I'm working on a project where I'm updating an existing AWS Elastic
Beanstalk environment to run on a CIS Benchmark hardened machine image. I'm
able to launch a single EC2 instance normally, but when I try to put the
image into Elastic Beanstalk, I'm running into issues with chronyd failures.

It looks to me that the problem is that in the CIS-hardened image, the /tmp
directory and most others are mounted as noexec, and the Elastic Beanstalk
bootstrap process unpacks some scripts and tries to run them from a noexec
partition, and one of those does configuration which chronyd needs. Or else
there's an issue with the socket.

The error shows up as such in eb-engine.log:

2022/10/18 18:06:14.704180 [INFO] Executing instruction: SyncClock
2022/10/18 18:06:14.704185 [INFO] Starting SyncClock
2022/10/18 18:06:14.704198 [INFO] Running command /bin/sh -c
/usr/bin/chronyc tracking
2022/10/18 18:06:21.715994 [INFO] Reference ID    : A9FEA97B
(169.254.169.123)
Stratum         : 4
Ref time (UTC)  : Tue Oct 18 18:06:15 2022
System time     : 0.000017567 seconds slow of NTP time
Last offset     : -0.000058970 seconds
RMS offset      : 0.000058970 seconds
Frequency       : 6.422 ppm slow
Residual freq   : -1.538 ppm
Skew            : 0.225 ppm
Root delay      : 0.000430699 seconds
Root dispersion : 0.000270378 seconds
Update interval : 16.0 seconds
Leap status     : Normal

2022/10/18 18:06:21.716030 [INFO] Running command /bin/sh -c
/usr/bin/chronyc -a makestep
2022/10/18 18:06:28.723982 [INFO] 501 Not authorised

2022/10/18 18:06:28.724013 [ERROR] An error occurred during execution of
command [self-startup] - [SyncClock]. Stop running the command. Error:
Command /bin/sh -c /usr/bin/chronyc -a makestep failed with error exit
status 1

Obviously, this isn't chrony's fault, but I'm looking for advice on how to
troubleshoot or work around the situation. If I put a User Data directive
to run chronyd on instance boot, it creates chronyd.pid and chronyd.sock in
/run/chrony, and the daemon seems to be syncing time, but all of the
command line commands (like "chronyc sources") return nothing.

Any ideas?

-- 
Tom Holub, Founder and Principal
Totally Doable Consulting, http://totallydoable.com
Practical strategic consulting for non-profits and the public sector
t...@totallydoable.com, 510-957-8225