I switched my main TemplateVM to Kicksecure and since then I have problems with sdwdate.
oathtool doesn’t give the right OTP anymore since the time is always inaccurate.Any way to fix this? Should I just use NTP (or maybe ntpsec) in the ClockVM?
Can you try to run sudo qvm-sync-clock in dom0 and then sudo systemctl restart sdwdate in the DispVM?
It seems to not be happening right now. I think it’s an intermittent error.
Now it’s happening again, even after doing this.
Shouldn’t sdwdate be disable in an offline VM (like the one I use for oathtool)?
For some reason it’s happening to me too randomly.
If the qube is offline then you can disable sdwdate since it can’t reach any domains for its test.
I think the problem was this supposedly fixed issue with qubes-sync-time. I fixed it for me by adding these 2 lines to /etc/rc.local (so it works for all VMs):
rm -v /var/run/qubes-service/clocksync
service qubes-sync-time restart
I also uninstalled sdwdate because it requires Tor working on the ClockVM (sys-net) and I’m using chrony instead (the default in Ubuntu nowadays). Uninstalling sdwdate triggered uninstalling a few things, so I’m not running a pure Kicksecure installation anymore.
This issue can be easily avoided nowadays using dummy-dependency.
sudo dummy-dependency sdwdate
Yes. Documentation:
sdwdate, Disable Autostart
As a future Kicksecure improvement, would be nice to disable sdwdate and boot clock randomization by default in offline VMs. Now I am wondering what might be the best way for a script to detect being inside an offline VM (excluding attempting to connect to external servers for privacy/security).