如何证明systemd-timesyncd正在定期轮询 NTP 服务器以确保系统时钟保持“同步”?
我知道我可以通过运行来检查同步状态是否为是timedatectl,而且它确实告诉我“是”,但那难道不是几个月前的陈旧状态吗?我没有看到任何证据表明任何软件组件实际上正在定期联系 NTP 服务器池进行实际检查。
根据我的理解,使用默认配置PollIntervalMaxSec2048,它最多每 34 分钟应与 NTP 进行一次时钟比较。它应该这样工作吗?
如果我运行,journalctl -u systemd-timesyncd我只会看到重新启动或 s 的同步事件证据apt upgrade。事实上,几周过去了,却没有任何时钟同步日志条目。
对于我的时间敏感型应用程序,我担心如果几周/几个月过去而没有任何 NTP 检查,我的系统时钟可能会出现很大偏差。我希望它每天检查一次并证明确实如此。
NIST 美国官方时间网站显示当前 UTC 以及我的设备的时间并计算偏移量,请参阅所附的屏幕截图:
令我惊讶的是,一天中的时间差通常约为 1..2 秒。我确实知道可能会有各种网络延迟,但我仍然希望 NTP 协议比这更准确。
据我所知,这种差异不是由于 NTP 配置错误造成的,因为我已经在多台机器上观察到了这种情况:
time.apple.com;我的问题是这是否“正常”,或者是否有办法连接到特定的 NTP 服务器以实现更高的系统时间精度,例如相对于 NIST 的 UTC +/- 0.1 秒?谢谢。
看来使用本地时钟的 ntp 服务器必须使用默认的环回 ip 地址 (127.127.1.0)。
如果我使用 ntp 服务器的本地以太网 ip 地址作为源本地时钟,它就会卡在 .INIT. 状态。
root@THCDB:/root# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*LOCAL(0) .LOCL. 5 l 53 64 1 0.000 0.000 0.000
root@THCDB:/root# grep ^server /etc/ntp.conf
server 127.127.1.0
root@THCDB:/root# sed -i '/^server/s/127.127.1.0/172.25.180.170/' /etc/ntp.conf
root@THCDB:/root# grep ^server /etc/ntp.conf
server 172.25.180.170
root@THCDB:/root# service ntpd restart
Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
root@THCDB:/root# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
172.25.180.170 .INIT. 16 u - 64 0 0.000 0.000 0.000
root@THCDB:/root# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
THCDB .INIT. 16 u - 64 0 0.000 0.000 0.000
环境:RHEL 6.4 带有 ntp-4.2.6p5-15.el6_10.x86_64
问题:以下 ntp 客户端可以将其时间同步到远程 ntp 服务器,但是为什么它无法与远程 ntp 服务器运行 ntpq -c 子命令?
#
#
# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.130.22.10 .GPS. 1 u 17 1024 377 0.859 -0.178 0.428
#
#
# ntpq -n -cas
ind assid status conf reach auth condition last_event cnt
===========================================================
1 15314 963a yes yes none sys.peer sys_peer 3
#
#
#
# ntpq
ntpq> as
ind assid status conf reach auth condition last_event cnt
===========================================================
1 15314 963a yes yes none sys.peer sys_peer 3
ntpq>
ntpq>
ntpq> quit
#
#
#
# ntpq 10.130.22.10
ntpq> as
10.130.22.10: timed out, nothing received
***Request timed out
ntpq>
ntpq>
ntpq> pe
10.130.22.10: timed out, nothing received
***Request timed out
ntpq>
ntpq>
ntpq> quit
#
#
在NTP配置中,为本地时钟指定高层值的目的是什么?
fudge 127.127.1.0 stratum 10
如果我错了,请纠正我:如果远程 NTP 服务器(层数较低,例如 2 或 3)无法访问,服务器无论如何都会依赖内部时钟。否则,它将与这些 NTP 服务器同步时间。
因此,上述配置行是否不必要,并且仅当该层值低于某些远程 NTP 服务器层时设置本地时钟层才有意义?
这是我的 timedatectl 命令在 proxmox 虚拟机上的输出,该虚拟机在新西兰的服务器上运行,具有静态 IP:
$ timedatectl
Local time: Wed 2023-11-01 16:01:30 UTC
Universal time: Wed 2023-11-01 16:01:30 UTC
RTC time: Wed 2023-11-01 16:01:30
Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
即使时钟同步已打开并且 NTP 处于活动状态,为什么它仍显示错误的本地时间?有没有办法自动纠正这个问题,而不是通过手动设置时区?谢谢!
