Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Time synchronization #870

Open
bgilbert opened this issue Oct 2, 2019 · 8 comments
Open

Time synchronization #870

bgilbert opened this issue Oct 2, 2019 · 8 comments
Labels
area/stability jira for syncing to jira kind/enhancement platform/metal

Comments

@bgilbert
Copy link
Contributor

bgilbert commented Oct 2, 2019

Feature Request

Environment

Bare metal

Desired Feature

Ignition runs early in boot, before any time synchronization, and runs on newly-installed systems which may not have an accurate system clock. This can cause TLS certificate validation failures during fetch.

Consider adding a mechanism to query time servers and use the result for TLS certificate validation. This might be SNTP, roughtime, or HTTP Date headers.

Firewalls might not allow access to public time servers, so we can't just hardcode a server and forget about it. We can allow configuring a time server in an Ignition config, but if the initial config is fetched over HTTPS, there's a bootstrapping issue. So this might not be sufficiently practical.

Other Information

crypto/tls.Config includes a callback for getting the current time, so we can implement this without changing the system clock.
@ajeddeloh
Copy link
Contributor

Several options here:

  1. Add something to the spec to tell ignition what ntp servers to use
  2. Add something to the initramfs to set the system time before Ignition runs
  3. Add something to the initramfs to tell Ignition what time it started without setting system time
  4. Add something to the spec, but allow setting a default via a karg

Option 1 is nice since it is flexible and doesn't change the system time, but would require a spec change. It also has a chicken-and-egg problem of what to do if the initial config is fetched over https. It does mean Ignition would need to learn about NTP which isn't ideal.

Option 2 is less flexible, though could be made adequately flexible through kargs. It avoids the chicken-and-egg problem, but sets the system time which may not be what the user wants

Option 3 is like option 2, but we query the time right before running Ignition, then tell it the time it started and it can calculate time from there. I prefer option 3 over option 2.

Option 4 is relatively clean and I think I prefer it to option 1. It avoids the chicken-and-egg problem but still means Ignition needs to learn about ntp.

@cgwalters
Copy link
Member

xref openshift/machine-config-operator#629

@bgilbert
Copy link
Contributor Author

bgilbert commented Oct 3, 2019

I like option 4. I don't think HTTP is less secure than NTP, so arguably we could just use the HTTP Date header.

For bootstrapping I think there are two cases:

  1. Bare metal systems (except live ISO) receive an ignition.config.url kernel argument anyway, so the user can pass a second karg.
  2. On live ISO and cloud platforms other than Packet, if this functionality is even needed, fetching the initial Ignition config doesn't require HTTPS so a config option would work.

@ajeddeloh
Copy link
Contributor

wrt openshift and spec changing: all changes need to go in the 2.4.0-experimental or 3.1.0-experimental spec, so openshift would need to use those.

Does packet set the clocks on their servers when you get a machine? Might just not be an issue there.

@cgwalters
Copy link
Member

cgwalters commented Feb 23, 2021
edited

For bare metal (or virt acting as metal) systems, one thing we could do is take the flow of:

  • firstboot from e.g. ISO w/embedded ignition config (no remote resources with TLS+timestamp checks)
  • Our userspace chrony runs and syncs to correct time
  • coreos-installer learnds to capture the time and inject it into e.g. /boot/coreos.timestamp (or...hmm, you know, we could just set the time to be no earlier than that of the creation timestamp on /boot/config.ign automatically by default)
  • Add code to our initramfs that syncs up to at least that time

@cgwalters
Copy link
Member

Longer term though I think for CoreOS at least we need to move our time sync logic into the initramfs by default. On some platforms, there's a correct thing to do by default (major public clouds use a link-local NTP server): https://github.com/coreos/fedora-coreos-tracker/blob/master/internals/README-internals.md#time-synchronization

Ideally hypervisors like VSphere and Hyper-V provide a similar channel.

This was referenced Oct 19, 2022
Closed
Closed
@bgilbert
Copy link
Contributor Author

In particular, this is relevant for the Raspberry Pi, which doesn't have a battery-backed RTC.

@bgilbert bgilbert added the jira for syncing to jira label Oct 20, 2022
@djds
Copy link

djds commented Apr 8, 2023
edited

This also has the impact of failing to set up disk encryption on a Raspberry Pi CM4 board if any tang server is behind TLS even when paired with a separate tang server running over unencrypted HTTP with a threshold of 1. When paired with the official I/O board and correct overlay, it's possible to use the board RTC. Unfortunately ignition runs before that's synced back.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/stability jira for syncing to jira kind/enhancement platform/metal
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cgwalters @bgilbert @ajeddeloh @djds