Is there an NTP server I should be using when using Amazon's EC2 service to combat clock drift?


Problem description

I’m using AWS and am on an EC2 server …

[dalvarado@mymachine ~]$ uname -a
Linux mydomain.org 3.14.33-26.47.amzn1.x86_64 #1 SMP Wed Feb 11 22:39:25 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

My clock is off by a minute or so despite the fact that I already have NTPD installed and running

[dalvarado@mymachine ~]$ sudo service ntpd status
ntpd (pid  22963) is running...

It would appear ntp packets are blocked or there is some other problem because I get this error …

[dalvarado@mymachine ~]$ sudo ntpdate pool.ntp.org
 2 Apr 16:43:50 ntpdate[23748]: no server suitable for synchronization found

Does anyone know with AWS if there’s another server I should be contacting for NTP info or if there are other additional configurations I need?

Thanks, - Dave

Edit: Including the output from the comment ...

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Second edit:

Below are the contents of the /etc/ntp.conf file

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Enable additional logging.
logconfig =clockall =peerall =sysall =syncall

# Listen only on the primary network interface.
interface listen eth0
interface ignore ipv6

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

and below is the output from "ntpq -p"

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Solution

Yes, you should be using at least 3 and ideally 5 or more servers which are a low stratum and close (in round trip time) to your instance.

Amazon provide some documents which detail how to configure ntp. It should be noted that you don't need to use the pool servers listed - they are a front for the public ntp pool which Amazon load balance to; you can pick any servers you like, just remember to update your security/ACL settings for any new addresses.

The output you provided

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Shows that the servers you have configured are not reachable.

Refid=.INIT. means you have not yet initialised comms to the referenced server. You poll them every 1024 sec but they all have reach=0 thus you can't reach them and are not receiving the time from any server. That's why your clock is still wrong.

It may be you have your firewall/network security setup too harsh and you are blocking access to those hosts, or more likely the port.

Do some network level diag as it would appear that's where your problem lies - also please include your ntp.conf and the output from ntpq -pcrv if you need further help.

Once you fix the reachability issue, check the numbers in ntpq -p are showing valid data and you should find your problem sorted and clock gets kept in check as expected.

Just a warning to folks about using the AWS time service at 169.254.169.123; This server is not a true ntp server as it does not correctly handle leap seconds. Instead the AWS server does 'leap smearing'.

This may or may not be suitable for your setup, and you should never mix normal NTP and leap smeared NTP servers together in the same config, or the same timing domain. You should pick one standard and stick to it to avoid any problems.
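The checks the answer walks through by hand (reading `reach` and `refid` from `ntpq -p`, spotting a missing system peer, and not mixing the leap-smearing 169.254.169.123 with normal pool servers) as a script. This is example code added to this page, not the poster's or the answerer's; the first `ntpq -p` sample is the output pasted in the question, while the "healthy" sample, the `ntp.example.org` host and the `MIXED_CONF` fragment are constructed, and it assumes 169.254.169.123 is the only leap-smearing source in play.

```python
"""Decode `ntpq -p` output and sanity-check an ntp.conf for the symptoms above."""
import re

# Assumption: the answer's 169.254.169.123 is the only leap-smearing source.
SMEARED_SOURCES = {"169.254.169.123"}

# One peer line of `ntpq -p`: a one-character tally code, then the columns.
PEER_RE = re.compile(
    r"^(?P<tally>[ x.\-+#*o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)"
    r"\s+(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)"
    r"\s+(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$"
)

# The output pasted in the question: no peer ever answered.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000
"""

# Constructed output of a synchronised host for contrast ('*' = system peer).
HEALTHY_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*169.254.169.123 .AMZN.           3 u   12   64  377    0.123   -0.045   0.012
+ntp.example.org 10.0.0.1         2 u   40   64  376   12.345    0.210   0.100
"""

# Constructed ntp.conf like the one posted above, plus the Amazon Time Sync
# address beside the pool servers: the mix the answer warns against.
MIXED_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
server 169.254.169.123 prefer iburst
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
disable monitor
"""


def parse_ntpq(text):
    """Return one dict per peer line; header and ruler lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["st"] = int(p["st"])
        # reach is an 8-bit shift register printed in octal, one bit per poll
        # (bit 0 = most recent); a set bit means that poll was answered.
        p["reach_bits"] = int(p["reach"], 8)
        p["answered"] = bin(p["reach_bits"]).count("1")
        peers.append(p)
    return peers


def diagnose(peers):
    """Explain, per peer and overall, why the clock is not being disciplined."""
    findings = []
    for p in peers:
        if p["refid"] == ".INIT." or p["reach_bits"] == 0:
            findings.append(f"{p['remote']}: never reached (refid {p['refid']}, reach "
                            f"{p['reach']}); check outbound UDP/123 in the security group and NACL")
        elif p["st"] >= 16:
            findings.append(f"{p['remote']}: upstream is unsynchronised (stratum 16)")
        elif p["answered"] < 8:
            findings.append(f"{p['remote']}: {p['answered']}/8 recent polls answered")
    if not any(p["tally"] == "*" for p in peers):
        findings.append("no system peer selected (no '*' tally): clock is free-running")
    return findings


def time_sources(conf_text):
    """Addresses from active server/pool/peer directives, comments stripped."""
    addrs = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("server", "pool", "peer"):
            addrs.append(parts[1])
    return addrs


def check_conf(conf_text):
    """Flag smear mixing, too few sources, and an exposed monlist query."""
    problems = []
    addrs = time_sources(conf_text)
    smeared = [a for a in addrs if a in SMEARED_SOURCES]
    normal = [a for a in addrs if a not in SMEARED_SOURCES]
    if smeared and normal:
        problems.append(f"mixing leap-smeared {smeared} with normal sources {normal}")
    if len(addrs) < 3:
        problems.append(f"only {len(addrs)} source(s) configured; use at least 3")
    directives = [ln.split("#", 1)[0].split() for ln in conf_text.splitlines()]
    default = next((d for d in directives if d[:2] == ["restrict", "default"]), None)
    if not (default and "noquery" in default) and ["disable", "monitor"] not in directives:
        problems.append("monlist reachable (CVE-2013-5211): add noquery to 'restrict default' or 'disable monitor'")
    return problems


if __name__ == "__main__":
    print(*diagnose(parse_ntpq(SAMPLE_NTPQ)), *check_conf(MIXED_CONF), sep="\n")
```

On the question's output every peer comes back as never reached and no system peer is selected, which is the free-running clock the poster sees; on the constructed healthy output only the `376` peer is reported, for the one missed poll that its low bit records. Paste the real `ntpq -p` and `/etc/ntp.conf` text into the two functions to run the same checks on a live host.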
