Fatal error : Could not open /run/chrony/chronyd.pid : Permission denied
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
chrony (Ubuntu) | Expired | Undecided | Unassigned | | |
Bug Description
After an upgrade from 20.04 to 22.04, chrony fails with the error:
Fatal error : Could not open /run/chrony/
See also an earlier report in https:/
The workaround I documented there was:
echo ' @{run}/chrony/{,**} rw,' > /etc/apparmor.
systemctl reload apparmor
systemctl restart chrony
It seems the default chrony apparmor profile should say `@{run}
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: chrony 4.2-2ubuntu2
ProcVersionSign
Uname: Linux 5.15.0-58-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
CasperMD5CheckR
Date: Thu Feb 2 11:41:41 2023
SourcePackage: chrony
UpgradeStatus: Upgraded to jammy on 2023-02-02 (0 days ago)
Hmm, I am a bit surprised by this - the existing rule would appear to cover /run/chrony/chrony.pid
i.e. `@{run}/chrony/{,*} rw` says allow read and write to the directory `/run/chrony/` and any files immediately inside it - of which chrony.pid should be allowed.
Also FWIW I can't reproduce this in a clean 22.04 VM:
root@sec-jammy-amd64:~# apt install chrony
...
root@sec-jammy-amd64:~# aa-status
apparmor module is loaded.
19 profiles are loaded.
19 profiles are in enforce mode.
/snap/core/14399/usr/lib/snapd/snap-confine
/snap/core/14399/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/chronyd
/{,usr/}sbin/dhclient
lsb_release
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.core
snap-update-ns.hello-world
snap.core.hook.configure
snap.hello-world.env
snap.hello-world.evil
snap.hello-world.hello-world
snap.hello-world.sh
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/chronyd (1063)
/usr/sbin/chronyd (1064)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
root@sec-jammy-amd64:~# systemctl status chrony.service
● chrony.service - chrony, an NTP client/server
Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-02-02 03:33:19 UTC; 1min 50s ago
Docs: man:chronyd(8)
man:chronyc(1)
man:chrony.conf(5)
Process: 1054 ExecStart=/usr/lib/systemd/scripts/chronyd-starter.sh $DAEMON_OPTS (code=exited, status=0/SUCCESS)
Main PID: 1063 (chronyd)
Tasks: 2 (limit: 1120)
Memory: 1.5M
CPU: 38ms
CGroup: /system.slice/chrony.service
├─1063 /usr/sbin/chronyd -F 1
└─1064 /usr/sbin/chronyd -F 1
Feb 02 03:33:19 sec-jammy-amd64 systemd[1]: Starting chrony, an NTP client/server...
Feb 02 03:33:19 sec-jammy-amd64 chronyd[1063]: chronyd version 4.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
Feb 02 03:33:19 sec-jammy-amd64 chronyd[1063]: Using right/UTC timezone to obtain leap second data
Feb 02 03:33:19 sec-jammy-amd64 chronyd[1063]: Loaded seccomp filter (level 1)
Feb 02 03:33:19 sec-jammy-amd64 systemd[1]: Started chrony, an NTP client/server.
Feb 02 03:33:27 sec-jammy-amd64 chronyd[1063]: Selected source 212.243.96.76 (2.ubuntu.pool.ntp.org)
Feb 02 03:33:27 sec-jammy-amd64 chronyd[1063]: System clock TAI offset set to 37 seconds
Feb 02 03:34:34 sec-jammy-amd64 chronyd[1063]: Selected source 185.125.190.56 (ntp.ubuntu.com)
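
The difference between the `{,*}` rule quoted in the comment above and the `{,**}` rule in the reporter's workaround, as an added example that is not part of the original report or of AppArmor's own code: a simplified Python model of AppArmor path globbing. It assumes `@{run}` expands to `/run` only and ignores character classes; every sample path except `chrony.pid` is constructed.

```python
import re

# Assumption: @{run} is treated as the single path /run in this sketch.
VARIABLES = {"@{run}": "/run"}


def aa_glob_to_regex(pattern: str) -> str:
    """Translate a simplified AppArmor path glob into a regex body."""
    for name, value in VARIABLES.items():
        pattern = pattern.replace(name, value)
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")        # ** crosses directory separators
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")     # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")         # comma separates alternatives inside {}
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in pattern")
    return "".join(out)


def rule_allows(pattern: str, path: str) -> bool:
    """True if the path rule covers the whole path."""
    return re.fullmatch(aa_glob_to_regex(pattern), path) is not None


EXISTING = "@{run}/chrony/{,*}"     # rule quoted in the comment
WORKAROUND = "@{run}/chrony/{,**}"  # rule from the reporter's workaround
# Constructed sample paths; only chrony.pid appears in the report.
SAMPLES = ["/run/chrony/", "/run/chrony/chrony.pid",
           "/run/chrony/sub/x.sock", "/run/chronyd.pid"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:26} existing={rule_allows(EXISTING, p)} "
              f"workaround={rule_allows(WORKAROUND, p)}")
```

In this model both rules cover `/run/chrony/chrony.pid`; the workaround additionally grants access to everything in subdirectories of `/run/chrony/`.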