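Symptom:
When starting the NTP client on SUSE 12, the error "cannot restart the ntp daemon" is reported. This appears to be a bug in SUSE 12.0.
Solution:
As the root user, run
# logprof
and, following the prompts, press A A W.
Then run
# systemctl restart ntpd.service
# systemctl status ntpd.service
Reference, from the official SUSE site: https://www.suse.com/support/kb/doc.php?id=7015867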
SUSE Linux Enterprise Server 12
Network Time Protocol (NTP)
  
Upon completing the NTP configuration in yast2 and clicking Finish, an 
error "Error: Cannot restart the NTP daemon" appears on the screen.
Running systemctl start ntpd.service fails or hangs.
The error persists whether NTP is configured in a chroot jail or not.
The system log /var/log/messages contains the errors:
kernel: [  657.760204] type=1400 audit (1415376571.756:44): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/sbin/ntpd" name="/run/nscd/group" pid=2879 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
systemd[1]: Failed to start NTP Server Daemon.
# ntpq -p
ntpq: read: Connection refused
The following services are enabled.
apparmor module is loaded.
39 profiles are loaded.
39 profiles are in enforce mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib64/libvirt/virt-aa-helper
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/libvirtd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/ntpd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/sbin/winbindd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/avahi-daemon (892) 
   /usr/sbin/libvirtd (1425) 
   /usr/sbin/nscd (896) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
ntpd.service - NTP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: activating (auto-restart) (Result: timeout) since Fri 2014-11-07 09:26:57 MST; 1min 38s ago
     Docs: man:ntpd(1)
  Process: 4584 ExecStart=/usr/sbin/start-ntpd start (code=exited, status=0/SUCCESS)
Nov 07 09:26:57 sles12 systemd[1]: Failed to start NTP Server Daemon.
Rebooting the server seems to start the NTP service daemon just fine, but it terminates after some time attempting to activate the service.
ntpd.service - NTP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: activating (start) since Fri 2014-11-07 09:59:14 MST; 45s ago
     Docs: man:ntpd(1)
  Process: 1428 ExecStart=/usr/sbin/start-ntpd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ntpd.service
           └─1444 /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -i /v...
Nov 07 09:59:14 sles12 ntpd[1444]: pid file /var/run/ntp/ntpd.pid: Permission denied
Nov 07 09:59:14 sles12 ntpd[1444]: ntp_io: estimated max descriptors: 102...
  
Update the AppArmor /usr/sbin/ntpd profile with logprof to allow read access to /run/nscd/group and write access to /var/lib/ntp/var/run/ntp/ntpd.pid. Once the AppArmor ntpd policy has been saved, you can restart the NTP service.
Login as root on the command line and run:
# logprof
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:
Profile:  /usr/sbin/ntpd
Path:     /run/nscd/group
Mode:     r
Severity: unknown
 [1 - /run/nscd/group]
(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish/ (O)pts
Adding /run/nscd/group r to profile.
Profile:  /usr/sbin/ntpd
Path:     /var/lib/ntp/var/run/ntp/ntpd.pid
Mode:     w
Severity: unknown
 [1 - /var/lib/ntp/var/run/ntp/ntpd.pid]
(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish/ (O)pts
Adding /var/lib/ntp/var/run/ntp/ntpd.pid w to profile.
= Changed Local Profiles =
The following local profiles were changed. Would you like to save them?
 [1 - /usr/sbin/ntpd]
(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/ntpd.
# systemctl restart ntpd.service
# systemctl status ntpd.service
AppArmor is restricting the NTP service from reading /run/nscd/group and from writing to /var/lib/ntp/var/run/ntp/ntpd.pid.
  
Reported to Engineering
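Before answering (A)llow in logprof, the denials in the log can be compared with the two accesses the KB text says to permit. The Python code below is an added example, not part of the original post or the SUSE KB: it parses AppArmor DENIED records for the /usr/sbin/ntpd profile and separates the two documented paths from anything else. Log lines 2 and 3, the path /tmp/example.dat and all function names are constructed for illustration.

```python
import re

# Line 1 is the denial quoted in the KB text (re-joined onto one line).
# Lines 2-3 are constructed for this example: the pid-file denial the article
# describes, and an unrelated path that should not be allowed without review.
SAMPLE_LOG = """\
kernel: [  657.760204] type=1400 audit (1415376571.756:44): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/sbin/ntpd" name="/run/nscd/group" pid=2879 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: [  657.761310] type=1400 audit (1415376571.757:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/var/lib/ntp/var/run/ntp/ntpd.pid" pid=2879 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
kernel: [  657.762480] type=1400 audit (1415376571.758:46): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/tmp/example.dat" pid=2879 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# The two accesses the KB article says to allow for /usr/sbin/ntpd.
EXPECTED = {
    "/run/nscd/group": "r",
    "/var/lib/ntp/var/run/ntp/ntpd.pid": "w",
}

# key=value or key="quoted value" pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def denials(log_text, profile="/usr/sbin/ntpd"):
    """Return {path: denied mask letters} for DENIED records of one profile."""
    found = {}
    for line in log_text.splitlines():
        rec = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        if "name" not in rec:
            continue  # not a file-access record (e.g. a capability denial)
        merged = set(found.get(rec["name"], "")) | set(rec.get("denied_mask", ""))
        found[rec["name"]] = "".join(sorted(merged))
    return found


def review(log_text, expected=EXPECTED):
    """Split denials into those the KB documents and those needing review."""
    known, unknown = {}, {}
    for path, mask in denials(log_text).items():
        ok = path in expected and set(mask) <= set(expected[path])
        (known if ok else unknown)[path] = mask
    return known, unknown


if __name__ == "__main__":
    known, unknown = review(SAMPLE_LOG)
    for label, group in (("documented", known), ("REVIEW", unknown)):
        for path, mask in sorted(group.items()):
            print(f"{label:10} {path} {mask}")
```

Anything listed under REVIEW is a denial the KB does not mention, so it deserves a (D)eny or a closer look rather than an automatic (A)llow.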
This article comes from the “晨歌牧牛” blog; please retain this source attribution: http://168ok8.blog.51cto.com/73394/1652705
SUSE 12 "cannot restart the ntp daemon" troubleshooting
Original: http://168ok8.blog.51cto.com/73394/1652705