
How to Configure NTP for Use in the NTP Pool Project on Ubuntu 16.04


Introduction

Accurate time keeping is critical for almost any service or software. Emails, loggers, event systems and schedulers, user authentication mechanisms, and services running on distributed platforms all need accurate timestamps to record events in chronological order. These services use the Network Time Protocol, or NTP, to synchronize the system clock with a trusted external source. This source can be an atomic clock, a GPS receiver, or another time server that already uses NTP.

This is where the NTP Pool Project comes into play. It's a huge worldwide cluster of time servers that provides easy access to known good time for tens of millions of clients around the world. It's the default time server for Ubuntu and most other major Linux distributions, as well as many networked appliances and software applications.

In this guide, you will set up NTP on your server and configure it to be part of the NTP Pool Project, so it provides accurate time to other users of the NTP Pool Project. Providing your spare CPU cycles and unused bandwidth is a perfect way to give something back to the community.

The required bandwidth is relatively low and can be adjusted depending on the amount you can provide and where your server resides. Each client will only send a couple of UDP packets every 20 minutes, so most servers only receive about a dozen NTP packets per second, with spikes a couple of times a day of up to one hundred packets per second. This translates to bandwidth usage of 10-15Kb/sec with spikes of 50-120Kb/sec.

There are three basic requirements you must satisfy before joining the NTP Pool Project:

For most cloud-based servers, the first two requirements are usually met automatically. The third requirement emphasizes that joining the NTP Pool Project is a long-term commitment. Of course, if your circumstances change, it's fine to take a server out of the pool, but it will take a long time (usually weeks, but sometimes months or even years) before the traffic completely vanishes, because clients that once resolved your address keep using it.


Prerequisites

To complete this tutorial, you will need:

  • One Ubuntu 16.04 server with IPv6 networking configured. If you need to configure IPv6 networking on an existing Droplet, you can follow this tutorial.
  • A sudo non-root user and a firewall, which you can set up by following the Initial Server Setup with Ubuntu 16.04 tutorial.

Step 1 — Installing NTP

The NTP package is not installed by default, so you'll use the package manager to install it. First, update your packages:

$ sudo apt-get update

Then install NTP:

$ sudo apt-get install ntp

If you've configured the firewall as specified in the prerequisites, you must allow UDP traffic on port 123 in order to communicate with the NTP pool:

$ sudo ufw allow 123/udp

For more on UFW, refer to How To Set Up a Firewall with UFW on Ubuntu.

NTP is now installed, but it's configured to use the default NTP pool time servers. Let's pick some specific time servers instead.


Step 2 — Choosing a Suitable Upstream Server

The NTP Pool project asks operators who want to join the pool to choose good network-local time servers rather than using the default pool.ntp.org servers. This ensures that the NTP Pool Project remains reliable, fast, and healthy. When choosing your time source, you'll want a stable network connection with no packet loss and as few hops as possible between the servers.

The multi-tiered and hierarchical NTP protocol separates the parties involved into primary servers, secondary servers, and clients. The primary servers are called Stratum 1 and are connected directly to the source of time, which is called Stratum 0. This source can be an atomic clock, a GPS receiver, or a radio navigation system. Secondary servers in the chain are called Stratum 2, Stratum 3 and so on.

Each server is also a client. A Stratum 2 server receives time from an upstream Stratum 1 server, and provides time to downstream Stratum 3 servers or other clients. For NTP Pool Project members to work properly, the NTP daemon needs at least three servers configured; that is the minimum its selection algorithm needs to outvote a single bad source (a falseticker). The project recommends a minimum of four, and no more than seven sources.

The NTP Pool Project provides a list of public Stratum 1 and Stratum 2 time servers. The lists designate the NTP time servers available for public access under stated restrictions. You'll find three types:

  • OpenAccess: This time server is open to any client complying with the NTP Pool usage recommendations.
  • RestrictedAccess: This time server has some access restrictions in addition to the NTP Pool usage recommendations.
  • ClosedAccess: This time server is closed or requires prior arrangement.

Warning: Don't use servers that are not listed as OpenAccess unless you've received approval to do so.

Visit the Stratum 1 Time Servers list. Each entry shows the server's host name, its ISO country code, and its access policy.

Sort the list by the ISO code column and find one or two servers that are geographically close to your server's data center. If the Access Policy column says OpenAccess, you can use the server without further steps. If it says RestrictedAccess, click the entry and read the instructions in the AccessDetails field. Often NotificationMessage is set to Yes, which means you must send an informal email to the address in ServerContact, telling the operator that you intend to use the server as a time source for an NTP Pool Project member.

Once you've identified the servers you'd like to use, click the link for each server in the ISO column and copy its host name or IP address. You'll use these addresses in Step 3.

Next, select three or four servers from the Stratum 2 list, following the same process.

Once you have selected your time servers, it's time to configure your NTP client to use them.


Step 3 — Configuring NTP to Join the Pool

To use your server with the NTP pool, and configure your new time servers, you'll need to make some modifications to your NTP daemon's configuration. To do so, edit the /etc/ntp.conf file:

$ sudo nano /etc/ntp.conf

First, make sure a driftfile is configured. A driftfile stores the frequency offset between the system clock running at its nominal frequency, and the frequency required to remain in synchronization with correct time. It helps to achieve a stable and accurate time. You should find this at the top of your configuration file on a default installation:

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift
...

Next, remove the default time source entries from the configuration. You're looking for all lines matching the pattern pool [0-3].ubuntu.pool.ntp.org iburst, plus the fallback pool ntp.ubuntu.com. On a default configuration, remove these lines:

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst

# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com

Replace the lines you removed with the hand-picked servers you selected in the previous step, using the server keyword instead of the pool keyword. (pool tells ntpd to resolve the name repeatedly and add several associations from it, which is not what you want for a single hand-picked host.)

...
server ntp_server_hostname_1 iburst
server ntp_server_hostname_2 iburst
server ntp_server_hostname_3 iburst
server ntp_server_hostname_4 iburst
server ntp_server_hostname_5 iburst
...

We use the iburst option for each server, per the NTP Pool recommendations. With iburst, while a server is unreachable ntpd sends a burst of eight packets spaced two seconds apart instead of the usual single packet, so initial synchronization completes in seconds rather than several minutes; once the server is reachable, polling returns to one packet per interval. The burst option, by contrast, sends eight packets at every poll interval even when the server is reachable. The NTP Pool Project considers that abuse, so never use burst against pool or public servers.

Next, make sure the default restrict lines do not allow management queries. Without noquery, anyone on the Internet can send ntpq (mode 6) and ntpdc (mode 7) control queries to your server. Besides leaking its peer list and configuration state, those replies are much larger than the requests, which is what makes an NTP server usable as a reflector in amplification attacks (the mode 7 monlist request is the classic example). nomodify refuses queries that try to change the running configuration, and kod together with limited rate-limits abusive clients and answers their excess packets with a kiss-o'-death packet. Check that the noquery option is present on the default restrict lines:

...
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

You can find more information about the other options in the official documentation.

Your NTP daemon configuration file now should look like the following, although your file may have additional comments, which you can safely disregard:

driftfile /var/lib/ntp/ntp.drift

server ntp_server_hostname_1 iburst
server ntp_server_hostname_2 iburst
server ntp_server_hostname_3 iburst
server ntp_server_hostname_4 iburst
server ntp_server_hostname_5 iburst

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

Save the file and exit the editor.
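To check a finished ntp.conf against the rules in this step (driftfile present, four to seven hand-picked sources, iburst but never burst, the default pool entries gone, and both restrict default lines carrying noquery and the other flags), here is an added audit script in Python. It is not part of the original tutorial or of the ntp package; the two embedded configurations are constructed samples, and the ntp_server_hostname_N names are the tutorial's placeholders.

```python
"""Audit an ntp.conf against the NTP Pool guidance in Steps 2 and 3.

Added example, not part of the original tutorial: checks driftfile, source
count (3 hard minimum, 4..7 recommended), iburst vs burst, leftover default
pool entries, and the flags on 'restrict -4/-6 default'.
"""

REQUIRED_DEFAULT_FLAGS = {"kod", "notrap", "nomodify", "nopeer", "noquery", "limited"}
DEFAULT_POOL_HOSTS = ("pool.ntp.org", "ntp.ubuntu.com")


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the file matches the target config."""
    findings = []
    sources = []              # (keyword, host, set of options)
    default_restrict = {}     # "-4", "-6" or "both" -> set of flags
    driftfile = None

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and surrounding whitespace
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "driftfile" and args:
            driftfile = args[0]
        elif keyword in ("server", "pool", "peer") and args:
            sources.append((keyword, args[0], set(args[1:])))
        elif keyword == "restrict" and args:
            family = "both"
            if args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if args and args[0] == "default":
                default_restrict[family] = set(args[1:])

    if driftfile is None:
        findings.append("no driftfile: the frequency error is relearned from scratch on every restart")

    count = len(sources)
    if count < 3:
        findings.append(f"only {count} upstream source(s): ntpd needs at least three to outvote a falseticker")
    elif count < 4:
        findings.append(f"{count} upstream sources: the project recommends at least four")
    elif count > 7:
        findings.append(f"{count} upstream sources: the project recommends no more than seven")

    for keyword, host, opts in sources:
        if "burst" in opts:
            findings.append(f"{host}: 'burst' sends eight packets every poll interval and counts as abuse; use 'iburst'")
        elif "iburst" not in opts:
            findings.append(f"{host}: missing 'iburst'")
        if keyword == "pool" or host.endswith(DEFAULT_POOL_HOSTS):
            findings.append(f"{host}: a pool member should use hand-picked upstream servers, not the default pool")

    for family in ("-4", "-6"):
        flags = default_restrict.get(family, default_restrict.get("both"))
        if flags is None:
            findings.append(f"no 'restrict {family} default' line: clients get unrestricted access")
            continue
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            findings.append(f"'restrict {family} default' lacks {' '.join(sorted(missing))}")
    return findings


# Constructed sample: the configuration Step 3 arrives at.
GOOD_CONF = """\
driftfile /var/lib/ntp/ntp.drift

server ntp_server_hostname_1 iburst
server ntp_server_hostname_2 iburst
server ntp_server_hostname_3 iburst
server ntp_server_hostname_4 iburst
server ntp_server_hostname_5 iburst

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample: a half-edited stock file with the IPv4 noquery dropped.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
pool 0.ubuntu.pool.ntp.org iburst
server ntp_server_hostname_1 burst
restrict -4 default kod notrap nomodify nopeer limited
restrict -6 default kod notrap nomodify nopeer noquery limited
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ntp.conf"
    with open(path) as fh:
        for finding in audit_ntp_conf(fh.read()):
            print("WARN:", finding)
```

Run it as `python3 audit_ntp_conf.py /etc/ntp.conf` on the server; no output means the file passes. Comments are stripped before parsing, so the explanatory comment lines the stock file ships with do not confuse it.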

Now restart the NTP service and let your time server synchronize its clock to the upstream servers.

$ sudo systemctl restart ntp.service

After a few minutes, check the health of your time server with the ntpq command:

$ ntpq -p

The output should look similar to this:

Output
            remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 mizbeaver.udel. .INIT.          16 u    -   64    0    0.000    0.000   0.000
 montpelier.ilan .GPS.            1 u   25   64    7   55.190    2.121 130.492
+nist1-lnk.binar .ACTS.           1 u   28   64    7   52.728   23.860   3.247
*ntp.okstate.edu .GPS.            1 u   31   64    7   19.708   -8.344   6.853
+ntp.colby.edu   .GPS.            1 u   34   64    7   51.518   -5.914   6.669

The remote column tells you the hostnames of the servers the NTP daemon is using, and the refid column tells you which source each of those servers is using. For Stratum 1 servers the refid shows the reference clock type, such as GPS, PPS, ACTS, or PTB; Stratum 2 and higher servers show the IP address of their upstream server. The st column shows the stratum, and delay, offset, and jitter (all in milliseconds) describe the quality of the time source; lower values are better for all three. The first character of each line is the selection status: * marks the system peer the clock is currently disciplined to, + marks candidates that are also used in the combined estimate, and a blank means the server has been rejected or not yet reached. The reach column is an octal shift register of the last eight polls, so 7 means the last three polls were answered and 377 means all eight were. The mizbeaver line above shows stratum 16 and refid .INIT., which is how ntpd reports a source it has not yet successfully reached.
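The following added Python example (not from the original tutorial) parses that billboard and applies the rules above mechanically, which is useful as a monitoring check on a pool server. The embedded input is the sample output shown above; the 128 ms figure is ntpd's default step threshold.

```python
"""Interpret the 'ntpq -p' billboard.

Added example, not from the original tutorial: turns the table into dicts and
applies the checks a practitioner does by eye (tally character, octal reach
register, stratum 16, offset against the step threshold).
"""

# Meaning of the tally character ntpq prints in the first column.
TALLY = {
    "*": "system peer (the source the clock is disciplined to)",
    "o": "PPS peer",
    "+": "candidate (survived selection, used in the combine)",
    "#": "selected but beyond the survivor limit",
    "-": "outlier (discarded by the clustering algorithm)",
    "x": "falseticker (discarded by the intersection algorithm)",
    ".": "excess (discarded, too many candidates)",
    " ": "rejected or not yet reachable",
}

STEP_THRESHOLD_MS = 128.0   # ntpd steps rather than slews the clock above this offset


def parse_ntpq_peers(text):
    """Parse 'ntpq -p' output into one dict per peer row; header lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue                      # not a peer row
        remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields
        reach_bits = int(reach, 8)        # shift register of the last eight polls, printed in octal
        peers.append({
            "tally": tally,
            "status": TALLY.get(tally, "unknown"),
            "remote": remote,
            "refid": refid.strip("."),
            "stratum": int(st),
            "replies_of_last_8": bin(reach_bits).count("1"),
            "last_poll_answered": bool(reach_bits & 1),
            "delay_ms": float(delay),
            "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers


def assess_peers(peers):
    """Return a list of findings; an empty list means the billboard looks healthy."""
    findings = []
    if not any(p["tally"] == "*" for p in peers):
        findings.append("no system peer ('*') selected: the daemon is not synchronised yet")
    survivors = [p for p in peers if p["tally"] in "*o+#"]
    if len(survivors) < 3:
        findings.append(f"only {len(survivors)} usable source(s): fewer than three cannot outvote a falseticker")
    for p in peers:
        if p["stratum"] == 16:
            findings.append(f"{p['remote']}: stratum 16, refid {p['refid']}: not synchronised or never reached")
        elif p["tally"] == "x":
            findings.append(f"{p['remote']}: falseticker, replace it in ntp.conf")
        if abs(p["offset_ms"]) > STEP_THRESHOLD_MS:
            findings.append(f"{p['remote']}: offset {p['offset_ms']} ms exceeds the {STEP_THRESHOLD_MS:g} ms step threshold")
    return findings


# The billboard from the tutorial, embedded as sample input.
SAMPLE_NTPQ = """\
            remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 mizbeaver.udel. .INIT.          16 u    -   64    0    0.000    0.000   0.000
 montpelier.ilan .GPS.            1 u   25   64    7   55.190    2.121 130.492
+nist1-lnk.binar .ACTS.           1 u   28   64    7   52.728   23.860   3.247
*ntp.okstate.edu .GPS.            1 u   31   64    7   19.708   -8.344   6.853
+ntp.colby.edu   .GPS.            1 u   34   64    7   51.518   -5.914   6.669
"""

if __name__ == "__main__":
    peers = parse_ntpq_peers(SAMPLE_NTPQ)
    for peer in peers:
        print(f"{peer['tally']!r} {peer['remote']:<16} st={peer['stratum']:>2} "
              f"reach={peer['replies_of_last_8']}/8 offset={peer['offset_ms']:>8.3f} ms  {peer['status']}")
    for finding in assess_peers(peers):
        print("WARN:", finding)
```

Feed it live data with `ntpq -p | python3 ntpq_check.py` after replacing SAMPLE_NTPQ with `sys.stdin.read()`. On the sample above it reports only the unreached mizbeaver entry: a system peer is selected and three survivors are in use, which is the state you want before registering the server.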

Your time server is now able to serve time to the public. You can verify this by calling ntpdate from another host:

$ ntpdate -q your_server_ip

The output should look similar to this. With -q, ntpdate only queries the server and reports the offset it measured; it does not adjust the local clock, even though its message is worded as if it did:

Output
       server your_server_ip, stratum 2, offset 0.001172, delay 0.16428
 2 Mar 23:06:44 ntpdate[18427]: adjust time server your_server_ip offset 0.001172 sec

You are now ready to register your NTP server with the NTP Pool Project so others can use it.


Step 4 — Adding the Server to the NTP Pool

To add your server so others can use it, visit manage.ntppool.org and sign up for an account. You will receive an email from NTP Pool help@ntppool.org requesting that you verify your account. Confirm your account by following the instructions in the email, and then log in to manage.ntppool.org.

Once logged in, you'll see a simple form for adding servers.

Enter your server's IP address and click Submit.

The next screen asks you to verify that it identified the region of your server. If it shows your server in a different region than you expect, use the Comment box to let them know.

If you are happy, confirm the entry by clicking Yes, this is my server, add it!

Your server is now part of the NTP Pool Project. Visit http://www.pool.ntp.org/scores/your_server_ip to see the information the NTP Pool's monitoring system has collected about your server. It checks your server a few times per hour and displays offset data, along with the score of your system. As long as your server keeps good time and is reachable, the score rises until it reaches 20 points. Only servers with a score higher than 10 are used in the pool.


Troubleshooting Connectivity Issues

If you are having trouble getting your server to sync you might have a packet firewall in place dropping your outgoing packets on port 123. Take a look at How To Set Up a Firewall with UFW on Ubuntu to learn how to check the status of the firewall.

If the NTP Pool Project's monitoring station can't reach your NTP server and your server score is going down, or you can't use your server to sync some other clock, you might have a packet firewall in place dropping your incoming traffic on port 123. Check your firewall status.

If you are certain that you have no firewall in place, or you have opened port 123 for both incoming and outgoing traffic, your server provider or another transit provider might be dropping your packets along the way. If you do not have the knowledge to solve those problems on your own, it's best to turn to the community and ask for help. The NTP Pool Project's forum is a good place to start. You can also join the mailing list or send an email to the NTP Pool Project operator. Just be sure you can show all the steps you've already tried to resolve the issue before asking for help.


Conclusion

In this tutorial, you set up your own time server and made it a member of the NTP Pool Project, serving time to the community. To keep in touch with the time-keeping community, join the NTP Pool Project's forum or the mailing list. Be sure to monitor your server's score and make any adjustments necessary.
