
I am trying to set up ntpd on my servers, so that their clocks are kept in sync. I am running Ubuntu 16.04. I have followed these instructions, and everything seems fine until the end. It's now a while later and the output of timedatectl looks like:

      Local time: Thu 2018-06-14 08:41:32 UTC
  Universal time: Thu 2018-06-14 08:41:32 UTC
        RTC time: Thu 2018-06-14 08:41:05
       Time zone: Etc/UTC (UTC, +0000)
 Network time on: no
NTP synchronized: yes
 RTC in local TZ: no

and the output of ntpq -p is:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000

I have configured my AWS security groups so that UDP is open to 0.0.0.0/0 on port 123. All outgoing connections are allowed from these servers anyway.

nmap -sU -p 123 reports:

PORT    STATE         SERVICE
123/udp open|filtered ntp

iptables -L -n -v reports:

Chain INPUT (policy ACCEPT 860K packets, 1119M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1206  140K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 573K packets, 460M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1206  140K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I haven't modified the default ntp config at all.

How can I figure out why ntp isn't updating?

user31415629
  • Any chance your instance has a local firewall that's blocking the NTP packets? – MadHatter Jun 14 '18 at 10:34
  • @MadHatter I don't think so. I'm afraid I don't know how I would check. – user31415629 Jun 14 '18 at 11:07
  • @MadHatter I nmap'ed the port, but the situation is no clearer. – user31415629 Jun 14 '18 at 11:13
  • I'm not sure the `nmap` output is dispositive. Could we get the output of `iptables -L -n -v` on the server in question? – MadHatter Jun 14 '18 at 11:47
  • @MadHatter Done – user31415629 Jun 14 '18 at 12:40
  • OK, that's not it, then. You're *absolutely sure* your AWS SG is letting UDP/123 in? And can you confirm the `nmap` test was done from off-server? – MadHatter Jun 14 '18 at 12:47
  • @MadHatter Yup, done from my local machine. And I've double-checked the security group. – user31415629 Jun 14 '18 at 13:17
  • No possibility of an [AWS NACL](https://serverfault.com/questions/853540/getting-ntp-to-work-on-aws-without-opening-inbound-port-in-security-group) getting in the way? It really does look like a firewall issue to me. – MadHatter Jun 14 '18 at 13:31
  • @MadHatter I got through from the linked page to a guide getting set up with `chrony` using Amazon's own service. This seems to work! – user31415629 Jun 14 '18 at 14:28
  • I'm glad to hear it, and well done for finding a fix! I'm not sure what I said really constitutes an answer. I could write it up if you want, so you can accept it and put the question to bed, or you could just delete this question. What would you prefer? – MadHatter Jun 14 '18 at 15:36
  • @MadHatter Since it's a problem with a solution, let's not delete it. Can you write it up as an answer? I'll elaborate it with what I actually did and we can mark it as accepted :-) – user31415629 Jun 14 '18 at 16:00

1 Answer


You're fairly confident that it isn't a firewall issue. I have my reservations, but you've followed Amazon's guide to setting up chrony with Amazon's servers, and it's working.

An interesting experiment would be to try setting up ntpd with those same servers, or to point chrony at external servers instead. That would tell us for sure whether the issue is some kind of hard-to-find firewall blocking NTP to servers which aren't internal to Amazon, or if it really is a chrony vs. ntpd issue.

MadHatter
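The experiment the answer proposes, as an added example that is not from the thread: a minimal SNTP probe in Python that sends one client request to a server and reports whether anything comes back and at what stratum, which separates "UDP/123 dropped somewhere" from "daemon misconfigured". It assumes Python 3, uses 169.254.169.123 (the EC2-local Amazon Time Sync address, not named in the thread) beside ntp.ubuntu.com from the ntpq output, and the sample reply bytes are constructed for an offline self-check.

```python
import socket
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch

def build_client_request() -> bytes:
    """48-byte SNTP request: LI=0, VN=4, Mode=3 (client), every other field zero."""
    return bytes([(4 << 3) | 3]) + b"\x00" * 47

def parse_response(data: bytes) -> dict:
    """Decode the fields of a server reply that matter for diagnosis (RFC 5905, 7.3)."""
    if len(data) < 48:
        raise ValueError("truncated NTP packet: %d bytes" % len(data))
    xmt = struct.unpack("!Q", data[40:48])[0]  # transmit timestamp, 32.32 fixed point
    return {
        "mode": data[0] & 0x7,   # 4 = server reply
        "stratum": data[1],      # 16 = unsynchronised, as in the .POOL. rows above
        "ref_id": data[12:16],
        "transmit_unix": (xmt >> 32) - NTP_UNIX_DELTA + (xmt & 0xFFFFFFFF) / 2 ** 32,
    }

def describe(reply) -> str:
    """One-line verdict: distinguishes 'blocked in transit' from 'server not synced'."""
    if reply is None:
        return "no reply: the UDP/123 request or its response is being dropped"
    if reply["mode"] != 4:
        return "unexpected packet mode %d" % reply["mode"]
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        return "server answered but is unsynchronised (stratum %d)" % reply["stratum"]
    return "server answered at stratum %d, clock %.0f (unix)" % (reply["stratum"], reply["transmit_unix"])

def probe(server: str, timeout: float = 2.0):
    """Send one client request to server:123; return the parsed reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, 123))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

# Constructed sample reply, not captured from any real server: mode 4, stratum 2, refid GPS,
# transmit timestamp 2018-06-14 08:41:32 UTC. Lets the parser be checked offline.
SAMPLE_REPLY = (b"\x24\x02\x06\xe9" + b"\x00" * 8 + b"GPS\x00"
                + b"\x00" * 24 + b"\xde\xcc\xa8\xbc\x00\x00\x00\x00")

if __name__ == "__main__":
    for host in ("169.254.169.123", "ntp.ubuntu.com"):  # Amazon's EC2-local service vs external
        print(host, "->", describe(probe(host)))
```

If the Amazon address answers and the external host times out from the same instance, the block is between the instance and the internet (security group, NACL, or on-host filtering), not in ntpd.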