There is still a Mismatched SOCK filespec implemented by chronyd and chronyc.

The saving grace was that the loopback network interface hid this bug very well 
and saved the day for nearly everyone (who is not an expert Chronyd configurer)...

That is, until the directive 'cmddeny 127.0.0.1' is configured: then one finds 
out the hard way that there is no consistent way to open the UNIX socket.  


Workaround:

Don't use the 'cmddeny 127.0.0.1' setting for now, until the file-naming 
convention for its socket file specification becomes synchronized between the 
Chrony client and server.



STRACES
-------
In all straces below, the config directive is:

  cmddeny 127.0.0.1


Client CLI Fallback method (default)
------------------------------------
The following strace details the default operation of the ordinary chronyc CLI 
client, specifically sending a 'sources' CLI command in the hope of receiving a 
list of NTP servers.

This shell invocation did NOT use an '-h' option, so fallback to the other 
communication channel methods was done:
* Socket failed,  (this bug report)
* IPv4 loopback failed (due to 'cmddeny 127.0.0.1')
* IPv6 loopback failed (not sure how, but it shouldn't have happened)

#Shell Invocation
# strace -f chrony -d -d -d sources

socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Resolved 127.0.0.1 to 127.0.0.1", 31Resolved 127.0.0.1 to 127.0.0.1) 
= 31
write(2, "\n", 1
write(2, "Resolved ::1 to ::1", 19Resolved ::1 to ::1)     = 19
write(2, "\n", 1
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
unlink("/var/run/chrony/chronyc.21014.sock") = -1 ENOENT (No such file or 
directory)
write(2, "Could not remove /var/run/chrony"..., 79Could not remove 
/var/run/chrony/chronyc.21014.sock : No such file or directory) = 79
write(2, "\n", 1
bind(3, {sa_family=AF_UNIX, sun_path="/var/run/chrony/chronyc.21014.sock"}, 
110) = -1 EACCES (Permission denied)
write(2, "Could not bind Unix socket to /v"..., 84Could not bind Unix socket to 
/var/run/chrony/chronyc.21014.sock : Permission denied) = 84
write(2, "\n", 1
getsockname(3, {sa_family=AF_UNIX}, [112->2]) = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Opened UDPv4 socket fd=3 remote="..., 45Opened UDPv4 socket fd=3 
remote=127.0.0.1:323) = 45
write(2, "Could not receive message fd=3 :"..., 51Could not receive message 
fd=3 : Connection refused) = 51
write(2, "\n", 1
getsockname(3, {sa_family=AF_INET, sin_port=htons(34899), 
sin_addr=inet_addr("127.0.0.1")}, [112->16]) = 0
socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 542
read(4, "", 4096)                       = 0
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0003\0\0\0\0\0\0"..., 
832) = 832
read(4, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2932
setsockopt(3, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
write(2, "Opened UDPv6 socket fd=3 remote="..., 41Opened UDPv6 socket fd=3 
remote=[::1]:323) = 41
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32)   = 21
write(2, "\n", 1
write(2, "Timeout 1.000000 seconds", 24Timeout 1.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message 
fd=3 : Connection refused) = 51
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32)   = 21
write(2, "\n", 1
write(2, "Timeout 2.000000 seconds", 24Timeout 2.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message 
fd=3 : Connection refused) = 51
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32)   = 21
write(2, "\n", 1
write(2, "Timeout 4.000000 seconds", 24Timeout 4.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message 
fd=3 : Connection refused) = 51
write(2, "\n", 1
getsockname(3, {sa_family=AF_INET6, sin6_port=htons(56416), 
sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), 
sin6_scope_id=0}, [112->28]) = 0


Client CLI Direct Loopback method
---------------------------------
The following strace uses '-h' command line option to specify the desired 
sockets, network-based, but we know that daemon has already been directed by 
'cmddeny 127.0.0.1', so no go here.

Since the CLI command line explicitly asked for '-h 127.0.0.1', there was no 
fallback mechanism to try other channel methods (UNIX socket or a non-loopback 
remote network).

That too failed (correctly) due to 'cmddeny 127.0.0.1' directive.

#Shell Invocation
# strace -f chronyc -h 127.0.0.1 sources

socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Resolved 127.0.0.1 to 127.0.0.1", 31Resolved 127.0.0.1 to 127.0.0.1) 
= 31
write(2, "\n", 1
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
write(2, "Opened UDPv4 socket fd=3 remote="..., 45Opened UDPv4 socket fd=3 
remote=127.0.0.1:323) = 45
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32)   = 21
write(2, "\n", 1
write(2, "Timeout 1.000000 seconds", 24Timeout 1.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message 
fd=3 : Connection refused) = 51
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32)   = 21
write(2, "\n", 1
write(2, "Timeout 2.000000 seconds", 24Timeout 2.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message 
fd=3 : Connection refused) = 51
write(2, "\n", 1
write(2, "Sent data fd=3 len=32", 21Sent data fd=3 len=32)   = 21
write(2, "\n", 1
write(2, "Timeout 4.000000 seconds", 24Timeout 4.000000 seconds) = 24
write(2, "\n", 1
write(2, "Could not receive message fd=3 :"..., 51Could not receive message 
fd=3 : Connection refused) = 51
write(2, "\n", 1
getsockname(3, {sa_family=AF_INET, sin_port=htons(37226), 
sin_addr=inet_addr("127.0.0.1")}, [112->16]) = 0
write(1, "506 Cannot talk to daemon\n", 26506 Cannot talk to daemon


Client Direct UNIX socket method
---------------------------------
The following strace uses '-h /run/chrony/chrony.sock' command line option to 
specify the desired sockets, this time in UNIX-socket.  But we know that daemon 
has already been directed by 'cmddeny 127.0.0.1', so THIS SHOULD HAVE BEEN 
ALLOWED TO CONNECT.

Since the CLI command line explicitly asked for '-h /run/chrony/chrony.sock', 
there was no fallback mechanism to try other channel methods (UNIX socket or a 
non-loopback remote network).

That too failed (correctly) and is the basis of this bug report.

#Shell Invocation
# strace -f chronyc -d -d -d -h /run/chrony/chrony.sock sources

execve("./chronyc", ["./chronyc", "-d", "-d", "-d", 
"-h/run/chrony/chrony.sock", "sources"], 0x7ffd6f4c70d0 /* 27 vars */) = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
unlink("/run/chrony/chronyc.21039.sock") = -1 ENOENT (No such file or directory)
write(2, "Could not remove /run/chrony/chr"..., 75Could not remove 
/run/chrony/chronyc.21039.sock : No such file or directory) = 75
write(2, "\n", 1
bind(3, {sa_family=AF_UNIX, sun_path="/run/chrony/chronyc.21039.sock"}, 110) = 
-1 EACCES (Permission denied)
write(2, "Could not bind Unix socket to /r"..., 80Could not bind Unix socket to 
/run/chrony/chronyc.21039.sock : Permission denied) = 80
write(2, "\n", 1
getsockname(3, {sa_family=AF_UNIX}, [112->2]) = 0
write(2, "Could not open connection to dae"..., 35Could not open connection to 
daemon) = 35
write(2, "\n", 1

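A small triage script for traces like the ones above, added here as an example (it is not part of the original message or of chrony): it undoes the line wrapping in the strace text and reports, for each transport chronyc tried, the target and the errors seen. The function name `triage` is this example's own, and the sample text is constructed from lines of the fallback trace above.

```python
import re

# Constructed sample: lines copied from the fallback strace above, still
# wrapped the way the mail wrapped them (chronyc's stderr is interleaved).
SAMPLE = r'''
bind(3, {sa_family=AF_UNIX, sun_path="/var/run/chrony/chronyc.21014.sock"},
110) = -1 EACCES (Permission denied)
write(2, "Opened UDPv4 socket fd=3 remote="..., 45Opened UDPv4 socket fd=3
remote=127.0.0.1:323) = 45
write(2, "Could not receive message fd=3 :"..., 51Could not receive message
fd=3 : Connection refused) = 51
write(2, "Opened UDPv6 socket fd=3 remote="..., 41Opened UDPv6 socket fd=3
remote=[::1]:323) = 41
write(2, "Could not receive message fd=3 :"..., 51Could not receive message
fd=3 : Connection refused) = 51
write(2, "Could not receive message fd=3 :"..., 51Could not receive message
fd=3 : Connection refused) = 51
'''

# One alternative per event of interest; the quote exclusions skip the
# truncated string argument of write() and match only the interleaved stderr.
EVENT = re.compile(
    r'bind\(\d+, \{sa_family=AF_UNIX, sun_path="(?P<path>[^"]+)"\}, \d+\)'
    r' = -1 (?P<errno>E[A-Z]+)'
    r'|Opened (?P<proto>UDPv[46]) socket fd=\d+ remote=(?P<remote>[^\s")]+)'
    r'|Could not receive message fd=\d+ : (?P<recv>[^")]+)\)'
)

def triage(trace):
    """Return one record per transport chronyc tried, in trace order."""
    flat = re.sub(r'\s+', ' ', trace)   # undo mail/terminal line wrapping
    attempts = []
    for m in EVENT.finditer(flat):
        if m['path']:       # failed bind() of the client-side Unix socket
            attempts.append({'channel': 'unix', 'target': m['path'],
                             'errors': [m['errno']]})
        elif m['proto']:    # a UDP fallback attempt begins
            attempts.append({'channel': m['proto'], 'target': m['remote'],
                             'errors': []})
        elif m['recv'] and attempts:   # receive error on the current attempt
            attempts[-1]['errors'].append(m['recv'])
    return attempts

if __name__ == '__main__':
    for a in triage(SAMPLE):
        print(f"{a['channel']:6} {a['target']:40} {', '.join(a['errors'])}")
```
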