clock nightmare

[haaber]

Hello, could someone please help me out of the clock nightmare? dom0
keeps setting itself at -1day, and helpless sys-whonix follows, which
disturbs tor, the time stamp of this email ETC.
Concrete question: in which timezone should live respectively dom0 and
whonix-* ? How/Where do I configure TZ without messing all up? Thank
you, Bernhard

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Seen these?

https://github.com/QubesOS/qubes-issues/issues/3983

https://groups.google.com/d/topic/qubes-users/zNkc1pL-erE/discussion

TL;DR: In the TemplateVM on which sys-net is based:

$ sudo chmod 0700 /var/lib/private/

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlxKrQYACgkQ203TvDlQ
MDBaZRAAjf0K2pHsPKGNuerDvl6s+LVOAhAZhKJgaXKTbRFO/zthUUintmHBHuUR
LOzyyN6EXIPi3F1gYNJ1EMTMucQklVsmQaY7KGfPEUungyumXHWlRBPdvDZXsyN0
59Cp4GBwk5xi24PoJuyzHAw4kQYG+chApk8qrC5wL0Hhy5Y/U02rqJiv26/VjTjm
Mfs7gTRkoq21RubiBvibcCvaUyk3sfXKeejIcVlITBxWAooFTkD8WYyRGBZx46XE
AryJTypn/qFXrkvW+FINyc0muyXUPAtF4T3Em/ficx1X9n8rrEILrBR8MYWI1Rue
VLuZ4lWb+aqZpTzAPQQBIIUpMm2ATcJMERFeINDIKlXcH5i2n4uzeOwofb7GQJvs
NcuqTA4jFM1FIIkbkhYDOfO+kRx9yR7Rv+lX3KQ8g4/HdRocwiXwNNNujfnXwXwm
RXSLKhreNW4QC70aoYV4KbDA5bzy7SaUoCHN6K/uV3HoUPBFi2VAdNQQaaotXRDN
FNXoLYKTg28XouwvEOe6hhHGf9EFmC7vH/aooiRjpx1In9osZGSf8KTc1CbXa1MQ
4AqqOqInhe6e0BsEkDsnYrcehLE2sO/4UhvrgExLXArWSSTmYcaQvGP1+wrU868y
DUb4swHrLzUL1LQ+XuOuKJj+eJWOfHsg8mDzbKGBfqnajxP0Ue0=
=d6XS
-----END PGP SIGNATURE-----

[haaber]

> On 24/01/2019 12.11 AM, haaber wrote:
>> Hello, could someone please help me out of the clock nightmare?
>> dom0 keeps setting itself at -1day, and helpless sys-whonix
>> follows, which disturbs tor, the time stamp of this email ETC.
>> Concrete question: in which timezone should live respectively dom0
>> and whonix-* ? How/Where do I configure TZ without messing all up?
>> Thank you, Bernhard
>>
>
> Seen these?
>
> https://github.com/QubesOS/qubes-issues/issues/3983
>
> https://groups.google.com/d/topic/qubes-users/zNkc1pL-erE/discussion
>
> TL;DR: In the TemplateVM on which sys-net is based:
>
> $ sudo chmod 0700 /var/lib/private/

yes I saw it & did it: ls -lah /var/lib/ gives

dwrx--------- /var/lib/private


Yet, it does not help. Therefore I ask here ... cheers, Bernhard

[haaber]

I forgot to specify that I use fedora-28-minimal as net-vm (and
clock-vm). Is the problem in the "minimal" ?

[Zrubi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 1/24/19 7:42 AM, haaber wrote:
> I forgot to specify that I use fedora-28-minimal as net-vm (and
> clock-vm). Is the problem in the "minimal" ?

The minimal teplates are not suitable for any service without
installing additional packages. That template is just a base for
advanced users to create their own special purpose templates.

If you are just starting to learn Qubes, I would suggest to keep using
the default normal template, till you feel confortable using Qubes.


