import chrony-4.3-1.el9

This commit is contained in:
CentOS Sources 2023-05-09 05:36:12 +00:00 committed by Stepan Oksanichenko
parent 7377631a84
commit 6f89a4a737
8 changed files with 36 additions and 204 deletions

View File

@ -1,3 +1,3 @@
0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz
2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz
bc7884eb4fde69478a00faee3d42092d426d57c1 SOURCES/chrony-4.3.tar.gz
9c453ae65e5c1a6983cd1121410faf1ffd2d9092 SOURCES/clknetsim-f00531.tar.gz
1395afa521d2e3302a31083edcf568bbc036aafc SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc

4
.gitignore vendored
View File

@ -1,3 +1,3 @@
SOURCES/chrony-4.2.tar.gz
SOURCES/clknetsim-824c48.tar.gz
SOURCES/chrony-4.3.tar.gz
SOURCES/clknetsim-f00531.tar.gz
SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo
Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN
NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ
CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz
R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum
ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM
TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1
2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI
cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/
QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS
9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn
2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA=
=F4BS
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmMPLJAACgkQU34rdvdo
DaxDKRAAh5wfl990Q6sTPxXI92GegZYIGUxJDlCkJtemoI98g+DQbuCJ46AXsAn/
CIBTbPU3Brvq2KR1nDze/G/YOXkaqoFyaJD00H73qBI7MOMiSS4KbMQ26xLNrnHL
MCHrgZs+MHhyo6IEpesvr7F/+qyGHZifFlHT+HtCM+SBU1qooYUyQAdnhyK0rb16
j7/Jc5A28jROZB4lcRQyvB085whPj299FsB/0wJW5RjwA5tcpPH0sTozain3vvlo
64BAJXcQsyRsilcaPFlkY5zPgFiAuaEJnfTe/uMdfDO/V/g6wADt64+HhaxNPO+z
p3vzEGpio4Oi1HyYiXpDx9bMM1RLTpmKt9p1V5Y98Fn5Ymx6I7yAe1qwvA7T8eoC
hK8C27jPytiOgaWSYqPYb0WaHY3JZZpFzdtr0bAPSkEzL4EwrxVmbgTnkuzk2hxk
6MiIuDLUd9Zl1oroqv+rTd0XA8lXUcoyFhqtsMXHWdAC3yzteaPcJKzv7l9DT6xV
YadKrSBkzob9jRWRngY3FMKjTvcwnxLE8dfsNlsDNGyLNtTEOJ/QYgh6muOHh80L
MAayI8hSWPTR/3IXKlathjLIeilsrFthIZcrPq520FoS4A7E3A80vR3uKOqAIDwh
Y+6ASvEkCHAUneJqlLihqglYTNJlFnVhGw9/LV85JsmRsCZ0+j8=
=2xMP
-----END PGP SIGNATURE-----

View File

@ -1,146 +1,3 @@
commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon Feb 7 13:27:25 2022 +0100
examples: support DHCPv6 NTP servers in NM dispatcher script
Latest NetworkManager code provides NTP servers from the DHCPv6 NTP
option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher
scripts.
Check for invalid characters (which can come from the FQDN suboption)
and include the servers in the interface-specific sources file.
diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
index 6ea4c370..4454f037 100644
--- a/examples/chrony.nm-dispatcher.dhcp
+++ b/examples/chrony.nm-dispatcher.dhcp
@@ -1,8 +1,7 @@
#!/bin/sh
# This is a NetworkManager dispatcher script for chronyd to update
-# its NTP sources passed from DHCP options. Note that this script is
-# specific to NetworkManager-dispatcher due to use of the
-# DHCP4_NTP_SERVERS environment variable.
+# its NTP sources with servers from DHCP options passed by NetworkManager
+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables.
export LC_ALL=C
@@ -10,17 +9,19 @@ interface=$1
action=$2
chronyc=/usr/bin/chronyc
-default_server_options=iburst
+server_options=iburst
server_dir=/var/run/chrony-dhcp
dhcp_server_file=$server_dir/$interface.sources
-# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
-nm_dhcp_servers=$DHCP4_NTP_SERVERS
+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
add_servers_from_dhcp() {
rm -f "$dhcp_server_file"
- for server in $nm_dhcp_servers; do
- echo "server $server $default_server_options" >> "$dhcp_server_file"
+ for server in $dhcp_ntp_servers; do
+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
+ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
+
+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
done
$chronyc reload sources > /dev/null 2>&1 || :
}
@@ -34,10 +35,11 @@ clear_servers_from_dhcp() {
mkdir -p $server_dir
-if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then
- add_servers_from_dhcp
-elif [ "$action" = "down" ]; then
- clear_servers_from_dhcp
-fi
+case "$action" in
+ up|dhcp4-change|dhcp6-change)
+ add_servers_from_dhcp;;
+ down)
+ clear_servers_from_dhcp;;
+esac
exit 0
commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon Feb 7 13:27:48 2022 +0100
examples: handle more actions in NM dispatcher script
Run the chronyc onoffline command also when the connectivity-change
and dhcp6-change actions are reported by the NetworkManager dispatcher.
The latter should not be necessary, but there currently doesn't seem to
be any action for IPv6 becoming routable after duplicate address
detection, so at least in networks using DHCPv6, IPv6 NTP servers should
not be stuck in the offline state from a previously reported action.
diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline
index 34cfa0db..01e6fdb1 100644
--- a/examples/chrony.nm-dispatcher.onoffline
+++ b/examples/chrony.nm-dispatcher.onoffline
@@ -7,8 +7,18 @@ export LC_ALL=C
chronyc=/usr/bin/chronyc
-# For NetworkManager consider only up/down events
-[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
+# For NetworkManager consider only selected events
+if [ $# -ge 2 ]; then
+ case "$2" in
+ up|down|connectivity-change)
+ ;;
+ dhcp6-change)
+ # No other action is reported for routable IPv6
+ ;;
+ *)
+ exit 0;;
+ esac
+fi
# Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
commit fca8966adaaf8376536af86ba2afe02501463588
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed Mar 23 15:17:03 2022 +0100
examples: replace grep command in NM dispatcher script
Some grep implementations detect binary data and return success without
matching whole line. This might be an issue for the DHCPv6 NTP FQDN
check. The GNU grep in the C locale seems to check only for the NUL
character, which cannot be passed in an environment variable, but other
implementations might behave differently and there doesn't seem to be a
portable way to force matching the whole line.
Instead of the grep command, check for invalid characters by comparing
the length of the input passed through "tr -d -c".
diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
index 4454f037..547ce83f 100644
--- a/examples/chrony.nm-dispatcher.dhcp
+++ b/examples/chrony.nm-dispatcher.dhcp
@@ -19,7 +19,11 @@ add_servers_from_dhcp() {
rm -f "$dhcp_server_file"
for server in $dhcp_ntp_servers; do
# Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
- printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
+ len1=$(printf '%s' "$server" | wc -c)
+ len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c)
+ if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then
+ continue
+ fi
printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
done
From: Robert Fairley <rfairley@redhat.com>
Date: Wed, 17 Jun 2020 10:14:19 -0400
Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig

