podman: OS X, podman machine time stops sometime

Alright, I’m starting to actively work on this, thanks for holding tight y’all 😃

Might be a little ham-fisted, but whenever I notice the machine’s date is out of sync I just set it to the same as the host with podman machine ssh date --set $(date -Iseconds)

makestep seems to fit this use-case exactly:

in some cases (e.g. a computer without an RTC or virtual machine which can be suspended and resumed with an incorrect time) it might be necessary to allow the step on any clock update. The example above would change to

makestep 1 -1

Source

To update the default Podman-Machine:

podman machine ssh --username root -- sed -i 's/^makestep\ .*$/makestep\ 1\ -1/' /etc/chrony.conf
podman machine ssh --username root -- systemctl restart chronyd

I ran into this and used this as a workaround:

podman machine ssh 'sudo hwclock -s'

Might be a little ham-fisted, but whenever I notice the machine’s date is out of sync I just set it to the same as the host with podman machine ssh date --set $(date -Iseconds)

On macOS (Catalina) I had to modify the command a bit:

podman machine ssh sudo date --set $(date +'%Y-%m-%dT%H:%M:%S')

In MacOS I do this for rootless containers

podman machine ssh

And then in the machine shell

sudo -i
hwclock --hctosys

May be this could become an optional auto apply script in the desktop app companion for MacOS. Executed, when OS resumes from sleep/suspend.

Might be a little ham-fisted, but whenever I notice the machine’s date is out of sync I just set it to the same as the host with podman machine ssh date --set $(date -Iseconds)

On macOS (Catalina) I had to modify the command a bit:

podman machine ssh sudo date --set $(date +'%Y-%m-%dT%H:%M:%S')

You could also run as root directly without sudo. Monterey & podman 4.1.1

podman machine ssh --username root date --set $(date -Iseconds)

Devs are using Podman in our organisation. We have all MacBook Pros and we all have frequent time drifts on all recent versions (in fact all versions we tried), including latest 4.1, causing us frequent random issues. It would be good if podman could have some built in solution to the problem. It wouldn’t be anything unusual since there are other OSX specific fixes available already.

Is there anyway to easily configure the VM? No real need to install additional services as one possible issue is to add NTP servers to the systemd-timesyncd service. Will report back after the weekend if this hasn’t worked.

[core@localhost ~]$ sudo sed -i 's/#NTP=.*/NTP=0.fedora.pool.ntp.org 1.fedora.pool.ntp.org/g' /etc/systemd/timesyncd.conf 
[core@localhost ~]$ grep -v '^#' /etc/systemd/timesyncd.conf 

[Time]
NTP=0.fedora.pool.ntp.org 1.fedora.pool.ntp.org
[core@localhost ~]$ sudo systemctl restart systemd-timesyncd.service 

This of course won’t help if there’s firewalls blocking stuff, as in https://github.com/containers/podman/issues/11541#issuecomment-984179128

There is a long blog post about this on the Docker blog. https://www.docker.com/blog/addressing-time-drift-in-docker-desktop-for-mac/

Docker Desktop runs an embedded NTP server on the host. It takes his source on the system time. A NTP client in the VM keeps it in sync.

hwclock was not sufficient for me on my M1 MBP: I would still get some skew (not as long as the machine had been off but enough to cause problems with e.g. certificate and signature validation). Instead. I tell chrony to do its thing:

podman machine ssh "sudo chronyc -m 'burst 4/4' makestep; date -u"

Note that this will step the clock instantly instead of slewing. Hence it is appropriate for running immediately on resume but it may impact existing containers negatively. See chrony’s makestep and related documentation for details.

Same issue here, noticed today after my mac hibernated over the weekend. Nothing helped except restarting the machine.

@ashley-cui / @rhatdan Sadly this is still an issue after over a year.

While this gets fixed, should we mark podman as beta for macOS users?

Took me on an unbelievable ride on three instances to triage what’s wrong with signature based auth and log event timing.

• Developing Slack Bot which requires accurate time
• Sending Splunk log events resulted in strange time delays
• OTP Auth generation resulted in invalid code

Will try several options posted here and see if anything helps with internal QEMU VM. Do share any workaround if you have any!

