I'm working on a project where I'm updating an existing AWS Elastic Beanstalk environment to run on a CIS Benchmark hardened machine image. I'm able to launch a single EC2 instance normally, but when I try to put the image into Elastic Beanstalk, I'm running into issues with chronyd failures.
It looks to me that the problem is that in the CIS-hardened image, the /tmp directory and most others are mounted as noexec, and the Elastic Beanstalk bootstrap process unpacks some scripts and tries to run them from a noexec partition, and one of those does configuration which chronyd needs. Or else there's an issue with the socket.
The error shows up as such in eb-engine.log:
2022/10/18 18:06:14.704180 [INFO] Executing instruction: SyncClock
2022/10/18 18:06:14.704185 [INFO] Starting SyncClock
2022/10/18 18:06:14.704198 [INFO] Running command /bin/sh -c /usr/bin/chronyc tracking
2022/10/18 18:06:21.715994 [INFO] Reference ID : A9FEA97B (169.254.169.123)
Stratum : 4
Ref time (UTC) : Tue Oct 18 18:06:15 2022
System time : 0.000017567 seconds slow of NTP time
Last offset : -0.000058970 seconds
RMS offset : 0.000058970 seconds
Frequency : 6.422 ppm slow
Residual freq : -1.538 ppm
Skew : 0.225 ppm
Root delay : 0.000430699 seconds
Root dispersion : 0.000270378 seconds
Update interval : 16.0 seconds
Leap status : Normal
2022/10/18 18:06:21.716030 [INFO] Running command /bin/sh -c /usr/bin/chronyc -a makestep
2022/10/18 18:06:28.723982 [INFO] 501 Not authorised
2022/10/18 18:06:28.724013 [ERROR] An error occurred during execution of command [self-startup] - [SyncClock]. Stop running the command. Error: Command /bin/sh -c /usr/bin/chronyc -a makestep failed with error exit status 1
Obviously, this isn't chrony's fault, but I'm looking for advice on how to troubleshoot or work around the situation. If I put a User Data directive to run chronyd on instance boot, it creates chronyd.pid and chronyd.sock in /run/chrony, and the daemon seems to be syncing time, but all of the command line commands (like "chronyc sources") return nothing.
Any ideas?
--
Tom Holub, Founder and Principal
Practical strategic consulting for non-profits and the public sector
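
The two hypotheses in the message above (bootstrap scripts unpacked onto a noexec mount, and chronyc not reaching chronyd's socket under /run/chrony) can each be checked directly on the instance. The script below is an added example, not part of the original message and not Elastic Beanstalk's or chrony's own tooling; the function names and the sample mount table are constructed for illustration. It assumes chronyd's documented behaviour of accepting non-monitoring commands such as makestep only over its Unix domain socket and answering "501 Not authorised" when chronyc has fallen back to UDP.

```shell
#!/bin/sh
# Added example; function names and the sample table are constructed.

# Constructed sample in /proc/mounts format (not from a real instance).
sample_mounts() {
cat <<'EOF'
/dev/nvme0n1p1 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/nvme1n1 /var xfs rw,nodev,relatime 0 0
/dev/nvme2n1 /var/tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
}

# Print the options of the mount that holds path $1: the longest mount
# point that is a prefix of the path. Reads /proc/mounts lines on stdin.
mount_opts_for() {
  awk -v p="$1" '
    BEGIN { best = 0 }
    { mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1)
        if (length(mp) >= best) { best = length(mp); opts = $4 } }
    END { print opts }'
}

# Succeed if path $1 sits on a filesystem mounted noexec (mounts on stdin).
is_noexec() {
  case ",$(mount_opts_for "$1")," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only if the chronyd command socket exists and is a socket.
chrony_sock_ok() {
  [ -S "${1:-/run/chrony/chronyd.sock}" ]
}

report() {
  for d in "$@"; do
    if is_noexec "$d" < "${MOUNTS_FILE:-/proc/mounts}"; then
      echo "$d: noexec (scripts unpacked here cannot be executed directly)"
    else
      echo "$d: exec allowed"
    fi
  done
  if chrony_sock_ok; then echo "chronyd.sock: present"
  else echo "chronyd.sock: missing or not a socket"; fi
}

# Usage on the instance, as root: sh check.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then report "$@"; fi
```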