签到成功

知道了

CNDBA社区CNDBA社区

Linux 7 chrony 时间同步服务配置

2017-03-22 14:47 14966 0 原创 Linux
作者: dave

 

1       概述

NTP(Network Time Protocol)是网络时间协议,用来同步网络中各个计算机的时间的协议,客户端向一个或者多个服务端进行时间同步。

 

在RHEL 7中有两种方法来配置同步客户端。

(1)ntp: this is the classic package, already existing in RHEL 6, RHEL 5, etc.

(2)chrony: this is a new solution better suited for portable PC or servers with network connection problems (time synchronization is quicker). chrony is the default package in RHEL 7.

 

关于ntpd 和chronyd的区别参考红帽官网:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html

Chrony consists of chronyd, a daemon that runs in user space, and chronyc, a command line program for making adjustments to chronyd. Systems which are not permanently connected, or not permanently powered up, take a relatively long time to adjust their system clocks with ntpd. This is because many small corrections are made based on observations of the clocks drift and offset. Temperature changes, which may be significant when powering up a system, affect the stability of hardware clocks. Although adjustments begin within a few milliseconds of booting a system, acceptable accuracy may take anything from ten seconds from a warm restart to a number of hours depending on your requirements, operating environment and hardware. chrony is a different implementation of the NTP protocol than ntpd, it can adjust the system clock more rapidly.


Differences Between ntpd and chronyd

One of the main differences between ntpd and chronyd is in the algorithms used to control the computer's clock. Things chronyd can do better than ntpd are:

chronyd can work well when external time references are only intermittently accessible, whereas ntpd needs regular polling of time reference to work well.
chronyd can perform well even when the network is congested for longer periods of time.
chronyd can usually synchronize the clock faster and with better time accuracy.
chronyd quickly adapts to sudden changes in the rate of the clock, for example, due to changes in the temperature of the crystal oscillator, whereas ntpd may need a long time to settle down again.

 
In the default configuration, chronyd never steps the time after the clock has been synchronized at system start, in order not to upset other running programs. ntpd can be configured to never step the time too, but it has to use a different means of adjusting the clock, which has some disadvantages.
chronyd can adjust the rate of the clock on a Linux system in a larger range, which allows it to operate even on machines with a broken or unstable clock. For example, on some virtual machines.

 
Things chronyd can do that ntpd cannot do:
chronyd provides support for isolated networks where the only method of time correction is manual entry. For example, by the administrator looking at a clock. chronyd can examine the errors corrected at different updates to estimate the rate at which the computer gains or loses time, and use this estimate to trim the computer clock subsequently.
chronyd provides support to work out the rate of gain or loss of the real-time clock, the hardware clock, that maintains the time when the computer is turned off. It can use this data when the system boots to set the system time using an adjusted value of the time taken from the real-time clock. This is, at time of writing, only available in Linux.


Things ntpd can do that chronyd cannot do:
ntpd fully supports NTP version 4 (RFC 5905), including broadcast, multicast, manycast clients and servers, and the orphan mode. It also supports extra authentication schemes based on public-key cryptography (RFC 5906). chronyd uses NTP version 3 (RFC 1305), which is compatible with version 4.
ntpd includes drivers for many reference clocks whereas chronyd relies on other programs, for example gpsd, to access the data from the reference clocks.

 

Choosing Between NTP Daemons
Chrony should be considered for all systems which are frequently suspended or otherwise intermittently disconnected and reconnected to a network. Mobile and virtual systems for example.
The NTP daemon (ntpd) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast IP, or to perform authentication of packets with the Autokey protocol, should consider using ntpd. Chrony only supports symmetric key authentication using a message authentication code (MAC) with MD5, SHA1 or stronger hash functions, whereas ntpd also supports the Autokey authentication protocol which can make use of the PKI system. Autokey is described in RFC 5906.

 


 https://www.cndba.cn/cndba/dave/article/1820

2       Chrony 配置

在RHEL 7中,默认已经安装了chrony。  配置文件是/etc/chrony.conf。

 

如果添加新的时间同步源,在chrony.conf 文件中添加服务器信息即可。https://www.cndba.cn/cndba/dave/article/1820

https://www.cndba.cn/cndba/dave/article/1820

[root@12cr2db ~]# cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

2.1         启动时间同步服务

[root@12cr2db ~]# systemctl start chronyd.service

 

2.2         查看时间同步状态


https://www.cndba.cn/cndba/dave/article/1820

[root@12cr2db ~]# systemctl status chronyd

● chronyd.service - NTP client/server

   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)

   Active: active (running) since Mon 2017-03-20 16:51:28 CST; 11h ago

 Main PID: 680 (chronyd)

   CGroup: /system.slice/chronyd.service

           └─680 /usr/sbin/chronyd

 

Mar 20 18:33:28 12cr2db chronyd[680]: System clock wrong by -9703.338692 seconds, adjustment started