- --
Zrubi
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEmAe1Y2qfQjTIsHwdVjGlenYHFQ0FAlxKwt4ACgkQVjGlenYH
FQ2hRxAAnrQ2BoPWsixutzjh4f/tJUdciVaMtG9VsmLHM+DCQok0/ag2KZd+O0+a
tVH8U5Rs41p3dnCmbWlADtBmoHz7kj9tHmTBkgdxwZwTacWX7jje5GzV/R13zXTz
nCq0AvIoXBUyqDyIoGvMxI/XEa9UlKME4sFv83I33TSLllbw/ACri85rPSTqW/1F
a3TpKDHGHhlxz/kPA4tL6IiS+lEFpVjZblBkXhsd+j/gNrwWIvL65Vc1mqJNTIFN
pBikcfo292c2lzBSAE0cvPOYbpzoWmsvQJYv772ZDEms/pyua2nLf2ukzK4qM2GL
gosUNO/2vs/6g3l3FJDNRzI36wsRXkWNWpUnFszUx48ZxevDsGL3mUqJAP0uzPBi
PgNXW96cIUYc07rr/olli5Mi+codm45DM8IrGG1vygL6uFB09U1vJ19+FMyhZWiz
kZ4gzRiKeiA7RdSeXQncVURFV7OqTfM2smfP2lq+I5T1o28NzOAi4N4gJKbqGLmW
5arJaANt7llP5VS+nVkEb1W2YvBKboahbqh71l5EzzMBztH0c2S75zJCxRoFPskT
Tm88MtBwM/W8rENl1V/Kf6+qr5GRV0tK34b4Lc7xYg29loM4j9MN5t0ueSc+QXxn
9duJSdZMO1JMEcJzoM4PvzESOnzX5kxcX8cdT2+0EnFh/pAtl2o=
=Ait4
-----END PGP SIGNATURE-----

[Zrubi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 1/24/19 7:11 AM, haaber wrote:
> Concrete question: in which timezone should live respectively dom0
> and whonix-* ? How/Where do I configure TZ without messing all up?
> Thank you, Bernhard

timedatectl is your friend.

You can set different timezone for dom0, for every template, or every
single VM if you really want.

If you do not want to use any real timezone, you can choose the UTC.

- --
Zrubi
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEmAe1Y2qfQjTIsHwdVjGlenYHFQ0FAlxKxDQACgkQVjGlenYH
FQ1lQxAArFufu4yKwZiBvlrvUNYAlzRelzXeWWY62SIeZBVZ1vQBNGxzQ+V4Da1O
fsaVeTlB1aPYrUiau+KqBYY0L+ksmGrdN9UZ+85reTDTFiDigB8vcoqXBx/+csNv
4sWVbuMx9XUDEVCJyQ5jQeim1qMkpEH0XFXK3ve94s8yRQPFvHbehSM46RydZuDi
KmmhVLbKNZ362GJrd4HnxwoJAveoV9d6P1GE92hAlCL0J9TfGMZ9cfYkO2SUrDNb
Dq8vvmXtRAq6m9LkTUzxPi0bYGp8OdxOGi8eE7hZ22GdOEU4YlEPznlysMlfDCuX
EIRQxlAEhA9Wse/IVwsS3xagf1WoO/wgGwvhLpYWGcSJQWArGuJyvMV6o67HvpuM
OZOZDuOQeQ4Ev00noU9csEGpQfnuzU5/OXm3GMnIQwBXlIqfAHhmV0LDFKWb0hV3
IJBQzP9+12pyFj2F9Y2vRIVD8q4SIA/By+VLcjde5PvEuzIBEhJUrYxt+RVUji4w
opEq7cKG5k+7jMF7QVYo8QPgiPpnsRxR4osML84jbUGL18ZQOit0IdbrdheH24wR
ZppjtakU5MxeSWl91dadNI5G86tp19PAiEhF1B64zU4FtEAR94wDEap+5pGyVSkJ
39BWiv08Ipz0SFhblkqSUHmPsWkWpiktDav/0HZSvcUclrA6rq4=
=emNN
-----END PGP SIGNATURE-----

[haaber]

> On 1/24/19 7:42 AM, haaber wrote:
>> I forgot to specify that I use fedora-28-minimal as net-vm (and
>> clock-vm). Is the problem in the "minimal" ?
>
> The minimal teplates are not suitable for any service without
> installing additional packages. That template is just a base for
> advanced users to create their own special purpose templates.
>
> If you are just starting to learn Qubes, I would suggest to keep using
> the default normal template, till you feel confortable using Qubes.
>

I use Qubes since 3.2 and feel quite comfortable :) Your message is just
discouraging though. According to Std-Qubes-DOC, the minimal template
CAN be used for sys-net. The question is just about which packages to
add, right? If in the list of extra-packages mentioned in the DOC the
package that handels the clock/ntp should miss, this would be of
interest for the qubes community (and the DOC would have to be changed).

--

Tracking the python script qvm-sync-clock I need to follow the

clockvm.run_service('qubes.GetDate')

which I read that I have to check that the right service installed in
sys-net. Now here are the services in sys-net's /var/run/qubes-service

-rw-r--r-- 1 root root 0 Jan 24 17:54 network-manager
-rw-r--r-- 1 root root 0 Jan 24 17:54 qubes-firewall
-rw-r--r-- 1 root root 0 Jan 24 17:54 qubes-network
-rw-r--r-- 1 root root 0 Jan 24 17:54 qubes-update-check
-rw-r--r-- 1 root root 0 Jan 24 17:54 qubes-updates-proxy

simple question: which one is missing to get "GetDate" work (someone
compare with HIS folder in sys-net, please?)
Strangely, there is no ntp installed in sys-net :)) OK I changed that
(on a test basis in the VM not the template): Fedora offers
ntpdate-4.2.8p12-1.fc28.x86_64.rpm is that right?

ntpdate -s SOMESERVER

followed by qvm-sync-clock DOES the job. Do I have to run that by a
startup script inside sys-net ???

