Fix private operator time drift #2300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

caroline-ttd wants to merge 32 commits into main from ccm-UID2-6489-drift

pom.xml

-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,7 @@ @@
         <groupId>com.uid2</groupId>
         <artifactId>uid2-operator</artifactId>
-        <version>5.63.22</version>
+        <version>5.63.33-alpha-214-SNAPSHOT</version>
         <properties>
             <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ Expand Down @@

scripts/aws/Dockerfile

-Original file line number
+Diff line change
@@ Expand Up / @@ -20,7 +20,7 @@ COPY ./syslog-ng-ose-pub.asc /app/dep/ @@
     RUN echo "deb http://security.ubuntu.com/ubuntu focal-security main" | tee -a /etc/apt/sources.list \
         && apt update -y \
-        && apt install -y pkg-config libssl-dev libssl1.1 net-tools curl jq netcat python3 python3-pip libcap2 libivykis0 libjson-c5 libnet1 libwrap0 \
+        && apt install -y pkg-config libssl-dev libssl1.1 net-tools curl jq netcat python3 python3-pip libcap2 libivykis0 libjson-c5 libnet1 libwrap0 cron \
         && apt-key add /app/dep/syslog-ng-ose-pub.asc \
         && apt-get install /app/dep/syslog-ng-core_4.6.0-1_amd64.deb \
         && rm -rf /var/lib/apt/lists/* \
@@ Expand Down @@

scripts/aws/config-server/app.py

-Original file line number
+Diff line change
@@ -1,4 +1,5 @@
     from flask import Flask
+    from datetime import datetime, timezone
     import json
     import os
@@ Expand All / @@ -11,8 +12,15 @@ @@
                 secret_value = secret_file.read().strip()
                 secret_value_json = json.loads(secret_value)
             return json.dumps(secret_value_json)
         except Exception as e:
             return str(e), 500
+    @app.route('/getCurrentTime', methods=['GET'])
+    def get_time():
+        try:
+            return datetime.now(timezone.utc).isoformat(timespec="seconds")
+        except Exception as e:
+            return str(e), 500
     if __name__ == '__main__':
         app.run(processes=8)

scripts/aws/entrypoint.sh

-Original file line number
+Diff line change
@@ Expand Up / @@ -22,6 +22,43 @@ ifconfig lo 127.0.0.1 @@
     echo "Starting vsock proxy..."
     /app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( ( $(nproc) + 3 ) / 4 )) --log-level 3
+    TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime"
+    TIME_SYNC_PROXY="socks5h://127.0.0.1:3305"
+    TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-30}"
+    sync_enclave_time_with_offset_once() {
+      local current_time
+      local parent_epoch
+      if current_time=$(curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}"); then
+        parent_epoch=$(date -u -d "${current_time}" +%s 2>/dev/null || true)
+        if [[ -n "${parent_epoch}" ]]; then
+          parent_epoch=$((parent_epoch + TIME_SYNC_OFFSET_SECONDS))
+          if ! date -u -s "@${parent_epoch}"; then
+            echo "Time sync: failed to set enclave time from '${current_time}' with offset ${TIME_SYNC_OFFSET_SECONDS}s"
+            return 1
+          fi
+          echo "Time sync: updated enclave time to ${current_time} + ${TIME_SYNC_OFFSET_SECONDS}s"
+        fi
+      else
+        echo "Time sync: failed to fetch time from parent instance"
+        return 1
+      fi
+    }
+    sync_enclave_time_with_offset_once || true
+    install_time_sync_cron() {
+      mkdir -p /etc/cron.d
+      cat > /etc/cron.d/uid-time-sync <<EOF
+    */5 * * * * root current_time=\$(curl -sSf -x "${TIME_SYNC_PROXY}" "${TIME_SYNC_URL}") && date -u -s "\${current_time}" && echo "Time sync: updated enclave time to \${current_time}" >>/proc/1/fd/1 2>>/proc/1/fd/2
+    EOF
+      chmod 0644 /etc/cron.d/uid-time-sync
+      cron
+    }
+    install_time_sync_cron
     build_parameterized_config() {
       curl -s -f -o "${PARAMETERIZED_CONFIG}" -x socks5h://127.0.0.1:3305 http://127.0.0.1:27015/getConfig
       REQUIRED_KEYS=("optout_base_url" "core_base_url" "core_api_token" "optout_api_token" "environment" "uid_instance_id_prefix")
@@ Expand Down @@

scripts/aws/uid2-operator-ami/ansible/playbook.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -240,7 +240,7 @@ @@
         ansible.builtin.systemd:
           name: uid2operator.service
           enabled: yes
       - name: Clean up tmp files
         file:
           path: /tmp/artifacts
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix private operator time drift #2300

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Check warning

Uh oh!

Fix private operator time drift #2300

Are you sure you want to change the base?

Uh oh!

Fix private operator time drift #2300

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Check warning

Uh oh!

Uh oh!