MAAS fails w/ bad hwclock & no NTP access

Lets Reference bug #1581515 which was marked as invalid

Hi Sean,

Again, this is not a problem in MAAS. So why would cloud-init report the time is in the future. What happens if you just don't try to ensure the clocks are the same? The error in deployment above is telling me that the clocks are not synced.

Cloud-init only fixes the clock-skew so there are no authentication issues when sending information back to MAAS. Now, I don't see your installation log (you can grab it from the WebUI).

Also, MAAS doesn't do NTP as of now, but may do in the future.

I'm marking this as "invalid" for MAAS, and will open a task for curtin and cloud init. Howeve,r please do attach your installation log.

In the future please remember, from a customers point of view this can be very much is a problem with MAAS. I don't understand how not ensuring the clocks are the same help me in this situation.

For cloud-init and curtin here are is the log reported from the deployment. http://pastebin.ubuntu.com/16393095/

In this particular deployment the system successfully deployed, however in the logs we can still see the time stamp being a problem.

Nothing in a normal maas enlistment, commissioning or deployment will automatically set hardware clock. My opinion is that MAAS "owns" the hardware, so anything setting the clock should be done so under its direction. Cloud-init only has heuristic data on what is the right time.

There is work underway to support maas configuring ntp for the systems and that is the right path forward in all cases. We can add support for cloud-init to configure a system for ntp or even to one-time set the system clock via a reference ntp service, but doing so will require maas to *tell* it to do that.

cloud-init does not change the hardware or system clock at all. The messages you see are cloud-init setting the offset that it uses for a timestamp when doing Oauth to maas. cloud-init tries to read an oauth resource, gets a 403 and then tries again with the same credentials but with a timestamp similar to that of the server. That allows cloud-init to continue on and have access to the user-data, but does not update the system clock. (there is an improvement that we need to put in place to this described under bug 1531233 . this issue would come up if systemd sets the clock during boot after cloud-init has read and set its offset).

The dance above is necessary as oauth requires similar timestamps. Basically cloud-init says "well, whatever the server said is the right timestamp is the right timestamp, so go with that". That is cloud-init working around a broken system clock, but it does not do anything to fix the clock.

The errors you see with tar are really just warnings. They would be fixed with a correct system clock, but they do not affect deployment. MAAS should probably direct the system clock just set system clock on every deployment

There are really 2 classes of "bad clock" errors.
a.) system clock has no battery, and resets to Jan 1 1970 on reboot. Thus every boot is bad. I've only ever seen this on arm hardware, and possibly that only actually occurred on pre-release hardware that we got from vendors.

b.) system clock is set wrong but is generally working, possibly losing minutes or even hours in a year. Either timezone is set to local time or the clock has never been set. Setting in enlistment and/or commissioning would be sufficient.

cloud-init's oauth dance is kind of necessary for 'a', and would still be needed after ntp server support is in place as getting to information about the ntp server probably requires oauth.

Thanks for the feedback,

So, If I read this correctly,

1.) MAAS is planning on supporting NTP in the future. (And is probably my only fix at this point? )
2.) Cloud-init setting the offset for Oauth requests is normal (this I understand)
3.) The tar errors are warnings, that should be fixed with a correct system clock.

What defines a correct system clock? arm64 efi platforms have no RTC support, so it's the job of rtc-efi to pass the date/time issued in UEFI -> OS, so far, from my tests and experiments there has been no problems with this handshake on Xenial.

( MAAS should probably direct the system clock just set system clock on every deployment ) -- Was this just a thought or is this something we should bug?

3a, The tar warnings do not affect deployment, however the warnings can take upwards of 5-15 minutes to report on the console, causing the deployment to 'timeout' and thus 'fail' in the 'maas ui'. In addition to these warnings the hardware is experiencing it's own complex slew of bugs that are delaying the deployment another +5/10 minutes or so. which we are working on. So it's just enough to trigger the MAAS UI timeout and flag the node under deployment as "Failed Deployment". I'm not sure what the default wait time is for a deployment or if that can be modified.

