[ntp:questions] 'Temporary failure in name resolution' ntpd error

Terry.Lemons at dell.com Terry.Lemons at dell.com
Thu Jun 11 14:13:13 UTC 2020


Hi Martin

Thanks very much for this reply.  I did stop the AppArmor service:

service apparmor stop

but this made no change in the behavior.

Here's what I see when I start ntpd interactively with two levels of debugging (below) (for security reasons, I changed the name of the company-internal ntp server to REDACTED).

And, again, a 'nslookup' of thentp server hostname completes without error. Maybe I should note that /etc/resolv.conf on this system has two entries; the second DNS server is the one that can resolve the ntp server hostname. But that shouldn't matter, right? Ntpd should be able to do a DNS lookup from a second DNS server, I hope. This same setup does work correctly on my other SLES 12 SP2 system.

Thoughts?

Thanks
tl


lava93109:~ # /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf -d -d &
[1] 63154
lava93109:~ # 11 Jun 08:05:15 ntpd[63154]: ntpd 4.2.8p13 at 1.3847-o Wed Mar 13 12:24:30 UTC 2019 (1): Starting
11 Jun 08:05:15 ntpd[63154]: Command line: /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf -d -d
ntp_rlimit: STACK: 50 4k pages
ntp_rlimit: MEMLOCK: -1 MB
11 Jun 08:05:15 ntpd[63154]: set_process_priority: Leave priority alone: priority_done is <2>
11 Jun 08:05:15 ntpd[63154]: proto: precision = 0.077 usec (-24)
Finished Parsing!!
11 Jun 08:05:15 ntpd[63154]: basedate set to 2019-03-01
11 Jun 08:05:15 ntpd[63154]: gps base set to 2019-03-03 (week 2043)
create_sockets(123)
move_fd: estimated max descriptors: 1024, initial socket boundary: 16
11 Jun 08:05:15 ntpd[63154]: Listen and drop on 0 v6wildcard [::]:123
created interface #0: fd=16, bfd=-1, name=v6wildcard, flags=0x81, ifindex=0, sin=::, Disabled:
11 Jun 08:05:15 ntpd[63154]: Listen and drop on 1 v4wildcard 0.0.0.0:123
created interface #1: fd=17, bfd=-1, name=v4wildcard, flags=0x89, ifindex=0, sin=0.0.0.0, bcast=0.0.0.0, mask=255.255.255.255, Disable
create_interface(127.0.0.1#123)
11 Jun 08:05:15 ntpd[63154]: Listen normally on 2 lo 127.0.0.1:123
hack_restrict: op RESTRICT_FLAGS addr 127.0.0.1 mask 255.255.255.255 ippeerlimit -4 mflags 00003000 rflags 00000001
created interface #2: fd=18, bfd=-1, name=lo, flags=0x5, ifindex=1, sin=127.0.0.1, mask=255.0.0.0, Enabled:
create_interface(10.7.93.109#123)
11 Jun 08:05:15 ntpd[63154]: Listen normally on 3 eth0 10.7.93.109:123
hack_restrict: op RESTRICT_FLAGS addr 10.7.93.109 mask 255.255.255.255 ippeerlimit -4 mflags 00003000 rflags 00000001
created interface #3: fd=19, bfd=-1, name=eth0, flags=0x19, ifindex=2, sin=10.7.93.109, bcast=10.7.93.255, mask=255.255.255.0, Enabled
create_interface(::1#123)
11 Jun 08:05:15 ntpd[63154]: Listen normally on 4 lo [::1]:123
hack_restrict: op RESTRICT_FLAGS addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 mflags 00003000 rflags 00000001
created interface #4: fd=20, bfd=-1, name=lo, flags=0x5, ifindex=1, sin=::1, Enabled:
create_interface(2620:0:170:70d:2ce0:9284:5d16:a96b#123)
11 Jun 08:05:15 ntpd[63154]: Listen normally on 5 eth0 [2620:0:170:70d:2ce0:9284:5d16:a96b]:123
hack_restrict: op RESTRICT_FLAGS addr 2620:0:170:70d:2ce0:9284:5d16:a96b mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 m003000 rflags 00000001
created interface #5: fd=21, bfd=-1, name=eth0, flags=0x11, ifindex=2, sin=2620:0:170:70d:2ce0:9284:5d16:a96b, Enabled:
create_interface(2620:0:170:70d:5024:590:fb36:cb75#123)
11 Jun 08:05:15 ntpd[63154]: Listen normally on 6 eth0 [2620:0:170:70d:5024:590:fb36:cb75]:123
hack_restrict: op RESTRICT_FLAGS addr 2620:0:170:70d:5024:590:fb36:cb75 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 mf03000 rflags 00000001
created interface #6: fd=22, bfd=-1, name=eth0, flags=0x11, ifindex=2, sin=2620:0:170:70d:5024:590:fb36:cb75, Enabled:
create_interface(2620:0:170:70d:250:56ff:fe8a:24b3#123)
11 Jun 08:05:15 ntpd[63154]: Listen normally on 7 eth0 [2620:0:170:70d:250:56ff:fe8a:24b3]:123
hack_restrict: op RESTRICT_FLAGS addr 2620:0:170:70d:250:56ff:fe8a:24b3 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 mf03000 rflags 00000001
created interface #7: fd=23, bfd=-1, name=eth0, flags=0x11, ifindex=2, sin=2620:0:170:70d:250:56ff:fe8a:24b3, Enabled:
create_interface(fe80::250:56ff:fe8a:24b3%2#123)
