[Bug 1788102] Re: ntpsec's ntpd fails to write ntp.drift file because of apparmor
Ubuntu Foundations Team Bug Bot
1788102 at bugs.launchpad.net
Tue Aug 21 08:21:12 UTC 2018
The attachment "ntpsec_1.1.0+dfsg1-1ubuntu1.debdiff" seems to be a
debdiff. The ubuntu-sponsors team has been subscribed to the bug report
so that they can review and hopefully sponsor the debdiff. If the
attachment isn't a patch, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are member of the
~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]
** Tags added: patch
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
ntpsec's ntpd fails to write ntp.drift file because of apparmor
Status in ntpsec package in Ubuntu:
NTPsec 1.1.0 changed the way it writes the drift file. The new drift
file is written to ntp.drift-tmp before being renamed to ntp.drift.
The apparmor policy does not allow writing to ntp.drift-tmp. As a
result, NTPsec is not able to write the drift file.
Failing to write the drift file means that every time ntpd starts up,
it has to recalculate the system's drift from scratch. This reduces
clock accuracy for some time.
The fix is to update the apparmor policy to allow writing to ntp
.drift-tmp at the same locations as ntp.drift.
Per the SRU rules, I waited to file this SRU until the fix made it
into cosmic. This is fixed in ntpsec 1.1.1+dfsg1-2, which has synced
to cosmic. It was originally fixed in exactly the way proposed here.
(The fix here is a cherry pick of that commit.) However, subsequent
changes restructured /var/lib/ntp to /var/lib/ntpsec, so the apparmor
policy in 1.1.1+dfsg1-2 can't be directly copied.
1. If the ntp (note: ntp, not ntpsec) package is installed, uninstall
it. Make sure there is no /var/lib/ntp/ntp.drift file left over from
the ntp package or previous testing.
2. Install ntpsec.
3. Wait a while (typically an hour or more) for ntpd to calculate the
4. Check syslog for messages like this:
2018-08-21T00:23:52.891966-05:00 ubuntu1804test ntpd: LOG: frequency file /var/lib/ntp/ntp.drift-tmp: Permission denied
and the kernel log for messages like this:
[446384.822309] audit: type=1400 audit(1534825432.887:14): apparmor="DENIED" operation="mknod" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift-tmp" pid=5392 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
5. Verify that there is no /var/lib/ntp/ntp.drift file.
6. Install the updated apparmor policy. Restart apparmor. Restart
ntpd. Wait for ntpd to calculate the drift. This time there should be
a file at: /var/lib/ntp/ntp.drift
This change only adds entries to the apparmor profile. Barring a
syntax error, this shouldn't be able to break anything.
I am the Debian maintainer of the ntpsec package.
To manage notifications about this bug go to:
More information about the Ubuntu-sponsors