ntp sync for dom0 doesn't work

[marmarek]

Reported by joanna on 18 Jul 2011 13:09 UTC
I installed my system yesterday, and I still have some 6 minutes desync of the dom0 clock...

Besides automatically syncing the dom0 clock, it might be good to have a qvm-dom0-sync-clock utility that would force it on demand?

Migrated-From: https://wiki.qubes-os.org/ticket/301

[marmarek]

Modified by rafal on 28 Jul 2011 14:08 UTC

[marmarek]

Modified by rafal on 28 Jul 2011 14:08 UTC

[marmarek]

Comment by rafal on 28 Jul 2011 15:13 UTC
Correct me if I am wrong, but in the current state, there is no "automatically syncing the dom0 clock" ?
the commit
http://git.qubes-os.org/?p=joanna/core.git;a=blobdiff;f=common/qubes_core;h=45d4b7fec58145c281aac12ddb1bba063866c4b6;hp=239a684511b0e9d258a53ab66eac124ddede628d;hb=2784d0ccd41582f34949cd49dd787e6c85d2d55b;hpb=9d778d6870e0147f8002667f0e837906b330ec78

just starts ntp in proxyvm. I see no other references to ntp or date in core, nor in a running fresh install ?

So, we need to periodically sync dom0 clock. We chose to disable cron; so do we want to run
date -s "$(qvm-run default_netvm date)"
command in some shell script started by qubes_netvm, in a infinite loop ?

Moreover, it seems that the "use ntp" option/screen is still present in the installer ? And it is quite confusing, as it offers to use fedora.pool.ntp.org servers as source, which suggests that dom0 has network connectivity.

[marmarek]

Comment by rafal on 28 Jul 2011 15:13 UTC
Correct me if I am wrong, but in the current state, there is no "automatically syncing the dom0 clock" ?
the commit
http://git.qubes-os.org/?p=joanna/core.git;a=blobdiff;f=common/qubes_core;h=45d4b7fec58145c281aac12ddb1bba063866c4b6;hp=239a684511b0e9d258a53ab66eac124ddede628d;hb=2784d0ccd41582f34949cd49dd787e6c85d2d55b;hpb=9d778d6870e0147f8002667f0e837906b330ec78

just starts ntp in proxyvm. I see no other references to ntp or date in core, nor in a running fresh install ?

So, we need to periodically sync dom0 clock. We chose to disable cron; so do we want to run
date -s "$(qvm-run default_netvm date)"
command in some shell script started by qubes_netvm, in a infinite loop ?

Moreover, it seems that the "use ntp" option/screen is still present in the installer ? And it is quite confusing, as it offers to use fedora.pool.ntp.org servers as source, which suggests that dom0 has network connectivity.

[marmarek]

Comment by joanna on 28 Jul 2011 15:22 UTC
I'm fine with enabling (ana)cron in Dom0 -- just making sure we remove all the unnecessary crap from the cron jobs.

NTP is no longer present in the latest installer I built.

[marmarek]

Comment by joanna on 28 Jul 2011 15:22 UTC
I'm fine with enabling (ana)cron in Dom0 -- just making sure we remove all the unnecessary crap from the cron jobs.

NTP is no longer present in the latest installer I built.

[marmarek]

Comment by joanna on 28 Jul 2011 15:34 UTC
BTW, we could use (ana)cron to also periodicly run qvm-dom0-upgraade.

[marmarek]

Comment by joanna on 28 Jul 2011 15:34 UTC
BTW, we could use (ana)cron to also periodicly run qvm-dom0-upgraade.

[marmarek]

Comment by rafal on 29 Jul 2011 10:23 UTC
No, I was wrong, qubes-watch-updates.sh takes care of syncing the clock. However, "date -s" with input obtained from date +%s.%N fails. Fixed at
http://git.qubes-os.org/?p=rafal/core.git;a=commit;h=4ad919bf6d60d21663604aa10dacbfaa55470046
prebeta2 branch.