4.) I see the (a) version of bad clock errors quite often due to the nature of enablement work.
    (B) I see no evidence that the rtc-efi is misbehaving here.

So What are my options here?
  I will and still am, continuing to work this on my side. I appreciate the assistance thus far.

Adding to to my last comment,

3 the tar warnings do not affect deployment meaning, YES I can access the host after X amount of minutes, once I notice that cloud-init is finished on the console. However, the MAAS UI reports the deployment as failed.

Which is somewhat useless to me when it comes to using JUJU and other tools, unless the timeout can be adjusted beyond the defaults.

Given that serial spew itself can slowdown deployment, would it make sense to add --warning=no-timestamp to the tar extract command?

$ tar -xf noname.tar
tar: noname: time stamp 2016-05-17 12:55:38 is 7140.360712301 s in the future
$ tar --warning=no-timestamp -xf noname.tar
$

Attached is the full deployment log from the host console.

Regardless if the system clock is wrong or not, we should really suppress these tar messages. Here we go.

I've attached 3 files..

First the Maas Console showing the 2 systems deploying , (CVM13 and CVM15) @ timestamp 13:11

May 20 13:11:43 cvm12 maas.node: [INFO] cvm13: Status transition from ALLOCATED to DEPLOYING
May 20 13:11:43 cvm12 maas.power: [INFO] Changing power state (on) of node: cvm13 (4y3h7t)
May 20 13:11:43 cvm12 maas.node: [INFO] cvm15: Status transition from READY to ALLOCATED
May 20 13:11:43 cvm12 maas.node: [INFO] cvm15: allocated to user ubuntu
May 20 13:11:43 cvm12 maas.node: [INFO] cvm15: Status transition from ALLOCATED to DEPLOYING
May 20 13:11:43 cvm12 maas.power: [INFO] Changing power state (on) of node: cvm15 (4y3h7s)

Tar messages took 35 minutes do scroll over the console!!!!!!!!

The Systems did not restart to boot up from the disk until 13:46

( 35 Minutes to initially DEPLOY!!!! )

=> rackd.log <==
2016-05-20 13:46:48-0400 [TFTP (UDP)] Datagram received from ('10.246.48.115', 1051): <RRQDatagram(filename=b'grubaa64.efi', mode=b'octet', options=OrderedDict([(b'tsize', b'0'), (b'blksize', b'2016')]))>
2016-05-20 13:46:48-0400 [-] RemoteOriginReadSession starting on 60862

The deployment finished for CVM13 @ 13:48

(37 Minutes)

==> maas.log <==
May 20 13:48:22 cvm12 maas.node: [INFO] cvm13: Status transition from DEPLOYING to DEPLOYED

cvm15 on the other hand, as seen in the logs, encountered a system problem (Soft Lockup) due to an enablement bug we are working on which delayed the Deployment another +10 minutes. NMI recovered and continued finishing out the deployment.

as a result, MAAS fails the deployment due to timeout:

(+40 Minutes)

==> maas.log <==
May 20 13:52:40 cvm12 maas.node: [ERROR] cvm15: Marking node failed: None
May 20 13:52:40 cvm12 maas.node: [INFO] cvm15: Status transition from DEPLOYING to FAILED_DEPLOYMENT

However as seen in the console logs for CVM15, you can see the deployment does finish and we can access the host as expected.

In a real world scenario, I think we can all come to the agreement that system clocks are not always going to be correct. How Curtin handles this should be more or less system friendly.

I'm proposing
A: Curtin to surpress the tar warning using the flag from Comment #7. (I was going to try this @

Attached are the log files for comment # 9

On Fri, May 20, 2016 at 1:04 PM, Sean Feole <email address hidden>
wrote:

> Regardless if the system clock is wrong or not, we should really
> suppress these tar messages. Here we go.
>

If the clock is set properly no such messages from tar exist.
The message is a clear warning that *something*; namely the clock, is not
correct. Hiding these messages would paper over the underlying issue
of not getting the clock set correctly.

