当前位置：九州下载 > 建站问答 >

linux was部署war包

时间：2022-12-25 19:32编辑：九州下载来源：www.wzjsgs.com

linux

如何在linux suse中配置NTP服务器？

在suse上配置ntp

$vim /etc/ntp.conf

#增加时间源

server 192.168.56.1

$chkconfig ntp on # 在系统重启时启动服务

$service ntp start # 启动ntp

$service ntp status # 查看ntp状态

问题：

1）为什么在故意改了一个错误的时间，ntpd没有更新时间？

如果差异很大，需要重新doing an Initial Synchronization，If the time on the local server is very different from that of its primary time server your NTP daemon will eventually terminate itself leaving an error message in the /var/log/messages file. You should run the ntpdate -u command to force your server to become instantly synchronized with its NTP servers before starting the NTP daemon for the first time. The ntpdate command doesn\'t run continuously in the background, you will still have to run the ntpd daemon to get continuous NTP updates.

2）/etc/ntp.conf中选择主NTP Server

选择了哪个server做为主server是按stratum的大小决定的？应该不是，由ntp的算法决定，如在virtualbox中的suse怎么样都无法选择外部时钟源，ntpd在几次poll time后算法就决定使用local源，郁闷啊。由于是虚拟机中运行，时钟和cpu的频率有关系，跳得比真实的硬件快，在virtaulbox中ntp的算法认为local源比外部源更准确就使用了local的，解决的方法可以去掉local源，只使用外部源或者在crontab中每分钟执行一次ntpdate了。

即使把本机的stratum设置为比外部源更高的，过了一段时间以后，virtualbox中的suse还是选择了local，郁闷again

fudge 127.127.1.0 stratum 12 # not disciplined

remote refid st t when poll reach delay offset jitter

==============================================================================

LOCAL(0) .LOCL. 15 l 9 64 1 0.000 0.000 0.002

192.168.56.1 139.114.32.134 14 u 8 64 1 3.739 -53.045 0.002

注意最开始的时候，ip地址前面是没有符号的，poll几次以后ntp就会选择一个主时间源，前面带 * 号标识。

3）windows上的ntp server配置

官方ntp.org推荐的win上的ntp server，http://www.meinberg.de/german/sw/ntp.htm

3）如何知道ntp的运行状态

使用ntpq命令

$watch ntpq -p # 可以使用watch命令来查看一段时间内服务器各项数值的变化

使用ntpq命令查看与您同步的服务器. 它提供你一份时间服务器配置清单，包括延误值(delay)，偏差值(offset)和抖动值(jitter). 为了能正确同步，延迟值和偏移值应该不为零,抖动值(jitter)应小于100 .

$/usr/local/ntp/bin/ntpq -p

显示如下：

remote refid st t when poll reach delay offset jitter

========================================================

time.nist.gov .ACTS. 1 u 1606 1024 22 357.845 334.375 71.122

*LOCAL(0) .LOCL. 10 l 11 64 377 0.000 0.000 0.001

ntpq -p 可以列出目前我们的NTP与相关的上层NTP的状态，几个字段的意义为：

remote：亦即是 NTP 主机的 IP 或主机名称啰～注意最左边的符号，http://www.ece.udel.edu/~mills/ntp/html/decode.html#peer

它告诉我们远端的服务器已经被确认为我们的主NTP Server,我们系统的时间将由这台机器所提供

它将作为辅助的NTP Server和带有*号的服务器一起为我们提供同步服务. 当*号服务器不可用时它就可以接管

远程服务器被clustering algorithm认为是不合格的NTP Server

远程服务器不可用

refid：参考的上一层 NTP 主机的地址

st：stratum 阶层

when：几秒钟前曾经做过时间同步化更新的动作；

poll：下一次更新在几秒钟之后；

reach：已经向上层 NTP 服务器要求更新的次数

delay：网络传输过程当中延迟的时间，单位为 10^(-6) 秒

offset：时间补偿的结果，单位与 10^(-6) 秒

jitter：Linux 系统时间与 BIOS 硬件时间的差异时间，单位为 10^(-6) 秒。

也可以检查一下BIOS时间与Linux系统时间的差异，就是/var/lib/ntp/drift的内容，就能了解到Linux系统时间与BIOS硬件时钟到底差多久？单位为 10^(-6) 秒

