Force immediate NTP time sync with chronyd at IPA startup

In order to make sure we have the correct time early, e.g.
by the time we create a TLS certificate, this patch proposes
to force an immediate NTP update when using chronyd. While
the previous approach uses the passed NTP server as well, the
update may happen only after chronyd has performed measurements
(which may be too late).

Story: #2009058
Task: #42843

Change-Id: I6edafe8edeb8549f324959e7a1ec175c3049a515

ironic_python_agent/tests/unit/extensions/test_standby.py

@@ -1385,15 +1385,15 @@ class TestStandbyExtension(base.IronicAgentTest):
 
         self.agent_extension._sync_clock()
 
-        calls = [mock.call('chronyd', check_exit_code=[0, 1]),
+        calls = [mock.call('chronyc', 'shutdown', check_exit_code=[0, 1]),
-                 mock.call('chronyc', 'add', 'server', '192.168.1.1'),
+                 mock.call("chronyd -q 'server 192.168.1.1 iburst'",
-                 mock.call('chronyc', 'makestep'),
+                           shell=True),
                  mock.call('hwclock', '-v', '--systohc')]
         execute_mock.assert_has_calls(calls)
 
         execute_mock.reset_mock()
         execute_mock.side_effect = [
-            ('', ''), ('', ''), ('', ''),
+            ('', ''), ('', ''),
             processutils.ProcessExecutionError('boop')
         ]
 

ironic_python_agent/tests/unit/test_utils.py

@@ -856,27 +856,8 @@ class TestClockSyncUtils(ironic_agent_base.IronicAgentTest):
         mock_time_method.return_value = 'chronyd'
         utils.sync_clock()
         mock_execute.assert_has_calls([
-            mock.call('chronyd', check_exit_code=[0, 1]),
+            mock.call('chronyc', 'shutdown', check_exit_code=[0, 1]),
-            mock.call('chronyc', 'add', 'server', '192.168.1.1'),
+            mock.call("chronyd -q 'server 192.168.1.1 iburst'", shell=True),
-            mock.call('chronyc', 'makestep'),
-        ])
-
-    @mock.patch.object(utils, 'determine_time_method', autospec=True)
-    def test_sync_clock_chrony_already_present(self, mock_time_method,
-                                               mock_execute):
-        self.config(ntp_server='192.168.1.1')
-        mock_time_method.return_value = 'chronyd'
-        mock_execute.side_effect = [
-            ('', ''),
-            processutils.ProcessExecutionError(
-                stderr='Source already present'),
-            ('', ''),
-        ]
-        utils.sync_clock()
-        mock_execute.assert_has_calls([
-            mock.call('chronyd', check_exit_code=[0, 1]),
-            mock.call('chronyc', 'add', 'server', '192.168.1.1'),
-            mock.call('chronyc', 'makestep'),
         ])
 
     @mock.patch.object(utils, 'determine_time_method', autospec=True)
@@ -889,12 +870,8 @@ class TestClockSyncUtils(ironic_agent_base.IronicAgentTest):
             processutils.ProcessExecutionError(stderr='time verboten'),
         ]
         self.assertRaisesRegex(errors.CommandExecutionError,
-                               'Error occured adding ntp',
+                               'Failed to sync time using chrony to ntp '
-                               utils.sync_clock)
+                               'server:', utils.sync_clock)
-        mock_execute.assert_has_calls([
-            mock.call('chronyd', check_exit_code=[0, 1]),
-            mock.call('chronyc', 'add', 'server', '192.168.1.1'),
-        ])
 
     @mock.patch.object(utils, 'determine_time_method', autospec=True)
     def test_sync_clock_none(self, mock_time_method, mock_execute):

ironic_python_agent/utils.py

@@ -835,21 +835,11 @@ def sync_clock(ignore_errors=False):
                 raise errors.CommandExecutionError(msg)
     elif method == 'chronyd':
         try:
-            # 0 should be if chronyd started
+            # stop chronyd, ignore if it ran before or not
-            # 1 if already running
+            execute('chronyc', 'shutdown', check_exit_code=[0, 1])
-            execute('chronyd', check_exit_code=[0, 1])
+            # force a time sync now
-            # NOTE(TheJulia): Once started, chronyd forks and stays in the
+            query = "server " + CONF.ntp_server + " iburst"
-            # background as a server service, it will continue to keep the
+            execute("chronyd -q \'%s\'" % query, shell=True)
-            # clock in sync.
-            try:
-                execute('chronyc', 'add', 'server', CONF.ntp_server)
-            except processutils.ProcessExecutionError as e:
-                if 'Source already present' not in str(e):
-                    msg = 'Error occured adding ntp server: %s' % e
-                    LOG.error(msg)
-                    raise errors.CommandExecutionError(msg)
-            # Force the clock to sync now.
-            execute('chronyc', 'makestep')
             LOG.debug('Set software clock using chrony')
         except (processutils.ProcessExecutionError,
                 errors.CommandExecutionError) as e:

releasenotes/notes/fix_chronyd_time_sync-626a14b66ca37677.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue where the NTP time sync at the IPA startup via chronyd is
+    not immediate (which can break time sensitive components such as the
+    generation of a TLS certificate).