From 9f7b83ff2ccc1f36d2210a52637e82e6382d73b9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 15 2022 14:10:50 +0000 Subject: import chrony-4.2-1.el8 --- diff --git a/.chrony.metadata b/.chrony.metadata index c42eda1..0e4fc3a 100644 --- a/.chrony.metadata +++ b/.chrony.metadata @@ -1,2 +1,2 @@ -15dc1976653f17d290b65007a4779e3f4ac1833e SOURCES/chrony-4.1.tar.gz -6f953389765ec334465ebdef4199e25c0290646e SOURCES/clknetsim-f89702.tar.gz +0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz +2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz diff --git a/.gitignore b/.gitignore index 49fef1b..851aa77 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/chrony-4.1.tar.gz -SOURCES/clknetsim-f89702.tar.gz +SOURCES/chrony-4.2.tar.gz +SOURCES/clknetsim-824c48.tar.gz diff --git a/SOURCES/chrony-ipsourcename.patch b/SOURCES/chrony-ipsourcename.patch new file mode 100644 index 0000000..426ca8a --- /dev/null +++ b/SOURCES/chrony-ipsourcename.patch @@ -0,0 +1,108 @@ +commit 33a1fe7a9ce223d6287ab7b11bca3208e9255cdd +Author: Miroslav Lichvar +Date: Wed Mar 9 15:30:16 2022 +0100 + + ntp: split out conf_id allocation + +diff --git a/ntp_sources.c b/ntp_sources.c +index 3cbb2ae7..30770825 100644 +--- a/ntp_sources.c ++++ b/ntp_sources.c +@@ -698,21 +698,25 @@ static int get_unused_pool_id(void) + + /* ================================================== */ + +-NSR_Status +-NSR_AddSource(NTP_Remote_Address *remote_addr, NTP_Source_Type type, +- SourceParameters *params, uint32_t *conf_id) ++static uint32_t ++get_next_conf_id(uint32_t *conf_id) + { +- NSR_Status s; +- +- s = add_source(remote_addr, NULL, type, params, INVALID_POOL, last_conf_id + 1); +- if (s != NSR_Success) +- return s; +- + last_conf_id++; ++ + if (conf_id) + *conf_id = last_conf_id; + +- return s; ++ return last_conf_id; ++} ++ ++/* ================================================== */ ++ ++NSR_Status ++NSR_AddSource(NTP_Remote_Address *remote_addr, NTP_Source_Type type, ++ SourceParameters *params, uint32_t *conf_id) ++{ ++ return add_source(remote_addr, NULL, type, params, INVALID_POOL, ++ get_next_conf_id(conf_id)); + } + + /* ================================================== */ +@@ -725,6 +729,7 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type, + struct SourcePool *sp; + NTP_Remote_Address remote_addr; + int i, new_sources, pool_id; ++ uint32_t cid; + + /* If the name is an IP address, add the source with the address directly */ + if (UTI_StringToIP(name, &remote_addr.ip_addr)) { +@@ -770,14 +775,12 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type, + + append_unresolved_source(us); + +- last_conf_id++; +- if (conf_id) +- *conf_id = last_conf_id; ++ cid = get_next_conf_id(conf_id); + + for (i = 0; i < new_sources; i++) { + if (i > 0) + remote_addr.ip_addr.addr.id = ++last_address_id; +- if (add_source(&remote_addr, name, type, params, us->pool_id, last_conf_id) != NSR_Success) ++ if (add_source(&remote_addr, name, type, params, us->pool_id, cid) != NSR_Success) + return NSR_TooManySources; + } + + +commit 1219f99935ca9597eb0e4f4c6039e536462cf1a6 +Author: Miroslav Lichvar +Date: Wed Mar 9 15:34:16 2022 +0100 + + ntp: keep original source IP address + + When an added source is specified by IP address, save the original + string instead of formatting a new string from the parsed address, which + can be different (e.g. compressed vs expanded IPv6 address). + + This fixes the chronyc sourcename command and -N option to print the IP + address exactly as it was specified in the configuration file or chronyc + add command. + +diff --git a/ntp_sources.c b/ntp_sources.c +index 30770825..d46c211d 100644 +--- a/ntp_sources.c ++++ b/ntp_sources.c +@@ -353,7 +353,6 @@ add_source(NTP_Remote_Address *remote_addr, char *name, NTP_Source_Type type, + record_lock = 1; + + record = get_record(slot); +- assert(!name || !UTI_IsStringIP(name)); + record->name = Strdup(name ? name : UTI_IPToString(&remote_addr->ip_addr)); + record->data = NCR_CreateInstance(remote_addr, type, params, record->name); + record->remote_addr = NCR_GetRemoteAddress(record->data); +@@ -734,7 +733,8 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type, + /* If the name is an IP address, add the source with the address directly */ + if (UTI_StringToIP(name, &remote_addr.ip_addr)) { + remote_addr.port = port; +- return NSR_AddSource(&remote_addr, type, params, conf_id); ++ return add_source(&remote_addr, name, type, params, INVALID_POOL, ++ get_next_conf_id(conf_id)); + } + + /* Make sure the name is at least printable and has no spaces */ diff --git a/SOURCES/chrony-services.patch b/SOURCES/chrony-services.patch new file mode 100644 index 0000000..955be90 --- /dev/null +++ b/SOURCES/chrony-services.patch @@ -0,0 +1,83 @@ +diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service +index 72b028f2..b3aa7aa2 100644 +--- a/examples/chrony-wait.service ++++ b/examples/chrony-wait.service +@@ -16,32 +16,5 @@ TimeoutStartSec=180 + RemainAfterExit=yes + StandardOutput=null + +-CapabilityBoundingSet= +-DevicePolicy=closed +-DynamicUser=yes +-IPAddressAllow=localhost +-IPAddressDeny=any +-LockPersonality=yes +-MemoryDenyWriteExecute=yes +-PrivateDevices=yes +-PrivateUsers=yes +-ProcSubset=pid +-ProtectClock=yes +-ProtectControlGroups=yes +-ProtectHome=yes +-ProtectHostname=yes +-ProtectKernelLogs=yes +-ProtectKernelModules=yes +-ProtectKernelTunables=yes +-ProtectProc=invisible +-ProtectSystem=strict +-RestrictAddressFamilies=AF_INET AF_INET6 +-RestrictNamespaces=yes +-RestrictRealtime=yes +-SystemCallArchitectures=native +-SystemCallFilter=@system-service +-SystemCallFilter=~@privileged @resources +-UMask=0777 +- + [Install] + WantedBy=multi-user.target +diff --git a/examples/chronyd.service b/examples/chronyd.service +index 4fb930ef..289548cb 100644 +--- a/examples/chronyd.service ++++ b/examples/chronyd.service +@@ -10,40 +10,9 @@ Type=forking + PIDFile=/run/chrony/chronyd.pid + EnvironmentFile=-/etc/sysconfig/chronyd + ExecStart=/usr/sbin/chronyd $OPTIONS +- +-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE +-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN +-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT +-CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM +-DeviceAllow=char-pps rw +-DeviceAllow=char-ptp rw +-DeviceAllow=char-rtc rw +-DevicePolicy=closed +-LockPersonality=yes +-MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateTmp=yes +-ProcSubset=pid +-ProtectControlGroups=yes + ProtectHome=yes +-ProtectHostname=yes +-ProtectKernelLogs=yes +-ProtectKernelModules=yes +-ProtectKernelTunables=yes +-ProtectProc=invisible +-ProtectSystem=strict +-ReadWritePaths=/run /var/lib/chrony -/var/log +-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +-RestrictNamespaces=yes +-RestrictSUIDSGID=yes +-SystemCallArchitectures=native +-SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap +- +-# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) +-NoNewPrivileges=no +-ReadWritePaths=-/var/spool +-RestrictAddressFamilies=AF_NETLINK ++ProtectSystem=full + + [Install] + WantedBy=multi-user.target diff --git a/SOURCES/chrony.helper b/SOURCES/chrony.helper index 16deb61..b9797d6 100644 --- a/SOURCES/chrony.helper +++ b/SOURCES/chrony.helper @@ -20,7 +20,7 @@ dnssrv_timer_prefix=chrony-dnssrv@ . $network_sysconfig_file &> /dev/null chrony_command() { - $chronyc -a -n -m "$1" + $chronyc -n -m "$@" } is_running() { @@ -70,7 +70,13 @@ update_daemon() { comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") | while read -r server; do - chrony_command "delete $server" &> /dev/null + chrony_command -c sources -a 2>/dev/null | + while IFS=, read -r type _ address _; do + [ "$type" = "^" ] || continue + [ "$(chrony_command "sourcename $address")" = "$server" ] || continue + chrony_command "delete $address" &> /dev/null + break + done done added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers")) diff --git a/SOURCES/ntp2chrony.py b/SOURCES/ntp2chrony.py index b840225..48efe32 100644 --- a/SOURCES/ntp2chrony.py +++ b/SOURCES/ntp2chrony.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 # # Convert ntp configuration to chrony # @@ -28,7 +28,6 @@ import argparse import ipaddress import logging import os -import os.path import re import subprocess import sys @@ -39,6 +38,7 @@ if sys.version_info[0] < 3: reload(sys) sys.setdefaultencoding("utf-8") + class NtpConfiguration(object): def __init__(self, root_dir, ntp_conf, step_tickers): self.root_dir = root_dir if root_dir != "/" else "" @@ -66,14 +66,15 @@ class NtpConfiguration(object): self.ignored_directives = set() self.ignored_lines = [] - #self.detect_enabled_services() + # self.detect_enabled_services() self.parse_step_tickers() self.parse_ntp_conf() def detect_enabled_services(self): for service in ["ntpdate", "ntpd", "ntp-wait"]: - if os.path.islink("{}/etc/systemd/system/multi-user.target.wants/{}.service" - .format(self.root_dir, service)): + service_path = os.path.join(self.root_dir, + "etc/systemd/system/multi-user.target.wants/{}.service".format(service)) + if os.path.islink(service_path): self.enabled_services.add(service) logging.info("Enabled services found in /etc/systemd/system: %s", " ".join(self.enabled_services)) @@ -255,7 +256,12 @@ class NtpConfiguration(object): else: try: if mask: - networks.append(ipaddress.ip_network(u"{}/{}".format(address, mask))) + # Count bits in the mask (ipaddress does not support + # expanded IPv6 netmasks) + mask_ip = ipaddress.ip_address(mask) + mask_str = "{0:0{1}b}".format(int(mask_ip), mask_ip.max_prefixlen) + networks.append(ipaddress.ip_network( + u"{}/{}".format(address, len(mask_str.rstrip('0'))))) else: networks.append(ipaddress.ip_network(address)) except ValueError: @@ -490,11 +496,11 @@ class NtpConfiguration(object): orphan_stratum = self.tos_options["orphan"] if "clockstats" in self.statistics: - logs.append("refclocks"); + logs.append("refclocks") if "loopstats" in self.statistics: logs.append("tracking") if "peerstats" in self.statistics: - logs.append("statistics"); + logs.append("statistics") if "rawstats" in self.statistics: logs.append("measurements") @@ -593,6 +599,8 @@ class NtpConfiguration(object): if key_type in ["m", "M"]: key_type = "MD5" + elif key_type == "AES128CMAC": + key_type = "AES128" elif key_type not in ["MD5", "SHA1", "SHA256", "SHA384", "SHA512"]: continue @@ -667,5 +675,6 @@ def main(): conf.write_chrony_configuration(args.chrony_conf, args.chrony_keys, args.dry_run, args.backup) + if __name__ == "__main__": main() diff --git a/SPECS/chrony.spec b/SPECS/chrony.spec index e6202a1..432cac7 100644 --- a/SPECS/chrony.spec +++ b/SPECS/chrony.spec @@ -1,11 +1,11 @@ %global _hardened_build 1 -%global clknetsim_ver f89702 -%global ntp2chrony_ver 2a0512 +%global clknetsim_ver 824c48 +%global ntp2chrony_ver 233b75 %bcond_without debug %bcond_without nts Name: chrony -Version: 4.1 +Version: 4.2 Release: 1%{?dist} Summary: An NTP client/server @@ -23,6 +23,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Source11: https://github.com/mlichvar/ntp2chrony/raw/%{ntp2chrony_ver}/ntp2chrony/ntp2chrony.py %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} +# revert upstream changes in packaged service files +Patch0: chrony-services.patch # modify NetworkManager DHCP dispatcher to work with chrony-helper and # follow distribution-specific configuration Patch1: chrony-nm-dispatcher-dhcp.patch @@ -30,6 +32,8 @@ Patch1: chrony-nm-dispatcher-dhcp.patch Patch2: chrony-service-helper.patch # revert upstream changes in packaged chrony.conf example Patch3: chrony-defconfig.patch +# fix chronyc sourcename command to print IP address in original format +Patch4: chrony-ipsourcename.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x @@ -62,9 +66,11 @@ service to other computers in the network. %prep %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} +%patch0 -p1 -b .services %patch1 -p1 -b .nm-dispatcher-dhcp %patch2 -p1 -b .service-helper %patch3 -p1 -b .defconfig +%patch4 -p1 -b .ipsourcename %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -213,6 +219,11 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Jul 14 2022 Miroslav Lichvar 4.2-1 +- update to 4.2 (#2062356) +- fix chrony-helper to delete sources by their original name (#2061660) +- update ntp2chrony script (#2018045 #2063766) + * Tue Jun 15 2021 Miroslav Lichvar 4.1-1 - update to 4.1 (#1895003 #1847853 #1929157) - add NetworkManager dispatcher script to add servers from DHCP even without