fde: sync time to system before call cdh if run in aliyun ecs

imlk0 · imlk0 · commit ec90b9ee8bfc · 2025-07-07T17:20:42.000+08:00
Signed-off-by: Kun Lai &lt;laikun@linux.alibaba.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -26,12 +26,13 @@ libc = "0.2.161"
 liblmod = "0.2.0"
 loopdev-3 = {git = "https://github.com/stratis-storage/loopdev-3.git", tag = "loopdev-3-v0.5.1"}
 mnt = "0.3.1"
-nix = {version = "0.29.0", features = ["ioctl", "feature"]}
+nix = {version = "0.29.0", features = ["ioctl", "feature", "time"]}
 num_cpus = "1.16.0"
 ordermap = "0.5.6"
 protobuf = {version = "~3.4.0", optional = true}
 rand = {version = "0.8.5", features = ["std_rng"]}
 reqwest = {version = "0.12.9", default-features = false, features = ["rustls-tls"]}
+rsntp = "4.0.0"
 scopeguard = "1.2.0"
 serde = {version = "1.0", features = ["derive"]}
 serde_json = {version = "1", optional = true}
diff --git a/cryptpilot.spec b/cryptpilot.spec
@@ -1,5 +1,5 @@
 %global debug_package %{nil}
-%define release_num 4
+%define release_num 5
 
 Name: cryptpilot
 Version: 0.2.5
@@ -139,6 +139,10 @@ fi
 
 
 %changelog
+* Mon Jul  7 2025 Kun Lai <laikun@linux.alibaba.com> - 0.2.5-5
+- fde: sync time to system before call cdh if run in aliyun ecs.
+- fde: add timeout fetching config from cloudinit.
+
 * Wed Jul  2 2025 Kun Lai <laikun@linux.alibaba.com> - 0.2.5-4
 - Fix "Failed to load kernel module 'nbd'" when used in docker container.
 
diff --git a/src/cmd/boot_service/mod.rs b/src/cmd/boot_service/mod.rs
@@ -1,6 +1,7 @@
 pub mod copy_config;
 pub mod initrd_state;
 pub mod metadata;
+pub mod time_sync;
 
 use std::path::Path;
 
@@ -47,15 +48,12 @@ impl super::Command for BootServiceCommand {
     async fn run(&self) -> Result<()> {
         match &self.boot_service_options.stage {
             BootStage::InitrdFdeBeforeSysroot => {
+                time_sync::sync_time_to_system().await?;
+
                 setup_volumes_required_by_fde()
                     .await
                     .context("Failed to setup volumes required by FDE")?;
             }
-            BootStage::SystemVolumesAutoOpen => {
-                setup_user_provided_volumes(&self.boot_service_options)
-                    .await
-                    .context("Failed to setup volumes user provided automatically")?;
-            }
             BootStage::InitrdFdeAfterSysroot => {
                 let measure = AutoDetectMeasure::new().await;
                 if let Err(e) = measure
@@ -70,6 +68,11 @@ impl super::Command for BootServiceCommand {
                     .await
                     .context("Failed to setup mounts required by FDE")?;
             }
+            BootStage::SystemVolumesAutoOpen => {
+                setup_user_provided_volumes(&self.boot_service_options)
+                    .await
+                    .context("Failed to setup volumes user provided automatically")?;
+            }
         }
 
         tracing::info!("Everything have been completed, exit now");
diff --git a/src/cmd/boot_service/time_sync.rs b/src/cmd/boot_service/time_sync.rs
@@ -0,0 +1,84 @@
+use anyhow::{Context, Result};
+use rsntp::AsyncSntpClient;
+use tokio::net::TcpStream;
+
+use std::time::Duration;
+
+async fn check_is_aliyun_ecs() -> bool {
+    matches!(
+        tokio::time::timeout(
+            Duration::from_secs(5),
+            TcpStream::connect(("100.100.100.200", 80)),
+        )
+        .await,
+        Ok(Ok(_))
+    )
+}
+
+async fn get_time_from_ntp() -> Result<Duration> {
+    // Use the ntp server here: https://help.aliyun.com/zh/ecs/user-guide/alibaba-cloud-ntp-server#1d2319ae414lc
+    let mut client = AsyncSntpClient::new();
+    client.set_timeout(Duration::from_secs(10));
+    let result = client.synchronize("ntp.cloud.aliyuncs.com").await?;
+    let unix_timetamp_utc = result.datetime().unix_timestamp()?;
+    Ok(unix_timetamp_utc)
+}
+
+pub async fn sync_time_to_system() -> Result<()> {
+    let is_ecs = check_is_aliyun_ecs().await;
+    if !is_ecs {
+        tracing::debug!("Not a Aliyun ECS instance, skip syncing system time");
+        return Ok(());
+    } else {
+        tracing::info!("Aliyun ECS instance detected, sync system time now");
+
+        let unix_timetamp_utc = get_time_from_ntp()
+            .await
+            .context("Failed to get time from NTP server")?;
+        tracing::info!(?unix_timetamp_utc, "Got UNIX timestamp from NTP server");
+
+        // Note CAP_SYS_TIME is required to set system time
+        nix::time::clock_settime(
+            nix::time::ClockId::CLOCK_REALTIME,
+            nix::sys::time::TimeSpec::from_duration(unix_timetamp_utc),
+        )
+        .context("Failed to set system time")?;
+    }
+
+    Ok(())
+}
+
+#[cfg(test)]
+pub mod tests {
+
+    #[allow(unused_imports)]
+    use super::*;
+    use anyhow::Result;
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 10)]
+    async fn test_time() -> Result<()> {
+        let is_ecs = check_is_aliyun_ecs().await;
+        if !is_ecs {
+            /* Skip */
+            return Ok(());
+        } else {
+            let unix_timetamp_utc = get_time_from_ntp()
+                .await
+                .context("Failed to get time from NTP server")?;
+
+            println!("Got: {unix_timetamp_utc:?}");
+            let current_sys_time = Duration::from(nix::time::clock_gettime(
+                nix::time::ClockId::CLOCK_REALTIME,
+            )?);
+
+            let diff = if current_sys_time >= unix_timetamp_utc {
+                current_sys_time - unix_timetamp_utc
+            } else {
+                unix_timetamp_utc - current_sys_time
+            };
+            assert!(diff <= Duration::from_secs(10));
+
+            Ok(())
+        }
+    }
+}
