
Fix private operator time drift#2300

Merged
caroline-ttd merged 40 commits into main from ccm-UID2-6489-drift on Feb 3, 2026

Conversation


@caroline-ttd caroline-ttd commented Jan 16, 2026

Contributor

Correct the time drift once a day

For testing, I added a function to manually change the time and used the cron job to set it back.

TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-30}"

# Test helper: fetch the parent instance's clock through the SOCKS proxy,
# skew it by TIME_SYNC_OFFSET_SECONDS and set the enclave clock to the skewed
# value, so the cron job has real drift to correct.
sync_enclave_time_with_offset_once() {
  local current_time
  local parent_epoch
  if current_time=$(curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}"); then
    # Convert the fetched timestamp to epoch seconds; empty on parse failure.
    parent_epoch=$(date -u -d "${current_time}" +%s 2>/dev/null || true)
    if [[ -z "${parent_epoch}" ]]; then
      echo "Time sync: could not parse parent time '${current_time}'"
      return 1
    fi
    parent_epoch=$((parent_epoch + TIME_SYNC_OFFSET_SECONDS))
    if ! date -u -s "@${parent_epoch}" >/dev/null; then
      echo "Time sync: failed to set enclave time from '${current_time}' with offset ${TIME_SYNC_OFFSET_SECONDS}s"
      return 1
    fi
    echo "Time sync: updated enclave time to ${current_time} + ${TIME_SYNC_OFFSET_SECONDS}s"
  else
    echo "Time sync: failed to fetch time from parent instance"
    return 1
  fi
}

# A failed test skew must never abort the entrypoint.
sync_enclave_time_with_offset_once || true

Test:

Cron job in enclave:
[screenshot: Screenshot 2026-01-30 at 2 37 16 PM]

Cron job in host (out of date):

  1. Manually set the time drift for 30 seconds
     [screenshot: Screenshot 2026-01-29 at 11 52 19 AM]
  2. Correct the drift
     [screenshot: Screenshot 2026-01-29 at 11 51 28 AM]

Previous Python version:

  1. Manually set the time drift for 30 seconds
     [screenshot: Screenshot 2026-01-15 at 4 17 30 PM]
  2. Correct the drift
     [screenshot: Screenshot 2026-01-15 at 4 21 52 PM]
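The approach in this PR is a once-a-day cron job inside the enclave that pulls the parent instance's clock through the local SOCKS proxy and steps the enclave clock to it. The script below is an added example, not the PR's own uid2-time-sync script: it fetches the parent time the same way (curl through socks5h://127.0.0.1:3305), but also measures and logs the drift before stepping, and refuses to step when the drift exceeds a sanity bound. The TIME_SYNC_URL placeholder, the MAX_STEP_SECONDS bound and the log format are assumptions; the PR does not specify them.

```shell
#!/bin/sh
# Added example, not the PR's code. One-shot enclave time sync meant to be run
# from cron (the PR's "0 0 * * * root /usr/local/bin/uid2-time-sync" entry).
# Assumptions: TIME_SYNC_URL is a placeholder, MAX_STEP_SECONDS is an added
# sanity bound, the log format is ours.
set -u

TIME_SYNC_URL="${TIME_SYNC_URL:-http://PARENT_TIME_ENDPOINT_PLACEHOLDER/}" # placeholder
TIME_SYNC_PROXY="${TIME_SYNC_PROXY:-socks5h://127.0.0.1:3305}"             # as in the PR
MAX_STEP_SECONDS="${MAX_STEP_SECONDS:-3600}"                               # assumed bound

# Fetch the parent's current time as text; the exit status is curl's.
fetch_parent_time() {
  curl -s -f -x "${TIME_SYNC_PROXY}" "${TIME_SYNC_URL}"
}

# Convert a date string to epoch seconds (GNU date); empty output on failure.
parse_epoch() {
  date -u -d "$1" +%s 2>/dev/null
}

# Drift = parent clock minus enclave clock, in seconds (positive: enclave is behind).
compute_drift() {
  echo $(( $1 - $2 ))
}

abs_value() {
  if [ "$1" -lt 0 ]; then echo $(( 0 - $1 )); else echo "$1"; fi
}

# Succeeds (0) when |drift| <= bound, fails (1) otherwise.
within_bound() {
  [ "$(abs_value "$1")" -le "$2" ]
}

log() {
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) uid2-time-sync: $*"
}

sync_once() {
  parent_time=$(fetch_parent_time) || { log "failed to fetch parent time"; return 1; }
  parent_epoch=$(parse_epoch "${parent_time}")
  [ -n "${parent_epoch}" ] || { log "could not parse '${parent_time}'"; return 1; }
  local_epoch=$(date -u +%s)
  drift=$(compute_drift "${parent_epoch}" "${local_epoch}")
  if ! within_bound "${drift}" "${MAX_STEP_SECONDS}"; then
    # A jump this large is more likely a bad response than real drift: leave the
    # clock alone and make the event visible in the log instead of stepping.
    log "refusing to step clock: drift ${drift}s exceeds ${MAX_STEP_SECONDS}s"
    return 1
  fi
  date -u -s "@${parent_epoch}" >/dev/null || { log "date -s failed"; return 1; }
  log "stepped enclave clock by ${drift}s to ${parent_time}"
}

# Only touch the clock when invoked explicitly: `sh uid2-time-sync.sh run`.
if [ "${1:-}" = "run" ]; then
  sync_once
fi
```

The reviewer's simpler variant (pipe curl straight into date -s) trusts the parent clock unconditionally; the bound here is the one addition, so that an unexpected response steps nothing and leaves a log line to alert on. Logging the measured drift on every run is also what shows whether once a day is often enough.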

Comment thread scripts/aws/entrypoint.sh Outdated
fi
}

start_time_sync_loop() {

Contributor


I feel this is a bit complex.

Why not something much simpler like

sync_enclave_time() {
  # Pipe the parent's timestamp straight into date -s
  curl -s -f -x socks5h://127.0.0.1:3305 "${TIME_SYNC_URL}" | xargs -I{} date -u -s "{}"
}

Trust the parent instance clock without the condition?

Comment thread scripts/aws/entrypoint.sh Outdated

start_time_sync_loop() {
while true; do
sleep "${TIME_SYNC_INTERVAL_SECONDS}"

Contributor


Suggest using cron. Python sleep is process based; if the process crashes (this process running isn't a requirement for our enclave), it stops.

Using cron or a systemd timer would be better IMO.

Contributor Author


Updated to cronjob

name: nmap-ncat
state: latest

- name: Install chrony for time sync

Contributor


I am not sure if we need this. This AMI is the parent instance, which already has time sync configured with the AWS time server.

@caroline-ttd caroline-ttd Jan 29, 2026

Contributor Author


Removed it

dest: /etc/cron.d/uid2-time-sync
mode: "0644"
content: |
0 0 * * * root /usr/local/bin/uid2-time-sync

Contributor


/usr/local/bin/uid2-time-sync

What's that? How do you get that? (I would suggest creating that over your implementation of adding start_time_sync_server in entrypoint.sh (cleaner).)

@caroline-ttd caroline-ttd merged commit 46ac1a1 into main Feb 3, 2026
9 checks passed
@caroline-ttd caroline-ttd deleted the ccm-UID2-6489-drift branch February 3, 2026 00:04