[ptxdist] [PATCH 1/6] chrony: verion bump 3.3 -> 3.5

[ptxdist] [PATCH 1/6] chrony: verion bump 3.3 -> 3.5

[Bruno Thomsen]

Always enable ntp support as it does not require
extra dependencies.

Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
 rules/chrony.make | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/chrony.make b/rules/chrony.make
index 61fe4a7fd..3b7456618 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_CHRONY) += chrony
 #
 # Paths and names
 #
-CHRONY_VERSION	:= 3.3
-CHRONY_MD5	:= 81ab62cf5d60b4b3fa8cd2c1b267ffd9
+CHRONY_VERSION	:= 3.5
+CHRONY_MD5	:= 5f66338bc940a9b51eede8f391e7bed3
 CHRONY		:= chrony-$(CHRONY_VERSION)
 CHRONY_SUFFIX	:= tar.gz
 CHRONY_URL	:= http://download.tuxfamily.org/chrony/$(CHRONY).$(CHRONY_SUFFIX)
@@ -44,7 +44,6 @@ CHRONY_CONF_OPT		:= \
 	--without-nss \
 	--without-tomcrypt \
 	--disable-cmdmon \
-	--disable-ntp \
 	--disable-refclock \
 	--disable-phc \
 	--disable-pps \

base-commit: 6721ecdd3deb6e5839462086e9526d6f6c744cea
-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH 2/6] chrony: nettle authentication support

[Bruno Thomsen]

Use nettle crypto lib for stronger time packet
authentication support.

Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
 rules/chrony.in   | 8 ++++++++
 rules/chrony.make | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/rules/chrony.in b/rules/chrony.in
index ccdcb71d0..9eac48971 100644
--- a/rules/chrony.in
+++ b/rules/chrony.in
@@ -6,6 +6,7 @@ menuconfig CHRONY
 	prompt "chrony                        "
 	select LIBC_M
 	select LIBCAP
+	select NETTLE	if CHRONY_USE_NETTLE
 	help
 	  This will install the Chrony NTPD Daemon (chronyd)
 	  Chrony is a pair of programs which are used to maintain
@@ -21,6 +22,13 @@ menuconfig CHRONY
 
 if CHRONY
 
+config CHRONY_USE_NETTLE
+	bool
+	prompt "Use nettle crypto library"
+	help
+	  Use nettle crypto library for stronger keys than MD5 in
+	  NTP authentication.
+
 comment "install options   ---"
 
 config CHRONY_INSTALL_CHRONY_COMMAND
diff --git a/rules/chrony.make b/rules/chrony.make
index 3b7456618..3f90a00b1 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -39,8 +39,8 @@ CHRONY_CONF_OPT		:= \
 	$(CROSS_AUTOCONF_USR) \
 	--disable-readline \
 	--without-editline \
-	--disable-sechash \
-	--without-nettle \
+	$(call ptx/ifdef, PTXCONF_CHRONY_USE_NETTLE,,--disable-sechash) \
+	$(call ptx/ifdef, PTXCONF_CHRONY_USE_NETTLE,,--without-nettle) \
 	--without-nss \
 	--without-tomcrypt \
 	--disable-cmdmon \
-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH 3/6] chrony: systemd unit option

[Bruno Thomsen]

Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
 rules/chrony.in   | 7 +++++++
 rules/chrony.make | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/rules/chrony.in b/rules/chrony.in
index 9eac48971..525be2681 100644
--- a/rules/chrony.in
+++ b/rules/chrony.in
@@ -95,6 +95,13 @@ endif
 config CHRONY_STARTSCRIPT
 	bool
 	default y
+	depends on INITMETHOD_BBINIT
 	prompt "install /etc/init.d/chrony"
 
+config CHRONY_SYSTEMD_UNIT
+	bool
+	default y
+	depends on INITMETHOD_SYSTEMD
+	prompt "install systemd unit files"
+
 endif
diff --git a/rules/chrony.make b/rules/chrony.make
index 3f90a00b1..a72752030 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -106,6 +106,14 @@ ifneq ($(call remove_quotes, $(PTXCONF_CHRONY_BBINIT_LINK)),)
 endif
 endif
 endif
+
+ifdef PTXCONF_CHRONY_SYSTEMD_UNIT
+	@$(call install_alternative, chrony, 0, 0, 0644, \
+		$(CHRONY_DIR)/examples/chronyd.service, /usr/lib/systemd/system/chronyd.service)
+	@$(call install_link, chrony, ../chronyd.service, \
+		/usr/lib/systemd/system/multi-user.target.wants/chronyd.service)
+endif
+
 	@$(call install_finish, chrony)
 
 	@$(call touch)
-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH 4/6] passwd/group: added chrony UID/GID

[Bruno Thomsen]

Added chrony user id (UID) to /etc/passwd and
chrony group id (GID) to /etc/group based on
IDs from Fedora.

Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
 projectroot/etc/group  | 1 +
 projectroot/etc/passwd | 1 +
 2 files changed, 2 insertions(+)

diff --git a/projectroot/etc/group b/projectroot/etc/group
index ad02970de..8c0d5a647 100644
--- a/projectroot/etc/group
+++ b/projectroot/etc/group
@@ -31,4 +31,5 @@ systemd-journal-remote:x:203:
 systemd-journal-upload:x:208:
 render:x:209:
 pulse:x:210:
+chrony:x:989:
 nogroup:x:65534:
diff --git a/projectroot/etc/passwd b/projectroot/etc/passwd
index d15650b38..a5f1e5ffe 100644
--- a/projectroot/etc/passwd
+++ b/projectroot/etc/passwd
@@ -15,5 +15,6 @@ systemd-journal-gateway:x:206:206:systemd-journal-gateway:/dev/null:/bin/false
 systemd-journal-remote:x:207:203:systemd-journal-remote:/dev/null:/bin/false
 systemd-journal-upload:x:208:208:systemd-journal-upload:/dev/null:/bin/false
 pulse:x:209:210:pulse:/dev/null:/bin/false
+chrony:x:994:989:chronyd:/dev/null:/bin/false
 rpcuser:x:65533:65534:RPC user:/dev/null:/bin/false
 nobody:x:65534:65534:Unprivileged Nobody:/dev/null:/bin/false
-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH 5/6] chrony: run as chrony user option

[Bruno Thomsen]

Default chrony service run as root and that is not
best practice as it's doing network communication.

Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
 rules/chrony.in   | 7 +++++++
 rules/chrony.make | 1 +
 2 files changed, 8 insertions(+)

diff --git a/rules/chrony.in b/rules/chrony.in
index 525be2681..6a4f12de0 100644
--- a/rules/chrony.in
+++ b/rules/chrony.in
@@ -29,6 +29,13 @@ config CHRONY_USE_NETTLE
 	  Use nettle crypto library for stronger keys than MD5 in
 	  NTP authentication.
 
+config CHRONY_RUN_AS_NON_ROOT
+	bool
+	prompt "Run chronyd as non root user"
+	help
+	  Default chronyd is started as root, select this
+	  to run service with chrony user.
+
 comment "install options   ---"
 
 config CHRONY_INSTALL_CHRONY_COMMAND
diff --git a/rules/chrony.make b/rules/chrony.make
index a72752030..d5ae52883 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -48,6 +48,7 @@ CHRONY_CONF_OPT		:= \
 	--disable-phc \
 	--disable-pps \
 	$(call ptx/ifdef, PTXCONF_GLOBAL_IPV6,,--disable-ipv6) \
+	$(call ptx/ifdef, PTXCONF_CHRONY_RUN_AS_USER,--with-user=chrony,) \
 	--without-seccomp
 
 # ----------------------------------------------------------------------------
-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH 6/6] chrony: advanced command monitoring option

[Bruno Thomsen]

When you need to dig deep into NTP sync status.

Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
 rules/chrony.in   | 7 +++++++
 rules/chrony.make | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/rules/chrony.in b/rules/chrony.in
index 6a4f12de0..ad9baa2bf 100644
--- a/rules/chrony.in
+++ b/rules/chrony.in
@@ -36,6 +36,13 @@ config CHRONY_RUN_AS_NON_ROOT
 	  Default chronyd is started as root, select this
 	  to run service with chrony user.
 
+config CHRONY_ADVANCED_COMMAND
+	bool
+	prompt "Enable advanced command monitoring"
+	help
+	  This allow getting advanced NTP sync status
+	  monitoring from the service.
+
 comment "install options   ---"
 
 config CHRONY_INSTALL_CHRONY_COMMAND
diff --git a/rules/chrony.make b/rules/chrony.make
index d5ae52883..3d8b64b35 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -43,7 +43,8 @@ CHRONY_CONF_OPT		:= \
 	$(call ptx/ifdef, PTXCONF_CHRONY_USE_NETTLE,,--without-nettle) \
 	--without-nss \
 	--without-tomcrypt \
-	--disable-cmdmon \
+	$(call ptx/ifdef, CHRONY_ADVANCED_COMMAND,,--disable-cmdmon) \
+	$(call ptx/ifdef, CHRONY_ADVANCED_COMMAND,--enable-debug,) \
 	--disable-refclock \
 	--disable-phc \
 	--disable-pps \
-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 3/6] chrony: systemd unit option

[Bruno Thomsen]

Den fre. 24. jul. 2020 kl. 17.48 skrev Bruno Thomsen <bruno.thomsen@gmail.com>:
>
> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> ---
>  rules/chrony.in   | 7 +++++++
>  rules/chrony.make | 8 ++++++++
>  2 files changed, 15 insertions(+)

> +ifdef PTXCONF_CHRONY_SYSTEMD_UNIT
> +       @$(call install_alternative, chrony, 0, 0, 0644, \
> +               $(CHRONY_DIR)/examples/chronyd.service, /usr/lib/systemd/system/chronyd.service)

This should have been an install_copy.

