AppArmor denies dbus socket access to ntpd

starkruzr

Active Member
Hi,

Was wondering why NTP wasn't working on my hosts, then found this in syslog:

Jul 20 17:21:36 riogrande kernel: [236932.823729] audit: type=1400 audit(1595283696.540:59): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=1921804 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

What is the right way to fix this? As is I'm getting clock skew warnings on my Ceph mons because they're off from the master by about a half second.

Thanks!
 

Moayad

Proxmox Staff Member
Hi,

Check the clock in your BIOS, and also your firewall. If you have already checked them and everything is OK, post the output of the following commands:

- systemctl status systemd-timesyncd
- timedatectl status
 

starkruzr

Active Member
Hi,

Check the clock in your BIOS, and also your firewall. If you have already checked them and everything is OK, post the output of the following commands:
I had originally disabled systemd-timesyncd because it wasn't working either. After uninstalling ntp and re-enabling systemd-timesyncd it still doesn't work.

Code:
root@ibnmajid:/etc/systemd# timedatectl
               Local time: Tue 2020-07-21 11:52:50 CDT
           Universal time: Tue 2020-07-21 16:52:50 UTC
                 RTC time: Tue 2020-07-21 16:52:43
                Time zone: America/Chicago (CDT, -0500)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no

Judging from the /etc/systemd/timesyncd.conf file it does not appear that there is a way for one server to act as the "master clock" and others to sync to it.
 


arminpsz

New Member
Hello,

I've just noticed a similar strange behavior on my single node install. Falling back from kernel pve-kernel-5.4.44-2-pve to pve-kernel-5.4.34-1-pve fixed the timesync problem for me:

Bash:
root@pve:~# timedatectl
               Local time: Mon 2020-08-10 18:39:23 CEST
           Universal time: Mon 2020-08-10 16:39:23 UTC
                 RTC time: Mon 2020-08-10 16:39:23
                Time zone: Europe/Warsaw (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

On 5.4.44-2-pve the ntp service on Proxmox and the pfSense KVM ran very unstably, with jitter around 10k ...

Hope this helps !
 

RokaKen

Active Member
What is the right way to fix this? As is I'm getting clock skew warnings on my Ceph mons because they're off from the master by about a half second.

Thanks!

So, "right way" depends on your definition, but IMHO, systemd-timesyncd will not be adequate for reliable, production use.

I replaced it with the Debian chrony package. I configured it as both client and server (with local servers and each node in the cluster) such that if I lose external NTP connectivity, the nodes sync (and drift) together using the Ceph public network. The package automatically installs an Apparmor profile as well.

I no longer have any clock skew issues with Ceph. Hope that helps.
 

WHSProxmox

Member
Thanks for the hint. I just tested chrony, and it was much more reliable in terms of clock stability and lower variation of the offset. However, what I observe with ntpd is really suspicious:

On an Intel CPU ntpd and chronyd are working as expected: low fluctuation of the offset in the range of 10 µs.
On an AMD CPU ntpd sometimes runs out of sync; the offset becomes bigger and bigger, more than 600 µs to all servers, and the clock is not synced anymore.
 

Yuneldeltoro

New Member
I have a similar problem; I want to install an NTP server in my Proxmox for my network.
My solution:
add "#include <abstractions/dbus-strict>"
in /etc/apparmor.d/usr.sbin.ntpd

Edit /etc/apparmor.d/usr.sbin.ntpd into:

Code:
#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/dbus-strict>
  ...
  ...
  ...
}


https://ubuntu-bugs.narkive.com/gvgtiXW4/bug-1598759-new-incomplete-apparmor-definition-for-ntpd
https://cognoz.github.io/ntp-configure-in-secure-envs/
 
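As an added example (not code from any poster in this thread), here is a small Python helper that parses the AppArmor audit line quoted at the top of the thread into its fields, recognises the D-Bus socket denial, and applies the fix from the post above to a profile text. The log line and the profile fragment are constructed from the posts; the function names are my own.

```python
import re

# Sample audit line, constructed from the denial quoted at the top of the thread.
SAMPLE_LOG = (
    'Jul 20 17:21:36 riogrande kernel: [236932.823729] audit: type=1400 '
    'audit(1595283696.540:59): apparmor="DENIED" operation="connect" '
    'profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=1921804 '
    'comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0'
)
DBUS_SOCKET = "/run/dbus/system_bus_socket"
# key="quoted value" or key=bareword tokens, as the kernel audit subsystem prints them
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_audit(line):
    """Split an audit type=1400 (AppArmor) line into its key/value fields; None otherwise."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def is_dbus_socket_denial(fields):
    """True for a DENIED access to the system D-Bus socket, the case the dbus-strict abstraction covers."""
    return fields.get("apparmor") == "DENIED" and fields.get("name") == DBUS_SOCKET

def profile_includes_dbus_strict(profile_text):
    """True if an uncommented include of the abstraction is present ('#include' or the newer 'include')."""
    return re.search(r"^\s*#?include\s+<abstractions/dbus-strict>", profile_text, re.M) is not None

def add_dbus_strict(profile_text):
    """Insert the include just inside the opening '{' of the profile block, as the
    post above does for /etc/apparmor.d/usr.sbin.ntpd. Idempotent."""
    if profile_includes_dbus_strict(profile_text):
        return profile_text
    lines = profile_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.rstrip().endswith("{"):
            lines.insert(i + 1, "  #include <abstractions/dbus-strict>\n")
            break
    return "".join(lines)

# Profile fragment constructed from the post above, before the fix.
PROFILE_BEFORE = """#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
}
"""
```

After editing the real profile, reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd` and confirm the audit DENIED line stops appearing in syslog.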
