Network Time Protocol (NTP)
NTP (Network Time Protocol) allows a system to synchronize its clock with a time server. Time synchronization on IT infrastructures is critical: for example, if the system time of a node in a cluster differs too much from the rest of the nodes, the cluster software will think that the node is not responding and will automatically remove it from the cluster.
Configuring a local NTP server
To keep the clocks of all nodes in a LAN in sync, a local NTP server can be configured. All nodes on the LAN keep their clocks in sync with the local NTP server using the NTP protocol, and the local NTP server stays in sync with other NTP servers on the Internet.
To configure a server as the local NTP server, the ntp RPM must be installed.
# yum install ntp
Edit the /etc/ntp.conf file and uncomment the line that allows access to all nodes on your LAN (192.168.1.0/24):
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
Note: the local NTP server will be synchronized with the public NTP servers on the Internet listed in the 'server' directives of /etc/ntp.conf, for example 0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, ...
Restart the ntpd service with the new configuration and make sure it is started on boot.
# /etc/init.d/ntpd restart
# chkconfig ntpd on
NTP server security
Some security considerations have to be taken into account in order to run the ntpd service securely. The first one is to open the firewall on the NTP server to allow connections to and from other NTP clients and servers.
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
Note: NTP clients must keep port 123/UDP open on their firewall.
By default the ntpd service is confined by SELinux. To disable this protection, only if it is causing problems:
# setsebool -P ntpd_disable_trans 1
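As an added example that is not part of the original post, the following POSIX shell function audits the 'restrict' lines of an ntp.conf read on stdin: it checks that every non-loopback line carries the nomodify and notrap flags the LAN line above relies on, and that a 'restrict default' line exists so that unlisted sources are restricted too. The two sample configurations are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit the access-control lines
# of an ntp.conf read from stdin. Every 'restrict' line other than loopback
# must carry nomodify and notrap, and a 'restrict default' line must exist.
# Findings are printed one per line; returns 0 when there are none, else 1.
audit_ntp_restrict() {
    awk '
        $1 == "restrict" {
            # An optional -4/-6 selector shifts the address one field right
            addr = ($2 == "-4" || $2 == "-6") ? $3 : $2
            if (addr == "127.0.0.1" || addr == "::1") next   # loopback is exempt
            if (addr == "default") have_default = 1
            has_nomodify = 0; has_notrap = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "nomodify") has_nomodify = 1
                if ($i == "notrap")   has_notrap = 1
            }
            if (!has_nomodify) { print "missing nomodify: " $0; bad = 1 }
            if (!has_notrap)   { print "missing notrap: " $0;   bad = 1 }
        }
        END {
            if (!have_default) {
                print "no \"restrict default\" line (unlisted sources are unrestricted)"
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: the LAN line from the post plus the stock RHEL default line
GOOD_CONF='restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 0.rhel.pool.ntp.org'

# Constructed sample: LAN line without the two flags and no default restriction
WEAK_CONF='restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0
server 0.rhel.pool.ntp.org'

# Demo run: nothing is printed for the good config, three findings for the weak one
printf '%s\n' "$GOOD_CONF" | audit_ntp_restrict && echo "good config: OK"
printf '%s\n' "$WEAK_CONF" | audit_ntp_restrict || echo "weak config: FAIL"
```

On a real server run it as `audit_ntp_restrict < /etc/ntp.conf`.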
NTP clients
To configure the ntpd service on a Linux node as a client of your LAN NTP server, just add the local NTP server IP to a 'server' directive in /etc/ntp.conf. Make sure that port 123/UDP is open on your firewall and that the ntpd service is up and running.
# /etc/init.d/ntpd restart
# chkconfig ntpd on
To force an NTP synchronization the command ntpdate can be used. For example, to sync our clock from the NTP server 192.168.1.10:
# ntpdate -u 192.168.1.10
Note: if the NTP server has not yet finished calculating its drift (the /var/lib/ntp/driftime file), it will not be ready to be used and the NTP client will display the message "no server suitable for synchronization found". Just be patient and wait; sometimes it takes hours ...