Push host wall-clock to guest every minute to correct drift

VMs have no RTC. The guest clock is set once in Supervisor.start(),
so long host sleeps (laptop lid, suspend) leave the guest's
CLOCK_REALTIME frozen for the sleep duration — breaking TLS cert
validation and every mtime-driven build tool after resume.

Add Supervisor.syncClock(epoch, epochNanos) — an idempotent, cheap
RPC that just re-applies clock_settime. The host ticks it every 60 s
from cmd_start after Supervisor.start() returns. Errors are logged at
debug since transient RPC failures aren't alarming.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: milankinen

app/airlock-cli/src/cli/cmd_start.rs

@@ -216,6 +216,12 @@ async fn run(
         .await?;
     info!("vm process started");
 
+    // Push the host wall-clock into the guest every minute so the VM
+    // clock stays in sync across host sleeps (laptop lid closed,
+    // suspend). VMs have no RTC, so without this the guest time
+    // drifts by exactly the sleep duration.
+    supervisor.spawn_clock_sync(std::time::Duration::from_secs(60));
+
     // Start CLI server so `airlock exec` can attach processes to this VM.
     // The server needs a copy of the sandbox's resolved env so it can layer
     // `airlock exec -e KEY=VAL` overrides on top without the exec client

app/airlock-cli/src/rpc/supervisor.rs

@@ -106,6 +106,35 @@ impl Supervisor {
         self.supervisor.clone()
     }
 
+    /// Spawn a background task that pushes the host wall-clock into the
+    /// guest every `interval`. VMs have no RTC, so long host sleeps
+    /// (laptop lid closed, suspend) cause the guest clock to drift —
+    /// breaking TLS validation and every `mtime`-driven build tool.
+    /// The RPC is cheap (one UInt64 + UInt32 round-trip) and idempotent;
+    /// we just keep re-setting the guest clock to the current host
+    /// value.
+    pub fn spawn_clock_sync(&self, interval: std::time::Duration) {
+        let supervisor = self.supervisor.clone();
+        tokio::task::spawn_local(async move {
+            let mut ticker = tokio::time::interval(interval);
+            // Skip the immediate first tick — the guest's clock was
+            // just set by `Supervisor.start`.
+            ticker.tick().await;
+            loop {
+                ticker.tick().await;
+                let now = std::time::SystemTime::now()
+                    .duration_since(std::time::UNIX_EPOCH)
+                    .unwrap_or_default();
+                let mut req = supervisor.sync_clock_request();
+                req.get().set_epoch(now.as_secs());
+                req.get().set_epoch_nanos(now.subsec_nanos());
+                if let Err(e) = req.send().promise.await {
+                    tracing::debug!("clock sync: {e}");
+                }
+            }
+        });
+    }
+
     /// Send the initial `Supervisor.start()` RPC to bootstrap the VM and
     /// launch the main container process. Returns a [`Process`] handle for
     /// polling output and forwarding signals.

app/airlock-common/schema/supervisor.capnp

@@ -81,6 +81,12 @@ interface Supervisor {
   # every still-running daemon. Host follows up with `pollDaemons` until
   # all daemons reach a terminal state (`stopped` or `killed`).
   shutdownDaemons @7 () -> ();
+
+  # Reapply the host wall-clock to the guest. VMs have no RTC; the
+  # initial clock is set in `start @0`, but long host sleeps (laptop
+  # lid closed) cause the guest time to drift. The host polls this
+  # every few seconds to keep them within wake-up-jitter of each other.
+  syncClock @8 (epoch :UInt64, epochNanos :UInt32) -> ();
 }
 
 struct DaemonSpec {

app/airlockd/src/init.rs

@@ -83,3 +83,14 @@ pub fn setup(
 ) -> anyhow::Result<()> {
     unimplemented!("supervisor only runs inside the Linux VM");
 }
+
+/// Reapply the host wall-clock to the guest. Idempotent; called at
+/// startup via `setup` and periodically thereafter via the
+/// `Supervisor.syncClock` RPC to correct drift after host sleeps.
+#[cfg(target_os = "linux")]
+pub fn set_clock(epoch: u64, epoch_nanos: u32) {
+    linux::set_clock(epoch, epoch_nanos);
+}
+
+#[cfg(not(target_os = "linux"))]
+pub fn set_clock(_epoch: u64, _epoch_nanos: u32) {}

app/airlockd/src/init/linux.rs

@@ -19,6 +19,12 @@ mod mount;
 mod net;
 mod overlay;
 
+/// Apply the host wall-clock to `CLOCK_REALTIME`. See
+/// [`super::set_clock`].
+pub(super) fn set_clock(epoch: u64, epoch_nanos: u32) {
+    clock::set(epoch, epoch_nanos);
+}
+
 /// Run all guest initialization steps in order, including container mounts.
 pub fn setup(
     config: &InitConfig,

app/airlockd/src/rpc.rs

@@ -422,4 +422,14 @@ impl supervisor::Server for SupervisorImpl {
         }
         Ok(())
     }
+
+    async fn sync_clock(
+        self: Rc<Self>,
+        params: supervisor::SyncClockParams,
+        _results: supervisor::SyncClockResults,
+    ) -> Result<(), capnp::Error> {
+        let params = params.get()?;
+        crate::init::set_clock(params.get_epoch(), params.get_epoch_nanos());
+        Ok(())
+    }
 }

docs/manual/src/technical/vm-init.md

@@ -16,7 +16,9 @@ mounts win over earlier dir bind mounts.
 
 1. **Clock** (`clock::set`) — the host passes Unix epoch + nanos in
    the `start` RPC; the guest sets the system clock so timestamps are
-   correct from the start.
+   correct from the start. The host re-pushes the wall-clock every
+   minute via `Supervisor.syncClock` to correct drift after host
+   sleeps (VMs have no RTC).
 
 2. **VirtioFS shares** (`mount::virtiofs`):
    - `layers` — shared per-layer OCI cache (read-only).