Why does ntpq -pn report "Connection refused"?
You can triage this a bit by looking into the output via strace
like so:
$ strace ntpq -pn ::1|& grep -i conn
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_INET6, sin6_port=htons(123), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
recvfrom(3, 0x7fffc3365a10, 516, 0, 0, 0) = -1 ECONNREFUSED (Connection refused)
write(2, "Connection refused\n", 19Connection refused
Notice that it's using ipv6 to connect. Basically this line:
connect(3, {sa_family=AF_INET6, sin6_port=htons(123), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
Is NTPD listening on a ipv6 port?
$ netstat -taupn|grep udp|grep ntp
udp 0 0 10.22.7.237:123 0.0.0.0:* 24213/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 24213/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 24213/ntpd
So it doesn't appear to be listening on ipv6, hence the error. We can work around this by telling ntpq -pn
to connect explicitly on ipv4 instead like so:
$ ntpq -pn 127.0.0.1
remote refid st t when poll reach delay offset jitter
==============================================================================
+69.89.207.199 212.215.1.157 2 u 209 256 377 43.582 2.768 0.076
-72.5.72.15 10.3.255.0 3 u 217 256 377 68.627 -1.833 4.388
*204.11.201.12 66.220.9.122 2 u 244 256 377 61.928 -0.712 0.234
+108.59.2.24 130.133.1.10 2 u 178 256 377 1.824 3.256 0.111
Much better. And you can confirm our logic using strace
again:
$ strace ntpq -pn 127.0.0.1|& grep -i conn
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
Notice that ipv4 uses sa_family=AF_INET
whereas ipv6 uses sa_family=AF_INET6
when the ntpq
client attempts to connect to your ntpd
via UDP on port 123.
We can also use the -4
and -6
switches to ntpq -pn
as well:
$ ntpq -pn -4
remote refid st t when poll reach delay offset jitter
==============================================================================
+69.89.207.199 212.215.1.157 2 u 235 256 377 43.582 2.768 0.047
-72.5.72.15 10.3.255.0 3 u 248 256 377 68.627 -1.833 4.417
*204.11.201.12 66.220.9.122 2 u 265 256 377 61.802 -0.765 0.198
+108.59.2.24 130.133.1.10 2 u 212 256 377 1.824 3.256 0.097
References
- https://bugs.launchpad.net/fuel/+bug/1469239
I had the same issue recently with CentOS7. ntpq -p would show 'read: Connection refused', as well as many other commands in ntp debug such as 'clocklist' and some others. NTP servers I set in ntp.conf were being ignored. Here are some other notable outputs:
[root@server ~]# ntpstat
synchronised to NTP server (69.164.198.192) at stratum 3
time correct to within 56 ms
polling server every 1024 s
[root@server ~]# ntpdate
14 Oct 00:02:14 ntpdate[21443]: no servers can be used, exiting
[root@server ~]# systemctl status ntp
Unit ntp.service could not be found.
[root@server ~]# systemctl status ntpd
ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: inactive (dead)
ntpq> version
ntpq [email protected] Thu Aug 8 11:48:03 UTC 2019 (1)
ntpq> clocklist
ntpq: read: Connection refused
ntpq> cooked
Output set to cooked
ntpq> readlist
ntpq: read: Connection refused
When I checked the IP of the NTP server it was using, it was always something from ARIN(?) or a big provider like Level3. I couldn't choose the server, but the servers it was using looked OK. But it still would not let me choose my own servers no matter what I did in /etc/ntp.conf
.
I began to suspect I had a bad program somehow, and I started to suspect the epel repository I loaded as I needed some other programs from there.
Sure enough, I performed the following and resolved the issue:
yum remove ntp
yum install ntp --disablerepo=epel
It reinstalled, now ntpq -p
works, and systemctl status ntpd
appears as:
[root@server ntpstats]# systemctl status ntpd
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2019-10-14 22:14:44 CDT; 3s ago
Finally the servers I set in /etc/ntp.conf
are being used.
I don't know how to get word to epel that their CentOS7 ntp is somehow hosed, maybe someone will see this and report.
Note that both epel and the CentOS repository were showing the same version: ntp-4.2.6p5-29.el7.centos.x86_64
.