下面的从http://www.meinberg.de/english/info/ntp.htm上摘下来的，详细说明了ntpq -p输出的每个列的意思，reach列为377表示前8次同步都成功。

Checking the NTP Status

The command line utility ntpq can be used to check the status of a NTP daemon on either the local machine or on a remote host.

ntpq can be run in an interactive mode or in batch mode. In batch mode, ntpq executes a command and returns to the command prompt. The parameter -p (\'peers\') lets ntpq print the status of a NTP daemon. Enter

ntpq -p

to display the status of the daemon on the local machine, or

ntpq -p ntp_server

to display the status of the daemon on the remote host ntp_server. The command should print a table with one status line for each reference time source which has been configured for the NTP daemon on the specified host:

remote refid st t when poll reach delay offset jitter

=======================================================================

LOCAL(0) LOCAL(0) 12 l 30 64 377 0.000 0.000 0.000

*GENERIC(0) .DCFa. 0 - 24 64 377 0.000 0.050 0.003

+172.16.3.103 .PPS. 1 u 36 64 377 1.306 -0.019 0.043

The table above shows the output for a NTP daemon which has 3 reference time sources: its own local clock, a DCF77 radio clock as refclock-0, plus an NTP daemon on the network, with IP address 172.16.3.103.

If the first character of a line is not blank then it contains a qualifier for the corresponding reference time source. Immediately after the daemon has been started all qualifiers are blank. The NTP daemon needs several polling cycles to check the available time sources and declare one of them as the reference it synchronizes to.

An asterisk * in the first column marks the reference time source which is currently preferred by the NTP daemon, the + character marks high quality candidates for the reference time which could be used if the currently selected reference time source should become unavailable.

The column remote displays the IP address or the host name of the reference time source, where LOCAL refers to the local clock. The refid shows the type of the reference clock, where e.g. LOCAL or LCL refers to the local clockagain, .DCFa. refers to a standard DCF77 time source, and .PPS. indicates that the reference clock is disciplined by a hardware pulse-per-second signal. Other identifiers are possible, depending on the type of the reference clock.

The column st reflects the stratum number of the reference time source. In the example above, the local clock has stratum 12, the remote time server at 172.16.3.103 has stratum 1 which is the best you can see across the network, and the local radio clock has stratum 0, so the radio clock is currently being preferred.

Every time a when count reaches the poll number in the same line, the NTP daemon queries the time from the corresponding time source and resets the when count to 0. The query results of each polling cycle are filtered and used as a measure for the clock\'s quality and reachability.

The column reach shows if a reference time source could be reached at the last polling intervals, i.e. data could be read from the reference time source, and the reference time source was synchronized. The value must be interpreted as an 8 bit shift register whose contents is for historical reasons displayed as octal values. If the NTP daemon has just been started, the value is 0. Each time a query was successful a \'1\' is shifted in from the right, so after the daemon has been started the sequence of reach numbers is 0, 1, 3, 7, 17, 37, 77, 177, 377. The maximum value 377 means that the eight last queries were completed successfully.

Queries are considered successful if data can be received from the time source, and the time source in turn claims to be synchronized to some other timesource. In case of a hardware reference clock this means the query considered unsuccessful if the hardware reference clock is not synchronized to its incoming time signal, e.g. because the clock\'s antenna has been disconnected, or if no data can be received e.g. because the serial cable to an external device has been disconnected.

The NTP daemon must have reached a reference time source several times (reach not 0) before it selects a preferred time source and puts an asterisk in the first column.

The columns delay, offset and jitter show some timing values which are derived from the query results. In some versions of ntpq the last column is labeled disp (for dispersion) instead of jitter. All values are in in milliseconds. The delay value is derived from the roundtrip time of the queries. The offset value shows the difference between the reference time and the system clock. The jitter value indicates the magnitude of jitter between several time queries.

linux服务之OpenSSH服务？

OpenSSH这一术语指系统中使用的Secure Shell软件的软件实施。用于在远程系统上安全运行shell。如果您在可提供ssh服务的远程Linux系统中拥有用户帐户，则ssh是通常用来远程登录到该系统的命令。ssh命令也可用于在远程系统中运行命令。

