Switch to cronjob on host as no systemd running in enclave

caroline-ttd · caroline-ttd · commit 1f7dad7ff323 · 2026-01-28T18:07:16.000-08:00
diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh
@@ -24,8 +24,7 @@ echo "Starting vsock proxy..."
 
 TIME_SYNC_URL="http://127.0.0.1:27015/getCurrentTime"
 TIME_SYNC_PROXY="socks5h://127.0.0.1:3305"
-TIME_SYNC_INTERVAL_SECONDS="300"
-
+TIME_SYNC_TRIGGER_PORT="${TIME_SYNC_TRIGGER_PORT:-27100}"
 TIME_SYNC_OFFSET_SECONDS="${TIME_SYNC_OFFSET_SECONDS:-30}"
 
 sync_enclave_time_with_offset_once() {
@@ -50,43 +49,52 @@ sync_enclave_time_with_offset_once() {
 sync_enclave_time_with_offset_once || true
 
 
-enable_time_sync_timer() {
-  if ! command -v systemctl >/dev/null 2>&1 || [[ ! -d /run/systemd/system ]]; then
-    echo "Time sync: systemd not available; skipping timer setup" >&2
-    return 0
-  fi
 
-  cat <<EOF >/etc/systemd/system/uid2-time-sync.service
-[Unit]
-Description=UID2 enclave time sync
-
-[Service]
-Type=oneshot
-Environment=TIME_SYNC_URL=${TIME_SYNC_URL}
-Environment=TIME_SYNC_PROXY=${TIME_SYNC_PROXY}
-ExecStart=/bin/bash -c 'set -euo pipefail; current_time="$(curl -sSf -x "$TIME_SYNC_PROXY" "$TIME_SYNC_URL")"; date -u -s "$current_time"; echo "Time sync: updated enclave time to $current_time"'
-EOF
-
-  cat <<EOF >/etc/systemd/system/uid2-time-sync.timer
-[Unit]
-Description=UID2 enclave time sync timer
-
-[Timer]
-OnBootSec=300s
-OnUnitActiveSec=${TIME_SYNC_INTERVAL_SECONDS}s
-Unit=uid2-time-sync.service
-Persistent=true
-AccuracySec=1s
-
-[Install]
-WantedBy=timers.target
-EOF
-
-  systemctl daemon-reload
-  systemctl enable --now uid2-time-sync.timer
+start_time_sync_server() {
+  python3 - <<'PY' &
+import os
+import subprocess
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+TIME_SYNC_URL = os.environ.get("TIME_SYNC_URL", "http://127.0.0.1:27015/getCurrentTime")
+TIME_SYNC_PROXY = os.environ.get("TIME_SYNC_PROXY", "socks5h://127.0.0.1:3305")
+TIME_SYNC_TRIGGER_PORT = int(os.environ.get("TIME_SYNC_TRIGGER_PORT", "27100"))
+
+def sync_time() -> str:
+    current_time = subprocess.check_output(
+        ["curl", "-sSf", "-x", TIME_SYNC_PROXY, TIME_SYNC_URL],
+        text=True,
+    ).strip()
+    subprocess.check_call(["date", "-u", "-s", current_time])
+    return current_time
+
+class Handler(BaseHTTPRequestHandler):
+    def do_GET(self) -> None:
+        if self.path not in ("/", "/sync"):
+            self.send_response(404)
+            self.end_headers()
+            return
+        try:
+            result = sync_time()
+            print(f"Time sync: updated enclave time to {result}")
+            self.send_response(200)
+            self.end_headers()
+            self.wfile.write(f"OK {result}\n".encode())
+        except Exception as exc:  # pragma: no cover - best effort logging
+            print(f"Time sync error: {exc}")
+            self.send_response(500)
+            self.end_headers()
+            self.wfile.write(f"ERROR {exc}\n".encode())
+
+    def log_message(self, format, *args):  # noqa: N802 - match base class
+        return
+
+server = HTTPServer(("127.0.0.1", TIME_SYNC_TRIGGER_PORT), Handler)
+server.serve_forever()
+PY
 }
 
-enable_time_sync_timer
+start_time_sync_server
 
 build_parameterized_config() {
   curl -s -f -o "${PARAMETERIZED_CONFIG}" -x socks5h://127.0.0.1:3305 http://127.0.0.1:27015/getConfig
diff --git a/scripts/aws/proxies.host.yaml b/scripts/aws/proxies.host.yaml
@@ -19,3 +19,8 @@ syslogng:
   service: direct
   listen: vsock://-1:2011
   connect: tcp://127.0.0.1:2011
+time-sync:
+  service: direct
+  listen: tcp://127.0.0.1:27100
+  connect: vsock://42:27100
+
diff --git a/scripts/aws/proxies.nitro.yaml b/scripts/aws/proxies.nitro.yaml
@@ -19,3 +19,8 @@ syslogng:
   service: direct
   listen: tcp://127.0.0.1:2011
   connect: vsock://3:2011
+time-sync:
+  service: direct
+  listen: vsock://-1:27100
+  connect: tcp://127.0.0.1:27100
+
diff --git a/scripts/aws/uid2-operator-ami/ansible/playbook.yml b/scripts/aws/uid2-operator-ami/ansible/playbook.yml
@@ -167,6 +167,15 @@
       dest: /etc/systemd/system/uid2operator.service
       remote_src: yes
 
+  - name: Install time sync trigger script
+    ansible.builtin.copy:
+      dest: /usr/local/bin/uid2-time-sync
+      mode: "0755"
+      content: |
+        #!/usr/bin/env bash
+        set -euo pipefail
+        curl -sSf http://127.0.0.1:27100/sync > /dev/null
+
   - name: Install AWS Nitro Enclaves CLI
     ansible.builtin.dnf:
       name: aws-nitro-enclaves-cli
@@ -240,6 +249,13 @@
     ansible.builtin.systemd:
       name: uid2operator.service
       enabled: yes
+  
+  - name: Install time sync cron job
+    ansible.builtin.copy:
+      dest: /etc/cron.d/uid2-time-sync
+      mode: "0644"
+      content: |
+        */5 * * * * root /usr/local/bin/uid2-time-sync
 
   - name: Clean up tmp files
     file:
