Could not open socket /var/run/timemaster/chrony.SOCK0

Bug #2032805 reported by Patrik Lundquist
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
chrony (Ubuntu) | Fix Released | Medium | Bryce Harrington |
linuxptp (Ubuntu) | Fix Released | Low | Bryce Harrington |

Bug Description

After updating from lunar to mantic and from linuxptp 3.1.1-4 to 4.0-1 timemaster.service fails to start because of apparmor.

[ 2096.796432] ptp ptp0: new virtual clock ptp1
[ 2096.796442] ptp ptp0: guarantee physical clock free running
[ 2096.808229] audit: type=1400 audit(1692795422.931:135): apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.SOCK0" pid=16068 comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2096.810293] ptp ptp0: delete virtual clock ptp1
[ 2096.824806] ptp ptp0: only physical clock in use now

Adding the line below to /etc/apparmor.d/local/usr.sbin.chronyd solves the problem:
 /{,var/}run/timemaster/chrony.SOCK0 rw,

I am not sure it is the proper solution.

ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: linuxptp 4.0-1
ProcVersionSignature: Ubuntu 6.2.0-27.28-generic 6.2.15
Uname: Linux 6.2.0-27-generic x86_64
ApportVersion: 2.27.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: GNOME
Date: Wed Aug 23 15:13:22 2023
SourcePackage: linuxptp
UpgradeStatus: Upgraded to mantic on 2023-08-23 (0 days ago)
modified.conffile..etc.linuxptp.timemaster.conf: [modified]
mtime.conffile..etc.linuxptp.timemaster.conf: 2023-08-21T15:56:35.408264

Christian Ehrhardt  (paelzer) wrote :

Thanks for the ping on this @ahresse !
Yes, this should be very similar to the old fix in bug 1771028

It is essentially yet another "chrony works with something else" use case.
There is a section for that in the chrony apparmor rules and we should indeed add the known default paths (like this) to be allowed.

And this is such a default path, from the man page:
rundir - Specify the directory where should be generated chronyd, ntpd and ptp4l configuration files and sockets. The directory will be created if it doesn't exist. The default value is /var/run/timemaster.
So on this we might even want to allow to read all sub-elements, including the generated config.
But RW for the socket.

But furthermore while touching it, in addition to the one reported I also see in the ptp4l
refclock_sock_address - The address of the UNIX domain socket to be used by the refclock_sock servo. The default is /var/run/refclock.ptp.sock
So we should allow that path as well.

For chrony my proposal that - once agreed - we need to pick up would seem like

diff --git a/debian/usr.sbin.chronyd b/debian/usr.sbin.chronyd
index bc52d4f7..e64edc90 100644
--- a/debian/usr.sbin.chronyd
+++ b/debian/usr.sbin.chronyd
@@ -62,6 +62,13 @@ abi <abi/3.0>,
   @{run}/chrony.*.sock rw,
   # To sign replies to MS-SNTP clients by the smbd daemon
   /var/lib/samba/ntp_signd/socket rw,
+ # default path of the sock to sync with ptp4l
+ @{run}/refclock.ptp.sock rw,
+ # timemaster directory of chronyd, ... configuration files and sockets.
+ # read for all configs
+ @{run}/timemaster/* r,
+ # rw for coodination via the default socket path
+ @{run}/timemaster/chrony.SOCK0 rw,

   # rtc
   /etc/adjtime r,
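
Review bot: The rw rule on the last added line names only `@{run}/timemaster/chrony.SOCK0`, so any other socket created in that directory falls under the read-only `@{run}/timemaster/* r,` rule and chronyd cannot create it; a later comment in this report shows that failure for chrony.SOCK1. Consider a glob such as `@{run}/timemaster/chrony.SOCK[0-9]* rw,`, as suggested there. There is also a typo in the added comment: "coodination" should be "coordination".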

Christian Ehrhardt  (paelzer) wrote :

While the above is needed to change chrony, I further found that timemaster also has an issue in the default config.

debian/timemaster.conf:14:[chrony.conf]
debian/timemaster.conf:15:include /etc/chrony.conf

That causes the default to behave like:
Mar 22 07:03:49 n chronyd[50428]: Fatal error : Could not open /etc/chrony.conf : No such file or directory
Mar 22 07:03:49 n timemaster[50428]: Fatal error : Could not open /etc/chrony.conf : No such file or directory
Mar 22 07:03:49 n timemaster[50427]: [5186982.753] process 50428 terminated with status 1

And this is due to the chrony config itself for ages (since 1.24-1 AFAICS) being in
root@n:~# ll /etc/chrony/chrony.conf
-rw-r--r-- 1 root root 2230 Dec 11 21:17 /etc/chrony/chrony.conf

So there we might want to land a change like
diff --git a/debian/timemaster.conf b/debian/timemaster.conf
index fd8e77e..4a3e1c1 100644
--- a/debian/timemaster.conf
+++ b/debian/timemaster.conf
@@ -12,7 +12,7 @@
 ntp_program chronyd

 [chrony.conf]
-include /etc/chrony.conf
+include /etc/chrony/chrony.conf

 [ntp.conf]
 includefile /etc/ntp.conf
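
Review bot: Only the `[chrony.conf]` include is corrected; the context line `includefile /etc/ntp.conf` under `[ntp.conf]` hard-codes a path in the same way and is worth checking against where the packaged ntp configuration actually lives before this lands. Since a missing include is fatal for the spawned daemon (see the "Could not open /etc/chrony.conf" log above), both default paths should be verified on a clean install.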

What do others think?
Maybe Patrik has changed that on the initial setup, or happens to know why it is not needed?

Changed in chrony (Ubuntu):
status: New → Triaged
Changed in linuxptp (Ubuntu):
status: New → Confirmed
tags: added: server-todo
Patrik Lundquist (patrik-lundquist) wrote :

I corrected /etc/chrony/chrony.conf in timemaster.conf years ago but forgot to file a bug. It is still needed.

Bryce Harrington (bryce) wrote :

Agreed with Christian's suggested changes to fix in noble, and worth prioritizing for getting in before final freeze.

It sounds like an SRU at least for mantic would be appropriate, however I wonder if the fix should be limited to just what is directly reproducible for this specific issue. But I'll leave that to decide later.

Changed in chrony (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
Changed in linuxptp (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
Changed in chrony (Ubuntu):
importance: Undecided → Medium
Changed in linuxptp (Ubuntu):
importance: Undecided → Low
Bryce Harrington (bryce)
Changed in chrony (Ubuntu):
status: Triaged → In Progress
Changed in linuxptp (Ubuntu):
status: Confirmed → In Progress
Bryce Harrington (bryce) wrote :

Hi Patrik,

I've packaged up the fixes Christian suggested and posted to this PPA:

    https://launchpad.net/~bryce/+archive/ubuntu/chrony-fix-lp2032805

Once the packages have finished building, I would appreciate it if you could verify this fixes the issues you've encountered, if you're able to run a noble system (e.g. in a LXD container or VM, or similar).

tags: added: noble
Patrik Lundquist (patrik-lundquist) wrote :

Bryce, your fixes work fine in my VM. Thanks!

Bryce Harrington (bryce) wrote :

Hi Patrik, thanks for the quick response on the testing!

I've proceeded with uploading these fixes to both chrony and linuxptp for noble. They're in the unapproved queue currently, as things are frozen for beta release, but hopefully should go in post-beta and be included in the final LTS release.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linuxptp - 4.0-1ubuntu1

---------------
linuxptp (4.0-1ubuntu1) noble; urgency=medium

  * d/timemaster.conf: Fix path to chrony.conf.
    (LP: #2032805)

 -- Bryce Harrington <email address hidden> Mon, 01 Apr 2024 18:42:08 -0700

Changed in linuxptp (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chrony - 4.5-1ubuntu4

---------------
chrony (4.5-1ubuntu4) noble; urgency=medium

  * d/usr.sbin.chronyd: Fix failure to start timemaster due to lack
    of rw permissions on chrony socket.
    (LP: #2032805)
  * d/usr.sbin.chronyd: Allow the default UNIX domain socket address
    to be used by the reflock_sock service in the Apport configuration.
    (ref LP #2032805)

 -- Bryce Harrington <email address hidden> Mon, 01 Apr 2024 18:28:32 -0700

Changed in chrony (Ubuntu):
status: In Progress → Fix Released
Kenneth Klette Jonassen (knneth) wrote :

The AppArmor permissions fix for chrony sockets was too specific to support more than one active PTP instance. chronyd fails to open a second socket:
   chronyd[35626]: Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1

Suggested fix is replacing the following line in /etc/apparmor.d/usr.sbin.chronyd:
  @{run}/timemaster/chrony.SOCK0 rw,
with:
  @{run}/timemaster/chrony.SOCK[0-9]* rw,
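
Added example (not part of the bug thread or of either package): a Python check that replays AppArmor DENIED records against candidate file rules, showing why the `chrony.SOCK0` rule leaves `chrony.SOCK1` denied while the `chrony.SOCK[0-9]*` glob covers both. Assumptions: only the glob forms `**`, `*`, `?` and `[...]` are translated, `@{run}` is taken to expand to `/run` and `/var/run`, the create mask `c` is treated as needing `w`, and the second log line is constructed.

```python
import re

# First record is modelled on the one in the bug description; the second is constructed.
SAMPLE_LOG = """\
audit: type=1400 audit(1692795422.931:135): apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.SOCK0" pid=16068 comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.000:136): apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.SOCK1" pid=16070 comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""
RUN_DIRS = ("/run", "/var/run")  # assumed expansion of the @{run} tunable
PROPOSED = [("@{run}/timemaster/*", "r"), ("@{run}/timemaster/chrony.SOCK0", "rw")]
SUGGESTED = [("@{run}/timemaster/*", "r"), ("@{run}/timemaster/chrony.SOCK[0-9]*", "rw")]

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here (**, *, ?, [...]) to a regex."""
    tokens = re.findall(r"\*\*|\*|\?|\[[^\]]+\]|.", glob)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = [t if len(t) > 1 and t[0] == "[" else table.get(t, re.escape(t)) for t in tokens]
    return re.compile("".join(parts) + r"\Z")

def compile_rules(rules):
    """Expand @{run} in each (glob, perms) rule and compile the result."""
    return [(glob_to_regex(glob.replace("@{run}", d)), perms)
            for glob, perms in rules for d in RUN_DIRS]

def parse_denials(log):
    """Yield (profile, path, denied_mask) for each AppArmor DENIED record."""
    for line in log.splitlines():
        if 'apparmor="DENIED"' in line:
            f = dict(re.findall(r'(\w+)="([^"]*)"', line))
            yield f["profile"], f["name"], f["denied_mask"]

def still_denied(log, rules):
    """Return the denied paths that the given rules would still not grant."""
    compiled = compile_rules(rules)
    need = {"c": "w", "d": "w", "a": "w", "w": "w", "r": "r"}  # simplified mask mapping
    missing = []
    for _profile, path, mask in parse_denials(log):
        granted = {p for rx, perms in compiled if rx.match(path) for p in perms}
        if any(need.get(m, m) not in granted for m in mask):
            missing.append(path)
    return missing

if __name__ == "__main__":
    print("SOCK0-only rule leaves denied:", still_denied(SAMPLE_LOG, PROPOSED))
    print("SOCK[0-9]* rule leaves denied:", still_denied(SAMPLE_LOG, SUGGESTED))
```

The audit records carry the resolved `/run/...` path even though chronyd reports `/var/run/...`, which is why the rules are written with `@{run}`.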

Bryce Harrington (bryce) wrote :

Hi Kenneth, thanks for your note about that.

Would you mind filing a new bug report for that improvement? If possible, please describe your PTP setup in case we have trouble reproducing the issue.

Kenneth Klette Jonassen (knneth) wrote :

Hi Bryce,

Filed a new bug #2068526 with steps to reproduce. Thanks.
