m/n/time: add time service
This adds a bare-minimum time service based on chrony/NTP for keeping
the system clock and RTC on Metropolis nodes accurate.
It also introduces a UID/GID registry in the Metropolis node code
as this is the first unprivileged service to run on the node itself.
It does not yet use a secure time source, this is tracked as #73.
Change-Id: I873971e6d3825709bc8c696e227bece4cfbda93a
Reviewed-on: https://review.monogon.dev/c/monogon/+/319
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/BUILD.bazel b/metropolis/node/BUILD.bazel
index ee86523..feade24 100644
--- a/metropolis/node/BUILD.bazel
+++ b/metropolis/node/BUILD.bazel
@@ -3,7 +3,10 @@
go_library(
name = "go_default_library",
- srcs = ["ports.go"],
+ srcs = [
+ "ids.go",
+ "ports.go",
+ ],
importpath = "source.monogon.dev/metropolis/node",
visibility = ["//metropolis:__subpackages__"],
)
@@ -78,6 +81,7 @@
# runc runtime, with cgo
"@com_github_opencontainers_runc//:runc": "/containerd/bin/runc",
"@xfsprogs//:mkfs": "/bin/mkfs.xfs",
+ "@chrony//:chrony": "/time/chrony",
},
symlinks = {
"/ephemeral/machine-id": "/etc/machine-id",
diff --git a/metropolis/node/core/BUILD.bazel b/metropolis/node/core/BUILD.bazel
index e0d6d87..c1d48ae 100644
--- a/metropolis/node/core/BUILD.bazel
+++ b/metropolis/node/core/BUILD.bazel
@@ -21,6 +21,7 @@
"//metropolis/node/core/localstorage/declarative:go_default_library",
"//metropolis/node/core/network:go_default_library",
"//metropolis/node/core/roleserve:go_default_library",
+ "//metropolis/node/core/time:go_default_library",
"//metropolis/node/kubernetes/pki:go_default_library",
"//metropolis/pkg/logtree:go_default_library",
"//metropolis/pkg/supervisor:go_default_library",
diff --git a/metropolis/node/core/main.go b/metropolis/node/core/main.go
index d378934..9ed2beb 100644
--- a/metropolis/node/core/main.go
+++ b/metropolis/node/core/main.go
@@ -40,6 +40,7 @@
"source.monogon.dev/metropolis/node/core/localstorage/declarative"
"source.monogon.dev/metropolis/node/core/network"
"source.monogon.dev/metropolis/node/core/roleserve"
+ timesvc "source.monogon.dev/metropolis/node/core/time"
"source.monogon.dev/metropolis/node/kubernetes/pki"
"source.monogon.dev/metropolis/pkg/logtree"
"source.monogon.dev/metropolis/pkg/supervisor"
@@ -100,6 +101,7 @@
}
networkSvc := network.New()
+ timeSvc := timesvc.New()
// This function initializes a headless Delve if this is a debug build or
// does nothing if it's not
@@ -131,6 +133,9 @@
if err := supervisor.Run(ctx, "network", networkSvc.Run); err != nil {
return fmt.Errorf("when starting network: %w", err)
}
+ if err := supervisor.Run(ctx, "time", timeSvc.Run); err != nil {
+ return fmt.Errorf("when starting time: %w", err)
+ }
// Start cluster manager. This kicks off cluster membership machinery,
// which will either start a new cluster, enroll into one or join one.
diff --git a/metropolis/node/core/time/BUILD.bazel b/metropolis/node/core/time/BUILD.bazel
new file mode 100644
index 0000000..05a938a
--- /dev/null
+++ b/metropolis/node/core/time/BUILD.bazel
@@ -0,0 +1,13 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "go_default_library",
+ srcs = ["time.go"],
+ importpath = "source.monogon.dev/metropolis/node/core/time",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//metropolis/node:go_default_library",
+ "//metropolis/pkg/fileargs:go_default_library",
+ "//metropolis/pkg/supervisor:go_default_library",
+ ],
+)
diff --git a/metropolis/node/core/time/time.go b/metropolis/node/core/time/time.go
new file mode 100644
index 0000000..6c2e906
--- /dev/null
+++ b/metropolis/node/core/time/time.go
@@ -0,0 +1,60 @@
+// Package time implements a supervisor runnable which is responsible for
+// keeping both the system clock and the RTC accurate.
+// Metropolis nodes need accurate time both for themselves (for log
+// timestamping, validating certain certificates, ...) as well as workloads
+// running on top of it expecting accurate time.
+// This initial implementation is very minimalistic, running just a stateless
+// NTP client per node for the whole lifecycle of it.
+// This implementation is simple, but is fairly unsafe as NTP by itself does
+// not offer any cryptography, so it's easy to tamper with the responses.
+// See #73 for further work in that direction.
+package time
+
+import (
+ "context"
+ "fmt"
+ "os/exec"
+ "strconv"
+ "strings"
+
+ "source.monogon.dev/metropolis/node"
+ "source.monogon.dev/metropolis/pkg/fileargs"
+ "source.monogon.dev/metropolis/pkg/supervisor"
+)
+
+// Service implements the time service. See package documentation for further
+// information.
