Linux（Centos7.4和RHEL7.4）环境下基于chrony的NTP服务器的构建

一、操作环境

操作系统：CentOS Linux release 7.4.1708 (Core) 最小化安装版

chrony版本：chrony-3.1-2.x86_64

二、配置过程

由于在CentOS7.4系统中以默认安装chrony，因此无需再执行安装过程。其他未安装chrony的操作系统要执行安装chrony也是极其简单的，以CentOS7以下没有自带chrony的操作系统版本为例，执行yum -y install chrony一键即可完成chrony的安装。

1、检查服务状态。

[root@Geeklp-Chrony ~]# systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since 五 2018-01-12 10:20:17 CST; 1h 26min ago

从以上信息中我们可以看到，chrony服务已经启动，默认开机启动，厂商预置状态为开机启动。

2、配置防火墙

[root@Geeklp-Chrony ~]# firewall-cmd --permanent --add-service=ntp
success
[root@Geeklp-Chrony ~]# firewall-cmd --reload
success

3、测试。

本次测试使用的客户端IP为：10.1.1.23，客户端同样安装的是chrony软件。

（1）将客户端chronyd的配置文件中以下几行注释了，并在后面新增一行：

#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 10.1.1.21 iburst

（2）将客户时间修改为错误时间。

[root@JDK-Tomcat ~]# date -s 18:23:12

（3）重启客户端chrony。

[root@JDK-Tomcat ~]# systemctl restart chronyd

(4)查看客户端时间同步情况。

[root@JDK-Tomcat ~]# date
2018年 01月 12日 星期五 19:39:37 CST

结果与服务器时间一致，配置成功。测试完毕。

4、chrony也支持ntpdate，我们现在来卸载客户端上的chrony，然后使用ntpdate尝试同步。

[root@JDK-Tomcat ~]# yum -y remove chronyd
[root@JDK-Tomcat ~]# yum -y install ntpdate
[root@JDK-Tomcat ~]# ntpdate 10.1.1.21
12 Jan 19:41:49 ntpdate[3407]: step time server 10.1.1.21 offset 4702.851108 sec

以上效果也是很明显的。我们也可以使用定时任务来同步时间，关于定时任务设置，此处不再赘述。

三、高级设置

chrony是ntp协议的另外一种实现，关于chrony与ntp的对比我们可以参考文末参考资料。一般情况下，建议使用chrony代替ntp。

1、关于chronyc。chronyc支持命令行模式与交互式模式。我们来看一下帮助文档。

System clock:
tracking                    Display system time information
makestep                    Correct clock by stepping immediately
makestep <threshold> <updates>
Configure automatic clock stepping
maxupdateskew <skew>        Modify maximum valid skew to update frequency
waitsync [<max-tries> [<max-correction> [<max-skew> [<interval>]]]]
Wait until synchronised in specified limits

Time sources:
sources [-v]                Display information about current sources
sourcestats [-v]            Display statistics about collected measurements
reselect                    Force reselecting synchronisation source
reselectdist <dist>         Modify reselection distance

NTP sources:
activity                    Check how many NTP sources are online/offline
ntpdata [<address>]         Display information about last valid measurement
add server <address> [options]
Add new NTP server
add peer <address> [options]
Add new NTP peer
delete <address>            Remove server or peer
burst <n-good>/<n-max> [<mask>/<address>]
Start rapid set of measurements
maxdelay <address> <delay>  Modify maximum valid sample delay
maxdelayratio <address> <ratio>
Modify maximum valid delay/minimum ratio
maxdelaydevratio <address> <ratio>
Modify maximum valid delay/deviation ratio
minpoll <address> <poll>    Modify minimum polling interval
maxpoll <address> <poll>    Modify maximum polling interval
minstratum <address> <stratum>
Modify minimum stratum
offline [<mask>/<address>]  Set sources in subnet to offline status
online [<mask>/<address>]   Set sources in subnet to online status
polltarget <address> <target>
Modify poll target
refresh                     Refresh IP addresses

Manual time input:
manual off|on|reset         Disable/enable/reset settime command
manual list                 Show previous settime entries
manual delete <index>       Delete previous settime entry
settime <time>              Set daemon time
(e.g. Sep 25, 2015 16:30:05 or 16:30:05)

NTP access:
accheck <address>           Check whether address is allowed
clients                     Report on clients that have accessed the server
serverstats                 Display statistics of the server
allow [<subnet>]            Allow access to subnet as a default
allow all [<subnet>]        Allow access to subnet and all children
deny [<subnet>]             Deny access to subnet as a default
deny all [<subnet>]         Deny access to subnet and all children
local [options]             Serve time even when not synchronised
local off                   Don't serve time when not synchronised
smoothtime reset|activate   Reset/activate time smoothing
smoothing                   Display current time smoothing state

Monitoring access:
cmdaccheck <address>        Check whether address is allowed
cmdallow [<subnet>]         Allow access to subnet as a default
cmdallow all [<subnet>]     Allow access to subnet and all children
cmddeny [<subnet>]          Deny access to subnet as a default
cmddeny all [<subnet>]      Deny access to subnet and all children

Real-time clock:
rtcdata                     Print current RTC performance parameters
trimrtc                     Correct RTC relative to system clock
writertc                    Save RTC performance parameters to file

Other daemon commands:
cyclelogs                   Close and re-open log files
dump                        Dump all measurements to save files
rekey                       Re-read keys from key file

Client commands:
dns -n|+n                   Disable/enable resolving IP addresses to hostnames
dns -4|-6|-46               Resolve hostnames only to IPv4/IPv6/both addresses
timeout <milliseconds>      Set initial response timeout
retries <retries>           Set maximum number of retries
keygen [<id> [<type> [<bits>]]]
Generate key for key file
exit|quit                   Leave the program
help                        Generate this help

以上命令在交互模式中支持自动补全哦，十分方便。让我们来实践一下吧。

（1）查看时间同步源。在命令行中输入chronyc进入交互模式。



怎么样？是不是比ntpq中显示的要直观得多。图中展示了一些命令补全的效果。

（2）查看时间同步状态。



2、关于chrony。

[root@Geeklp-Chrony ~]# man  chrony.conf

（3）关于chronyd。

[root@Geeklp-Chrony ~]# man  chronyd

（4）最重要的chronyc。

[root@Geeklp-Chrony ~]# man  chronyc

参考资料：

https://chrony.tuxfamily.org/doc/3.1/chrony.conf.html

https://chrony.tuxfamily.org/doc/3.2/chronyd.html

https://chrony.tuxfamily.org/doc/3.2/chronyc.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-using_chrony