AppArmor denies dbus socket access to ntpd

starkruzr

Hi,

Was wondering why NTP wasn't working on my hosts, then found this in syslog:

Jul 20 17:21:36 riogrande kernel: [236932.823729] audit: type=1400 audit(1595283696.540:59): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=1921804 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

What is the right way to fix this? As is I'm getting clock skew warnings on my Ceph mons because they're off from the master by about a half second.

Thanks!
 
Hi,

Check the clock on your BIOS, and also your firewall. If you have already checked them and everything is OK, post the output of the following commands:

- systemctl status systemd-timesyncd
- timedatectl status
 
> Hi,
>
> Check the clock on your BIOS, and also your firewall. If you have already checked them and everything is OK, post the output of the following commands:

I had originally disabled systemd-timesyncd because it wasn't working either. After uninstalling ntp and re-enabling systemd-timesyncd it still doesn't work.

Code:
root@ibnmajid:/etc/systemd# timedatectl
               Local time: Tue 2020-07-21 11:52:50 CDT
           Universal time: Tue 2020-07-21 16:52:50 UTC
                 RTC time: Tue 2020-07-21 16:52:43
                Time zone: America/Chicago (CDT, -0500)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no

Judging from the /etc/systemd/timesyncd.conf file it does not appear that there is a way for one server to act as the "master clock" and others to sync to it.
 
Hello,

I've just noticed a similar strange behavior on my single node install. Falling back from kernel pve-kernel-5.4.44-2-pve to pve-kernel-5.4.34-1-pve fixed the timesync problem for me:

Bash:
root@pve:~# timedatectl
               Local time: Mon 2020-08-10 18:39:23 CEST
           Universal time: Mon 2020-08-10 16:39:23 UTC
                 RTC time: Mon 2020-08-10 16:39:23
                Time zone: Europe/Warsaw (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

On 5.4.44-2-pve the ntp service on proxmox and pfsense KVM did run very unstable with jitter around 10k ...

Hope this helps!
 
> What is the right way to fix this? As is I'm getting clock skew warnings on my Ceph mons because they're off from the master by about a half second.
>
> Thanks!

So, "right way" depends on your definition, but IMHO, systemd-timesyncd will not be adequate for reliable, production use.

I replaced it with the Debian chrony package. I configured it as both client and server (with local servers and each node in the cluster) such that if I lose external NTP connectivity, the nodes sync (and drift) together using the Ceph public network. The package automatically installs an Apparmor profile as well.

I no longer have any clock skew issues with Ceph. Hope that helps.
 
Thanks for the hint. I just tested chrony, and it was much more reliable in the sense of clock stability and lower variation of the offset. However, what I observe with ntpd is really suspicious:

On an Intel CPU ntpd and chronyd are working as expected: low fluctuation of the offset in the range of 10 µs
On an AMD CPU ntpd sometimes runs out of sync, the offset becomes bigger and bigger, more than 600 µs to all servers, and the clocks are not synced anymore.
 
I have a similar problem; I want to install an NTP server on my Proxmox for my network.
My Solution:
add "#include <abstractions/dbus-strict>"
in /etc/apparmor.d/usr.sbin.ntpd

Edit /etc/apparmor.d/usr.sbin.ntpd
Into:
#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/dbus-strict>
...
...
...
}


https://ubuntu-bugs.narkive.com/gvgtiXW4/bug-1598759-new-incomplete-apparmor-definition-for-ntpd
https://cognoz.github.io/ntp-configure-in-secure-envs/
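
An added example, not part of any post in this thread: a small Python check that parses AppArmor DENIED audit records like the one in the first post and reports whether the affected profile already includes the abstraction suggested in the last post. The function names, the path-to-abstraction table and the profile texts are assumptions made for the illustration.

```python
import re

# Assumption from the fix posted in this thread: the denied socket path is
# granted by the dbus-strict abstraction. Extend the table for other paths.
ABSTRACTION_FOR_PATH = {"/run/dbus/system_bus_socket": "abstractions/dbus-strict"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log_text):
    """Yield the key=value fields of each AppArmor DENIED audit record."""
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' in line:
            yield {m[1]: m[2] if m[2] is not None else m[3]
                   for m in FIELD.finditer(line)}

def review(log_text, profiles):
    """Return (profile, path, denied_mask, abstraction, already_included) per denial.

    profiles maps a profile name to the text of its file under /etc/apparmor.d.
    """
    findings = []
    for d in parse_denials(log_text):
        abstraction = ABSTRACTION_FOR_PATH.get(d.get("name"))
        lines = [l.strip() for l in profiles.get(d.get("profile"), "").splitlines()]
        # "#include" is AppArmor's include directive, not a comment.
        included = abstraction is not None and any(
            l in (f"#include <{abstraction}>", f"include <{abstraction}>") for l in lines)
        findings.append((d.get("profile"), d.get("name"), d.get("denied_mask"),
                         abstraction, included))
    return findings

# First line: the denial from the first post. Second line: constructed, not a denial.
SAMPLE_LOG = '''\
Jul 20 17:21:36 riogrande kernel: [236932.823729] audit: type=1400 audit(1595283696.540:59): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=1921804 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jul 20 17:21:37 riogrande kernel: [236933.000000] audit: type=1400 audit(1595283697.000:60): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=1921900 comm="apparmor_parser"
'''
# Constructed profile texts: before and after the edit described in the last post.
PROFILE_BEFORE = """/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
}"""
PROFILE_AFTER = PROFILE_BEFORE.replace("}", "  #include <abstractions/dbus-strict>\n}")

if __name__ == "__main__":
    for label, text in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        for finding in review(SAMPLE_LOG, {"/usr/sbin/ntpd": text}):
            print(label, finding)
```

After editing a profile on a real host, reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd` so the added include takes effect.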
 