diff --git a/.chrony.metadata b/.chrony.metadata index 40fb2fc..b0c5d0d 100644 --- a/.chrony.metadata +++ b/.chrony.metadata @@ -1,3 +1,3 @@ -0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz -2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz +bc7884eb4fde69478a00faee3d42092d426d57c1 SOURCES/chrony-4.3.tar.gz +9c453ae65e5c1a6983cd1121410faf1ffd2d9092 SOURCES/clknetsim-f00531.tar.gz 1395afa521d2e3302a31083edcf568bbc036aafc SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc diff --git a/.gitignore b/.gitignore index 65f6088..422eb36 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -SOURCES/chrony-4.2.tar.gz -SOURCES/clknetsim-824c48.tar.gz +SOURCES/chrony-4.3.tar.gz +SOURCES/clknetsim-f00531.tar.gz SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/chrony-4.2-tar-gz-asc.txt b/SOURCES/chrony-4.2-tar-gz-asc.txt deleted file mode 100644 index 23c7755..0000000 --- a/SOURCES/chrony-4.2-tar-gz-asc.txt +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo -Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN -NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ -CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz -R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum -ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM -TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1 -2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI -cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/ -QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS -9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn -2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA= -=F4BS ------END PGP SIGNATURE----- diff --git a/SOURCES/chrony-4.3-tar-gz-asc.txt b/SOURCES/chrony-4.3-tar-gz-asc.txt new file mode 100644 index 0000000..995ffc5 --- /dev/null +++ b/SOURCES/chrony-4.3-tar-gz-asc.txt @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmMPLJAACgkQU34rdvdo +DaxDKRAAh5wfl990Q6sTPxXI92GegZYIGUxJDlCkJtemoI98g+DQbuCJ46AXsAn/ +CIBTbPU3Brvq2KR1nDze/G/YOXkaqoFyaJD00H73qBI7MOMiSS4KbMQ26xLNrnHL +MCHrgZs+MHhyo6IEpesvr7F/+qyGHZifFlHT+HtCM+SBU1qooYUyQAdnhyK0rb16 +j7/Jc5A28jROZB4lcRQyvB085whPj299FsB/0wJW5RjwA5tcpPH0sTozain3vvlo +64BAJXcQsyRsilcaPFlkY5zPgFiAuaEJnfTe/uMdfDO/V/g6wADt64+HhaxNPO+z +p3vzEGpio4Oi1HyYiXpDx9bMM1RLTpmKt9p1V5Y98Fn5Ymx6I7yAe1qwvA7T8eoC +hK8C27jPytiOgaWSYqPYb0WaHY3JZZpFzdtr0bAPSkEzL4EwrxVmbgTnkuzk2hxk +6MiIuDLUd9Zl1oroqv+rTd0XA8lXUcoyFhqtsMXHWdAC3yzteaPcJKzv7l9DT6xV +YadKrSBkzob9jRWRngY3FMKjTvcwnxLE8dfsNlsDNGyLNtTEOJ/QYgh6muOHh80L +MAayI8hSWPTR/3IXKlathjLIeilsrFthIZcrPq520FoS4A7E3A80vR3uKOqAIDwh +Y+6ASvEkCHAUneJqlLihqglYTNJlFnVhGw9/LV85JsmRsCZ0+j8= +=2xMP +-----END PGP SIGNATURE----- diff --git a/SOURCES/chrony-nm-dispatcher-dhcp.patch b/SOURCES/chrony-nm-dispatcher-dhcp.patch index d424737..dd9fc2a 100644 --- a/SOURCES/chrony-nm-dispatcher-dhcp.patch +++ b/SOURCES/chrony-nm-dispatcher-dhcp.patch @@ -1,146 +1,3 @@ -commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14 -Author: Miroslav Lichvar -Date: Mon Feb 7 13:27:25 2022 +0100 - - examples: support DHCPv6 NTP servers in NM dispatcher script - - Latest NetworkManager code provides NTP servers from the DHCPv6 NTP - option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher - scripts. - - Check for invalid characters (which can come from the FQDN suboption) - and include the servers in the interface-specific sources file. - -diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp -index 6ea4c370..4454f037 100644 ---- a/examples/chrony.nm-dispatcher.dhcp -+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -1,8 +1,7 @@ - #!