Deploy ntp services

Keywords: Programming network Ubuntu firewall CentOS

On the private-deployment platform an ntp server has to be deployed. Because the platform consists of two physical servers, two ntp servers are deployed here to avoid a single point of failure. The other clients in the same network segment calibrate and synchronize their clocks against these two servers through the ntp service.

Since it is a private platform, it is directly connected to the Internet only during the deployment and implementation stage; Internet access may not be available during subsequent production use.

Design: during the deployment and implementation phase, S1 synchronizes with network time through ntpdate <ip> and writes the result to the hardware clock. The upstream time server of the ntp server on S2 is S1.

#Ubuntu
/sbin/hwclock --systohc
#CentOS
/usr/sbin/hwclock --systohc
Server 1 S1
Server 2 S2
Client C

1. Firewall: open UDP port 123

#Disable the iptables rules or open UDP port 123
#CentOS
firewall-cmd --permanent --add-port=123/udp
firewall-cmd --reload
firewall-cmd --list-all
#Ubuntu
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

2. ntp server deployment and installation

Both the ntp servers and the client need the ntp package installed.

#CentOS
yum -y install ntp
#Ubuntu
apt-get -y install ntp
#You can also install directly through dpkg -i *.deb, but you need to install several dependent packages in turn
dpkg -i libopts25_5.12-0.1ubuntu1_amd64.deb
dpkg -i libcap2_2.22-1ubuntu3_amd64.deb
dpkg -i libssl1.0.0_1.0.1-4ubuntu5.38_amd64.deb
dpkg -i ntp_4.2.6.p3+dfsg-1ubuntu3.11_amd64.deb

3. ntp server configuration

#S1
tee /etc/ntp.conf <<-'EOF'
driftfile /var/lib/ntp/ntp.drift
server 120.25.108.11 prefer
server ntp1.aliyun.com
server ntp.ubuntu.com
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
server 127.127.1.0 iburst
fudge 127.127.1.0 stratum 10
EOF
ntpdate 120.25.108.11
/sbin/hwclock --systohc
service ntp start

#On S2, configure the ip of S1 as the upstream server
tee /etc/ntp.conf <<-'EOF'
driftfile /var/lib/ntp/ntp.drift
server S1 prefer
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
server 127.127.1.0 iburst
fudge 127.127.1.0 stratum 10
EOF
ntpdate 120.25.108.11
/sbin/hwclock --systohc
service ntp start

Common parameters of the restrict command:

ignore: deny all types of NTP connection
nomodify: clients cannot use ntpc or ntpq to modify the server's time parameters, but can still use this host for network time synchronization
noquery: clients cannot use ntpq, ntpc and similar commands to query the time server, which is equivalent to network timing without NTP query access
notrap: the trap remote event logging function is not provided
notrust: deny clients that are not authenticated
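The S1 and S2 configurations above restrict only localhost and the 192.168.0.0/24 segment; with no restrict default line, ntpd's permit-everything default applies to every other address, so any host that can reach UDP 123 may also query the daemon and attempt to modify it. Added example, not from the original post, of a default-deny restrict block in the same ntp.conf style (the segment and loopback lines are the post's own):

```conf
# Deny everything by default: other hosts may only ask for time. No mode 6/7
# queries (noquery), no runtime changes (nomodify), no trap logging (notrap),
# no symmetric peering (nopeer); kod rate-limits abusive clients.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Local host keeps full access for ntpq / ntpdc diagnostics
restrict 127.0.0.1
restrict -6 ::1
# Clients on the platform segment may synchronize but not modify or trap
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
```

Client-mode requests from S2 to S1 are still answered under these defaults, since noquery blocks only the ntpq/ntpdc control traffic, not time requests.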

4. ntp client configuration

#On client C, configure the ips of S1 and S2
tee /etc/ntp.conf <<-'EOF'
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
#tinker panic sets the largest offset (in seconds) from the server that ntpd will still correct instead of exiting; the default is 1000, 0 removes the limit
tinker panic 0
#minpoll is the minimum polling interval as a power of 2 seconds; 3 means 2^3 = 8 seconds
server S1 prefer minpoll 3 maxpoll 3
#maxpoll is the maximum polling interval as a power of 2 seconds; the default is 10 (1024 seconds), here it is pinned to 3 so the poll interval stays at 8 seconds
server S2 iburst  minpoll 3 maxpoll 3
restrict S1
restrict S2
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10 
EOF

5. Checking status

#View the listening port
netstat -ln | grep 123
#View service connections and ports
netstat -tlunp | grep ntp
#Is the host synchronized with the upstream server
ntpstat
#State of the upstream ntp peers
ntpq -p
#Monitor the status continuously
watch ntpq -p
Explanation of the ntpq -p output columns:

remote: IP or hostname of the NTP host; the symbol on the left indicates its status:
  「 * 」 the upstream NTP server currently in use
  「 + 」 the host is also reachable and is the next candidate to provide time updates
  if the symbol is blank, the NTP server is not qualified for selection
refid: the address of the NTP host one layer above this one
st: stratum of the remote server, 0-16; 0 is the highest level
when: how many seconds ago the last time synchronization update happened
poll: how many seconds until the next update
reach: the number of times an update has been requested from the upstream NTP server
delay: the delay during network transmission, in units of 10^(-6) seconds
offset: the result of time compensation, in units of 10^(-3) seconds
jitter: the time difference between the Linux system time and the BIOS hardware time, in units of 10^(-6) seconds

6. Testing

Under normal conditions, S1 and S2 are both running. Check the status on C through the watch ntpq -p command while performing the following operations:

*S1        120.25.108.11    3 u    6    8  377    0.130   -1.079   0.180
+S2        192.168.0.2      4 u    5    8  377    0.238  -13.534   0.923
 LOCAL(0)  .LOCL.

(1) Stop S1

 S1        120.25.108.11    
*S2        192.168.0.2     
 LOCAL(0)  .LOCL.

(2) Stop S1 and then S2

 S1        .INIT.           
 S2        .INIT.           
*LOCAL(0)  .LOCL.

(3) From the state above (S1 and S2 both stopped), start only S2

On S2

 S1        .INIT.                      
*LOCAL(0)  .LOCL.

On C

 S1        .INIT.           
*S2        LOCAL(0)           
 LOCAL(0)  .LOCL.

(4) From the state above (S1 and S2 both stopped), start S2 first and then S1

*S1        120.25.108.11    
+S2        192.168.0.2      
 LOCAL(0)  .LOCL.
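The scenarios above show that a healthy-looking 「 * 」 on C can hide a free-running source: in scenario (3) S2 is selected but its refid is LOCAL(0), so C is following S2's undisciplined local clock. Added example, not from the original post: a POSIX shell check that parses ntpq -p output (constructed here to mirror the scenarios, with S1/S2 standing in for the server addresses as in the post) and classifies the client as ok, degraded, isolated or unsynced, so a cron job can alert when time is no longer disciplined by a real upstream.

```shell
# Constructed samples of `ntpq -p` output on client C, mirroring the post's
# test scenarios (S1/S2 stand in for the server addresses, as in the post).
HDR='     remote           refid      st t when poll reach   delay   offset  jitter
=============================================================================='
NORMAL="$HDR
*S1              120.25.108.11    3 u    6    8  377    0.130   -1.079   0.180
+S2              192.168.0.2      4 u    5    8  377    0.238  -13.534   0.923
 LOCAL(0)        .LOCL.          10 l   12    8  377    0.000    0.000   0.000"
S1_DOWN="$HDR
 S1              .INIT.          16 u    -    8    0    0.000    0.000   0.000
*S2              192.168.0.2      4 u    5    8  377    0.238  -13.534   0.923
 LOCAL(0)        .LOCL.          10 l   12    8  377    0.000    0.000   0.000"
S2_FREERUN="$HDR
 S1              .INIT.          16 u    -    8    0    0.000    0.000   0.000
*S2              LOCAL(0)        11 u    5    8  377    0.238   -0.534   0.923
 LOCAL(0)        .LOCL.          10 l   12    8  377    0.000    0.000   0.000"
ISOLATED="$HDR
 S1              .INIT.          16 u    -    8    0    0.000    0.000   0.000
 S2              .INIT.          16 u    -    8    0    0.000    0.000   0.000
*LOCAL(0)        .LOCL.          10 l   12    8  377    0.000    0.000   0.000"

# Print "<peer> <refid>" of the line tagged '*' (the selected system peer),
# or nothing when no peer is selected.
syspeer() {
  printf '%s\n' "$1" | awk '/^\*/ { print substr($1, 2), $2; exit }'
}

# Classify one ntpq -p snapshot:
#   ok       - an upstream server is syspeer and a '+' candidate remains for failover
#   degraded - an upstream server is syspeer but no candidate is left
#   isolated - the selected source is a local clock, either directly or through
#              a server whose refid is LOCAL, so time is free-running
#   unsynced - no peer selected at all
ntp_state() {
  pr=$(syspeer "$1"); peer=${pr%% *}; refid=${pr#* }
  candidates=$(printf '%s\n' "$1" | awk '/^\+/ { n++ } END { print n+0 }')
  case "$peer:$refid" in
    :*)                           echo unsynced ;;
    LOCAL*:*|*:LOCAL*|*:.LOCL.)   echo isolated ;;
    *) [ "$candidates" -gt 0 ] && echo ok || echo degraded ;;
  esac
}
# Live use on the client: ntp_state "$(ntpq -p)"
```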

(5)

Posted by errtu on Sat, 09 May 2020 02:15:44 -0700