As I was setting up the new varm server, one of the Nagios checks I included was check_ntp_time. It comes standard with nagios-plugins.
The check was reporting NTP CRITICAL: Offset unknown. Running the check from the command line showed:
[dan@webserver:/usr/local/libexec/nagios] $ ./check_ntp_time -4 -H varm
NTP CRITICAL: Offset unknown|
Running the check with a timeout showed:
[dan@webserver:/usr/local/libexec/nagios] $ ./check_ntp_time -4 -H varm -t 1
CRITICAL - Socket timeout after 1 seconds
I checked sockstat output on a machine which worked and then on varm. They both looked similar to this:
$ sockstat -p 123 -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       778   21 udp4   *:123                 *:*
root     ntpd       778   22 udp4   10.0.0.20:123         *:*
root     ntpd       778   27 udp4   127.0.0.1:123         *:*
Next, I compared configuration files. I noticed the differences were:
$ diff /etc/ntp.conf ~/ntp.conf
1a2
>
3c4
< # $FreeBSD: stable/10/etc/ntp.conf 285612 2015-07-15 19:21:26Z delphij $
---
> # $FreeBSD: releng/9.3/etc/ntp.conf 259974 2013-12-27 23:09:40Z delphij $
47,48c48,49
< restrict default limited kod nomodify notrap nopeer noquery
< restrict -6 default limited kod nomodify notrap nopeer noquery
---
> restrict default kod nomodify notrap nopeer noquery
> restrict -6 default kod nomodify notrap nopeer noquery
It seems the default on 10 STABLE doesn’t allow check_ntp_time to do its stuff. I copied in the values from 9.3, restarted ntpd, and the Nagios check then worked.
But there were interesting bits in /var/log/messages:
ntpd[36357]: ntpd 4.2.8p3-a (1): Starting
ntpd[36358]: restrict default: KOD does nothing without LIMITED.
ntpd[36358]: restrict ::: KOD does nothing without LIMITED.
I started looking at the FreeBSD repo to see what changes had occurred to this file. Of note was this change which led me to the ntpd documentation.
I reverted my changes and added this entry to /etc/ntp.conf instead:
# allow nagios/webserver to query
#
restrict 10.0.0.3
Then all worked just fine.
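As an added example (not from the original post and not part of ntpd or nagios-plugins), this Python script parses the restrict lines discussed above, reports which flags the most specific matching entry gives a querying host, and lists any entry that sets kod without limited. The function names and the second address 10.0.0.99 are assumptions made for illustration; only numeric addresses and IPv4 dotted masks are handled.

```python
import ipaddress

# Constructed sample: the stable/10 defaults from the diff in the post plus
# the per-host entry the post ends up adding.
SAMPLE_CONF = """\
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
# allow nagios/webserver to query
#
restrict 10.0.0.3
"""

def parse_restrict(conf):
    """Return [(network, flags)] for each 'restrict' line of ntp.conf text.
    Assumes numeric addresses and IPv4 dotted masks (no hostnames)."""
    entries = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok or tok[0] != "restrict":
            continue
        tok = tok[1:]
        family = 4
        if tok and tok[0] in ("-4", "-6"):
            family = int(tok.pop(0)[1:])
        addr = tok.pop(0)
        if addr == "default":
            net = ipaddress.ip_network("::/0" if family == 6 else "0.0.0.0/0")
        else:
            mask = None
            if len(tok) >= 2 and tok[0] == "mask":
                mask, tok = tok[1], tok[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
        entries.append((net, frozenset(tok)))
    return entries

def effective_flags(entries, client):
    """Flags of the most specific entry covering client; empty set = unrestricted."""
    ip = ipaddress.ip_address(client)
    hits = [(n, f) for n, f in entries if n.version == ip.version and ip in n]
    return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else frozenset()

def kod_without_limited(entries):
    """Networks whose entry sets kod but not limited (the case ntpd warned about)."""
    return [str(n) for n, f in entries if "kod" in f and "limited" not in f]

if __name__ == "__main__":
    entries = parse_restrict(SAMPLE_CONF)
    for host in ("10.0.0.3", "10.0.0.99"):   # 10.0.0.99 is a constructed address
        print(host, sorted(effective_flags(entries, host)))
    print("kod without limited:", kod_without_limited(entries))
```

Running it against a real /etc/ntp.conf shows at a glance which hosts are exempt from the default restrictions, which is worth reviewing whenever a per-host restrict line is added for monitoring.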