aws-samples / vpn-gateway-strongswan

AWS CloudFormation template to deploy the open source strongSwan VPN solution to act as a VPN gateway in support of site-to-site VPN connections.
Apache License 2.0
68 stars 37 forks

ntpd fails to restart due to: Failed to start ntpd.service: Transaction is destructive. #24

Closed. ckamps closed this issue 2 years ago.

ckamps commented 3 years ago

I encountered this condition during a stack deployment attempt, but have not encountered it again.

First boot configuration fails via a CloudFormation event:

WaitCondition received failed message: 'Configuration failed.' for uniqueId: i-0....

Digging into cfn-init.log shows the cause of the stack creation failure, but it's unclear as to what caused ntpd to fail to restart. Requires further investigation.

2021-09-22 16:27:20,378 [DEBUG] Running command 02-enable-ip-forwarding
2021-09-22 16:27:20,379 [DEBUG] No test for command 02-enable-ip-forwarding
2021-09-22 16:27:20,387 [INFO] Command 02-enable-ip-forwarding succeeded
2021-09-22 16:27:20,387 [DEBUG] Command 02-enable-ip-forwarding output: net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.disable_xfrm = 1
net.ipv4.conf.eth0.disable_policy = 1

2021-09-22 16:27:20,387 [DEBUG] Running command 03-enable-start-ntpd
2021-09-22 16:27:20,387 [DEBUG] No test for command 03-enable-start-ntpd
2021-09-22 16:27:20,479 [ERROR] Command 03-enable-start-ntpd (systemctl enable ntpd &&  systemctl start  ntpd) failed
2021-09-22 16:27:20,479 [DEBUG] Command 03-enable-start-ntpd output: Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.Failed to start ntpd.service: Transaction is destructive.
See system logs and 'systemctl status ntpd.service' for details.

2021-09-22 16:27:20,479 [ERROR] Error encountered during build of 06-config-vpn-gateway-commands: Command 03-enable-start-ntpd failed
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 573, in run_config
    CloudFormationCarpenter(config, self._auth_config).build(worklog)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 273, in build
    self._config.commands)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/command_tool.py", line 127, in apply
    raise ToolError(u"Command %s failed" % name)
cfnbootstrap.construction_errors.ToolError: Command 03-enable-start-ntpd failed
2021-09-22 16:27:20,487 [ERROR] -----------------------BUILD FAILED!------------------------
2021-09-22 16:27:20,487 [ERROR] Unhandled exception during build: Command 03-enable-start-ntpd failed
Traceback (most recent call last):
  File "/opt/aws/bin/cfn-init", line 176, in <module>
    worklog.build(metadata, configSets)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 135, in build
    Contractor(metadata).build(configSets, self)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 561, in build
    self.run_config(config, worklog)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 573, in run_config
    CloudFormationCarpenter(config, self._auth_config).build(worklog)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 273, in build
    self._config.commands)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/command_tool.py", line 127, in apply
    raise ToolError(u"Command %s failed" % name)
cfnbootstrap.construction_errors.ToolError: Command 03-enable-start-ntpd failed

ckamps commented 2 years ago

Since the latest versions of Amazon Linux 2 and Amazon Linux AMIs synchronize with the Amazon Time Sync Service by default, there's likely no need for the stack to install and configure ntp.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html

ckamps commented 2 years ago

Latest commit resolves this issue by removing installation and startup of ntpd. https://github.com/aws-samples/vpn-gateway-strongswan/commit/6c1caab6cb53c383ace6e4cc834d2c1e27ef924a
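The fix above relies on the instance already syncing its clock through the Amazon Time Sync Service, which matters for a VPN gateway because IKE/IPsec lifetimes and certificate validity checks depend on a sane clock. The following is an added example, not code from this repository: a POSIX shell check that parses `chronyc sources` output and reports whether the Amazon Time Sync address (169.254.169.123) is the selected source, so a bootstrap script can verify that assumption instead of blindly starting ntpd. The sample chronyc output is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of vpn-gateway-strongswan): confirm that chrony is
# actually synchronised to the Amazon Time Sync Service before skipping ntpd.

AMZN_TIME_SYNC_IP="169.254.169.123"

# Constructed sample of `chronyc sources` output (chrony 3.x layout). The
# "^*" marker in the first column means chrony is currently synced to that
# source; "^-" is a reachable but unselected source; "^?" is unreachable.
SAMPLE_CHRONYC_SOURCES='210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 169.254.169.123               3   4   377    12   +123us[ +145us] +/-  412us
^- 2.amazon.pool.ntp.org         2   6   377    36  -1012us[-1012us] +/- 7314us'

# Return 0 when the selected ("^*") source is the Amazon Time Sync address,
# 1 otherwise. Takes the raw `chronyc sources` text as its only argument.
amazon_time_sync_selected() {
    printf '%s\n' "$1" | awk -v ip="$AMZN_TIME_SYNC_IP" '
        $1 == "^*" && $2 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Decide what a cfn-init style bootstrap should do about ntpd. Echoes
# "skip-ntpd" when chrony is already synced to Amazon Time Sync and
# "configure-ntpd" otherwise, so a template can branch explicitly rather
# than failing the whole WaitCondition on an unexpected time-sync state.
ntpd_decision() {
    if amazon_time_sync_selected "$1"; then
        echo "skip-ntpd"
    else
        echo "configure-ntpd"
    fi
}

# On a live Amazon Linux 2 instance feed real output instead of the sample:
#   ntpd_decision "$(chronyc sources)"
ntpd_decision "$SAMPLE_CHRONYC_SOURCES"
```

Run it on a freshly launched gateway before removing any NTP configuration from a template; if it prints "configure-ntpd" the instance is not synced to Amazon Time Sync and the clock source needs attention first.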