
We are moving from CentOS 7 to CentOS 8 for our monitoring servers (Zabbix) and we use ntpdate to query for time to detect if our local time provider for all devices (Cisco device) hasn't started drifting.

Basically query pool server, query local device and do math to determine if difference is greater than X.

Input:

ntpdate -p 1 -q 0.centos.pool.ntp.org | grep -oP '(?<=offset ).*?(?= sec)'

Output:

0.006313

Is there a way to query time (without setting server as source) using chrony or other tool in CentOS 8 that would work in similar fashion?

dualsport
  • Does the output of `chronyc sources` give you the info you need? – Krackout Sep 23 '20 at 15:05
  • chronyc sources would only give me info on the source server. But I don't want to add the Cisco device (local time server) as a source, only 0.centos.pool.ntp.org. So I need a way to query a server without setting it as a source or setting local time from it. – dualsport Sep 23 '20 at 16:49

1 Answer


To adapt your existing command, try something like:

[root@localhost ~]# chronyc ntpdata 2001:418:3ff::53 | grep -oP '(?<=Offset          : ).*?(?= sec)'
+0.000654742

The address given must be one of your configured NTP servers. To do this, you should add the server to your sources list with the noselect option. This will tell chronyd to monitor the server but never synchronize from it. For example:

server cisco-ntp-server.example.com iburst noselect

Of course you can always continue to use ntpdate, and your question didn't specify why you are not willing to do this.

Michael Hampton
  • noselect might be the answer to my problem. ntpdate (ntp), as far as I understand, has been deprecated in CentOS 8, or am I getting something wrong and can't find the right package? – dualsport Sep 23 '20 at 17:31
  • @dualsport Hm, you're right, it seems to have been dropped from CentOS 8. I can't find it either. In any case, `noselect` is probably going to do it for you. – Michael Hampton Sep 23 '20 at 17:47
  • This seems like the answer, except zabbix_agent can't use chronyc; it gets a "501 Not authorised" error and I am not exactly sure how to add a user to allow it to use this process. – dualsport Sep 23 '20 at 19:08
  • @dualsport See if this helps https://serverfault.com/a/923484/126632 Otherwise increase the agent's log level and see what you can find in its logs. – Michael Hampton Sep 23 '20 at 19:15
  • It seems to be an issue with Chrony where it can be run only under root or chrony user from what I understand (and I don't claim to understand much as I am mainly Win administrator): "4.2. I keep getting the error 501 Not authorised. Since version 2.2, the password command doesn't do anything and chronyc needs to run locally under the root or chrony user, which are allowed to access the chronyd's Unix domain command socket." – dualsport Sep 23 '20 at 19:18
  • # sudo -H -u zabbix bash -c 'chronyc ntpdata server.ntp.com' 501 Not authorised – dualsport Sep 23 '20 at 19:20
  • @dualsport Hmm. You could use sudo to change to the chrony user to run the command. – Michael Hampton Sep 23 '20 at 19:21
  • Tried using sudo, but then I get this...: We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper – dualsport Sep 23 '20 at 19:35
  • sudo -H -u chrony bash -c 'chronyc ntpdata cisco-ntp-server.example.com | grep "Offset" |awk '{print $3}'' We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper – dualsport Sep 23 '20 at 19:36
  • Interesting find, zabbix user can access information from: chronyc sourcestats, chronyc sources and chronyc tracking, but chronyc ntpdata is still "501 Not authorised" – dualsport Sep 23 '20 at 20:24
  • You need to configure sudo so that zabbix doesn't require a password to switch to the chrony user. But we're getting far off the track here. – Michael Hampton Sep 23 '20 at 20:30
  • Resolved thanks to the reddit user expressadmin, more info here if anyone is wondering: https://www.reddit.com/r/zabbix/comments/iyh8rs/chronyc_request_from_zabbix_agent_501_not/g6cpq33/?utm_source=reddit&utm_medium=web2x&context=3 Thank you Michael for all your help. – dualsport Sep 23 '20 at 20:58
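
The drift check described in the question, built on the `chronyc ntpdata` output from the answer, as an added example that is not code from the original thread. The function names, the sample output and the threshold values are constructed for illustration, and `query_offset` assumes a sudoers rule that lets the monitoring user run that one command as `chrony` without a password.

```shell
#!/bin/sh
# Added example: parse `chronyc ntpdata` output and flag drift beyond a limit.

# Constructed samples of chronyc output (values are made up).
SAMPLE_OK='Remote address  : 192.0.2.10 (C000020A)
Stratum         : 2
Offset          : -0.731204511 seconds
Peer delay      : 0.000175634 seconds'
SAMPLE_DENIED='501 Not authorised'

# Read ntpdata output on stdin and print the signed offset in seconds.
# Exit 2 if chronyd refused the request, 3 if no Offset line was present.
parse_offset() {
    awk -F' *: *' '
        /^501 /        { denied = 1 }
        $1 == "Offset" { split($2, f, " "); print f[1]; found = 1 }
        END            { if (denied) exit 2; if (!found) exit 3 }
    '
}

# usage: check_drift LIMIT_SECONDS < ntpdata-output
# Returns 0 if |offset| <= limit, 1 if it exceeds it, 2/3 on parse errors,
# so "not authorised" is never mistaken for "no drift".
check_drift() {
    off=$(parse_offset) || return $?
    awk -v o="$off" -v l="$1" 'BEGIN {
        o = o + 0; l = l + 0          # force numeric comparison
        if (o < 0) o = -o
        exit ((o > l) ? 1 : 0)
    }'
}

# Hypothetical wrapper for a monitoring agent. sudo -n fails instead of
# prompting, which avoids the "a terminal is required" error in the thread.
query_offset() {
    sudo -n -u chrony chronyc ntpdata "$1" | parse_offset
}

# Demo on the constructed sample: 0.73 s of offset against a 0.5 s limit.
printf '%s\n' "$SAMPLE_OK" | check_drift 0.5 && echo "within limit" \
    || echo "drift or query error"
```

Keeping the sudoers rule scoped to the single `chronyc ntpdata` command, rather than all commands as `chrony`, limits what a compromised agent account can do.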