It’s happening for me especially after resuming work after weekends. (The symptom I always see is that package repositories are “not valid yet”, e.g., E: Release file for http://ports.ubuntu.com/ubuntu-ports/dists/focal-updates/InRelease is not valid yet (invalid for another 3d 6h 54min 17s). Updates for this repository will not be applied..

sudo systemctl restart systemd-timesyncd.service (mentioned in https://github.com/containers/podman/issues/11541#issuecomment-990998454) worked to fix it for me, @zeekoe, maybe you can try it:

[core@localhost ~]$ timedatectl
               Local time: Fri 2022-05-06 05:27:47 CEST
           Universal time: Fri 2022-05-06 03:27:47 UTC
                 RTC time: Mon 2022-05-09 10:28:46
                Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no
[core@localhost ~]$ sudo systemctl restart systemd-timesyncd.service 
[core@localhost ~]$ timedatectl
               Local time: Mon 2022-05-09 12:46:51 CEST
           Universal time: Mon 2022-05-09 10:46:51 UTC
                 RTC time: Mon 2022-05-09 10:46:52
                Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

it could easily be added to the ignition file that is used to configure the coreos instance.

Ok, I wondered if Podman might already had its own Ignition configuration. I found it and did just that in #17661.

I edited /etc/chrony.conf and added maxchange 100000 1 2 which lets chrony fix the time when it is very off. (Disclaimer: Not properly researched. Just seems to work for now.)

I installed sleepwatcher via brew and then added the following to my ~/.wakeup script to update the date and time whenever my Mac wakes up:

#!/bin/bash

# Fix Podman Machine's time drift on wake
if [[ $(/usr/local/bin/podman machine info) ]]; then
    the_date=$(date +'%Y-%m-%dT%H:%M:%S')
    /usr/local/bin/podman machine ssh sudo date --set $the_date
    echo "Updated Podman Machine date: $the_date" >> ~/podman_debug.log
fi

So far, so good (until a long term fix becomes available).

This is still an issue with podman 3.4.4 on macOs.

When doing podman build of a Dockerfile with RUN apt-get update -q it crashes with exit status 100.

E: Release file for http://security.debian.org/debian-security/dists/buster/updates/InRelease is not valid yet (invalid for another 9h 11min 44s). Updates for this repository will not be applied.

I suspect this impacts many seeing this is a very common use case, so I added the error message here for discoverability.

Workaround:

The command hwclock --hctosyswas still off by 20 minutes somehow, but sudo reboot fixed the clock. It now outputs correct timedatectl and that also fixed the above build error.

I think so

@dm3ch @baude @ashley-cui Is this still a bug?

This situation can also happen after suspend/resume of the system. See a solution here: https://github.com/linuxkit/linuxkit/tree/master/pkg/host-timesync-daemon

hmm… NTP should be utilized on Fedora CoreOS by default

What’s the output of the following commands run on the Fedora CoreOS host?

• timedatectl
• systemctl status chronyd
• sudo journalctl -b 0 -u chronyd

Either we should make Podman do the same for its image or we should bring this up in the Fedora CoreOS project.

I asked Fedora CoreOS if it would make sense to use makestep 1 -1 as the default, but it doesn’t appear to be a good default for all qemu VMs. In that case I propose that we add this configuration to the default Podman machine image.

Makestep does indeed seem like the right solution. It looks like makestep 1 -1 was discussed in a Fedora CoreOS bug and the conclusion was that it should be the default.

I’m not sure why that doesn’t show up in our images. Oh, I see. The change spawned by that discussion is only for cloud VM images. Either we should make Podman do the same for its image or we should bring this up in the Fedora CoreOS project.

@ashley-cui Thanks. Ping me for testing, macos support is important for me and I would be more than happy to spend some time and help making podman on macos easier to use.

The host side code for time sync for vfkit/crc is https://github.com/cfergeau/vfkit/blob/timesync/cmd/vfkit/timesync.go This should be fairly easy to adapt for use with qemu (replace the call to vf.ConnectVsockSync with something connecting over virtio-serial)

@gbraad pointed me at https://github.com/prashantgupta24/mac-sleep-notifier which should be much better than sleepwatcher as it’s native go/cgo code so it can directly be reused in crc/podman machine/…

@mayurah A fix for this is on our roadmap. In the meantime, using podman machine ssh to sync time is the best workaround.

#11541 (comment)

The issue is that you have to apply band-aid fix each time macOS M1 wakes up from sleep! If underlaying qemu VM had auto-NTP (which isn’t hard to setup inside VM), it would probably solve the issue.

For a perm fix, would you be able to take a PR if raised and review it? or is it that someone is actually working on the fix?

I believe the fix would help a lot of users who doesn’t even know that this is a big issue for applications that relies on time!

Alternatives such as Docker Desktop has become expensive possession to have for infrequent container building efforts.

