Hi,
I’m creating a snap for chrony 3.5.1.
I have successfully created the snap in “devmode” and it is working fine.
Switching from “devmode” to “strict” mode is quite difficult.
Actually, building the snap in “strict” mode is done.
While installing it, I’m facing a permission problem regarding time adjustment.
snapcraft.yaml looks like:
```yaml
name: chronyd # you probably want to 'snapcraft register <name>'
base: core18 # the base snap is the execution environment for this snap
version: '3.5.1' # just for humans, typically '1.2+git' or '1.3.2'
summary: chronyd snap # 79 char long summary
description: |
  Learning snapping with chronyd.

grade: stable # must be 'stable' to release into candidate/stable channels
confinement: strict # use 'strict' once you have the right plugs and slots

apps:
  chronyd:
    command: bin/chronyd -f $SNAP_DATA/etc/chrony.conf
    daemon: forking
    restart-condition: always
    plugs:
      - network
      - network-bind
      - time-control
      - timeserver-control
      - timezone-control

  chronyc:
    command: bin/chronyc

parts:
  chronyd-defaults:
    plugin: dump
    source: conf
    organize:
      chrony.conf: etc/chrony.conf

  chronyd:
    source: https://download.tuxfamily.org/chrony/chrony-3.5.1.tar.gz
    plugin: autotools
    build-packages: [ asciidoctor ]
    organize:
      usr/local/sbin/chronyd: bin/chronyd
      usr/local/bin/chronyc: bin/chronyc
```
snap version:
```
snap 2.48.2
snapd 2.48.2
series 16
ubuntu 18.04
kernel 5.4.0-58-generic
```
snapcraft version:
```
snapcraft, version 4.4.4
```
While installing in strict mode, I get the error below:
```
error: cannot perform the following tasks:
- Start snap "chronyd" (unset) services ([start snap.chronyd.chronyd.service] failed with exit status 1: Job for snap.chronyd.chronyd.service failed because the control process exited with error code.
See "systemctl status snap.chronyd.chronyd.service" and "journalctl -xe" for details.
)
```
journalctl -xe command output:
```
-- Unit snap.chronyd.chronyd.service has begun starting up.
Jan 11 11:21:48 User chronyd[15042]: chronyd version 3.5.1 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SIGND +ASYNCDNS -SECHASH +IPV6 -DEBUG)
Jan 11 11:21:48 User kernel: kauditd_printk_skb: 2 callbacks suppressed
Jan 11 11:21:48 User kernel: audit: type=1326 audit(1610344308.783:1237): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=15042 comm="chronyd" exe="/snap/chronyd/x1/bin/chronyd" sig=0 arch=c000003e sysc
Jan 11 11:21:48 User audit[15042]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=15042 comm="chronyd" exe="/snap/chronyd/x1/bin/chronyd" sig=0 arch=c000003e syscall=159 compat=0 ip=0x7fc220709
Jan 11 11:21:48 User systemd[1]: snap.chronyd.chronyd.service: Control process exited, code=exited status=1
Jan 11 11:21:48 User chronyd.chronyd[15018]: adjtimex(0x8001) failed : Operation not permitted
Jan 11 11:21:48 User chronyd[15042]: Wrong permissions on /var/snap/chronyd/current/run
Jan 11 11:21:48 User systemd[1]: snap.chronyd.chronyd.service: Failed with result 'exit-code'.
Jan 11 11:21:48 User chronyd[15042]: Disabled command socket /var/snap/chronyd/current/run/chrony.sock
Jan 11 11:21:48 User systemd[1]: Failed to start Service for snap application chronyd.chronyd.
-- Subject: Unit snap.chronyd.chronyd.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- Unit snap.chronyd.chronyd.service has failed.
-- The result is RESULT.
Jan 11 11:21:48 User chronyd[15042]: Fatal error : adjtimex(0x8001) failed : Operation not permitted
Jan 11 11:21:48 User systemd[1]: Stopped Service for snap application chronyd.chronyd.
-- Subject: Unit snap.chronyd.chronyd.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
```
It seems like the chronyd service tries to adjust the time on the system clock, but as a strictly confined snap it doesn’t have permission.
snappy-debug.security scanlog output:
```
User@User:~/User/Chrony$ snappy-debug.security scanlog
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= Seccomp =
Time: Jan 11 11:45:43
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=15981 comm="chronyd" exe="/snap/chronyd/x1/bin/chronyd" sig=0 arch=c000003e 159(adjtimex) compat=0 ip=0x7fa930a7bf57 code=0x50000
Syscall: adjtimex
Suggestion:
- add 'time-control' to 'plugs'
```
Scanlog is showing that I need to add the ‘time-control’ plug. But I have already added it in snapcraft.yaml.
Any suggestions and help are appreciated.
Thanks in advance.
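
An added example, not part of the original post: declaring a plug in snapcraft.yaml does not by itself connect it, and `time-control`, `timeserver-control` and `timezone-control` are not auto-connected by snapd, so the seccomp denial for `adjtimex` can persist even though the plug is listed. The shell functions below read `snap connections` output and print the `snap connect` command for each unconnected plug; the function names are hypothetical and the sample table is constructed for illustration, not captured from the poster's system.

```shell
# Read `snap connections <snap>` output on stdin and print every plug that
# has no slot connected. Columns are: Interface, Plug, Slot, Notes.
# An unconnected plug shows "-" in the Slot column; rows whose Plug column
# is "-" are slot-only rows and are skipped.
unconnected_plugs() {
    awk 'NR > 1 && $2 != "-" && $3 == "-" { print $2 }'
}

# Turn each unconnected plug into the command that connects it to the
# matching system slot. Review the list before running anything: each
# connection widens what the confined service may do.
suggest_connects() {
    unconnected_plugs | while read -r plug; do
        printf 'sudo snap connect %s\n' "$plug"
    done
}

# Constructed sample of `snap connections chronyd` for the plugs declared
# in the snapcraft.yaml above (assumed state, not real captured output).
sample_connections() {
    cat <<'EOF'
Interface           Plug                        Slot           Notes
network             chronyd:network             :network       -
network-bind        chronyd:network-bind        :network-bind  -
time-control        chronyd:time-control        -              -
timeserver-control  chronyd:timeserver-control  -              -
timezone-control    chronyd:timezone-control    -              -
EOF
}

# Demonstration on the constructed sample.
sample_connections | suggest_connects

# On a system where the snap is installed:
#   snap connections chronyd | suggest_connects
```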