Merge branch 'c9' into a9
commit
1aecc8f651
@ -1,3 +1,3 @@
|
|||||||
15dc1976653f17d290b65007a4779e3f4ac1833e SOURCES/chrony-4.1.tar.gz
|
0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz
|
||||||
6f953389765ec334465ebdef4199e25c0290646e SOURCES/clknetsim-f89702.tar.gz
|
2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz
|
||||||
1395afa521d2e3302a31083edcf568bbc036aafc SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
|
1395afa521d2e3302a31083edcf568bbc036aafc SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
|
||||||
|
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,3 +1,3 @@
|
|||||||
SOURCES/chrony-4.1.tar.gz
|
SOURCES/chrony-4.2.tar.gz
|
||||||
SOURCES/clknetsim-f89702.tar.gz
|
SOURCES/clknetsim-824c48.tar.gz
|
||||||
SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
|
SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
|
||||||
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmCdA+8ACgkQU34rdvdo
|
|
||||||
DayU8Q/9FCKZSecv//ZdhH89eVYyQZsb7AREqhiJqaWHekd08Hj8UZx9SA+0JtSl
|
|
||||||
QwnGJNOrF76gbvyvjCzVmUSnIuHWADK6tAWxm8RBXqjoIS9Qv15sIpVVvTGDWxJQ
|
|
||||||
shN2Tag5gplI6ZRp2rJAggxxtqVR2ZC3sZ+ay5LHQUhN2buxqy/v3XZXaTtfqRtI
|
|
||||||
QLq8IVXH7f08D+F0mlH+okJ0qyemP1KYMrD9XqZjmwUupAVhrVj0UCtn+wDszbbr
|
|
||||||
hWcs12brtSq13YUu2hbU5tXS++BEVJ1QM9+7OvG2V2idV6NRIsDhLjNPJwdYC4Dw
|
|
||||||
kJjN2dA1/tH9YaSUUV1vcSSSmkwYki2WJijIWMluoOlbO6aIR1+ohwkror4GztQL
|
|
||||||
0hOnVgXgTTPCS1hb5qi2nG+n6p1iKDOHudGQoyqV+qbAZYAGPGaC5jd3vDKLlI1F
|
|
||||||
TCmXL68VtTxamjI7hAUCvt1uMWtVhkogw1Y9pHU1D8PeB5iqPK6slLU0hAn1lhB9
|
|
||||||
AUlJ/AFSTXXqpWOuUnMx8mC9xLbekeE+KnM/IfO3BUm7CgUO8pOBCteCisHl/IFU
|
|
||||||
7Y7AmsB+15DjJasqLhhKiVeMTbMJBlA5a9y3kvbUJv0uhS1fl0XrYK6Ht09/6t3C
|
|
||||||
CGy+YB7OfBp1w1kKix6kmsNVjGSL9s+pODRsj/vHAxTbzzbX80Y=
|
|
||||||
=rNMW
|
|
||||||
-----END PGP SIGNATURE-----
|
|
16
SOURCES/chrony-4.2-tar-gz-asc.txt
Normal file
16
SOURCES/chrony-4.2-tar-gz-asc.txt
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo
|
||||||
|
Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN
|
||||||
|
NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ
|
||||||
|
CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz
|
||||||
|
R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum
|
||||||
|
ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM
|
||||||
|
TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1
|
||||||
|
2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI
|
||||||
|
cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/
|
||||||
|
QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS
|
||||||
|
9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn
|
||||||
|
2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA=
|
||||||
|
=F4BS
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +1,146 @@
|
|||||||
|
commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14
|
||||||
|
Author: Miroslav Lichvar <mlichvar@redhat.com>
|
||||||
|
Date: Mon Feb 7 13:27:25 2022 +0100
|
||||||
|
|
||||||
|
examples: support DHCPv6 NTP servers in NM dispatcher script
|
||||||
|
|
||||||
|
Latest NetworkManager code provides NTP servers from the DHCPv6 NTP
|
||||||
|
option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher
|
||||||
|
scripts.
|
||||||
|
|
||||||
|
Check for invalid characters (which can come from the FQDN suboption)
|
||||||
|
and include the servers in the interface-specific sources file.
|
||||||
|
|
||||||
|
diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
|
||||||
|
index 6ea4c370..4454f037 100644
|
||||||
|
--- a/examples/chrony.nm-dispatcher.dhcp
|
||||||
|
+++ b/examples/chrony.nm-dispatcher.dhcp
|
||||||
|
@@ -1,8 +1,7 @@
|
||||||
|
#!/bin/sh
|
||||||
|
# This is a NetworkManager dispatcher script for chronyd to update
|
||||||
|
-# its NTP sources passed from DHCP options. Note that this script is
|
||||||
|
-# specific to NetworkManager-dispatcher due to use of the
|
||||||
|
-# DHCP4_NTP_SERVERS environment variable.
|
||||||
|
+# its NTP sources with servers from DHCP options passed by NetworkManager
|
||||||
|
+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables.
|
||||||
|
|
||||||
|
export LC_ALL=C
|
||||||
|
|
||||||
|
@@ -10,17 +9,19 @@ interface=$1
|
||||||
|
action=$2
|
||||||
|
|
||||||
|
chronyc=/usr/bin/chronyc
|
||||||
|
-default_server_options=iburst
|
||||||
|
+server_options=iburst
|
||||||
|
server_dir=/var/run/chrony-dhcp
|
||||||
|
|
||||||
|
dhcp_server_file=$server_dir/$interface.sources
|
||||||
|
-# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
|
||||||
|
-nm_dhcp_servers=$DHCP4_NTP_SERVERS
|
||||||
|
+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
|
||||||
|
|
||||||
|
add_servers_from_dhcp() {
|
||||||
|
rm -f "$dhcp_server_file"
|
||||||
|
- for server in $nm_dhcp_servers; do
|
||||||
|
- echo "server $server $default_server_options" >> "$dhcp_server_file"
|
||||||
|
+ for server in $dhcp_ntp_servers; do
|
||||||
|
+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
|
||||||
|
+ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
|
||||||
|
+
|
||||||
|
+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
|
||||||
|
done
|
||||||
|
$chronyc reload sources > /dev/null 2>&1 || :
|
||||||
|
}
|
||||||
|
@@ -34,10 +35,11 @@ clear_servers_from_dhcp() {
|
||||||
|
|
||||||
|
mkdir -p $server_dir
|
||||||
|
|
||||||
|
-if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then
|
||||||
|
- add_servers_from_dhcp
|
||||||
|
-elif [ "$action" = "down" ]; then
|
||||||
|
- clear_servers_from_dhcp
|
||||||
|
-fi
|
||||||
|
+case "$action" in
|
||||||
|
+ up|dhcp4-change|dhcp6-change)
|
||||||
|
+ add_servers_from_dhcp;;
|
||||||
|
+ down)
|
||||||
|
+ clear_servers_from_dhcp;;
|
||||||
|
+esac
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf
|
||||||
|
Author: Miroslav Lichvar <mlichvar@redhat.com>
|
||||||
|
Date: Mon Feb 7 13:27:48 2022 +0100
|
||||||
|
|
||||||
|
examples: handle more actions in NM dispatcher script
|
||||||
|
|
||||||
|
Run the chronyc onoffline command also when the connectivity-change
|
||||||
|
and dhcp6-change actions are reported by the NetworkManager dispatcher.
|
||||||
|
|
||||||
|
The latter should not be necessary, but there currently doesn't seem to
|
||||||
|
be any action for IPv6 becoming routable after duplicate address
|
||||||
|
detection, so at least in networks using DHCPv6, IPv6 NTP servers should
|
||||||
|
not be stuck in the offline state from a previously reported action.
|
||||||
|
|
||||||
|
diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline
|
||||||
|
index 34cfa0db..01e6fdb1 100644
|
||||||
|
--- a/examples/chrony.nm-dispatcher.onoffline
|
||||||
|
+++ b/examples/chrony.nm-dispatcher.onoffline
|
||||||
|
@@ -7,8 +7,18 @@ export LC_ALL=C
|
||||||
|
|
||||||
|
chronyc=/usr/bin/chronyc
|
||||||
|
|
||||||
|
-# For NetworkManager consider only up/down events
|
||||||
|
-[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
|
||||||
|
+# For NetworkManager consider only selected events
|
||||||
|
+if [ $# -ge 2 ]; then
|
||||||
|
+ case "$2" in
|
||||||
|
+ up|down|connectivity-change)
|
||||||
|
+ ;;
|
||||||
|
+ dhcp6-change)
|
||||||
|
+ # No other action is reported for routable IPv6
|
||||||
|
+ ;;
|
||||||
|
+ *)
|
||||||
|
+ exit 0;;
|
||||||
|
+ esac
|
||||||
|
+fi
|
||||||
|
|
||||||
|
# Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
|
||||||
|
|
||||||
|
commit fca8966adaaf8376536af86ba2afe02501463588
|
||||||
|
Author: Miroslav Lichvar <mlichvar@redhat.com>
|
||||||
|
Date: Wed Mar 23 15:17:03 2022 +0100
|
||||||
|
|
||||||
|
examples: replace grep command in NM dispatcher script
|
||||||
|
|
||||||
|
Some grep implementations detect binary data and return success without
|
||||||
|
matching whole line. This might be an issue for the DHCPv6 NTP FQDN
|
||||||
|
check. The GNU grep in the C locale seems to check only for the NUL
|
||||||
|
character, which cannot be passed in an environment variable, but other
|
||||||
|
implementations might behave differently and there doesn't seem to be a
|
||||||
|
portable way to force matching the whole line.
|
||||||
|
|
||||||
|
Instead of the grep command, check for invalid characters by comparing
|
||||||
|
the length of the input passed through "tr -d -c".
|
||||||
|
|
||||||
|
diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
|
||||||
|
index 4454f037..547ce83f 100644
|
||||||
|
--- a/examples/chrony.nm-dispatcher.dhcp
|
||||||
|
+++ b/examples/chrony.nm-dispatcher.dhcp
|
||||||
|
@@ -19,7 +19,11 @@ add_servers_from_dhcp() {
|
||||||
|
rm -f "$dhcp_server_file"
|
||||||
|
for server in $dhcp_ntp_servers; do
|
||||||
|
# Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
|
||||||
|
- printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
|
||||||
|
+ len1=$(printf '%s' "$server" | wc -c)
|
||||||
|
+ len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c)
|
||||||
|
+ if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then
|
||||||
|
+ continue
|
||||||
|
+ fi
|
||||||
|
|
||||||
|
printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
|
||||||
|
done
|
||||||
From: Robert Fairley <rfairley@redhat.com>
|
From: Robert Fairley <rfairley@redhat.com>
|
||||||
Date: Wed, 17 Jun 2020 10:14:19 -0400
|
Date: Wed, 17 Jun 2020 10:14:19 -0400
|
||||||
Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig
|
Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig
|
||||||
@ -11,33 +154,29 @@ diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.
|
|||||||
index 6ea4c37..a6ad35a 100644
|
index 6ea4c37..a6ad35a 100644
|
||||||
--- a/examples/chrony.nm-dispatcher.dhcp
|
--- a/examples/chrony.nm-dispatcher.dhcp
|
||||||
+++ b/examples/chrony.nm-dispatcher.dhcp
|
+++ b/examples/chrony.nm-dispatcher.dhcp
|
||||||
@@ -6,16 +6,24 @@
|
@@ -8,15 +8,23 @@ export LC_ALL=C
|
||||||
|
interface=$1
|
||||||
chronyc=/usr/bin/chronyc
|
action=$2
|
||||||
default_server_options=iburst
|
|
||||||
-server_dir=/var/run/chrony-dhcp
|
|
||||||
+server_dir=/run/chrony-dhcp
|
|
||||||
|
|
||||||
dhcp_server_file=$server_dir/$interface.sources
|
|
||||||
# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
|
|
||||||
nm_dhcp_servers=$DHCP4_NTP_SERVERS
|
|
||||||
|
|
||||||
+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
|
+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
|
||||||
+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
|
+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
|
||||||
+ . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
|
+ . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
|
||||||
+
|
+
|
||||||
|
chronyc=/usr/bin/chronyc
|
||||||
|
-server_options=iburst
|
||||||
|
-server_dir=/var/run/chrony-dhcp
|
||||||
|
+server_options=${NTPSERVERARGS:-iburst}
|
||||||
|
+server_dir=/run/chrony-dhcp
|
||||||
|
|
||||||
|
dhcp_server_file=$server_dir/$interface.sources
|
||||||
|
dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
|
||||||
|
|
||||||
add_servers_from_dhcp() {
|
add_servers_from_dhcp() {
|
||||||
rm -f "$dhcp_server_file"
|
rm -f "$dhcp_server_file"
|
||||||
+
|
+
|
||||||
+ # Don't add NTP servers if PEERNTP=no specified; return early.
|
+ # Don't add NTP servers if PEERNTP=no specified; return early.
|
||||||
+ [ "$PEERNTP" = "no" ] && return
|
+ [ "$PEERNTP" = "no" ] && return
|
||||||
+
|
+
|
||||||
for server in $nm_dhcp_servers; do
|
for server in $dhcp_ntp_servers; do
|
||||||
- echo "server $server $default_server_options" >> "$dhcp_server_file"
|
# Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
|
||||||
+ echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file"
|
len1=$(printf '%s' "$server" | wc -c)
|
||||||
done
|
|
||||||
$chronyc reload sources > /dev/null 2>&1 || :
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
|
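Review bot: In the sysconfig hunk of this patch, the `PEERNTP=no` early return in `add_servers_from_dhcp` comes after `rm -f "$dhcp_server_file"` but before the `$chronyc reload sources` call that the earlier hunk shows at the end of the function. The sources file is therefore deleted without chronyd being told. If DHCP-provided servers were loaded before the administrator set PEERNTP=no, chronyd would presumably keep using them until something else triggers a reload, which undercuts a setting meant to stop trusting DHCP-supplied time sources. Consider `if [ "$PEERNTP" = "no" ]; then $chronyc reload sources > /dev/null 2>&1 || :; return; fi` in place of the one-line `&& return`. The function body continues outside this hunk, so the placement should be confirmed against the patched script.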
@ -1,30 +1,31 @@
|
|||||||
commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a
|
commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d
|
||||||
Author: Miroslav Lichvar <mlichvar@redhat.com>
|
Author: Michael Hudson-Doyle <michael.hudson@canonical.com>
|
||||||
Date: Mon Aug 9 11:48:21 2021 +0200
|
Date: Wed Feb 9 09:06:13 2022 +0100
|
||||||
|
|
||||||
sys_linux: allow clone3 and pread64 in seccomp filter
|
sys_linux: allow rseq in seccomp filter
|
||||||
|
|
||||||
These seem to be needed with the latest glibc.
|
Libc 2.35 will use rseq syscalls [1][2] by default and thereby
|
||||||
|
break chrony in seccomp isolation.
|
||||||
|
|
||||||
|
[1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
|
||||||
|
[2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
|
||||||
|
|
||||||
|
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
|
||||||
|
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
|
||||||
|
Signed-off-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
|
||||||
|
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
|
||||||
|
|
||||||
diff --git a/sys_linux.c b/sys_linux.c
|
diff --git a/sys_linux.c b/sys_linux.c
|
||||||
index 50c08431..2b53f722 100644
|
index 9cab2efa..cc3c9311 100644
|
||||||
--- a/sys_linux.c
|
--- a/sys_linux.c
|
||||||
+++ b/sys_linux.c
|
+++ b/sys_linux.c
|
||||||
@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
|
@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
|
||||||
|
SCMP_SYS(getrlimit),
|
||||||
/* Process */
|
SCMP_SYS(getuid),
|
||||||
SCMP_SYS(clone),
|
SCMP_SYS(getuid32),
|
||||||
+#ifdef __NR_clone3
|
+#ifdef __NR_rseq
|
||||||
+ SCMP_SYS(clone3),
|
+ SCMP_SYS(rseq),
|
||||||
+#endif
|
+#endif
|
||||||
SCMP_SYS(exit),
|
SCMP_SYS(rt_sigaction),
|
||||||
SCMP_SYS(exit_group),
|
SCMP_SYS(rt_sigreturn),
|
||||||
SCMP_SYS(getpid),
|
SCMP_SYS(rt_sigprocmask),
|
||||||
@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
|
|
||||||
#ifdef __NR_ppoll_time64
|
|
||||||
SCMP_SYS(ppoll_time64),
|
|
||||||
#endif
|
|
||||||
+ SCMP_SYS(pread64),
|
|
||||||
SCMP_SYS(pselect6),
|
|
||||||
#ifdef __NR_pselect6_time64
|
|
||||||
SCMP_SYS(pselect6_time64),
|
|
||||||
|
38
SOURCES/chrony-services.patch
Normal file
38
SOURCES/chrony-services.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
diff -up chrony-4.2/examples/chronyd.service.services chrony-4.2/examples/chronyd.service
|
||||||
|
--- chrony-4.2/examples/chronyd.service.services 2021-12-16 13:17:42.000000000 +0100
|
||||||
|
+++ chrony-4.2/examples/chronyd.service 2022-01-19 13:55:59.066677473 +0100
|
||||||
|
@@ -32,8 +32,7 @@ ProtectKernelLogs=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectProc=invisible
|
||||||
|
-ProtectSystem=strict
|
||||||
|
-ReadWritePaths=/run /var/lib/chrony -/var/log
|
||||||
|
+ProtectSystem=full
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
@@ -42,7 +41,6 @@ SystemCallFilter=~@cpu-emulation @debug
|
||||||
|
|
||||||
|
# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
|
||||||
|
NoNewPrivileges=no
|
||||||
|
-ReadWritePaths=-/var/spool
|
||||||
|
RestrictAddressFamilies=AF_NETLINK
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
|
||||||
|
Avoid a SELinux issue
|
||||||
|
|
||||||
|
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
|
||||||
|
index 72b028f2..57646950 100644
|
||||||
|
--- a/examples/chrony-wait.service
|
||||||
|
+++ b/examples/chrony-wait.service
|
||||||
|
@@ -18,7 +18,7 @@ StandardOutput=null
|
||||||
|
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
DevicePolicy=closed
|
||||||
|
-DynamicUser=yes
|
||||||
|
+#DynamicUser=yes
|
||||||
|
IPAddressAllow=localhost
|
||||||
|
IPAddressDeny=any
|
||||||
|
LockPersonality=yes
|
||||||
|
|
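Review bot: Both service-file diffs in this patch loosen sandboxing without recording why: the chronyd.service part has no description at all, and the chrony-wait.service part says only "Avoid a SELinux issue". `ProtectSystem=full` keeps only /usr, /boot, /efi and /etc read-only, so replacing `strict` and dropping both `ReadWritePaths=` lines makes the rest of the file system writable again, subject to ordinary permissions. Commenting out `DynamicUser=yes` also drops the settings systemd implies with it (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC), and unless a `User=` line exists outside the hunk, chrony-wait would run as root. I would add a header comment to each part naming the denial or bug it works around, e.g. `# ProtectSystem=strict reverted: <bug reference>`, so the hardening can be restored once the policy allows it.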
@ -1,5 +1,5 @@
|
|||||||
%global _hardened_build 1
|
%global _hardened_build 1
|
||||||
%global clknetsim_ver f89702
|
%global clknetsim_ver 824c48
|
||||||
%bcond_without debug
|
%bcond_without debug
|
||||||
%bcond_without nts
|
%bcond_without nts
|
||||||
|
|
||||||
@ -8,8 +8,8 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: chrony
|
Name: chrony
|
||||||
Version: 4.1
|
Version: 4.2
|
||||||
Release: 3%{?dist}.alma
|
Release: 1%{?dist}.alma
|
||||||
Summary: An NTP client/server
|
Summary: An NTP client/server
|
||||||
|
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
@ -22,14 +22,16 @@ Source3: chrony.dhclient
|
|||||||
Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
|
Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
|
||||||
%{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
|
%{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
|
||||||
|
|
||||||
# add distribution-specific bits to DHCP dispatcher
|
# add IPv6 support and distribution-specific bits to DHCP dispatcher
|
||||||
Patch1: chrony-nm-dispatcher-dhcp.patch
|
Patch1: chrony-nm-dispatcher-dhcp.patch
|
||||||
# update seccomp filter for new glibc
|
# update seccomp filter for new glibc
|
||||||
Patch2: chrony-seccomp.patch
|
Patch2: chrony-seccomp.patch
|
||||||
|
# revert some hardening options in service files
|
||||||
|
Patch3: chrony-services.patch
|
||||||
|
|
||||||
BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
|
BuildRequires: gnutls-devel libcap-devel libedit-devel pps-tools-devel
|
||||||
BuildRequires: gcc gcc-c++ make bison systemd gnupg2
|
BuildRequires: gcc gcc-c++ make bison systemd gnupg2
|
||||||
%{?with_nts:BuildRequires: gnutls-devel gnutls-utils}
|
%{?with_nts:BuildRequires: gnutls-utils}
|
||||||
%{?with_seccomp:BuildRequires: libseccomp-devel}
|
%{?with_seccomp:BuildRequires: libseccomp-devel}
|
||||||
|
|
||||||
Requires(pre): shadow-utils
|
Requires(pre): shadow-utils
|
||||||
@ -58,18 +60,19 @@ service to other computers in the network.
|
|||||||
%{?gitpatch:%patch0 -p1}
|
%{?gitpatch:%patch0 -p1}
|
||||||
%patch1 -p1 -b .nm-dispatcher-dhcp
|
%patch1 -p1 -b .nm-dispatcher-dhcp
|
||||||
%patch2 -p1 -b .seccomp
|
%patch2 -p1 -b .seccomp
|
||||||
|
%patch3 -p1 -b .services
|
||||||
|
|
||||||
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
|
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
|
||||||
|
|
||||||
# review changes in packaged configuration files and scripts
|
# review changes in packaged configuration files and scripts
|
||||||
md5sum -c <<-EOF | (! grep -v 'OK$')
|
md5sum -c <<-EOF | (! grep -v 'OK$')
|
||||||
bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service
|
222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service
|
||||||
2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
|
2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
|
||||||
96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
|
96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
|
||||||
6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate
|
6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate
|
||||||
a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp
|
c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp
|
||||||
8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline
|
2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline
|
||||||
32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service
|
619dd00009ea312c7201beefde10341a examples/chronyd.service
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# don't allow packaging without vendor zone
|
# don't allow packaging without vendor zone
|
||||||
@ -105,7 +108,10 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim
|
|||||||
--with-user=chrony \
|
--with-user=chrony \
|
||||||
--with-hwclockfile=%{_sysconfdir}/adjtime \
|
--with-hwclockfile=%{_sysconfdir}/adjtime \
|
||||||
--with-pidfile=/run/chrony/chronyd.pid \
|
--with-pidfile=/run/chrony/chronyd.pid \
|
||||||
--with-sendmail=%{_sbindir}/sendmail
|
--with-sendmail=%{_sbindir}/sendmail \
|
||||||
|
--without-nettle \
|
||||||
|
--without-nss \
|
||||||
|
--without-tomcrypt
|
||||||
%make_build
|
%make_build
|
||||||
|
|
||||||
%install
|
%install
|
||||||
@ -161,8 +167,6 @@ getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
|
|||||||
:
|
:
|
||||||
|
|
||||||
%post
|
%post
|
||||||
# workaround for late reload of unit file (#1614751)
|
|
||||||
%{_bindir}/systemctl daemon-reload
|
|
||||||
# migrate from chrony-helper to sourcedir directive
|
# migrate from chrony-helper to sourcedir directive
|
||||||
if test -a %{_libexecdir}/chrony-helper; then
|
if test -a %{_libexecdir}/chrony-helper; then
|
||||||
grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \
|
grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \
|
||||||
@ -202,9 +206,14 @@ fi
|
|||||||
%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
|
%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed May 18 2022 Eduard Abdullin <eabdullin@almalinux.org> - 4.1-3.alma
|
* Tue Nov 15 2022 Eduard Abdullin <eabdullin@almalinux.org> - 4.2-1.alma
|
||||||
- use rhel ntp pool
|
- use rhel ntp pool
|
||||||
|
|
||||||
|
* Wed Mar 23 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-1
|
||||||
|
- update to 4.2 (#2051441)
|
||||||
|
- fully switch from nettle to gnutls (#1953463 #1954483)
|
||||||
|
- use NTP servers from DHCPv6 NTP server option (#2047415)
|
||||||
|
- drop obsolete workaround in scriptlet
|
||||||
* Tue Aug 10 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-3
|
* Tue Aug 10 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-3
|
||||||
- update seccomp filter for new glibc (#1990589)
|
- update seccomp filter for new glibc (#1990589)
|
||||||
- remove unnecessary build requirement
|
- remove unnecessary build requirement
|
||||||
|