A timesyncd total failure and systemd's complete lack of debugability
Last November, I wrote an entry about how we were switching to using systemd's timesyncd on our Ubuntu machines. Ubuntu 18.04 defaults to using timesyncd just as 16.04 does, and when we set up our standard Ubuntu 18.04 environment we stuck with that default behavior (although we customize the list of NTP servers). Then today I discovered that timesyncd had silently died on one of our 18.04 servers back on July 20th, and worse it couldn't be restarted.
Specifically, it reported:
systemd-timesyncd: Failed to create state directory: Permission denied
The state directory it's complaining about is /var/lib/systemd/timesync,
which is actually a symlink to /var/lib/private/systemd/timesync
(at least on systems that are in good order; if the symlink has had
something happen to it, you can apparently get other errors from
timesyncd). I had a clever informed theory about what was wrong
with things, but it turns out
strace says I'm wrong.
(To my surprise, doing '
strace -f -p 1' on this system did not
produce either explosions or an impossibly large amount of output.
This would have been a very different thing on a system that was
actually in use; this is basically an almost idle server being used
as part of our testing of 18.04 before we upgrade our production
servers to it.)
strace, what is failing is timesyncd's attempts to
access /var/lib/private/systemd/timesync as its special UID (and
GID) 'systemd-timesync'. This is failing for the prosaic reason
that /var/lib/private is owner-only and owned by root. Since this
works on all of our other Ubuntu 18.04 machines, presumably the
actual failure is somewhere else.
The real problem here is that it is impossible to diagnose or debug
this situation. Simply to get this far I had to read the systemd
source code (to find the code in timesyncd that printed this specific
error message) and then search through 25,000 lines of
output. And I still don't know what the problem is or how to fix
it. I'm not even confident that rebooting the server will change
anything, especially when all the relevant pieces on this server
seem to be just the same as the pieces on other, working servers.
(I do know that according to logs this failure started happening immediately after the systemd package was upgraded and re-executed itself. On the other hand, the systemd upgrade also happened on other Ubuntu 18.04 machines, and they didn't have their timesyncds explode.)
Since systemd has no clear diagnostic information here, I spent a great deal of time chasing the red herring that if you look at /var/lib/private/systemd/timesync on such a failing system, it will be owned by a numeric UID and GID, while on working systems it will be the magically special login and group 'systemd-timesync'. This is systemd's 'dynamic user' facility in action, combined with systemd itself creating the /var/lib/private/systemd/timesync directory (with the right login and group) before exec'ing the timesyncd binary. When timesyncd fails to start, systemd removes the login and group but leaves the directory behind, now not owned by any existing login or group.
(You might think that the 'failed to create state directory' error
message would mean that timesyncd was the one actually creating the
state directory, but strace says otherwise; the
exec() does, while the new process that will become
timesyncd is still in systemd's code. timesyncd's code does try to
create the directory, but presumably the internal systemd functions
it's using are fine if the directory is already there with the right
ownership and so on.)
I am rather unhappy about this situation, and I am even unhappier that there is effectively nothing that we can do about any aspect of it except to stop using timesyncd (which is now something that I will be arguing for, especially since this server drifted more than half a second out of synchronization before I found this issue entirely by coincidence). Reporting a bug to either systemd or to Ubuntu is hopeless (systemd will tell me to reproduce on the latest version, Ubuntu will ignore it as always). This is simply what happens when the systemd developers produce a design and an implementation that doesn't explain how it actually works and doesn't contain any real support for field diagnosis. Once again we get to return to the era of 'reboot the server, maybe that will fix it'. Given systemd's general current attitude, I don't expect this to change any time soon. Adding documentation of systemd's internals and diagnosis probes would be admitting that the internals can have bugs, problems, and issues, and that's just not supposed to happen.
PS: The extra stupid thing about the whole situation is that the only thing /var/lib/systemd/timesync is used for is to hold a zero-length file whose timestamp is used to track the last time the clock was synchronized, and non-root users can't even see this file on Ubuntu 18.04.
Update: I've identified the cause of this problem, which is
described in my new entry on how systemd's
is dangerous. The short version is
that systemd silently failed to set up a custom namespace that would
have given timesyncd access to /var/lib/private because it could
not deal with FUSE mounts in NFS mounted user home directories that
were not world-accessible.