NTP synchronization in CentOS 7


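I have configured an NTP server on a CentOS 7 machine (a virtual machine), and I have also configured the ntp.conf file on the clients (also virtual and running CentOS 7). NTP synchronization works fine when I explicitly start/restart the ntpd service on a client machine with "systemctl (re)start ntpd". However, when I try to test "automatic" synchronization by changing the time on the server, the clients neither get "notified" nor update their clocks (the clocks stay as synchronized during the last restart of ntpd). I even tried changing the polling frequency in the client's ntp.conf file, but nothing seems to have any effect. I would really appreciate some help.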

PS: Here are the ntp.conf files from the server and from one client:

Server:

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 127.127.1.0

fudge 127.127.1.0 stratum 1

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

Client:

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.1.38 #This is the ip address of the server

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

Answer 1

I think you also have to uncomment the restrict line on the server to make ntp available in that network. Then restart ntpd

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

On the client you can also add iburst to the server configuration line, which should speed up the initial clock synchronization, and restart ntpd

server 192.168.1.38 iburst

ntpq -p can list the servers and whether a connection has been established.
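
An added example, not part of the answer above or of ntpd itself: a small Python evaluator for the restrict lines in the server's ntp.conf, showing which entry matches a LAN client and what its flags permit before and after the subnet line is uncommented. The client address 192.168.1.50 and the names parse_restrict and access are made up for the illustration, and treating a bare "default" as covering both IPv4 and IPv6 is an assumption.

```python
import ipaddress

# Active restrict lines from the server's ntp.conf on this page.
AS_POSTED = """
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""
# Same file with the subnet line uncommented.
WITH_SUBNET = AS_POSTED.replace("#restrict", "restrict")

def parse_restrict(conf_text):
    """Return [(network, flags)] for every uncommented restrict line."""
    rules = []
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] != ["restrict"] or len(words) < 2:
            continue
        addr, rest = words[1], words[2:]
        if addr == "default":
            # Assumption: a bare "default" covers both IPv4 and IPv6.
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            if rest[:1] == ["mask"]:
                addr, rest = f"{addr}/{rest[1]}", rest[2:]
            nets = [ipaddress.ip_network(addr, strict=False)]
        rules += [(net, set(rest)) for net in nets]
    return rules

def access(client, conf_text):
    """Flags of the most specific matching entry decide what the client may do."""
    ip = ipaddress.ip_address(client)
    hits = [(n, f) for n, f in parse_restrict(conf_text)
            if n.version == ip.version and ip in n]
    flags = max(hits, key=lambda h: h[0].prefixlen)[1] if hits else set()
    return {
        "matched_flags": sorted(flags),
        "time_service": not flags & {"ignore", "noserve"},
        "ntpq_queries": not flags & {"ignore", "noquery"},
        "config_changes": not flags & {"ignore", "noquery", "nomodify"},
    }

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("subnet line active", WITH_SUBNET)):
        print(name, access("192.168.1.50", conf))  # 192.168.1.50: constructed client
```

With the subnet line active, the matching entry no longer carries noquery or nopeer, so ntpq queries from 192.168.1.0/24 are answered; that is the case in which the file's `disable monitor` line and its CVE-2013-5211 comment matter.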

Answer 2

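Some notes on your configuration:

General rules I use:

  • Do not put the ntp server on a virtual machine.
  • Do not trust the local clock on the ntp server.

You wrote that you will be using an isolated network (so the pool servers cannot be reached). You may have to rely on the hardware clock. But try to get the ntp server out of the VM.

For clients, on a VM, I always make the first line in ntp.conf: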

tinker panic 0

so that NTP doesn't panic when the time offset is large.

Answer 3

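You are probably not synchronizing during the ntpd (re)start itself, but through the use of ntpdate (you can check whether /etc/sysconfig/ntpdate exists).

Also, the client probably has some trust in its own clock and won't jump suddenly. ntpd, if the master clock experiences a sudden change (i.e. one that is obvious to you), will assume the master clock is faulty and continue to use its own time.

Since you didn't explain why you want to do this, there is not much to say other than: don't play with ntp if you don't need to.

You should also double-check that chronyd and/or systemd's timesyncd are not interfering with your experiment.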
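
An added example, not part of the answers above and not ntpd code: a simplified Python model of how an already synchronized ntpd treats a sudden offset from its server, with and without the `tinker panic 0` line from Answer 2. The threshold defaults (step 0.128 s, stepout 900 s, panic 1000 s) are assumed to be those of the ntp 4.2.6 series, the names parse_tinker and simulate are made up, and the poll samples are constructed.

```python
# Assumed defaults of the ntp 4.2.6 series; "tinker" lines override them.
DEFAULTS = {"step": 0.128, "stepout": 900.0, "panic": 1000.0}

def parse_tinker(conf_text):
    """Return the thresholds after applying any 'tinker' lines in ntp.conf."""
    t = dict(DEFAULTS)
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["tinker"]:
            for name, value in zip(words[1::2], words[2::2]):
                if name in t:
                    t[name] = float(value)
    return t

def simulate(samples, t):
    """samples: (seconds, offset) pairs from successive polls of a synced daemon.
    Returns one action per sample. Simplification: the stepout interval is
    measured from the first outlier."""
    actions, spike_since = [], None
    for now, offset in samples:
        mag = abs(offset)
        if t["panic"] > 0 and mag > t["panic"]:
            actions.append("panic-exit")    # sanity check fails: daemon exits
            break
        if t["step"] > 0 and mag > t["step"]:
            if spike_since is None:
                spike_since = now           # first outlier is treated as a spike
                actions.append("ignore")
            elif now - spike_since < t["stepout"]:
                actions.append("ignore")    # still inside the stepout interval
            else:
                actions.append("step")      # offset persisted: clock is set
                spike_since = None
        else:
            spike_since = None
            actions.append("slew")          # small offset: gradual correction
    return actions

# Constructed polls every 64 s: the server clock is moved by 300 s after t=0.
JUMP_300 = [(0, 0.002)] + [(64 * i, 300.0) for i in range(1, 17)]
# Constructed polls: the server clock is moved by one hour.
JUMP_3600 = [(0, 0.002), (64, 3600.0)]

if __name__ == "__main__":
    print(simulate(JUMP_300, parse_tinker("")))
    print(simulate(JUMP_3600, parse_tinker("")))
    print(simulate(JUMP_3600, parse_tinker("tinker panic 0")))
```

In this model a 300 s jump is ignored for about 15 minutes before the clock is stepped, and with `tinker panic 0` the client no longer refuses a jump of any size from its configured server, which removes a check against a faulty or spoofed time source.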
