-
Notifications
You must be signed in to change notification settings - Fork 841
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clock skew issues megathread #10006
Comments
This workaround using systemd was the best and only solution in my case: #8204 (comment) |
The number of open issues that relate to this temporal distortion worry me, because it tells me there isn't a critical security focus on time by the teams involved in all these regressions and supposed fixes; so who is running the show for temporal security at MS? Anybody? Who is the Time Czar in the Security Org? Or perhaps a better question to ask: Why aren't these consistent temporal anomalies being considered more of a security issue? Everybody in security knows that time is a critical security component; so if time is not correct on the host system, then it is simply out of security compliance by default, right? |
Here's a simple fix that invokes Assuming you've changed the default user to something other than $ sudo visudo Add the following line:
Next, create a batch file somewhere on your machine, e.g.: @echo off
ubuntu.exe run "sudo hwclock -s"
exit (Change "ubuntu.exe" if you need to) Lastly, create a Task in the Task Scheduler that runs every time your computer wakes up from sleep.
If the task is not executed on your machine, it may be because your version of Windows emits a different Event ID. Open up the Event Viewer and check under System for any log entries that have the source "Kernel-Power" that match a timestamp when your machine has woken up from sleep mode. Verify the correct event by reading its description. It should state something along the lines of "The system exited sleep mode". The correct "Event ID" should be listed in the same window. Hope this helps. |
I suppose one could argue that it should rather be a wsl Linux kernel level
task to have a hardware clock synch at power up/restore?
in the proposed temp solution, I have used in the past `wsl -l -v` to list
running distro and then exec into them, `wsl -d <distro> hwclock -s`. Might
require the video step though, I had issues with some distros.
cheers
manu
…On Thu, 27 Apr 2023, 00:08 Harold Iedema, ***@***.***> wrote:
Here's a simple fix that invokes hwclock -s everytime your machine wakes
up from sleep. Note: This assumes you configured your WSL environment in
such a way that it should always be running (for daemons/webservers/etc.).
Assuming you've changed the *default user* to something other than root,
you'll first need to allow passwordless sudo when invoking sudo hwclock -s
by updating the *sudoers* file:
$ sudo visudo
Add the following line:
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/hwclock
Next, create a batch file somewhere on your machine, e.g.:
C:\sync-clock.bat with the following contents:
@echo off
ubuntu.exe run "sudo hwclock -s"exit
(Change "ubuntu.exe" if you need to)
Lastly, create a Task in the *Task Scheduler* that runs every time your
computer wakes up from sleep.
1. Open the Task Scheduler and create a new "Basic Task". This time,
we want to start a task on a specific event.
2. Set the trigger to "When a specific event is logged" and click
"Next".
3. Under "Log", select System.
4. Under "Source", select Kernel-Power.
5. Under "Event ID", type "507".
6. Under "action", select "Start a program" and click "next"
7. Specify the batch file we just created: C:\sync-clock.bat.
If the task is not executed on your machine, it may be because your
version of Windows emits a different Event ID. Open up the Event Viewer and
check under System for any log entries that have the source "Kernel-Power"
that match a timestamp when your machine has woken up from sleep mode.
Verify the correct event by reading its description. It should state
something along the lines of "The system exited sleep mode". The correct
"Event ID" should be listed in the same window.
Hope this helps.
—
Reply to this email directly, view it on GitHub
<#10006 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB4R3ABWJD77SHKIDZBFM4TXDEF3LANCNFSM6AAAAAAXG6OMXU>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
I'd add 107 as well.
Another reason can be (lack of) power:
Also see the above link to do without sudo. |
Task Scheduler doesn't work to run tasks in WSL2, see #9231 |
I don't think we need any more workarounds do we? Someone needs to go into the hypervisor code and fix the bug, no? Hypervisor's job is to present correct hardware clock functionality to its host kernels, presumably. Or have we moved on from that being the case? |
No. An actual fix would be best for security and compliance as systems having the wrong time can create GDPR violations in the worst case, and MSFT is a globally GDPR compliant company, right? So the team has a clear mandate as part of being One Microsoft that they need to fix this, right?