Please guide!

had the same problem. with the latest podman update 4.2.0, i realised there is a message regarding firewall access. haven’t seen that before and was now able to allow access. it seems to be working even after sleep now. at least that’s what timedatectl indicates…

EDIT: nope, still stopping randomly or after longer sleep cycle…

I’m also reproducing it with current podman/podman machine on macOS 12.5 and I’m connected to internet

machine is Rootful

  "if=virtio,file=/Users/benoitf/.local/share/containers/podman/machine/qemu/podman-machine-default_fedora-coreos-36.20220723.2.2-qemu.x86_64.qcow2"
 ],
 "Rootful": true,

Date on my computer: Wed Aug 10 12:06:43 CEST 2022 in the VM: Tue 2022-08-09 23:50:35 CEST

[root@localhost ~]# timedatectl
               Local time: Tue 2022-08-09 23:50:35 CEST
           Universal time: Tue 2022-08-09 21:50:35 UTC
                 RTC time: Wed 2022-08-10 10:06:32
                Time zone: Europe/Paris (CEST, +0200)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no

● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-08-09 17:22:35 CEST; 6h ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
    Process: 794 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 857 (chronyd)
      Tasks: 1 (limit: 2254)
     Memory: 1.6M
        CPU: 2.086s
     CGroup: /system.slice/chronyd.service
             └─ 857 /usr/sbin/chronyd -F 2

Aug 09 19:30:19 localhost.localdomain chronyd[857]: Selected source 37.187.104.44 (2.fedora.pool.ntp.org)
Aug 09 19:30:19 localhost.localdomain chronyd[857]: System clock wrong by 7129.523632 seconds
Aug 09 19:31:24 localhost.localdomain chronyd[857]: Can't synchronise: no selectable sources
Aug 09 19:42:10 localhost.localdomain chronyd[857]: Selected source 37.187.104.44 (2.fedora.pool.ntp.org)
Aug 09 19:42:10 localhost.localdomain chronyd[857]: System clock wrong by 6313.512300 seconds
Aug 09 19:44:24 localhost.localdomain chronyd[857]: Selected source 162.159.200.1 (2.fedora.pool.ntp.org)
Aug 09 21:09:30 localhost.localdomain chronyd[857]: Source 194.177.34.116 replaced with 51.195.120.107 (2.fedora.pool.ntp.org)
Aug 09 21:12:45 localhost.localdomain chronyd[857]: Can't synchronise: no majority
Aug 09 21:13:50 localhost.localdomain chronyd[857]: Selected source 51.195.120.107 (2.fedora.pool.ntp.org)
Aug 09 21:13:50 localhost.localdomain chronyd[857]: System clock wrong by 85.880138 seconds