+type Service struct{}
+
+func New() *Service {
+ return &Service{}
+}
+
+func (s *Service) Run(ctx context.Context) error {
+ // TODO(#72): Apply for a NTP pool vendor zone
+ config := strings.Join([]string{
+ "pool pool.ntp.org iburst",
+ "bindcmdaddress /",
+ "stratumweight 0.01",
+ "leapsecmode slew",
+ "maxslewrate 10000",
+ "makestep 2.0 3",
+ "rtconutc",
+ "rtcsync",
+ }, "\n")
+ args, err := fileargs.New()
+ if err != nil {
+ return fmt.Errorf("cannot create fileargs: %w", err)
+ }
+ defer args.Close()
+ cmd := exec.Command(
+ "/time/chrony",
+ "-d",
+ "-i", strconv.Itoa(node.TimeUid),
+ "-g", strconv.Itoa(node.TimeUid),
+ "-f", args.ArgPath("chrony.conf", []byte(config)),
+ )
+ cmd.Stdout = supervisor.RawLogger(ctx)
+ cmd.Stderr = supervisor.RawLogger(ctx)
+ return supervisor.RunCommand(ctx, cmd)
+}
diff --git a/metropolis/node/ids.go b/metropolis/node/ids.go
new file mode 100644
index 0000000..b4ddf84
--- /dev/null
+++ b/metropolis/node/ids.go
@@ -0,0 +1,24 @@
+// Copyright 2021 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package node
+
+// These are UID/GID constants for components inside the Metropolis node
+// code.
+const (
+ RootUid = 0
+ TimeUid = 100
+)
diff --git a/third_party/chrony/external.bzl b/third_party/chrony/external.bzl
index e269c41..64b4f47 100644
--- a/third_party/chrony/external.bzl
+++ b/third_party/chrony/external.bzl
@@ -25,5 +25,10 @@
sha256 = "61a1b0879432695735a1e2a14e5d1ae499d3be15099c767501fbe695f46861da",
build_file = "@//third_party/chrony:chrony.bzl",
strip_prefix = "chrony-" + version,
+ patch_args = ["-p1"],
+ patches = [
+ "//third_party/chrony/patches:disable_defaults.patch",
+ "//third_party/chrony/patches:support_fixed_uids.patch",
+ ],
urls = ["https://git.tuxfamily.org/chrony/chrony.git/snapshot/chrony-%s.tar.gz" % version],
)
diff --git a/third_party/chrony/patches/BUILD b/third_party/chrony/patches/BUILD
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/third_party/chrony/patches/BUILD
diff --git a/third_party/chrony/patches/disable_defaults.patch b/third_party/chrony/patches/disable_defaults.patch
new file mode 100644
index 0000000..2a3dacf
--- /dev/null
+++ b/third_party/chrony/patches/disable_defaults.patch
@@ -0,0 +1,13 @@
+diff --git a/conf.c b/conf.c
+index ce2ff00..7ce7fd2 100644
+--- a/conf.c
++++ b/conf.c
+@@ -403,8 +403,6 @@ CNF_Initialise(int r, int client_only)
+ if (client_only) {
+ cmd_port = ntp_port = 0;
+ } else {
+- bind_cmd_path = Strdup(DEFAULT_COMMAND_SOCKET);
+- pidfile = Strdup(DEFAULT_PID_FILE);
+ }
+
+ SCK_GetAnyLocalIPAddress(IPADDR_INET4, &bind_address4);
\ No newline at end of file
diff --git a/third_party/chrony/patches/support_fixed_uids.patch b/third_party/chrony/patches/support_fixed_uids.patch
new file mode 100644
index 0000000..f9aecb7
--- /dev/null
+++ b/third_party/chrony/patches/support_fixed_uids.patch
@@ -0,0 +1,52 @@
+--- a/main.c
++++ b/main.c
+@@ -439,6 +439,7 @@ int main
+ int scfilter_level = 0, lock_memory = 0, sched_priority = 0;
+ int clock_control = 1, system_log = 1, log_severity = LOGS_INFO;
+ int user_check = 1, config_args = 0, print_config = 0;
++ int uid = -1, gid = -1;
+
+ do_platform_checks();
+
+@@ -458,7 +459,7 @@ int main
+ optind = 1;
+
+ /* Parse short command-line options */
+- while ((opt = getopt(argc, argv, "46df:F:hl:L:mnpP:qQrRst:u:Uvx")) != -1) {
++ while ((opt = getopt(argc, argv, "46df:F:g:hi:l:L:mnpP:qQrRst:u:Uvx")) != -1) {
+ switch (opt) {
+ case '4':
+ case '6':
+@@ -475,6 +476,12 @@ int main
+ case 'F':
+ scfilter_level = parse_int_arg(optarg);
+ break;
++ case 'g':
++ gid = parse_int_arg(optarg);
++ break;
++ case 'i': // u and U were alredy used, so i for id
++ uid = parse_int_arg(optarg);
++ break;
+ case 'l':
+ log_file = optarg;
+ break;
+@@ -583,9 +590,13 @@ int main
+ if (!user)
+ user = CNF_GetUser();
+
+- pw = getpwnam(user);
+- if (!pw)
+- LOG_FATAL("Could not get user/group ID of %s", user);
++ if (uid != -1 && gid != -1) {
++ pw = &(struct passwd) { .pw_uid = uid, .pw_gid = gid };
++ } else {
++ pw = getpwnam(user);
++ if (!pw)
++ LOG_FATAL("Could not get user/group ID of %s", user);
++ }
+
+ /* Create directories for sockets, log files, and dump files */
+ CNF_CreateDirs(pw->pw_uid, pw->pw_gid);
+--
+2.25.1
+