/bin/sh - # This is a NetworkManager dispatcher script for chronyd to update --# its NTP sources passed from DHCP options. Note that this script is --# specific to NetworkManager-dispatcher due to use of the --# DHCP4_NTP_SERVERS environment variable. -+# its NTP sources with servers from DHCP options passed by NetworkManager -+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables. - - export LC_ALL=C - -@@ -10,17 +9,19 @@ interface=$1 - action=$2 - - chronyc=/usr/bin/chronyc --default_server_options=iburst -+server_options=iburst - server_dir=/var/run/chrony-dhcp - - dhcp_server_file=$server_dir/$interface.sources --# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. --nm_dhcp_servers=$DHCP4_NTP_SERVERS -+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" - - add_servers_from_dhcp() { - rm -f "$dhcp_server_file" -- for server in $nm_dhcp_servers; do -- echo "server $server $default_server_options" >> "$dhcp_server_file" -+ for server in $dhcp_ntp_servers; do -+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) -+ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue -+ -+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" - done - $chronyc reload sources > /dev/null 2>&1 || : - } -@@ -34,10 +35,11 @@ clear_servers_from_dhcp() { - - mkdir -p $server_dir - --if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then -- add_servers_from_dhcp --elif [ "$action" = "down" ]; then -- clear_servers_from_dhcp --fi -+case "$action" in -+ up|dhcp4-change|dhcp6-change) -+ add_servers_from_dhcp;; -+ down) -+ clear_servers_from_dhcp;; -+esac - - exit 0 - -commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf -Author: Miroslav Lichvar -Date: Mon Feb 7 13:27:48 2022 +0100 - - examples: handle more actions in NM dispatcher script - - Run the chronyc onoffline command also when the connectivity-change - and dhcp6-change actions are reported by the NetworkManager dispatcher. - - The latter should not be necessary, but there currently doesn't seem to - be any action for IPv6 becoming routable after duplicate address - detection, so at least in networks using DHCPv6, IPv6 NTP servers should - not be stuck in the offline state from a previously reported action. - -diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline -index 34cfa0db..01e6fdb1 100644 ---- a/examples/chrony.nm-dispatcher.onoffline -+++ b/examples/chrony.nm-dispatcher.onoffline -@@ -7,8 +7,18 @@ export LC_ALL=C - - chronyc=/usr/bin/chronyc - --# For NetworkManager consider only up/down events --[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0 -+# For NetworkManager consider only selected events -+if [ $# -ge 2 ]; then -+ case "$2" in -+ up|down|connectivity-change) -+ ;; -+ dhcp6-change) -+ # No other action is reported for routable IPv6 -+ ;; -+ *) -+ exit 0;; -+ esac -+fi - - # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off - -commit fca8966adaaf8376536af86ba2afe02501463588 -Author: Miroslav Lichvar -Date: Wed Mar 23 15:17:03 2022 +0100 - - examples: replace grep command in NM dispatcher script - - Some grep implementations detect binary data and return success without - matching whole line. This might be an issue for the DHCPv6 NTP FQDN - check. The GNU grep in the C locale seems to check only for the NUL - character, which cannot be passed in an environment variable, but other - implementations might behave differently and there doesn't seem to be a - portable way to force matching the whole line. - - Instead of the grep command, check for invalid characters by comparing - the length of the input passed through "tr -d -c". - -diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp -index 4454f037..547ce83f 100644 ---- a/examples/chrony.nm-dispatcher.dhcp -+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -19,7 +19,11 @@ add_servers_from_dhcp() { - rm -f "$dhcp_server_file" - for server in $dhcp_ntp_servers; do - # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) -- printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue -+ len1=$(printf '%s' "$server" | wc -c) -+ len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c) -+ if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then -+ continue -+ fi - - printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" - done From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig diff --git a/SOURCES/chrony-seccomp.patch b/SOURCES/chrony-seccomp.patch deleted file mode 100644 index 523759c..0000000 --- a/SOURCES/chrony-seccomp.