在使用亚马逊的EC2服务来对抗时钟漂移时,我应该使用NTP服务器吗？

Question

我正在使用AWS并且我在EC2服务器上......

[dalvarado@mymachine ~]$ uname -a
Linux mydomain.org 3.14.33-26.47.amzn1.x86_64 #1 SMP Wed Feb 11 22:39:25 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

尽管我已经安装并运行了NTPD,但我的时钟已经关闭了一分钟

[dalvarado@mymachine ~]$ sudo service ntpd status
ntpd (pid  22963) is running...

它会出现ntp数据包被阻止或存在其他问题,因为我收到此错误...

[dalvarado@mymachine ~]$ sudo ntpdate pool.ntp.org
 2 Apr 16:43:50 ntpdate[23748]: no server suitable for synchronization found

有没有人知道AWS是否有另一台服务器我应该联系NTP信息,或者我还需要其他其他配置吗？

谢谢, - 戴夫

编辑:包括评论的输出...

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

第二次编辑:

以下是/etc/ntp.conf文件的内容

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Enable additional logging.
logconfig =clockall =peerall =sysall =syncall

# Listen only on the primary network interface.
interface listen eth0
interface ignore ipv6

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

以下是"ntpq -p"的输出

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Answer 1

是的,您应该使用至少3个,理想情况下 5个或更多服务器,这些服务器是您的实例的低层和近距离(往返时间).

亚马逊提供了一些详细说明如何配置ntp的文档.应该注意的是,您不需要使用列出的池服务器 - 它们是Amazon负载均衡的公共ntp池的前端; 您可以选择任何您喜欢的服务器,只需记住更新任何新地址的安全/ ACL设置.

您提供的输出

[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

显示您配置的服务器无法访问.

Refid=.INIT.表示您尚未将引用初始化为引用的服务器.您每隔1024秒轮询它们,但它们都reach=0无法访问它们,并且没有从任何服务器接收时间.这就是你的时钟仍然错误的原因.

也许您的防火墙/网络安全设置过于苛刻,并且您阻止访问这些主机,或者更可能是端口.

做一些网络级别的诊断,因为它看起来就像你的问题所在 - 如果你需要进一步的帮助,请包括你的ntp.conf和输出ntpq -pcrv.

一旦修复了可达性问题,检查ntpq -p显示有效数据的数字,您应该发现问题已排序,并且时钟会按预期进行检查.

Answer 2

(2018)亚马逊现在建议"只"使用他们的169.254.169.123NTP服务器,因为

您的实例不需要访问Internet,也不必配置安全组规则或网络ACL规则以允许访问.

(看起来像2017年末推出的链接本地"亚马逊时间同步服务")

注意:169.254.169.123服务器确实" 飞跃涂抹 ",并且不应该与互联网上的其他(非亚马逊)NTP服务器混合使用,这些服务器没有完全相同的涂抹方式.亚马逊还建议使用chrony而不是ntpd除非你陷入遗留的情况,chrony与之相比ntpd,chrony实现同步的速度更快,更准确,更强大.

Answer 3

亚马逊在这里记录NTP.它们包括NTP配置及其Amazon Linux发行版.我当前运行的Amazon实例在/etc/ntp.conf中列出了这些服务器,这也是他们的文档推荐的内容:

server 0.amazon.pool.ntp.org iburst 
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst 
server 3.amazon.pool.ntp.org iburst