There is still a Mismatched SOCK filespec implemented by chronyd and chronyc.
The saving grace was that the loopback network interface hid this bug very well and saved the day for nearly everyone (who is not an expert Chronyd configurer)... That is, until the directive 'cmddeny 127.0.0.1' is configured: then one finds out the hard way that there is no consistent way to open the UNIX socket.

Workaround: Don't use the 'cmddeny 127.0.0.1' setting for now, until the filenaming convention for its socket file specification becomes synchronized between Chrony client and server.

STRACES
-------

In all straces below, the config directive is:

cmddeny 127.0.0.1

Client CLI Fallback method (default)
------------------------------------

The following strace details the default operation of the ordinary chronyc CLI client, specifically sending a 'sources' CLI command in the hope of receiving a list of NTP servers.

This shell invocation did NOT use an '-h' option, so fallback to the other communication channel methods was done:

* Socket failed (this bug report)
* IPv4 loopback failed (due to 'cmddeny 127.0.0.1')
* IPv6 loopback failed (not sure how, but it shouldn't have happened)

#Shell Invocation
# strace -f chrony -d -d -d sources
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Resolved 127.0.0.1 to 127.0.0.1", 31Resolved 127.0.0.1 to 127.0.0.1) = 31
write(2, "\n", 1
write(2, "Resolved ::1 to ::1", 19Resolved ::1 to ::1) = 19
write(2, "\n", 1
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
unlink("/var/run/chrony/chronyc.21014.sock") = -1 ENOENT (No such file or directory)
write(2, "Could not remove /var/run/chrony"..., 79Could not remove /var/run/chrony/chronyc.21014.sock : No such file or directory) = 79
write(2, "\n", 1
bind(3, {sa_family=AF_UNIX, sun_path="/var/run/chrony/chronyc.21014.sock"}, 110) = -1 EACCES (Permission denied)
write(2, "Could not bind Unix socket to /v"..., 84Could not bind Unix socket to /var/run/chrony/chronyc.21014.sock : Permission denied) = 84
write(2, "\n", 1
getsockname(3, {sa_family=AF_UNIX}, [112->2]) = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Opened UDPv4 socket fd=3 remote="..., 45Opened UDPv4 socket fd=3 remote=127.0.0.1:323) = 45
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "\n", 1
getsockname(3, {sa_family=AF_INET, sin_port=htons(34899), sin_addr=inet_addr("127.0.0.1")}, [112->16]) = 0
socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 542
read(4, "", 4096) = 0
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0003\0\0\0\0\0\0"..., 832) = 832
read(4, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2932
setsockopt(3, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
write(2, "Opened UDPv6 socket fd=3 remote="..., 41Opened UDPv6 socket fd=3 remote=[::1]:323) = 41
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32) = 21
write(2, "\n", 1
write(2, "Timeout 1.000000 seconds", 24Timeout 1.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32) = 21
write(2, "\n", 1
write(2, "Timeout 2.000000 seconds", 24Timeout 2.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32) = 21
write(2, "\n", 1
write(2, "Timeout 4.000000 seconds", 24Timeout 4.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "\n", 1
getsockname(3, {sa_family=AF_INET6, sin6_port=htons(56416), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, [112->28]) = 0

Client CLI Direct Loopback method
---------------------------------

The following strace uses the '-h' command line option to specify the desired sockets, network-based, but we know that the daemon has already been directed by 'cmddeny 127.0.0.1', so no go here.

Since the CLI command line explicitly asked for '-h 127.0.0.1', there was no fallback mechanism to try other channel methods (UNIX socket or a non-loopback remote network).

That too failed (correctly) due to the 'cmddeny 127.0.0.1' directive.

#Shell Invocation
# strace -f chronyc -h 127.0.0.1 sources
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Resolved 127.0.0.1 to 127.0.0.1", 31Resolved 127.0.0.1 to 127.0.0.1) = 31
write(2, "\n", 1
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Opened UDPv4 socket fd=3 remote="..., 45Opened UDPv4 socket fd=3 remote=127.0.0.1:323) = 45
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32) = 21
write(2, "\n", 1
write(2, "Timeout 1.000000 seconds", 24Timeout 1.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32) = 21
write(2, "\n", 1
write(2, "Timeout 2.000000 seconds", 24Timeout 2.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32) = 21
write(2, "\n", 1
write(2, "Timeout 4.000000 seconds", 24Timeout 4.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "\n", 1
getsockname(3, {sa_family=AF_INET, sin_port=htons(37226), sin_addr=inet_addr("127.0.0.1")}, [112->16]) = 0
write(1, "506 Cannot talk to daemon\n", 26506 Cannot talk to daemon

Client Direct UNIX socket method
--------------------------------

The following strace uses the '-h /run/chrony/chrony.sock' command line option to specify the desired sockets, this time a UNIX socket. But we know that the daemon has already been directed by 'cmddeny 127.0.0.1', so THIS SHOULD HAVE BEEN ALLOWED TO CONNECT.

Since the CLI command line explicitly asked for '-h /run/chrony/chrony.sock', there was no fallback mechanism to try other channel methods (UNIX socket or a non-loopback remote network).

That too failed (correctly) and is the basis of this bug report.

#Shell Invocation
# strace -f chronyc -d -d -d -h /run/chrony/chrony.sock sources
execve("./chronyc", ["./chronyc", "-d", "-d", "-d", "-h/run/chrony/chrony.sock", "sources"], 0x7ffd6f4c70d0 /* 27 vars */) = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
unlink("/run/chrony/chronyc.21039.sock") = -1 ENOENT (No such file or directory)
write(2, "Could not remove /run/chrony/chr"..., 75Could not remove /run/chrony/chronyc.21039.sock : No such file or directory) = 75
write(2, "\n", 1
bind(3, {sa_family=AF_UNIX, sun_path="/run/chrony/chronyc.21039.sock"}, 110) = -1 EACCES (Permission denied)
write(2, "Could not bind Unix socket to /r"..., 80Could not bind Unix socket to /run/chrony/chronyc.21039.sock : Permission denied) = 80
write(2, "\n", 1
getsockname(3, {sa_family=AF_UNIX}, [112->2]) = 0
write(2, "Could not open connection to dae"..., 35Could not open connection to daemon) = 35
write(2, "\n", 1
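
Added example, not part of the original report and not chrony code: a small Python triage helper that reads strace output like the traces above and reports, per address family, how each command channel chronyc tried ended. The sample input is lines taken from the fallback trace, abridged; the function name `summarize_channels` and the rule used to tell channel sockets from the two leading probe sockets are assumptions.

```python
import re

SOCKET_RE = re.compile(r'socket\((AF_\w+), ([A-Z_|]+),')
BIND_RE = re.compile(
    r'bind\(\d+, \{sa_family=AF_UNIX, sun_path="([^"]+)"\}, \d+\) = -1 (\w+)')
RECV_RE = re.compile(r'Could not receive message fd=\d+ : ([^)"]+)\)')

# Sample input: syscall lines from the fallback trace in the report, abridged.
SAMPLE = '''\
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
bind(3, {sa_family=AF_UNIX, sun_path="/var/run/chrony/chronyc.21014.sock"}, 110) = -1 EACCES (Permission denied)
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
write(2, "Could not receive message fd=3 :"..., 51Could not receive message fd=3 : Connection refused) = 51
'''

def summarize_channels(trace):
    """Map each command channel chronyc opened to what the trace shows for it."""
    outcomes, refused, family = {}, {}, None
    for line in trace.splitlines():
        m = SOCKET_RE.search(line)
        if m:
            flags = m.group(2).split('|')
            # Assumption drawn from the traces: channel sockets carry both
            # flags; the two leading AF_INET sockets (one flag each) are probes.
            if 'SOCK_CLOEXEC' in flags and 'SOCK_NONBLOCK' in flags:
                family = m.group(1)
                outcomes[family] = 'opened, no error seen'
            continue
        m = BIND_RE.search(line)
        if m:
            # A failed bind of the client-side socket file ends the UNIX channel.
            outcomes['AF_UNIX'] = f'bind {m.group(1)} failed: {m.group(2)}'
            continue
        m = RECV_RE.search(line)
        if m and family:
            # Count every failed receive against the channel currently open.
            refused[family] = refused.get(family, 0) + 1
            outcomes[family] = f'no reply ({m.group(1)}) x{refused[family]}'
    return outcomes

if __name__ == '__main__':
    for fam, outcome in summarize_channels(SAMPLE).items():
        print(f'{fam:9} {outcome}')
```

Fed a full `strace -f chronyc -d -d -d ...` capture, it shows at a glance whether the UNIX socket channel failed at `bind()` before any request was sent, as in the first and third traces.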