1 概述
NTP(Network Time Protocol)是网络时间协议,用来同步网络中各个计算机的时间的协议,客户端向一个或者多个服务端进行时间同步。
在RHEL 7中有两种方法来配置同步客户端。
(1)ntp: this is the classic package, already existing in RHEL 6, RHEL 5, etc.
(2)chrony: this is a new solution better suited for portable PC or servers with network connection problems (time synchronization is quicker). chrony is the default package in RHEL 7.
关于ntpd 和chronyd的区别参考红帽官网:
Chrony consists of chronyd, a daemon that runs in user space, and chronyc, a command line program for making adjustments to chronyd. Systems which are not permanently connected, or not permanently powered up, take a relatively long time to adjust their system clocks with ntpd. This is because many small corrections are made based on observations of the clocks drift and offset. Temperature changes, which may be significant when powering up a system, affect the stability of hardware clocks. Although adjustments begin within a few milliseconds of booting a system, acceptable accuracy may take anything from ten seconds from a warm restart to a number of hours depending on your requirements, operating environment and hardware. chrony is a different implementation of the NTP protocol than ntpd, it can adjust the system clock more rapidly.
Differences Between ntpd and chronyd
One of the main differences between ntpd and chronyd is in the algorithms used to control the computer's clock. Things chronyd can do better than ntpd are:
chronyd can work well when external time references are only intermittently accessible, whereas ntpd needs regular polling of time reference to work well.
chronyd can perform well even when the network is congested for longer periods of time.
chronyd can usually synchronize the clock faster and with better time accuracy.
chronyd quickly adapts to sudden changes in the rate of the clock, for example, due to changes in the temperature of the crystal oscillator, whereas ntpd may need a long time to settle down again.
In the default configuration, chronyd never steps the time after the clock has been synchronized at system start, in order not to upset other running programs. ntpd can be configured to never step the time too, but it has to use a different means of adjusting the clock, which has some disadvantages.
chronyd can adjust the rate of the clock on a Linux system in a larger range, which allows it to operate even on machines with a broken or unstable clock. For example, on some virtual machines.
Things chronyd can do that ntpd cannot do:
chronyd provides support for isolated networks where the only method of time correction is manual entry. For example, by the administrator looking at a clock. chronyd can examine the errors corrected at different updates to estimate the rate at which the computer gains or loses time, and use this estimate to trim the computer clock subsequently.
chronyd provides support to work out the rate of gain or loss of the real-time clock, the hardware clock, that maintains the time when the computer is turned off. It can use this data when the system boots to set the system time using an adjusted value of the time taken from the real-time clock. This is, at time of writing, only available in Linux.
Things ntpd can do that chronyd cannot do:
ntpd fully supports NTP version 4 (RFC 5905), including broadcast, multicast, manycast clients and servers, and the orphan mode. It also supports extra authentication schemes based on public-key cryptography (RFC 5906). chronyd uses NTP version 3 (RFC 1305), which is compatible with version 4.
ntpd includes drivers for many reference clocks whereas chronyd relies on other programs, for example gpsd, to access the data from the reference clocks.
Choosing Between NTP Daemons
Chrony should be considered for all systems which are frequently suspended or otherwise intermittently disconnected and reconnected to a network. Mobile and virtual systems for example.
The NTP daemon (ntpd) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast IP, or to perform authentication of packets with the Autokey protocol, should consider using ntpd. Chrony only supports symmetric key authentication using a message authentication code (MAC) with MD5, SHA1 or stronger hash functions, whereas ntpd also supports the Autokey authentication protocol which can make use of the PKI system. Autokey is described in RFC 5906.
