
driftfile /var/lib/ntp/ntp.drift
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
# broadcast 172.16.1.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
NTP 防火墙规则已设置,阻止的连接也已记录,到目前为止尚未阻止任何连接。如果需要,我还会提供防火墙信息。
答案1
我弄清楚了这个问题:
interface ignore 192.168.1.100
应该
interface listen 192.168.1.100
和
restrict -4 default kod notrap nomodify nopeer noquery noserve
应该
restrict -4 default kod notrap nomodify nopeer noquery
基本上,我们需要监听来自 ntp 服务器的传入数据包,即使这只是客户端的设置。
答案2
您的 NTP 未连接到服务器。如果您使用的是 IPv6,请尝试使用 IPv6 地址上的服务器。自从 NTP 被用于 DDOS 攻击以来,我也遇到过类似的问题。似乎许多服务器都在限制到达端口 123 的连接。请参阅:https://askubuntu.com/questions/825869/ntpd-does-not-sync-clock-while-ntpdate-does/825969#825969