From ee2cdd9c3a7d3546efbfb1d46ea65941a051440b Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Wed, 14 Jan 2026 17:45:31 -0800 Subject: [PATCH 01/21] Fix time drift for private operator --- scripts/aws/config-server/app.py | 8 ++++ scripts/aws/entrypoint.sh | 27 +++++++++++++ .../uid2-operator-ami/ansible/playbook.yml | 38 +++++++++++++++++++ 3 files changed, 73 insertions(+) diff --git a/scripts/aws/config-server/app.py b/scripts/aws/config-server/app.py index c0c94fc63..d94857ada 100644 --- a/scripts/aws/config-server/app.py +++ b/scripts/aws/config-server/app.py @@ -1,4 +1,5 @@ from flask import Flask +from datetime import datetime, timezone import json import os @@ -14,5 +15,12 @@ def get_config(): except Exception as e: return str(e), 500 +@app.route('/getCurrentTime', methods=['GET']) +def get_time(): + try: + return datetime.now(timezone.utc).isoformat(timespec="seconds") + except Exception as e: + return str(e), 500 + if __name__ == '__main__': app.run(processes=8) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index 6d4fbe15e..de5c39550 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh 
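Review bot: The `try`/`except` in `get_time` wraps `datetime.now(timezone.utc).isoformat(...)`, a call that does not fail in practice, so the `except Exception` branch only turns an unexpected bug into a plain-text `str(e)` body; it mirrors `get_config`, but here the handler can simply be `return datetime.now(timezone.utc).isoformat(timespec="seconds")`. The response format is also an unstated contract with the enclave, which feeds the body straight into `date -u -s` in `scripts/aws/entrypoint.sh`, so a docstring such as `"""Return the parent instance's UTC time as ISO 8601 with second precision; consumed verbatim by the enclave entrypoint's time sync."""` would stop the format from being changed casually.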
@@ -22,6 +22,33 @@ ifconfig lo 127.0.0.1 echo "Starting vsock proxy..." /app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( ( $(nproc) + 3 ) / 4 )) --log-level 3 +TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime" +TIME_SYNC_INTERVAL_SECONDS="${TIME_SYNC_INTERVAL_SECONDS:-300}" + +sync_enclave_time() { + local current_time + if current_time=$(curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}"); then + if ! date -u -s "${current_time}"; then + echo "Time sync: failed to set enclave time from '${current_time}'" + return 1 + fi + echo "Time sync: updated enclave time to ${current_time}" + else + echo "Time sync: failed to fetch time from parent instance" + return 1 + fi +} + +start_time_sync_loop() { + while true; do + sync_enclave_time || true + sleep "${TIME_SYNC_INTERVAL_SECONDS}" + done +} + +sync_enclave_time || true +start_time_sync_loop & + build_parameterized_config() { curl -s -f -o "${PARAMETERIZED_CONFIG}" -x socks5h://127.0.0.1:3305 http://127.0.0.1:27015/getConfig REQUIRED_KEYS=("optout_base_url" "core_base_url" "core_api_token" "optout_api_token" "environment" "uid_instance_id_prefix") diff --git a/scripts/aws/uid2-operator-ami/ansible/playbook.yml b/scripts/aws/uid2-operator-ami/ansible/playbook.yml index a5ec77809..fdff8f6ff 100644 --- a/scripts/aws/uid2-operator-ami/ansible/playbook.yml +++ b/scripts/aws/uid2-operator-ami/ansible/playbook.yml 
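Review bot: `sync_enclave_time` passes whatever the parent returned straight to `date -u -s "${current_time}"` with no shape check and no bound on the resulting clock step, so a garbled or stale response either fails (handled) or steps the enclave clock by an arbitrary amount in either direction, which token-expiry or certificate-validity logic in the operator will see as a jump. Checking the expected ISO 8601 form before stepping makes the bad case explicit, e.g. `[[ "${current_time}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:]{8}\+00:00$ ]] || { echo "Time sync: unexpected response '${current_time}'"; return 1; }`, and logging the delta before the step keeps it auditable. The `curl` call has no `--max-time`, so a parent endpoint that accepts the connection but never answers blocks the background loop indefinitely with nothing logged; `curl -s -f --max-time 10 ...` keeps the loop moving. Since the function only ever echoes, a persistently failing sync is invisible unless someone reads the enclave console.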
@@ -19,6 +19,44 @@ name: nmap-ncat state: latest + - name: Install chrony for time sync + ansible.builtin.dnf: + name: chrony + state: latest + + - name: Comment out default chrony pool servers + ansible.builtin.replace: + path: /etc/chrony.conf + regexp: '^pool\s+' + replace: '# pool ' + + - name: Configure AWS Time Sync Service in chrony + ansible.builtin.lineinfile: + path: /etc/chrony.conf + line: 'server 169.254.169.123 prefer iburst' + state: present + insertafter: EOF + + - name: Enable RTC sync in chrony + ansible.builtin.lineinfile: + path: /etc/chrony.conf + line: 'rtcsync' + state: present + insertafter: EOF + + - name: Allow chrony to step clock at startup + ansible.builtin.lineinfile: + path: /etc/chrony.conf + line: 'makestep 1.0 3' + state: present + insertafter: EOF + + - name: Ensure chronyd is enabled at boot + ansible.builtin.systemd: + name: chronyd + state: started + enabled: true + - name: Install python ansible.builtin.dnf: name: From 17f04870248283a339bc498e0a16ebe802ca33ce Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Thu, 15 Jan 2026 01:47:18 +0000 Subject: [PATCH 02/21] [CI Pipeline] Released Snapshot version: 5.63.23-alpha-203-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 0474f97a0..53f72b549 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.22 + 5.63.23-alpha-203-SNAPSHOT UTF-8 From 1e53d3ac57f25dbf55109d85615a887d870549c3 Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Thu, 15 Jan 2026 02:02:18 -0800 Subject: [PATCH 03/21] Add more timestamps in log --- scripts/aws/entrypoint.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index de5c39550..e2eaa6a88 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh 
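Review bot: The `Configure AWS Time Sync Service in chrony` task appends `server 169.254.169.123 prefer iburst` with `insertafter: EOF`, and `lineinfile` only de-duplicates an exact `line` match, so if the base image's `/etc/chrony.conf` already carries a `server 169.254.169.123 ...` entry with different options (Amazon Linux images typically ship one) the host ends up with two entries for the same server. Adding `regexp: '^server\s+169\.254\.169\.123'` to that task makes it replace an existing entry instead of appending a second one. The `rtcsync` and `makestep` tasks have the same exposure if the distro config already sets them, though duplicates there are harmless.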
@@ -27,7 +27,16 @@ TIME_SYNC_INTERVAL_SECONDS="${TIME_SYNC_INTERVAL_SECONDS:-300}" sync_enclave_time() { local current_time + local parent_epoch + local enclave_epoch + local drift_seconds if current_time=$(curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}"); then + parent_epoch=$(date -u -d "${current_time}" +%s 2>/dev/null || true) + enclave_epoch=$(date -u +%s) + if [[ -n "${parent_epoch}" ]]; then + drift_seconds=$((enclave_epoch - parent_epoch)) + echo "Time sync: drift seconds (enclave - parent) = ${drift_seconds}" + fi if ! date -u -s "${current_time}"; then echo "Time sync: failed to set enclave time from '${current_time}'" return 1 From 9683f2def7356b0ed02e0a15f00190bb755d465d Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Thu, 15 Jan 2026 13:44:37 -0800 Subject: [PATCH 04/21] Test, add a drift on boot --- scripts/aws/entrypoint.sh | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index e2eaa6a88..236b36c9f 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh @@ -24,6 +24,7 @@ echo "Starting vsock proxy..." TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime" TIME_SYNC_INTERVAL_SECONDS="${TIME_SYNC_INTERVAL_SECONDS:-300}" +TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-30}" sync_enclave_time() { local current_time 
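Review bot: When `date -u -d "${current_time}"` cannot parse the response, `parent_epoch` is empty and only the drift log is skipped, but the following `date -u -s "${current_time}"` is still attempted with the same unparsable string; returning early instead, `[[ -n "${parent_epoch}" ]] || { echo "Time sync: unparsable response '${current_time}'"; return 1; }`, avoids a second failure for the same cause and leaves `drift_seconds` available as a guard before the clock is stepped. `enclave_epoch` is sampled after the fetch, so the logged drift also includes the request round trip; that is fine at second granularity but worth a one-line comment so nobody tries to read sub-second accuracy into it.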
@@ -48,6 +49,27 @@ sync_enclave_time() { fi } +sync_enclave_time_with_offset_once() { + local current_time + local parent_epoch + if current_time=$(curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}"); then + parent_epoch=$(date -u -d "${current_time}" +%s 2>/dev/null || true) + if [[ -n "${parent_epoch}" ]]; then + parent_epoch=$((parent_epoch + TIME_SYNC_OFFSET_SECONDS)) + if ! date -u -s "@${parent_epoch}"; then + echo "Time sync: failed to set enclave time from '${current_time}' with offset ${TIME_SYNC_OFFSET_SECONDS}s" + return 1 + fi + echo "Time sync: updated enclave time to ${current_time} + ${TIME_SYNC_OFFSET_SECONDS}s" + fi + else + echo "Time sync: failed to fetch time from parent instance" + return 1 + fi +} + +sync_enclave_time_with_offset_once || true + start_time_sync_loop() { while true; do sync_enclave_time || true @@ -55,7 +77,6 @@ start_time_sync_loop() { done } -sync_enclave_time || true start_time_sync_loop & build_parameterized_config() { From 84bab6bf4330bb21a25d0c28c786c3fd4dfa7849 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Thu, 15 Jan 2026 21:46:57 +0000 Subject: [PATCH 05/21] [CI Pipeline] Released Snapshot version: 5.63.24-alpha-205-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 53f72b549..27725bcf5 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.23-alpha-203-SNAPSHOT + 5.63.24-alpha-205-SNAPSHOT UTF-8 From 450075279ff793418703a66ea30cab799ebec7c0 Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Thu, 15 Jan 2026 14:56:36 -0800 Subject: [PATCH 06/21] Update the test case --- scripts/aws/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index 236b36c9f..7b2a3b770 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh 
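Review bot: `sync_enclave_time_with_offset_once` deliberately sets the enclave clock to the parent's time plus `TIME_SYNC_OFFSET_SECONDS` (default 30) on every boot, and the call `sync_enclave_time_with_offset_once || true` is unconditional, so this test hook is live in production unless the variable is explicitly set to 0. The hook is removed again in PATCH 08 but re-added in PATCH 14 and is still present as context in the PATCH 16 entrypoint hunk, where the correction only arrives on the next host-side trigger, so the enclave runs up to 30 s ahead for as long as that takes. If the skew exists only to exercise the sync path, gate it on the variable being set rather than defaulting it: `TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-}"` and `[[ -n "${TIME_SYNC_OFFSET_SECONDS}" ]] && sync_enclave_time_with_offset_once || true`, or drop it before merge.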
@@ -72,8 +72,8 @@ sync_enclave_time_with_offset_once || true start_time_sync_loop() { while true; do - sync_enclave_time || true sleep "${TIME_SYNC_INTERVAL_SECONDS}" + sync_enclave_time || true done } From c15a42f5b027b7e40c61fa893fc82d9128234a93 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Thu, 15 Jan 2026 22:58:21 +0000 Subject: [PATCH 07/21] [CI Pipeline] Released Snapshot version: 5.63.25-alpha-206-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 27725bcf5..747951d3c 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.24-alpha-205-SNAPSHOT + 5.63.25-alpha-206-SNAPSHOT UTF-8 From f9a080c0d3e95707abb0e3de51f7c8007e7e138a Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Thu, 15 Jan 2026 16:16:18 -0800 Subject: [PATCH 08/21] Update to drift correction once a day --- scripts/aws/entrypoint.sh | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index 7b2a3b770..8373cea9c 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh @@ -23,7 +23,7 @@ echo "Starting vsock proxy..." /app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( ( $(nproc) + 3 ) / 4 )) --log-level 3 TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime" -TIME_SYNC_INTERVAL_SECONDS="${TIME_SYNC_INTERVAL_SECONDS:-300}" +TIME_SYNC_INTERVAL_SECONDS="${TIME_SYNC_INTERVAL_SECONDS:-86400}" TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-30}" sync_enclave_time() { 
@@ -49,27 +49,6 @@ sync_enclave_time() { fi } -sync_enclave_time_with_offset_once() { - local current_time - local parent_epoch - if current_time=$(curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}"); then - parent_epoch=$(date -u -d "${current_time}" +%s 2>/dev/null || true) - if [[ -n "${parent_epoch}" ]]; then - parent_epoch=$((parent_epoch + TIME_SYNC_OFFSET_SECONDS)) - if ! date -u -s "@${parent_epoch}"; then - echo "Time sync: failed to set enclave time from '${current_time}' with offset ${TIME_SYNC_OFFSET_SECONDS}s" - return 1 - fi - echo "Time sync: updated enclave time to ${current_time} + ${TIME_SYNC_OFFSET_SECONDS}s" - fi - else - echo "Time sync: failed to fetch time from parent instance" - return 1 - fi -} - -sync_enclave_time_with_offset_once || true - start_time_sync_loop() { while true; do sleep "${TIME_SYNC_INTERVAL_SECONDS}" From a1517b6e36ef37d01cfca7bb99ff0c553507d583 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Fri, 16 Jan 2026 00:35:18 +0000 Subject: [PATCH 09/21] [CI Pipeline] Released Snapshot version: 5.63.26-alpha-207-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 747951d3c..b2c0027b0 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.25-alpha-206-SNAPSHOT + 5.63.26-alpha-207-SNAPSHOT UTF-8 From 338fc46ed1fe3433e4be4027fa0a7e67ff69f2b9 Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Thu, 15 Jan 2026 16:46:24 -0800 Subject: [PATCH 10/21] Remove unused parameters --- scripts/aws/entrypoint.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index 8373cea9c..3688d3683 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh 
@@ -24,7 +24,6 @@ echo "Starting vsock proxy..." TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime" TIME_SYNC_INTERVAL_SECONDS="${TIME_SYNC_INTERVAL_SECONDS:-86400}" -TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-30}" sync_enclave_time() { local current_time From aa92c63e713544791d92d7c090fd94b92d3dea29 Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Wed, 28 Jan 2026 00:20:45 -0800 Subject: [PATCH 11/21] Address comments --- scripts/aws/entrypoint.sh | 65 ++++++++++--------- .../uid2-operator-ami/ansible/playbook.yml | 38 ----------- 2 files changed, 36 insertions(+), 67 deletions(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index 3688d3683..6b7268cdb 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh 
@@ -23,39 +23,46 @@ echo "Starting vsock proxy..." /app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( ( $(nproc) + 3 ) / 4 )) --log-level 3 TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime" -TIME_SYNC_INTERVAL_SECONDS="${TIME_SYNC_INTERVAL_SECONDS:-86400}" - -sync_enclave_time() { - local current_time - local parent_epoch - local enclave_epoch - local drift_seconds - if current_time=$(curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}"); then - parent_epoch=$(date -u -d "${current_time}" +%s 2>/dev/null || true) - enclave_epoch=$(date -u +%s) - if [[ -n "${parent_epoch}" ]]; then - drift_seconds=$((enclave_epoch - parent_epoch)) - echo "Time sync: drift seconds (enclave - parent) = ${drift_seconds}" - fi - if ! date -u -s "${current_time}"; then - echo "Time sync: failed to set enclave time from '${current_time}'" - return 1 - fi - echo "Time sync: updated enclave time to ${current_time}" - else - echo "Time sync: failed to fetch time from parent instance" - return 1 +TIME_SYNC_PROXY="socks5h://127.0.0.1:3305" +TIME_SYNC_INTERVAL_SECONDS="300" + +enable_time_sync_timer() { + if ! command -v systemctl >/dev/null 2>&1 || [[ ! 
-d /run/systemd/system ]]; then + echo "Time sync: systemd not available; skipping timer setup" >&2 + return 0 fi -} -start_time_sync_loop() { - while true; do - sleep "${TIME_SYNC_INTERVAL_SECONDS}" - sync_enclave_time || true - done + cat </etc/systemd/system/uid2-time-sync.service +[Unit] +Description=UID2 enclave time sync + +[Service] +Type=oneshot +Environment=TIME_SYNC_URL=${TIME_SYNC_URL} +Environment=TIME_SYNC_PROXY=${TIME_SYNC_PROXY} +ExecStart=/bin/bash -c 'set -euo pipefail; curl -sSf -x "$TIME_SYNC_PROXY" "$TIME_SYNC_URL" | xargs -I{} date -u -s "{}"; echo "Time sync: updated enclave time to $current_time"' +EOF + + cat </etc/systemd/system/uid2-time-sync.timer +[Unit] +Description=UID2 enclave time sync timer + +[Timer] +OnBootSec=30s +OnUnitActiveSec=${TIME_SYNC_INTERVAL_SECONDS}s +Unit=uid2-time-sync.service +Persistent=true +AccuracySec=1s + +[Install] +WantedBy=timers.target +EOF + + systemctl daemon-reload + systemctl enable --now uid2-time-sync.timer } -start_time_sync_loop & +enable_time_sync_timer build_parameterized_config() { curl -s -f -o "${PARAMETERIZED_CONFIG}" -x socks5h://127.0.0.1:3305 http://127.0.0.1:27015/getConfig diff --git a/scripts/aws/uid2-operator-ami/ansible/playbook.yml b/scripts/aws/uid2-operator-ami/ansible/playbook.yml index fdff8f6ff..a5ec77809 100644 --- a/scripts/aws/uid2-operator-ami/ansible/playbook.yml +++ b/scripts/aws/uid2-operator-ami/ansible/playbook.yml 
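Review bot: `enable_time_sync_timer` returns 0 after echoing `systemd not available; skipping timer setup`, so on an image without systemd the periodic sync is silently dropped and the enclave keeps whatever clock it booted with; a missing prerequisite for time sync should be loud (a non-zero return, or a message the startup log cannot miss) rather than a skipped step. Inside the `ExecStart` line `$current_time` is never assigned — the `curl | xargs -I{} date -u -s "{}"` pipeline does not capture the value — so the success log always prints an empty time. `Persistent=true` on the timer also has no effect where no timer state survives an enclave restart.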
@@ -19,44 +19,6 @@ name: nmap-ncat state: latest - - name: Install chrony for time sync - ansible.builtin.dnf: - name: chrony - state: latest - - - name: Comment out default chrony pool servers - ansible.builtin.replace: - path: /etc/chrony.conf - regexp: '^pool\s+' - replace: '# pool ' - - - name: Configure AWS Time Sync Service in chrony - ansible.builtin.lineinfile: - path: /etc/chrony.conf - line: 'server 169.254.169.123 prefer iburst' - state: present - insertafter: EOF - - - name: Enable RTC sync in chrony - ansible.builtin.lineinfile: - path: /etc/chrony.conf - line: 'rtcsync' - state: present - insertafter: EOF - - - name: Allow chrony to step clock at startup - ansible.builtin.lineinfile: - path: /etc/chrony.conf - line: 'makestep 1.0 3' - state: present - insertafter: EOF - - - name: Ensure chronyd is enabled at boot - ansible.builtin.systemd: - name: chronyd - state: started - enabled: true - - name: Install python ansible.builtin.dnf: name: From 63ea32cb2de25280e3f47032cd76833e3b57b22e Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Wed, 28 Jan 2026 08:26:59 +0000 Subject: [PATCH 12/21] [CI Pipeline] Released Snapshot version: 5.63.27-alpha-208-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index b2c0027b0..4fc717919 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.26-alpha-207-SNAPSHOT + 5.63.27-alpha-208-SNAPSHOT UTF-8 From 6aecf6cd78a932327a19f9cbc59172561a4d43c3 Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Wed, 28 Jan 2026 15:32:46 -0800 Subject: [PATCH 13/21] Add echo update the time --- scripts/aws/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index 6b7268cdb..77bbe5c6c 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh 
@@ -40,7 +40,7 @@ Description=UID2 enclave time sync Type=oneshot Environment=TIME_SYNC_URL=${TIME_SYNC_URL} Environment=TIME_SYNC_PROXY=${TIME_SYNC_PROXY} -ExecStart=/bin/bash -c 'set -euo pipefail; curl -sSf -x "$TIME_SYNC_PROXY" "$TIME_SYNC_URL" | xargs -I{} date -u -s "{}"; echo "Time sync: updated enclave time to $current_time"' +ExecStart=/bin/bash -c 'set -euo pipefail; current_time="$(curl -sSf -x "$TIME_SYNC_PROXY" "$TIME_SYNC_URL")"; date -u -s "$current_time"; echo "Time sync: updated enclave time to $current_time"' EOF cat </etc/systemd/system/uid2-time-sync.timer From 550f0de820826389a97680c5358cb0f340702da8 Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Wed, 28 Jan 2026 15:40:48 -0800 Subject: [PATCH 14/21] Add test --- scripts/aws/entrypoint.sh | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index 77bbe5c6c..701c4686f 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh 
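Review bot: The new `ExecStart` line sits inside a heredoc that must be unquoted, because `Environment=TIME_SYNC_URL=${TIME_SYNC_URL}` two lines above relies on the shell expanding it at write time, so `"$(curl -sSf ...)"` runs once when the unit file is written and `"$current_time"` expands to the then-unset shell variable, leaving a service that executes `date -u -s ""` on every timer run. The `$` and `$(` meant for systemd need to survive the heredoc: escape them as `\$current_time` and `\$(curl ...)`, or write the unit from a quoted heredoc and pass `TIME_SYNC_URL`/`TIME_SYNC_PROXY` only through the `Environment=` lines. The `cat` redirection in this rendering looks mangled (`cat </etc/...`), so the heredoc operator itself could not be checked here.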
@@ -26,6 +26,30 @@ TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime" TIME_SYNC_PROXY="socks5h://127.0.0.1:3305" TIME_SYNC_INTERVAL_SECONDS="300" +TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-30}" + +sync_enclave_time_with_offset_once() { + local current_time + local parent_epoch + if current_time=$(curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}"); then + parent_epoch=$(date -u -d "${current_time}" +%s 2>/dev/null || true) + if [[ -n "${parent_epoch}" ]]; then + parent_epoch=$((parent_epoch + TIME_SYNC_OFFSET_SECONDS)) + if ! date -u -s "@${parent_epoch}"; then + echo "Time sync: failed to set enclave time from '${current_time}' with offset ${TIME_SYNC_OFFSET_SECONDS}s" + return 1 + fi + echo "Time sync: updated enclave time to ${current_time} + ${TIME_SYNC_OFFSET_SECONDS}s" + fi + else + echo "Time sync: failed to fetch time from parent instance" + return 1 + fi +} + +sync_enclave_time_with_offset_once || true + + enable_time_sync_timer() { if ! command -v systemctl >/dev/null 2>&1 || [[ ! -d /run/systemd/system ]]; then echo "Time sync: systemd not available; skipping timer setup" >&2 @@ -48,7 +72,7 @@ EOF Description=UID2 enclave time sync timer [Timer] -OnBootSec=30s +OnBootSec=300s OnUnitActiveSec=${TIME_SYNC_INTERVAL_SECONDS}s Unit=uid2-time-sync.service Persistent=true From 97c6e98bd7697027ec28bd2e6aea6a5a770139b2 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Wed, 28 Jan 2026 23:42:26 +0000 Subject: [PATCH 15/21] [CI Pipeline] Released Snapshot version: 5.63.28-alpha-209-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4fc717919..2f3284d50 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.27-alpha-208-SNAPSHOT + 5.63.28-alpha-209-SNAPSHOT UTF-8 From 1f7dad7ff323ac5dd97031ebb8d09ce36cd5027e Mon Sep 17 00:00:00 2001 
From: Caroline6312 Date: Wed, 28 Jan 2026 18:07:16 -0800 Subject: [PATCH 16/21] Switch to cronjob on host as no systemd running in enclave --- scripts/aws/entrypoint.sh | 80 ++++++++++--------- scripts/aws/proxies.host.yaml | 5 ++ scripts/aws/proxies.nitro.yaml | 5 ++ .../uid2-operator-ami/ansible/playbook.yml | 16 ++++ 4 files changed, 70 insertions(+), 36 deletions(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index 701c4686f..f490920c6 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh @@ -24,8 +24,7 @@ echo "Starting vsock proxy..." TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime" TIME_SYNC_PROXY="socks5h://127.0.0.1:3305" -TIME_SYNC_INTERVAL_SECONDS="300" - +TIME_SYNC_TRIGGER_PORT="${TIME_SYNC_TRIGGER_PORT:-27100}" TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-30}" sync_enclave_time_with_offset_once() { 
@@ -50,43 +49,52 @@ sync_enclave_time_with_offset_once() { sync_enclave_time_with_offset_once || true -enable_time_sync_timer() { - if ! command -v systemctl >/dev/null 2>&1 || [[ ! -d /run/systemd/system ]]; then - echo "Time sync: systemd not available; skipping timer setup" >&2 - return 0 - fi - cat </etc/systemd/system/uid2-time-sync.service -[Unit] -Description=UID2 enclave time sync - -[Service] -Type=oneshot -Environment=TIME_SYNC_URL=${TIME_SYNC_URL} -Environment=TIME_SYNC_PROXY=${TIME_SYNC_PROXY} -ExecStart=/bin/bash -c 'set -euo pipefail; current_time="$(curl -sSf -x "$TIME_SYNC_PROXY" "$TIME_SYNC_URL")"; date -u -s "$current_time"; echo "Time sync: updated enclave time to $current_time"' -EOF - - cat </etc/systemd/system/uid2-time-sync.timer -[Unit] -Description=UID2 enclave time sync timer - -[Timer] -OnBootSec=300s -OnUnitActiveSec=${TIME_SYNC_INTERVAL_SECONDS}s -Unit=uid2-time-sync.service -Persistent=true -AccuracySec=1s - -[Install] -WantedBy=timers.target -EOF - - systemctl daemon-reload - systemctl enable --now uid2-time-sync.timer +start_time_sync_server() { + python3 - <<'PY' & +import os +import subprocess +from http.server import BaseHTTPRequestHandler, HTTPServer + +TIME_SYNC_URL = os.environ.get("TIME_SYNC_URL", "http://127.0.0.1:27015/getCurrentTime") +TIME_SYNC_PROXY = os.environ.get("TIME_SYNC_PROXY", "socks5h://127.0.0.1:3305") +TIME_SYNC_TRIGGER_PORT = int(os.environ.get("TIME_SYNC_TRIGGER_PORT", "27100")) + +def sync_time() -> str: + current_time = subprocess.check_output( + ["curl", "-sSf", "-x", TIME_SYNC_PROXY, TIME_SYNC_URL], + text=True, + ).strip() + subprocess.check_call(["date", "-u", "-s", current_time]) + return current_time + +class Handler(BaseHTTPRequestHandler): + def do_GET(self) -> None: + if self.path not in ("/", "/sync"): + self.send_response(404) + self.end_headers() + return + try: + result = sync_time() + print(f"Time sync: updated enclave time to {result}") + self.send_response(200) + self.end_headers() + 
self.wfile.write(f"OK {result}\n".encode()) + except Exception as exc: # pragma: no cover - best effort logging + print(f"Time sync error: {exc}") + self.send_response(500) + self.end_headers() + self.wfile.write(f"ERROR {exc}\n".encode()) + + def log_message(self, format, *args): # noqa: N802 - match base class + return + +server = HTTPServer(("127.0.0.1", TIME_SYNC_TRIGGER_PORT), Handler) +server.serve_forever() +PY } -enable_time_sync_timer +start_time_sync_server build_parameterized_config() { curl -s -f -o "${PARAMETERIZED_CONFIG}" -x socks5h://127.0.0.1:3305 http://127.0.0.1:27015/getConfig diff --git a/scripts/aws/proxies.host.yaml b/scripts/aws/proxies.host.yaml index 5a2ae0623..5ed149f3c 100644 --- a/scripts/aws/proxies.host.yaml +++ b/scripts/aws/proxies.host.yaml @@ -19,3 +19,8 @@ syslogng: service: direct listen: vsock://-1:2011 connect: tcp://127.0.0.1:2011 +time-sync: + service: direct + listen: tcp://127.0.0.1:27100 + connect: vsock://42:27100 + diff --git a/scripts/aws/proxies.nitro.yaml b/scripts/aws/proxies.nitro.yaml index 0f459b150..f981a9a29 100644 --- a/scripts/aws/proxies.nitro.yaml +++ b/scripts/aws/proxies.nitro.yaml @@ -19,3 +19,8 @@ syslogng: service: direct listen: tcp://127.0.0.1:2011 connect: vsock://3:2011 +time-sync: + service: direct + listen: vsock://-1:27100 + connect: tcp://127.0.0.1:27100 + diff --git a/scripts/aws/uid2-operator-ami/ansible/playbook.yml b/scripts/aws/uid2-operator-ami/ansible/playbook.yml index a5ec77809..f60c5d958 100644 --- a/scripts/aws/uid2-operator-ami/ansible/playbook.yml +++ b/scripts/aws/uid2-operator-ami/ansible/playbook.yml 
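Review bot: `sync_time` runs `curl` with no `--max-time`, and `HTTPServer` serves one request at a time, so a parent endpoint that accepts the connection but never answers blocks this handler and every later `/sync` request indefinitely while the host cron keeps starting a new `curl` every five minutes; `["curl", "-sSf", "--max-time", "10", "-x", TIME_SYNC_PROXY, TIME_SYNC_URL]` bounds that. The script reads `TIME_SYNC_URL`, `TIME_SYNC_PROXY` and `TIME_SYNC_TRIGGER_PORT` from `os.environ`, but the entrypoint assigns them as plain shell variables with no `export` in the hunks shown, so unless they are exported elsewhere the Python defaults are what actually take effect and the shell values are dead; `export TIME_SYNC_URL TIME_SYNC_PROXY TIME_SYNC_TRIGGER_PORT` before the heredoc keeps one source of truth. The trigger is unauthenticated but bound to `127.0.0.1` inside the enclave and reachable only through the vsock proxy from the host, which already supplies the enclave's config, so the added exposure is limited to forcing resyncs; the drift logging from PATCH 03 was dropped along the way, and printing the old and new epoch around `date -u -s` would keep clock steps auditable.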
@@ -167,6 +167,15 @@ dest: /etc/systemd/system/uid2operator.service remote_src: yes + - name: Install time sync trigger script + ansible.builtin.copy: + dest: /usr/local/bin/uid2-time-sync + mode: "0755" + content: | + #!/usr/bin/env bash + set -euo pipefail + curl -sSf http://127.0.0.1:27100/sync > /dev/null + - name: Install AWS Nitro Enclaves CLI ansible.builtin.dnf: name: aws-nitro-enclaves-cli @@ -240,6 +249,13 @@ ansible.builtin.systemd: name: uid2operator.service enabled: yes + + - name: Install time sync cron job + ansible.builtin.copy: + dest: /etc/cron.d/uid2-time-sync + mode: "0644" + content: | + */5 * * * * root /usr/local/bin/uid2-time-sync - name: Clean up tmp files file: From b7533c2bba43c57fdf134ca22bc355f63bfba28d Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Thu, 29 Jan 2026 02:08:35 +0000 Subject: [PATCH 17/21] [CI Pipeline] Released Snapshot version: 5.63.29-alpha-210-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2f3284d50..40f7f8cd1 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.28-alpha-209-SNAPSHOT + 5.63.29-alpha-210-SNAPSHOT UTF-8 From cdf4a81617a5ecb53fea40c31547e935ae60ed81 Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Wed, 28 Jan 2026 23:59:58 -0800 Subject: [PATCH 18/21] Update --- scripts/aws/uid2-operator-ami/ansible/playbook.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/scripts/aws/uid2-operator-ami/ansible/playbook.yml b/scripts/aws/uid2-operator-ami/ansible/playbook.yml index f60c5d958..308dadc55 100644 --- a/scripts/aws/uid2-operator-ami/ansible/playbook.yml +++ b/scripts/aws/uid2-operator-ami/ansible/playbook.yml @@ -19,6 +19,11 @@ name: nmap-ncat state: latest + - name: Install cron + ansible.builtin.dnf: + name: cronie + state: latest + - name: Install python ansible.builtin.dnf: name: 
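Review bot: The `uid2-time-sync` trigger script calls `curl -sSf http://127.0.0.1:27100/sync` with no timeout, and the cron entry runs it as `root` every five minutes, so a hung enclave-side handler leaves root-owned `curl` processes accumulating on the host. The script only performs a loopback HTTP GET and needs no privilege, so running it as an unprivileged account in `/etc/cron.d/uid2-time-sync` plus `curl -sSf --max-time 30 http://127.0.0.1:27100/sync > /dev/null` bounds both the privilege and the runtime. When the enclave is not running, `-f` makes every run fail and cron mails the `-S` error each time; setting `MAILTO=""` in the cron file or sending the failure to syslog via `logger` puts it where the other enclave logs land.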
@@ -250,6 +255,12 @@ name: uid2operator.service enabled: yes + - name: Ensure cron is enabled at boot + ansible.builtin.systemd: + name: crond + state: started + enabled: yes + - name: Install time sync cron job ansible.builtin.copy: dest: /etc/cron.d/uid2-time-sync From df5154456f514c9ea3129c35f538a0b72702d7bc Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Thu, 29 Jan 2026 08:01:26 +0000 Subject: [PATCH 19/21] [CI Pipeline] Released Snapshot version: 5.63.30-alpha-211-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 40f7f8cd1..8a56439e4 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.29-alpha-210-SNAPSHOT + 5.63.30-alpha-211-SNAPSHOT UTF-8 From 3bc31883331001bec2fa3e82396b49a86f71edc9 Mon Sep 17 00:00:00 2001 From: Caroline6312 Date: Thu, 29 Jan 2026 01:31:11 -0800 Subject: [PATCH 20/21] Update log printout --- scripts/aws/entrypoint.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh index f490920c6..f606df6ef 100755 --- a/scripts/aws/entrypoint.sh +++ b/scripts/aws/entrypoint.sh @@ -51,11 +51,14 @@ sync_enclave_time_with_offset_once || true start_time_sync_server() { - python3 - <<'PY' & + python3 -u - <<'PY' & +import sys import os import subprocess from http.server import BaseHTTPRequestHandler, HTTPServer +sys.stdout.reconfigure(line_buffering=True) + TIME_SYNC_URL = os.environ.get("TIME_SYNC_URL", "http://127.0.0.1:27015/getCurrentTime") TIME_SYNC_PROXY = os.environ.get("TIME_SYNC_PROXY", "socks5h://127.0.0.1:3305") TIME_SYNC_TRIGGER_PORT = int(os.environ.get("TIME_SYNC_TRIGGER_PORT", "27100")) 
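Review bot: `python3 -u`, `sys.stdout.reconfigure(line_buffering=True)` and the `flush=True` added to each `print` in the next hunk all solve the same buffering problem, and `-u` alone already makes stdout unbuffered for the whole interpreter, so the other two are redundant. Keeping just `python3 -u - <<'PY' &` (or just the `reconfigure` call, which also works without the flag) and dropping the per-call `flush=True` leaves one mechanism to reason about. If `-u` is the one kept, the new `import sys` becomes unused.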
@@ -76,12 +79,12 @@ class Handler(BaseHTTPRequestHandler): return try: result = sync_time() - print(f"Time sync: updated enclave time to {result}") + print(f"Time sync: updated enclave time to {result}", flush=True) self.send_response(200) self.end_headers() self.wfile.write(f"OK {result}\n".encode()) except Exception as exc: # pragma: no cover - best effort logging - print(f"Time sync error: {exc}") + print(f"Time sync error: {exc}", flush=True) self.send_response(500) self.end_headers() self.wfile.write(f"ERROR {exc}\n".encode()) From cb04ca47ef195eb3840200a81d96539988b7d151 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Thu, 29 Jan 2026 09:32:33 +0000 Subject: [PATCH 21/21] [CI Pipeline] Released Snapshot version: 5.63.31-alpha-212-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8a56439e4..3f6cc9a4d 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.63.30-alpha-211-SNAPSHOT + 5.63.31-alpha-212-SNAPSHOT UTF-8