2 Chrony 配置
在RHEL 7中,默认已经安装了chrony。 配置文件是/etc/chrony.conf。
如果添加新的时间同步源,在chrony.conf 文件中添加服务器信息即可。
[root@12cr2db ~]# cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
2.1 启动时间同步服务
[root@12cr2db ~]# systemctl start chronyd.service
2.2 查看时间同步状态
[root@12cr2db ~]# systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2017-03-20 16:51:28 CST; 11h ago
Main PID: 680 (chronyd)
CGroup: /system.slice/chronyd.service
└─680 /usr/sbin/chronyd
Mar 20 18:33:28 12cr2db chronyd[680]: System clock wrong by -9703.338692 seconds, adjustment started
Mar 20 18:34:32 12cr2db chronyd[680]: Selected source 85.199.214.101
Mar 20 18:36:40 12cr2db chronyd[680]: Selected source 212.47.249.141
Mar 20 18:41:00 12cr2db chronyd[680]: Selected source 61.216.153.104
Mar 21 04:22:56 12cr2db chronyd[680]: Source 85.199.214.101 replaced with 166.111.206.172
Mar 21 04:25:56 12cr2db chronyd[680]: Can't synchronise: no majority
Mar 21 04:26:16 12cr2db chronyd[680]: Selected source 166.111.206.172
Mar 21 04:26:16 12cr2db chronyd[680]: System clock wrong by 71026.271062 seconds, adjustment started
Mar 21 04:31:19 12cr2db chronyd[680]: Can't synchronise: no majority
Mar 21 04:34:13 12cr2db chronyd[680]: Selected source 212.47.249.141
[root@12cr2db ~]#
2.3 查看时间同步源状态
[root@12cr2db ~]# chronyc sourcestats -v
210 Number of sources = 4
.- Number of sample points in measurement set.
/ .- Number of residual runs with same sign.
| / .- Length of measurement set (time).
| | / .- Est. clock freq error (ppm).
| | | / .- Est. error in freq.
| | | | / .- Est. offset.
| | | | | | On the -.
| | | | | | samples. /
| | | | | | |
Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
==============================================================================
ntp2.itcompliance.dk 7 5 480 +49.652 187.985 +8863us 12ms
166.111.206.172 14 6 777 -2.573 5.088 -50ms 829us
61-216-153-104.HINET-IP.h 13 7 457m -5.603 0.119 +71026s 849us
248.51-174-131.customer.l 9 5 659 +70.718 239.128 +32ms 30ms
2.4 查看时间同步源
[root@12cr2db ~]# chronyc sources -v
210 Number of sources = 4
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| / | | zzzz = estimated error.
|| | | /
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp2.itcompliance.dk 3 6 77 24 +6998us[+8472us] +/- 193ms
^+ 166.111.206.172 2 7 377 222 -52ms[ -37ms] +/- 270ms
^x 61-216-153-104.HINET-IP.h 3 10 202 43m +71026s[+1891us] +/- 67ms
^+ 248.51-174-131.customer.l 2 6 375 11 +38ms[ +38ms] +/- 227ms
2.5 重启时间同步服务
[root@12cr2db ~]# systemctl restart chronyd.service
2.6 命令行工具:chronyc
[root@12cr2db ~]# chronyc chrony version 2.1.1 Copyright (C) 1997-2003, 2007, 2009-2015 Richard P. Curnow and others chrony comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the GNU General Public License version 2 for details. chronyc> help Commands: accheck
: Check whether NTP access is allowed to
activity : Check how many NTP sources are online/offline add peer
... : Add a new NTP peer add server
... : Add a new NTP server allow [
] : Allow NTP access to that subnet as a default allow all [ ] : Allow NTP access to that subnet and all children burst / [ / ] : Start a rapid set of measurements clients : Report on clients that have accessed the server cmdaccheck : Check whether command access is allowed to
cmdallow [
] : Allow command access to that subnet as a default cmdallow all [ ] : Allow command access to that subnet and all children cmddeny [ ] : Deny command access to that subnet as a default cmddeny all [ ] : Deny command access to that subnet and all children
版权声明:本文为博主原创文章,未经博主允许不得转载。
Linux7 chrony