允许与我们的时间源同步时间,但是不允许源查询或修改这个系统上的服务。
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap noquery
restrict -6 default kod nomodify notrap nopeer noquery
环回网卡允许所有访问。这可能收紧,但这样做会有些影响管理功能。
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
允许系统在这个网络同步时间服务。不允许修改这些系统配置的服务。此外,不能使用那些系统作为对等体。
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap禁止ntpdc修改服务器状态,允许内网其他机器同步时间
从pool.ntp.org项目使用公共时间服务器。
# --- OUR TIMESERVERS -----
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org
利用server 设定上层NTP服务器,格式如下:
server [IP or hostname] [prefer]
perfer:表示优先级最高
burst :当一个运程NTP服务器可用时,向它发送一系列的并发包进行检测。
iburst :当一个运程NTP服务器不可用时,向它发送一系列的并发包进行检测。
注:默认情况小15分钟后才会与上层NTP服务器进行时间校对。.
# --- NTP MULTICASTCLIENT ---多播
#multicastclient
# listen on default 224.0.1.1 # multicast server 其中IP为NTP固定组播地址
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server 其中IP为NTP固定组播地址
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
没有驯服的本地时钟。这是一个假的驱动程序用于备份,在没有外部来源的同步时间是可用的。默认层通常是3,但在这种情况下,我们选择使用层0。由于服务器没有选择关键字,这个驱动程序从未用于同步时间,除非没有其他同步源。如果本地主机控制的一些外部来源,如外部振荡器或另一个协议,选择关键字会导致本地主机无视所有其他同步源,除非内核修改正在使用和声明一个同步的条件。
# --- GENERAL CONFIGURATION ---
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
#server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
#skate add
server 192.168.2.29 prefer
#skate add
漂移文件。把这个守护进程可以写在目录中。
不允许符号链接,因为守护进程更新文件,在相同的目录中,然后通过创建一个临时的重命名()的rename()'ing文件。
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
#
以driftfile记录BIOS与上层Time Server时间差异,关于文件名必须要知道以下几点:driftfile后面接的文件需要使用完整路径的文件名;该文件不能是链接文件;该文件需要设置成ntpd这个守护进程可以写入的权限;该文件所记录的数值单位为百万分之一秒(ppm)
密钥文件。如果你想骗取您在运行时的服务器,使用一个键文件(600模式)和定义的关键数字
用于发出请求。
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
在这里请不要使用默认值。选择你自己的,还是远程的
系统可以调整时钟。还请注意, ntpd启动a标志,禁用认证,将会被删除。
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys