NTP config in YAST OKs server when added, but can't Synchronize Now

In YAST, configuring a server for the Network Time Protocol (NTP). When I add a new public NTP server, the test succeeds. However, when I accept that and I’m back at the Change Date & Time screen, the Synchronize Now button results in a failure to get an update from the server.
I’ve looked at the firewall and NTP UDP:123 is checked in the External zone.
Hints welcomed.

On 02/13/2019 08:56 PM, konsultor wrote:
>
> In YAST, configuring a server for the Network Time Protocol (NTP). When
> I add a new public NTP server, the test succeeds. However, when I
> accept that and I’m back at the Change Date & Time screen, the
> Synchronize Now button results in a failure to get an update from the
> server.

Have you tried getting a LAN/wire trace to see what is happening on the wire?


sudo /usr/sbin/tcpdump -n -s 0 -i any port 123

# or written to a file for you to post for us to review

sudo /usr/sbin/tcpdump -n -s 0 -i any -w /tmp/ntp.cap -v port 123

> I’ve looked at the firewall and NTP UDP:123 is checked in the External
> zone.

The firewall configuration is all about incoming traffic, and normally
(with SuSEfirewall2 anyway) would work, even with UDP, when your box
starts the communication, so you should not need to change it for NTP to
work on this box as a client (vs. as a server).

Once upon a time, years ago, I reported a bug against YaST2 because it was
allowing addresses to be added even though the connection test was
failing, but I’d expect that to still be fixed. I found the problem using
the LAN/wire trace steps above, so I’d start there.

Does any address work? Is it possible only the NTP server you are trying
is bad? There are public addresses, assuming your network allows reaching
them like most do, at pool.ntp.org (and <country>.pool.ntp.org, e.g.
us.pool.ntp.org) which you can use to test.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

@konsultor:

Have you checked the output of “chronyc activity”, “chronyc sources” and “chronyc sourcestats”?

Looking at the YaST NTP module, it seems that it can’t, yet, handle the complete chrony configuration file – it only mentions the “pool” entry but, not the “server” entry …

Have you setup the systemd services correctly?


 > systemctl list-unit-files | grep -iE 'ntp|chron'
chrony-dnssrv@.service                                                 static   
chrony-wait.service                                                    disabled 
chronyd.service                                                        enabled  
ntp-wait.service                                                       masked   
ntpd.service                                                           masked   
chrony-dnssrv@.timer                                                   disabled 
 > 

It should be running

/usr/sbin/chronyd -q -t 30 'pool *server* iburst'

where server is server from your definition. Does it fail if you run it in terminal?

Tried this first, since it is quick (will do a wireshark trace later). Got this:

Linspak:/home/konsultor # /usr/sbin/chronyd -q -t 30 'pool 1.pool.ntp.org iburst'
2019-02-14T18:46:55Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SECHASH -SIGND +ASYNCDNS +IPV6 -DEBUG)
2019-02-14T18:46:55Z Fatal error : Another chronyd may already be running (pid=12637), check /var/run/chronyd.pid
Linspak:/home/konsultor # /var/run/chronyd.pid
bash: /var/run/chronyd.pid: Permission denied

I don’t understand why a process running as SU finds permission denied. Went looking for the pid, but that no longer is a sortable column in Services Manager. This is the first time I’ve encountered this situation.


sudo /usr/sbin/tcpdump -n -s 0 -i any port 123

# or written to a file for you to post for us to review

sudo /usr/sbin/tcpdump -n -s 0 -i any -w /tmp/ntp.cap -v port 123

Not yet, will do.

Same result from 4 different NTP server names.

Captured a pcap file with tcpdump, and can display it in Wireshark. Unaccustomed as I am, I don’t see how to get the pcap to you because I can’t post an attached file, Kate displays gibberish, and I can’t find a way to copy the legible packet lines from Wireshark. There must be a way. Please let me know what I’m missing.
Thanks.

Well, this is clear enough. Was chronyd started when you tried to “synchronize now” from YaST (systemctl status chronyd.service)? Do you have anything in logs around this time (journalctl) - YaST should have logged reason for error as well?

You didn’t check the systemd status of the Chrony service before attempting to start another instance of the Chrony daemon …


 # systemctl status chronyd.service 
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-02-15 10:32:46 CET; 40min ago
     Docs: man:chronyd(8)
           man:chrony.conf(5)
  Process: 1047 ExecStartPost=/usr/share/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 1000 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
 **Main PID: 1016 (chronyd)**
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/chronyd.service
           └─**1016 /usr/sbin/chronyd**

Feb 15 10:32:45 xxx systemd[1]: Starting NTP client/server...
Feb 15 10:32:45 xxx chronyd[1016]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SE>
Feb 15 10:32:45 xxx chronyd[1016]: Frequency -2.839 +/- 0.154 ppm read from /var/lib/chrony/drift
Feb 15 10:32:46 xxx systemd[1]: Started NTP client/server.
Feb 15 10:33:19 xxx chronyd[1016]: Selected source 2001:16b8:2d1c:d800:5e49:79ff:fedc:e1aa
Feb 15 10:35:30 xxx chronyd[1016]: Selected source 217.91.44.17
 # 
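
Added example, not part of the thread: one way to act on chronyd's "check /var/run/chronyd.pid" hint is to read the pid file (never execute it) and test whether the recorded PID is a live process with the expected name. The function name `pidfile_status` and its output words are made up here, and the `/proc` lookup assumes Linux.

```shell
#!/bin/sh
# pidfile_status FILE [NAME]  (hypothetical helper, not part of chrony)
# Read a pid file and report whether the PID it records belongs to a live
# process, optionally one whose command name is NAME. Prints one of:
#   missing | invalid | stale PID | other PID COMM | running PID COMM
pidfile_status() {
    file=$1
    want=${2:-}
    [ -r "$file" ] || { echo "missing"; return 0; }
    # A pid file is plain text: first line, whitespace stripped.
    pid=$(head -n 1 "$file" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo "invalid"; return 0 ;;
    esac
    # /proc/PID exists only while the process does (Linux-specific).
    if [ ! -d "/proc/$pid" ]; then
        echo "stale $pid"
        return 0
    fi
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    if [ -n "$want" ] && [ "$comm" != "$want" ]; then
        echo "other $pid $comm"      # PID now belongs to a different program
    else
        echo "running $pid $comm"
    fi
}

# Path taken from the error message in the thread; pass another as $1.
pidfile_status "${1:-/var/run/chronyd.pid}" chronyd
```

A `running` result means a second `chronyd` will refuse to start until the first is stopped; `stale` or `other` means the pid file is left over from an earlier run.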

On 02/14/2019 11:56 AM, konsultor wrote:
>
> Code:
> --------------------
> Linspak:/home/konsultor # /usr/sbin/chronyd -q -t 30 'pool 1.pool.ntp.org iburst'
> 2019-02-14T18:46:55Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SECHASH -SIGND +ASYNCDNS +IPV6 -DEBUG)
> 2019-02-14T18:46:55Z Fatal error : Another chronyd may already be running (pid=12637), check /var/run/chronyd.pid
> Linspak:/home/konsultor # /var/run/chronyd.pid
> bash: /var/run/chronyd.pid: Permission denied
>
> --------------------
>
> I don’t understand why a process running as SU finds permission denied.

You apparently tried to execute a .pid file, and unless something was very
wrong, a pid file is not marked as executable. Linux implements a lot of
security features that other platforms do not, such as not allowing
execution/running of non-executable files, where executable-ness is
determined via the file’s permission/mode. A pid file is not meant to
run, so it lacks this permission/mode, so even though you are root (though
we should think of it as “especially because you are ‘root’”) you cannot
run this, and that’s good.

If you want to see the file, use ‘ls’, and if you want to see the contents
of the file, use ‘less’.

Otherwise, see the other responses on how to continue with this chrony issue.

Regarding the tcpdump output from the first command (the one that did not
write data to a file) you could post the text here, or for the one that
did write to a file you could post that file with one of a million file
sharing services I suppose. Maybe the others’ troubleshooting will get
you to the final place sooner, though.


Good luck.

Let’s see if we can knock out some of the things discussed in this thread…

A packet capture using tcpdump or wireshark wouldn’t have been my first choice to troubleshoot, but let’s cover the things you ran into…

Wireshark itself can analyze the packets themselves for things like the packet headers, payload, protocol type, source and target IP addresses. But, unless you’re practiced at looking at these, you may not get much benefit.

One thing you can do is export the data into a format like CSV which is pretty universal. Sometimes then the CSV file can be imported into a spreadsheet like LibreOffice Calc, and then use Calc’s sorting capabilities to analyze like grouping packets to study frequency based on the parameters of your choice.

As for posting data so that others can download and view the data, instead of using a personal cloud storage service it’s common to post to a pastebin. A couple common pastebins we use here are

http://paste.opensuse.org/
http://pastebin.com

As for the chronyd errors you posted, the reason why you’re getting errors like “permission denied” is because it’s already running, and would have to be stopped first if you want to manually start it.

I don’t see that you tried to start a pid file, and I’d be surprised if something of the sort would have occurred to you, the pid error is a result of the chronys daemon starting up with a fixed pid, and an instance is already running.

As for your original problem described in the first post, this sounds to me like a bug (a sync likely needs to stop and start the chronys daemon, not just start an instance)…
I recommend you submit a bug to https://bugzilla.opensuse.org and in the bug report reference this Forum thread.

HTH,
TSU

Thanks for all your input. For various reasons, I re-installed Leap 15, updated (after recent trouble with repos), and still can’t sync time with 3.opensuse.pool.ntp.org; can’t ping it either. However, pool.ntp.org responds to ping in about 15 ms.
Checked that there is only one instance of chrony running.
So I’ll report a bug.


 > dig 3.opensuse.pool.ntp.org

; <<>> DiG 9.11.2 <<>> 3.opensuse.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4765
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;3.opensuse.pool.ntp.org.       IN      A

;; ANSWER SECTION:
3.opensuse.pool.ntp.org. 149    IN      A       85.25.210.112
3.opensuse.pool.ntp.org. 149    IN      A       37.120.184.82
3.opensuse.pool.ntp.org. 149    IN      A       94.130.49.186
3.opensuse.pool.ntp.org. 149    IN      A       176.9.1.211

;; Query time: 31 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Tue Mar 26 10:36:34 CET 2019
;; MSG SIZE  rcvd: 116

 > 

Ping is also OK – for all the listed IPv4 addresses – from here – Germany …

You could, if you want to, choose the NTP server pool address which serves your location on this planet: https://support.ntp.org/bin/view/Servers/NTPPoolServers.
Using the pool “de.pool.ntp.org” and, my DSL Router (which also uses the aforementioned pool and, has 50 Mbit/s downlink and 1 GBit/s LAN) as a fallback server, I get the following result:


 > chronyc tracking
Reference ID    : 5E82B8C1 (nbg01.muxx.net)
Stratum         : 3
Ref time (UTC)  : Tue Mar 26 09:38:38 2019
System time     : 0.000792407 seconds slow of NTP time
Last offset     : -0.000195386 seconds
RMS offset      : 0.000245543 seconds
Frequency       : 4.313 ppm slow
Residual freq   : -0.011 ppm
Skew            : 0.056 ppm
Root delay      : 0.040515944 seconds
Root dispersion : 0.002126989 seconds
Update interval : 1027.2 seconds
Leap status     : Normal
 > 

The reason why he gets

Linspak:/home/konsultor # /var/run/chronyd.pid
bash: /var/run/chronyd.pid: Permission denied

is explained by @ab above. That is a file containing a PID, thus a number only. A file with only a few numeric characters in it cannot be executed.

For the sake of archives …

File content is irrelevant for “Permission denied”. The error is returned because file permissions do not include executable bit(s).
File with numeric characters in it will be happily executed after “chmod +x”. Whether execution result will be useful is beyond current scope.

Depends a bit on what you call “happily”. Does such a file even load and get a PID from the kernel?
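
Added example, not part of the thread: the exit statuses behind the exchange above, reproduced on a constructed scratch file shaped like the pid file (the function names are made up here). Without an execute bit `execve()` is refused and the shell reports status 126, for root as well; with the bit set the kernel still rejects the file as an unrecognized format, so the shell falls back to reading it as a script in a child process and ends with 127 because no command named `12637` exists.

```shell
#!/bin/sh
# Constructed sample: a scratch file holding one line with a PID, like
# /var/run/chronyd.pid. Nothing under /var/run is touched.

# try_exec FILE: try to run FILE as a command and print the exit status.
#   126 = found but not executable ("Permission denied")
#   127 = command not found
try_exec() {
    status=0
    "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# demo_pidfile_exec: print "<status without x bit> <status with x bit>".
demo_pidfile_exec() {
    dir=$(mktemp -d) || return 1
    pidfile="$dir/chronyd.pid"
    echo 12637 > "$pidfile"

    chmod 644 "$pidfile"            # typical pid file mode: no execute bit
    before=$(try_exec "$pidfile")   # execve() fails with EACCES

    chmod u+x "$pidfile"            # same content, execute bit added
    after=$(try_exec "$pidfile")    # shell interprets the line "12637"

    rm -rf "$dir"
    echo "$before $after"
}

demo_pidfile_exec
```

The file content never changes between the two attempts; only the mode does, which is why the first failure is a permission error and the second is not.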