常见的远程登录工具有：

telnet

ssh

dropbear

telnet //远程登录协议，23/TCP//一般用于测试端口或者接口是否开启

认证明文

数据传输明文

ssh //Secure SHell，应用层协议，22/TCP

通信过程及认证过程是加密的，主机认证

用户认证过程加密

数据传输过程加密

dropbear //嵌入式系统专用的SSH服务器端和客户端工具，一般应用于手机上

1.2 SSH 版本

openssh有两个版本，分别为v1和v2，其特点如下：

v1：基于CRC-32做MAC，无法防范中间人攻击

v2：双方主机协议选择安全的MAC方式。基于DH算法做密钥交换，基于RSA或DSA算法实现身份认证

关于密钥交换

协商生成密码的过程叫做密钥交换（Internet Key Exchange，IKE）使用的是DH协议（Diffie-Hellman）：

A(主机) --> B（主机）

p,g（大素数，生成数），在网络中传输的，公开的

A：自己取一个随机数x

B：自己取一个随机数y

A：g^x%p --> B

B：g^y%p --> A

A：(g^y%p)^x=g^yx%p

B：(g^x%p)^y=g^xy%p

这最后得出的g^xy%p就是最终的密钥

1.3 SSH 认证方式

openssh有两种认证方式，分别是：

基于口令认证（即密码认证）

基于密钥认证（非对称加密。有一对密钥，公钥（P）和私钥（S））

1.4 openSSH 的工作模式

openSSH是基于C/S架构工作的

服务器端 //sshd，配置文件在/etc/ssh/sshd_config

# vim /etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file. See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented. Uncommented options override the

# default value.

# If you want to change the port on a SELinux system, you have to tell

# SELinux about this change.

# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

#Port 22

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

# Example of overriding settings on a per-user basis

#Match User anoncvs

# X11Forwarding no

# AllowTcpForwarding no

# PermitTTY no

# ForceCommand cvs server

客户端

//ssh，配置文件在/etc/ssh/ssh_config

ssh-keygen //密钥生成器

ssh-copy-id //将公钥传输至远程服务器

scp //跨主机安全复制工具

$OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $

# This is the ssh client system-wide configuration file. See

# ssh_config(5) for more information. This file provides defaults for

# users, and the values can be changed in per-user configuration files

# or on the command line.

# Configuration data is parsed as follows:

# 1. command line options

# 2. user-specific file

# 3. system-wide file

# Any configuration value is only changed the first time it is set.

# Thus, host-specific definitions should be at the beginning of the

# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive

# list of available options, their meanings and defaults, please see the

# ssh_config(5) man page.

# Host *

# ForwardAgent no

# ForwardX11 no

# RhostsRSAAuthentication no

# RSAAuthentication yes

# PasswordAuthentication yes

# Send locale-related environment variables

SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE

SendEnv XMODIFIERS

1.5 Secure Shell 示例

//以当前用户身份创建远程交互式shell，然后在结束时使用exit命令返回到之前的shell

# ssh 192.168.112.131

The authenticity of host \'192.168.112.131 (192.168.112.131)\' can\'t be established.

//生成了一个算法是SHA256得公钥

ECDSA key fingerprint is SHA256:dyCibeKTgTQDtKrGgYAKVnGsLcR/Necufp4Jvnx0cTc.

ECDSA key fingerprint is MD5:bb:a6:d4:16:be:40:d1:d9:ef:6b:89:c9:22:bb:bd:b0.

//问你是否信任所连接得主机，不信任则不连接

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added \'192.168.112.131\' (ECDSA) to the list of known hosts.

root@192.168.112.131\'s password:

Last login: Mon Apr 1 14:24:13 2019 from 192.168.112.14

//此时从用户名得知已经登陆到另一台主机

//以其他用户身份（remoteuser）在选定主机（remotehost）上连接到远程`shell`

# ssh root@192.168.112.131

root@192.168.112.131\'s password:

