Difference between revisions of "Network Time Protocol daemon (简体中文)"

From ArchWiki
(Synchronize the clock once at boot: Update for systemd.)
(flagged broken section links)
(Tag: wiki-scripts)
 
(18 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 +
[[Category:简体中文]]
 
[[Category:Networking (简体中文)]]
 
[[Category:Networking (简体中文)]]
 
[[Category:Daemons and system services (简体中文)]]
 
[[Category:Daemons and system services (简体中文)]]
[[Category:简体中文]]
 
{{translateme (简体中文)}}
 
 
[[en:Network Time Protocol daemon]]
 
[[en:Network Time Protocol daemon]]
 
[[es:Network Time Protocol daemon]]
 
[[es:Network Time Protocol daemon]]
 
[[fr:ntp]]
 
[[fr:ntp]]
 
[[it:Network Time Protocol daemon]]
 
[[it:Network Time Protocol daemon]]
 +
[[ja:Network Time Protocol daemon]]
 
[[ru:Network Time Protocol daemon]]
 
[[ru:Network Time Protocol daemon]]
本文描述如何设置和运行 '''NTPd''' (Network Time Protocol daemon)。NTPd是使用网络时间协议将 GNU/Linux 系统的[[Time (简体中文)|软件时钟]]与 Internet 时间服务器同步的最常见的方法。如果正确设置,NTPd 可以使你的计算机作为时间服务器运行。
+
{{Related articles start (简体中文)}}
 +
{{Related|Time (简体中文)}}
 +
{{Related|systemd-timesyncd}}
 +
{{Related|OpenNTPD}}
 +
{{Related|Chrony}}
 +
{{Related articles end}}
 +
{{TranslationStatus (简体中文)|Network_Time_Protocol_daemon|2016-05-08|412005}}
 +
[[Wikipedia:Network Time Protocol|Network Time Protocol]] (网络时间协议)是 GNU/Linux 系统通过互联网时间服务器同步系统[[Time (简体中文)|软件时钟]]的最常见方法。设计时考虑到了各种网络延迟,通过公共网络同步时,误差可以降低到10毫秒以内;通过本地网络同步时,误差可以降低到 1 毫秒。
 +
 
 +
[http://support.ntp.org/bin/view/Main/WebHome#The_NTP_Project NTP 项目]提供了一个名为简单 NTP 的参考实现。本文介绍如何设置和运行服务器和客户端 NTP 进程。
  
 
==安装==
 
==安装==
[[安装]] {{pkg|ntp}},可以从[[官方源]]得到。
+
[[安装]] {{pkg|ntp}} 软件包。如果不做任何配置, ''ntpd'' 默认工作于客户端模式。如果使用 Arch Linux 默认的配置,请跳转到 [[#使用]]。作为服务器的配置,请参阅 [[#NTP 服务器模式]]。
  
 
==配置==
 
==配置==
{{小贴士|{{pkg|ntp}} 包带有一个默认的 {{ic|/etc/ntp.conf}} 配置文件,可以让 NTPd 不需要自定义配置就可以运行}}
 
  
===配置连接到 NTP 服务器===
+
主要的后台进程是 ''ntpd'', 可以通过 {{ic|/etc/ntp.conf}} 配置。详细信息可以参考手册 {{ic|man ntp.conf}} 和相关的 {{ic|man <nowiki>{ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}</nowiki>}}.
在你的 {{ic|/etc/ntp.conf}} 配置文件中定义的第一件事是你机器想同步的服务器。
+
  
NTP servers are classified in a hierarchical system with many levels called ''strata'': the devices which are considered independent time sources are classified as ''stratum 0'' sources; the servers directly connected to ''stratum 0'' devices are classified as ''stratum 1'' sources; servers connected to ''stratum 1'' sources are then classified as ''stratum 2'' sources and so on.
+
=== 连接到 NTP 服务器 ===
  
It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the [http://www.pool.ntp.org/ pool.ntp.org] servers ([http://support.ntp.org/bin/view/Servers/NTPPoolServers alternate link]) and choose the server pool that is closest to your location.
+
NTP 服务器通过一个层级系统进行分类,不同的层级称为 ''strata'': 独立的时间源为''stratum 0''; 直接连接到 ''stratum 0'' 的设备为 ''stratum 1'';直接连接到 ''stratum 1'' 的源为 ''stratum 2'',以此类推。
  
下面几行仅仅是例子:
+
服务器的 stratum 并不能完全等同于它的精度和可靠度。通常的时间同步都使用 stratum 2 服务器。通过[http://www.pool.ntp.org/ pool.ntp.org] 服务器或[http://support.ntp.org/bin/view/Servers/NTPPoolServers 这个链接] 可以选择比较近的服务器池。
  
server 0.pool.ntp.org iburst
+
下面几行仅仅是例子:
server 1.pool.ntp.org iburst
+
{{hc|/etc/ntp.conf|
server 2.pool.ntp.org iburst
+
server 0.fr.pool.ntp.org iburst
server 3.pool.ntp.org iburst
+
server 1.fr.pool.ntp.org iburst
 +
server 2.fr.pool.ntp.org iburst
 +
server 3.fr.pool.ntp.org iburst
 +
}}
  
''iburst'' 选项是推荐的,如果第一次尝试无法建立连接的话,会发送一系列的包。''burst'' 选项总是发送一系列的包,即使第一次尝试也是这样。如果没有明确的允许的话不要使用 ''burst'' 选项,有可能被封禁。
+
推荐使用{{ic|iburst}}选项,如果第一次尝试无法建立连接,程序会发送一系列的包。{{ic|burst}} 选项则总是发送一系列的包,即使第一次也是这样。如果没有明确的允许的话不要使用 ''burst'' 选项,有可能被封禁。
  
===配置自己的 NTP 服务器===
+
===NTP 服务器模式===
 
如果建立一个 NTP 服务器,你需要添加 [http://www.ntp.org/ntpfaq/NTP-s-refclk.htm#Q-LOCAL-CLOCK ''local clock''] 作为一个服务器,这样,即便它失去网络连接,它也可以继续为网络提供服务;添加 ''local clock'' 作为一个 stratum 10 服务器 (使用 ''fudge'' 命令)这样它就只会在失去连接时使用本地时钟:
 
如果建立一个 NTP 服务器,你需要添加 [http://www.ntp.org/ntpfaq/NTP-s-refclk.htm#Q-LOCAL-CLOCK ''local clock''] 作为一个服务器,这样,即便它失去网络连接,它也可以继续为网络提供服务;添加 ''local clock'' 作为一个 stratum 10 服务器 (使用 ''fudge'' 命令)这样它就只会在失去连接时使用本地时钟:
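Review bot: the added iburst/burst paragraph formats the option names inconsistently. Its first two mentions use {{ic|iburst}} and {{ic|burst}}, but the closing sentence, the one that warns about being banned, still has ''burst'' in italics. Use {{ic|burst}} there as well, so the warning visibly refers to the same option. The example servers also changed from 0.pool.ntp.org to 0.fr.pool.ntp.org; since the preceding sentence tells readers to pick a nearby pool, the generic pool names are the safer thing to copy.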
  
Line 42: Line 52:
 
  restrict default nomodify nopeer noquery
 
  restrict default nomodify nopeer noquery
  
This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: {{ic|nomodify}} prevents reconfiguring your ntpd (with ''ntpq'' or ''ntpdc''), and {{ic|noquery}} prevents dumping status data from your ntpd (also with ''ntpq'' or ''ntpdc'').
+
这限制了每个人做任何修改并阻止每个人请求你的时间服务器状态:{{ic|nomodify}} 防止重新配置你的ntpd(使用''ntpq'' ''ntpdc'' ),{{ic|noquery}} 防止从你的nptd(或是''ntpq'' ''ntpdc'')获取状态数据。
  
 
你也能添加其它选项:
 
你也能添加其它选项:
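Review bot: the added translation line misspells the daemon as "nptd" in the noquery clause, and both parentheses drop the connective between ''ntpq'' and ''ntpdc''. The removed English line said "with ''ntpq'' or ''ntpdc''", so the two tools should read as alternatives. Suggest "ntpd(使用 ''ntpq'' 或 ''ntpdc'')" in both places, which also fixes the second parenthesis that currently reads as if the tools were the source of the status data.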
Line 56: Line 66:
 
  restrict 127.0.0.1
 
  restrict 127.0.0.1
  
If you want to force DNS resolution to the IPv6 namespace, write {{ic|-6}} before the IP address or host name ({{ic|-4}} forces IPv4 instead), for example:
+
如果你想要强制DNS解析到IPv6域名,在IP地址或域名前写上 {{ic|-6}}{{ic|-4}} 则强制使用IPv4域名),例如:
  
 
  restrict -6 default kod nomodify notrap nopeer noquery
 
  restrict -6 default kod nomodify notrap nopeer noquery
 
  restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1
 
  restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1
  
Lastly, specify the drift file (which keeps track of your clock's time deviation) and optionally the log file location:
+
最后,指定drift文件(它能时刻监控你的时钟的时间漂移)和log文件的位置:
  
 
  driftfile /var/lib/ntp/ntp.drift
 
  driftfile /var/lib/ntp/ntp.drift
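Review bot: in the added line about forcing IPv6, {{ic|-6}}{{ic|-4}} run together and the opening parenthesis before {{ic|-4}} is missing, which leaves an unmatched ")" and makes it look as if both flags are written before the address. The removed English line had "{{ic|-6}} before the IP address or host name ({{ic|-4}} forces IPv4 instead)"; restore the "(" and the separation. The added drift file line also drops "optionally" for the log file, although the later note still says the log file is not required.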
Line 86: Line 96:
 
{{注意|定义日志文件不是必须的,但是它对于反馈 ''ntpd'' 操作是有好处的。}}
 
{{注意|定义日志文件不是必须的,但是它对于反馈 ''ntpd'' 操作是有好处的。}}
  
===其他关于配置 NTP 的资源===
+
== 使用 ==
总之,永远不要忘记手册页: {{ic|man ntp.conf}} 有可能可以回答你仍旧有的任何疑问。(见相关的手册页: {{ic|man <nowiki>{ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}</nowiki>}})。
+
  
{{Gentoo|NTP}}
+
软件包默认包含客户端模式的配置,并且使用单独的用户和群组,启动时就会移除 root 权限。如果在终端中启动,请使用 {{ic|-u}} 选项:
  
==不以守护进程使用==
+
  # ntpd -u ntp:ntp
想要仅仅同步时钟一次,不想启动守护进程的话,运行:
+
  # ntpd -qg
+
# hwclock -w
+
  
{{ic|ntpd -qg}} {{ic|ntpdate}} 程序效果相同,而ntpdate 已经[http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate 不推荐使用]. {{ic|hwclock -w}} 把时间存储到硬件时钟上,这样重启的时候就不会丢失了。
+
systemd 服务默认使用 {{ic|-u}} 选项和 {{ic|-g}} 选项禁用一个阈值(''panic-gate''). 这样即使 ntp-server 的时间和系统时间的差异超过阈值,依然会同步时间。
  
{{ic|ntpd}} 的 {{ic|-g}} 选项允许时钟漂移大于警报级别(默认是 15 分钟)而不发出警告。注意这种误差是不正常的,也许意味着失去设置错误,时钟芯片错误,或仅仅是长时间的忽略。如果在这些情况下你不想设置时钟而且输出错误到 syslog,删除 {{ic|-g}}:
+
{{Warning|使用 panic-gate 的原因是某些后台任务或服务会引起时间跳跃. 如果系统的时间从来没有同步过,请考虑先禁用其他服务再进行同步。}}
# ntpd -q
+
  
===启动时同步一次时钟===
+
两个服务都依赖系统网络状况,会在检测到网络连接时开始同步。
{{Warning|Using this method is discouraged on servers and in general on machines that need to run continuously for more than 2 or 3 days, as the system clock will be updated only once at boot time.}}
+
  
Write a ''oneshot'' [[systemd]] unit:
+
=== 启动时启用 ntpd ===
{{hc|/etc/systemd/system/ntp-once.service|2=
+
[Unit]
+
Description=Network Time Service (once)
+
After=network.target nss-lookup.target
+
  
 +
[[Enable|启用]] {{ic|ntpd.service}} 服务.
 +
 +
{{Note|systemd 命令 ''timedatectl'' 仅可以控制 [[systemd-timesyncd]], 用 root 执行 {{ic|timedatectl set-ntp 1}} 会停止运行中的 {{ic|ntpd.service}}.[http://lists.freedesktop.org/archives/systemd-devel/2015-April/030277.html]}}
 +
 +
用 ''ntpq'' 可以查看同步的状态:
 +
 +
$ ntpq -p
 +
 +
delay, offset 和 jitter 不应该为零,''ntpd'' 同步的服务器前有星号,''ntpd'' 可能等待很多分钟后才会进行同步,请等 17 分钟 (1024 秒).
 +
 +
=== 每次启动同步一次 ===
 +
 +
另一种方式是 [[enable|启用]] {{ic|ntpdate.service}} 服务,每次启动都同步一次({{ic|-q}}) 并且是 non-forking ({{ic|-n}}), 进程不会在后台运行。如果是服务器或者很多天才会重启一次,不建议使用此方式。
 +
 +
如果需要把同步到的时间写入硬件时钟,请按照 [[systemd#Editing provided units|这里]] 的说明修改服务并启动:
 +
 +
{{hc|/etc/systemd/system/ntpdate.service.d/hwclock.conf|2=
 
[Service]
 
[Service]
Type=oneshot
+
ExecStart=/usr/bin/hwclock -w
ExecStart=/usr/bin/ntpd -q -g -u ntp:ntp ; /sbin/hwclock -w
+
}}
  
[Install]
+
== 技巧 ==
WantedBy=multi-user.target}}
+
  
and enable it: {{bc|# systemctl enable ntp-once}}
+
=== Start ntpd on network connection ===
  
==作为守护进程运行==
+
''ntpd'' can be started by your network manager, so that the daemon only runs when the computer is online.
===启动 ntpd===
+
启动:
+
# systemctl start ntpd
+
  
开机启动:
+
;Netctl
# systemctl enable ntpd
+
  
或者使用:
+
{{Style|add {{ic|-u}} and optionally refer to [[#Usage]], or use systemctl if possible}}
# timedatectl set-ntp 1
+
  
===NetworkManager===
+
Append the following lines to your [[netctl]] profile:
{{Note|ntpd should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.}}
+
''ntpd'' can be brought up/down along with a network connection through the use of [[NetworkManager#Network Services with NetworkManager Dispatcher|NetworkManager's dispatcher scripts]]. You can install the needed script from [community]:
+
  
{{bc|# pacman -S networkmanager-dispatcher-ntpd}}
+
ExecUpPost='/usr/bin/ntpd || true'
 +
ExecDownPre='killall ntpd || true'
  
===Running in a chroot===
+
;NetworkManager
{{Note|Before attempting this, complete the previous section on running as non-root, since chroots are relatively useless at securing processes running as root.}}
+
  
Edit {{ic|/etc/conf.d/ntpd.conf}} and change
+
The ''ntpd'' daemon can be brought up/down along with a network connection through the use of NetworkManager's [[NetworkManager#Network services with NetworkManager dispatcher|dispatcher]] scripts. The {{Pkg|networkmanager-dispatcher-ntpd}} package installs one, pre-configured to start and stop the [[#Start ntpd at boot|ntpd service]]{{Broken section link}} with a connection.
  
NTPD_ARGS="-g -u ntp:ntp"
+
;Wicd
  
to
+
For [[Wicd]], create a start script in the {{ic|postconnect}} directory and a stop script in the {{ic|predisconnect}} directory. Remember to make them executable:
  
NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp"
+
{{hc|/etc/wicd/scripts/postconnect/ntpd|
 +
#!/bin/bash
 +
systemctl start ntpd &
 +
}}
  
Then, edit {{ic|/etc/ntp.conf}} to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:
+
{{hc|/etc/wicd/scripts/predisconnect/ntpd|
 +
#!/bin/bash
 +
systemctl stop ntpd &
 +
}}
  
 +
{{Note|You are advised to customize the options for the ''ntpd'' command as explained in [[#Usage]]{{Broken section link}}.}}
 +
 +
See also [[Wicd#Scripts]].
 +
 +
;KDE
 +
 +
KDE can use NTP (ntp must be installed) by right clicking the clock and selecting ''Adjust date/time''. However, this requires the ntp daemon to be [[disable]]d before configuring KDE to use NTP. [https://bugs.kde.org/show_bug.cgi?id=178968]
 +
 +
=== Using ntpd with GPS ===
 +
 +
Most of the articles online about configuring ''ntpd'' to receive time from a GPS suggest to use the SHM (shared memory) method. However, at least since ''ntpd'' version 4.2.8 a ''much better'' method is available. It connects directly to ''gpsd'', so {{Pkg|gpsd}} needs to be installed.
 +
 +
Add these lines to your {{ic|/etc/ntp.conf}}:
 +
 +
{{hc|head=/etc/ntp.conf|output=
 +
#=========================================================
 +
#  GPSD native ntpd driver
 +
#=========================================================
 +
# This driver exists from at least ntp version 4.2.8
 +
# Details at
 +
#  https://www.eecis.udel.edu/~mills/ntp/html/drivers/driver46.html
 +
server 127.127.46.0
 +
fudge 127.127.46.0 time1 0.0 time2 0.0 refid GPS
 +
}}
 +
 +
This will work as long as you have ''gpsd'' working. It connects to ''gpsd'' via the local socket and queries the "gpsd_json" object that is returned.
 +
 +
To test the setup, first ensure that ''gpsd'' is working by running:
 +
 +
  $ cgps -s
 +
 +
Then wait a few minutes and run {{ic|ntpq -p}}. This will show if ''ntpd'' is talking to ''gpsd'':
 +
 +
{{hc|$ ntpq -p|output=
 +
    remote          refid            st t when poll reach  delay  offset  jitter
 +
==================================================================================
 +
*GPSD_JSON(0)    .GPS.            0 l  55  64  377    0.000    2.556  14.109
 +
}}
 +
 +
{{Tip|If the ''reach'' column is 0, it means ''ntpd'' has not been able to talk to ''gpsd''. Wait a few minutes and try again. Sometimes it takes ''ntpd'' a while.}}
 +
 +
=== Running in a chroot ===
 +
 +
{{Note|''ntpd'' should be started as non-root (default in the Arch Linux package) before attempting to jail it in a chroot, since chroots are relatively useless at securing processes running as root.}}
 +
 +
Create a new directory {{ic|/etc/systemd/system/ntpd.service.d/}} if it does not exist and a file named {{ic|customexec.conf}} inside with the following content:
 +
[Service]
 +
ExecStart=
 +
ExecStart=/usr/bin/ntpd -g -i /var/lib/ntp -u ntp:ntp -p /run/ntpd.pid
 +
 +
Then, edit {{ic|/etc/ntp.conf}} to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:
 
  driftfile      /var/lib/ntp/ntp.drift
 
  driftfile      /var/lib/ntp/ntp.drift
  
 
to
 
to
 
 
  driftfile      /ntp.drift
 
  driftfile      /ntp.drift
  
 
Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):
 
Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):
 
+
# mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
{{bc|<nowiki># mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
+
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services</nowiki>}}
+
  
 
and by bind-mounting the aformentioned files:
 
and by bind-mounting the aformentioned files:
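Review bot: the Netctl snippet in this hunk starts the daemon with ExecUpPost='/usr/bin/ntpd || true', without the -u ntp:ntp that the new 使用 section says to pass when ntpd is started outside the systemd unit, so a daemon started this way keeps root privileges. The {{Style}} flag above the snippet already asks for this; the simplest fix is to call systemctl start ntpd and systemctl stop ntpd as the Wicd scripts do. The [[#Usage]] and [[#Start ntpd at boot]] links are marked {{Broken section link}} because the headings in this revision are 使用 and 启动时启用 ntpd; point the links at those anchors instead of flagging them.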
Line 167: Line 231:
 
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf none bind 0 0
 
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf none bind 0 0
 
/etc/services   /var/lib/ntp/etc/services none bind 0 0
 
/etc/services   /var/lib/ntp/etc/services none bind 0 0
/lib           /var/lib/ntp/lib none bind 0 0
+
/lib   /var/lib/ntp/lib none bind 0 0
 
/proc   /var/lib/ntp/proc none bind 0 0
 
/proc   /var/lib/ntp/proc none bind 0 0
 
}}
 
}}
  
{{bc|# mount -a}}
+
# mount -a
 
+
Finally, restart the daemon again:
+
 
+
{{bc|# rc.d restart ntpd}}
+
  
It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.
+
Finally, restart {{ic|ntpd}} daemon again. Once it restarted you can verify that the daemon process is chrooted by checking where {{ic|/proc/{PID}/root}} symlinks to:
 +
# ps -C ntpd | awk '{print $1}' | sed 1d | while read -r PID; do ls -l /proc/$PID/root; done
 +
should now link to {{ic|/var/lib/ntp}} instead of {{ic|/}}.
  
==Alternatives==
+
It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ''ntpd'' does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.
Available alternative to NTPd are [[Chrony]], a dial-up friendly and specifically designed for systems that are not online all the time, and [[OpenNTPD]], part of the OpenBSD project and currently not maintained for Linux.
+
  
 
==参见==
 
==参见==
* [[Time (简体中文)]] (更多关于计算机计时的信息)
 
  
==外部链接==
 
 
* http://www.ntp.org/
 
* http://www.ntp.org/
 
* http://support.ntp.org/
 
* http://support.ntp.org/
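Review bot: the added verification text ends in a fragment, "should now link to {{ic|/var/lib/ntp}} instead of {{ic|/}}.", which has no subject after the command line; say what should link there, for example that the root symlink of each ntpd process should now point to {{ic|/var/lib/ntp}}. The restart step also lost its command when "# rc.d restart ntpd" was removed; giving the systemctl restart ntpd command would keep the step copyable. "Once it restarted" should read "Once it has restarted".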

Latest revision as of 10:02, 7 August 2016

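Translation status: This article is a translation of the English page Network_Time_Protocol_daemon, last translated on 2016-05-08. Click here to view changes made to the English page since the translation.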

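Network Time Protocol is the most common method for GNU/Linux systems to synchronize the system software clock with Internet time servers. It is designed to account for variable network latency: when synchronizing over public networks the error can be reduced to within 10 milliseconds, and when synchronizing over a local network it can be reduced to 1 millisecond.

The NTP Project provides a reference implementation called simply NTP. This article describes how to set up and run the NTP daemon as both server and client.

Installation

Install the ntp package. Without any configuration, ntpd works in client mode by default. To use the Arch Linux default configuration, skip to #Usage. For server configuration, see #NTP server mode.

Configuration

The main daemon is ntpd, which is configured through /etc/ntp.conf. For details, see the manual page man ntp.conf and the related man {ntpd|ntp_auth|ntp_mon|ntp_acc|ntp_clock|ntp_misc}.

Connecting to NTP servers

NTP servers are classified in a hierarchical system whose levels are called strata: independent time sources are stratum 0; devices directly connected to stratum 0 are stratum 1; sources directly connected to stratum 1 are stratum 2, and so on.

A server's stratum cannot be fully equated with its accuracy and reliability. General time synchronization normally uses stratum 2 servers. You can choose a nearby server pool through the pool.ntp.org servers or through http://support.ntp.org/bin/view/Servers/NTPPoolServers.

The following lines are only an example: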

/etc/ntp.conf
server 0.fr.pool.ntp.org iburst
server 1.fr.pool.ntp.org iburst
server 2.fr.pool.ntp.org iburst
server 3.fr.pool.ntp.org iburst

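The iburst option is recommended: if the first attempt fails to establish a connection, a burst of packets is sent. The burst option always sends a burst of packets, even on the first attempt. Do not use the burst option without explicit permission, as it may get you banned.

NTP server mode

If you set up an NTP server, you need to add the local clock as a server so that it can keep serving time to the network even if it loses its network connection; add the local clock as a stratum 10 server (using the fudge command) so that the local clock is only used when the connection is lost: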

server 127.127.1.0
fudge  127.127.1.0 stratum 10

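Next, define rules that allow clients to connect to your service (localhost is considered a client too). Use the restrict command; you should already have a line like this in the file: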

restrict default nomodify nopeer noquery

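This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: nomodify prevents reconfiguring your ntpd (with ntpq or ntpdc), and noquery prevents dumping status data from your ntpd (also with ntpq or ntpdc).

You can also add other options: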

restrict default kod nomodify notrap nopeer noquery
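Note: This will allow other people to query your time server. You need to add noserve to stop serving time.

Full documentation for the "restrict" option can be found in man ntp_acc. See also https://support.ntp.org/bin/view/Support/AccessRestrictions

After this line you need to tell ntpd what is allowed to access your server; if you are not configuring an NTP server, the following line is enough.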

restrict 127.0.0.1

If you want to force DNS resolution to the IPv6 namespace, write -6 before the IP address or host name (-4 forces IPv4 instead), for example:

restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1    # ::1 is the IPv6 equivalent for 127.0.0.1

Lastly, specify the drift file (which keeps track of your clock's time deviation) and the log file location:

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

A basic configuration file looks like this (all comments have been stripped for clarity):

/etc/ntp.conf
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1  

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
Note: Defining the log file is not mandatory, but it is useful for getting feedback on ntpd operation.
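The checks this section describes can be run over a configuration file before it is deployed. The following is an added example, not part of the wiki page or of the ntp package: it flags server lines that use burst, default restrict lines that lack nomodify or noquery, and a local clock server with no fudge stratum line. The function name and the second sample configuration are constructed for the illustration.

```python
# Added example: audit an ntp.conf for the settings discussed in this section.
REQUIRED_DEFAULT_FLAGS = ("nomodify", "noquery")   # the two flags explained above
LOCAL_CLOCK = "127.127.1.0"                        # local clock address used on this page

def audit_ntp_conf(text):
    """Return sorted (line_number, message) findings for the given ntp.conf text."""
    findings = []
    local_clock_line = None
    local_clock_fudged = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()       # drop comments, then tokenize
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "server" and args:
            if args[0] == LOCAL_CLOCK:
                local_clock_line = lineno
            if "burst" in args[1:]:                # iburst is a different token
                findings.append((lineno, "burst used for %s; iburst is the "
                                         "recommended option" % args[0]))
        elif keyword == "fudge" and args[:1] == [LOCAL_CLOCK] and "stratum" in args:
            local_clock_fudged = True
        elif keyword == "restrict":
            rest = [a for a in args if a not in ("-4", "-6")]
            if rest[:1] == ["default"]:
                missing = [f for f in REQUIRED_DEFAULT_FLAGS if f not in rest[1:]]
                if missing:
                    findings.append((lineno, "default restrict lacks "
                                             + ", ".join(missing)))
    if local_clock_line is not None and not local_clock_fudged:
        findings.append((local_clock_line, "local clock has no fudge stratum line"))
    return sorted(findings)

# The basic configuration shown on this page.
PAGE_BASIC_CONF = """\
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
"""

# Constructed sample with three weaknesses, for comparison.
WEAK_CONF = """\
server 0.pool.ntp.org burst
server 127.127.1.0
restrict default nomodify nopeer   # noquery missing
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("page", PAGE_BASIC_CONF), ("weak", WEAK_CONF)):
        for lineno, message in audit_ntp_conf(conf) or [(0, "no findings")]:
            print("%s:%d: %s" % (name, lineno, message))
```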

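Usage

The package ships with a client-mode configuration by default and uses a dedicated user and group, so root privileges are dropped at startup. If you start the daemon from a terminal, use the -u option: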

# ntpd -u ntp:ntp

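By default the systemd service uses the -u option, together with the -g option, which disables a threshold (the panic-gate). As a result, the time is synchronized even if the difference between the NTP server's time and the system time exceeds the threshold.

Warning: The reason for the panic-gate is that time jumps can disrupt some background jobs or services. If the system time has never been synchronized, consider disabling other services before synchronizing.

Both services depend on the state of the system's network and start synchronizing when a network connection is detected.

Start ntpd at boot

Enable the ntpd.service service.

Note: The systemd command timedatectl can only control systemd-timesyncd; running timedatectl set-ntp 1 as root will stop a running ntpd.service.[1]

Use ntpq to check the synchronization status: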

$ ntpq -p

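delay, offset and jitter should not be zero, and the server that ntpd is synchronized to is marked with an asterisk. ntpd may wait many minutes before it synchronizes; allow 17 minutes (1024 seconds).

Synchronize once per boot

Another approach is to enable the ntpdate.service service, which synchronizes once at each boot (-q) and is non-forking (-n), so the process does not run in the background. This method is not recommended on servers or on machines that are rebooted only once in many days.

If the synchronized time needs to be written to the hardware clock, modify the service as described in systemd#Editing provided units and start it: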

/etc/systemd/system/ntpdate.service.d/hwclock.conf
[Service]
ExecStart=/usr/bin/hwclock -w

Tips and tricks

Start ntpd on network connection

ntpd can be started by your network manager, so that the daemon only runs when the computer is online.

Netctl

This article or section needs language, wiki syntax or style improvements.

Reason: add -u and optionally refer to #Usage, or use systemctl if possible (Discuss in Talk:Network Time Protocol daemon (简体中文)#)

Append the following lines to your netctl profile:

ExecUpPost='/usr/bin/ntpd || true'
ExecDownPre='killall ntpd || true'

NetworkManager

The ntpd daemon can be brought up/down along with a network connection through the use of NetworkManager's dispatcher scripts. The networkmanager-dispatcher-ntpd package installs one, pre-configured to start and stop the ntpd service with a connection.

Wicd

For Wicd, create a start script in the postconnect directory and a stop script in the predisconnect directory. Remember to make them executable:

/etc/wicd/scripts/postconnect/ntpd
#!/bin/bash
systemctl start ntpd &

/etc/wicd/scripts/predisconnect/ntpd
#!/bin/bash
systemctl stop ntpd &

Note: You are advised to customize the options for the ntpd command as explained in #Usage.

See also Wicd#Scripts.

KDE

KDE can use NTP (ntp must be installed) by right clicking the clock and selecting Adjust date/time. However, this requires the ntp daemon to be disabled before configuring KDE to use NTP. [2]

Using ntpd with GPS

Most of the articles online about configuring ntpd to receive time from a GPS suggest using the SHM (shared memory) method. However, at least since ntpd version 4.2.8 a much better method is available. It connects directly to gpsd, so gpsd needs to be installed.

Add these lines to your /etc/ntp.conf:

/etc/ntp.conf
#=========================================================
#  GPSD native ntpd driver
#=========================================================
# This driver exists from at least ntp version 4.2.8
# Details at
#   https://www.eecis.udel.edu/~mills/ntp/html/drivers/driver46.html
server 127.127.46.0 
fudge 127.127.46.0 time1 0.0 time2 0.0 refid GPS

This will work as long as you have gpsd working. It connects to gpsd via the local socket and queries the "gpsd_json" object that is returned.

To test the setup, first ensure that gpsd is working by running:

 $ cgps -s 

Then wait a few minutes and run ntpq -p. This will show if ntpd is talking to gpsd:

$ ntpq -p
remote           refid            st t when poll reach   delay   offset  jitter
==================================================================================
*GPSD_JSON(0)    .GPS.            0 l   55   64  377    0.000    2.556  14.109

Tip: If the reach column is 0, it means ntpd has not been able to talk to gpsd. Wait a few minutes and try again. Sometimes it takes ntpd a while.

Running in a chroot

Note: ntpd should be started as non-root (default in the Arch Linux package) before attempting to jail it in a chroot, since chroots are relatively useless at securing processes running as root.

Create a new directory /etc/systemd/system/ntpd.service.d/ if it does not exist and a file named customexec.conf inside with the following content:

[Service]
ExecStart=
ExecStart=/usr/bin/ntpd -g -i /var/lib/ntp -u ntp:ntp -p /run/ntpd.pid

Then, edit /etc/ntp.conf to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:

driftfile       /var/lib/ntp/ntp.drift

to

driftfile       /ntp.drift

Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):

# mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services

and by bind-mounting the aforementioned files:

/etc/fstab
...
#ntpd chroot mounts
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf none bind 0 0
/etc/services	  /var/lib/ntp/etc/services none bind 0 0
/lib		  /var/lib/ntp/lib none bind 0 0
/proc		  /var/lib/ntp/proc none bind 0 0

# mount -a

Finally, restart the ntpd daemon. Once it has restarted, you can verify that the daemon process is chrooted by checking where /proc/{PID}/root symlinks to:

# ps -C ntpd | awk '{print $1}' | sed 1d | while read -r PID; do ls -l /proc/$PID/root; done

The symlink should now point to /var/lib/ntp instead of /.

It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.
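The verification step above only checks the root symlink, while the note at the start of this section makes dropping root a precondition for the jail. The following added example (not from the wiki page) checks both for every ntpd process by reading /proc/PID/root and the Uid line of /proc/PID/status. The function names, the sample PIDs and UID 87 are constructed, and the demo runs against a fake /proc tree so that it works offline and without privileges.

```python
# Added example: confirm that each ntpd process is chrooted and not running as root.
import os
import tempfile

def ntpd_pids(proc="/proc"):
    """Return the PIDs whose /proc/<pid>/comm is exactly 'ntpd'."""
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as fh:
                if fh.read().strip() == "ntpd":
                    pids.append(int(entry))
        except OSError:                     # process exited or is unreadable
            continue
    return sorted(pids)

def jail_problems(pid, expected_root="/var/lib/ntp", proc="/proc"):
    """Return [] when the process root is expected_root and no UID field is 0."""
    base = os.path.join(proc, str(pid))
    problems = []
    # Reading another user's root link needs root privileges on a live system.
    root = os.readlink(os.path.join(base, "root"))
    if root.rstrip("/") != expected_root.rstrip("/"):
        problems.append("root is %s, not %s" % (root, expected_root))
    with open(os.path.join(base, "status")) as fh:
        for line in fh:
            if line.startswith("Uid:"):
                uids = line.split()[1:]     # real, effective, saved, filesystem
                if "0" in uids:
                    problems.append("running with UID 0: " + " ".join(uids))
    return problems

def build_fake_proc():
    """Constructed sample tree: PID 101 jailed as UID 87, PID 202 unjailed root."""
    top = tempfile.mkdtemp()
    for pid, root, uid in ((101, "/var/lib/ntp", 87), (202, "/", 0)):
        d = os.path.join(top, str(pid))
        os.mkdir(d)
        os.symlink(root, os.path.join(d, "root"))
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write("ntpd\n")
        with open(os.path.join(d, "status"), "w") as fh:
            fh.write("Name:\tntpd\nUid:\t%d\t%d\t%d\t%d\n" % (uid, uid, uid, uid))
    return top

if __name__ == "__main__":
    fake = build_fake_proc()
    # On a real host, call ntpd_pids() and jail_problems(pid) with the defaults.
    for pid in ntpd_pids(fake):
        print(pid, jail_problems(pid, proc=fake) or "jailed, non-root")
```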

See also