Hi all,
I have a problem with ntpd daemon in my CentOS7 vm. When I try to list peers, command fails:
[root@c7tst ntpstats]# ntpq
ntpq> pe
ntpq: read: Connection refused
ntpq>
My actual ntp.conf:
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
#restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
#disable monitor
I have tried to disable all "restrict" statements without luck. Same ntp.conf works in my CentOS6.x hosts ...
Any idea why?? (SELinux is disabled)
Thanks.
Hi,
On Mon, Mar 9, 2015 at 4:43 PM, C.L. Martinez carlopmart@gmail.com wrote:
Hi all,
I have a problem with ntpd daemon in my CentOS7 vm. When I try to list peers, command fails:
[root@c7tst ntpstats]# ntpq
ntpq> pe
ntpq: read: Connection refused
ntpq>
By default, the NTP daemon is stopped in CentOS. Please check whether the NTP daemon is running or not.
Please share the output of "netstat -nupl | grep 123" command for more information.
--Regards Ashishkumar S. Yadav
On 03/09/2015 11:48 AM, Ashish Yadav wrote:
Hi,
On Mon, Mar 9, 2015 at 4:43 PM, C.L. Martinez carlopmart@gmail.com wrote:
Hi all,
I have a problem with ntpd daemon in my CentOS7 vm. When I try to list peers, command fails:
[root@c7tst ntpstats]# ntpq
ntpq> pe
ntpq: read: Connection refused
ntpq>
By default, the NTP daemon is stopped in CentOS. Please check whether the NTP daemon is running or not.
Please share the output of "netstat -nupl | grep 123" command for more information.
--Regards Ashishkumar S. Yadav
Hi Ashish,
of course, ntpd daemon is running:
[root@c7tst tmp]$ ps xauw | grep ntp
ntp 8238 0.0 0.0 29360 2076 ? Ss 11:09 0:00 /usr/sbin/ntpd -u ntp:ntp -g -4
And:
[root@c7tst tmp]$ sudo ss -putan | grep 123
tcp UNCONN 0 0 172.22.55.1:123 *:* users:(("ntpd",8238,18))
tcp UNCONN 0 0 127.0.0.1:123 *:* users:(("ntpd",8238,17))
tcp UNCONN 0 0 *:123 *:* users:(("ntpd",8238,16))
And /var/log/messages:
Mar 9 09:31:04 c7tst ntpd[6030]: proto: precision = 0.055 usec
Mar 9 09:31:04 c7tst ntpd[6030]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Mar 9 09:31:04 c7tst ntpd[6030]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Mar 9 09:31:04 c7tst ntpd[6030]: Listen normally on 1 lo 127.0.0.1 UDP 123
Mar 9 09:31:04 c7tst ntpd[6030]: Listen normally on 2 prodif 172.22.55.1 UDP 123
Mar 9 09:31:04 c7tst ntpd[6030]: Listening on routing socket on fd #19 for interface updates
Mar 9 09:31:04 c7tst ntpd[6030]: 0.0.0.0 c016 06 restart
Mar 9 09:31:04 c7tst ntpd[6030]: 0.0.0.0 c012 02 freq_set kernel -2.019 PPM
Mar 9 09:31:05 c7tst ntpd[6030]: 0.0.0.0 c615 05 clock_sync
Mar 9 11:09:05 c7tst ntpd[6030]: ntpd exiting on signal 15
Mar 9 11:09:09 c7tst ntpd[8237]: ntpd 4.2.6p5@1.2349-o Sat Dec 20 01:24:55 UTC 2014 (1)
Mar 9 11:09:09 c7tst ntpd[8238]: proto: precision = 0.066 usec
Mar 9 11:09:09 c7tst ntpd[8238]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Mar 9 11:09:09 c7tst ntpd[8238]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Mar 9 11:09:09 c7tst ntpd[8238]: Listen normally on 1 lo 127.0.0.1 UDP 123
Mar 9 11:09:09 c7tst ntpd[8238]: Listen normally on 2 prodif 172.22.55.1 UDP 123
Mar 9 11:09:09 c7tst ntpd[8238]: Listening on routing socket on fd #19 for interface updates
Mar 9 11:09:10 c7tst ntpd[8238]: 0.0.0.0 c016 06 restart
Mar 9 11:09:10 c7tst ntpd[8238]: 0.0.0.0 c012 02 freq_set kernel -1.971 PPM
Mar 9 11:09:10 c7tst ntpd[8238]: 0.0.0.0 c615 05 clock_sync
But, I am worried about two things. First in /var/log/messages:
Mar 9 11:09:09 c7tst ntpd[8238]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
¿¿????
And second: ss output shows an "UNCONN", that means "unconnected" .... Uhmmm, and I don't understand why .... There is no firewall or blocking gateway between this C7 vm and Internet ...
On Mon, 9 Mar 2015, C.L. Martinez wrote:
Hi all,
I have a problem with ntpd daemon in my CentOS7 vm. When I try to list peers, command fails: [....]
[root@c7tst ntpstats]# ntpq
ntpq> pe
ntpq: read: Connection refused
ntpq>
Does "ntpq -4 -c peer" work? If so, then the problem is related to access via IPv6 and this line in ntp.conf:
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
#restrict ::1
Uncomment the IPv6 restrict entry, restart ntpd, and try again.
On 03/09/2015 03:42 PM, Paul Heinlein wrote:
On Mon, 9 Mar 2015, C.L. Martinez wrote:
Hi all,
I have a problem with ntpd daemon in my CentOS7 vm. When I try to list peers, command fails: [....]
[root@c7tst ntpstats]# ntpq
ntpq> pe
ntpq: read: Connection refused
ntpq>
Does "ntpq -4 -c peer" work? If so, then the problem is related to access via IPv6 and this line in ntp.conf:
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
#restrict ::1
Uncomment the IPv6 restrict entry, restart ntpd, and try again.
Yep, using "ntpq -4", works:
[root@c7tst tmp]$ ntpq -4
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*lafkor.de       192.93.2.20      2 u    5   64    1   64.748    1.130   0.268
 primary.server. 134.130.5.17     2 u    4   64    1   83.842    1.120   0.614
 ntp1.warwicknet 195.66.241.10    2 u    5   64    1   66.697   -1.593   0.504
 ntp.univ-poitie 193.50.27.66     3 u    5   64    1   72.149   10.225   2.323
ntpq> quit
Uhmm .. Then, my problem is with IPv6. I have disabled all IPv6 stack using ipv6_disable=1 in grub.cfg ...
According to this I need to re-enable ... Correct??
On Mon, 9 Mar 2015, C.L. Martinez wrote:
Does "ntpq -4 -c peer" work? If so, then the problem is related to access via IPv6 and this line in ntp.conf:
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
#restrict ::1
Uncomment the IPv6 restrict entry, restart ntpd, and try again.
Yep, using "ntpq -4", works [....]
Uhmm .. Then, my problem is with IPv6. I have disabled all IPv6 stack using ipv6_disable=1 in grub.cfg ...
According to this I need to re-enable ... Correct??
I think you'll find that IPv6 is alive and well on your machine. A quick peek will show you:
/sbin/ip -6 addr
In the "lo" device, you'll see the standard "::1/128" loopback address. In your ethernet devices, you'll probably see "fe80::/64" link-local addresses.
All you need to do is uncomment the "restrict ::1" entry in your ntp.conf and restart ntpd.
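
Added example, not part of any message in this thread: a small Python check that separates the two conditions that can stop a local ntpq query, namely no ntpd socket on the queried address versus a restrict rule carrying noquery. The sample config and log text are constructed from the excerpts above; the function names are hypothetical, and the model assumes that a UDP query to an address with no listener comes back as "Connection refused" while a query blocked by noquery is dropped silently and times out.

```python
import re

# Constructed inputs modelled on the thread's ntp.conf and /var/log/messages.
SAMPLE_CONF = """\
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
#restrict ::1
"""
SAMPLE_LOG = """\
ntpd[8238]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
ntpd[8238]: Listen normally on 1 lo 127.0.0.1 UDP 123
ntpd[8238]: Listen normally on 2 prodif 172.22.55.1 UDP 123
"""

def listening(log):
    """Addresses ntpd serves, taken from its 'Listen normally on' lines."""
    return set(re.findall(r"Listen normally on \d+ \S+ (\S+) UDP 123", log))

def restrict_flags(conf):
    """Map each active (uncommented) restrict target to its flag set.
    Simplification: 'mask' ranges are stored but never matched as ranges."""
    rules = {}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if args:
                rules[args[0]] = set(args[1:])
    return rules

def query_outcome(addr, conf, log):
    """Predict what a local ntpq query to addr would see (assumed model)."""
    if addr not in listening(log):
        return "refused"   # no socket on addr: ICMP port unreachable
    rules = restrict_flags(conf)
    flags = rules.get(addr, rules.get("default", set()))
    if flags & {"noquery", "ignore"}:
        return "timeout"   # ntpd drops the control packet silently
    return "ok"

if __name__ == "__main__":
    for addr in ("127.0.0.1", "::1", "172.22.55.1"):
        print(addr, query_outcome(addr, SAMPLE_CONF, SAMPLE_LOG))
```

Opening queries for a loopback address with its own restrict line leaves "restrict default ... noquery" in place for every other source, which is the setting the config's CVE-2013-5211 comment refers to.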