Last login: Mon Apr 1 14:24:54 2019 from 192.168.112.14

//以远程用户身份（remoteuser）在远程主机（remotehost）上通过将输出返回到本地显示器的方式来执行单一命令

//首先登陆一台主机查看自己IP

# ip a s ens33

2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000link/ether 00:0c:29:8e:77:9b brd ff:ff:ff:ff:ff:ffinet 192.168.112.131/24 brd 192.168.112.255 scope global dynamic ens33valid_lft 1191sec preferred_lft 1191secinet6 fe80::bc68:f1a3:4a1f:87fb/64 scope link

valid_lft forever preferred_lft forever

//在用另一台主机通过ssh来远程执行命令

# ssh root@192.168.112.131 \'/usr/sbin/ip a s ens33\'

root@192.168.112.131\'s password:

2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000link/ether 00:0c:29:8e:77:9b brd ff:ff:ff:ff:ff:ffinet 192.168.112.131/24 brd 192.168.112.255 scope global dynamic ens33valid_lft 1783sec preferred_lft 1783secinet6 fe80::bc68:f1a3:4a1f:87fb/64 scope link

valid_lft forever preferred_lft forever

//w命令可以显示当前登录到计算机的用户列表。这对于显示哪些用户使用ssh从哪些远程位置进行了登录以及执行了何种操作等内容特别有用

# ssh 192.168.112.131

root@192.168.112.131\'s password:

Last login: Mon Apr 1 14:30:57 2019 from 192.168.112.14

//在切换到GUI主机使用w命令查看可以看到192.168.112.14用户在登陆中

# w14:40:59 up 4:37, 2 users, load average: 0.00, 0.02, 0.05

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

root pts/0 192.168.112.1 10:03 3.00s 0.17s 0.01s w

root pts/1 192.168.112.14 14:40 2.00s 0.03s 0.03s -bash

1.5 SSH 主机密钥

ssh通过公钥加密的方式保持通信安全。当某一ssh客户端连接到ssh服务器时，在该客户端登录之前，服务器会向其发送公钥副本。这可用于为通信渠道设置安全加密，并可验证客户端的服务器。

当用户第一次使用ssh连接到特定服务器时，ssh命令可在用户的/.ssh/known_hosts文件中存储该服务器的公钥。在此之后每当用户进行连接时，客户端都会通过对比/.ssh/known_hosts文件中的服务器条目和服务器发送的公钥，确保从服务器获得相同的公钥。如果公钥不匹配，客户端会假定网络通信已遭劫持或服务器已被入侵，并且中断连接。

这意味着，如果服务器的公钥发生更改（由于硬盘出现故障导致公钥丢失，或者出于某些正当理由替换公钥），用户则需要更新其~/.ssh/known_hosts文件并删除旧的条目才能够进行登录。

//主机ID存储在本地客户端系统上的 ~/.ssh/known_hosts 中(家目录中的隐藏目录.ssh)

# cat /root/.ssh/known_hosts

192.168.112.131 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJvfkdzYN1ayz0bbvSc5be4/rddT4r2q/DfLo6VtruJgNNsexqi5GzSJ7AGB1kECRSw4/eg1Z11x05bGjRJfL+8=

//主机密钥存储在SSH服务器上的 /etc/ssh/ssh_host_key* 中（也就是不手动生成密钥的情况下会自动使用这里的密钥）

# ls /etc/ssh/*key*

/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub

2. 配置基于 SSH 密钥的身份验证

用户可通过使用公钥身份验证进行ssh登录身份验证。ssh允许用户使用私钥-公钥方案进行身份验证。这意味着将生成私钥和公钥这两个密钥。私钥文件用作身份验证凭据，像密码一样，必须妥善保管。公钥复制到用户希望登录的系统，用于验证私钥。公钥并不需要保密。拥有公钥的ssh服务器可以发布仅持有您私钥的系统才可解答的问题。因此，可以根据所持有的密钥进行验证。如此一来，就不必在每次访问系统时键入密码，但安全性仍能得到保证。

使用ssh-keygen命令生成密码。将会生成私钥/.ssh/id_rsa和公钥/.ssh/id_rsa.pub。

//使用ssh-keygen生成密钥时首先会询问你密钥文件存放的位置，默认是在/root/.ssh/id_rsa和id_rsa.pub

# ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

//接着会询问你是否为你的私钥配置密码

Enter passphrase (empty for no passphrase):

//最后会提示你密钥创建成功，私钥存放在id_rsa,公钥放在id_rsa.pub

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:XFV5J+RPAuuHQZBipB8yUyQ22/QAOWT+z2Tsi+cJcpw root@CTL