Hiding the messages as a debug option? Sure but suppressing the
warning from tar is something we should not do by default.

>
> In a real world scenario, I think we can all come to the agreement that
> system clocks are not always going to be correct. How Curtin handles
> this should be more or less system friendly.
>
> I'm proposing
> A: Curtin to surpress the tar warning using the flag from Comment #7. (I
> was going to try this @
>

If the clock is wrong, how can we trust other things that happen on the
host?
It's certainly possible that further errors occur on higher levels that
will be
harder to debug. "Well, the node deployed just fine with no errors in MAAS"

Is it a MAAS requirement that the hwclock be correct? Requiring that seems like it will only lead to silent failures when e.g. batteries die. MAAS has code to deal with this in other areas - e.g. cert checking. If we don't trust hosts with bad hwclocks, wouldn't it be better to just abort with a clear message about this requirement? (Just devil's advocating there).

I do agree that hiding warnings isn't ideal - but do we really need a warning for *every file*? That is what is causing us to bottleneck on the console output and surpass the deployment timeout. Perhaps we could pipe output to a warn-once filter or something.

Hi Dann,

No. It is not a requirement for MAAS to have the hwclock in sync. cloud-init would handle the situation to fix the clock skew for oauth, but again, doesn't require the hwclocks to to be in sync. What's being going on the field is that they setup their own internal NTP server, otherwise ubuntu should just automatically reach it if facing the internet.

On Mon, May 23, 2016 at 1:42 PM, dann frazier <email address hidden>
wrote:

> Is it a MAAS requirement that the hwclock be correct? Requiring that
> seems like it will only lead to silent failures when e.g. batteries die.
> MAAS has code to deal with this in other areas - e.g. cert checking. If
> we don't trust hosts with bad hwclocks, wouldn't it be better to just
> abort with a clear message about this requirement? (Just devil's
> advocating there).
>

I would certainly agree with this. That probably ignores the fact that
some folks
are willing to take the risk given hardware that partly works versus none.
This sorta feels like a 'taints support' flag such that in MAAS the machine
is tagged
as unstable-clock and thus bugs on it are to be recreated on hardware
without
such issue.

>
> I do agree that hiding warnings isn't ideal - but do we really need a
> warning for *every file*? That is what is causing us to bottleneck on
> the console output and surpass the deployment timeout. Perhaps we could
> pipe output to a warn-once filter or something.
>

I think it'd be simpler to expose the "silence warning" sort of config
option that
maas could pass to curtin as long as MAAS itself is tracking which nodes
are
using this warning suppression (ie, tagged as unstable, support might
require
reproducing on more stable devices).

>
> --
> You received this bug notification because you are subscribed to curtin.
> Matching subscriptions: curtin-bugs-all
> https://bugs.launchpad.net/bugs/1581553
>
> Title:
> Maas 2.0 Deployment Failing on arm64 , Xenial
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cloud-init/+bug/1581553/+subscriptions
>

On Mon, May 23, 2016 at 4:03 PM, Ryan Harper <email address hidden>
wrote:

>
>
> I think it'd be simpler to expose the "silence warning" sort of config
> option that maas could pass to curtin as long as MAAS itself is tracking
> which nodes
> are using this warning suppression (ie, tagged as unstable, support might
> require reproducing on more stable devices).
>

Some good points brought up here. Any idea whose feathers we could ruffle
to possibly get something rolling, i would be more than happy to offer
testing of this feature.

(Been out on vacation, sorry for the delayed response)

From Comment #15, it sounds like it is a bug if a deployment fails because of a bad hwclock. In those cases, is NTP server access a requirement? (IIRC, feedback from the field is that MAAS works fine w/o NTP - though clock sync is needed for Juju).

