Difference between revisions of "Network Time Protocol daemon (简体中文)"

From ArchWiki
m
(Synchronize clock once at boot: Update for systemd.)
(14 intermediate revisions by 8 users not shown)
Line 1: Line 1:
{{out of date}}
 
 
[[Category:Networking (简体中文)]]
 
[[Category:Networking (简体中文)]]
 
[[Category:Daemons and system services (简体中文)]]
 
[[Category:Daemons and system services (简体中文)]]
 
[[Category:简体中文]]
 
[[Category:简体中文]]
{{i18n|Network Time Protocol daemon}}
+
{{translateme (简体中文)}}
 +
[[en:Network Time Protocol daemon]]
 +
[[es:Network Time Protocol daemon]]
 +
[[fr:ntp]]
 +
[[it:Network Time Protocol daemon]]
 +
[[ru:Network Time Protocol daemon]]
 +
本文描述如何设置和运行 '''NTPd''' (Network Time Protocol daemon)。NTPd是使用网络时间协议将 GNU/Linux 系统的[[Time (简体中文)|软件时钟]]与 Internet 时间服务器同步的最常见的方法。如果正确设置,NTPd 可以使你的计算机作为时间服务器运行。
  
本文介绍Arch Linux中,如何让系统时间和标准时间同步的方法。第一种是openntpd:一种比较简单的方法;第二种,最完备的方法:ntpd。
+
==安装==
 +
[[安装]] {{pkg|ntp}},可以从[[官方源]]得到。
  
= OpenNTPD =
+
==配置==
 +
{{小贴士|{{pkg|ntp}} 包带有一个默认的 {{ic|/etc/ntp.conf}} 配置文件,可以让 NTPd 不需要自定义配置就可以运行}}
  
'''用OpenNTPD替代ntpd'''
+
===配置连接到 NTP 服务器===
 +
在你的 {{ic|/etc/ntp.conf}} 配置文件中定义的第一件事是你机器想同步的服务器。
  
OpenNTPD is a FREE, easy to use implementation of the Network Time Protocol. 能够使本地时间和NTP服务器的时间同步,同时也能使本地时间变成一个NTP服务器,发布给其他用户。
+
NTP servers are classified in a hierarchical system with many levels called ''strata'': the devices which are considered independent time sources are classified as ''stratum 0'' sources; the servers directly connected to ''stratum 0'' devices are classified as ''stratum 1'' sources; servers connected to ''stratum 1'' sources are then classified as ''stratum 2'' sources and so on.
  
OpenNTPD is primarily developed by Henning Brauer as part of the OpenBSD Project.
+
It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the [http://www.pool.ntp.org/ pool.ntp.org] servers ([http://support.ntp.org/bin/view/Servers/NTPPoolServers alternate link]) and choose the server pool that is closest to your location.
  
OpenNTPD is a brand new implementation of the ntp protocol.  相对于NTPD,OpenNTPD比较容易配置和使用。
+
下面几行仅仅是例子:
  
首先,安装 OpenNTPD package ——这包Arch Linux社区已经提供了(in the Arch Linux community repository)。
+
server 0.pool.ntp.org iburst
 +
server 1.pool.ntp.org iburst
 +
server 2.pool.ntp.org iburst
 +
server 3.pool.ntp.org iburst
  
<pre>
+
''iburst'' 选项是推荐的,如果第一次尝试无法建立连接的话,会发送一系列的包。''burst'' 选项总是发送一系列的包,即使第一次尝试也是这样。如果没有明确的允许的话不要使用 ''burst'' 选项,有可能被封禁。
pacman -S openntpd
+
</pre>
+
  
安装完后,'''必须'''编辑配置文件: /etc/ntpd.conf
+
===配置自己的 NTP 服务器===
 +
如果建立一个 NTP 服务器,你需要添加 [http://www.ntp.org/ntpfaq/NTP-s-refclk.htm#Q-LOCAL-CLOCK ''local clock''] 作为一个服务器,这样,即便它失去网络连接,它也可以继续为网络提供服务;添加 ''local clock'' 作为一个 stratum 10 服务器 (使用 ''fudge'' 命令)这样它就只会在失去连接时使用本地时钟:
  
默认配置已经做好,本身就能够同步网络和本地时间。
+
server 127.127.1.0
<pre>
+
fudge  127.127.1.0 stratum 10
# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
+
# sample ntpd configuration file, see ntpd.conf(5)
+
  
# Addresses to listen on (ntpd does not listen by default)
+
下一步,定义规则允许客户端连接你的服务(''localhost'' 也被认为是一个客户端)。使用 ''restrict'' 命令;你应该在文件中已经有一行:
#listen on *
+
#listen on 127.0.0.1
+
#listen on ::1
+
  
# sync to a single server
+
restrict default nomodify nopeer noquery
#server ntp.example.org
+
  
# use a random selection of 8 public stratum 2 servers
+
This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: {{ic|nomodify}} prevents reconfiguring your ntpd (with ''ntpq'' or ''ntpdc''), and {{ic|noquery}} prevents dumping status data from your ntpd (also with ''ntpq'' or ''ntpdc'').
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
+
servers pool.ntp.org
+
</pre>
+
  
如果要和特定的服务器时间同步,去掉注释,并把服务器地址替换掉 "ntp.example.org"。
+
你也能添加其它选项:
<pre>
+
server ntp.example.org
+
</pre>
+
  
The "servers" directive works the same as the "server" directive, however, if the dns name resolves to multiple IP address, ALL of them will be synced to. 其实,默认的 "pool.ntp.org"已经可以满足大部分要求了。具体的时间服务器可以到这查看:www.pool.ntp.org/zone/asia
+
  restrict default kod nomodify notrap nopeer noquery
<pre>
+
pool.ntp.org
+
</pre>
+
  
Any number of "server" or "servers" directives may be used.
+
{{注意|这会允许其他人查询你的时间服务器。你需要添加 {{ic|noserve}} 来停止提供时间。}}
  
If you want the computer you run OpenNTPD on to also be a time server, simply uncomment and edit the "listen" directive.
+
"restrict"选项的完整文档可以从 {{ic|man ntp_acc}} 中查找到。详见 https://support.ntp.org/bin/view/Support/AccessRestrictions 。
  
For example:
+
你需要在这一行之后告诉 ''ntpd'' 什么可以访问你的服务器;如果你不是在配置一台 NTP 服务器的话,下面一行就足够了。
<pre>
+
listen on *
+
</pre>
+
will listen on all interfaces.
+
  
and
+
restrict 127.0.0.1
<pre>
+
listen on 127.0.0.1
+
</pre>
+
will only listen on the loopback interface.
+
  
If you would like to run OpenNTPD at boot, add openntpd the DAEMONS variable in your /etc/rc.conf.
+
If you want to force DNS resolution to the IPv6 namespace, write {{ic|-6}} before the IP address or host name ({{ic|-4}} forces IPv4 instead), for example:
  
查看同步进度,可以查看 /var/log/daemon.log
+
restrict -6 default kod nomodify notrap nopeer noquery
 +
restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1
  
即刻同步时间:
+
Lastly, specify the drift file (which keeps track of your clock's time deviation) and optionally the log file location:
<pre>
+
net time set /bin/date
+
</pre>
+
  
= ntp =
+
driftfile /var/lib/ntp/ntp.drift
 +
logfile /var/log/ntp.log
  
pacman -S ntp
+
一份基础的配置文件是这样的 ('''为了清晰起见,已删掉了所有的注释'''):
  
'''/etc/ntp.conf''' '''Configuration'''
+
{{hc|/etc/ntp.conf|
 +
server 0.pool.ntp.org iburst
 +
server 1.pool.ntp.org iburst
 +
server 2.pool.ntp.org iburst
 +
server 3.pool.ntp.org iburst
  
The very first line of your ntp.conf file should contain a line such as the following:
+
restrict default kod nomodify notrap nopeer noquery
restrict default noquery notrust nomodify
+
restrict -6 default kod nomodify notrap nopeer noquery
  
This essentially restricts everyone from modifying anything. Following this, you need to let ntpd know what you want to let through into your NTP server. Here is where you would specify any other ip addresses you would like to synchronize on your NTP server. For example:
 
 
restrict 1.2.3.4
 
restrict 192.168.0.0 mask 255.255.255.0 nomodify
 
 
This tells ntpd that 1.2.3.4 and all ip addresses from the 192.168.0.0 range will be allowed to synchronize on this server, but they will not be allowed to modify anything. All other IP addresses in the world will still obey the default restrictions (the first line in the ntp.conf).
 
 
Now, is where the stratum 2 servers that our server will synchronize with come into play. The lines in ntp.conf will be used to tell ntpd what servers we would like to use for synchronizing (these are just examples; use ntp servers that are closest to your location). Please see http://ntp.isc.org/bin/view/Servers/NTPPoolServers for a list a closer servers.
 
 
<pre>
 
server ntp1.cs.wisc.edu
 
server ntp3.cs.wisc.edu
 
server ntp3.sf-bay.org
 
</pre>
 
 
Unless you have a good reason not to, it is advisable to use the pool.ntp.org servers: http://www.pool.ntp.org/.
 
Alternatively, a list of ntp servers is available at http://www.eecis.udel.edu/~mills/ntp/clock2a.html. Please pay attention to the Access Policies.
 
 
If we left it alone right now, we would never connect to a server because the response from any of the three servers listed above would never be allowed back into our server due to the fact that our default restrict statement would be in use (since we did not add the servers to our lesser restrictions (like we did with 127.0.0.1 and the subnet of 192.168.0.0).
 
 
To correct this, enter the following lines in ntp.conf:
 
 
<pre>
 
restrict ntp1.cs.wisc.edu noquery nomodify
 
restrict ntp3.cs.wisc.edu noquery nomodify
 
restrict ntp3.sf-bay.org noquery nomodify
 
</pre>
 
 
This will allow the response from the above servers into our system so our local clock can be synchronized. The noquery restriction will not allow any of the above three servers to query for information from our server. The nomodify restriction will not allow the three servers to modify anything (synchronization will still take place).
 
 
The only thing left to do is add the drift file (which keeps track of yours clocks time deviation). and the log file location:
 
 
<pre>
 
driftfile /etc/ntp.drift
 
logfile /var/log/ntp.log
 
</pre>
 
 
The complete file will look like this:
 
 
<pre>
 
# default restrictions
 
restrict default noquery notrust nomodify
 
 
# override the default restrictions here
 
restrict 10.1.1.0 mask 255.255.255.0 nomodify
 
 
# public NTP servers to sync with (all stratum 2)
 
server ntp1.cs.wisc.edu
 
server ntp3.cs.wisc.edu
 
server ntp3.sf-bay.org
 
 
restrict ntp1.cs.wisc.edu noquery nomodify
 
restrict ntp3.cs.wisc.edu noquery nomodify
 
restrict ntp3.sf-bay.org noquery nomodify
 
 
# NTP drift file - used to keep track of your system clocks
 
# time deviation
 
driftfile /etc/ntp.drift
 
 
# NTP log file
 
logfile /var/log/ntp.log
 
</pre>
 
 
Take note that this is for a client and a server ntp.conf configuration. If you just want to synchronize with a stratum server and are not concerned with other PCs synchronizing with your ntp server, then you can do something like the following (note that only 127.0.0.1 is allowed to be synchronized):
 
 
<pre>
 
# default restrictions
 
restrict default noquery notrust nomodify
 
 
# Permit all access over the loopback interface
 
 
restrict 127.0.0.1
 
restrict 127.0.0.1
 +
restrict -6 ::1 
  
# public NTP servers to sync with (all stratum 2)
+
driftfile /var/lib/ntp/ntp.drift
server ntp1.cs.wisc.edu
+
server ntp3.cs.wisc.edu
+
server ntp3.sf-bay.org
+
 
+
restrict ntp1.cs.wisc.edu noquery nomodify
+
restrict ntp3.cs.wisc.edu noquery nomodify
+
restrict ntp3.sf-bay.org noquery nomodify
+
 
+
# NTP drift file - used to keep track of your system clocks
+
# time deviation
+
driftfile /etc/ntp.drift
+
 
+
# NTP log file
+
 
logfile /var/log/ntp.log
 
logfile /var/log/ntp.log
</pre>
+
}}
 
+
... or if you don't care about restrictions at all, something like this (note there are no restrictions, thus no need to reduce restrictions for 127.0.0.1 to allow your local clock to synchronize):
+
 
+
<pre>
+
# public NTP servers to sync with (all stratum 2)
+
server ntp1.cs.wisc.edu
+
server ntp3.cs.wisc.edu
+
server ntp3.sf-bay.org
+
 
+
# NTP drift file - used to keep track of your system clocks
+
# time deviation
+
driftfile /etc/ntp.drift
+
 
+
# NTP log file
+
logfile /var/log/ntp.log
+
</pre>
+
 
+
 
+
'''A''' '''Note''' '''about''' '''Security'''
+
 
+
You may wonder about all of the restrict lines.  The reason for them is security.  If you don't want a secure NTP server, don't add any restrict lines to your ntp.conf file.  If you want a secure NTP server, start out by adding a default restrict that doesn't allow anything to contact your server, then add more (less restrictive) restrict lines - allowing certain addresses various access privileges.
+
 
+
  
'''/etc/rc.d/network''' '''file''' '''modification'''
+
{{注意|定义日志文件不是必须的,但是它对于反馈 ''ntpd'' 操作是有好处的。}}
  
One more thing that you may want to do.  大多数情况下, /etc/ntp.conf 会被dhcp重写,为防止发生这情况,编辑 the /etc/conf.d/dhcpcd , add -N to the line that starts with 'dhcpcd -t 10'.
+
===其他关于配置 NTP 的资源===
 +
总之,永远不要忘记手册页: {{ic|man ntp.conf}} 有可能可以回答你仍旧有的任何疑问。(见相关的手册页: {{ic|man <nowiki>{ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}</nowiki>}})。
  
 +
{{Gentoo|NTP}}
  
 +
==不以守护进程使用==
 +
想要仅仅同步时钟一次,不想启动守护进程的话,运行:
 +
# ntpd -qg
 +
# hwclock -w
  
FYI: This was my experience/solution with setting the time.
+
{{ic|ntpd -qg}} 与 {{ic|ntpdate}} 程序效果相同,而ntpdate 已经[http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate 不推荐使用]. {{ic|hwclock -w}} 把时间存储到硬件时钟上,这样重启的时候就不会丢失了。
  
On my system my /etc/conf.d/dhcpcd contains a single line:
+
{{ic|ntpd}} 的 {{ic|-g}} 选项允许时钟漂移大于警报级别(默认是 15 分钟)而不发出警告。注意这种误差是不正常的,也许意味着失去设置错误,时钟芯片错误,或仅仅是长时间的忽略。如果在这些情况下你不想设置时钟而且输出错误到 syslog,删除 {{ic|-g}}:
    DHCPCD_ARGS="-t 30 -h $HOSTNAME"
+
# ntpd -q
  
I assume it needs to be changed to:
+
===启动时同步一次时钟===
    DHCPCD_ARGS="-N -t 30 -h $HOSTNAME"
+
{{Warning|Using this method is discouraged on servers and in general on machines that need to run continuously for more than 2 or 3 days, as the system clock will be updated only once at boot time.}}
  
Some have suggested adding -R to preserve /etc/resolv.conf as well.
+
Write a ''oneshot'' [[systemd]] unit:
 +
{{hc|/etc/systemd/system/ntp-once.service|2=
 +
[Unit]
 +
Description=Network Time Service (once)
 +
After=network.target nss-lookup.target
  
'''To''' '''fix''' '''Time''' '''use''' '''/etc/rc.local'''
+
[Service]
 +
Type=oneshot
 +
ExecStart=/usr/bin/ntpd -q -g -u ntp:ntp ; /sbin/hwclock -w
  
To set the correct time; Set time and start ntpd at boot via  /etc/rc.local
+
[Install]
 +
WantedBy=multi-user.target}}
  
 +
and enable it: {{bc|# systemctl enable ntp-once}}
  
Relevant sections of /etc/rc.conf
+
==作为守护进程运行==
 +
===启动 ntpd===
 +
启动:
 +
# systemctl start ntpd
  
   
+
开机启动:
    HARDWARECLOCK="UTC"
+
# systemctl enable ntpd
    TIMEZONE="US/Mountain"
+
   
+
    Network/ DHCP section:
+
       
+
    lo="lo 127.0.0.1"
+
    eth0="dhcp"
+
    INTERFACES=(lo eth0)
+
   
+
    Daemons subsection:
+
   
+
    DAEMONS=(syslog-ng hotplug !pcmcia network netfs !ntpd crond dbus hal alsa gdm)
+
  
This is my /etc/rc.local
+
或者使用:
 +
# timedatectl set-ntp 1
  
 +
===NetworkManager===
 +
{{Note|ntpd should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.}}
 +
''ntpd'' can be brought up/down along with a network connection through the use of [[NetworkManager#Network Services with NetworkManager Dispatcher|NetworkManager's dispatcher scripts]]. You can install the needed script from [community]:
  
    #!/bin/bash
+
{{bc|# pacman -S networkmanager-dispatcher-ntpd}}
    #
+
    # /etc/rc.local: Local multi-user startup script.
+
    #
+
   
+
    # Re-copy ntp.conf (was over written by dhcp)
+
    cp /root/CONFIG.BAK/ntp.conf.bac /etc/ntp.conf
+
    # I advise you keep your desired /etc/ntp.conf
+
    # OUTSIDE of /etc
+
   
+
    # Set time
+
    /usr/bin/ntpdate ntp.nasa.gov #Use any time server you like here
+
   
+
    # Start ntpd
+
    /etc/rc.d/ntpd start
+
  
 +
===Running in a chroot===
 +
{{Note|Before attempting this, complete the previous section on running as non-root, since chroots are relatively useless at securing processes running as root.}}
  
And here is my /root/CONFIG.BAK/ntp.conf.bac (this is just a copy of the desired /etc/ntp.conf)
+
Edit {{ic|/etc/conf.d/ntpd.conf}} and change
  
 +
NTPD_ARGS="-g -u ntp:ntp"
  
    # default restrictions
+
to
    restrict default noquery notrust nomodify
+
   
+
    # override the default restrictions here
+
    restrict 127.0.0.1 nomodify
+
    restrict 192.168.2.0 mask 255.255.255.0 nomodify
+
   
+
    # public NTP servers to sync with (all stratum 2)
+
    server ntp.nasa.gov #Use any time server you like here
+
   
+
    restrict ntp.nasa.gov noquery nomodify
+
   
+
    # NTP drift file - used to keep track of your system clocks
+
    driftfile /etc/ntp.drift
+
   
+
    # NTP log file
+
    logfile /var/log/ntp.log
+
  
 +
NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp"
  
Leave /etc/conf.d/dhcpcd at default. Mine is a single line and reads
+
Then, edit {{ic|/etc/ntp.conf}} to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:
  
 +
driftfile      /var/lib/ntp/ntp.drift
  
    DHCPCD_ARGS="-t 30 -h $HOSTNAME"
+
to
  
 +
driftfile      /ntp.drift
  
With this configuration I get the correct time and ntpd running at boot.
+
Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):
There may be a better way, but this worked for me.
+
I hope it helps.
+
  
 +
{{bc|<nowiki># mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
 +
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services</nowiki>}}
  
 +
and by bind-mounting the aformentioned files:
  
'''Updating''' '''your''' '''system''' '''immediately''' '''using''' '''ntpdate'''
+
{{hc|/etc/fstab|
 +
...
 +
#ntpd chroot mounts
 +
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf none bind 0 0
 +
/etc/services   /var/lib/ntp/etc/services none bind 0 0
 +
/lib           /var/lib/ntp/lib none bind 0 0
 +
/proc   /var/lib/ntp/proc none bind 0 0
 +
}}
  
建议在/etc/rc.local加上下面一行,这样在系统启动时,就能和NTP时间同步 (服务器地址用一个对你来说快点的 NTP 服务器).
+
{{bc|# mount -a}}
  
<pre>
+
Finally, restart the daemon again:
/usr/bin/ntpdate ntp1.cs.wisc.edu
+
</pre>
+
  
Running ''ntpdate'' when you boot up is a good idea because ntpd may take a long time to synchronize your local clock depending on how far off the time is. If your clock is synchronized when ntpd starts, then it's sole purpose is to keep it synchronized.  To run ntpd at startup, add ''ntpd'' to the daemons section of the /etc/rc.conf file.
+
{{bc|# rc.d restart ntpd}}
  
ntpd will work well if you have a connection to the internet all the time. If you are using dialup, you may just want to stick with using ntpdate via the command line.
+
It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.
  
'''Querying''' '''your''' '''NTP''' '''server''' '''using''' '''ntpq'''
+
==Alternatives==
 +
Available alternative to NTPd are [[Chrony]], a dial-up friendly and specifically designed for systems that are not online all the time, and [[OpenNTPD]], part of the OpenBSD project and currently not maintained for Linux.
  
There is a default restrict statement for the localhost that includes an ignore flag.  Without overriding it (adding the line ''restrict'' ''127.0.0.1'') you will not be able to query your NTP server.  If that's not a concern to you, then leave out the restrict line for your localhost.  You will still be able to synchronize with your stratum 2 servers.
+
==参见==
 +
* [[Time (简体中文)]] (更多关于计算机计时的信息)
  
= External Resources =
+
==外部链接==
 
* http://www.ntp.org/
 
* http://www.ntp.org/
* http://twiki.ntp.org/bin/view/Main/WebHome
+
* http://support.ntp.org/
 +
* http://www.pool.ntp.org/
 
* http://www.eecis.udel.edu/~mills/ntp/html/index.html
 
* http://www.eecis.udel.edu/~mills/ntp/html/index.html
* http://www.openntpd.org
+
* http://www.akadia.com/services/ntp_synchronize.html
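
Review bot: The "Running in a chroot" section in the new revision still ends with `rc.d restart ntpd` and configures the daemon through NTPD_ARGS in /etc/conf.d/ntpd.conf, while the same revision documents starting the daemon with `systemctl start ntpd` and `systemctl enable ntpd`; the restart step should use the systemctl form so the procedure matches the rest of the page. The note opening that section also points to a "previous section on running as non-root" that is not among the sections in this revision, so the reference should be corrected or the section restored.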

Revision as of 05:45, 7 March 2013

The translation of this page needs updating; the content may have drifted from the English version. To contribute translations, visit the Simplified Chinese translation team.


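This article describes how to set up and run NTPd (Network Time Protocol daemon). NTPd is the most common way to synchronize the software clock of a GNU/Linux system with Internet time servers using the Network Time Protocol. If set up correctly, NTPd can also make your computer act as a time server.

Installation

Install ntp, available from the official repositories.

Configuration

Tip: The ntp package ships with a default /etc/ntp.conf configuration file that lets NTPd run without any custom configuration.

Configuring connection to NTP servers

The first thing you define in your /etc/ntp.conf configuration file is the servers your machine will synchronize to.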

NTP servers are classified in a hierarchical system with many levels called strata: the devices which are considered independent time sources are classified as stratum 0 sources; the servers directly connected to stratum 0 devices are classified as stratum 1 sources; servers connected to stratum 1 sources are then classified as stratum 2 sources and so on.

It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the pool.ntp.org servers (alternate link) and choose the server pool that is closest to your location.

The following lines are just an example:

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

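The iburst option is recommended; it sends a burst of packets if a connection cannot be established on the first attempt. The burst option always sends a burst of packets, even on the first attempt. Do not use the burst option without explicit permission, as it may get you banned.

Configuring your own NTP server

If you are setting up an NTP server, you need to add the local clock as a server so that it can continue to serve time to the network even if it loses its network connection; add the local clock as a stratum 10 server (using the fudge command) so that the local clock is only used when connectivity is lost: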

server 127.127.1.0
fudge  127.127.1.0 stratum 10

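Next, define the rules that allow clients to connect to your service (localhost is also considered a client). Use the restrict command; you should already have a line like this in the file: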

restrict default nomodify nopeer noquery

This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: nomodify prevents reconfiguring your ntpd (with ntpq or ntpdc), and noquery prevents dumping status data from your ntpd (also with ntpq or ntpdc).

You can also add other options:

restrict default kod nomodify notrap nopeer noquery
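
Note: This still allows other hosts to request the time from your server (noquery only blocks ntpq and ntpdc status queries). You need to add noserve to stop serving time.

Full documentation for the "restrict" option can be found in man ntp_acc. See also https://support.ntp.org/bin/view/Support/AccessRestrictions

After this line you need to tell ntpd what is allowed to access your server; if you are not configuring an NTP server, the following line is enough.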

restrict 127.0.0.1

If you want to force DNS resolution to the IPv6 namespace, write -6 before the IP address or host name (-4 forces IPv4 instead), for example:

restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1

Lastly, specify the drift file (which keeps track of your clock's time deviation) and optionally the log file location:

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

A basic configuration file looks like this (all comments have been removed for clarity):

/etc/ntp.conf
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1  

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

Note: Defining a log file is not required, but it is useful for getting feedback on what ntpd is doing.
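
The restrict and server rules described in this section can be checked mechanically. The audit below is an added example, not part of the wiki page or the ntp package; the function names, finding codes and the WEAK sample are constructed for illustration, and it assumes, as the page's basic configuration does, that IPv6 needs its own restrict -6 default line.

```python
"""Audit ntp.conf access-control lines (added example; names are illustrative)."""
LOOPBACK = {"127.0.0.1", "::1"}
# Flags carried by the default entries of the page's basic configuration.
REQUIRED = ("nomodify", "noquery", "nopeer", "notrap")

# The page's basic configuration (drift and log file lines omitted).
PAGE_BASIC = """\
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1
"""

# Constructed weak configuration (192.0.2.10 is a documentation address).
WEAK = """\
server 0.pool.ntp.org burst
restrict default nomodify
restrict 192.0.2.10
restrict 127.0.0.1
"""


def parse_restrict(tokens):
    """Return (family, address, flags) for a tokenized 'restrict' line."""
    rest = tokens[1:]
    family = "ipv4"
    if rest and rest[0] in ("-4", "-6"):
        family = "ipv6" if rest[0] == "-6" else "ipv4"
        rest = rest[1:]
    if not rest:
        return None
    address, rest = rest[0], rest[1:]
    if len(rest) >= 2 and rest[0] == "mask":
        rest = rest[2:]  # the netmask itself is not needed for these checks
    if ":" in address:
        family = "ipv6"
    return family, address, set(rest)


def audit(conf_text):
    """Return a list of (code, line_number, detail) findings."""
    findings = []
    has_default = {"ipv4": False, "ipv6": False}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "server" and "burst" in tokens[2:]:
            # 'burst' always sends a burst; the page says not to use it
            # without explicit permission. 'iburst' does not match here.
            findings.append(("BURST", lineno, tokens[1]))
        elif tokens[0] == "restrict":
            parsed = parse_restrict(tokens)
            if parsed is None:
                continue
            family, address, flags = parsed
            if address == "default":
                has_default[family] = True
                missing = [f for f in REQUIRED if f not in flags]
                if missing and "ignore" not in flags:
                    findings.append(("WEAK_DEFAULT", lineno, " ".join(missing)))
            elif not flags and address not in LOOPBACK:
                # A restrict line with no flags lifts every restriction.
                findings.append(("OPEN_HOST", lineno, address))
    for family, seen in has_default.items():
        if not seen:
            findings.append(("NO_DEFAULT", 0, family))
    return findings


if __name__ == "__main__":
    for name, conf in (("page basic config", PAGE_BASIC), ("weak sample", WEAK)):
        print(name, audit(conf) or "no findings")
```

Run against a real file with `audit(open("/etc/ntp.conf").read())`; a line number of 0 marks a finding about something missing from the whole file.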

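Other resources about configuring NTP

In any case, never forget the man pages: man ntp.conf will probably answer any doubts you still have (see also the related man pages: man {ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}).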


Using without daemon

To synchronize the clock only once, without starting the daemon, run:

# ntpd -qg
# hwclock -w

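ntpd -qg has the same effect as the ntpdate program, and ntpdate is deprecated. hwclock -w stores the time in the hardware clock so that it is not lost on reboot.

The -g option of ntpd allows the clock offset to exceed the panic threshold (15 minutes by default) without a warning. Note that such an offset is abnormal and may indicate a wrong time zone setting, a faulty clock chip, or simply a long period of neglect. If in these cases you would rather not set the clock and have an error written to syslog instead, remove -g: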

# ntpd -q

Synchronize clock once at boot

Warning: Using this method is discouraged on servers and in general on machines that need to run continuously for more than 2 or 3 days, as the system clock will be updated only once at boot time.

Write a oneshot systemd unit:

/etc/systemd/system/ntp-once.service
[Unit]
Description=Network Time Service (once)
After=network.target nss-lookup.target 

[Service]
Type=oneshot
ExecStart=/usr/bin/ntpd -q -g -u ntp:ntp ; /sbin/hwclock -w

[Install]
WantedBy=multi-user.target

and enable it:
# systemctl enable ntp-once

Running as a daemon

Starting ntpd

To start:

# systemctl start ntpd

To start at boot:

# systemctl enable ntpd

Alternatively, use:

# timedatectl set-ntp 1

NetworkManager

Note: ntpd should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.

ntpd can be brought up/down along with a network connection through the use of NetworkManager's dispatcher scripts. You can install the needed script from [community]:

# pacman -S networkmanager-dispatcher-ntpd

Running in a chroot

Note: Before attempting this, complete the previous section on running as non-root, since chroots are relatively useless at securing processes running as root.

Edit /etc/conf.d/ntpd.conf and change

NTPD_ARGS="-g -u ntp:ntp"

to

NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp"

Then, edit /etc/ntp.conf to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:

driftfile       /var/lib/ntp/ntp.drift

to

driftfile       /ntp.drift

Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):

# mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services

and by bind-mounting the aforementioned files:

/etc/fstab
...
#ntpd chroot mounts
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf none bind 0 0
/etc/services	  /var/lib/ntp/etc/services none bind 0 0
/lib		          /var/lib/ntp/lib none bind 0 0
/proc		  /var/lib/ntp/proc none bind 0 0

Then mount them:

# mount -a

Finally, restart the daemon again:

# rc.d restart ntpd

It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.

Alternatives

Available alternatives to NTPd are Chrony, which is dial-up friendly and specifically designed for systems that are not online all the time, and OpenNTPD, part of the OpenBSD project and currently not maintained for Linux.

See also

External links