[marmarek]

Comment by rafal on 29 Jul 2011 10:23 UTC
No, I was wrong, qubes-watch-updates.sh takes care of syncing the clock. However, "date -s" with input obtained from date +%s.%N fails. Fixed at
http://git.qubes-os.org/?p=rafal/core.git;a=commit;h=4ad919bf6d60d21663604aa10dacbfaa55470046
prebeta2 branch.

[marmarek]

Comment by joanna on 30 Jul 2011 10:06 UTC
NTP is not configured in the UpdateVM (firewallvm)...

[marmarek]

Comment by joanna on 30 Jul 2011 10:06 UTC
NTP is not configured in the UpdateVM (firewallvm)...

[marmarek]

Comment by joanna on 30 Jul 2011 10:09 UTC
Specifically ntpdate fails in firewallvm

[marmarek]

Comment by joanna on 30 Jul 2011 10:09 UTC
Specifically ntpdate fails in firewallvm

[marmarek]

Comment by rafal on 30 Jul 2011 12:48 UTC
According to the manual, you need to pass an argument to "ntpdate", which you probably did not do - it works with e.g. 0.fedora.pool.ntp.org

ntpd daemon takes care of updating the time itself (although, if you change the time manually, it may take about 20minutes for ntpd to fix this), and the default /etc/ntp.conf is just fine.
"ntpdc -c peers" is a better way to check ntpd status.

[marmarek]

Comment by rafal on 30 Jul 2011 12:48 UTC
According to the manual, you need to pass an argument to "ntpdate", which you probably did not do - it works with e.g. 0.fedora.pool.ntp.org

ntpd daemon takes care of updating the time itself (although, if you change the time manually, it may take about 20minutes for ntpd to fix this), and the default /etc/ntp.conf is just fine.
"ntpdc -c peers" is a better way to check ntpd status.

[marmarek]

Comment by joanna on 30 Jul 2011 14:11 UTC
I've been running my firewallvm for days and it haven't synced even once...

I'm gonna check this again on pre5...

[marmarek]

Comment by joanna on 30 Jul 2011 14:11 UTC
I've been running my firewallvm for days and it haven't synced even once...

I'm gonna check this again on pre5...

[marmarek]

Comment by joanna on 30 Jul 2011 14:46 UTC
ntpd* services are off by default in servicevm in rc5.

[marmarek]

Comment by joanna on 30 Jul 2011 14:46 UTC
ntpd* services are off by default in servicevm in rc5.

[marmarek]

Comment by joanna on 30 Jul 2011 14:46 UTC
s/rc5/pre5/

[marmarek]

Comment by joanna on 30 Jul 2011 14:46 UTC
s/rc5/pre5/

[marmarek]

Comment by rafal on 30 Jul 2011 17:43 UTC
See the commit url in the first comment. ntpd is started manually in qubes_core.
Dom0 time is synced with firewallvm every 6 hours.

[marmarek]

Comment by rafal on 30 Jul 2011 17:43 UTC
See the commit url in the first comment. ntpd is started manually in qubes_core.
Dom0 time is synced with firewallvm every 6 hours.

[marmarek]

Comment by joanna on 2 Aug 2011 11:56 UTC
This still doesn't work as of pre6 (pre5 with updated core and xen).

In fact I have created an additional script (qvm-sync-dom0-clock):

#!/bin/sh

UPDATES_VM=`qvm-get-updatevm`

QREXEC_CLIENT=/usr/lib/qubes/qrexec_client

if [ -z "$UPDATES_VM" ]; then
    echo "UpdateVM not set, exiting!" >&2
    exit 1
fi

if ! xl domid "$UPDATES_VM" > /dev/null 2>&1; then
    echo "UpdateVM not started, exiting!"
    exit 1
fi

# dd is supposed to not allow memory exhaustion
# grep does basic sanity checking
# there seems to be no way to pass output of date +%s.%N to date,
# so we use human-readable format

