diff --git a/.chrony.metadata b/.chrony.metadata
index c42eda1..0e4fc3a 100644
--- a/.chrony.metadata
+++ b/.chrony.metadata
@@ -1,2 +1,2 @@
-15dc1976653f17d290b65007a4779e3f4ac1833e SOURCES/chrony-4.1.tar.gz
-6f953389765ec334465ebdef4199e25c0290646e SOURCES/clknetsim-f89702.tar.gz
+0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz
+2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz
diff --git a/.gitignore b/.gitignore
index 49fef1b..851aa77 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/chrony-4.1.tar.gz
-SOURCES/clknetsim-f89702.tar.gz
+SOURCES/chrony-4.2.tar.gz
+SOURCES/clknetsim-824c48.tar.gz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/chrony-ipsourcename.patch b/SOURCES/chrony-ipsourcename.patch
new file mode 100644
index 0000000..426ca8a
--- /dev/null
+++ b/SOURCES/chrony-ipsourcename.patch
@@ -0,0 +1,108 @@
+commit 33a1fe7a9ce223d6287ab7b11bca3208e9255cdd
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Wed Mar 9 15:30:16 2022 +0100
+
+ ntp: split out conf_id allocation
+
+diff --git a/ntp_sources.c b/ntp_sources.c
+index 3cbb2ae7..30770825 100644
+--- a/ntp_sources.c
++++ b/ntp_sources.c
+@@ -698,21 +698,25 @@ static int get_unused_pool_id(void)
+
+ /* ================================================== */
+
+-NSR_Status
+-NSR_AddSource(NTP_Remote_Address *remote_addr, NTP_Source_Type type,
+- SourceParameters *params, uint32_t *conf_id)
++static uint32_t
++get_next_conf_id(uint32_t *conf_id)
+ {
+- NSR_Status s;
+-
+- s = add_source(remote_addr, NULL, type, params, INVALID_POOL, last_conf_id + 1);
+- if (s != NSR_Success)
+- return s;
+-
+ last_conf_id++;
++
+ if (conf_id)
+ *conf_id = last_conf_id;
+
+- return s;
++ return last_conf_id;
++}
++
++/* ================================================== */
++
++NSR_Status
++NSR_AddSource(NTP_Remote_Address *remote_addr, NTP_Source_Type type,
++ SourceParameters *params, uint32_t *conf_id)
++{
++ return add_source(remote_addr, NULL, type, params, INVALID_POOL,
++ get_next_conf_id(conf_id));
+ }
+
+ /* ================================================== */
+@@ -725,6 +729,7 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type,
+ struct SourcePool *sp;
+ NTP_Remote_Address remote_addr;
+ int i, new_sources, pool_id;
++ uint32_t cid;
+
+ /* If the name is an IP address, add the source with the address directly */
+ if (UTI_StringToIP(name, &remote_addr.ip_addr)) {
+@@ -770,14 +775,12 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type,
+
+ append_unresolved_source(us);
+
+- last_conf_id++;
+- if (conf_id)
+- *conf_id = last_conf_id;
++ cid = get_next_conf_id(conf_id);
+
+ for (i = 0; i < new_sources; i++) {
+ if (i > 0)
+ remote_addr.ip_addr.addr.id = ++last_address_id;
+- if (add_source(&remote_addr, name, type, params, us->pool_id, last_conf_id) != NSR_Success)
++ if (add_source(&remote_addr, name, type, params, us->pool_id, cid) != NSR_Success)
+ return NSR_TooManySources;
+ }
+
+
+commit 1219f99935ca9597eb0e4f4c6039e536462cf1a6
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Wed Mar 9 15:34:16 2022 +0100
+
+ ntp: keep original source IP address
+
+ When an added source is specified by IP address, save the original
+ string instead of formatting a new string from the parsed address, which
+ can be different (e.g. compressed vs expanded IPv6 address).
+
+ This fixes the chronyc sourcename command and -N option to print the IP
+ address exactly as it was specified in the configuration file or chronyc
+ add command.
