這次筆者需要面對的環境對時間的同步有比較高的要求, 而虛擬化的環境中時間是比較容易出問題的, 您可以參考上一篇博文為什么Domain controller上的time synchronization非常重要? 筆者的環境里, 經過親自觀察, 如果沒有時間同步, 虛擬機與標准時間差距在短短的兩個小時之內竟然就偏差了近半個小時!
按照VMware KB 1003063的說法, ESXi 5.5只要在vCenter的vSphere里配好NTP client就可以了.
Note: For ESX 3.5 and above, NTP can be configured from vSphere Client and no longer requires manual configuration.
然而, 這不是真的.
問題描述
===============================================
先介紹筆者的環境:
- 一台安裝了Windows 2012的實體機, 它並不是Domain Controller.
- 三台ESXi 5.5.
- 一台安裝了vCenter 5.5的Windows 2008 R2虛擬機, 運行在上面的一台ESXi上.
按照文檔Configuring Windows Time service to use an internal hardware clock的步驟,我將Windows 2012實體機配置成了使用內部硬件時鍾的NTP server. 注意, 微軟的文章如何在 Windows Server 中配置權威時間服務器是不work的.
按照VMware KB 1003736的步驟, 將三台ESXi 5.5 配置成了與Windows 實體機NTP server 同步時間.
結果如圖:
NTP Server的時間
一台ESXi的時間
懂行的你一定會說, ESXi上只存UTC的時間, 你在vCenter vSphere中看到的時間是convert過了的. 那我就補充一句, 我的vSphere所在的機器的時區已經被設置為與NTP server一樣的時區, 而且時間是一樣的.
其結論就是, 這個ESXi的NTP有問題, 時間沒有同步.
問題排查
==============================================
首先, 需要verify我們的NTP server是否是好的.
於是筆者挑選了一台安裝在其中一台ESXi上的虛擬機. 注意, 默認情況下只要安裝了VMware Tools, 那么即使你沒有開啟VMware tools的timesync, 虛擬機也會在某些情況下和其宿主去sync時間的, 詳見Configure Time Synchronization Between Guest and Host Operating Systems.
這台ESXi的虛擬機的時間是錯誤的, 因為ESXi的時間是錯誤的. –_-||
筆者運行了如下的命令, 使這台虛擬機的時間正確了.
net start w32tm
w32tm /config /manualpeerlist:10.110.69.124 /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
由此, 我們證明了NTP server是正常工作的. 筆者把NTP Server的時間設置的與標准時間相差了幾分鍾, 所以, 可以避免混淆.
下一步, 筆者在vSphere里嘗試了界面能操作的所有相關東西, 都沒能讓NTP client正常工作.
筆者按照文章Troubleshooting NTP on ESX and ESXi 4.x / 5.x (1005092)所講的去排查, 沒有結果. 直到, 筆者找到這篇文章.
詳細步驟不介紹了, 大家可以自己去看, 我只簡單說一下:
1. 在/etc/ntp.conf的最后一行添加一行tos maxdist 30.
2. 修改/etc/likewise/lsassd.conf文件, 取消掉#sync-system-time的注釋, 顯式地設置sync-system-time = yes
3. 重啟lsassd服務和ntpd服務.
困擾了筆者好幾天的問題終於解決了!
另外, 文章ntpd - Network Time Protocol (NTP) daemon有如下的介紹:
Most operating systems and hardware of today incorporate a time-of-year (TOY) chip to maintain the time during periods when the power is off. When the machine is booted, the chip is used to initialize the operating system time. After the machine has synchronized to a NTP server, the operating system corrects the chip from time to time. In case there is no TOY chip or for some reason its time is more than 1000s from the server time, ntpd assumes something must be terribly wrong and the only reliable action is for the operator to intervene and set the clock by hand. This causes ntpd to exit with a panic message to the system log. The -g option overrides this check and the clock will be set to the server time regardless of the chip time. However, and to protect against broken hardware, such as when the CMOS battery fails or the clock counter becomes defective, once the clock has been set, an error greater than 1000s will causentpd to exit anyway.
注意粗體的部分, 說如果NTP client的時間與server的時間相差超過1000秒, 那么NTPD就會假設發生了嚴重的錯誤, 從而只能手動進行時間調整. 筆者在測試時, 時間差超過了1000秒, 也成功同步了.
命令列表
==============================
cp /etc/ntp.conf /etc/ntp.conf.bak
vi /etc/ntp.conf
“tos maxdist 30”
cp /etc/likewise/lsassd.conf /etc/likewise/lsassd.conf.bak
chmod +w /etc/likewise/lsassd.conf
vi /etc/likewise/lsassd.conf
“sync-system-time = yes”
/sbin/auto-backup.sh./etc/init.d/lsassd restart
./etc/init.d/ntpd restart
參考資料
==============================
Configuring Windows Time service to use an internal hardware clock
http://www.denningelectronics.com/wp-content/uploads/2010/04/TimeService.pdf
VMware ESXi 5.1 will not sync time with Windows 2008 R2 NTP Domain Controller
Guide to configure NTP on ESX servers (1003063)
Configuring the Windows Time Service
http://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/
Verifying time synchronization across an ESX/ESXi host environment(1003736)
Troubleshooting NTP on ESX and ESXi 4.x / 5.x (1005092)
W32tm
http://technet.microsoft.com/en-us/library/w32tm.aspx
Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(v=ws.10).aspx