Chronyd snap is unable to set time on system clock

Hi,

I’m creating snap for chrony 3.5.1.
I have successfully created snap in “devmode” and is working fine.
While switching from “Devmode” to “strict” mode it’s quite difficult.

Actually, Snap building in “strict” mode is done.
While installing it, I’m facing permission regarding time adjustment.

snapcraft.yaml is look like:

name: chronyd # you probably want to 'snapcraft register ’
base: core18 # the base snap is the execution environment for this snap
version: ‘3.5.1’ # just for humans, typically ‘1.2+git’ or ‘1.3.2’
summary: chronyd snap # 79 char long summary
description: |
Learning snapping with chronyd.

grade: stable # must be ‘stable’ to release into candidate/stable channels
confinement: strict # use ‘strict’ once you have the right plugs and slots

apps:

chronyd:
command: bin/chronyd -f $SNAP_DATA/etc/chrony.conf
daemon: forking
restart-condition: always
plugs:
- network
- network-bind
- time-control
- timeserver-control
- timezone-control

chronyc:
command: bin/chronyc

parts:
chronyd-defaults:
plugin: dump
source: conf
organize:
chrony.conf: etc/chrony.conf

chronyd:
source: https://download.tuxfamily.org/chrony/chrony-3.5.1.tar.gz
plugin: autotools
build-packages: [ asciidoctor ]
organize:
usr/local/sbin/chronyd: bin/chronyd
usr/local/bin/chronyc: bin/chronyc

snap version :

snap 2.48.2
snapd 2.48.2
series 16
ubuntu 18.04
kernel 5.4.0-58-generic

snapcraft version:

snapcraft, version 4.4.4

While installing in strict mode below error :

error: cannot perform the following tasks:

  • Start snap “chronyd” (unset) services ([start snap.chronyd.chronyd.service] failed with exit status 1: Job for snap.chronyd.chronyd.service failed because the control process exited with error code.
    See “systemctl status snap.chronyd.chronyd.service” and “journalctl -xe” for details.
    )

Journalctl -xe command o/p:

– Unit snap.chronyd.chronyd.service has begun starting up.
Jan 11 11:21:48 User chronyd[15042]: chronyd version 3.5.1 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SIGND +ASYNCDNS -SECHASH +IPV6 -DEBUG)
Jan 11 11:21:48 User kernel: kauditd_printk_skb: 2 callbacks suppressed
Jan 11 11:21:48 User kernel: audit: type=1326 audit(1610344308.783:1237): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=15042 comm=“chronyd” exe="/snap/chronyd/x1/bin/chronyd" sig=0 arch=c000003e sysc
Jan 11 11:21:48 User audit[15042]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=15042 comm=“chronyd” exe="/snap/chronyd/x1/bin/chronyd" sig=0 arch=c000003e syscall=159 compat=0 ip=0x7fc220709
Jan 11 11:21:48 User systemd[1]: snap.chronyd.chronyd.service: Control process exited, code=exited status=1
Jan 11 11:21:48 User chronyd.chronyd[15018]: adjtimex(0x8001) failed : Operation not permitted
Jan 11 11:21:48 User chronyd[15042]: Wrong permissions on /var/snap/chronyd/current/run
Jan 11 11:21:48 User systemd[1]: snap.chronyd.chronyd.service: Failed with result ‘exit-code’.
Jan 11 11:21:48 User chronyd[15042]: Disabled command socket /var/snap/chronyd/current/run/chrony.sock
Jan 11 11:21:48 User systemd[1]: Failed to start Service for snap application chronyd.chronyd.
– Subject: Unit snap.chronyd.chronyd.service has failed
– Defined-By: systemd
– Support: http://www.ubuntu.com/support

– Unit snap.chronyd.chronyd.service has failed.

– The result is RESULT.
Jan 11 11:21:48 User chronyd[15042]: Fatal error : adjtimex(0x8001) failed : Operation not permitted
Jan 11 11:21:48 User systemd[1]: Stopped Service for snap application chronyd.chronyd.
– Subject: Unit snap.chronyd.chronyd.service has finished shutting down
– Defined-By: systemd
– Support: http://www.ubuntu.com/support

It seems like chronyd service tries to adjust time on system clock but as strict confined snap doesn’t have permission.

snappy-debug.security scanlog o/p:

User@User:~/User/Chrony$ snappy-debug.security scanlog
INFO: Following ‘/var/log/syslog’. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= Seccomp =
Time: Jan 11 11:45:43
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=15981 comm=“chronyd” exe="/snap/chronyd/x1/bin/chronyd" sig=0 arch=c000003e 159(adjtimex) compat=0 ip=0x7fa930a7bf57 code=0x50000
Syscall: adjtimex
Suggestion:

  • add ‘time-control’ to ‘plugs’

Scanlog is showing, need to add ‘time-control’ plugs.But i have already added it in snapcraft.yaml.

Any suggestion and help is appreciated.
Thanks in advance.

@ogra
I have seen you have helped many people in this forum.
Please guide me if you have any suggestion.

Thanks

Did you connect the time-control interface (it is not automatically connected)? Eg snap connect chronyd:time-control. You can check with snap connections chronyd.

@jdstrand

Thanks for reply… I’m eagerly waiting reply.
Actually, to connect with time-control interface it should be installed right?

But at the time of installation, it’s failing.
And throwing errors via ‘journalctl -xe’, which I have already mentioned.

Is it possible to auto-connect time-control at the time of installation?

It is not possible to connect at the time of installation at this time. If the service fails to start then the snap will fail to install. You can solve this in a number of ways. Some people will temporarily remove daemon: ... from the snap.yaml for the command (in your case, chronyd) which turns the service into a command and allow the snap to install, then after the interfaces are connected can run the command under sudo. Others choose to create a small wrapper and use snapctl is-connected <interface> (for you, snapctl is-connected time-control) and conditionally start the daemon if the interfaces are setup.