Assuming that out-of-sync clock configs (bad hwclock + no NTP access) are supported, I'd prefer not to require users to have to select magic options (e.g. a debug mode) for MAAS to work. One option here is to increase the default timeout, giving the deploy enough time to write all the tar timestamp warnings to the console. From Sean's output, this looks like ~35 minutes for his setup.

However, the user would still have to suffer the extra (~25m?) delay and, further, I don't think any warnings after the first one are adding useful information. So another option would be to run tar's stderr through a filter like the one attached.

$ tar xf ../foobar.tar
tar: foo: time stamp 2016-06-01 23:16:02 is 45189.384620221 s in the future
tar: bar: time stamp 2016-06-01 23:16:02 is 45189.384196257 s in the future
$ tar xf ../foobar.tar 2>&1 | /tmp/warn-once
tar: foo: time stamp 2016-06-01 23:16:02 is 45168.679087452 s in the future
/tmp/warn-once: Suppressing further timestamp warnings to avoid console spew

On Wed, Jun 1, 2016 at 11:56 AM, dann frazier <email address hidden>
wrote:

> (Been out on vacation, sorry for the delayed response)
>
> >From Comment #15, it sounds like it is a bug if a deployment fails
> because of a bad hwclock. In those cases, is NTP server access a
> requirement? (IIRC, feedback from the field is that MAAS works fine w/o
> NTP - though clock sync is needed for Juju).
>
> Assuming that out-of-sync clock configs (bad hwclock + no NTP access)
> are supported, I'd prefer not to require users to have to select magic
>

I think this is the _real_ debate. Just because it works doesn't mean it
should
be supported.

If MAAS agrees that such platform should be supported, and that includes
determining beyond issues with deployment (such as the tar error) that may
occur due to the lack of a stable clock then I would expect we'll have a
more
formal plan to determine how best to stablize the clock prior to
installation
of the tarball and we'll avoid the whole mess in the first place.

> options (e.g. a debug mode) for MAAS to work. One option here is to
> increase the default timeout, giving the deploy enough time to write all
> the tar timestamp warnings to the console. From Sean's output, this
> looks like ~35 minutes for his setup.
>

I don't expect that a hidden/debug option is reasonable for users at all.
That's purely a development option that'd help working with such devices
while MAAS investigates how to stabilize/fix issues with clock.

Another alternative in the meanwhile would be to package up a modified
version of curtin with the filter into a PPA and use that when working with
these platforms until they're stable.

Ryan

On Wed, Jun 1, 2016 at 2:46 PM, Ryan Harper <email address hidden> wrote:
> On Wed, Jun 1, 2016 at 11:56 AM, dann frazier <email address hidden>
> wrote:
>
>> (Been out on vacation, sorry for the delayed response)
>>
>> >From Comment #15, it sounds like it is a bug if a deployment fails
>> because of a bad hwclock. In those cases, is NTP server access a
>> requirement? (IIRC, feedback from the field is that MAAS works fine w/o
>> NTP - though clock sync is needed for Juju).
>>
>> Assuming that out-of-sync clock configs (bad hwclock + no NTP access)
>> are supported, I'd prefer not to require users to have to select magic
>>
>
> I think this is the _real_ debate. Just because it works doesn't mean it
> should
> be supported.

Ryan: Agreed - that's where I'm seeking clarity.

> If MAAS agrees that such platform should be supported, and that includes
> determining beyond issues with deployment (such as the tar error) that may
> occur due to the lack of a stable clock then I would expect we'll have a
> more
> formal plan to determine how best to stablize the clock prior to
> installation
> of the tarball and we'll avoid the whole mess in the first place.
>
>
>> options (e.g. a debug mode) for MAAS to work. One option here is to
>> increase the default timeout, giving the deploy enough time to write all
>> the tar timestamp warnings to the console. From Sean's output, this
>> looks like ~35 minutes for his setup.
>>
>
> I don't expect that a hidden/debug option is reasonable for users at all.
> That's purely a development option that'd help working with such devices
> while MAAS investigates how to stabilize/fix issues with clock.
>
> Another alternative in the meanwhile would be to package up a modified
> version of curtin with the filter into a PPA and use that when working with
> these platforms until they're stable.