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d -Author: Michael Hudson-Doyle -Date: Wed Feb 9 09:06:13 2022 +0100 - - sys_linux: allow rseq in seccomp filter - - Libc 2.35 will use rseq syscalls [1][2] by default and thereby - break chrony in seccomp isolation. - - [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/ - [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html - - Tested-by: Christian Ehrhardt - Reviewed-by: Christian Ehrhardt - Signed-off-by: Michael Hudson-Doyle - Signed-off-by: Christian Ehrhardt - -diff --git a/sys_linux.c b/sys_linux.c -index 9cab2efa..cc3c9311 100644 ---- a/sys_linux.c -+++ b/sys_linux.c -@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - SCMP_SYS(getrlimit), - SCMP_SYS(getuid), - SCMP_SYS(getuid32), -+#ifdef __NR_rseq -+ SCMP_SYS(rseq), -+#endif - SCMP_SYS(rt_sigaction), - SCMP_SYS(rt_sigreturn), - SCMP_SYS(rt_sigprocmask), diff --git a/SOURCES/chrony.sysusers b/SOURCES/chrony.sysusers new file mode 100644 index 0000000..b02f5fe --- /dev/null +++ b/SOURCES/chrony.sysusers @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u chrony - "chrony system user" /var/lib/chrony /sbin/nologin diff --git a/SPECS/chrony.spec b/SPECS/chrony.spec index 3525920..b2a8358 100644 --- a/SPECS/chrony.spec +++ b/SPECS/chrony.spec @@ -1,5 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 824c48 +%global clknetsim_ver f00531 %bcond_without debug %bcond_without nts @@ -8,7 +8,7 @@ %endif Name: chrony -Version: 4.2 +Version: 4.3 Release: 1%{?dist} Summary: An NTP client/server @@ -18,14 +18,13 @@ Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerel Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc Source3: chrony.dhclient +Source4: chrony.sysusers # simulator for test suite Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} -# add IPv6 support and distribution-specific bits to DHCP dispatcher +# add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# update seccomp filter for new glibc -Patch2: chrony-seccomp.patch # revert some hardening options in service files Patch3: chrony-services.patch @@ -34,8 +33,8 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?with_nts:BuildRequires: gnutls-utils} %{?with_seccomp:BuildRequires: libseccomp-devel} -Requires(pre): shadow-utils %{?systemd_requires} +%{?sysusers_requires_compat} # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 @@ -59,7 +58,6 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .seccomp %patch3 -p1 -b .services %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -123,6 +121,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d} mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d mkdir -p $RPM_BUILD_ROOT%{_libexecdir} +mkdir -p $RPM_BUILD_ROOT%{_sysusersdir} mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d} @@ -143,6 +142,8 @@ install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service +install -m 644 -p %{SOURCE4} \ + $RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < /dev/null || /usr/sbin/groupadd -r chrony -getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \ - -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony +%sysusers_create_compat %{SOURCE4} : %post @@ -199,6 +198,7 @@ fi %{_prefix}/lib/NetworkManager %{_prefix}/lib/systemd/ntp-units.d/*.list %{_unitdir}/chrony*.service +%{_sysusersdir}/chrony.conf %{_mandir}/man[158]/%{name}*.[158]* %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift @@ -206,6 +206,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Oct 12 2022 Miroslav Lichvar 4.3-1 +- update to 4.3 (#2133754) +- add sysusers.d fragment for chrony user/group (#2095374) + * Wed Mar 23 2022 Miroslav Lichvar 4.2-1 - update to 4.2 (#2051441) - fully switch from nettle to gnutls (#1953463 #1954483)