+
+diff --git a/ntp_sources.c b/ntp_sources.c
+index 30770825..d46c211d 100644
+--- a/ntp_sources.c
++++ b/ntp_sources.c
+@@ -353,7 +353,6 @@ add_source(NTP_Remote_Address *remote_addr, char *name, NTP_Source_Type type,
+ record_lock = 1;
+
+ record = get_record(slot);
+- assert(!name || !UTI_IsStringIP(name));
+ record->name = Strdup(name ? name : UTI_IPToString(&remote_addr->ip_addr));
+ record->data = NCR_CreateInstance(remote_addr, type, params, record->name);
+ record->remote_addr = NCR_GetRemoteAddress(record->data);
+@@ -734,7 +733,8 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type,
+ /* If the name is an IP address, add the source with the address directly */
+ if (UTI_StringToIP(name, &remote_addr.ip_addr)) {
+ remote_addr.port = port;
+- return NSR_AddSource(&remote_addr, type, params, conf_id);
++ return add_source(&remote_addr, name, type, params, INVALID_POOL,
++ get_next_conf_id(conf_id));
+ }
+
+ /* Make sure the name is at least printable and has no spaces */
diff --git a/SOURCES/chrony-services.patch b/SOURCES/chrony-services.patch
new file mode 100644
index 0000000..955be90
--- /dev/null
+++ b/SOURCES/chrony-services.patch
@@ -0,0 +1,83 @@
+diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
+index 72b028f2..b3aa7aa2 100644
+--- a/examples/chrony-wait.service
++++ b/examples/chrony-wait.service
+@@ -16,32 +16,5 @@ TimeoutStartSec=180
+ RemainAfterExit=yes
+ StandardOutput=null
+
+-CapabilityBoundingSet=
+-DevicePolicy=closed
+-DynamicUser=yes
+-IPAddressAllow=localhost
+-IPAddressDeny=any
+-LockPersonality=yes
+-MemoryDenyWriteExecute=yes
+-PrivateDevices=yes
+-PrivateUsers=yes
+-ProcSubset=pid
+-ProtectClock=yes
+-ProtectControlGroups=yes
+-ProtectHome=yes
+-ProtectHostname=yes
+-ProtectKernelLogs=yes
+-ProtectKernelModules=yes
+-ProtectKernelTunables=yes
+-ProtectProc=invisible
+-ProtectSystem=strict
+-RestrictAddressFamilies=AF_INET AF_INET6
+-RestrictNamespaces=yes
+-RestrictRealtime=yes
+-SystemCallArchitectures=native
+-SystemCallFilter=@system-service
+-SystemCallFilter=~@privileged @resources
+-UMask=0777
+-
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/examples/chronyd.service b/examples/chronyd.service
+index 4fb930ef..289548cb 100644
+--- a/examples/chronyd.service
++++ b/examples/chronyd.service
+@@ -10,40 +10,9 @@ Type=forking
+ PIDFile=/run/chrony/chronyd.pid
+ EnvironmentFile=-/etc/sysconfig/chronyd
+ ExecStart=/usr/sbin/chronyd $OPTIONS
+-
+-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+-CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+-DeviceAllow=char-pps rw
+-DeviceAllow=char-ptp rw
+-DeviceAllow=char-rtc rw
+-DevicePolicy=closed
+-LockPersonality=yes
+-MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateTmp=yes
+-ProcSubset=pid
+-ProtectControlGroups=yes
+ ProtectHome=yes
+-ProtectHostname=yes
+-ProtectKernelLogs=yes
+-ProtectKernelModules=yes
+-ProtectKernelTunables=yes
+-ProtectProc=invisible
+-ProtectSystem=strict
+-ReadWritePaths=/run /var/lib/chrony -/var/log
+-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+-RestrictNamespaces=yes
+-RestrictSUIDSGID=yes
+-SystemCallArchitectures=native
+-SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
+-
+-# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+-NoNewPrivileges=no
+-ReadWritePaths=-/var/spool
+-RestrictAddressFamilies=AF_NETLINK
++ProtectSystem=full
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/SOURCES/chrony.helper b/SOURCES/chrony.helper
index 16deb61..b9797d6 100644
--- a/SOURCES/chrony.helper
+++ b/SOURCES/chrony.helper
@@ -20,7 +20,7 @@ dnssrv_timer_prefix=chrony-dnssrv@
. $network_sysconfig_file &> /dev/null
chrony_command() {
- $chronyc -a -n -m "$1"
+ $chronyc -n -m "$@"
}
is_running() {
@@ -70,7 +70,13 @@ update_daemon() {
comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") |
while read -r server; do
- chrony_command "delete $server" &> /dev/null
+ chrony_command -c sources -a 2>/dev/null |
+ while IFS=, read -r type _ address _; do
+ [ "$type" = "^" ] || continue
+ [ "$(chrony_command "sourcename $address")" = "$server" ] || continue
+ chrony_command "delete $address" &> /dev/null
+ break
+ done
done
added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers"))
diff --git a/SOURCES/ntp2chrony.py b/SOURCES/ntp2chrony.py
index b840225..48efe32 100644
--- a/SOURCES/ntp2chrony.py
+++ b/SOURCES/ntp2chrony.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
#
# Convert ntp configuration to chrony
#
@@ -28,7 +28,6 @@ import argparse
