Is there an NTP server I should be using when using Amazon's EC2 service to combat clock drift?


Problem description

I’m using AWS and am on an EC2 server …

[dalvarado@mymachine ~]$ uname -a
Linux mydomain.org 3.14.33-26.47.amzn1.x86_64 #1 SMP Wed Feb 11 22:39:25 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

My clock is off by a minute or so despite the fact that I already have NTPD installed and running

[dalvarado@mymachine ~]$ sudo service ntpd status
ntpd (pid  22963) is running...

It would appear ntp packets are blocked or there is some other problem because I get this error …

[dalvarado@mymachine ~]$ sudo ntpdate pool.ntp.org
 2 Apr 16:43:50 ntpdate[23748]: no server suitable for synchronization found

Does anyone know with AWS if there’s another server I should be contacting for NTP info or if there are other additional configurations I need?

Thanks, -Dave

Including the output from the comment ...

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Second edit

Below are the contents of the /etc/ntp.conf file

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Enable additional logging.
logconfig =clockall =peerall =sysall =syncall

# Listen only on the primary network interface.
interface listen eth0
interface ignore ipv6

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

and below is the output from "ntpq -p"

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Recommended answer

Yes, you should be using at least 3 and ideally 5 or more servers which are a low stratum and a close (round trip time) to your instance.

Amazon provide some documents which detail how to configure ntp. It should be noted that you don't need to use the pool servers listed - they are a front for the public ntp pool which Amazon load balance to; you can pick any servers you like, just remember to update your security/ACL settings for any new addresses.

The output you provided

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Shows that the servers you have configured are not reachable.

Refid=.INIT. means you have not yet initialised comms to the referenced server. You poll them every 1024 sec but they all have reach=0 thus you can't reach them and are not receiving the time from any server. That's why your clock is still wrong.

It may be you have your firewall/network security setup too harsh and you are blocking access to those hosts, or more likely the port.

Do some network level diag as it would appear that's where your problem lies - also please include your ntp.conf and the output from ntpq -pcrv if you need further help.

Once you fix the reachability issue, check the numbers in ntpq -p are showing valid data and you should find your problem sorted and clock gets kept in check as expected.

Just a warning to folks about using the AWS time service at 169.254.169.123; This server is not a true ntp server as it does not correctly handle leap seconds. Instead the AWS server does 'leap smearing'.

This may or may not be suitable for your setup, and you should never mix normal NTP and leap smeared NTP servers together in the same config, or the same timing domain. You should pick one standard and stick to it to avoid any problems.
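Added example, not part of the question or of either answer: a small Python parser for the ntpq -p billboard pasted above that applies the answer's reading of it (reach 0 means no replies came back, refid .INIT. means the association never initialised, a '*' tally marks the system peer, and fewer than 3 usable servers is not enough). The hostname time.example.ne, the refid 10.0.0.1 and the numbers in HEALTHY_LINE are constructed to show what a working peer row looks like.

```python
import re
from collections import namedtuple

# Sample input: the `ntpq -p` billboard pasted in the question (reach 0, refid .INIT.).
QUESTION_BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000
"""
# Constructed row (hypothetical host/refid): a peer that answers (reach 377 octal = last
# 8 polls replied) and is the system peer (tally '*'), i.e. what to expect once fixed.
HEALTHY_LINE = "*time.example.ne 10.0.0.1         2 u   37   64  377    1.234   -0.512   0.201\n"

# One billboard row: optional tally char, then remote refid st t when poll reach delay offset jitter.
LINE = re.compile(
    r"^(?P<tally>[ *+#x.o-]?)(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+\S\s+\S+\s+"
    r"(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+[-\d.]+\s+(?P<offset>[-\d.]+)\s+[-\d.]+\s*$"
)
# reach is an 8-bit shift register of the last polls; ntpq prints it in octal.
Peer = namedtuple("Peer", "tally remote refid stratum reach offset_ms")

def parse_billboard(text: str) -> list:
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue  # header and separator rows
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ntpq line: {line!r}")
        peers.append(Peer(m["tally"].strip(), m["remote"], m["refid"], int(m["st"]),
                          int(m["reach"], 8), float(m["offset"])))
    return peers

def diagnose(peers: list) -> dict:
    """Read the billboard as the answer does: reach=0 means no replies at all,
    refid .INIT. means the association never initialised, '*' marks the system peer."""
    unreachable = [p.remote for p in peers if p.reach == 0]
    system = [p.remote for p in peers if p.tally == "*"]
    return {
        "peers": len(peers),
        "unreachable": unreachable,
        "uninitialised": [p.remote for p in peers if p.refid == ".INIT."],
        "system_peer": system[0] if system else None,
        # the answer asks for at least 3 (ideally 5 or more) usable servers
        "healthy": bool(system) and len(peers) - len(unreachable) >= 3,
    }
```

Run it against a live "ntpq -p" capture from cron to alert when the daemon has no reachable peers, which is the state the question's output shows.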
