ntpsec's ntpd fails to write ntp.drift file because of apparmor
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ntpsec (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
NTPsec 1.1.0 changed the way it writes the drift file. The new drift file is written to ntp.drift-tmp before being renamed to ntp.drift. The apparmor policy does not allow writing to ntp.drift-tmp. As a result, NTPsec is not able to write the drift file.
Failing to write the drift file means that every time ntpd starts up, it has to recalculate the system's drift from scratch. This reduces clock accuracy for some time.
The fix is to update the apparmor policy to allow writing to ntp.drift-tmp at the same locations as ntp.drift.
Per the SRU rules, I waited to file this SRU until the fix made it into cosmic. This is fixed in ntpsec 1.1.1+dfsg1-2, which has synced to cosmic. It was originally fixed in exactly the way proposed here. (The fix here is a cherry pick of that commit.) However, subsequent changes restructured /var/lib/ntp to /var/lib/ntpsec, so the apparmor policy in 1.1.1+dfsg1-2 can't be directly copied.
[Test Case]
1. If the ntp (note: ntp, not ntpsec) package is installed, uninstall it. Make sure there is no /var/lib/
2. Install ntpsec.
3. Wait a while (typically an hour or more) for ntpd to calculate the drift.
4. Check syslog for messages like this:
2018-08-
and the kernel log for messages like this:
[446384.822309] audit: type=1400 audit(153482543
5. Verify that there is no /var/lib/
6. Install the updated apparmor policy. Restart apparmor. Restart ntpd. Wait for ntpd to calculate the drift. This time there should be a file at: /var/lib/
[Regression Potential]
This change only adds entries to the apparmor profile. Barring a syntax error, this shouldn't be able to break anything.
[Other Info]
I am the Debian maintainer of the ntpsec package.
tags: |
added: verification-done verification-done-bionic removed: verification-needed verification-needed-bionic |
The attachment "ntpsec_ 1.1.0+dfsg1- 1ubuntu1. debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]