Install time-daemon with NTS support by default

Bug #2111342 reported by Lukas Märdian
Affects                            Status        Importance  Assigned to     Milestone
Ubuntu                             Fix Released  Undecided   Lukas Märdian
chrony (Ubuntu)                    Fix Released  Undecided   Lukas Märdian
systemd (Ubuntu)                   Invalid       Undecided   Unassigned
ubuntu-meta (Ubuntu)               Fix Released  Undecided   Lukas Märdian
ubuntu-release-upgrader (Ubuntu)   Deferred      Undecided   Unassigned

Bug Description

Ubuntu shall be secure by default and should therefore utilize Network Time Security (NTS), as time is the trust anchor for many cryptography-related processes (e.g. certificate validity).

NTS was previously enabled in chrony (LP: #2084585) and comes pre-installed in certain Ubuntu cloud images. Still, in Ubuntu Desktop/Server and other generic Ubuntu images we rely on systemd-timesyncd (without support for NTS [1]). This leads to a situation where we have to maintain two time-daemons in "main", while still not using NTS on most systems.

[1] https://github.com/systemd/systemd/issues/9481

References: spec-FO207, SD-2171, chrony MIR (LP: #1744072)

Lukas Märdian (slyon)
description: updated
description: updated
Revision history for this message
Lukas Märdian (slyon) wrote (last edit ):

The current plan looks like this:

0/ Testing can happen already, by switching to "chrony" manually
   => apt install chrony && apt-mark auto chrony # will remove systemd-timesyncd

1/ Get the seed changes landed in "platform:minimal" and "ubuntu:cloud-minimal"
   => seeding "chrony | time-daemon", to allow for switching of NTP stack, e.g. by installing systemd-timesyncd (also in "main").

   => Give germinate some time to regenerate its outputs and sync to the mirrors.

2/ Update "ubuntu-meta", by running the ./update script and dput to the archive, deploying the seed changes from (1) to the "ubuntu-minimal" and "ubuntu-cloud-minimal" meta packages.

3/ Update systemd, to drop "Recommends: systemd-timesyncd", just keeping "time-daemon".
   => We can potentially avoid this delta, as the ubuntu-meta "Depends: chrony | time-daemon" should overrule systemd's "Recommends: systemd-timesyncd | time-daemon".

4/ At this point new installations/images should come pre-installed with chrony (not sd-timesyncd).
   => People can manually switch back by calling "apt-mark auto chrony && apt install systemd-timesyncd"

5/ Implement transition logic in ubuntu-release-upgrader to remove systemd-timesyncd from upgrading system, replacing it with chrony.
    => To make upgraded systems behave the same as new installations.
    => People can still manually switch back to any other "time-daemon" as described in (4).

6/ Update docs and release notes.

Revision history for this message
Lukas Märdian (slyon) wrote :

Installing chrony in a minimal chroot will grow image size by 803kB.

"""
$ sudo debootstrap questing qq
$ sudo chroot qq

# apt-mark auto systemd-timesyncd
# apt install chrony
Installing:
  chrony

Installing dependencies:
  libedit2

Suggested packages:
  dnsutils

REMOVING:
  systemd-timesyncd

Summary:
  Upgrading: 0, Installing: 2, Removing: 1, Not Upgrading: 0
  Download size: 470 kB
  Space needed: 803 kB / 73.1 GB available
"""

Revision history for this message
Lukas Märdian (slyon) wrote (last edit ):

We might consider adding a "ConditionVirtualization=!container" to chrony.service (as suggested by @sdeziel), to avoid running it in containers, as has been done with systemd-timesyncd in the past. See bug #2111535

Revision history for this message
Alessandro Astone (aleasto) wrote :

I've installed chrony on my plucky system to give it an early test.

I've noticed in my system journal this message getting logged every 2 seconds:

  Could not connect to [2620:2d:4002:1::3123]:4460 (4.ntp.ubuntu.com)

Indeed I do not have an ipv6, so that makes sense. However it's unclear whether chrony is then falling back to ipv4 or if it's getting blocked on failing to use ipv6.

`resolvectl query 4.ntp.ubuntu.com` shows:

  4.ntp.ubuntu.com: 2620:2d:4002:1::3123 -- link: wlp1s0
                    91.189.91.113 -- link: wlp1s0

Lukas Märdian (slyon)
Changed in ubuntu:
status: New → Fix Committed
Revision history for this message
Lukas Märdian (slyon) wrote :

The seeds are not picking up the dependency for ubuntu-minimal... Running the ./update script of "ubuntu-meta" gives this warning for all the architectures:

> "minimal/amd64": Skipping package chrony (package not in debootstrap)

We need to bump chrony to "Priority: important" to get it pulled in by default in debootstrap and make "germinate-update-metapackage" happy. At the same time we need to demote systemd-timesyncd to "Priority: optional", as we cannot have two "Priority: standard" (or above) packages conflicting on each other.
Currently, sd-timesyncd is overridden as "Priority: important" [1, 2].

Chrony is already showing up in priority-mismatches (for all architectures), as the "minimal" seed change landed. [3]

As a quick smoke test of those priority changes, this command succeeds, while it fails when we don't "--exclude=systemd-timesyncd" (because we cannot have conflicting "Priority: standard" or above packages in the base installation):

# debootstrap --include=chrony --exclude=systemd-timesyncd questing qq

[1] https://www.debian.org/doc/debian-policy/ch-archive.html#priorities
[2] https://archive.ubuntu.com/ubuntu/indices/override.questing.main
[3] https://ubuntu-archive-team.ubuntu.com/priority-mismatches.html
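The priority rule discussed in the comment above (two packages at "Priority: standard" or higher must not conflict, because debootstrap installs all of them into the base system) can be checked mechanically over Packages metadata. This is an added example, not part of the bug report or of the Ubuntu archive tooling; the stanzas are constructed and only the Package, Priority, Provides and Conflicts fields are considered.

```python
import re

# Debian policy priorities, lowest to highest ("extra" is the deprecated
# name still shown by change-override above).
PRIORITY_RANK = {"extra": 0, "optional": 1, "standard": 2, "important": 3, "required": 4}

# Constructed Packages-style stanzas mirroring the situation in this bug:
# both time daemons provide and conflict on the virtual package time-daemon.
SAMPLE_PACKAGES = """\
Package: chrony
Priority: important
Provides: time-daemon
Conflicts: time-daemon

Package: systemd-timesyncd
Priority: important
Provides: time-daemon
Conflicts: time-daemon

Package: libedit2
Priority: optional
"""

def parse_stanzas(text):
    """Parse blank-line separated stanzas into dicts (field -> value)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def split_list(value):
    """Split a comma-separated relationship field, dropping version constraints."""
    return [re.sub(r"\s*\(.*\)", "", p).strip() for p in value.split(",") if p.strip()]

def base_conflicts(text, floor="standard"):
    """Return sorted (a, b) pairs of packages at >= floor priority that conflict,
    directly or via a virtual package one provides and the other conflicts on."""
    pkgs = [s for s in parse_stanzas(text)
            if PRIORITY_RANK.get(s.get("Priority", "optional"), 0) >= PRIORITY_RANK[floor]]
    providers = {}
    for s in pkgs:
        for name in split_list(s.get("Provides", "")) + [s["Package"]]:
            providers.setdefault(name, set()).add(s["Package"])
    found = set()
    for s in pkgs:
        for c in split_list(s.get("Conflicts", "")):
            for other in providers.get(c, ()):
                if other != s["Package"]:  # a package never conflicts with itself
                    found.add(tuple(sorted((s["Package"], other))))
    return sorted(found)
```

With both daemons at "important" the checker reports the chrony/systemd-timesyncd pair; demoting systemd-timesyncd to "optional", as done later in this bug, clears it.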

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Agreed, and thanks for the clarifying discussion.
I had to unblock a currently moving systemd 257.6-1ubuntu1 in the NEW queue first (synced with Nick, accepted now), once all of it is in proposed I can resolve the priorities on this one.

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Systemd is now fully published, deprioritizing release and proposed of questing

./change-override --priority optional -s questing systemd-timesyncd
Override priority to optional
systemd-timesyncd 257.4-1ubuntu3 in questing amd64: main/admin/important/100% -> optional
systemd-timesyncd 257.4-1ubuntu3 in questing arm64: main/admin/important/100% -> optional
systemd-timesyncd 257.4-1ubuntu3 in questing armhf: main/admin/important/100% -> optional
systemd-timesyncd 257.4-1ubuntu3 in questing i386: main/admin/important/100% -> optional
systemd-timesyncd 257.4-1ubuntu3 in questing ppc64el: main/admin/important/100% -> optional
systemd-timesyncd 257.4-1ubuntu3 in questing riscv64: main/admin/important/100% -> optional
systemd-timesyncd 257.4-1ubuntu3 in questing s390x: main/admin/important/100% -> optional
Override [y|N]? y
7 publications overridden.
./change-override --priority optional -s questing-proposed systemd-timesyncd
Override priority to optional
systemd-timesyncd 257.6-1ubuntu1 in questing amd64: main/admin/important/100% -> optional
systemd-timesyncd 257.6-1ubuntu1 in questing arm64: main/admin/important/100% -> optional
systemd-timesyncd 257.6-1ubuntu1 in questing armhf: main/admin/important/100% -> optional
systemd-timesyncd 257.6-1ubuntu1 in questing i386: main/admin/important/100% -> optional
systemd-timesyncd 257.6-1ubuntu1 in questing ppc64el: main/admin/important/100% -> optional
systemd-timesyncd 257.6-1ubuntu1 in questing riscv64: main/admin/important/100% -> optional
systemd-timesyncd 257.6-1ubuntu1 in questing s390x: main/admin/important/100% -> optional
Override [y|N]? y
7 publications overridden.

And then pushing chrony up

./change-override --priority important -s questing chrony
Override priority to important
chrony 4.6.1-1ubuntu1 in questing amd64: main/admin/extra/100% -> important
chrony 4.6.1-1ubuntu1 in questing arm64: main/admin/extra/100% -> important
chrony 4.6.1-1ubuntu1 in questing armhf: main/admin/extra/100% -> important
chrony 4.6.1-1ubuntu1 in questing ppc64el: main/admin/extra/100% -> important
chrony 4.6.1-1ubuntu1 in questing riscv64: main/admin/extra/100% -> important
chrony 4.6.1-1ubuntu1 in questing s390x: main/admin/extra/100% -> important
Override [y|N]? y
6 publications overridden.

Lukas Märdian (slyon)
Changed in ubuntu-meta (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Changed in ubuntu:
assignee: nobody → Lukas Märdian (slyon)
Changed in ubuntu-meta (Ubuntu):
status: New → In Progress
Revision history for this message
Lukas Märdian (slyon) wrote :

Uploaded ubuntu-meta with the seed changes: https://launchpad.net/ubuntu/+source/ubuntu-meta/1.550

Changed in ubuntu-meta (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Lukas Märdian (slyon) wrote :

For ubuntu-release-upgrader, we might need to add "PostUpgradeInstall=chrony" to data/DistUpgrade.cfg in order to align upgraded systems with new installations of 25.10+. Or alternatively implement a custom quirk in DistUpgradeQuirks.py that marks systemd-timesyncd as auto-installed and pulls in chrony on upgrade. Perhaps after checking that no other time daemon is used and only migrate to chrony if systemd-timesyncd is in use.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-meta - 1.550

---------------
ubuntu-meta (1.550) questing; urgency=medium

  * Refreshed dependencies
  * Added chrony | time-daemon to cloud-minimal, minimal (LP: #2111342)
  * Removed systemd-timesyncd | time-daemon from cloud-minimal
  * Added raspi-utils to desktop-raspi [arm64 armhf], server-raspi
    [arm64 armhf]
  * Removed libraspberrypi-bin from desktop-raspi [arm64 armhf], server-
    raspi [arm64 armhf]
  * Removed initramfs-tools | dracut from desktop-minimal-recommends,
    desktop-recommends

 -- Lukas Märdian <email address hidden> Tue, 03 Jun 2025 09:05:19 +0200

Changed in ubuntu-meta (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Lukas Märdian (slyon) wrote (last edit ):

For now we will keep upgraded systems on systemd-timesyncd. Those can be transitioned to chrony + NTS using (as mentioned in the Questing release notes):

$ apt-mark auto systemd-timesyncd && apt install chrony

Changed in systemd (Ubuntu):
status: New → Invalid
Changed in ubuntu:
status: Fix Committed → Fix Released
Changed in ubuntu-release-upgrader (Ubuntu):
status: New → Deferred
Revision history for this message
Nick Rosbrook (enr0n) wrote :

What's the reasoning for that decision? We have a best-effort goal that this sort of behavior/default should be consistent across newly-installed *and* upgraded systems. Is there a limitation or specific risk involved in making this transition across upgrades?

Lukas Märdian (slyon)
Changed in chrony (Ubuntu):
status: New → Fix Committed
assignee: nobody → Lukas Märdian (slyon)
Revision history for this message
Lukas Märdian (slyon) wrote :

@enr0n, yes there is the specific risk of breaking time synchronization due to the need for an additional NTS/KE (4460/tcp) port, that might not be accessible everywhere. We want to play this safe and rather give it a cycle where chrony/NTS is only enabled on new installations. Especially, as systemd-timesyncd remains in "main" and is therefore still supported.

We're considering implementing the full, automatic upgrade path to NTS time synchronization in a following cycle, as tracked in SD-2377.

The risk and (manual) upgrade path is described in the Questing release notes: https://discourse.ubuntu.com/t/questing-quokka-release-notes/59220#p-151948-chrony
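The risk named above is that NTS-KE (4460/tcp) may be blocked, leaving a migrated system configured for NTS but never authenticating. A post-migration check can read the table printed by "chronyc -N authdata" and flag sources whose key exchange has not completed. This is an added example, not part of the bug report or of chrony; the sample output is constructed, and the column layout (Mode, Atmp, NAK, Cook) is assumed to match chrony 4.x, with a non-zero cookie count taken as evidence of a successful key exchange.

```python
# Constructed sample in the shape of "chronyc -N authdata" output.
SAMPLE_AUTHDATA = """\
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
a.ntp.example.net            NTS     1   15  256  135    0    0    8  100
b.ntp.example.net            NTS     0    0    0    -    5    0    0    0
ntp.corp.example                -     0    0    0    -    0    0    0    0
"""

def parse_authdata(text):
    """Parse authdata rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10 or line.startswith("="):
            continue
        rows.append({
            "source": parts[0],
            "mode": parts[1],            # NTS, SK (symmetric key) or "-"
            "attempts": int(parts[6]),   # NTS-KE attempts since last success
            "nak": int(parts[7]),        # NTS NAKs received from the server
            "cookies": int(parts[8]),    # cookies held; 0 means no usable NTS state
        })
    return rows

def classify(row):
    """Map one source to its authentication state."""
    if row["mode"] == "NTS" and row["cookies"] > 0:
        return "authenticated"
    if row["mode"] == "NTS":
        # Configured for NTS, but key exchange never completed (e.g. 4460/tcp blocked).
        return "nts-ke-failing"
    return "unauthenticated"

def nts_report(text):
    """Return {source: state} for every source in the authdata output."""
    return {r["source"]: classify(r) for r in parse_authdata(text)}

def all_authenticated(text):
    """True only when every configured source is NTS-authenticated."""
    states = nts_report(text).values()
    return bool(states) and all(s == "authenticated" for s in states)
```

A failing source with growing "attempts" and zero cookies is the signature of the blocked NTS-KE port; an "unauthenticated" source is one not configured with the nts option at all.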

Lukas Märdian (slyon)
Changed in chrony (Ubuntu):
status: Fix Committed → Fix Released