在我的 ARM 设备上运行 ntp-keygen(或 ntpd)时收到的错误消息是:
./ntp-keygen: relocation error: ./ntp-keygen: symbol DSA_generate_parameters_ex, version OPENSSL_1_1_0 not defined in file libcrypto.so.1.1 with link time reference
配置、构建和安装 OpenSSL 的脚本如下:
#!/bin/bash
# Build dependencies if any.
depends()
{
cd $buildDir
if [ "x${PERL}" = "x" ]; then
export PERL=`which perl`
fi
return $?
}
# Configure software package.
configure()
{
depends
cd $packageDir
# Available ciphers:
# DES, AES, CAMELLIA, MD2, MDC2, MD4, MD5, HMAC, SHA, RIPEMD, WHIRLPOOL,
# RC4, RC5, RC2, IDEA, SEED, BF(blowfish), CAST, RSA, DSA, ECDSA, ECDH
# We use:
# DES, AES, MD4, MD5, HMAC, SHA, RSA, ECDSA, ECDH
./Configure shared threads --prefix=$PWD/install-arm linux-armv4
return $?
}
# Build the software package.
compile()
{
local mmx_machine_type=`echo $MMX_MACHINE_TYPE | tr '[:upper:]' '[:lower:]'`
depends
cd $packageDir
export CFLAGS="$CFLAGS -DCONFIG_MACHINE_${MMX_MACHINE_TYPE}"
configure
if [ "$?" -ne "0" ]; then return 1; fi
make CC=$CC AR=$AR NM=$NM RANLIB=$RANLIB
if [ "$?" -ne "0" ]; then return 1; fi
make CC=$CC AR=$AR NM=$NM RANLIB=$RANLIB install
if [ "$?" -ne "0" ]; then return 1; fi
return 0
}
# Clean-up.
clean()
{
depends
cd $packageDir
rm -rf install-arm/*
rm -rf install-i386/*
make clean
}
# Install to rootfs the necessary pieces (e.g. directories, links...)
install()
{
targetPath=${buildDir}/.tmp.rootfs/rootfs
local openssl="bin/openssl"
local libssl="lib/libssl.so.1.1"
local libcrypto="lib/libcrypto.so.1.1"
cd ${packageDir}/install-arm
if [ -f ${openssl} -a -f ${libssl} -a -f ${libcrypto} ]
then
cp ${openssl} ${targetPath}/sbin/
cp ${libssl} ${targetPath}/lib/
cp ${libcrypto} ${targetPath}/lib/
else
printf " $package not built.\n"
fi
return 0
}
对于 ntp 包,对 OpenSSL 的唯一引用是在配置选项中。下面是完整的 ntp 包配置:
#!/bin/sh
# Configure software package.
configure()
{
cd $packageDir
./bootstrap
./configure --host=arm-linux --with-yielding-select=yes --with-crypto=openssl \
--with-openssl-incdir=$OPENSSL_DIR/install-arm/include/ \
--with-openssl-libdir=$OPENSSL_DIR/install-arm/lib/ \
return $?
}
# Build the software package.
compile()
{
cd $packageDir
# make PROJECT_NAME=$project
make
if [ "$?" -ne "0" ]; then return 1; fi
return 0
}
# Clean-up.
clean()
{
cd $packageDir
make clean
}
# Install to rootfs the necessary pieces (e.g. directories, links...)
install()
{
cd $packageDir
sourcePath=.
targetPath=$buildDir/.tmp.rootfs/rootfs
if [[ -f $sourcePath/ntpclient ]]; then
cp $sourcePath/$package $targetPath/sbin/
else
printf " $package not built.\n"
return 1
fi
return 0
}
错误与“ntp_crypto.c:2248:2: error: unknown type name 'DSA_SIG'; did you mean 'ECDSA_SIG'?”
make 失败,输出如下:
tp_crypto.c: In function 'crypto_alice':
ntp_crypto.c:2188:13: warning: implicit declaration of function 'EVP_PKEY_get0_DSA'; did you mean 'EVP_PKEY_get0_RSA'? [-Wimplicit-function-declaration]
if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
^~~~~~~~~~~~~~~~~
EVP_PKEY_get0_RSA
ntp_crypto.c:2188:11: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
^
ntp_crypto.c:2199:2: warning: implicit declaration of function 'DSA_get0_pqg'; did you mean 'DH_get0_pqg'? [-Wimplicit-function-declaration]
DSA_get0_pqg(dsa, NULL, &q, NULL);
^~~~~~~~~~~~
DH_get0_pqg
ntp_crypto.c: In function 'crypto_bob':
ntp_crypto.c:2248:2: error: unknown type name 'DSA_SIG'; did you mean 'ECDSA_SIG'?