11 Jun 08:05:15 ntpd[63154]: Listen normally on 8 eth0 [fe80::250:56ff:fe8a:24b3%2]:123
hack_restrict: op RESTRICT_FLAGS addr fe80::250:56ff:fe8a:24b3%2 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 mflags 00flags 00000001
created interface #8: fd=24, bfd=-1, name=eth0, flags=0x11, ifindex=2, sin=fe80::250:56ff:fe8a:24b3%2, Enabled:
create_sockets: Total interfaces = 9
11 Jun 08:05:15 ntpd[63154]: Listening on routing socket on fd #25 for interface updates
forked worker child (pid 63155)
dump_restrict: restrict_def4: 0x55c222216000
restrict node at 0x55c222216000: 0.0.0.0/0.0.0.0 count 0, rflags 00000, mflags 00000, ippeerlimit -1, expire 0, next (nil)
dump_restrict: restrict_def6: 0x55c222215fc0
restrict node at 0x55c222215fc0: ::/:: count 0, rflags 00000, mflags 00000, ippeerlimit -1, expire 0, next (nil)
dump_restrict: restrictlist4: 0x55c222262f80
restrict node at 0x55c222b5ff20: 127.0.0.1/255.255.255.255 count 0, rflags 00001, mflags 03000, ippeerlimit -4, expire 0, next 0x55c22
restrict node at 0x55c222b5ff48: 10.7.93.109/255.255.255.255 count 0, rflags 00001, mflags 03000, ippeerlimit -4, expire 0, next 0x55c0
restrict node at 0x55c222216000: 0.0.0.0/0.0.0.0 count 0, rflags 00000, mflags 00000, ippeerlimit -1, expire 0, next (nil)
dump_restrict: restrictlist6: 0x55c222262f88
restrict node at 0x55c222b60f80: fe80::250:56ff:fe8a:24b3/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mflags 03000,imit -4, expire 0, next 0x55c222b60f00
restrict node at 0x55c222b60f00: 2620:0:170:70d:5024:590:fb36:cb75/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mfla, ippeerlimit -4, expire 0, next 0x55c222b60ec0
restrict node at 0x55c222b60ec0: 2620:0:170:70d:2ce0:9284:5d16:a96b/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mfl0, ippeerlimit -4, expire 0, next 0x55c222b60f40
restrict node at 0x55c222b60f40: 2620:0:170:70d:250:56ff:fe8a:24b3/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mfla, ippeerlimit -4, expire 0, next 0x55c222b60e80
restrict node at 0x55c222b60e80: ::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mflags 03000, ippeerlimit -4, expixt 0x55c222215fc0
restrict node at 0x55c222215fc0: ::/:: count 0, rflags 00000, mflags 00000, ippeerlimit -1, expire 0, next (nil)
loop_config: item 1 freq 0.000000
kernel loop status 0x41 (Clock Unsynchronized)
11 Jun 08:05:15 ntpd[63154]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
event at 0 0.0.0.0 c01d 0d kern kernel time sync enabled
kernel loop status 0x41 (Clock Unsynchronized)
11 Jun 08:05:15 ntpd[63154]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
event at 0 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
rstclock: mu 0 state 1 poll 3 count 0
event at 0 0.0.0.0 c011 01 freq_not_set
event at 0 0.0.0.0 c016 06 restart
blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0
blocking_getaddrinfo given node localhost serv ntp fam 0 flags 0
intres: resolver returned: Temporary failure in name resolution (-3), retrying
sleep until 08:05:17 scheduled at 08:05:15 (>= 17:00:00)
auth_agekeys: at 1 keys 1 expired 0
timer: interface update
blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0
intres: resolver returned: Temporary failure in name resolution (-3), retrying
sleep until 08:05:20 scheduled at 08:05:17 (>= 17:00:00)
blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0
intres: resolver returned: Temporary failure in name resolution (-3), retrying
sleep until 08:05:24 scheduled at 08:05:20 (>= 17:00:00)
blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0
intres: resolver returned: Temporary failure in name resolution (-3), retrying
sleep until 08:05:30 scheduled at 08:05:24 (>= 17:00:00)
blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0
intres: resolver returned: Temporary failure in name resolution (-3), retrying
sleep until 08:05:38 scheduled at 08:05:30 (>= 17:00:00)
blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0
intres: resolver returned: Temporary failure in name resolution (-3), retrying
sleep until 08:05:50 scheduled at 08:05:38 (>= 17:00:00)
timer: interface update
fgblocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0
intres: resolver returned: Temporary failure in name resolution (-3), retrying
sleep until 08:06:06 scheduled at 08:05:50 (>= 17:00:00)

/usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf -d -d
^C11 Jun 08:05:53 ntpd[63154]: ntpd exiting on signal 2 (Interrupt)
event at 37 0.0.0.0 c01d 0d kern kernel time sync disabled
lava93109:~ # service apparmor stopblocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0
send_blocking_resp_internal: short write (0 of 64), Broken pipe
11 Jun 08:06:07 ntp_intres[63155]: blocking_getaddrinfo can not queue response


-----Original Message-----
From: Martin Burnicki <martin.burnicki at burnicki.net> 
Sent: Wednesday, June 10, 2020 5:42 PM
To: Lemons, Terry; questions at lists.ntp.org
Subject: Re: [ntp:questions] 'Temporary failure in name resolution' ntpd error


[EXTERNAL EMAIL] 

Hi,

Terry.Lemons at dell.com wrote:
> Hi
> 
> I'm trying to diagnose a ntp problem with two systems in my environment. On one system, ntp works correctly whether I specify the ntp server via hostname or IP address. On the other system, ntp works correctly when I specify the ntp server via IP address; but when I specify the ntp server via hostname,  the ntp service starts, but 'ntpq -p' returns "No association ID's returned". When I run ntpd interactively with two level of debugging, I see the message, "intres: resolver returned: Temporary failure in name resolution (-3), retrying sleep until 13:09:55 scheduled at 13:09:53 (>= 17:00:00)"
> 
> I'm trying to understand the difference in behavior between these two systems:
> 
> 
>   *   Both systems are running SLES 12 SP2
>   *   Both systems are running ntp-4.2.8p13-85.1.x86_64
>   *   Both system have the same servers listed in /etc/resolv.conf
>   *   Both system can resolve the hostname of the ntp server via 'nslookup'
>   *   One system has been hardened (including the use of apparmor); on this system, ntp no longer works correctly
>   *   The other system has not been hardened; on this system, ntp works correctly
> 
> Why does ntpd have a problem with name resolution on one of these systems?

From what you said above, it sounds like AppArmor prevents ntpd from doing a DNS lookup.

In the past there could be problems when AppArmor prevented ntpd from accessing specific devices that represented hardware refclocks, e.g. a GPS receiver. Yet I've never heard that it could or did deny DNS lookups.

It should be easy to check this, though, if you temporarily disable AppArmor, then see if ntpd can do the DNS lookup. If that works you should compare the AppArmor configuration for ntpd on both machines. I'm not so familiar with AppArmor that I could tell you how to tweak the configuration so that it works.

Martin


More information about the questions mailing list