amazon-web-services - Should I use an NTP server to combat clock drift when using Amazon's EC2 service?

Tags: amazon-web-services time amazon-ec2 ntp system-clock

I'm using AWS, and on an EC2 server ...

[dalvarado@mymachine ~]$ uname -a
Linux mydomain.org 3.14.33-26.47.amzn1.x86_64 #1 SMP Wed Feb 11 22:39:25 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

My clock is off by a minute, even though I have NTPD installed and running
[dalvarado@mymachine ~]$ sudo service ntpd status
ntpd (pid  22963) is running...

It would appear NTP packets are being blocked or there is some other problem, because I get this error ...
[dalvarado@mymachine ~]$ sudo ntpdate pool.ntp.org
 2 Apr 16:43:50 ntpdate[23748]: no server suitable for synchronization found

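Does anyone know, with AWS, whether I should be contacting another server for NTP information, or whether there is some other configuration I need?

Thanks, - Dave

Edit: Including the output requested in the comments ...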
[dalvarado@mymachine ~]$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Second edit:

Here are the contents of the /etc/ntp.conf file
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey    # broadcast server
#broadcastclient            # broadcast client
#broadcast 224.0.1.1 autokey        # multicast server
#multicastclient 224.0.1.1      # multicast client
#manycastserver 239.255.254.254     # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Enable additional logging.
logconfig =clockall =peerall =sysall =syncall

# Listen only on the primary network interface.
interface listen eth0
interface ignore ipv6

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

Here is the output of "ntpq -p"
sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dhcp-147-115-21 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 time-b.timefreq .INIT.          16 u    - 1024    0    0.000    0.000   0.000

Best answer

(2018) Amazon now recommend "just" using their 169.254.169.123 NTP server because

Your instance does not require access to the internet, and you do not have to configure your security group rules or your network ACL rules to allow access.



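(It looks like the link-local "Amazon Time Sync Service" was introduced in late 2017.)

Note: The 169.254.169.123 server performs "leap smearing" and should not be mixed with other (non-Amazon) NTP servers on the internet that do not smear in exactly the same way. Amazon also recommends using chrony instead of ntpd unless you are stuck in a legacy situation where chrony is unavailable, because compared to ntpd, chrony is faster at achieving synchronization, more accurate and more robust.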
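An added example, not part of the original question or answer: a small Python check that flags a config mixing 169.254.169.123 with any other time source (the leap-smearing caveat above) and lists `ntpq -p` peers that never replied, the symptom shown in the question. The function names, the sample config, the last `ntpq` row and its refid are constructed for illustration.

```python
AMAZON_TIME_SYNC = "169.254.169.123"  # link-local address quoted in the answer

def time_sources(conf_text):
    """Hosts on active server/pool/peer lines of an ntp.conf or chrony.conf."""
    hosts = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] in ("server", "pool", "peer"):
            hosts.append(fields[1])
    return hosts

def mixes_smeared_sources(conf_text):
    """True when the Amazon address is configured next to any other source."""
    hosts = time_sources(conf_text)
    return AMAZON_TIME_SYNC in hosts and any(h != AMAZON_TIME_SYNC for h in hosts)

def unreachable_peers(ntpq_output):
    """Remotes in an `ntpq -p` billboard whose reach register is 0."""
    dead = []
    for line in ntpq_output.splitlines():
        fields = line[1:].split()  # column 0 is the one-character tally code
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator or blank line
        # reach is an octal bitmask of the last eight polls; 0 = none answered
        if int(fields[6], 8) == 0:
            dead.append(fields[0])
    return dead

# Constructed config: the Amazon source beside one of the question's pool servers.
MIXED_CONF = """\
server 169.254.169.123 prefer iburst
server 0.amazon.pool.ntp.org iburst
#server 1.amazon.pool.ntp.org iburst
"""

# Two rows copied from the question plus one constructed healthy row (last line).
NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 173.44.32.10    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 deekayen.net    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*169.254.169.123 10.66.1.1        3 u   12   16  377    0.400    0.012   0.020
"""

if __name__ == "__main__":
    print("mixed sources:", mixes_smeared_sources(MIXED_CONF))
    print("never answered:", unreachable_peers(NTPQ_SAMPLE))
```

Feed it the real `/etc/ntp.conf` or `/etc/chrony.conf` text and the captured `ntpq -p` output from each instance to spot hosts whose timestamps cannot be trusted for log correlation.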

Regarding "amazon-web-services - Should I use an NTP server to combat clock drift when using Amazon's EC2 service?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/29418250/