I don't see how platform stability comes into play here. The issue is
simply that
any hardware clock may not be valid, and NTP may not be accessible. It isn't
specific to this platform or architecture.

For our testing purposes, we can hack around this by setting an accurate
hwclock or obtaining NTP access - but my goal here is to prevent users
from hitting this and not knowing how to proceed.

I'd prefer to either resolve this by dealing with this use case, or by
clearly documenting
that it is not supported, and that you must have either valid hwclocks
or access to an
NTP server.

[ We do have a blurb in the docs about how bad hwclocks may cause oauth to fail:
  http://maas.ubuntu.com/docs/troubleshooting.html?highlight=clock#nodes-hang-on-commissioning)
but that's a different problem with different symptoms that appears to
be resolved. ]

On Wed, Jun 1, 2016 at 4:39 PM, dann frazier <email address hidden>
wrote:

> On Wed, Jun 1, 2016 at 2:46 PM, Ryan Harper <email address hidden>
> wrote:
> > On Wed, Jun 1, 2016 at 11:56 AM, dann frazier <
> <email address hidden>>
> > wrote:
> >
> >> (Been out on vacation, sorry for the delayed response)
> >>
> >> >From Comment #15, it sounds like it is a bug if a deployment fails
> >> because of a bad hwclock. In those cases, is NTP server access a
> >> requirement? (IIRC, feedback from the field is that MAAS works fine w/o
> >> NTP - though clock sync is needed for Juju).
> >>
> >> Assuming that out-of-sync clock configs (bad hwclock + no NTP access)
> >> are supported, I'd prefer not to require users to have to select magic
> >>
> >
> > I think this is the _real_ debate. Just because it works doesn't mean it
> > should
> > be supported.
>
> Ryan: Agreed - that's where I'm seeking clarity.
>

Cool

>
> > If MAAS agrees that such platform should be supported, and that includes
> > determining beyond issues with deployment (such as the tar error) that
> may
> > occur due to the lack of a stable clock then I would expect we'll have a
> > more
> > formal plan to determine how best to stablize the clock prior to
> > installation
> > of the tarball and we'll avoid the whole mess in the first place.
> >
> >
> >> options (e.g. a debug mode) for MAAS to work. One option here is to
> >> increase the default timeout, giving the deploy enough time to write all
> >> the tar timestamp warnings to the console. From Sean's output, this
> >> looks like ~35 minutes for his setup.
> >>
> >
> > I don't expect that a hidden/debug option is reasonable for users at all.
> > That's purely a development option that'd help working with such devices
> > while MAAS investigates how to stabilize/fix issues with clock.
> >
> > Another alternative in the meanwhile would be to package up a modified
> > version of curtin with the filter into a PPA and use that when working
> with
> > these platforms until they're stable.
>
> I don't see how platform stability comes into play here. The issue is
> simply that
> any hardware clock may not be valid, and NTP may not be accessible. It
> isn't
> specific to this platform or architecture.
>

IMO, having a valid hwclock is part and parcel to having a stable platform.
Literally if the platform had a valid hwclock we wouldn't have this thread
at all,
one would not see the tar warnings and the slow deployment.

>
> For our testing purposes, we can hack around this by setting an accurate
> hwclock or obtaining NTP access - but my goal here is to prevent users
> from hitting this and not knowing how to proceed.
>

> I'd prefer to either resolve this by dealing with this use case, or by
> clearly documenting
> that it is not supported, and that you must have either valid hwclocks
> or access to an
> NTP server.
>

Full agreement here. IMO, without a clear path to handle these situations
I think documentation that working hwclocks across reboots and access to
NTP are requirements. And a section in Troubleshooting or the like that
specifically references
the tar warning as common indicator of missing requirements (st...