Focal Fossa : chronyd unable to sync system clock
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
chrony (Ubuntu) |
Fix Released
|
Critical
|
Christian Ehrhardt |
Bug Description
We haven't released Focal yet, but we are in Beta freeze.
This fix is important and to help the release Team I'll add an SRU Teamplate which is a form/style everyone knows.
[Impact]
* capsh changed the output and chrony scripts used to parse that
* that failed parsing leads to detecting the lack of cap-sys_time ALWAYS
* due to that chrony in focal can't sync time at all, as always -x is
appended which is a critical impact and IMHO should make us accept this
fix asap.
[Test Case]
* install/upgrade chrony in an environment that can set time (bare metal,
VMs, but not containers)
Without the fix it will report:
$ systemctl status chrony
Mar 31 08:34:57 f-chrony systemd[1]: Starting chrony, an NTP client/server...
Mar 31 08:34:57 f-chrony chronyd-
Mar 31 08:34:57 f-chrony chronyd-
* With the fix on those environments it will work again.
Mar 31 10:17:51 f-chrony systemd[1]: Starting chrony, an NTP client/server...
Mar 31 10:17:51 f-chrony chronyd[10780]: chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
Mar 31 10:17:51 f-chrony chronyd[10780]: Frequency -0.027 +/- 0.117
ppm read from /var/lib/
Mar 31 10:17:51 f-chrony chronyd[10780]: Loaded seccomp filter
Mar 31 10:17:51 f-chrony systemd[1]: Started chrony, an NTP client/server.
* One can also check the chrony commandline, in environments able to set the time it should NOT contain the "-x" argument
[Regression Potential]
* There would have been the risk of restarting the service on an upgrade
before the new capsh is around, but I've added a versioned dependency.
Other than that:
- on VMs/Bare-Metal since it is false-posiive today it can't regress
further and nothing else was changed
- on Containers if we made a mistake it would NOT detect as a lack of
cap_sys_time due to that chronyd there would start and fail trying to
sync the clock. That is the default upstream behavior - our addition
of a "try to run in containers" is only a helping hand to e.g. time
forwarders set up there like MAAS does.
Therefore overall no regression risk that should stop this upload IMHO.
[Other Info]
* the second case broken by capsh output, I'm glad the capability check
now become an explicit option to reduce the chance of this happening
again.
---
systemd[1]: Starting chrony, an NTP client/server...
chronyd-
Related branches
- Robie Basak: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
-
Diff: 43 lines (+11/-2)3 files modifieddebian/changelog (+9/-0)
debian/chronyd-starter.sh (+1/-1)
debian/control (+1/-1)
description: | updated |
Tested on armv7l and aarch64.