Yes, if that is where it is.
I don't believe anybody's done that kind of due diligence. The correct people at that level don't seem to be aware of this issue, or I suspect it would have been resolved if they truly understood how big of an issue this was, so the fact nobody in technical leadership has freaked out and mandated a fix asap tells me that has not happened yet. |
I don't think this is as large of an issue as you're trying to make it out to be. Keep in mind that WSL is primarily intended to be a developer tool, and not something you'd run a production-level server on (also - if your server is allowed to sleep you probably have much larger problems). It would be simpler, easier, and cheaper to just run whatever distro "natively" (either in a dedicated hypervisor like Hyper-V, or on bare metal). Yes, it's annoying. Yes, there are security issues (although exploiting them still requires stealing a private key, which shouldn't be trivial). If it's the end of the world for you, though, you likely have larger problems. |
Then respectfully, you do not understand the issue or how this impacts the world at scale.
... and that's exactly why this is such a big issue. if you're making the bad assumption that because this is a developer's system that it's not going to be attacked, then sadly I have some bad news for you. We developers get attacked everyday, and even now people are trying to figure out ways to get on our machines. You ever hear of supply chain attacks? Developers are the supply chain.
I agree but this is workstations, and that's even more heavily audited in some environments. If companies invested half as much in their production system security as they put into their corporate security, a lot of breaches would never happen.
Not for everybody. It would not be easier for me. I asked for many GB of ram for a reason: Docker/K8s.
Because looking in "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys is hard, right? ;) I get what you're saying, but it's also clear to me that you don't have the same goals I do. |
Even This is an important issue. |
When the user is not logged on to the desktop, I suppose? |
I think another point to note is that WSL2 didn't always have this problem. So if it could do the right thing after waking up at one point, how come it's such a problem fixing the issue now? |
Respectfully disagree. It's a very serious hypervisor bug. Presumably needs to be filed against the right product (not WSL, most likely) to get on the radar of someone who can fix it. |
Yes, exactly. This is a regression in a formally working product. |
No, he's right. That's why creating batch files is important. TaskScheduler can run a batch file, which then invokes the WSL commands. That works just fine. |
@troyhunt can you get some traction on this? |
I guarantee you that audit logs that have the wrong timestamp due to the host system times being wrong can create severe problems; mostly because these audit records containing false data are considered immutable proof of legal compliance in these systems. The end result is that data is being logged that is not correct, and then every single some of these systems that doesn't know the input is bad is then saying that data as presented is correct. I would like to see this issue fixed. |
My team and I are also facing this issue. After a system restart or sleep the clock is usually behind by ~40mins. For now Eagerly looking forward to an official fix. |
Running
Update: the VM's "hardware clock" appears to be reporting the time off by 5 minutes. This is not a drift calculation in the guest:
|
The I've found the following snippet (heavily adapted/reduced from wslact utility from WSL utilities project works more reliably:
#!/bin/bash
set -e
function pwsh {
local PowerShellExe="/mnt/c/Program Files/PowerShell/7/pwsh.exe"
"$PowerShellExe" -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; [Console]::InputEncoding = [System.Text.Encoding]::UTF8; $*"
}
function full_date {
date +"%F %T"
}
echo "Prev date: $(full_date)"
sudo date -u -s "$(pwsh Get-Date -AsUTC -UFormat \"%FT%TZ\")" > /dev/null
echo "New date : $(full_date)" It just gets the current UTC time from Windows by running a PowerShell command, and then runs The |
Likewise |
imho posts of the form "I found I could run hwclock|ntp and it made my clock kind of right" should be prohibited here. The bug is about the hypervisor screws up the guest OS's time. There is no workaround for that. The hypervisor just needs to be fixed such that it presents virtualized RTC to the guest that works. (Sorry, no coffee yet this morning). |
