On Thu, Mar 8, 2018 at 6:09 PM, Miroslav Lichvar <mlich...@redhat.com> wrote:
> On Thu, Mar 08, 2018 at 05:08:16PM +0100, Christian Ehrhardt wrote:
> > 1. the option would not be default on, so "normal" users/installations
> > would not be affected
> > 2. cases that want the fallback behavior, but are unable to probe/detect at
> > the time:
> > - so they can not decide to use normal -x
> > - also the environment might change on them without reconfig
> > Both of the above would be solved by them dropping the new -x=fallback
> > option for their case.
>
> Does that include an assumption that if the clock cannot be
> controlled, it's already synchronized by something else and if it can,
> it's a separate time namespace?
>
> > Our container folks will outline the CAP_SYS_TIME issue I mentioned before,
> > so really the best test for my suggested SYS_IsTimeAdjustable would be (on
> > top of what I have to check the Cap) an adjtime no-op.
> > I tried via adjtimex cmdline and thought maybe "adjtimex -s 0" (in C from
> > chrony eventually) would be a no-op check I'd think
>
> The sys_linux initialization code resets the singleshot offset, which
> could be used as an early check for adjtimex().
>
> Ok, here are some suggestions for the implementation:
> - change all SYS_*_Initialise() functions to return 1 and SYS_Initialise()
>   to check the return code (with a LOG_FATAL message if it is 0)
> - change reset_adjtime() and SYS_Linux_Initialise() to return 0 on failure
> - change SYS_Initialise() to handle the failure if clock_control is -1
>   and add (and document) -X option which sets clock_control to -1 in
>   main.c
>

For readability I used a second arg clock_fallback instead of 1/0/-1 in
clock_control.
I tried to have the known cases (e.g. lack of CAP_SYS_TIME) called out
explicitly.
Also I ensured that the actual issue, e.g. adjtimex, is reported as it would
have been before (just no more fatally).

A few tests before sending V2 ran fine after some iterations (e.g. we have to
set null-driver=1 to make later cap_set_proc not need the perm).

Other than that I realized I mostly followed your suggestion - thanks BTW!

Following are a few logs of how it looks now - sending that as v2.

container: chronyd -qd
2018-03-12T16:07:14Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)
2018-03-12T16:07:14Z adjtimex(0x8001) failed : Operation not permitted
2018-03-12T16:07:14Z Failed to initialize control of local system clock
2018-03-12T16:07:14Z CAP_SYS_TIME not present
2018-03-12T16:07:14Z Fatal error : No Fallback (-X) allowed, init failed

container: chronyd -qd -x
2018-03-12T16:07:30Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)
2018-03-12T16:07:30Z Disabled control of system clock
2018-03-12T16:07:30Z Frequency 0.510 +/- 14.980 ppm read from /var/lib/chrony/chrony.drift
2018-03-12T16:07:41Z System clock wrong by -0.000833 seconds (step)
2018-03-12T16:07:41Z Could not step system clock
2018-03-12T16:07:41Z chronyd exiting

container: chronyd -qd -X
2018-03-12T16:08:01Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)
2018-03-12T16:08:01Z adjtimex(0x8001) failed : Operation not permitted
2018-03-12T16:08:01Z Failed to initialize control of local system clock
2018-03-12T16:08:01Z CAP_SYS_TIME not present
2018-03-12T16:08:01Z Falling back by disabling control of the system clock
2018-03-12T16:08:01Z Disabled control of system clock
2018-03-12T16:08:01Z Frequency 0.510 +/- 14.980 ppm read from /var/lib/chrony/chrony.drift
2018-03-12T16:08:12Z System clock wrong by -0.000503 seconds (step)
2018-03-12T16:08:12Z Could not step system clock
2018-03-12T16:08:12Z chronyd exiting

Container service with -X
systemctl status chrony
● chrony.service - chrony, an NTP client/server
   Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-03-12 16:08:24 UTC; 3s ago
     Docs: man:chronyd(8)
           man:chronyc(1)
           man:chrony.conf(5)
  Process: 23184 ExecStartPost=/usr/lib/chrony/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 23180 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 23182 (chronyd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/chrony.service
           └─23182 /usr/sbin/chronyd -X

Mar 12 16:08:24 b systemd[1]: Starting chrony, an NTP client/server...
Mar 12 16:08:24 b chronyd[23182]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -D
Mar 12 16:08:24 b chronyd[23182]: adjtimex(0x8001) failed : Operation not permitted
Mar 12 16:08:24 b chronyd[23182]: Failed to initialize control of local system clock
Mar 12 16:08:24 b chronyd[23182]: CAP_SYS_TIME not present
Mar 12 16:08:24 b chronyd[23182]: Falling back by disabling control of the system clock
Mar 12 16:08:24 b chronyd[23182]: Disabled control of system clock
Mar 12 16:08:24 b chronyd[23182]: Frequency 0.510 +/- 14.980 ppm read from /var/lib/chrony/chrony.drift
Mar 12 16:08:24 b systemd[1]: Started chrony, an NTP client/server.

Container service with -x
● chrony.service - chrony, an NTP client/server
   Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-03-12 16:09:03 UTC; 1s ago
     Docs: man:chronyd(8)
           man:chronyc(1)
           man:chrony.conf(5)
  Process: 23232 ExecStartPost=/usr/lib/chrony/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 23228 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 23230 (chronyd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/chrony.service
           └─23230 /usr/sbin/chronyd -x

Mar 12 16:09:03 b systemd[1]: Starting chrony, an NTP client/server...
Mar 12 16:09:03 b chronyd[23230]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -D
Mar 12 16:09:03 b chronyd[23230]: Disabled control of system clock
Mar 12 16:09:03 b chronyd[23230]: Frequency 0.510 +/- 14.980 ppm read from /var/lib/chrony/chrony.drift
Mar 12 16:09:03 b systemd[1]: Started chrony, an NTP client/server.

Container neither -x nor -X:
● chrony.service - chrony, an NTP client/server
   Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2018-03-12 16:09:37 UTC; 1s ago
     Docs: man:chronyd(8)
           man:chronyc(1)
           man:chrony.conf(5)
  Process: 23232 ExecStartPost=/usr/lib/chrony/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 23245 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited, status=1/FAILURE)
 Main PID: 23230 (code=exited, status=0/SUCCESS)

Mar 12 16:09:37 b systemd[1]: Starting chrony, an NTP client/server...
Mar 12 16:09:37 b chronyd[23247]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -D
Mar 12 16:09:37 b chronyd[23247]: adjtimex(0x8001) failed : Operation not permitted
Mar 12 16:09:37 b systemd[1]: chrony.service: Control process exited, code=exited status=1
Mar 12 16:09:37 b chronyd[23245]: No Fallback (-X) allowed, init failed
Mar 12 16:09:37 b chronyd[23247]: Failed to initialize control of local system clock
Mar 12 16:09:37 b chronyd[23247]: CAP_SYS_TIME not present
Mar 12 16:09:37 b chronyd[23247]: Fatal error : No Fallback (-X) allowed, init failed
Mar 12 16:09:37 b systemd[1]: chrony.service: Failed with result 'exit-code'.
Mar 12 16:09:37 b systemd[1]: Failed to start chrony, an NTP client/server.

[...]

cases on VM not so interesting except:

vm: chronyd with -X set
(One can see it does not fall back if it can adjust the time)
● chrony.service - chrony, an NTP client/server
   Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-03-12 16:10:09 UTC; 1s ago
     Docs: man:chronyd(8)
           man:chronyc(1)
           man:chrony.conf(5)
  Process: 10566 ExecStartPost=/usr/lib/chrony/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 10552 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 10565 (chronyd)
    Tasks: 1 (limit: 547)
   CGroup: /system.slice/chrony.service
           └─10565 /usr/sbin/chronyd -X

Mär 12 16:10:09 b-test systemd[1]: Starting chrony, an NTP client/server...
Mär 12 16:10:09 b-test chronyd[10565]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IP
Mär 12 16:10:09 b-test chronyd[10565]: Frequency -3.690 +/- 0.464 ppm read from /var/lib/chrony/chrony.drift
Mär 12 16:10:09 b-test systemd[1]: Started chrony, an NTP client/server.

> --
> Miroslav Lichvar

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
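
The start-up behaviour shown in the logs above (no option, -x, -X), as an added C example that is not part of the original mail and not chrony's code: it probes with the adjtimex(0x8001) call seen in the logs and maps the result to "control", "disabled" or "fatal". The enum and function names are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/* Hypothetical names for this example; they are not chrony's identifiers. */
enum clock_mode { MODE_CONTROL, MODE_NO_CONTROL, MODE_FALLBACK }; /* none, -x, -X */
enum clock_result { RES_CONTROL, RES_DISABLED, RES_FATAL };

/* Probe by resetting the single-shot offset to 0, i.e. adjtimex(0x8001).
   This cancels any pending adjtime() slew, so it is only a no-op when none
   is in progress. Returns 0 if accepted, otherwise the errno value. */
int probe_clock_adjustable(void)
{
  struct timex txc;

  memset(&txc, 0, sizeof txc);
  txc.modes = ADJ_OFFSET_SINGLESHOT;
  txc.offset = 0;
  return adjtimex(&txc) < 0 ? errno : 0;
}

/* Map the start-up option and the probe result to the behaviour in the logs. */
enum clock_result decide_clock_control(enum clock_mode mode, int probe_errno)
{
  if (mode == MODE_NO_CONTROL)
    return RES_DISABLED;   /* -x: probe result ignored, a daemon would skip it */
  if (probe_errno == 0)
    return RES_CONTROL;    /* clock is adjustable: -X does not fall back */
  return mode == MODE_FALLBACK ? RES_DISABLED : RES_FATAL;
}

int main(void)
{
  static const char *names[] = { "control", "disabled", "fatal" };
  int err = probe_clock_adjustable();

  if (err)
    printf("adjtimex(0x%x) failed : %s%s\n", ADJ_OFFSET_SINGLESHOT, strerror(err),
           err == EPERM ? " (is CAP_SYS_TIME missing?)" : "");
  printf("no option: %s\n", names[decide_clock_control(MODE_CONTROL, err)]);
  printf("-x:        %s\n", names[decide_clock_control(MODE_NO_CONTROL, err)]);
  printf("-X:        %s\n", names[decide_clock_control(MODE_FALLBACK, err)]);
  return 0;
}
```

Run in a container without CAP_SYS_TIME, the probe returns EPERM and only the "no option" case is fatal; on a host where the call succeeds, -X keeps control of the clock.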