Managing time, date and timezone in Ubuntu Core

Hi, sorry for the delay in confirming, but yes my application needs to be able to change the system timezone through some means.

The fix has been committed in snapd. You’ll be able to use timedatectl to manage the time using the time-control interface and change the timezone using the timezone-control interface.

May I ask, when does this become available in an update from the stable channel?

@zyga-snapd could you give an estimate to @jenny.murphy as to when https://github.com/snapcore/snapd/commit/24d67cbdc0df5d64dcfc8edeada81bfbb5cca0a2 will be released into the stable channel? I haven’t been keeping up with the snapd release cadence to give an accurate estimate.

Hi! Is it possible to release this fix with 2.26.4 snapd? We need it so much=)

Hi, to use this will I just need to connect using the time-control interface and the timezone-control interface? In other words, timedatectl will be available to my snap. Or do I need to build the timedatectl binary into my snap similar to

timedatectl will be available in time-control, timeserver-control and timezone-control once https://github.com/snapcore/snapd/pull/3364 is in the stable core snap. This is merged in trunk and I believe it will be a part of snapd 2.26, which AIUI will hopefully be released to stable soon.

Will it be possible to use timedatectl set-ntp also with this update?

Looking at the timeserver-control interface, it allows timedatectl and various DBus APIs for using set-ntp, so yes, it is supposed to work.

I have now snapd 2.26.0 and can use timedatectl.

I still get the following denials reported through snappy-debug:

= AppArmor =
Time: Jul 18 08:37:31
Log: apparmor="ALLOWED" operation="open" profile="snap.epi-gateway.main" name="/proc/1/environ" pid=5644 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/1/environ (read)
Suggestion:

  • adjust program to not access ‘@{PROC}/@{pid}/environ’

= AppArmor =
Time: Jul 18 08:37:31
Log: apparmor="ALLOWED" operation="ptrace" profile="snap.epi-gateway.main" pid=5644 comm="timedatectl.rea" requested_mask="trace" denied_mask="trace" peer="unconfined"

The second one probably is ok. What about the first one?

@jenny.murphy Did you manage to address your problem there? The process is trying to read the environment of the init process in the system, which is a bit of a strange thing to do. Do you have more details?

Hi,
Yes I still get the same denial.

I am using timedatectl for setting time, timezone and also switching off/on NTP, so for example I am effectively invoking

timedatectl set-ntp true

from my Java process.

What other information could I provide that would be of use?

Sorry for the lag, I didn’t notice the @-mention. The packaging for Fedora has landed and 2.27.x is about to be released into the stable channel.

@zyga-snapd Do you think the denial I have will be fixed in this new version?

The only mention of /proc/.../environ that I can see is in the greengrass support interface. CCing @jdstrand – my guesstimate says “no”.

I checked the status of this with the latest version from the stable channel.

admin@1TXPB02:~$ snap list
Name Version Rev Developer Notes
core 16-2.28.5 3247 canonical core

Still getting the following denials:


= AppArmor =
Time: Nov 1 09:36:02
Log: apparmor="ALLOWED" operation="open" profile="snap.epi-gateway.main" name="/proc/1/environ" pid=9069 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/1/environ (read)
Suggestion:
* adjust program to not access ‘@{PROC}/@{pid}/environ’

= AppArmor =
Time: Nov 1 09:36:02
Log: apparmor="ALLOWED" operation="ptrace" profile="snap.epi-gateway.main" pid=9069 comm="timedatectl.rea" requested_mask="trace" denied_mask="trace" peer="unconfined"
Ptrace: peer=unconfined (trace)
Suggestions:
* adjust program to not trace processes
* do nothing if program otherwise works properly


Why is invoking timedatectl from the program resulting in the first one?

Is it still ok to get the second one?

There are no interfaces to allow the second denial (it would allow breaking out of confinement). systemd itself is not designed for application isolation and it will try to interact with its processes in various ways.

We could allow this rule though: @{PROC}/1/environ r, (there isn’t anything sensitive in there), but I don’t see either denial on an Ubuntu 16.04 LTS classic or an Ubuntu Core 16 system. I tried various timedatectl invocations. How are you calling it?
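
An added example, not part of the original thread and not snapd or snappy-debug code: a small Python triage of the two AppArmor messages quoted above, sorting them the way the reply does (a ptrace of an unconfined peer has no interface; the read of /proc/1/environ is a candidate for a policy rule). The function names and verdict labels are made up for this sketch, and the sample lines are constructed from the ones in the thread.

```python
import re

# Constructed samples modelled on the two denials quoted in this thread;
# the second keeps curly quotes, which rich-text copy-paste can introduce.
SAMPLE_LOG = [
    'apparmor="ALLOWED" operation="open" profile="snap.epi-gateway.main" '
    'name="/proc/1/environ" pid=9069 comm="timedatectl.rea" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'apparmor=“ALLOWED” operation=“ptrace” profile=“snap.epi-gateway.main” '
    'pid=9069 comm=“timedatectl.rea” requested_mask=“trace” '
    'denied_mask=“trace” peer=“unconfined”',
]

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_CURLY = {0x201C: '"', 0x201D: '"'}  # normalise typographic quotes


def parse_event(line):
    """Return the key=value fields of one AppArmor audit message as a dict."""
    event = {}
    for key, quoted, bare in _FIELD.findall(line.translate(_CURLY)):
        event[key] = quoted or bare
    return event


def triage(event):
    """Classify one parsed event using the guidance given in the thread."""
    parts = event.get("profile", "").split(".")
    snap = parts[1] if len(parts) >= 3 and parts[0] == "snap" else None
    # apparmor="ALLOWED" is what a complain-mode profile logs: the access
    # was recorded, not blocked. "DENIED" means it was blocked.
    blocked = event.get("apparmor") == "DENIED"
    op = event.get("operation")
    if op == "ptrace" and event.get("peer") == "unconfined":
        verdict = "no-interface"    # would allow breaking out of confinement
    elif (op == "open" and event.get("name") == "/proc/1/environ"
          and event.get("denied_mask") == "r"):
        verdict = "candidate-rule"  # thread suggests: @{PROC}/1/environ r,
    else:
        verdict = "unclassified"
    return {"snap": snap, "blocked": blocked, "verdict": verdict}


def triage_log(lines):
    """Parse and classify every line of a log excerpt."""
    return [triage(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        print(result)
```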

Note that the timedatectl is a shell wrapper in the core snap calling out to timedatectl.real … could that be the issue here?

Actually, up above @jenny.murphy mentioned that she is calling ‘timedatectl set-ntp true’ from a java process. Do you have a small reproducer for this that is representative of how you are using java to invoke the program? A simple .java file is fine (I can put it in a snap easy enough).

Hi,
Yes I will produce a code snippet for you over the coming days.
Thanks a lot.
Jenny