
Chrony NTP Server Fails To Sync Time
Closed, Resolved | Public | BUG

Description

It seems like the chrony NTP server in VyOS does not sync its time because it is unable to resolve DNS names at boot of the system. To solve this, I added an IP address to my list of NTP servers and then checked via chronyc.

Before the change, the config was:

vyos@vyos# edit service ntp
[edit service ntp]
vyos@vyos# show
 allow-client {
     address 10.0.0.0/8
 }
 interface eth2.4040
 listen-address 10.255.253.1
 server 0.ubnt.pool.ntp.org {
 }
 server 1.ubnt.pool.ntp.org {
 }
 server 2.ubnt.pool.ntp.org {
 }
 server 3.ubnt.pool.ntp.org {
 }
 server time1.vyos.net {
 }
 server time2.vyos.net {
 }
 server time3.vyos.net {
 }

Also, Chrony was not synced:

vyos@vyos:/etc$ sudo  chronyc tracking
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised

After I made the following changes and committed them,

vyos@vyos# edit service ntp
[edit service ntp]
vyos@vyos# show
 allow-client {
     address 10.0.0.0/8
 }
 interface eth2.4040
 listen-address 10.255.253.1
 server 0.ubnt.pool.ntp.org {
     pool
 }
 server 1.ubnt.pool.ntp.org {
     pool
 }
 server 2.ubnt.pool.ntp.org {
     pool
 }
 server 3.ubnt.pool.ntp.org {
     pool
 }
 server 129.6.15.28 {
     prefer
 }
 server time1.vyos.net {
 }
 server time2.vyos.net {
 }
 server time3.vyos.net {
 }

My clients started to properly sync time (they were reporting the "kiss-of-death" packet).
Also, chronyc showed:

vyos@vyos:~$ sudo chronyc tracking
Reference ID    : 81060F1C (129.6.15.28)
Stratum         : 2
Ref time (UTC)  : Tue Aug 15 20:24:27 2023
System time     : 0.000016202 seconds slow of NTP time
Last offset     : +0.000060604 seconds
RMS offset      : 0.000991987 seconds
Frequency       : 3.716 ppm slow
Residual freq   : +0.011 ppm
Skew            : 2.638 ppm
Root delay      : 0.072576128 seconds
Root dispersion : 0.000859601 seconds
Update interval : 64.2 seconds
Leap status     : Normal

My VyOS version is:

vyos@vyos:/etc$ show version
Version:          VyOS 1.4-rolling-202308140557
Release train:    current
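As an added check (not part of the report or of VyOS), a small parser that turns `chronyc tracking` output into a sync verdict, run against abbreviated captures of the two states shown above; the root-distance threshold is an assumption, not a chrony default:

```python
import re
# Two abbreviated `chronyc tracking` captures, constructed from the report above
# (only the fields this check reads are kept): before and after the fix.
BEFORE = """\
Reference ID    : 00000000 ()
Stratum         : 0
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Leap status     : Not synchronised
"""
AFTER = """\
Reference ID    : 81060F1C (129.6.15.28)
Stratum         : 2
Root delay      : 0.072576128 seconds
Root dispersion : 0.000859601 seconds
Leap status     : Normal
"""
# Assumed alert threshold (not from the report): root distance, i.e.
# delay/2 + dispersion, above this means the time cannot be trusted.
MAX_ROOT_DISTANCE = 1.0

def parse_tracking(text):
    """Split each 'Key : value' line at the first colon (values may contain colons)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def assess(text):
    """Return a verdict: synced flag, stratum, selected source, root distance, reasons."""
    f = parse_tracking(text)
    m = re.match(r"([0-9A-Fa-f]{8})\s*\((.*)\)", f.get("Reference ID", ""))
    ref_source = m.group(2) if m else ""          # empty when refid is 00000000 ()
    stratum = int(f.get("Stratum", "0"))
    delay = float(f.get("Root delay", "0").split()[0])
    disp = float(f.get("Root dispersion", "0").split()[0])
    root_distance = delay / 2 + disp
    reasons = []
    if f.get("Leap status") != "Normal":
        reasons.append("leap status is not Normal")
    if not 1 <= stratum <= 15:
        reasons.append("stratum outside 1..15 (no usable source)")
    if not ref_source:
        reasons.append("no reference source selected")
    if root_distance > MAX_ROOT_DISTANCE:
        reasons.append("root distance %.3fs exceeds threshold" % root_distance)
    return {"synced": not reasons, "stratum": stratum, "ref_source": ref_source,
            "root_distance": root_distance, "reasons": reasons}
```

On a live router the same function can be fed the output of `sudo chronyc tracking`; an empty reasons list is the "Leap status: Normal" state shown after the fix.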

Details

Difficulty level: Unknown (require assessment)
Version: 1.4-rolling-202308140557
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Don't have this issue
@dcplaya Could you re-check in the newest rolling image?

@Viacheslav
I will check it today or tomorrow. But I believe I know the culprit, the new firewall rules didn't allow my VyOS instance to contact the CoreDNS (set to host mode) container that is hosted as a container in VyOS. I was unable to ping 127.0.0.1 as well as all of my VyOS's IP addresses.

At the time I posted this, I had no idea firewall rules had changed due to an update!

Once I added the following to the firewalls, I was able to ping myself as well as resolve DNS names.
My fix does seem a bit messy though.

[edit firewall ipv4 input]
vyos@vyos# show
 filter {
     default-action accept
     rule 100 {
         action accept
         description "Allow router traffic to itself"
         destination {
             group {
                 address-group RouterAddresses
             }
         }
         source {
             group {
                 address-group RouterAddresses
             }
         }
     }
[edit firewall ipv4 output]
vyos@vyos# show
 filter {
     default-action accept
     rule 100 {
         action accept
         description "Allow VyOS to connect to itself"
         destination {
             group {
                 address-group RouterAddresses
             }
         }
         source {
             group {
                 address-group RouterAddresses
             }
         }
     }

Are you using VRF? Maybe it's an issue and the router can't resolve DNS for NTP servers.

I think VyOS might need to accept by default traffic to/from localhost towards itself for both IPv4 and IPv6.

Example:

For INPUT chain add accept where incoming interface is lo and srcip is 127.0.0.0/8 or ::1/128.

For OUTPUT chain add accept where outgoing interface is lo and dstip is 127.0.0.0/8 or ::1/128.

set firewall ipv4 input filter rule 999999 action 'accept'
set firewall ipv4 input filter rule 999999 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 999999 source address '127.0.0.0/8'

set firewall ipv4 output filter rule 999999 action 'accept'
set firewall ipv4 output filter rule 999999 destination address '127.0.0.0/8'
set firewall ipv4 output filter rule 999999 outbound-interface interface-name 'lo'

set firewall ipv6 input filter rule 999999 action 'accept'
set firewall ipv6 input filter rule 999999 inbound-interface interface-name 'lo'
set firewall ipv6 input filter rule 999999 source address '::1/128'

set firewall ipv6 output filter rule 999999 action 'accept'
set firewall ipv6 output filter rule 999999 destination address '::1/128'
set firewall ipv6 output filter rule 999999 outbound-interface interface-name 'lo'

Question is if the above shouldn't be a hidden always-on rule set by VyOS?

Viacheslav changed the task status from Open to Needs reporter action. Tue, Feb 13, 3:42 PM

@dcplaya provide the whole configuration to reproduce or close the task if the reason is firewall incorrect configuration.

I believe it was an issue with my DNS server. Nevertheless, the issue cannot be reproduced so the bug report can be closed.