Aug 09 17:22:34 localhost systemd[1]: Starting chronyd.service - NTP client/server...
Aug 09 17:22:35 localhost chronyd[857]: chronyd version 4.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
Aug 09 17:22:35 localhost chronyd[857]: Frequency 9.495 +/- 23.975 ppm read from /var/lib/chrony/drift
Aug 09 17:22:35 localhost chronyd[857]: Using right/UTC timezone to obtain leap second data
Aug 09 17:22:35 localhost chronyd[857]: Loaded seccomp filter (level 2)
Aug 09 17:22:35 localhost systemd[1]: Started chronyd.service - NTP client/server.
Aug 09 17:22:41 localhost.localdomain chronyd[857]: Selected source 54.38.222.63 (2.fedora.pool.ntp.org)
Aug 09 17:22:41 localhost.localdomain chronyd[857]: System clock wrong by 1.368469 seconds
Aug 09 17:22:42 localhost.localdomain chronyd[857]: System clock was stepped by 1.368469 seconds
Aug 09 17:22:42 localhost.localdomain chronyd[857]: System clock TAI offset set to 37 seconds
Aug 09 17:47:32 localhost.localdomain chronyd[857]: Received KoD RATE from 195.154.220.89
Aug 09 18:13:31 localhost.localdomain chronyd[857]: Selected source 188.165.236.162 (2.fedora.pool.ntp.org)
Aug 09 18:13:31 localhost.localdomain chronyd[857]: Source 54.38.222.63 replaced with 162.159.200.1 (2.fedora.pool.ntp.org)
Aug 09 18:13:32 localhost.localdomain chronyd[857]: Can't synchronise: no selectable sources
Aug 09 18:16:45 localhost.localdomain chronyd[857]: Selected source 162.159.200.1 (2.fedora.pool.ntp.org)
Aug 09 18:16:45 localhost.localdomain chronyd[857]: System clock wrong by 1761.019063 seconds
Aug 09 18:18:55 localhost.localdomain chronyd[857]: Selected source 188.165.236.162 (2.fedora.pool.ntp.org)
Aug 09 18:18:56 localhost.localdomain chronyd[857]: Can't synchronise: no selectable sources
Aug 09 18:36:02 localhost.localdomain chronyd[857]: Selected source 5.196.181.37 (2.fedora.pool.ntp.org)
Aug 09 18:36:02 localhost.localdomain chronyd[857]: System clock wrong by 7387.229919 seconds
Aug 09 18:37:08 localhost.localdomain chronyd[857]: Can't synchronise: no selectable sources
Aug 09 18:43:36 localhost.localdomain chronyd[857]: Source 5.196.181.37 replaced with 194.177.34.116 (2.fedora.pool.ntp.org)
Aug 09 18:46:50 localhost.localdomain chronyd[857]: Selected source 194.177.34.116 (2.fedora.pool.ntp.org)
Aug 09 18:46:50 localhost.localdomain chronyd[857]: System clock wrong by 6227.637024 seconds
Aug 09 18:49:09 localhost.localdomain chronyd[857]: Can't synchronise: no selectable sources
Aug 09 19:14:03 localhost.localdomain chronyd[857]: Source 195.154.220.89 replaced with 37.187.104.44 (2.fedora.pool.ntp.org)
Aug 09 19:17:17 localhost.localdomain chronyd[857]: Selected source 37.187.104.44 (2.fedora.pool.ntp.org)
Aug 09 19:17:17 localhost.localdomain chronyd[857]: System clock wrong by 16793.065160 seconds
Aug 09 19:19:31 localhost.localdomain chronyd[857]: Can't synchronise: no selectable sources
Aug 09 19:30:19 localhost.localdomain chronyd[857]: Selected source 37.187.104.44 (2.fedora.pool.ntp.org)
Aug 09 19:30:19 localhost.localdomain chronyd[857]: System clock wrong by 7129.523632 seconds
Aug 09 19:31:24 localhost.localdomain chronyd[857]: Can't synchronise: no selectable sources
Aug 09 19:42:10 localhost.localdomain chronyd[857]: Selected source 37.187.104.44 (2.fedora.pool.ntp.org)
Aug 09 19:42:10 localhost.localdomain chronyd[857]: System clock wrong by 6313.512300 seconds
Aug 09 19:44:24 localhost.localdomain chronyd[857]: Selected source 162.159.200.1 (2.fedora.pool.ntp.org)
Aug 09 21:09:30 localhost.localdomain chronyd[857]: Source 194.177.34.116 replaced with 51.195.120.107 (2.fedora.pool.ntp.org)
Aug 09 21:12:45 localhost.localdomain chronyd[857]: Can't synchronise: no majority
Aug 09 21:13:50 localhost.localdomain chronyd[857]: Selected source 51.195.120.107 (2.fedora.pool.ntp.org)
Aug 09 21:13:50 localhost.localdomain chronyd[857]: System clock wrong by 85.880138 seconds

Pinging from the podman machine

[root@localhost ~]# ping 2.fedora.pool.ntp.org
PING 2.fedora.pool.ntp.org (5.196.160.139) 56(84) bytes of data.
64 bytes from 5.196.160.139 (5.196.160.139): icmp_seq=1 ttl=64 time=0.740 ms
64 bytes from 5.196.160.139 (5.196.160.139): icmp_seq=2 ttl=64 time=0.564 ms

Just spent 2 hours trying to work out why my app using the AWS API was failing running in podman, but worked fine running locally. The culprit was the date shift/freeze - AWS includes the date in it’s API auth/signing scheme (presumably to inhibit some kinds of replay attacks) and the AWS APIs were going “that X-Amz-Date: data isn’t in the valid window”

So just a “me too” on the issue is still happening.

podman machine stop; podman machine start fixed it, albeit only temporarily based on the rest of this thread.

Can’t reproduce, @ssbarnea. No errors in 50 tries. Two keys in ssh-agent.

$ for i in {1..50}; do echo "${i}:" ; podman info -f json | jq -r '.version.Version' || echo "fail"; done 
1:
4.0.2
2:
4.0.2
[...]
49:
4.0.2
50:
4.0.2

Sure, you can do that with hammerspoon, obb, talon… It’s not particularly easy to do without 3rd party software (and requires IOKit to access the events; unfortunately launchd doesn’t expose them directly). You could do something like:

brew install sleepwatcher

cat << EOF > ~/.wakeup
#!/usr/bin/env bash
podman machine ssh "sudo chronyc -m 'burst 4/4' makestep; date -u"
EOF

chmod +x ~/.wakeup
brew services start sleepwatcher

Via Talon (thanks to lunixbochs):

from talon import ui
def fn():
   ...
ui.register('screen_sleep', fn)
ui.register('screen_wake', fn)

@flouthoc @baude @ashley-cui Should we do this in the ignition?

I think podman machine should be self-contained and not require an Internet access. What if you code in the plane? The time should not drift.