import ipaddress
import logging
import os
-import os.path
import re
import subprocess
import sys
@@ -39,6 +38,7 @@ if sys.version_info[0] < 3:
reload(sys)
sys.setdefaultencoding("utf-8")
+
class NtpConfiguration(object):
def __init__(self, root_dir, ntp_conf, step_tickers):
self.root_dir = root_dir if root_dir != "/" else ""
@@ -66,14 +66,15 @@ class NtpConfiguration(object):
self.ignored_directives = set()
self.ignored_lines = []
- #self.detect_enabled_services()
+ # self.detect_enabled_services()
self.parse_step_tickers()
self.parse_ntp_conf()
def detect_enabled_services(self):
for service in ["ntpdate", "ntpd", "ntp-wait"]:
- if os.path.islink("{}/etc/systemd/system/multi-user.target.wants/{}.service"
- .format(self.root_dir, service)):
+ service_path = os.path.join(self.root_dir,
+ "etc/systemd/system/multi-user.target.wants/{}.service".format(service))
+ if os.path.islink(service_path):
self.enabled_services.add(service)
logging.info("Enabled services found in /etc/systemd/system: %s",
" ".join(self.enabled_services))
@@ -255,7 +256,12 @@ class NtpConfiguration(object):
else:
try:
if mask:
- networks.append(ipaddress.ip_network(u"{}/{}".format(address, mask)))
+ # Count bits in the mask (ipaddress does not support
+ # expanded IPv6 netmasks)
+ mask_ip = ipaddress.ip_address(mask)
+ mask_str = "{0:0{1}b}".format(int(mask_ip), mask_ip.max_prefixlen)
+ networks.append(ipaddress.ip_network(
+ u"{}/{}".format(address, len(mask_str.rstrip('0')))))
else:
networks.append(ipaddress.ip_network(address))
except ValueError:
@@ -490,11 +496,11 @@ class NtpConfiguration(object):
orphan_stratum = self.tos_options["orphan"]
if "clockstats" in self.statistics:
- logs.append("refclocks");
+ logs.append("refclocks")
if "loopstats" in self.statistics:
logs.append("tracking")
if "peerstats" in self.statistics:
- logs.append("statistics");
+ logs.append("statistics")
if "rawstats" in self.statistics:
logs.append("measurements")
@@ -593,6 +599,8 @@ class NtpConfiguration(object):
if key_type in ["m", "M"]:
key_type = "MD5"
+ elif key_type == "AES128CMAC":
+ key_type = "AES128"
elif key_type not in ["MD5", "SHA1", "SHA256", "SHA384", "SHA512"]:
continue
@@ -667,5 +675,6 @@ def main():
conf.write_chrony_configuration(args.chrony_conf, args.chrony_keys, args.dry_run, args.backup)
+
if __name__ == "__main__":
main()
diff --git a/SPECS/chrony.spec b/SPECS/chrony.spec
index e6202a1..432cac7 100644
--- a/SPECS/chrony.spec
+++ b/SPECS/chrony.spec
@@ -1,11 +1,11 @@
%global _hardened_build 1
-%global clknetsim_ver f89702
-%global ntp2chrony_ver 2a0512
+%global clknetsim_ver 824c48
+%global ntp2chrony_ver 233b75
%bcond_without debug
%bcond_without nts
Name: chrony
-Version: 4.1
+Version: 4.2
Release: 1%{?dist}
Summary: An NTP client/server
@@ -23,6 +23,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
Source11: https://github.com/mlichvar/ntp2chrony/raw/%{ntp2chrony_ver}/ntp2chrony/ntp2chrony.py
%{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
+# revert upstream changes in packaged service files
+Patch0: chrony-services.patch
# modify NetworkManager DHCP dispatcher to work with chrony-helper and
# follow distribution-specific configuration
Patch1: chrony-nm-dispatcher-dhcp.patch
@@ -30,6 +32,8 @@ Patch1: chrony-nm-dispatcher-dhcp.patch
Patch2: chrony-service-helper.patch
# revert upstream changes in packaged chrony.conf example
Patch3: chrony-defconfig.patch
+# fix chronyc sourcename command to print IP address in original format
+Patch4: chrony-ipsourcename.patch
BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x
@@ -62,9 +66,11 @@ service to other computers in the network.
%prep
%setup -q -n %{name}-%{version}%{?prerelease} -a 10
%{?gitpatch:%patch0 -p1}
+%patch0 -p1 -b .services
%patch1 -p1 -b .nm-dispatcher-dhcp
%patch2 -p1 -b .service-helper
%patch3 -p1 -b .defconfig
+%patch4 -p1 -b .ipsourcename
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
@@ -213,6 +219,11 @@ fi
%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
%changelog
+* Thu Jul 14 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-1
+- update to 4.2 (#2062356)
+- fix chrony-helper to delete sources by their original name (#2061660)
+- update ntp2chrony script (#2018045 #2063766)
+
* Tue Jun 15 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-1
- update to 4.1 (#1895003 #1847853 #1929157)
- add NetworkManager dispatcher script to add servers from DHCP even without