Mar 20 18:34:32 12cr2db chronyd[680]: Selected source 85.199.214.101

Mar 20 18:36:40 12cr2db chronyd[680]: Selected source 212.47.249.141

Mar 20 18:41:00 12cr2db chronyd[680]: Selected source 61.216.153.104

Mar 21 04:22:56 12cr2db chronyd[680]: Source 85.199.214.101 replaced with 166.111.206.172

Mar 21 04:25:56 12cr2db chronyd[680]: Can't synchronise: no majority

Mar 21 04:26:16 12cr2db chronyd[680]: Selected source 166.111.206.172

Mar 21 04:26:16 12cr2db chronyd[680]: System clock wrong by 71026.271062 seconds, adjustment started

Mar 21 04:31:19 12cr2db chronyd[680]: Can't synchronise: no majority

Mar 21 04:34:13 12cr2db chronyd[680]: Selected source 212.47.249.141

[root@12cr2db ~]#


 

2.3         查看时间同步源状态


https://www.cndba.cn/cndba/dave/article/1820
https://www.cndba.cn/cndba/dave/article/1820

[root@12cr2db ~]# chronyc sourcestats -v

210 Number of sources = 4

                             .- Number of sample points in measurement set.

                            /    .- Number of residual runs with same sign.

                           |    /    .- Length of measurement set (time).

                           |   |    /      .- Est. clock freq error (ppm).

                           |   |   |      /           .- Est. error in freq.

                           |   |   |     |           /         .- Est. offset.

                           |   |   |     |          |          |   On the -.

                           |   |   |     |          |          |   samples. /

                           |   |   |     |          |          |             |

Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev

==============================================================================

ntp2.itcompliance.dk        7   5   480    +49.652    187.985  +8863us    12ms

166.111.206.172            14   6   777     -2.573      5.088    -50ms   829us

61-216-153-104.HINET-IP.h  13   7  457m     -5.603      0.119  +71026s   849us

248.51-174-131.customer.l   9   5   659    +70.718    239.128    +32ms    30ms

 


2.4         查看时间同步源


https://www.cndba.cn/cndba/dave/article/1820

[root@12cr2db ~]# chronyc sources -v

210 Number of sources = 4

 

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.

 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,

| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.

||                                                 .- xxxx [ yyyy ] +/- zzzz

||      Reachability register (octal) -.           |  xxxx = adjusted offset,

||      Log2(Polling interval) --.      |          |  yyyy = measured offset,

||                                /     |          |  zzzz = estimated error.

||                                 |    |           /

MS Name/IP address         Stratum Poll Reach LastRx Last sample

===============================================================================

^* ntp2.itcompliance.dk          3   6    77    24  +6998us[+8472us] +/-  193ms

 

^+ 166.111.206.172               2   7   377   222    -52ms[  -37ms] +/-  270ms

^x 61-216-153-104.HINET-IP.h     3  10   202   43m  +71026s[+1891us] +/-   67ms

^+ 248.51-174-131.customer.l     2   6   375    11    +38ms[  +38ms] +/-  227ms


 

2.5         重启时间同步服务

[root@12cr2db ~]# systemctl restart chronyd.service

 

2.6         命令行工具:chronyc


https://www.cndba.cn/cndba/dave/article/1820

[root@12cr2db ~]# chronyc

chrony version 2.1.1

Copyright (C) 1997-2003, 2007, 2009-2015 Richard P. Curnow and others

chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and

you are welcome to redistribute it under certain conditions.  See the

GNU General Public License version 2 for details.

 

chronyc> help

Commands:

accheck 
: Check whether NTP access is allowed to
activity : Check how many NTP sources are online/offline add peer
... : Add a new NTP peer add server
... : Add a new NTP server allow [ ] : Allow NTP access to that subnet as a default allow all [ ] : Allow NTP access to that subnet and all children burst / [ / ] : Start a rapid set of measurements clients : Report on clients that have accessed the server cmdaccheck
: Check whether command access is allowed to
cmdallow [ ] : Allow command access to that subnet as a default cmdallow all [ ] : Allow command access to that subnet and all children cmddeny [ ] : Deny command access to that subnet as a default cmddeny all [ ] : Deny command access to that subnet and all children


https://www.cndba.cn/cndba/dave/article/1820

 

https://www.cndba.cn/cndba/dave/article/1820

 

版权声明:本文为博主原创文章,未经博主允许不得转载。

Linux7 chrony

用户评论
* 以下用户言论只代表其个人观点,不代表CNDBA社区的观点或立场
dave

dave

关注

人的一生应该是这样度过的:当他回首往事的时候,他不会因为虚度年华而悔恨,也不会因为碌碌无为而羞耻;这样,在临死的时候,他就能够说:“我的整个生命和全部精力,都已经献给世界上最壮丽的事业....."

  • 2256
    原创
  • 3
    翻译
  • 577
    转载
  • 191
    评论
  • 访问:7725611次
  • 积分:4330
  • 等级:核心会员
  • 排名:第1名
精华文章
    最新问题
    查看更多+
    热门文章
      热门用户
      推荐用户
        Copyright © 2016 All Rights Reserved. Powered by CNDBA · 皖ICP备2022006297号-1·

        QQ交流群

        注册联系QQ