Bernhard

[Zrubi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 1/24/19 11:47 AM, haaber wrote:

> I use Qubes since 3.2 and feel quite comfortable :) Your message is
> just discouraging though.

Sorry, I don't wanted to discourage for sure.

> which I read that I have to check that the right service installed
> in sys-net. Now here are the services in sys-net's
> /var/run/qubes-service
>
> -rw-r--r-- 1 root root 0 Jan 24 17:54 network-manager -rw-r--r-- 1
> root root 0 Jan 24 17:54 qubes-firewall -rw-r--r-- 1 root root 0
> Jan 24 17:54 qubes-network -rw-r--r-- 1 root root 0 Jan 24 17:54
> qubes-update-check -rw-r--r-- 1 root root 0 Jan 24 17:54
> qubes-updates-proxy

I'm using a (custom) debian template for sys-net, but I have the same
content as you. I also checked the GUI where I can see a service called:
clocksync

Not sure what it is trigger, but I also have a running systemd timer
related to this:

> user@WiFi:~$ systemctl status qubes-sync-time.timer ●
> qubes-sync-time.timer - Update system time each 6h Loaded: loaded
> (/lib/systemd/system/qubes-sync-time.timer; enabled; vendor preset:
> enabled) Active: active (waiting) since Wed 2019-01-02 18:44:41
> CET; 3 weeks 1 days ago


Hope that's help.

- --
Zrubi
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEmAe1Y2qfQjTIsHwdVjGlenYHFQ0FAlxLKO4ACgkQVjGlenYH
FQ1qFQ/+IsDL24RLJ3ENF8I2IQyQsi+YZyK9+6BXVVhHUVAUflpOzmT2PNgyZyXg
EZmSziocLTK6gNJitYbOlwQiH2WdnKClZTcLiR/IYeHLkrWPQ3a8NDaOPdYaKgkg
nQA1Z/M9VKLFeaNmXAr61LmPWJsjdD6BENem1Jk6jzngurTG9IPheyGuzR02L26E
O/xPX8Vzl6nLmcC6SsDJ9O8+Ey/8ImHq30TMWyxZKXIqmKvL4aDcwAnW85ymLjZW
tQTOytXnjCNfqW5lZgHLJaau82/A7UdRD8W3VLR0g85myd0FewjlbXUuZ+klFOdX
ZD+ZuC08DrZhJLIJpQY0poON5iKBrYciDP1Dj/DutMcUg16FkJOsYzzzubceB8l+
0KXTBbJLALS9MUhVXKWVrXYTPTZ/EhAP3HeZHwtjs0EIoatg8oZeKbrKJTnseYfh
8s3GQHaSZ0Wx22MYzmmSfpyL/KTDLL692whV3GFAGxfdaoJt5eJQDf6ELH274two
LBm8Q/+XaNF6aMSc1sUenYmuWMh+GD2f/kl3nXGARRZHVj02H0JMhQq8/EYAttDs
EJJiQm6ELusMRXDmprBvb0qc8VMdjn39pEQv6FDfI4vo692yLEbmdhV9bw1dsZic
SJdHBjB8Qv3klASfxZGbOQJdczALNtPwkuVxHmF6pCdKokZ4iDY=
=SSOQ
-----END PGP SIGNATURE-----

[John S.Recdep]

I know this may not be the solution you want, but I ended up just
changing sys-net template to debian-9 , then all was well

I did the change to the private/ dir but so far haven't tested it fwiw

[haaber]

>> which I read that I have to check that the right service installed
>> in sys-net. Now here are the services in sys-net's
>> /var/run/qubes-service
>>
>> -rw-r--r-- 1 root root 0 Jan 24 17:54 network-manager -rw-r--r-- 1
>> root root 0 Jan 24 17:54 qubes-firewall -rw-r--r-- 1 root root 0
>> Jan 24 17:54 qubes-network -rw-r--r-- 1 root root 0 Jan 24 17:54
>> qubes-update-check -rw-r--r-- 1 root root 0 Jan 24 17:54
>> qubes-updates-proxy
>
> I'm using a (custom) debian template for sys-net, but I have the same
> content as you. I also checked the GUI where I can see a service called:
> clocksync

Aha! That was it. The qubes-sync-time.timer was active since yesterday
(when I installed ntpdate), but this one missed! I'll see if I can
contribute to the DOC with that!

Cheers, Bernhard