One more example of how it screws up work: suppose you've done some AWS S3 files downloading, then walked away, your computer went to sleep. Now you return and intend to download more files via the same console. AWS starts rejecting your attempts due to skewed time. |
A patch has gone into the maintainer branch. It will be back ported to our kernel. @habaohaba I'm assuming that you're saying that the host clock doesn't agree with what you see from |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Thanks for your patience. This issue should be resolved with https://github.com/microsoft/WSL/releases/tag/2.1.1. |
🕺 But...I know we should know this: what's the process for getting this code onto my laptop? Just wait for the next WSL update? |
https://github.com/microsoft/WSL/releases Find version >= 2.1.1 Pull the installer under 'Assets' for your platform. I believe there are CLI options as well for updating WSL to prerelease from the command line too with Before you do this though: Be sure you fully understand the consequences and risks of using the pre-release version and the update process as well as any new defaults or behaviors. It's probably out of scope to go any deeper on the topic of updates on this particular bug/thread. Open separate issues for that. Big kudos to the team for getting this patched! |
Ahhh, my mistake I assumed the assets from a release would be a kernel binary, not something usable by the end user. TIL! |
I just refreshed the Windows store and received 2.1.1 as an update. No magic is required. |
You must already be on the pre-release. I installed updates with |
I am on the Insider Dev build, but I installed it from the store. |
I ran wsl --update --pre-release this broke my fedora WSL installation, after running wsl --update things started working again |
This change keeps the clock synced with Windows all the time, and I can't manually change the time anymore. Unless I set the kernel parameter |
If you consider it an issue, you should probably open a new issue, as this one is closed. |
I guess it's either fixed, or I'm using a more recent fedora, but just
Hopefully I won't need to manually run |
Works like a charm. No more clock updating after sleep/inactivity. No more git commits hours/days off. |
If you have a WSL release that's 2.1.1 or newer, you should have the fix? |
My issue was that Windows VM synced it's time correctly with a ntp-server, while the underlaying host did not sync it's time and had the wrong time configured, the WSL synced with the host and not with the windows-system runing WSL. After fixing the host time-sync it started to working as it should. It seems like this issue should be re-opened as the issue is still there: WSL version: 2.3.24.0 PRETTY_NAME="Ubuntu 22.04.5 LTS" WSL: Wed Oct 30 14:01:55 CET 2024 When runing the commands with not even a second between em. |
In WSL, there is a scheduling deviation with EnvironmentWSL Ubuntu 24.04 wsl.conf
Issue DescriptionIn WSL, there is a scheduling deviation with After restarting WSL, the issue improves slightly, but after a longer duration (approximately 100 seconds), the deviation reappears. The only way to resolve this issue temporarily is to restart Windows. Steps to Reproduce
codelocal skynet = require "skynet"
local start = os.time()
while true do
skynet.sleep(100)
skynet.error(skynet.now .. "vs" .. os.time() - start)
end log
c debug codevoid skynet_timer_init(void) {
...
struct timespec ti;
clock_gettime(CLOCK_MONOTONIC, &ti);
TI->t1 = (uint32_t)ti.tv_sec;
}
uint64_t skynet_now(void) {
struct timespec ti;
clock_gettime(CLOCK_MONOTONIC, &ti);
struct timespec ti1;
clock_gettime(CLOCK_REALTIME, &ti1);
skynet_error(NULL, "pass:%d real:%d", ((uint32_t)ti.tv_sec - TI-> t1), ((uint32_t)ti1.tv_sec - TI->starttime));
return TI->current;
} c log
|
Megathread
Current status: waiting on backport for kernel patch to mitigate issue.
We're creating this megathread to track the clock skew issues in WSL in one place, and will keep this parent comment current with any updates.
Background
Sometimes the WSL clock can become skewed after resume from sleep (specifically S0). See some example related issues for more info:
#8318
#8204
#7255
Potential work arounds
Use systemd to force clock sync
See this comment: #8204 (comment)
Set the hardware clock via a command
Run
sudo hwclock -s
. More info here.Run
ntpdate
on distro start upEdit /etc/wsl.conf to have this content:
This will force a clock reset on start up of the distro.
Build a private kernel with this patch
The text was updated successfully, but these errors were encountered: