From fbf1ae37c3ef66479b44e747e2b7cca7561d22ab Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 20 Nov 2024 13:37:06 +0000
Subject: [PATCH] import RHEL 10 Beta chrony-4.5-5.el10
---
 .chrony.metadata | 2 -
 .gitignore | 4 +-
 SOURCES/chrony-cmac.patch | 56 --
 SOURCES/chrony-defconfig.patch | 38 -
 SOURCES/chrony-dnssrv@.service | 8 -
 SOURCES/chrony-dnssrv@.timer | 9 -
 SOURCES/chrony-nm-dispatcher-dhcp.patch | 164 -----
 SOURCES/chrony-reload.patch | 86 ---
 SOURCES/chrony-serverstats.patch | 39 -
 SOURCES/chrony-service-helper.patch | 12 -
 SOURCES/chrony-services.patch | 81 ---
 SOURCES/chrony.helper | 285 --------
 SOURCES/ntp2chrony.py | 680 ------------------
 chrony-4.5-tar-gz-asc.txt | 16 +
 chrony-nm-dispatcher-dhcp.patch | 39 +
 SOURCES/chrony.dhclient => chrony.dhclient | 10 +-
 SPECS/chrony.spec => chrony.spec | 375 +++++++---
 chrony.sysusers | 2 +
 ...375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc | 54 ++
 sources | 2 +
 20 files changed, 378 insertions(+), 1584 deletions(-)
 delete mode 100644 .chrony.metadata
 delete mode 100644 SOURCES/chrony-cmac.patch
 delete mode 100644 SOURCES/chrony-defconfig.patch
 delete mode 100644 SOURCES/chrony-dnssrv@.service
 delete mode 100644 SOURCES/chrony-dnssrv@.timer
 delete mode 100644 SOURCES/chrony-nm-dispatcher-dhcp.patch
 delete mode 100644 SOURCES/chrony-reload.patch
 delete mode 100644 SOURCES/chrony-serverstats.patch
 delete mode 100644 SOURCES/chrony-service-helper.patch
 delete mode 100644 SOURCES/chrony-services.patch
 delete mode 100644 SOURCES/chrony.helper
 delete mode 100644 SOURCES/ntp2chrony.py
 create mode 100644 chrony-4.5-tar-gz-asc.txt
 create mode 100644 chrony-nm-dispatcher-dhcp.patch
 rename SOURCES/chrony.dhclient => chrony.dhclient (55%)
 rename SPECS/chrony.spec => chrony.spec (62%)
 create mode 100644 chrony.sysusers
 create mode 100644 gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
 create mode 100644 sources
diff --git a/.chrony.metadata b/.chrony.metadata
deleted file mode 100644
index 59f2c95..0000000
--- a/.chrony.metadata
+++ /dev/null
@@ -1,2 +0,0 @@
-4661e5df181a9761b73caeaef2f2ab755bbe086a SOURCES/chrony-4.5.tar.gz
-e021461c23fe4e5c46fd53c449587d8f6cc217ae SOURCES/clknetsim-5d1dc0.tar.gz
diff --git a/.gitignore b/.gitignore
index 55ba819..ccbfe6c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/chrony-4.5.tar.gz
-SOURCES/clknetsim-5d1dc0.tar.gz
\ No newline at end of file
+chrony-4.5.tar.gz
+clknetsim-5d1dc0.tar.gz
diff --git a/SOURCES/chrony-cmac.patch b/SOURCES/chrony-cmac.patch
deleted file mode 100644
index b8884d3..0000000
--- a/SOURCES/chrony-cmac.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-commit 8eb5dd54efd13aa0209aea38dbad2a7904377f75
-Author: Miroslav Lichvar
-Date: Tue Sep 17 13:00:43 2024 +0200
-
- configure: enable AES-CMAC using gnutls
-
- Allow gnutls to be used for AES-CMAC when nettle doesn't support it
- without switching also hashing.
-
-diff --git a/configure b/configure
-index eefe5de8..0fb3aa38 100755
---- a/configure
-+++ b/configure
-@@ -937,14 +937,26 @@ if [ $feat_sechash = "1" ] && [ "x$HASH_LINK" = "x" ] && [ $try_gnutls = "1" ];
- HASH_LINK="$test_link"
- MYCPPFLAGS="$MYCPPFLAGS $test_cflags"
- add_def FEAT_SECHASH
-+ fi
-+fi
- 
-- if test_code 'CMAC in gnutls' 'gnutls/crypto.h' "$test_cflags" "$test_link" \
-- 'return gnutls_hmac_init((void *)1, GNUTLS_MAC_AES_CMAC_128, (void *)2, 0);'
-- then
-- add_def HAVE_CMAC
-- EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_gnutls.o"
-- EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_gnutls.o"
-- fi
-+if [ $feat_sechash = "1" ] && [ $try_gnutls = "1" ] &&
-+ ! grep '#define HAVE_CMAC' config.h > /dev/null; then
-+ if [ "$HASH_OBJ" = "hash_gnutls.o" ]; then
-+ test_cflags=""
-+ test_link=""
-+ else
-+ test_cflags="`pkg_config --cflags gnutls`"
-+ test_link="`pkg_config --libs gnutls`"
-+ fi
-+ if test_code 'CMAC in gnutls' 'gnutls/crypto.h' "$test_cflags" "$test_link" \
-+ 'return gnutls_hmac_init((void *)1, GNUTLS_MAC_AES_CMAC_128, (void *)2, 0);'
-+ then
-+ add_def HAVE_CMAC
-+ EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_gnutls.o"
-+ EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_gnutls.o"
-+ LIBS="$LIBS $test_link"
-+ MYCPPFLAGS="$MYCPPFLAGS $test_cflags"
- fi
- fi
- 
-@@ -978,7 +990,7 @@ EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS $HASH_OBJ"
- LIBS="$LIBS $HASH_LINK"
- 
- if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ]; then
-- if [ "$HASH_OBJ" = "hash_gnutls.o" ]; then
-+ if echo "$HASH_OBJ $EXTRA_OBJECTS" | grep "_gnutls\.o" > /dev/null; then
- test_cflags=""
- test_link=""
- else
diff --git a/SOURCES/chrony-defconfig.patch b/SOURCES/chrony-defconfig.patch
deleted file mode 100644
index 24f3123..0000000
--- a/SOURCES/chrony-defconfig.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up chrony-4.1/examples/chrony.conf.example2.defconfig chrony-4.1/examples/chrony.conf.example2
---- chrony-4.1/examples/chrony.conf.example2.defconfig 2021-05-12 13:06:15.000000000 +0200
-+++ chrony-4.1/examples/chrony.conf.example2 2019-05-10 12:22:57.000000000 +0200
-@@ -1,5 +1,5 @@
- # Use public servers from the pool.ntp.org project.
--# Please consider joining the pool (https://www.pool.ntp.org/join.html).
-+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
- pool pool.ntp.org iburst
- 
- # Record the rate at which the system clock gains/losses time.
-@@ -25,18 +25,9 @@ rtcsync
- # Serve time even if not synchronized to a time source.
- #local stratum 10
- 
--# Require authentication (nts or key option) for all NTP sources.
--#authselectmode require
--
- # Specify file containing keys for NTP authentication.
- #keyfile /etc/chrony.keys
- 
--# Save NTS keys and cookies.
--ntsdumpdir /var/lib/chrony
--
--# Insert/delete leap seconds by slewing instead of stepping.
--#leapsecmode slew
--
- # Get TAI-UTC offset and leap seconds from the system tz database.
- #leapsectz right/UTC
- 
-diff -up chrony-4.5/examples/chrony.keys.example.keys chrony-4.5/examples/chrony.keys.example
---- chrony-4.5/examples/chrony.keys.example.keys 2023-12-05 14:22:10.000000000 +0100
-+++ chrony-4.5/examples/chrony.keys.example 2023-12-06 09:59:26.089508934 +0100
-@@ -11,5 +11,3 @@
- #1 MD5 AVeryLongAndRandomPassword
- #2 MD5 HEX:12114855C7931009B4049EF3EFC48A139C3F989F
- #3 SHA1 HEX:B2159C05D6A219673A3B7E896B6DE07F6A440995
--#4 AES128 HEX:2DA837C4B6573748CA692B8C828E4891
--#5 AES256 HEX:2666B8099BFF2D5BA20876121788ED24D2BE59111B8FFB562F0F56AE6EC7246E
diff --git a/SOURCES/chrony-dnssrv@.service b/SOURCES/chrony-dnssrv@.service
deleted file mode 100644
index 139ed28..0000000
--- a/SOURCES/chrony-dnssrv@.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=DNS SRV lookup of %I for chrony
-After=chronyd.service network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/libexec/chrony-helper update-dnssrv-servers %I
diff --git a/SOURCES/chrony-dnssrv@.timer b/SOURCES/chrony-dnssrv@.timer
deleted file mode 100644
index 8495e01..0000000
--- a/SOURCES/chrony-dnssrv@.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Periodic DNS SRV lookup of %I for chrony
-
-[Timer]
-OnActiveSec=0
-OnUnitInactiveSec=1h
-
-[Install]
-WantedBy=timers.target
diff --git a/SOURCES/chrony-nm-dispatcher-dhcp.patch b/SOURCES/chrony-nm-dispatcher-dhcp.patch
deleted file mode 100644
index f2381a5..0000000
--- a/SOURCES/chrony-nm-dispatcher-dhcp.patch
+++ /dev/null
@@ -1,164 +0,0 @@ -First, revert upstream changes since 4.2 - -diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp -index 547ce83f..6ea4c370 100644 ---- a/examples/chrony.nm-dispatcher.dhcp -+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -1,7 +1,8 @@ - #!/bin/sh - # This is a NetworkManager dispatcher script for chronyd to update --# its NTP sources with servers from DHCP options passed by NetworkManager --# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables. -+# its NTP sources passed from DHCP options. Note that this script is -+# specific to NetworkManager-dispatcher due to use of the -+# DHCP4_NTP_SERVERS environment variable. - - export LC_ALL=C - -@@ -9,23 +10,17 @@ interface=$1 - action=$2 - - chronyc=/usr/bin/chronyc --server_options=iburst -+default_server_options=iburst - server_dir=/var/run/chrony-dhcp - - dhcp_server_file=$server_dir/$interface.sources --dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" -+# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. 
-+nm_dhcp_servers=$DHCP4_NTP_SERVERS - - add_servers_from_dhcp() { - rm -f "$dhcp_server_file" -- for server in $dhcp_ntp_servers; do -- # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) -- len1=$(printf '%s' "$server" | wc -c) -- len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c) -- if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then -- continue -- fi -- -- printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" -+ for server in $nm_dhcp_servers; do -+ echo "server $server $default_server_options" >> "$dhcp_server_file" - done - $chronyc reload sources > /dev/null 2>&1 || : - } -@@ -39,11 +34,10 @@ clear_servers_from_dhcp() { - - mkdir -p $server_dir - --case "$action" in -- up|dhcp4-change|dhcp6-change) -- add_servers_from_dhcp;; -- down) -- clear_servers_from_dhcp;; --esac -+if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then -+ add_servers_from_dhcp -+elif [ "$action" = "down" ]; then -+ clear_servers_from_dhcp -+fi - - exit 0 - -From: Robert Fairley -Date: Wed, 17 Jun 2020 10:14:19 -0400 -Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig - -Use the PEERNTP and NTPSERVERARGS environment variables from -/etc/sysconfig/network{-scripts}. - -Co-Authored-By: Christian Glombek - -diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp -index 6ea4c37..a6ad35a 100644 ---- a/examples/chrony.nm-dispatcher.dhcp -+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -6,16 +6,24 @@ - - chronyc=/usr/bin/chronyc - default_server_options=iburst --server_dir=/var/run/chrony-dhcp -+server_dir=/run/chrony-dhcp - - dhcp_server_file=$server_dir/$interface.sources - # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. - nm_dhcp_servers=$DHCP4_NTP_SERVERS - -+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network -+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \ -+ . 
/etc/sysconfig/network-scripts/ifcfg-"${interface}" -+ - add_servers_from_dhcp() { - rm -f "$dhcp_server_file" -+ -+ # Don't add NTP servers if PEERNTP=no specified; return early. -+ [ "$PEERNTP" = "no" ] && return -+ - for server in $nm_dhcp_servers; do -- echo "server $server $default_server_options" >> "$dhcp_server_file" -+ echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file" - done - $chronyc reload sources > /dev/null 2>&1 || : - } --- -2.29.2 - -Use chrony-helper instead of chronyc to avoid changes in default chrony.conf - -diff -up chrony-4.1/examples/chrony.nm-dispatcher.dhcp.nm-dispatcher-dhcp chrony-4.1/examples/chrony.nm-dispatcher.dhcp ---- chrony-4.1/examples/chrony.nm-dispatcher.dhcp.nm-dispatcher-dhcp 2021-06-09 11:10:30.997416152 +0200 -+++ chrony-4.1/examples/chrony.nm-dispatcher.dhcp 2021-06-09 11:16:23.598381336 +0200 -@@ -9,11 +9,12 @@ export LC_ALL=C - interface=$1 - action=$2 - --chronyc=/usr/bin/chronyc -+helper=/usr/libexec/chrony-helper - default_server_options=iburst --server_dir=/run/chrony-dhcp -+server_dir=/run/chrony-helper - --dhcp_server_file=$server_dir/$interface.sources -+dhcp_server_tmpfile=$server_dir/tmp-nm-dhcp.$interface -+dhcp_server_file=$server_dir/nm-dhcp.$interface - # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. - nm_dhcp_servers=$DHCP4_NTP_SERVERS - -@@ -24,24 +24,30 @@ nm_dhcp_servers=$DHCP4_NTP_SERVERS - add_servers_from_dhcp() { - rm -f "$dhcp_server_file" - -+ # Remove servers saved by the dhclient script before it detected NM. -+ rm -f "/var/lib/dhclient/chrony.servers.$interface" -+ - # Don't add NTP servers if PEERNTP=no specified; return early. - [ "$PEERNTP" = "no" ] && return - -+ # Create the directory with correct SELinux context. 
-+ $helper create-helper-directory > /dev/null 2>&1 -+ - for server in $nm_dhcp_servers; do -- echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file" -+ echo "$server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_tmpfile" - done -+ [ -e "$dhcp_server_tmpfile" ] && mv "$dhcp_server_tmpfile" "$dhcp_server_file" -- $chronyc reload sources > /dev/null 2>&1 || : -+ -+ $helper update-daemon > /dev/null 2>&1 || : - } - - clear_servers_from_dhcp() { - if [ -f "$dhcp_server_file" ]; then - rm -f "$dhcp_server_file" -- $chronyc reload sources > /dev/null 2>&1 || : -+ $helper update-daemon > /dev/null 2>&1 || : - fi - } - --mkdir -p $server_dir -- - if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then - add_servers_from_dhcp - elif [ "$action" = "down" ]; then diff --git a/SOURCES/chrony-reload.patch b/SOURCES/chrony-reload.patch deleted file mode 100644 index b8ac742..0000000 --- a/SOURCES/chrony-reload.patch +++ /dev/null 
@@ -1,86 +0,0 @@
-commit f49be7f06343ee27fff2950937d7f6742f53976f
-Author: Miroslav Lichvar
-Date: Tue Mar 12 14:30:27 2024 +0100
-
- conf: don't load sourcedir during initstepslew and RTC init
-
- If the reload sources command was received in the chronyd start-up
- sequence with initstepslew and/or RTC init (-s option), the sources
- loaded from sourcedirs caused a crash due to failed assertion after
- adding sources specified in the config.
-
- Ignore the reload sources command until chronyd enters the normal
- operation mode.
-
- Fixes: 519796de3756 ("conf: add sourcedirs directive")
-
-diff --git a/conf.c b/conf.c
-index 6eae11c9..8849bdce 100644
---- a/conf.c
-+++ b/conf.c
-@@ -298,6 +298,8 @@ static ARR_Instance ntp_sources;
- static ARR_Instance ntp_source_dirs;
- /* Array of uint32_t corresponding to ntp_sources (for sourcedirs reload) */
- static ARR_Instance ntp_source_ids;
-+/* Flag indicating ntp_sources and ntp_source_ids are used for sourcedirs */
-+static int conf_ntp_sources_added = 0;
- 
- /* Array of RefclockParameters */
- static ARR_Instance refclock_sources;
-@@ -1689,8 +1691,12 @@ reload_source_dirs(void)
- NSR_Status s;
- int d, pass;
- 
-+ /* Ignore reload command before adding configured sources */
-+ if (!conf_ntp_sources_added)
-+ return;
-+
- prev_size = ARR_GetSize(ntp_source_ids);
-- if (prev_size > 0 && ARR_GetSize(ntp_sources) != prev_size)
-+ if (ARR_GetSize(ntp_sources) != prev_size)
- assert(0);
- 
- /* Save the current sources and their configuration IDs */
-@@ -1859,7 +1865,10 @@ CNF_AddSources(void)
- Free(source->params.name);
- }
- 
-+ /* The arrays will be used for sourcedir (re)loading */
- ARR_SetSize(ntp_sources, 0);
-+ ARR_SetSize(ntp_source_ids, 0);
-+ conf_ntp_sources_added = 1;
- 
- reload_source_dirs();
- }
-diff --git a/test/simulation/203-initreload b/test/simulation/203-initreload
-new file mode 100755
-index 00000000..cf7924b8
---- /dev/null
-+++ b/test/simulation/203-initreload
-@@ -0,0 +1,26 @@
-+#!/usr/bin/env bash
-+
-+. ./test.common
-+
-+check_config_h 'FEAT_CMDMON 1' || test_skip
-+
-+# Test fix "conf: don't load sourcedir during initstepslew and RTC init"
-+
-+test_start "reload during initstepslew"
-+
-+client_conf="initstepslew 5 192.168.123.1
-+sourcedir tmp"
-+client_server_conf="#"
-+chronyc_conf="reload sources"
-+chronyc_start=4
-+
-+echo 'server 192.168.123.1' > tmp/sources.sources
-+
-+run_test || test_fail
-+check_chronyd_exit || test_fail
-+check_source_selection || test_fail
-+check_sync || test_fail
-+
-+check_log_messages "Added source 192\.168\.123\.1" 1 1 || test_fail
-+
-+test_pass
diff --git a/SOURCES/chrony-serverstats.patch b/SOURCES/chrony-serverstats.patch
deleted file mode 100644
index a5131fe..0000000
--- a/SOURCES/chrony-serverstats.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-commit e11b518a1ffa704986fb1f1835c425844ba248ef
-Author: Miroslav Lichvar
-Date: Mon Jan 8 11:35:56 2024 +0100
-
- ntp: fix authenticated requests in serverstats
-
- Fix the CLG_UpdateNtpStats() call to count requests passing the
- authentication check instead of requests triggering a KoD response
- (i.e. NTS NAK).
-
-diff --git a/ntp_core.c b/ntp_core.c
-index 023e60b2..35801744 100644
---- a/ntp_core.c
-+++ b/ntp_core.c
-@@ -2736,7 +2736,7 @@ NCR_ProcessRxUnknown(NTP_Remote_Address *remote_addr, NTP_Local_Address *local_a
- CLG_DisableNtpTimestamps(&ntp_rx);
- }
- 
-- CLG_UpdateNtpStats(kod != 0 && info.auth.mode != NTP_AUTH_NONE &&
-+ CLG_UpdateNtpStats(kod == 0 && info.auth.mode != NTP_AUTH_NONE &&
- info.auth.mode != NTP_AUTH_MSSNTP,
- rx_ts->source, interleaved ? tx_ts->source : NTP_TS_DAEMON);
- 
-diff --git a/test/system/010-nts b/test/system/010-nts
-index 8d92bbc8..b215efa3 100755
---- a/test/system/010-nts
-+++ b/test/system/010-nts
-@@ -45,6 +45,11 @@ check_chronyc_output "^Name/IP address Mode KeyID Type KLen Last Atm
- =========================================================================
- 127\.0\.0\.1 NTS 1 (30|15) (128|256) [0-9] 0 0 [78] ( 64|100)$" || test_fail
- 
-+run_chronyc "serverstats" || test_fail
-+check_chronyc_output "NTS-KE connections accepted: 1
-+NTS-KE connections dropped : 0
-+Authenticated NTP packets : [1-9][0-9]*" || test_fail
-+
- stop_chronyd || test_fail
- check_chronyd_messages || test_fail
- check_chronyd_files || test_fail
diff --git a/SOURCES/chrony-service-helper.patch b/SOURCES/chrony-service-helper.patch
deleted file mode 100644
index 5b7f8d3..0000000
--- a/SOURCES/chrony-service-helper.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up chrony-4.1/examples/chronyd.service.service-helper chrony-4.1/examples/chronyd.service
---- chrony-4.1/examples/chronyd.service.service-helper 2021-05-12 13:06:15.000000000 +0200
-+++ chrony-4.1/examples/chronyd.service 2021-06-15 09:01:56.948968576 +0200
-@@ -10,6 +10,8 @@ Type=forking
- PIDFile=/run/chrony/chronyd.pid
- EnvironmentFile=-/etc/sysconfig/chronyd
- ExecStart=/usr/sbin/chronyd $OPTIONS
-+ExecStartPost=/usr/libexec/chrony-helper update-daemon
-+ExecStopPost=/usr/libexec/chrony-helper remove-daemon-state
- PrivateTmp=yes
- ProtectHome=yes
- ProtectSystem=full
diff --git a/SOURCES/chrony-services.patch b/SOURCES/chrony-services.patch
deleted file mode 100644
index 77a3c22..0000000
--- a/SOURCES/chrony-services.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
-index 72b028f2..b3aa7aa2 100644
---- a/examples/chrony-wait.service
-+++ b/examples/chrony-wait.service
-@@ -16,31 +16,5 @@ TimeoutStartSec=180
- RemainAfterExit=yes
- StandardOutput=null
- 
--CapabilityBoundingSet=
--DevicePolicy=closed
--DynamicUser=yes
--IPAddressAllow=localhost
--IPAddressDeny=any
--LockPersonality=yes
--MemoryDenyWriteExecute=yes
--PrivateDevices=yes
--PrivateUsers=yes
--ProtectClock=yes
--ProtectControlGroups=yes
--ProtectHome=yes
--ProtectHostname=yes
--ProtectKernelLogs=yes
--ProtectKernelModules=yes
--ProtectKernelTunables=yes
--ProtectProc=invisible
--ProtectSystem=strict
--RestrictAddressFamilies=AF_INET AF_INET6
--RestrictNamespaces=yes
--RestrictRealtime=yes
--SystemCallArchitectures=native
--SystemCallFilter=@system-service
--SystemCallFilter=~@privileged @resources
--UMask=0777
--
- [Install]
- WantedBy=multi-user.target
-diff --git a/examples/chronyd.service b/examples/chronyd.service
-index 4fb930ef..289548cb 100644
---- a/examples/chronyd.service
-+++ b/examples/chronyd.service
-@@ -10,39 +10,9 @@ Type=forking
- PIDFile=/run/chrony/chronyd.pid
- EnvironmentFile=-/etc/sysconfig/chronyd
- ExecStart=/usr/sbin/chronyd $OPTIONS
--
--CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
--CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
--CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
--CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
--CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
--DeviceAllow=char-pps rw
--DeviceAllow=char-ptp rw
--DeviceAllow=char-rtc rw
--DevicePolicy=closed
--LockPersonality=yes
--MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateTmp=yes
--ProtectControlGroups=yes
- ProtectHome=yes
--ProtectHostname=yes
--ProtectKernelLogs=yes
--ProtectKernelModules=yes
--ProtectKernelTunables=yes
--ProtectProc=invisible
--ProtectSystem=strict
--ReadWritePaths=/run /var/lib/chrony -/var/log
--RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
--RestrictNamespaces=yes
--RestrictSUIDSGID=yes
--SystemCallArchitectures=native
--SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
--
--# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
--NoNewPrivileges=no
--ReadWritePaths=-/var/spool
--RestrictAddressFamilies=AF_NETLINK
-+ProtectSystem=full
- 
- [Install]
- WantedBy=multi-user.target
diff --git a/SOURCES/chrony.helper b/SOURCES/chrony.helper
deleted file mode 100644
index b9797d6..0000000
--- a/SOURCES/chrony.helper
+++ /dev/null
@@ -1,285 +0,0 @@ -#!/bin/bash -# This script configures running chronyd to use NTP servers obtained from -# DHCP and _ntp._udp DNS SRV records. Files with servers from DHCP are managed -# externally (e.g. by a dhclient script). Files with servers from DNS SRV -# records are updated here using the dig utility. The script can also list -# and set static sources in the chronyd configuration file. - -chronyc=/usr/bin/chronyc -chrony_conf=/etc/chrony.conf -chrony_service=chronyd.service -helper_dir=/run/chrony-helper -added_servers_file=$helper_dir/added_servers - -network_sysconfig_file=/etc/sysconfig/network -nm_servers_files="$helper_dir/nm-dhcp.*" -dhclient_servers_files="/var/lib/dhclient/chrony.servers.*" -dnssrv_servers_files="$helper_dir/dnssrv@*" -dnssrv_timer_prefix=chrony-dnssrv@ - -. $network_sysconfig_file &> /dev/null - -chrony_command() { - $chronyc -n -m "$@" -} - -is_running() { - chrony_command "tracking" &> /dev/null -} - -get_servers_files() { - [ "$PEERNTP" != "no" ] && echo "$nm_servers_files" - [ "$PEERNTP" != "no" ] && echo "$dhclient_servers_files" - echo "$dnssrv_servers_files" -} - -is_update_needed() { - for file in $(get_servers_files) $added_servers_file; do - [ -e "$file" ] && return 0 - done - return 1 -} - -remove_daemon_state() { - rm -f $added_servers_file -} - -update_daemon() { - local all_servers_with_args all_servers added_servers - - if ! 
is_running; then - remove_daemon_state - return 0 - fi - - all_servers_with_args=$(cat $(get_servers_files) 2> /dev/null) - - all_servers=$( - echo "$all_servers_with_args" | - while read -r server serverargs; do - echo "$server" - done | sort -u) - added_servers=$( ( - cat $added_servers_file 2> /dev/null - echo "$all_servers_with_args" | - while read -r server serverargs; do - [ -z "$server" ] && continue - chrony_command "add server $server $serverargs" &> /dev/null && - echo "$server" - done) | sort -u) - - comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") | - while read -r server; do - chrony_command -c sources -a 2>/dev/null | - while IFS=, read -r type _ address _; do - [ "$type" = "^" ] || continue - [ "$(chrony_command "sourcename $address")" = "$server" ] || continue - chrony_command "delete $address" &> /dev/null - break - done - done - - added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers")) - - if [ -n "$added_servers" ]; then - echo "$added_servers" > $added_servers_file - else - rm -f $added_servers_file - fi -} - -get_dnssrv_servers() { - local name=$1 output - - if ! 
command -v dig &> /dev/null; then - echo "Missing dig (DNS lookup utility)" >&2 - return 1 - fi - - output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null) || return 0 - - echo "$output" | while read -r _ _ port target; do - server=${target%.} - [ -z "$server" ] && continue - echo "$server port $port ${NTPSERVERARGS:-iburst}" - done -} - -check_dnssrv_name() { - local name=$1 - - if [ -z "$name" ]; then - echo "No DNS SRV name specified" >&2 - return 1 - fi - - if [ "${name:0:9}" != _ntp._udp ]; then - echo "DNS SRV name $name doesn't start with _ntp._udp" >&2 - return 1 - fi -} - -update_dnssrv_servers() { - local name=$1 - local srv_file=$helper_dir/dnssrv@$name servers - - check_dnssrv_name "$name" || return 1 - - servers=$(get_dnssrv_servers "$name") - if [ -n "$servers" ]; then - echo "$servers" > "$srv_file" - else - rm -f "$srv_file" - fi -} - -set_dnssrv_timer() { - local state=$1 name=$2 - local srv_file=$helper_dir/dnssrv@$name servers - local timer - - timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer || return 1 - - check_dnssrv_name "$name" || return 1 - - if [ "$state" = enable ]; then - systemctl enable "$timer" - systemctl start "$timer" - elif [ "$state" = disable ]; then - systemctl stop "$timer" - systemctl disable "$timer" - rm -f "$srv_file" - fi -} - -list_dnssrv_timers() { - systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \ - sed "s|^$dnssrv_timer_prefix\(.*\)\.timer.*|\1|" | - while read -r name; do - systemd-escape --unescape "$name" - done -} - -prepare_helper_dir() { - mkdir -p $helper_dir - exec 100> $helper_dir/lock - if ! 
flock -w 20 100; then - echo "Failed to lock $helper_dir" >&2 - return 1 - fi -} - -is_source_line() { - local pattern="^[ \t]*(server|pool|peer|refclock)[ \t]+[^ \t]+" - [[ "$1" =~ $pattern ]] -} - -list_static_sources() { - while read -r line; do - if is_source_line "$line"; then - echo "$line" - fi - done < $chrony_conf -} - -set_static_sources() { - local new_config tmp_conf - - new_config=$( - sources=$( - while read -r line; do - is_source_line "$line" && echo "$line" - done) - - while read -r line; do - if ! is_source_line "$line"; then - echo "$line" - continue - fi - - tmp_sources=$( - local removed=0 - - echo "$sources" | while read -r line2; do - if [ "$removed" -ne 0 ] || [ "$line" != "$line2" ]; then - echo "$line2" - else - removed=1 - fi - done) - - [ "$sources" == "$tmp_sources" ] && continue - sources=$tmp_sources - echo "$line" - done < $chrony_conf - - echo "$sources" - ) - - tmp_conf=${chrony_conf}.tmp - - cp -a $chrony_conf $tmp_conf && - echo "$new_config" > $tmp_conf && - mv $tmp_conf $chrony_conf || return 1 - - systemctl try-restart $chrony_service -} - -print_help() { - echo "Usage: $0 COMMAND" - echo - echo "Commands:" - echo " create-helper-directory" - echo " update-daemon" - echo " remove-daemon-state" - echo " update-dnssrv-servers NAME" - echo " enable-dnssrv NAME" - echo " disable-dnssrv NAME" - echo " list-dnssrv" - echo " list-static-sources" - echo " set-static-sources < sources.list" - echo " is-running" - echo " command CHRONYC-COMMAND" -} - -case "$1" in - create-helper-directory) - prepare_helper_dir - ;; - update-daemon|add-dhclient-servers|remove-dhclient-servers) - is_update_needed || exit 0 - prepare_helper_dir && update_daemon - ;; - remove-daemon-state) - remove_daemon_state - ;; - update-dnssrv-servers) - prepare_helper_dir && update_dnssrv_servers "$2" && update_daemon - ;; - enable-dnssrv) - set_dnssrv_timer enable "$2" - ;; - disable-dnssrv) - set_dnssrv_timer disable "$2" && prepare_helper_dir && update_daemon - ;; 
- list-dnssrv) - list_dnssrv_timers - ;; - list-static-sources) - list_static_sources - ;; - set-static-sources) - set_static_sources - ;; - is-running) - is_running - ;; - command|forced-command) - chrony_command "$2" - ;; - *) - print_help - exit 2 -esac - -exit $? diff --git a/SOURCES/ntp2chrony.py b/SOURCES/ntp2chrony.py deleted file mode 100644 index 48efe32..0000000 --- a/SOURCES/ntp2chrony.py +++ /dev/null 
@@ -1,680 +0,0 @@ -#!/usr/bin/python3 -# -# Convert ntp configuration to chrony -# -# Copyright (C) 2018-2019 Miroslav Lichvar -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and associated documentation files (the -# "Software"), to deal in the Software without restriction, including -# without limitation the rights to use, copy, modify, merge, publish, -# distribute, sublicense, and/or sell copies of the Software, and to -# permit persons to whom the Software is furnished to do so, subject to -# the following conditions: -# -# The above copyright notice and this permission notice shall be included -# in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY -# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, -# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- - -import argparse -import ipaddress -import logging -import os -import re -import subprocess -import sys - -# python2 compatibility hacks -if sys.version_info[0] < 3: - from io import open - reload(sys) - sys.setdefaultencoding("utf-8") - - -class NtpConfiguration(object): - def __init__(self, root_dir, ntp_conf, step_tickers): - self.root_dir = root_dir if root_dir != "/" else "" - self.ntp_conf_path = ntp_conf - self.step_tickers_path = step_tickers - - # Read and write files using an 8-bit transparent encoding - self.file_encoding = "latin-1" - self.enabled_services = set() - self.step_tickers = [] - self.time_sources = [] - self.fudges = {} - self.restrictions = { - # Built-in defaults - ipaddress.ip_network(u"0.0.0.0/0"): set(), - ipaddress.ip_network(u"::/0"): set(), - } - self.keyfile = "" - self.keys = [] - self.trusted_keys = [] - self.driftfile = "" - self.statistics = [] - self.leapfile = "" - self.tos_options = {} - self.ignored_directives = set() - self.ignored_lines = [] - - # self.detect_enabled_services() - self.parse_step_tickers() - self.parse_ntp_conf() - - def detect_enabled_services(self): - for service in ["ntpdate", "ntpd", "ntp-wait"]: - service_path = os.path.join(self.root_dir, - "etc/systemd/system/multi-user.target.wants/{}.service".format(service)) - if os.path.islink(service_path): - self.enabled_services.add(service) - logging.info("Enabled services found in /etc/systemd/system: %s", - " ".join(self.enabled_services)) - - def parse_step_tickers(self): - if not self.step_tickers_path: - return - - path = os.path.join(self.root_dir, self.step_tickers_path) - if not os.path.isfile(path): - logging.info("Missing %s", path) - return - - with open(path, encoding=self.file_encoding) as f: - for line in f: - line = line[:line.find('#')] - - words = line.split() - - if not words: - continue - - self.step_tickers.extend(words) - - def parse_ntp_conf(self, path=None): - if path is None: - path = os.path.join(self.root_dir, self.ntp_conf_path) 
- - with open(path, encoding=self.file_encoding) as f: - logging.info("Reading %s", path) - - for line in f: - line = line[:line.find('#')] - - words = line.split() - - if not words: - continue - - if not self.parse_directive(words): - self.ignored_lines.append(line) - - def parse_directive(self, words): - name = words.pop(0) - if name.startswith("logconfig"): - name = "logconfig" - - if words: - if name in ["server", "peer", "pool"]: - return self.parse_source(name, words) - elif name == "fudge": - return self.parse_fudge(words) - elif name == "restrict": - return self.parse_restrict(words) - elif name == "tos": - return self.parse_tos(words) - elif name == "includefile": - return self.parse_includefile(words) - elif name == "keys": - return self.parse_keys(words) - elif name == "trustedkey": - return self.parse_trustedkey(words) - elif name == "driftfile": - self.driftfile = words[0] - elif name == "statistics": - self.statistics = words - elif name == "leapfile": - self.leapfile = words[0] - else: - self.ignored_directives.add(name) - return False - else: - self.ignored_directives.add(name) - return False - - return True - - def parse_source(self, source_type, words): - ipv4_only = False - ipv6_only = False - source = { - "type": source_type, - "options": [] - } - - if words[0] == "-4": - ipv4_only = True - words.pop(0) - elif words[0] == "-6": - ipv6_only = True - words.pop(0) - - if not words: - return False - - source["address"] = words.pop(0) - - # Check if -4/-6 corresponds to the address and ignore hostnames - if ipv4_only or ipv6_only: - try: - version = ipaddress.ip_address(source["address"]).version - if (ipv4_only and version != 4) or (ipv6_only and version != 6): - return False - except ValueError: - return False - - if source["address"].startswith("127.127."): - if not source["address"].startswith("127.127.1."): - # Ignore non-LOCAL refclocks - return False - - while words: - if len(words) >= 2 and words[0] in ["minpoll", "maxpoll", "version", 
"key"]: - source["options"].append((words[0], words[1])) - words = words[2:] - elif words[0] in ["burst", "iburst", "noselect", "prefer", "true", "xleave"]: - source["options"].append((words[0],)) - words.pop(0) - else: - return False - - self.time_sources.append(source) - return True - - def parse_fudge(self, words): - address = words.pop(0) - options = {} - - while words: - if len(words) >= 2 and words[0] in ["stratum"]: - if not words[1].isdigit(): - return False - options[words[0]] = int(words[1]) - words = words[2:] - elif len(words) >= 2: - words = words[2:] - else: - return False - - self.fudges[address] = options - return True - - def parse_restrict(self, words): - ipv4_only = False - ipv6_only = False - flags = set() - mask = "" - - if words[0] == "-4": - ipv4_only = True - words.pop(0) - elif words[0] == "-6": - ipv6_only = True - words.pop(0) - - if not words: - return False - - address = words.pop(0) - - while words: - if len(words) >= 2 and words[0] == "mask": - mask = words[1] - words = words[2:] - else: - if words[0] not in ["kod", "nomodify", "notrap", "nopeer", "noquery", - "limited", "ignore", "noserve"]: - return False - flags.add(words[0]) - words.pop(0) - - # Convert to IP network(s), ignoring restrictions with hostnames - networks = [] - if address == "default" and not mask: - if not ipv6_only: - networks.append(ipaddress.ip_network(u"0.0.0.0/0")) - if not ipv4_only: - networks.append(ipaddress.ip_network(u"::/0")) - else: - try: - if mask: - # Count bits in the mask (ipaddress does not support - # expanded IPv6 netmasks) - mask_ip = ipaddress.ip_address(mask) - mask_str = "{0:0{1}b}".format(int(mask_ip), mask_ip.max_prefixlen) - networks.append(ipaddress.ip_network( - u"{}/{}".format(address, len(mask_str.rstrip('0'))))) - else: - networks.append(ipaddress.ip_network(address)) - except ValueError: - return False - - if (ipv4_only and networks[-1].version != 4) or \ - (ipv6_only and networks[-1].version != 6): - return False - - for network in 
networks: - self.restrictions[network] = flags - - return True - - def parse_tos(self, words): - options = {} - while words: - if len(words) >= 2 and words[0] in ["minsane", "orphan"]: - if not words[1].isdigit(): - return False - options[words[0]] = int(words[1]) - words = words[2:] - elif len(words) >= 2 and words[0] in ["maxdist"]: - # Check if it is a float value - if not words[1].replace('.', '', 1).isdigit(): - return False - options[words[0]] = float(words[1]) - words = words[2:] - else: - return False - - self.tos_options.update(options) - - return True - - def parse_includefile(self, words): - path = os.path.join(self.root_dir, words[0]) - if not os.path.isfile(path): - return False - - self.parse_ntp_conf(path) - return True - - def parse_keys(self, words): - keyfile = words[0] - path = os.path.join(self.root_dir, keyfile) - if not os.path.isfile(path): - logging.info("Missing %s", path) - return False - - with open(path, encoding=self.file_encoding) as f: - logging.info("Reading %s", path) - keys = [] - for line in f: - words = line.split() - if len(words) < 3 or not words[0].isdigit(): - continue - keys.append((int(words[0]), words[1], words[2])) - - self.keyfile = keyfile - self.keys = keys - - return True - - def parse_trustedkey(self, words): - key_ranges = [] - for word in words: - if word.isdigit(): - key_ranges.append((int(word), int(word))) - elif re.match("^[0-9]+-[0-9]+$", word): - first, last = word.split("-") - key_ranges.append((int(first), int(last))) - else: - return False - - self.trusted_keys = key_ranges - return True - - def write_chrony_configuration(self, chrony_conf_path, chrony_keys_path, - dry_run=False, backup=False): - chrony_conf = self.get_chrony_conf(chrony_keys_path) - logging.debug("Generated %s:\n%s", chrony_conf_path, chrony_conf) - - if not dry_run: - self.write_file(chrony_conf_path, 0o644, chrony_conf, backup) - - chrony_keys = self.get_chrony_keys() - if chrony_keys: - logging.debug("Generated %s:\n%s", 
chrony_keys_path, chrony_keys) - - if not dry_run: - self.write_file(chrony_keys_path, 0o640, chrony_keys, backup) - - def get_processed_time_sources(self): - # Convert {0,1,2,3}.*pool.ntp.org servers to 2.*pool.ntp.org pools - - # Make shallow copies of all sources (only type will be modified) - time_sources = [s.copy() for s in self.time_sources] - - pools = {} - for source in time_sources: - if source["type"] != "server": - continue - m = re.match("^([0123])(\\.\\w+)?\\.pool\\.ntp\\.org$", source["address"]) - if m is None: - continue - number = m.group(1) - zone = m.group(2) - if zone not in pools: - pools[zone] = [] - pools[zone].append((int(number), source)) - - remove_servers = set() - for zone, pool in pools.items(): - # sort and skip all pools not in [0, 3] range - pool.sort() - if [number for number, source in pool] != [0, 1, 2, 3]: - # only exact group of 4 servers can be converted, nothing to do here - continue - # verify that parameters are the same for all servers in the pool - if not all([p[1]["options"] == pool[0][1]["options"] for p in pool]): - break - remove_servers.update([pool[i][1]["address"] for i in [0, 1, 3]]) - pool[2][1]["type"] = "pool" - - processed_sources = [] - for source in time_sources: - if source["type"] == "server" and source["address"] in remove_servers: - continue - processed_sources.append(source) - return processed_sources - - def get_chrony_conf_sources(self): - conf = "" - - if self.step_tickers: - conf += "# Specify NTP servers used for initial correction.\n" - conf += "initstepslew 0.1 {}\n".format(" ".join(self.step_tickers)) - conf += "\n" - - conf += "# Specify time sources.\n" - - for source in self.get_processed_time_sources(): - address = source["address"] - if address.startswith("127.127."): - if address.startswith("127.127.1."): - continue - # No other refclocks are expected from the parser - assert False - else: - conf += "{} {}".format(source["type"], address) - for option in source["options"]: - if option[0] 
in ["minpoll", "maxpoll", "version", "key", - "iburst", "noselect", "prefer", "xleave"]: - conf += " {}".format(" ".join(option)) - elif option[0] == "burst": - conf += " presend 6" - elif option[0] == "true": - conf += " trust" - else: - # No other options are expected from the parser - assert False - conf += "\n" - conf += "\n" - - return conf - - def get_chrony_conf_allows(self): - allowed_networks = filter(lambda n: "ignore" not in self.restrictions[n] and - "noserve" not in self.restrictions[n], - self.restrictions.keys()) - - conf = "" - for network in sorted(allowed_networks, key=lambda n: (n.version, n)): - if network.num_addresses > 1: - conf += "allow {}\n".format(network) - else: - conf += "allow {}\n".format(network.network_address) - - if conf: - conf = "# Allow NTP client access.\n" + conf - conf += "\n" - - return conf - - def get_chrony_conf_cmdallows(self): - allowed_networks = filter(lambda n: "ignore" not in self.restrictions[n] and - "noquery" not in self.restrictions[n] and - n != ipaddress.ip_network(u"127.0.0.1/32") and - n != ipaddress.ip_network(u"::1/128"), - self.restrictions.keys()) - - ip_versions = set() - conf = "" - for network in sorted(allowed_networks, key=lambda n: (n.version, n)): - ip_versions.add(network.version) - if network.num_addresses > 1: - conf += "cmdallow {}\n".format(network) - else: - conf += "cmdallow {}\n".format(network.network_address) - - if conf: - conf = "# Allow remote monitoring.\n" + conf - if 4 in ip_versions: - conf += "bindcmdaddress 0.0.0.0\n" - if 6 in ip_versions: - conf += "bindcmdaddress ::\n" - conf += "\n" - - return conf - - def get_chrony_conf(self, chrony_keys_path): - local_stratum = 0 - maxdistance = 0.0 - minsources = 1 - orphan_stratum = 0 - logs = [] - - for source in self.time_sources: - address = source["address"] - if address.startswith("127.127.1."): - if address in self.fudges and "stratum" in self.fudges[address]: - local_stratum = self.fudges[address]["stratum"] - else: - 
local_stratum = 5 - - if "maxdist" in self.tos_options: - maxdistance = self.tos_options["maxdist"] - if "minsane" in self.tos_options: - minsources = self.tos_options["minsane"] - if "orphan" in self.tos_options: - orphan_stratum = self.tos_options["orphan"] - - if "clockstats" in self.statistics: - logs.append("refclocks") - if "loopstats" in self.statistics: - logs.append("tracking") - if "peerstats" in self.statistics: - logs.append("statistics") - if "rawstats" in self.statistics: - logs.append("measurements") - - conf = "# This file was converted from {}{}.\n".format( - self.ntp_conf_path, - " and " + self.step_tickers_path if self.step_tickers_path else "") - conf += "\n" - - if self.ignored_lines: - conf += "# The following directives were ignored in the conversion:\n" - - for line in self.ignored_lines: - # Remove sensitive information - line = re.sub(r"\s+pw\s+\S+", " pw XXX", line.rstrip()) - conf += "# " + line + "\n" - conf += "\n" - - conf += self.get_chrony_conf_sources() - - conf += "# Record the rate at which the system clock gains/losses time.\n" - if not self.driftfile: - conf += "#" - conf += "driftfile /var/lib/chrony/drift\n" - conf += "\n" - - conf += "# Allow the system clock to be stepped in the first three updates\n" - conf += "# if its offset is larger than 1 second.\n" - conf += "makestep 1.0 3\n" - conf += "\n" - - conf += "# Enable kernel synchronization of the real-time clock (RTC).\n" - conf += "rtcsync\n" - conf += "\n" - - conf += "# Enable hardware timestamping on all interfaces that support it.\n" - conf += "#hwtimestamp *\n" - conf += "\n" - - if maxdistance > 0.0: - conf += "# Specify the maximum distance of sources to be selectable.\n" - conf += "maxdistance {}\n".format(maxdistance) - conf += "\n" - - conf += "# Increase the minimum number of selectable sources required to adjust\n" - conf += "# the system clock.\n" - if minsources > 1: - conf += "minsources {}\n".format(minsources) - else: - conf += "#minsources 2\n" - conf 
+= "\n" - - conf += self.get_chrony_conf_allows() - - conf += self.get_chrony_conf_cmdallows() - - conf += "# Serve time even if not synchronized to a time source.\n" - if orphan_stratum > 0 and orphan_stratum < 16: - conf += "local stratum {} orphan\n".format(orphan_stratum) - elif local_stratum > 0 and local_stratum < 16: - conf += "local stratum {}\n".format(local_stratum) - else: - conf += "#local stratum 10\n" - conf += "\n" - - conf += "# Specify file containing keys for NTP authentication.\n" - conf += "keyfile {}\n".format(chrony_keys_path) - conf += "\n" - - conf += "# Get TAI-UTC offset and leap seconds from the system tz database.\n" - conf += "leapsectz right/UTC\n" - conf += "\n" - - conf += "# Specify directory for log files.\n" - conf += "logdir /var/log/chrony\n" - conf += "\n" - - conf += "# Select which information is logged.\n" - if logs: - conf += "log {}\n".format(" ".join(logs)) - else: - conf += "#log measurements statistics tracking\n" - - return conf - - def get_chrony_keys(self): - if not self.keyfile: - return "" - - keys = "# This file was converted from {}.\n".format(self.keyfile) - keys += "\n" - - for key in self.keys: - key_id = key[0] - key_type = key[1] - password = key[2] - - if key_type in ["m", "M"]: - key_type = "MD5" - elif key_type == "AES128CMAC": - key_type = "AES128" - elif key_type not in ["MD5", "SHA1", "SHA256", "SHA384", "SHA512"]: - continue - - prefix = "ASCII" if len(password) <= 20 else "HEX" - - for first, last in self.trusted_keys: - if first <= key_id <= last: - trusted = True - break - else: - trusted = False - - # Disable keys that were not marked as trusted - if not trusted: - keys += "#" - - keys += "{} {} {}:{}\n".format(key_id, key_type, prefix, password) - - return keys - - def write_file(self, path, mode, content, backup): - path = self.root_dir + path - if backup and os.path.isfile(path): - os.rename(path, path + ".old") - - with open(os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, mode), "w", - 
encoding=self.file_encoding) as f: - logging.info("Writing %s", path) - f.write(u"" + content) - - # Fix SELinux context if restorecon is installed - try: - subprocess.call(["restorecon", path]) - except OSError: - pass - - -def main(): - parser = argparse.ArgumentParser(description="Convert ntp configuration to chrony.") - parser.add_argument("-r", "--root", dest="roots", default=["/"], nargs="+", - metavar="DIR", help="specify root directory (default /)") - parser.add_argument("--ntp-conf", action="store", default="/etc/ntp.conf", - metavar="FILE", help="specify ntp config (default /etc/ntp.conf)") - parser.add_argument("--step-tickers", action="store", default="", - metavar="FILE", help="specify ntpdate step-tickers config (no default)") - parser.add_argument("--chrony-conf", action="store", default="/etc/chrony.conf", - metavar="FILE", help="specify chrony config (default /etc/chrony.conf)") - parser.add_argument("--chrony-keys", action="store", default="/etc/chrony.keys", - metavar="FILE", help="specify chrony keyfile (default /etc/chrony.keys)") - parser.add_argument("-b", "--backup", action="store_true", help="backup existing configs before writing") - parser.add_argument("-L", "--ignored-lines", action="store_true", help="print ignored lines") - parser.add_argument("-D", "--ignored-directives", action="store_true", - help="print names of ignored directives") - parser.add_argument("-n", "--dry-run", action="store_true", help="don't make any changes") - parser.add_argument("-v", "--verbose", action="count", default=0, help="increase verbosity") - - args = parser.parse_args() - - logging.basicConfig(format="%(message)s", - level=[logging.ERROR, logging.INFO, logging.DEBUG][min(args.verbose, 2)]) - - for root in args.roots: - conf = NtpConfiguration(root, args.ntp_conf, args.step_tickers) - - if args.ignored_lines: - for line in conf.ignored_lines: - print(line) - - if args.ignored_directives: - for directive in conf.ignored_directives: - print(directive) - - 
conf.write_chrony_configuration(args.chrony_conf, args.chrony_keys, args.dry_run, args.backup) - - -if __name__ == "__main__": - main() diff --git a/chrony-4.5-tar-gz-asc.txt b/chrony-4.5-tar-gz-asc.txt new file mode 100644 index 0000000..16dae25 --- /dev/null +++ b/chrony-4.5-tar-gz-asc.txt @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmVvJPkACgkQU34rdvdo +DawQjw//Zkq4UTPZDpU/gifjUtE/jpIa6+tyhSFpRI5abNScOPaEa8nZz6Q33/s4 +qiS9RJh1AA13xnal7bIHsixadON01x91ysW1sbNhFx942SwTpk00wDdLmySqW+u5 +klrTfGlGRejp7ahasbXx/dXqk3Sz+J19YIvdz2X1o2HaUZwp1SIwq5Y8BYS8iE0a +G5ov/ail2965hwSoYWNbR7/UuOTEO3YgRk2YSpKKKGJgL27pAzwGlOVwgP9JLAD0 +WsGDEpn+EY+4BOkwMyFeACOHyJ+QCcpKXF9B6CGJELyPqTp2uQy+OkaF4VtkGvpp +wRs6IhMoHFt5NjvCiBhOMvocKd6JrxDxN84gGhSG6OtSFp8GZoFhTxIp//mnZDoz +WPl/Z+n3yABdaG7IWavl6tn2wvipMsgcTJHxRYg6A4d2+mKKy0pRyfLUtGTM9EA/ +NEhTIHVZZLORNK7zPaB8CkFmmsmDQVhowBjXjFcq2HDNzQawbU5gjWUBEH+4R4bq +rb4P9Eg3Kus0fvBxj4z72XkzYGNn951YFhwW26x4w09+J35/1eoshNkBaPfOdsRf +Xgb37MmEe5yfU32k27aYtERnH9w/+rOk1RISrVcK0c87uz0RnzPN5HBzc4PnEpx6 +KQFkFxVaaMeJNc0Ca5/u9aE9nli1DIS8Afo/Z4zQtjVMqLsvecQ= +=4/yB +-----END PGP SIGNATURE----- diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch new file mode 100644 index 0000000..dd9fc2a --- /dev/null +++ b/chrony-nm-dispatcher-dhcp.patch 
@@ -0,0 +1,39 @@ +From: Robert Fairley +Date: Wed, 17 Jun 2020 10:14:19 -0400 +Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig + +Use the PEERNTP and NTPSERVERARGS environment variables from +/etc/sysconfig/network{-scripts}. + +Co-Authored-By: Christian Glombek + +diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp +index 6ea4c37..a6ad35a 100644 +--- a/examples/chrony.nm-dispatcher.dhcp ++++ b/examples/chrony.nm-dispatcher.dhcp +@@ -8,15 +8,23 @@ export LC_ALL=C + interface=$1 + action=$2 + ++[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network ++[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \ ++ . /etc/sysconfig/network-scripts/ifcfg-"${interface}" ++ + chronyc=/usr/bin/chronyc +-server_options=iburst +-server_dir=/var/run/chrony-dhcp ++server_options=${NTPSERVERARGS:-iburst} ++server_dir=/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources + dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" + + add_servers_from_dhcp() { + rm -f "$dhcp_server_file" ++ ++ # Don't add NTP servers if PEERNTP=no specified; return early. ++ [ "$PEERNTP" = "no" ] && return ++ + for server in $dhcp_ntp_servers; do + # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) + len1=$(printf '%s' "$server" | wc -c) diff --git a/SOURCES/chrony.dhclient b/chrony.dhclient similarity index 55% rename from SOURCES/chrony.dhclient rename to chrony.dhclient index d5398e8..3fe9e92 100644 --- a/SOURCES/chrony.dhclient +++ b/chrony.dhclient @@ -1,6 +1,7 @@ #!/bin/bash -SERVERFILE=$SAVEDIR/chrony.servers.$interface +CHRONY_SOURCEDIR=/run/chrony-dhcp +SERVERFILE=$CHRONY_SOURCEDIR/$interface.sources chrony_config() { # Disable modifications if called from a NM dispatcher script 
@@ -8,10 +9,11 @@ chrony_config() { rm -f "$SERVERFILE" if [ "$PEERNTP" != "no" ]; then + mkdir -p $CHRONY_SOURCEDIR for server in $new_ntp_servers; do - echo "$server ${NTPSERVERARGS:-iburst}" >> "$SERVERFILE" + echo "server $server ${NTPSERVERARGS:-iburst}" >> "$SERVERFILE" done - /usr/libexec/chrony-helper update-daemon || : + /usr/bin/chronyc reload sources > /dev/null 2>&1 || : fi } @@ -20,6 +22,6 @@ chrony_restore() { if [ -f "$SERVERFILE" ]; then rm -f "$SERVERFILE" - /usr/libexec/chrony-helper update-daemon || : + /usr/bin/chronyc reload sources > /dev/null 2>&1 || : fi } diff --git a/SPECS/chrony.spec b/chrony.spec similarity index 62% rename from SPECS/chrony.spec rename to chrony.spec index 0e70e5b..f6ccf7b 100644 --- a/SPECS/chrony.spec +++ b/chrony.spec 
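Review bot: The `/usr/bin/chronyc reload sources > /dev/null 2>&1 || :` line is now written out twice, in `chrony_config` here and again in `chrony_restore` in the `@@ -20,6 +22,6 @@` hunk, so a later change to the reload command (or to its error handling) has to be made in two places. A small helper keeps them in step: `chrony_reload() { /usr/bin/chronyc reload sources > /dev/null 2>&1 || :; }` called from both functions. In the same hunk `mkdir -p $CHRONY_SOURCEDIR` is the only unquoted expansion in the function; the value is a fixed path so it is harmless, but `mkdir -p "$CHRONY_SOURCEDIR"` matches the quoting used for `"$SERVERFILE"` on the surrounding lines. The values from `$new_ntp_servers` go into the `server` lines without the invalid-character check the NM dispatcher applies to DHCPv6 FQDNs; if, as I believe, dhclient only fills this variable from the IPv4 ntp-servers option (plain addresses), that is fine, and a one-line comment saying so would save the next reader the same question.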
@@ -1,57 +1,44 @@ %global _hardened_build 1 %global clknetsim_ver 5d1dc0 -%global ntp2chrony_ver 233b75 %bcond_without debug %bcond_without nts +%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x +%bcond_without seccomp +%endif + Name: chrony Version: 4.5 -Release: 2%{?dist} +Release: 5%{?dist} Summary: An NTP client/server -Group: System Environment/Daemons -License: GPLv2 +License: GPL-2.0-only URL: https://chrony-project.org Source0: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}.tar.gz -Source1: chrony.dhclient -Source2: chrony.helper -Source3: chrony-dnssrv@.service -Source4: chrony-dnssrv@.timer +Source1: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}-tar-gz-asc.txt +Source2: https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc +Source3: chrony.dhclient +Source4: chrony.sysusers # simulator for test suite Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz -# script for converting ntp configuration to chrony -Source11: https://github.com/mlichvar/ntp2chrony/raw/%{ntp2chrony_ver}/ntp2chrony/ntp2chrony.py %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} -# revert upstream changes in packaged service files -Patch0: chrony-services.patch -# modify NetworkManager DHCP dispatcher to work with chrony-helper and -# follow distribution-specific configuration +# add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# add NTP servers from DHCP when starting service -Patch2: chrony-service-helper.patch -# revert upstream changes in packaged configuration examples -Patch3: chrony-defconfig.patch -# fix serverstats to correctly count authenticated packets -Patch4: chrony-serverstats.patch -# fix crash on reload command during start -Patch5: chrony-reload.patch -# enable AES-CMAC support using gnutls (but keep nettle for hashing) -Patch6: chrony-cmac.patch BuildRequires: 
libcap-devel libedit-devel nettle-devel pps-tools-devel -%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x -BuildRequires: libseccomp-devel -%endif -BuildRequires: gcc gcc-c++ make bison systemd -BuildRequires: kernel-headers > 4.18.0-87 +BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} +%{?with_seccomp:BuildRequires: libseccomp-devel} -Requires(pre): shadow-utils %{?systemd_requires} +%{?sysusers_requires_compat} -# install timedated implementation that can control chronyd service -Recommends: timedatex +# Needed by the leapsectz directive in default chrony.conf +Requires: tzdata + +# Old NetworkManager expects the dispatcher scripts in a different place +Conflicts: NetworkManager < 1.20 # suggest drivers for hardware reference clocks Suggests: ntp-refclock 
@@ -68,27 +55,22 @@ service to other computers in the network. %endif %prep +%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0} %setup -q -n %{name}-%{version}%{?prerelease} -a 10 -%{?gitpatch:%patch0 -p1} -%patch0 -p1 -b .services -%patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .service-helper -%patch3 -p1 -b .defconfig -%patch4 -p1 -b .serverstats -%patch5 -p1 -%patch6 -p1 -b .cmac +%{?gitpatch:%patch -P 0 -p1} +%patch -P 1 -p1 -b .nm-dispatcher-dhcp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service - e473a9fab7fe200cacce3dca8b66290b examples/chrony.conf.example2 - 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example + 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service + 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - fabb5b3f127b802c27c82837feff0fe6 examples/chrony.nm-dispatcher.dhcp + c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 56d221eba8ce8a2e03d3e0dd87999a81 examples/chronyd.service + c11159b78b89684eca773db6236a9855 examples/chronyd.service + 46fa3e2d42c8eb9c42e71095686c90ed examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone 
@@ -97,26 +79,28 @@ test -n "%{vendorzone}" # use example chrony.conf as the default config with some modifications: # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses) # - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata -# - enable keyfile +# - use NTP servers from DHCP sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ -e 's|#\(leapsectz\)|\1|' \ - -e 's|#\(keyfile\)|\1|' \ + -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \ < examples/chrony.conf.example2 > chrony.conf touch -r examples/chrony.conf.example2 chrony.conf +# set selinux context in chronyd-restricted service +sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' \ + examples/chronyd-restricted.service + # regenerate the file from getdate.y rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim -install -m 644 -p %{SOURCE11} ntp2chrony.py - %build %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ - --enable-scfilter \ +%{?with_seccomp: --enable-scfilter} \ %{!?with_nts: --disable-nts} \ --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ 
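Review bot: The new `sed -i '/^ExecStart/a SELinuxContext=...' examples/chronyd-restricted.service` appends the `SELinuxContext=` line after every line that begins with `ExecStart`, so an `ExecStartPre=`/`ExecStartPost=` in that unit would get a duplicate (and misplaced) directive. The md5sum check earlier in %prep pins the file content, so this cannot change silently, but anchoring on the exact key is cheaper than relying on that: `sed -i '/^ExecStart=/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0'`. The chrony.conf rewrite has the same shape: the `s|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|` expression inserts the `sourcedir` block after each matching `pool` line, which is presumably exactly one in chrony.conf.example2 but is again only guaranteed by the checksum; a comment above the sed noting that both substitutions assume a single match would document the dependency on the md5sum list.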
@@ -124,48 +108,49 @@ install -m 644 -p %{SOURCE11} ntp2chrony.py --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-pidfile=/run/chrony/chronyd.pid \ - --with-sendmail=%{_sbindir}/sendmail -make %{?_smp_mflags} + --with-sendmail=%{_sbindir}/sendmail \ + --without-nettle +%make_build %install -make install DESTDIR=$RPM_BUILD_ROOT +%make_install rm -rf $RPM_BUILD_ROOT%{_docdir} mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d} mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d mkdir -p $RPM_BUILD_ROOT%{_libexecdir} +mkdir -p $RPM_BUILD_ROOT%{_sysusersdir} +mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d} install -m 644 -p chrony.conf $RPM_BUILD_ROOT%{_sysconfdir}/chrony.conf -install -m 640 -p examples/chrony.keys.example \ - $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys -install -m 755 -p examples/chrony.nm-dispatcher.onoffline \ - $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-chrony-onoffline -install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ - $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-chrony-dhcp -install -m 755 -p %{SOURCE1} \ +install -m 755 -p %{SOURCE3} \ $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d/chrony.sh install -m 644 -p examples/chrony.logrotate \ $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/chrony install -m 644 -p examples/chronyd.service \ $RPM_BUILD_ROOT%{_unitdir}/chronyd.service +install -m 644 -p examples/chronyd-restricted.service \ + $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service +install -m 755 -p examples/chrony.nm-dispatcher.onoffline \ + $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline +install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ + $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp 
install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service -install -m 644 -p %{SOURCE3} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.service -install -m 644 -p %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.timer - -install -m 755 -p %{SOURCE2} $RPM_BUILD_ROOT%{_libexecdir}/chrony-helper +install -m 644 -p %{SOURCE4} \ + $RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < \ 
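Review bot: `--without-nettle` is added unconditionally, but gnutls-devel is only pulled in by `%{?with_nts:BuildRequires: gnutls-devel gnutls-utils}` in the first hunk, so a build with `--without nts` now has neither nettle nor gnutls available to configure; if I read chrony's configure correctly that leaves only the built-in MD5 for key-based authentication, and the SHA*/AES key types the package previously supported would disappear without any error at build time. Making the crypto library independent of the NTS switch avoids that: `BuildRequires: gnutls-devel` unconditionally and `%{?with_nts:BuildRequires: gnutls-utils}` for the NTS-only tooling, with a comment such as `# gnutls is the only hashing/CMAC provider now that nettle is disabled` next to `--without-nettle` so the coupling is visible in the %build section.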
@@ -173,51 +158,47 @@ echo 'chronyd.service' > \
 %check
 # set random seed to get deterministic results
-export CLKNETSIM_RANDOM_SEED=24502
-make %{?_smp_mflags} -C test/simulation/clknetsim
+export CLKNETSIM_RANDOM_SEED=24508
+%make_build -C test/simulation/clknetsim
 make quickcheck
 %pre
-getent group chrony > /dev/null || /usr/sbin/groupadd -r chrony
-getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
- -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony
-:
+%sysusers_create_compat %{SOURCE4}
 %post
-# fix PIDFile in local chronyd.service on upgrades from chrony < 3.3-2
-if grep -q 'PIDFile=%{_localstatedir}/run/chronyd.pid' \
- %{_sysconfdir}/systemd/system/chronyd.service 2> /dev/null && \
- ! grep -qi '^[ '$'\t'']*pidfile' %{_sysconfdir}/chrony.conf 2> /dev/null
-then
- sed -i '/PIDFile=/s|/run/|/run/chrony/|' \
- %{_sysconfdir}/systemd/system/chronyd.service
+# migrate from chrony-helper to sourcedir directive
+if test -a %{_libexecdir}/chrony-helper; then
+ grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \
+ echo -e '\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp' >> \
+ %{_sysconfdir}/chrony.conf
+ mkdir -p /run/chrony-dhcp
+ for f in %{_localstatedir}/lib/dhclient/chrony.servers.*; do
+ sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources"
+ done 2> /dev/null
 fi
-# workaround for late reload of unit file (#1614751)
-%{_bindir}/systemctl daemon-reload
-%systemd_post chronyd.service chrony-wait.service
+%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service
 %preun
-%systemd_preun chronyd.service chrony-wait.service
+%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service
 %postun
-%systemd_postun_with_restart chronyd.service
+%systemd_postun_with_restart chronyd.service chronyd-restricted.service
 %files
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%doc FAQ NEWS README ntp2chrony.py
+%doc FAQ NEWS README
examples/chrony.keys.example
 %config(noreplace) %{_sysconfdir}/chrony.conf
-%config(noreplace) %verify(not md5 size mtime) %attr(640,root,chrony) %{_sysconfdir}/chrony.keys
+%ghost %config %attr(640,root,chrony) %{_sysconfdir}/chrony.keys
 %config(noreplace) %{_sysconfdir}/logrotate.d/chrony
 %config(noreplace) %{_sysconfdir}/sysconfig/chronyd
-%{_sysconfdir}/NetworkManager/dispatcher.d/20-chrony*
 %{_sysconfdir}/dhcp/dhclient.d/chrony.sh
 %{_bindir}/chronyc
 %{_sbindir}/chronyd
-%{_libexecdir}/chrony-helper
+%{_prefix}/lib/NetworkManager
 %{_prefix}/lib/systemd/ntp-units.d/*.list
 %{_unitdir}/chrony*.service
-%{_unitdir}/chrony*.timer
+%{_sysusersdir}/chrony.conf
 %{_mandir}/man[158]/%{name}*.[158]*
 %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
 %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift
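Review bot: The migration loop in %post, `for f in %{_localstatedir}/lib/dhclient/chrony.servers.*; do`, has no guard for the no-match case: when nothing matches, `f` is the literal pattern and the body is saved only because `< $f` fails, with the error swallowed by the loop's `2> /dev/null`; `[ -f "$f" ] || continue` as the first statement of the loop, and `< "$f"` for the redirection, would make that explicit. The entries copied by the `sed 's|.*|server &|'` line come from DHCP and are written verbatim as `server` directives, and since this hunk also drops `%{_libexecdir}/chrony-helper`, chronyd's own parsing of the sourcedir files appears to be the only check they get now, which deserves a comment above the loop. `test -a` in the surrounding `if` is a bash-only form; `test -e` does the same check portably.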
@@ -225,49 +206,207 @@ fi
 %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
 %changelog
-* Wed Sep 18 2024 Miroslav Lichvar 4.5-2.el8_10
-- fix crash on reload command during start (RHEL-59112)
-- enable AES-CMAC support using gnutls (RHEL-59032)
+* Mon Jun 24 2024 Troy Dawson - 4.5-5
+- Bump release for June 2024 mass rebuild
-* Wed Jan 10 2024 Miroslav Lichvar 4.5-1
-- update to 4.5 (RHEL-21069 RHEL-10701)
+* Tue May 28 2024 Miroslav Lichvar 4.5-4
+- disable nettle support in favor of gnutls (RHEL-38924)
-* Thu Jul 14 2022 Miroslav Lichvar 4.2-1
-- update to 4.2 (#2062356)
-- fix chrony-helper to delete sources by their original name (#2061660)
-- update ntp2chrony script (#2018045 #2063766)
+* Tue Jan 23 2024 Fedora Release Engineering - 4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-* Tue Jun 15 2021 Miroslav Lichvar 4.1-1
-- update to 4.1 (#1895003 #1847853 #1929157)
-- add NetworkManager dispatcher script to add servers from DHCP even without
- dhclient (#1933139)
-- restrict permissions of /var/lib/chrony and /var/log/chrony (#1939295)
-- reset chrony-helper state after stopping chronyd (#1971697)
-- add gcc-c++ and make to build requirements
+* Fri Jan 19 2024 Fedora Release Engineering - 4.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Tue Dec 05 2023 Miroslav Lichvar 4.5-1
+- update to 4.5
+
+* Wed Nov 22 2023 Miroslav Lichvar 4.5-0.1.pre1
+- update to 4.5-pre1
+
+* Wed Aug 09 2023 Miroslav Lichvar 4.4-1
+- update to 4.4
+- require tzdata (#2218368)
+
+* Wed Jul 19 2023 Fedora Release Engineering - 4.4-0.4.pre2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jun 21 2023 Miroslav Lichvar 4.4-0.3.pre2
+- update to 4.4-pre2
+- set selinux context in chronyd-restricted service (#2169949)
+
+* Tue Jun 06 2023 Miroslav Lichvar 4.4-0.2.pre1
+- rebuild for AES-GCM-SIV in new nettle
+
+* Wed May 10 2023 Miroslav Lichvar 4.4-0.1.pre1
+- update to 4.4-pre1
+- switch from patchX to patch -P X
+
+* Wed Jan 25 2023 Miroslav Lichvar 4.3-3
+- drop default chrony.keys config (#2104918)
+- add chronyd-restricted service for minimal NTP client configurations
+- convert license tag to SPDX
+
+* Wed Jan 18 2023 Fedora Release Engineering - 4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Aug 31 2022 Miroslav Lichvar 4.3-1
+- update to 4.3
+
+* Thu Aug 11 2022 Miroslav Lichvar 4.3-0.1.pre1
+- update to 4.3-pre1
+
+* Wed Jul 20 2022 Fedora Release Engineering - 4.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 24 2022 Luca BRUNO - 4.2-6
+- Add a sysusers.d fragment for chrony user/group
+
+* Wed Feb 16 2022 Zbigniew Jędrzejewski-Szmek - 4.2-5
+- Drop obsolete workaround in scriptlet
+
+* Wed Feb 09 2022 Miroslav Lichvar 4.2-4
+- update seccomp filter for latest glibc
+
+* Tue Feb 08 2022 Miroslav Lichvar 4.2-3
+- use NTP servers passed by NetworkManager from DHCPv6 NTP server option
+
+* Wed Jan 19 2022 Fedora Release Engineering - 4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Miroslav Lichvar 4.2-1
+- update to 4.2
+
+* Thu Dec 02 2021 Miroslav Lichvar 4.2-0.1.pre1
+- update to 4.2-pre1
+
+* Tue Nov 16 2021 Miroslav Lichvar 4.1-5
+- fix hardened chronyd service to allow writing log files
+
+* Wed Sep 29 2021 Miroslav Lichvar 4.1-4
+- harden chronyd and chrony-wait services
+
+* Mon Aug 09 2021 Miroslav Lichvar 4.1-3
+- update seccomp filter for new glibc
+- remove unnecessary build requirement
+
+* Wed Jul 21 2021 Fedora Release Engineering - 4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu May 13 2021 Miroslav Lichvar 4.1-1
+- update to 4.1
+- enable seccomp filter by default (incompatible with mailonchange directive)
+
+* Thu Apr 22 2021 Miroslav Lichvar 4.1-0.1.pre1
+- update to 4.1-pre1
+- rework NM-dispatcher/dhclient detection
+- enable LTO on s390x
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 4.0-4
+- Rebuilt for updated systemd-rpm-macros
+ See https://pagure.io/fesco/issue/2583.
+
+* Tue Feb 02 2021 Miroslav Lichvar 4.0-3
+- update NM DHCP dispatcher script
+
+* Tue Jan 26 2021 Fedora Release Engineering - 4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+- Add BuildRequires: make
+- drop dnssrv service and timer
+
+* Wed Oct 07 2020 Miroslav Lichvar 4.0-1
+- update to 4.0
+- update directory permissions to follow upstream
+
+* Wed Sep 16 2020 Miroslav Lichvar 4.0-0.9.pre4
+- update to 4.0-pre4
+
+* Wed Aug 26 2020 Miroslav Lichvar 4.0-0.8.pre3
+- update to 4.0-pre3
+- switch to sourcedir directive for loading servers from DHCP
+- add NetworkManager dispatcher script to save servers from DHCP when
+ dhclient is not installed (Robert Fairley)
+- drop old migration code from scriptlet
 - move default paths in /var/run to /run
-* Tue May 21 2019 Miroslav Lichvar 3.5-1
-- update to 3.5 (#1685469 #1677218)
-- fix shellcheck warnings in helper scripts (#1711948)
-- update ntp2chrony script
+* Mon Aug 10 2020 Jeff Law - 4.0-0.7.pre2
+- Disable LTO on s390x
-* Mon Aug 13 2018 Miroslav Lichvar 3.3-3
+* Sat Aug 01 2020 Fedora Release Engineering - 4.0-0.6.pre2
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering - 4.0-0.5.pre2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 13 2020 Tom Stellard 4.0-0.4.pre2
+- use make macros
+
+* Mon May 04 2020 Miroslav Lichvar 4.0-0.3.pre2
+- rebuild for new nettle
+
+* Mon Apr 20 2020 Miroslav Lichvar 4.0-0.2.pre2
+- update to 4.0-pre2
+
+* Tue Mar 17 2020 Miroslav Lichvar 4.0-0.1.pre1
+- update to 4.0-pre1
+- add net-tools to build requirements for testing
+- add missing dependency on coreutils
+
+* Tue Jan 28 2020 Fedora Release Engineering - 3.5-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 20 2020 Miroslav Lichvar 3.5-7
+- fix testing with new glibc (#1792854)
+
+* Wed Oct 09 2019 Miroslav Lichvar 3.5-6
+- drop timedatex recommendation
+- verify upstream signatures
+
+* Thu Aug 22 2019 Lubomir Rintel - 3.5-5
+- Move the NetworkManager dispatcher script out of /etc
+
+* Wed Jul 24 2019 Fedora Release Engineering - 3.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 16 2019 Miroslav Lichvar 3.5-3
+- rebuild for new nettle
+
+* Thu May 23 2019 Miroslav Lichvar 3.5-2
+- fix shellcheck warnings in helper scripts
+
+* Tue May 14 2019 Miroslav Lichvar 3.5-1
+- update to 3.5
+
+* Thu May 02 2019 Miroslav Lichvar 3.5-0.1.pre1
+- update to 3.5-pre1
+
+* Thu Jan 31 2019 Fedora Release Engineering - 3.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Sep 19 2018 Miroslav Lichvar 3.4-1
+- update to 3.4
+
+* Fri Aug 31 2018 Miroslav Lichvar 3.4-0.1.pre1
+- update to 3.4-pre1
+
+* Mon Aug 13 2018 Miroslav Lichvar 3.3-5
 - fix PIDFile in local chronyd.service on upgrades from chrony < 3.3-2
- (#1614800)
 - add workaround for late reload of unit file (#1614751)
+* Mon Jul 16 2018 Miroslav Lichvar 3.3-4
+- add gcc-c++ to build requirements
+
+* Thu Jul 12 2018 Fedora Release Engineering - 3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
 * Mon Jun 18 2018 Miroslav Lichvar 3.3-2
 - move pidfile to /var/run/chrony to allow chronyd to remove it on exit
- (#1584585)
-- avoid blocking in getrandom system call (#1592425)
+- avoid blocking in getrandom system call
-* Thu Apr 05 2018 Miroslav Lichvar 3.3-1
+* Wed Apr 04 2018 Miroslav Lichvar 3.3-1
 - update to 3.3
 - enable keyfile by default again
-- update ntp2chrony script
-
-* Mon Mar 19 2018 Miroslav Lichvar 3.3-0.2.pre1
-- include ntp2chrony script in documentation (#1530987)
 * Thu Mar 15 2018 Miroslav Lichvar 3.3-0.1.pre1
 - update to 3.3-pre1
diff --git a/chrony.sysusers b/chrony.sysusers
new file mode 100644
index 0000000..b02f5fe
--- /dev/null
+++ b/chrony.sysusers
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+u chrony - "chrony system user" /var/lib/chrony /sbin/nologin
diff --git a/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc b/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
new file mode 100644
index 0000000..604babe
--- /dev/null
+++ b/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
@@ -0,0 +1,54 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGCc9dwBEADLydyZIqgarshQeCtIlWAgP3coy0mdJwxet1CvXwF1xpq18Qi1
+Tt9RZL64SkbQ8sKryBqnPjKZdOfVT5FwUucjp9L+/j7Bhk0tqv30EIQ57rnDLJ9T
+c4LG1leO+Tc5Ym/0tvv4uMjkxr4KAKHPYrweHk6EAw06bbJ02mfy9xhlITSfyyFl
+QRoRTEjy8N2IDutA4QzbZm0T5kvI7k7s/ILG5vyNo53X5PI/rWrSqmPZ5qs0lvDv
+tA+rxOJp+FvlvOyBuv3ftIX0kAwRU+x/ET2Yd9qQWnXRx9d9D2UpFXm9DHfCDJYR
+F56D0O3hf+rrCa/uSutIqmR33j5Wz4bYjWdmg4wbRQaoVxJl5AUrWuYEFwcCuY2B
+FFgttLPb0qHpeBwuWaWJ9U6HM7qY3WEI2C/OWM0XFM8ERezedNEf7O2GTsoVVcm+
+LRg31R3eJzipKMAGZWScSDSRAXhh6oZhflMRjYKGvwRfgeos/Sl2bdYL80hqyjGV
+jMhEYDC9sfLXRyLU+9FexruIzSLR8Vornma3zjzu9pRkbfTHb8FfBMt9MZEWraF2
+7riRq/zJE9QPWnBL/C8rdaXXxflBmGctn7RDKGOvxZ7SxPzzHbl5tV/Fizhkeph/
+v8YLVuCOk0pIpX65mFun3Xw5IF01x1GMzU1xYezExti9yBNiv9HVqf1DWwARAQAB
+tCZNaXJvc2xhdiBMaWNodmFyIDxtbGljaHZhckByZWRoYXQuY29tPokCVAQTAQgA
+PhYhBI83XH6NDuElo9O9UVN+K3b3aA2sBQJgnPXcAhsDBQkSzAMABQsJCAcCBhUK
+CQgLAgQWAgMBAh4BAheAAAoJEFN+K3b3aA2sl8IQAJ9AMppV6cdxzt8g2Ypz0hw1
+6+9T5DjbYE/s0lozFQhCoYfo+SZyc3+yyKzlxI3ryHwFk9NjXGZZ8QjzT7FLj7/s
+nKDjv5hUCOAi9Q+k217xwlBueeMyheeVaGGGa+Hv5CF1fZx/MtxiShUqu8oSqUyP
+nW8lPGz73MfGAPT7kijVnz73pbht0vrZ9I+r8dnQGiweGBohexfCvmncrTyhjM8r
+nvecycYBNnXhupzpmSMZgIA1s2v7oVmTnV0bntxE/gr7+SPk7KozhD12K8OU8deJ
+cDD8F7NKa9Oe5NtuGVN4IPqp5cgj7GAyIj0sYss9Jknu4jX0imR5kwH6GbgFa7c/
+kU+fKTz57Rs1OGr3glYpMnNftXSWbC2V/OJxHVEcMk8HwKLgnQjtmKLVGeCo5iS6
+LFQuWaxpfjvxVjGSpnNu19cHVUhDM9cTP1DhUd4LdnltHQ+/xjwgzTgE4GJ1ZB0W
+vhvxcdb69Sf50bGd4/WuURRoYSE7M6UKRwfXmMpyTiNhZz+3XjAoScA9AS7q9xfS
+y3OddQEle/+qNFdABB12WmCgRhWemHzTZDXydIJuw+ucLO7U5RrDdqdaHkRVXJ9G
+4mdk+3FgUlYgB9GY4pHQdqGdE60838R2zY9x0gK8cHU+FaRPAiTU8SJL0wb/Rko7
+qbZUY/6bgrDoXp4otAP2iF0EExECAB0WIQSLH0qa2nPUAeMIWgtf8G8puh4BOwUC
+YJ0C3AAKCRBf8G8puh4BO9k2AJ4ohgz/p49IBfjf22sEL1FvYM/DhwCfTyCkbogO
+uagIg5qwuEGwHMgn19G5Ag0EYJz13AEQAMrLXgl5u6vAakSF9n+xCP2WOiMHzzrR
+OxHnWzsX6PTXpJt14LSZOZ5wjdyR3gLJWGLdkfHoxHpQYp7PLgNS29SuAc4HQ+Br
+O5F4g9EmwDJ0ueUYxU1FcySRXfXR+gLabpQCc2s9bW6RaMwLuQNxZwkfXClkPQms
+ImTFA0KntWpHc+uEr1J2i6LQS7D/BK6m72l9x8z9k9gqAabXw+xHsis+ffPMG5Jm
+HOqeHYtsq+2JW1VvBnA4Qh3DKH9OQaD9hZbEiUC3nMmlLkPF/r29tWTPa7luBHBn
+X556JTXVm+vDUDwZ2srLfaKyQCxbNLwvQ2Pn5SOyyCnuIWR2xZs/+KPDMhtKUBAV
+HcboVu6iPCTU42CVMPaJvYD2iUEncZNeUGJOSuG240LSLNGEFFsD7YgXb1XHjQD5
+ci3Ki7P/hHi3AG53IsQTiaE5VgBdDje3zYCf5WaZ6c3DQQB9lab2RMz+5Fdr7Z6Y
+mFRUbmxSnsMe0mwwcqVe3ofV0fKvE7Ep0T8bBg53dCqyU8hIbD5wUe99JmhMFnzs
+5elwkv/Hb3Eg92dgu1zWb5kMzuvGEHtCIukIy1B+pzQOfT+iOC+lbmRHhPslJ9S0
+1vENJE+nEEsGxPy9pRHrmWSKI4Zh+ysjb/vW/vOwAd1RsvxTfgBeOOawmlz+n0pJ
+T018ZnUgmc35ABEBAAGJAjwEGAEIACYWIQSPN1x+jQ7hJaPTvVFTfit292gNrAUC
+YJz13AIbDAUJEswDAAAKCRBTfit292gNrPuRD/43kM0P71gxfJQj6PBpPtjIVVfm
+4TIPWKmV+F4/9eCwAPC/o44Yw+nxGr77Rk2DsaSn0V51j2egRCXKuZBZx/v6JXP7
+qpDk3Uecml7IfxTd+N+gkI3viUsrt4ykUgyUH/wy/edMG3h9qhBQP0RxiDge18P6
+YUpQSnq3uP72ycTPLBJlqp/Y9+GXUapvcyDqBFnvs96ieDmSbjSf6tris1cuLv6f
+eld4HNUY/LmI5MlYbywbgWGpSOyKUlTtyF33LqPnWd7UuTN7QNsYyjGnlJbkkGi/
+KwuNbIo5Gs4avaUSTc7SBLdCYneEIt7mt7hg0StKHQC6s/ak/w8yl1yFy5gRusO4
+QCFT2ZMQ6jZUAuaQGx0rhWQr9akNNJEDsHTBQR8pxpFp3LcDXcUXSSeySRSFZLt+
+hExvDQxXuhdbZHYGL1E6g5gtJQKnobNu2jMOziBcDivhAsqNw2Poq6fJVLavjBI5
+BI1xAqmymIExJFSlHdLuZq09cVzY3EOj3x23YTzPKNOI/qu4jTUT4Byi8Oy3PN1B
+B0n5SqORWJ0KfAyVEewshSAqJ7zrZ5sJXWnKeVQqBOg5EwkOB8rz/M3mqgrnBRiq
+hLiiiG5tKETA1YIQGXIbP8t1vqoQrpvYaJfkk3kQlktxfFkDRt8dKIxpFk8uPiNb
+bcAu2uXfRrQxpaqcOg==
+=/wbD
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/sources b/sources
new file mode 100644
index 0000000..ec1071d
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5
+SHA512 (clknetsim-5d1dc0.tar.gz) = 7d542443d7d9334d900cee821207fab1ee87e57fda6580a9d894f65fb36d265fdc4a72022b4293134d54cdeffba7e84d2f68f732f4b228b84d846d8668b314b2