QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

ntp sync for dom0 doesn't work #301

Closed marmarek closed 9 years ago

marmarek commented 9 years ago

Reported by joanna on 18 Jul 2011 13:09 UTC I installed my system yesterday, and I still have some 6 minutes desync of the dom0 clock...

Besides automatically syncing the dom0 clock, it might be good to have a qvm-dom0-sync-clock utility that would force it on demand?

Migrated-From: https://wiki.qubes-os.org/ticket/301

marmarek commented 9 years ago

Modified by rafal on 28 Jul 2011 14:08 UTC

marmarek commented 9 years ago

Comment by rafal on 28 Jul 2011 15:13 UTC Correct me if I am wrong, but in the current state, there is no "automatically syncing the dom0 clock"? The commit http://git.qubes-os.org/?p=joanna/core.git;a=blobdiff;f=common/qubes_core;h=45d4b7fec58145c281aac12ddb1bba063866c4b6;hp=239a684511b0e9d258a53ab66eac124ddede628d;hb=2784d0ccd41582f34949cd49dd787e6c85d2d55b;hpb=9d778d6870e0147f8002667f0e837906b330ec78

just starts ntp in proxyvm. I see no other references to ntp or date in core, nor in a running fresh install?

So, we need to periodically sync dom0 clock. We chose to disable cron; so do we want to run date -s "$(qvm-run default_netvm date)" command in some shell script started by qubes_netvm, in an infinite loop?

Moreover, it seems that the "use ntp" option/screen is still present in the installer? And it is quite confusing, as it offers to use fedora.pool.ntp.org servers as source, which suggests that dom0 has network connectivity.

marmarek commented 9 years ago

Comment by joanna on 28 Jul 2011 15:22 UTC I'm fine with enabling (ana)cron in Dom0 -- just making sure we remove all the unnecessary crap from the cron jobs.

NTP is no longer present in the latest installer I built.

marmarek commented 9 years ago

Comment by joanna on 28 Jul 2011 15:34 UTC BTW, we could use (ana)cron to also periodically run qvm-dom0-upgrade.

marmarek commented 9 years ago

Comment by rafal on 29 Jul 2011 10:23 UTC No, I was wrong, qubes-watch-updates.sh takes care of syncing the clock. However, "date -s" with input obtained from date +%s.%N fails. Fixed at http://git.qubes-os.org/?p=rafal/core.git;a=commit;h=4ad919bf6d60d21663604aa10dacbfaa55470046 prebeta2 branch.

marmarek commented 9 years ago

Comment by joanna on 30 Jul 2011 10:06 UTC NTP is not configured in the UpdateVM (firewallvm)...

marmarek commented 9 years ago

Comment by joanna on 30 Jul 2011 10:09 UTC Specifically ntpdate fails in firewallvm

marmarek commented 9 years ago

Comment by rafal on 30 Jul 2011 12:48 UTC According to the manual, you need to pass an argument to "ntpdate", which you probably did not do - it works with e.g. 0.fedora.pool.ntp.org

ntpd daemon takes care of updating the time itself (although, if you change the time manually, it may take about 20 minutes for ntpd to fix this), and the default /etc/ntp.conf is just fine. "ntpdc -c peers" is a better way to check ntpd status.

marmarek commented 9 years ago

Comment by joanna on 30 Jul 2011 14:11 UTC I've been running my firewallvm for days and it hasn't synced even once...

I'm gonna check this again on pre5...

marmarek commented 9 years ago

Comment by joanna on 30 Jul 2011 14:46 UTC ntpd* services are off by default in servicevm in rc5.

marmarek commented 9 years ago

Comment by joanna on 30 Jul 2011 14:46 UTC s/rc5/pre5/

marmarek commented 9 years ago

Comment by rafal on 30 Jul 2011 17:43 UTC See the commit url in the first comment. ntpd is started manually in qubes_core. Dom0 time is synced with firewallvm every 6 hours.

marmarek commented 9 years ago

Comment by joanna on 2 Aug 2011 11:56 UTC This still doesn't work as of pre6 (pre5 with updated core and xen).

In fact I have created an additional script (qvm-sync-dom0-clock):

#!/bin/sh

UPDATES_VM=`qvm-get-updatevm`

QREXEC_CLIENT=/usr/lib/qubes/qrexec_client

if [ -z "$UPDATES_VM" ]; then
    echo "UpdateVM not set, exiting!" >&2
    exit 1
fi

if ! xl domid "$UPDATES_VM" > /dev/null 2>&1; then
    echo "UpdateVM not started, exiting!"
    exit 1
fi

# dd is supposed to not allow memory exhaustion
# grep does basic sanity checking
# there seems to be no way to pass output of date +%s.%N to date,
# so we use human-readable format

CURRENT_TIME="$($QREXEC_CLIENT -d $UPDATES_VM 'user:date -u' | dd count=1 2>/dev/null | grep '^[A-Za-z]* [A-Za-z]* [0-9]* [0-9][0-9]:[0-9][0-9]:[0-9][0-9] UTC [0-9][0-9][0-9][0-9]$'|head -1)"
echo currtime = $CURRENT_TIME
if [ -n "$CURRENT_TIME" ] ; then
    echo Syncing Dom0 clock: setting time "$CURRENT_TIME"...
    sudo date -u -s "$CURRENT_TIME" ;
fi

And it shows the $CURRENT_TIME is always empty...

The desynced clocks between Dom0 and updatevm cause problems when it comes to updating Dom0 -- yum complains about files having future timestamps. For this reason I think we should: 1) Keep a separate tool named qvm-sync-dom0-clock and call it from qvm-dom0-upgrade 2) Modify qubes-update-watcher to call this tool

marmarek commented 9 years ago

Modified by joanna on 2 Aug 2011 11:56 UTC

marmarek commented 9 years ago

Comment by joanna on 2 Aug 2011 12:06 UTC There is a problem with the grep expression -- will fix it.

marmarek commented 9 years ago

Comment by joanna on 2 Aug 2011 12:26 UTC Fixed: http://git.qubes-os.org/?p=joanna/core.git;a=commitdiff;h=9c58c9757160bd22598bbda351806ed95608cdb7 http://git.qubes-os.org/?p=joanna/core.git;a=commitdiff;h=ccda3d664238d5e36d256996f7390a85f169c651
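
The sanity check that the sync script above applies to the UpdateVM's `date -u` output before dom0 passes it to `date -s`, as an added example that is not part of the original thread or of the Qubes code: it bounds and validates the untrusted line, and shows that a pattern allowing only one space before the day rejects the space-padded single-digit days that `date` prints. Both patterns, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: validate one untrusted `date -u` line before dom0 would
# hand it to `date -s`. Patterns are POSIX basic regular expressions.

# Assumed pattern for illustration: exactly one space before the day field.
ONE_SPACE_RE='^[A-Za-z]* [A-Za-z]* [0-9]* [0-9][0-9]:[0-9][0-9]:[0-9][0-9] UTC [0-9][0-9][0-9][0-9]$'

# Tighter pattern (an assumption, not the project's fix): fixed-width fields,
# and a day field that may be space-padded, as `date` prints days 1-9.
PADDED_RE='^[A-Z][a-z][a-z] [A-Z][a-z][a-z] [ 0-3][0-9] [0-2][0-9]:[0-5][0-9]:[0-6][0-9] UTC [0-9][0-9][0-9][0-9]$'

# Read untrusted bytes from stdin and print the first line only if it matches
# the pattern in $1; return 1 otherwise.
#  - dd caps how much is read, so the peer cannot exhaust memory
#  - head keeps a single line, so later lines never reach the caller
#  - LC_ALL=C makes the bracket ranges mean ASCII bytes in every locale
sanitize_vm_date() {
    vm_line=$(dd bs=512 count=1 2>/dev/null | head -n 1 |
        LC_ALL=C grep -e "$1") || return 1
    printf '%s\n' "$vm_line"
}

# Helper for the demo: does sample $2 pass pattern $1?
accepts() {
    printf '%s\n' "$2" | sanitize_vm_date "$1" >/dev/null
}

# Constructed samples, not captured from a real VM.
SAMPLE_TWO_DIGIT='Sat Jul 30 14:46:00 UTC 2011'
SAMPLE_ONE_DIGIT='Tue Aug  2 11:56:00 UTC 2011'
SAMPLE_TRAILING='Tue Aug  2 11:56:00 UTC 2011 extra'

# Print an accept/reject verdict for every sample under both patterns.
for sample in "$SAMPLE_TWO_DIGIT" "$SAMPLE_ONE_DIGIT" "$SAMPLE_TRAILING"; do
    for name in ONE_SPACE_RE PADDED_RE; do
        eval "re=\$$name"
        if accepts "$re" "$sample"; then verdict=accept; else verdict=reject; fi
        printf '%-12s %-6s [%s]\n' "$name" "$verdict" "$sample"
    done
done
```

A rejected line leaves the caller with an empty value, so the dom0 clock is left untouched rather than set from unvalidated input.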