<div dir="ltr">On Thu, Oct 9, 2014 at 10:58 PM, Jan Wagner <span dir="ltr"><<a href="mailto:waja@cyconet.org" target="_blank">waja@cyconet.org</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
tags 764603 + unreproducible moreinfo<br>
thanks<br>
<br>
Hi Leo,<br>
<br>
thanks for reporting the issue.<br>
<br>
Am 09.10.2014 um 16:21 schrieb leo weppelman:<br>
> After hardening the ntp configuration, I noticed that the nagios<br>
> check was no longer functioning. The line I added to ntp.conf was:<br>
> restrict default limited kod nomodify notrap nopeer noquery<br>
><br>
> The culprit turned out to be the 'kod' option in the restrict<br>
> line.<br>
<br>
The default in /etc/ntp.conf on wheezy is:<br>
<br>
restrict -4 default kod notrap nomodify nopeer noquery<br>
restrict -6 default kod notrap nomodify nopeer noquery<br>
<br>
> The nagios check does not understand the contents of the 'KoD'<br>
> package and only reports that the server stratum is 0. Which is<br>
> part of the KoD packet.<br>
<br>
On wheezy I adjusted the ntp.conf like you said:<br>
<br>
$ grep limit /etc/ntp.conf | grep -v ^#<br>
restrict -4 default kod notrap nomodify nopeer noquery limited<br>
restrict -6 default kod notrap nomodify nopeer noquery limited<br>
<br>
Checking with check_ntp_time binary from the soon to be released next<br>
upstream:<br>
<br>
$ /usr/lib/nagios/plugins/check_ntp_time -H localhost<br>
NTP OK: Offset -0,0002338594495<br>
secs|offset=-0,000234s;60,000000;120,000000;<br>
$ dpkg -l | grep monitoring-plugins-basic<br>
ii monitoring-plugins-basic<br>
2.0+git20141006-1~2~bpo70+1 i386 Plugins for nagios<br>
compatible monitoring systems (basic)<br>
<br>
Even with the check_ntp_time binary from the 1.4.16-1 it seems to work:<br>
<br>
$ /tmp/check_ntp_time -H localhost<br>
NTP OK: Offset 4,751665983e-06 secs|offset=0,000005s;60,000000;120,000000;<br>
$ /tmp/check_ntp_time -V<br>
check_ntp_time v1.4.16 (nagios-plugins 1.4.16)<br>
<br>
Unfortunately I can reproduce your problem. Maybe you can test my<br>
latest packages for wheezy (see <a href="http://ftp.cyconet.org/instructions" target="_blank">http://ftp.cyconet.org/instructions</a><br>
for installing experimental monitoring-plugins packages from my<br>
wheezy-backports repository). Even you can describe a bit more<br>
specific your environment to reproduce this issue.<br></blockquote><div><br></div><div>OK. To keep things simple I start with 1.4.16 too...<br><br>$ grep limit /etc/ntp.conf | grep -v ^#<br>restrict default limited kod nomodify notrap nopeer noquery<br><br>$ COLUMNS=255 dpkg -l ntp<br>ii ntp 1:4.2.6.p5+dfsg-2 i386 Network Time Protocol daemon and utility programs<br><br>$ /usr/lib/nagios/plugins/check_ntp_time -V<br>check_ntp_time v1.4.16 (nagios-plugins 1.4.16)<br><br>$ /usr/lib/nagios/plugins/check_ntp_time -H localhost -vv<br>Found 1 peers to check<br>sending request to peer 0<br>response from peer 0: packet contents:<br> flags: 0x24<br> li=0 (0x00)<br> vn=4 (0x20)<br> mode=4 (0x04)<br> stratum = 3<br> poll = 16<br> precision = 9.53674e-07<br> rtdelay = 0.107757568359375<br> rtdisp = 0.155517578125<br> refid = 1009e0a<br> refts = 1412942304.275869<br> origts = 1412942888.355381<br> rxts = 1412942888.355422<br> txts = 1412942888.355525<br>offset 2.30409205e-06<br>sending request to peer 0<br>response from peer 0: packet contents:<br> flags: 0xe4<br> li=3 (0xc0)<br> vn=4 (0x20)<br> mode=4 (0x04)<br> stratum = 0<br> poll = 16<br> precision = 9.53674e-07<br> rtdelay = 0.107757568359375<br> rtdisp = 0.155517578125<br> refid = 45544152<br> refts = 1412942304.275869<br> origts = 1412942888.356483<br> rxts = 1412942888.356483<br> txts = 1412942888.356483<br>offset -7.599743549e-05<br>sending request to peer 0<br>re-sending request to peer 0<br>re-sending request to peer 0<br>re-sending request to peer 0<br>re-sending request to peer 0<br>re-sending request to peer 0<br>re-sending request to peer 0<br>discarding peer 0: stratum=0<br>no peers meeting synchronization criteria :(<br>overall average offset: 0<br>NTP CRITICAL: Offset unknown|<br><br></div><div>As you can clearly see, the first response packet is a 'normal' response packet. The second response packet however is a KoD packet (li == 3, stratum == 0 and refid == 'RATE').<br><br></div><div>It looks like my ntpd is more eager to send a KoD than yours :-) It can also be that your nagios check has more time between the requests (I believe 2secs. is the threshold). But why this differs between our configs is a mystery to me.<br><br></div><div>Hope this helps,<br><br></div><div>Leo. <br></div></div></div></div>