Is there an NTP server I should be using when using Amazon's EC2 service to combat clock drift?
I'm using AWS, and on an EC2 server...
[dalvarado@mymachine ~]$ uname -a
Linux mydomain.org 3.14.33-26.47.amzn1.x86_64 #1 SMP Wed Feb 11 22:39:25 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Even though I have NTPD installed and running, my clock is a minute slow.
[dalvarado@mymachine ~]$ sudo service ntpd status
ntpd (pid 22963) is running...
It seems that ntp packets are being blocked or something else is wrong, because I get this error...
[dalvarado@mymachine ~]$ sudo ntpdate pool.ntp.org
2 Apr 16:43:50 ntpdate[23748]: no server suitable for synchronization found
Does anyone know whether AWS should be contacting a different server for NTP information, or whether some other additional configuration is required?
Thanks, -Dave
Edit: including the output requested in the comments...
[dalvarado@mymachine ~]$ sudo ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
173.44.32.10 .INIT. 16 u - 1024 0 0.000 0.000 0.000
deekayen.net .INIT. 16 u - 1024 0 0.000 0.000 0.000
dhcp-147-115-21 .INIT. 16 u - 1024 0 0.000 0.000 0.000
time-b.timefreq .INIT. 16 u - 1024 0 0.000 0.000 0.000
Second edit:
Below are the contents of the /etc/ntp.conf file
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Enable additional logging.
logconfig =clockall =peerall =sysall =syncall
# Listen only on the primary network interface.
interface listen eth0
interface ignore ipv6
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
Below is the output of "ntpq -p"
sudo ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
173.44.32.10 .INIT. 16 u - 1024 0 0.000 0.000 0.000
deekayen.net .INIT. 16 u - 1024 0 0.000 0.000 0.000
dhcp-147-115-21 .INIT. 16 u - 1024 0 0.000 0.000 0.000
time-b.timefreq .INIT. 16 u - 1024 0 0.000 0.000 0.000
Amazon documents NTP here. They include an NTP configuration in the Amazon Linux distribution. An Amazon instance I currently have running lists these servers in /etc/ntp.conf, which is also what their documentation recommends:
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst
Yes, you should use at least 3, ideally 5 or more servers, with a low stratum and close to your instance (in round-trip time).
Amazon provides some documents detailing how to configure ntp. It should be noted that you don't need to use the pool servers listed - they are front-ends to the public ntp pool that Amazon load-balances to; you can choose whichever servers you like, just remember to update your security/ACL settings for any new addresses.
The output you provided
[dalvarado@mymachine ~]$ sudo ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
173.44.32.10 .INIT. 16 u - 1024 0 0.000 0.000 0.000
deekayen.net .INIT. 16 u - 1024 0 0.000 0.000 0.000
dhcp-147-115-21 .INIT. 16 u - 1024 0 0.000 0.000 0.000
time-b.timefreq .INIT. 16 u - 1024 0 0.000 0.000 0.000
shows that your configured servers are unreachable.
Refid=.INIT.
means you have not yet initialized communication with the reference servers. You are polling them every 1024 seconds, but they all have reach=0,
so you cannot reach them and are not receiving time from any server. That is why your clock is still wrong.
Probably your firewall/network security settings are too strict and you are blocking access to those hosts, or more likely the port.
Do some network-level diagnostics, since that appears to be where your problem lies - if you need further help, please also include your ntp.conf and the output of ntpq -pcrv.
Once the reachability problem is resolved, check that the numbers in ntpq -p show valid data; you should find the problem is solved and the clock is kept in check as expected.
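The reach=0 / .INIT. diagnosis above can be automated. The following is an added example (not from the original answer) that parses `ntpq -p` output into peers, decodes the octal reach register, and reports whether any source is actually usable; the sample output is constructed to match the question's failing case plus one healthy peer.

```python
from dataclasses import dataclass

# Constructed sample shaped like the `ntpq -p` output in the question: the two
# peers stuck in .INIT. with reach=0, plus one healthy peer for contrast.
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*time-b.timefreq .ACTS.           1 u   35   64  377   12.345   -0.812   0.421
"""

@dataclass
class Peer:
    tally: str     # selection char: '*' system peer, '+' candidate, ' ' unused
    remote: str
    refid: str
    stratum: int
    poll: int
    reach: int     # shift register of the last 8 polls; ntpq prints it in octal

    @property
    def usable(self) -> bool:
        # refid .INIT. with stratum 16 means the daemon never heard back at all.
        return self.reach != 0 and self.refid != ".INIT." and self.stratum < 16

def parse_ntpq(text: str) -> list[Peer]:
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue
        tally = line[0] if line[0] in " x.-+#*o" else ""
        fields = line[len(tally):].split()
        if len(fields) < 10:
            continue
        remote, refid, st, _t, _when, poll, reach = fields[:7]
        peers.append(Peer(tally, remote, refid, int(st), int(poll), int(reach, 8)))
    return peers

def diagnose(text: str) -> dict:
    # reach is octal, so 377 means all of the last 8 polls were answered.
    peers = parse_ntpq(text)
    usable = [p for p in peers if p.usable]
    return {
        "peers": len(peers),
        "usable": len(usable),
        "unreachable": [p.remote for p in peers if p.reach == 0],
        "syspeer": next((p.remote for p in peers if p.tally == "*"), None),
        "verdict": "ok" if usable else "no reachable source: check UDP/123 egress (security group, NACL)",
    }
```

Feed it `ntpq -p` output from the instance; a verdict other than "ok" points at the network path rather than at ntpd itself.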
Just a warning to people using the AWS time service at 169.254.169.123: that server is not a true ntp server, because it does not handle leap seconds correctly. Instead, the AWS server performs 'leap smearing'.
This may or may not be suitable for your setup, and you should never mix normal NTP and leap-smeared NTP servers in the same configuration or the same timing domain. You should pick one standard and stick with it to avoid any problems.
(2018) Amazon now recommend "just" using their 169.254.169.123 NTP server because
Your instance does not require access to the internet, and you do not have to configure your security group rules or your network ACL rules to allow access.
(It looks like the link-local "Amazon Time Sync Service" was introduced in late 2017.)
Note: the 169.254.169.123 server performs "leap smearing" and SHOULD NOT be mixed with other (non-Amazon) NTP servers from out on the internet that aren't doing the smearing exactly the same way. Amazon also recommend using chrony instead of ntpd unless you are stuck in a legacy situation where chrony is unavailable; compared to ntpd, chrony is faster at achieving synchronization, more accurate and more robust.
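The two answers above both warn against mixing the leap-smearing 169.254.169.123 source with ordinary internet servers. As an added example (not from the original answers), this small linter reads the `server`/`pool`/`peer` directives of an ntp.conf or chrony.conf and flags that mix; the config fragment is constructed and the set of smeared sources is an assumption containing only the address named on this page.

```python
# Constructed sample /etc/ntp.conf fragment: the question's pool servers with
# the link-local Amazon Time Sync Service added on top, which is exactly the
# mix the answers warn against.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
server 169.254.169.123 prefer iburst   # Amazon Time Sync Service (leap-smeared)
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
"""

# Assumption: the only smeared source named on this page. Extend it if you
# operate your own smearing stratum-1 servers.
SMEARED_SOURCES = {"169.254.169.123"}

def time_sources(conf: str) -> list[str]:
    """Return the addresses of server/pool/peer directives (ntpd and chrony share these keywords)."""
    sources = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing and whole-line comments
        words = line.split()
        if len(words) >= 2 and words[0] in ("server", "pool", "peer"):
            sources.append(words[1])
    return sources

def check_smear_mix(conf: str) -> dict:
    srcs = time_sources(conf)
    smeared = [s for s in srcs if s in SMEARED_SOURCES]
    plain = [s for s in srcs if s not in SMEARED_SOURCES]
    return {
        "smeared": smeared,
        "plain": plain,
        # True means the daemon sees sources that disagree by up to a second
        # around a leap event and may step or reject peers unpredictably.
        "mixed": bool(smeared and plain),
    }
```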