The time on my Linux machine will not stay put. I need to test an issue with our server that only occurs on Saturdays.
- CentOS 6.5 64-bit
- I have NTPD off. (
service ntpd stop
andchkconfig ntpd off
) - I have the virtual BIOS/ HW clock set to May 2, 2015
- Changing the time to future or past has the same effect.
- I set the date on the command line with
date --set "02 May 2015 11:00:00"
date
replies properly and shows the date is May 2 2015- Nothing related to time/ntp in
cron.d
,cron.daily
,cron.hourly
, etc.
After a few minutes the time will force itself back to the proper date.
What else could be running to continually change the time back?
Where is it getting its info!?
Best Answer
For this answer, I'll assume that there may be several elements working hard to set your time straight. Since I don't really want to wild-guess about which one is working against you, I'll try and give you an answer which should help you find it yourself instead.
On a UNIX system, the clock can typically be set using the
stime
system call. As things evolved, it also became possible to set the clocks more accurately using theclock_settime
call instead. You might also come accrosssettimeofday
. When runningdate --set
on a CentOS machine,strace
revealed that it usedclock_settime
.Knowing this, a solution would be to trace these system calls. Good thing is, Linux has a mechanism for that: debugfs. On my system, calling
mount
, I can see that this is available at/sys/kernel/debug
:However, on some systems (including RedHat and probably CentOS), it isn't mounted at boot time. You'll therefore need to run...
Also note that if you were in that directory before mounting, you might have to go out and back in before files start to appear in it.
Now we're ready to go. Let's enable the trace for our systems calls. I'm tracing all of them because I don't really want to check which one is really being used. Tracing for system calls can be set in
/sys/kernel/debug/tracing/events/syscalls
. In this directory, you should find...sys_enter_stime
sys_enter_clock_settime
sys_enter_settimeofday
... depending on what's available on your system.
These correspond to the events of entering our system calls, which is what we want to trace (you'll also find
sys_exit_*
directories). Within each directory, you'll find a file namedenable
, the contents of which should appear to be 0. To trace these calls, set that to 1 instead:Now that we've set up our trap, just wait until something sets your time to its correct value. Once it has happened, run for the trace logs at...
Now, unless something wrong occured, you should see one of the following lines:
The number right after
stime-
(or another call's name) is the PID of the process which made the system call. Now go get it:You should now have everything you need to make sure your system stops getting the time right. The simplest thing would probably be to kill the process, and make sure it isn't spawned at boot time ; of course, you'll have to make sure it doesn't serve a more important purpose before doing so : you don't want to completely crash your system...
Also remember to disable the trace when you're done by writing 0 to the files we edited earlier. A shortcut could be:
(this file acts as a master switch for all others ; it allows you to switch all system calls tracing off)
Note: as Mark Plotnick said in a comment
systemtap
could be a slightly easier way to achieve similar results. I'll let him write astap
answer if he feels like it, since I'm not fluent withstap
scripts at all.