CURRENT_TIME="$($QREXEC_CLIENT -d $UPDATES_VM 'user:date -u' | dd count=1 2>/dev/null | grep '^[[A-Za-z](A-Za-z]*)* [[0-9](0-9]*)[UTC [0-9](0-9]:[0-9][0-9]:[0-9][0-9])[-1)"
echo currtime = $CURRENT_TIME
if [ -n "$CURRENT_TIME" ](0-9][0-9][0-9]$'|head) ; then 
    echo Syncing Dom0 clock: setting time "$CURRENT_TIME"...
    sudo date -u -s "$CURRENT_TIME" ;
fi

And it shows the $CURRENT_TIME is always empty...

The desynced clocks between Dom0 and updatevm causes problems when it comes to updateing Dom0 -- yum complains about files having future timestamps. For this reason I think we should:

1. Keep a separate tool named qvm-sync-dom0-clock and call it from qvm-dom0-upgrade
2. Modify qubes-update-watcher to call this tool

[marmarek]

Comment by joanna on 2 Aug 2011 11:56 UTC
This still doesn't work as of pre6 (pre5 with updated core and xen).

In fact I have created an additional script (qvm-sync-dom0-clock):

#!/bin/sh

UPDATES_VM=`qvm-get-updatevm`

QREXEC_CLIENT=/usr/lib/qubes/qrexec_client

if [ -z "$UPDATES_VM" ]; then
    echo "UpdateVM not set, exiting!" >&2
    exit 1
fi

if ! xl domid "$UPDATES_VM" > /dev/null 2>&1; then
    echo "UpdateVM not started, exiting!"
    exit 1
fi

# dd is supposed to not allow memory exhaustion
# grep does basic sanity checking
# there seems to be no way to pass output of date +%s.%N to date,
# so we use human-readable format

CURRENT_TIME="$($QREXEC_CLIENT -d $UPDATES_VM 'user:date -u' | dd count=1 2>/dev/null | grep '^[[A-Za-z](A-Za-z]*)* [[0-9](0-9]*)[UTC [0-9](0-9]:[0-9][0-9]:[0-9][0-9])[-1)"
echo currtime = $CURRENT_TIME
if [ -n "$CURRENT_TIME" ](0-9][0-9][0-9]$'|head) ; then 
    echo Syncing Dom0 clock: setting time "$CURRENT_TIME"...
    sudo date -u -s "$CURRENT_TIME" ;
fi

And it shows the $CURRENT_TIME is always empty...

The desynced clocks between Dom0 and updatevm causes problems when it comes to updateing Dom0 -- yum complains about files having future timestamps. For this reason I think we should:

1. Keep a separate tool named qvm-sync-dom0-clock and call it from qvm-dom0-upgrade
2. Modify qubes-update-watcher to call this tool

[marmarek]

Modified by joanna on 2 Aug 2011 11:56 UTC

[marmarek]

Modified by joanna on 2 Aug 2011 11:56 UTC

[marmarek]

Comment by joanna on 2 Aug 2011 12:06 UTC
There is a problem with the grep expression -- will fix it.

[marmarek]

Comment by joanna on 2 Aug 2011 12:06 UTC
There is a problem with the grep expression -- will fix it.

[marmarek]

Comment by joanna on 2 Aug 2011 12:26 UTC
Fixed:
http://git.qubes-os.org/?p=joanna/core.git;a=commitdiff;h=9c58c9757160bd22598bbda351806ed95608cdb7
http://git.qubes-os.org/?p=joanna/core.git;a=commitdiff;h=ccda3d664238d5e36d256996f7390a85f169c651

[marmarek]

Comment by joanna on 2 Aug 2011 12:26 UTC
Fixed:
http://git.qubes-os.org/?p=joanna/core.git;a=commitdiff;h=9c58c9757160bd22598bbda351806ed95608cdb7
http://git.qubes-os.org/?p=joanna/core.git;a=commitdiff;h=ccda3d664238d5e36d256996f7390a85f169c651