为什么ntpq -pn报告“连接被拒绝”？

debugcn 发表于 Dev

你好

我最近在运行NTPD的情况下设置了一个CentOS 6.x系统，并且在运行时遇到此错误ntpq -pn：

$ ntpq -pn
ntpq: read: Connection refused

我知道ntpd通过ntpstat命令可以正常运行：

$ ntpstat
synchronised to NTP server (204.11.201.12) at stratum 3
   time correct to within 71 ms
   polling server every 256 s

为什么ntpq -pn不工作？

你好

您可以通过strace如下方式对输出进行一些分类：

$ strace ntpq -pn ::1|& grep -i conn
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_INET6, sin6_port=htons(123), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
recvfrom(3, 0x7fffc3365a10, 516, 0, 0, 0) = -1 ECONNREFUSED (Connection refused)
write(2, "Connection refused\n", 19Connection refused

请注意，它正在使用ipv6进行连接。基本上这行：

connect(3, {sa_family=AF_INET6, sin6_port=htons(123), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0

NTPD是否正在ipv6端口上侦听？

$ netstat -taupn|grep udp|grep ntp
udp        0      0 10.22.7.237:123             0.0.0.0:*                               24213/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                               24213/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               24213/ntpd

因此，它似乎并未在ipv6上进行监听，因此出现了错误。我们可以通过告诉ntpq -pn明确地在ipv4上进行连接来解决此问题，如下所示：

$ ntpq -pn 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+69.89.207.199   212.215.1.157    2 u  209  256  377   43.582    2.768   0.076
-72.5.72.15      10.3.255.0       3 u  217  256  377   68.627   -1.833   4.388
*204.11.201.12   66.220.9.122     2 u  244  256  377   61.928   -0.712   0.234
+108.59.2.24     130.133.1.10     2 u  178  256  377    1.824    3.256   0.111

好多了。您可以strace再次使用确认我们的逻辑：

$ strace ntpq -pn 127.0.0.1|& grep -i conn
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)

请注意，当客户端尝试通过123端口上的UDP连接到ipv4时，ipv4会使用，sa_family=AF_INET而ipv6会使用。sa_family=AF_INET6ntpqntpd

我们还可以使用-4和-6开关ntpq -pn：

$ ntpq -pn -4
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+69.89.207.199   212.215.1.157    2 u  235  256  377   43.582    2.768   0.047
-72.5.72.15      10.3.255.0       3 u  248  256  377   68.627   -1.833   4.417
*204.11.201.12   66.220.9.122     2 u  265  256  377   61.802   -0.765   0.198
+108.59.2.24     130.133.1.10     2 u  212  256  377    1.824    3.256   0.097