DSA_SIG *sdsa; /* DSA signature context fake */
^~~~~~~
ECDSA_SIG
ntp_crypto.c:2266:6: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
dsa = EVP_PKEY_get0_DSA(iffkey_info->pkey);
^
ntp_crypto.c:2268:2: warning: implicit declaration of function 'DSA_get0_key'; did you mean 'RSA_get0_key'? [-Wimplicit-function-declaration]
DSA_get0_key(dsa, NULL, &priv_key);
^~~~~~~~~~~~
RSA_get0_key
ntp_crypto.c:2287:9: warning: implicit declaration of function 'DSA_SIG_new'; did you mean 'ECDSA_SIG_new'? [-Wimplicit-function-declaration]
sdsa = DSA_SIG_new();
^~~~~~~~~~~
ECDSA_SIG_new
ntp_crypto.c:2287:7: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
sdsa = DSA_SIG_new();
^
ntp_crypto.c:2294:2: warning: implicit declaration of function 'DSA_SIG_set0'; did you mean 'ECDSA_SIG_set0'? [-Wimplicit-function-declaration]
DSA_SIG_set0(sdsa, bn, bk);
^~~~~~~~~~~~
ECDSA_SIG_set0
ntp_crypto.c:2299:3: warning: implicit declaration of function 'DSA_print_fp'; did you mean 'RSA_print_fp'? [-Wimplicit-function-declaration]
DSA_print_fp(stdout, dsa, 0);
^~~~~~~~~~~~
RSA_print_fp
ntp_crypto.c:2306:8: warning: implicit declaration of function 'i2d_DSA_SIG'; did you mean 'i2d_ECDSA_SIG'? [-Wimplicit-function-declaration]
len = i2d_DSA_SIG(sdsa, NULL);
^~~~~~~~~~~
i2d_ECDSA_SIG
ntp_crypto.c:2310:3: warning: implicit declaration of function 'DSA_SIG_free'; did you mean 'ECDSA_SIG_free'? [-Wimplicit-function-declaration]
DSA_SIG_free(sdsa);
^~~~~~~~~~~~
ECDSA_SIG_free
ntp_crypto.c: In function 'crypto_iff':
ntp_crypto.c:2363:2: error: unknown type name 'DSA_SIG'; did you mean 'ECDSA_SIG'?
DSA_SIG *sdsa; /* DSA parameters */
^~~~~~~
ECDSA_SIG
ntp_crypto.c:2385:11: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
^
ntp_crypto.c:2400:14: warning: implicit declaration of function 'd2i_DSA_SIG'; did you mean 'd2i_ECDSA_SIG'? [-Wimplicit-function-declaration]
if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) {
^~~~~~~~~~~
d2i_ECDSA_SIG
ntp_crypto.c:2400:12: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) {
^
ntp_crypto.c:2412:2: warning: implicit declaration of function 'DSA_SIG_get0'; did you mean 'ECDSA_SIG_get0'? [-Wimplicit-function-declaration]
DSA_SIG_get0(sdsa, &r, &s);
^~~~~~~~~~~~
ECDSA_SIG_get0
ntp_crypto.c: In function 'crypto_bob2':
ntp_crypto.c:2578:2: error: unknown type name 'DSA_SIG'; did you mean 'ECDSA_SIG'?
DSA_SIG *sdsa; /* DSA parameters */
^~~~~~~
ECDSA_SIG
ntp_crypto.c:2616:7: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
sdsa = DSA_SIG_new();
^
ntp_crypto.c: In function 'crypto_gq':
ntp_crypto.c:2686:2: error: unknown type name 'DSA_SIG'; did you mean 'ECDSA_SIG'?
