hyperkit clock falls behind: failed to write or validate certificate: the certificate is not valid yet #1378
Comments
|
Thanks for reporting this. This seems to be a know issue for users w/ xhyve + docker: docker/for-mac#17 |
|
It seems that you can automate this by using |
aaron-prindle
added
kind/bug
|
@aaron-prindle thanks for the workaround, but unfortunately I can't get it working. I'm also a bit in the dark about how this is supposed to work: as I understand it, the Minikube VM has a skewed clock, so how is launching a pod going to solve this? Wouldn't it be more logical to run some kind of command directly in the Minikube VM to fix its clock? (like fetching the time from a time server) I tried to come up with a working command myself, but all the usual linux commands seem to be missing from the flavour of Linux that the Minikube VM is running... |
|
I actually tested this command w/ This is just a workaround for now. We are considering making time-syncing daemon for the VM to solve this but this is not really directly related to minikube. |
|
Thanks, this workaround does the trick! |
|
Ran into this on a VirtualBox minikube 0.19.0 as well. The command did the trick |
|
I'm playing with using a privileged pod running ntpd to keep my Minikube VM's clock in sync. If it works well, I will try to submit a PR to bundle it as an addon (if that aligns with how you envisioned a fix) |
|
If you use Homebrew to install minikube and kubectl, you may have to add I also added the following line to set the timezone of the VM to the one of my Mac: (Instead of |
|
out of interest, why run |
|
@aaron-prindle The whole thing should be surrounded in single quotes to prevent bash from expanding the date command. |
|
After combining all comments above, I have this setup script: brew install sleepwatcher
brew services start sleepwatcher
echo "PATH=\$PATH:/usr/local/bin
minikube ssh -- docker run -i --rm --privileged --pid=host debian nsenter -t 1 -m -u -n -i hwclock -s" > ~/.wakeup
chmod +x ~/.wakeup |
|
Since the minikube distro is already using systemd, might be nice to include timesyncd too. Wouldn't cover fixing drift when not on the internet, but would help for a lot of people I bet. I tried enabling it manually but it looks like that daemon isn't included in the minikube distro currently. |
|
+1 this one is a pain when doing AWS dev as our certs get out of sync and fail: |
|
any updates on this issue? |
|
please? I am just running virtualbox, but also have time out of sync...why is this thread just about xhyve when there seems no timesync daemon on the distro? |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
I would add the seconds to the but then I wonder what the purpose of |
|
I'm not sure when it was added, but the minikube guest VM should include time synchronization. Apparently it works for me in kvm2: $ timedatectl
Local time: Wed 2018-09-19 22:24:46 UTC
Universal time: Wed 2018-09-19 22:24:46 UTC
RTC time: Wed 2018-09-19 22:24:46
Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
systemd-timesyncd.service active: yes
RTC in local TZ: noYMMV based on your environment. |
tstromberg
added
priority/important-longterm
tstromberg
added
help wanted
|
@tstromberg I see that minikube had systemd-timesyncd enabled but then you disabled it in #3476. |
|
One could argue that it is the job of the hypervisor to keep the time synced. Then again, some of them fail... |
|
@reegnz - I disabled systemd-timesyncd because it could conflict with hypervisor time synchronization. At the time, I wasn't aware that there were hypervisors which didn't handle time synchronization out-of-band. I agree though that for hyperkit, we will need an sntp daemon to talk to in order to make this work. |
|
@afbjorklund one could also argue that a vm should be blind to the hypervisor and take time from another trusted source instead. The point is, we cannot fix the hypervisor as easily as we can fix this in the minikube ISO however. Once somebody fixes this in hyperkit we could get away with not having an sntpd running. @tstromberg could we detect what hypervisor we are running in? |
|
Just checked systemd unit config parameters: One could use |
|
Checked out the systemd-detect-virt code, hyperkit should be identifyable as bhyve (xhyve under hyperkit is a bhyve fork). @tstromberg I think we should enable systemd-timesyncd and add a drop-in unit config with What do you think, should I give it a go? |
|
FYI I have encountered the same issue using vmware fusion. |
|
We could define multiple virtualization technologies in the ConditionVirtualization option, eg. I am looking into how I can enable timesyncd with buildroot and build the image on mac (don't have a linux machine at hand). I will come back with the results. Then somebody could help out how we get the drop-in file into the buildroot build (maybe with a package 'systemd-timesyncd-conditional'?). |
|
I've encountered the same issue (clock drift when after sleeping) on Windows 10 with the hyper-v driver as well |
|
@danielsonjh thanks for the input! So we're at 3 hypervisors now... @tstromberg would it make sense to just reenable the systemd-timesyncd daemon and open a follow-up ticket for the virtualbox issue (if it even exists anymore)? 3 out of 4 hypervisors break because of no ntp in the vm anymore. We can then experiment with the |
|
I think due to the multiple related issues we have seen, we need to address this as an important bug to fix soon. |
medyagh
added
priority/important-soon
|
I have also encountered this running with kvm2. So that makes 4 hypervisors minikube v1.2.0 |
|
Just the some workaround but in one line: ssh -i ~/.minikube/machines/minikube/id_rsa docker@$(minikube ip) "docker run --rm --privileged --pid=host alpine nsenter -t 1 -m -u -n -i date -u $(date -u +%m%d%H%M%Y)" |
|
Unfortunately, does not work for me. After MacBook wake up today: $ date $ minikube ssh date Minikube 1.4.0, hyperkit driver |
|
Yep, I just ran into this issue. I'm not sure this issue should be closed. |
|
I use Minikube on Windows 10 with VirtualBox. Everytime I lock the screen the time in minikube gets out of sync with the host machine. |
|
yes, confirmed with VirtualBox and minikube, the drift gets bigger depending on how long the machine is in sleep mode. @msabramo 's comment |
|
I use Minikube on Windows 10 with VirtualBox and I see the same issue. The commands provided by @aaron-prindle DO NOT sync the date. |
and others
Minikube version: v0.18.0
Environment:
What happened:
When I wake my laptop after sleep, the clock of the Minikube VM lags behind. This causes problems with the registry credentials plugin, since AWS rejects credentials requests with an invalid timestamp.
What you expected to happen:
The clock should sync after computer wakeup.
How to reproduce it (as minimally and precisely as possible):
See above.
The text was updated successfully, but these errors were encountered: