I'm using AWS, on an EC2 server...

[dalvarado@mymachine ~]$ uname -a
Linux mydomain.org 3.14.33-26.47.amzn1.x86_64 #1 SMP Wed Feb 11 22:39:25 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

My clock is off by a minute, even though I have NTPD installed and running:

[dalvarado@mymachine ~]$ sudo service ntpd status
ntpd (pid  22963) is running...

It looks like ntp packets are being blocked, or something else is wrong, since I get this error...

[dalvarado@mymachine ~]$ sudo ntpdate pool.ntp.org
 2 Apr 16:43:50 ntpdate[23748]: no server suitable for synchronization found

Does anyone familiar with AWS know whether I should be contacting a different server for NTP information, or whether I need some other configuration?

Thanks, - Dave

Edit: including the output requested in the comments...

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Second edit:

Here are the contents of the /etc/ntp.conf file

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Enable additional logging.
logconfig =clockall =peerall =sysall =syncall

# Listen only on the primary network interface.
interface listen eth0
interface ignore ipv6

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

Here is the output of "ntpq -p"

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

3 Answers

(2018) Amazon now recommend "just" using their 169.254.169.123 NTP server because

Your instance does not require access to the internet, and you do not have to configure your security group rules or your network ACL rules to allow access.

(It looks like the link-local "Amazon Time Sync Service" was introduced in late 2017)

Note: The 169.254.169.123 server does "leap smearing" and SHOULD NOT be mixed with other (non-Amazon) NTP servers from out on the internet that aren't doing the smearing exactly the same way. Amazon also recommend using chrony instead of ntpd unless you are stuck in a legacy situation where chrony is unavailable: compared to ntpd, chrony is faster at achieving synchronization, more accurate and more robust.

answered 2018-08-19T20:06:15.447

Yes, you should use at least 3, ideally 5 or more servers, which are of low stratum and close to your instance (in round-trip time).

Amazon provides some documentation detailing how to configure ntp. It should be noted that you don't need to use the pool servers listed - they are a front-end to the public ntp pool that Amazon load-balances to; you can choose any servers you like, just remember to update your security/ACL settings for any new addresses.

The output you provided

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

shows that the servers you configured are not reachable.

Refid=.INIT. means you haven't initialised communication with the reference servers. You are polling them every 1024 seconds, but they all have reach=0, so you cannot reach them and are not receiving time from any of them. That is why your clock is still wrong.

Probably your firewall/network security settings are too strict and you are blocking access to those hosts, or more likely the port.

Do some network-level diagnostics, as that seems to be where your problem lies - if you need further help, please also include your ntp.conf and the output of ntpq -pcrv.

Once the reachability issue is resolved, check that the numbers in ntpq -p show valid data, and you should find the problem sorted and the clock checking in as expected.

Just a warning to people using the AWS time service at 169.254.169.123; that server is not a true ntp server, as it does not handle leap seconds correctly. Instead, the AWS server does "leap smearing".

This may or may not be suitable for your setup, and you should never mix plain NTP and leap-smearing NTP servers in the same configuration or the same timing domain. You should pick one standard and stick to it to avoid any problems.

answered 2015-04-07T18:27:48.273
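As an added example (not code from any of the answers), a small Python check that reads `ntpq -p` output the way the answer above does: it flags peers with reach=0 or refid .INIT., a missing system peer, and the mixing of the leap-smearing 169.254.169.123 source with other servers that both this answer and the 2018 one warn against. The two sample tables and the function names are constructed for illustration; the "mixed" table's values are made up.

```python
from typing import Dict, List

AMAZON_SMEARED = "169.254.169.123"   # link-local Amazon Time Sync Service (leap-smearing)

# Constructed sample: the question's table, every peer stuck in .INIT. with reach 0.
SAMPLE_BROKEN = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
"""

# Constructed sample (values made up) of a synced instance that also mixes in a pool server.
SAMPLE_MIXED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*169.254.169.123 203.0.113.9      2 u   12   16  377    0.210   -0.034   0.015
+0.amazon.pool.n 203.0.113.5      2 u   40   64  377   12.345    1.234   0.456
"""


def parse_ntpq(text: str) -> List[Dict]:
    """One dict per peer line. Column 0 is the tally code ('*' marks the system peer)."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote" or line.startswith("="):
            continue  # header, separator, blank or truncated line
        remote, refid, st, _t, _when, poll, reach, _delay, offset, _jitter = fields
        peers.append({"tally": line[0].strip(), "remote": remote, "refid": refid,
                      "stratum": int(st), "poll": int(poll),
                      "reach": int(reach, 8),  # octal shift register of the last 8 polls
                      "offset_ms": float(offset)})
    return peers


def diagnose(peers: List[Dict]) -> List[str]:
    """Read the table the way the answer above does and return one message per problem."""
    problems = []
    for p in peers:
        if p["reach"] == 0:
            problems.append(f'{p["remote"]}: reach=0, no reply to the last 8 polls (firewall/ACL?)')
        elif p["refid"] == ".INIT." or p["stratum"] == 16:
            problems.append(f'{p["remote"]}: not initialised / stratum 16, unusable source')
    if not any(p["tally"] == "*" for p in peers):
        problems.append("no system peer selected (*): the clock is free-running")
    if any(p["remote"] == AMAZON_SMEARED for p in peers) and len(peers) > 1:
        problems.append(f"{AMAZON_SMEARED} is leap-smearing; do not mix it with other sources")
    return problems
```

Feed it the live output with `diagnose(parse_ntpq(subprocess.check_output(["ntpq", "-p"], text=True)))`; an empty list means every configured peer is answering and one has been selected as system peer.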

Amazon documents NTP here. They include an NTP configuration with their Amazon Linux distribution. An Amazon instance I'm currently running lists these servers in /etc/ntp.conf, which is also what their documentation recommends:

server 0.amazon.pool.ntp.org iburst 
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst 
server 3.amazon.pool.ntp.org iburst

answered 2015-04-02T19:33:56.080