View File

@ -1,31 +0,0 @@
commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d
Author: Michael Hudson-Doyle <michael.hudson@canonical.com>
Date: Wed Feb 9 09:06:13 2022 +0100
sys_linux: allow rseq in seccomp filter
Libc 2.35 will use rseq syscalls [1][2] by default and thereby
break chrony in seccomp isolation.
[1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
[2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
diff --git a/sys_linux.c b/sys_linux.c
index 9cab2efa..cc3c9311 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
SCMP_SYS(getrlimit),
SCMP_SYS(getuid),
SCMP_SYS(getuid32),
+#ifdef __NR_rseq
+ SCMP_SYS(rseq),
+#endif
SCMP_SYS(rt_sigaction),
SCMP_SYS(rt_sigreturn),
SCMP_SYS(rt_sigprocmask),

2
SOURCES/chrony.sysusers Normal file
View File

@ -0,0 +1,2 @@
#Type Name ID GECOS Home directory Shell
u chrony - "chrony system user" /var/lib/chrony /sbin/nologin

View File

@ -1,5 +1,5 @@
%global _hardened_build 1
%global clknetsim_ver 824c48
%global clknetsim_ver f00531
%bcond_without debug
%bcond_without nts
@ -8,7 +8,7 @@
%endif
Name: chrony
Version: 4.2
Version: 4.3
Release: 1%{?dist}
Summary: An NTP client/server
@ -18,14 +18,13 @@ Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerel
Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt
Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
Source3: chrony.dhclient
Source4: chrony.sysusers
# simulator for test suite
Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
%{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
# add IPv6 support and distribution-specific bits to DHCP dispatcher
# add distribution-specific bits to DHCP dispatcher
Patch1: chrony-nm-dispatcher-dhcp.patch
# update seccomp filter for new glibc
Patch2: chrony-seccomp.patch
# revert some hardening options in service files
Patch3: chrony-services.patch
@ -34,8 +33,8 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2
%{?with_nts:BuildRequires: gnutls-utils}
%{?with_seccomp:BuildRequires: libseccomp-devel}
Requires(pre): shadow-utils
%{?systemd_requires}
%{?sysusers_requires_compat}
# Old NetworkManager expects the dispatcher scripts in a different place
Conflicts: NetworkManager < 1.20
@ -59,7 +58,6 @@ service to other computers in the network.
%setup -q -n %{name}-%{version}%{?prerelease} -a 10
%{?gitpatch:%patch0 -p1}
%patch1 -p1 -b .nm-dispatcher-dhcp
%patch2 -p1 -b .seccomp
%patch3 -p1 -b .services
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
@ -123,6 +121,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d}
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
mkdir -p $RPM_BUILD_ROOT%{_sysusersdir}
mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d
mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d}
@ -143,6 +142,8 @@ install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
$RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
install -m 644 -p examples/chrony-wait.service \
$RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service
install -m 644 -p %{SOURCE4} \
$RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf
cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd <<EOF
# Command-line options for chronyd
@ -161,9 +162,7 @@ export CLKNETSIM_RANDOM_SEED=24505
make quickcheck
%pre
getent group chrony > /dev/null || /usr/sbin/groupadd -r chrony
getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
-d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony
%sysusers_create_compat %{SOURCE4}
:
%post
@ -199,6 +198,7 @@ fi
%{_prefix}/lib/NetworkManager
%{_prefix}/lib/systemd/ntp-units.d/*.list
%{_unitdir}/chrony*.service
%{_sysusersdir}/chrony.conf
%{_mandir}/man[158]/%{name}*.[158]*
%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
%ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift
@ -206,6 +206,10 @@ fi
%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
%changelog
* Wed Oct 12 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.3-1
- update to 4.3 (#2133754)
- add sysusers.d fragment for chrony user/group (#2095374)
* Wed Mar 23 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-1
- update to 4.2 (#2051441)
- fully switch from nettle to gnutls (#1953463 #1954483)