DSA_SIG *sdsa; /* RSA signature context fake */
^~~~~~~
ECDSA_SIG
ntp_crypto.c:2726:12: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) {
^
ntp_crypto.c: In function 'crypto_alice3':
ntp_crypto.c:2862:11: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
^
ntp_crypto.c: In function 'crypto_bob3':
ntp_crypto.c:2940:6: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
dsa = EVP_PKEY_get0_DSA(mvkey_info->pkey);
^
ntp_crypto.c:2962:9: warning: implicit declaration of function 'DSA_new'; did you mean 'RSA_new'? [-Wimplicit-function-declaration]
sdsa = DSA_new();
^~~~~~~
RSA_new
ntp_crypto.c:2962:7: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
sdsa = DSA_new();
^
ntp_crypto.c:2975:2: warning: implicit declaration of function 'DSA_set0_key'; did you mean 'RSA_set0_key'? [-Wimplicit-function-declaration]
DSA_set0_key(sdsa, BN_dup(pub_key), NULL);
^~~~~~~~~~~~
RSA_set0_key
ntp_crypto.c:2976:2: warning: implicit declaration of function 'DSA_set0_pqg'; did you mean 'DH_set0_pqg'? [-Wimplicit-function-declaration]
DSA_set0_pqg(sdsa, sp, sq, sg);
^~~~~~~~~~~~
DH_set0_pqg
ntp_crypto.c:2991:8: warning: implicit declaration of function 'i2d_DSAparams'; did you mean 'i2d_DHxparams'? [-Wimplicit-function-declaration]
len = i2d_DSAparams(sdsa, NULL);
^~~~~~~~~~~~~
i2d_DHxparams
ntp_crypto.c:2995:3: warning: implicit declaration of function 'DSA_free'; did you mean 'RSA_free'? [-Wimplicit-function-declaration]
DSA_free(sdsa);
^~~~~~~~
RSA_free
ntp_crypto.c: In function 'crypto_mv':
ntp_crypto.c:3060:11: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
^
ntp_crypto.c:3077:14: warning: implicit declaration of function 'd2i_DSAparams'; did you mean 'd2i_DHxparams'? [-Wimplicit-function-declaration]
if ((sdsa = d2i_DSAparams(NULL, &ptr, len)) == NULL) {
^~~~~~~~~~~~~
d2i_DHxparams
ntp_crypto.c:3077:12: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
if ((sdsa = d2i_DSAparams(NULL, &ptr, len)) == NULL) {
这些是 ntp_crypto.c 的标头:
/*
* ntp_crypto.c - NTP version 4 public key routines
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifdef AUTOKEY
#include <stdio.h>
#include <stdlib.h> /* strtoul */
#include <sys/types.h>
#include <sys/param.h>
#include <unistd.h>
#include <fcntl.h>
#include "ntpd.h"
#include "ntp_stdlib.h"
#include "ntp_unixtime.h"
#include "ntp_string.h"
#include "ntp_random.h"
#include "ntp_assert.h"
#include "ntp_calendar.h"
#include "ntp_leapsec.h"
#include <openssl/dsa.h>
#include "openssl/asn1.h"
#include "openssl/bn.h"
#include "openssl/crypto.h"
#include "openssl/err.h"
#include "openssl/evp.h"
#include "openssl/opensslv.h"
#include "openssl/pem.h"
#include "openssl/rand.h"
#include "openssl/x509.h"
#include "openssl/x509v3.h"
#include "libssl_compat.h"
#ifdef KERNEL_PLL
#include "ntp_syscall.h"
#endif /* KERNEL_PLL */
我正在使用 OpenSSL v1.1.1
这是 ./configure 选项:
#!/bin/sh
# Configure software package.
configure()
{
cd $packageDir
./bootstrap
./configure --host=arm-linux --with-yielding-select=yes --with-crypto=openssl --enable-linuxcaps \
--with-openssl-incdir=$OPENSSL_DIR/install-arm/include/ \
--with-openssl-libdir=$OPENSSL_DIR/install-arm/lib/ \
return $?
}
我发现如果我自己编译 NTP,包 ntp-keygen 缺少自动密钥验证功能。
我编译的ntp的帮助界面如下:
而如果我只是 apt-get install ntp,ntp-keygen 帮助看起来像这样:
根据文档,这些功能应该默认启用。当我检查 ./configure --help 时确认了这一点:
*+号表示默认启用
我正在通过zeus yocto 发行版开发基于 yocto 的 Linux 发行版。我需要在分发中添加一个 NTP 客户端,但我不需要在映像中安装 NTP 服务器。
我找到了秘诀:
meta-openembedded/meta-networking/recipes-support /ntp/ntp_4.2.8p15.bb
这与网络时间协议 (NTP) 相关。
该配方包含以下有关它的信息:
摘要 = “网络时间协议守护程序和实用程序”
描述 = “网络时间协议 (NTP) 用于将计算机客户端或服务器的时间同步到另一个服务器或参考时间源,例如无线电或卫星接收器或调制解调器。 "
前面的信息没有解释配方是否安装了 NTP 服务器或 NTP 客户端或两者。
我需要的是一个 NTP 客户端应用程序,它能够连接到可配置的 NTP 服务器并获取当前日期和时间。
以下指令:
IMAGE_INSTALL += "ntp"
不适合,因为将调用的 NTP 服务器添加到 yocto 映像中ntpd。
我必须添加到图像中以包含客户端 NTP 的包是什么?是包含在以前的食谱中还是我必须找到不同的食谱?
谢谢