/Bruno

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 1/6] chrony: verion bump 3.3 -> 3.5

[Roland Hieber]

On Fri, Jul 24, 2020 at 05:48:38PM +0200, Bruno Thomsen wrote:
> Always enable ntp support as it does not require
> extra dependencies.
> 
> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> ---
>  rules/chrony.make | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/rules/chrony.make b/rules/chrony.make
> index 61fe4a7fd..3b7456618 100644
> --- a/rules/chrony.make
> +++ b/rules/chrony.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_CHRONY) += chrony
>  #
>  # Paths and names
>  #
> -CHRONY_VERSION	:= 3.3
> -CHRONY_MD5	:= 81ab62cf5d60b4b3fa8cd2c1b267ffd9
> +CHRONY_VERSION	:= 3.5
> +CHRONY_MD5	:= 5f66338bc940a9b51eede8f391e7bed3
>  CHRONY		:= chrony-$(CHRONY_VERSION)
>  CHRONY_SUFFIX	:= tar.gz
>  CHRONY_URL	:= http://download.tuxfamily.org/chrony/$(CHRONY).$(CHRONY_SUFFIX)
> @@ -44,7 +44,6 @@ CHRONY_CONF_OPT		:= \
>  	--without-nss \
>  	--without-tomcrypt \
>  	--disable-cmdmon \
> -	--disable-ntp \

With the reasoning in your commit message, I think this should rather be
--enable-ntp instead to prevent configure auto-detecting it.

 - Roland

>  	--disable-refclock \
>  	--disable-phc \
>  	--disable-pps \
> 
> base-commit: 6721ecdd3deb6e5839462086e9526d6f6c744cea
> -- 
> 2.26.2
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 1/6] chrony: verion bump 3.3 -> 3.5

[Roland Hieber]

Also, "verion" in the subject line :-)

On Fri, Jul 24, 2020 at 05:48:38PM +0200, Bruno Thomsen wrote:
> Always enable ntp support as it does not require
> extra dependencies.
> 
> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> ---
>  rules/chrony.make | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/rules/chrony.make b/rules/chrony.make
> index 61fe4a7fd..3b7456618 100644
> --- a/rules/chrony.make
> +++ b/rules/chrony.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_CHRONY) += chrony
>  #
>  # Paths and names
>  #
> -CHRONY_VERSION	:= 3.3
> -CHRONY_MD5	:= 81ab62cf5d60b4b3fa8cd2c1b267ffd9
> +CHRONY_VERSION	:= 3.5
> +CHRONY_MD5	:= 5f66338bc940a9b51eede8f391e7bed3
>  CHRONY		:= chrony-$(CHRONY_VERSION)
>  CHRONY_SUFFIX	:= tar.gz
>  CHRONY_URL	:= http://download.tuxfamily.org/chrony/$(CHRONY).$(CHRONY_SUFFIX)
> @@ -44,7 +44,6 @@ CHRONY_CONF_OPT		:= \
>  	--without-nss \
>  	--without-tomcrypt \
>  	--disable-cmdmon \
> -	--disable-ntp \
>  	--disable-refclock \
>  	--disable-phc \
>  	--disable-pps \
> 
> base-commit: 6721ecdd3deb6e5839462086e9526d6f6c744cea
> -- 
> 2.26.2
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 3/6] chrony: systemd unit option

[Roland Hieber]

On Mon, Jul 27, 2020 at 08:19:08AM +0200, Bruno Thomsen wrote:
> Den fre. 24. jul. 2020 kl. 17.48 skrev Bruno Thomsen <bruno.thomsen@gmail.com>:
> >
> > Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> > ---
> >  rules/chrony.in   | 7 +++++++
> >  rules/chrony.make | 8 ++++++++
> >  2 files changed, 15 insertions(+)
> 
> > +ifdef PTXCONF_CHRONY_SYSTEMD_UNIT
> > +       @$(call install_alternative, chrony, 0, 0, 0644, \
> > +               $(CHRONY_DIR)/examples/chronyd.service, /usr/lib/systemd/system/chronyd.service)
> 
> This should have been an install_copy.

No, install_alternative is better, so users can adjust it via
projectroot/. It will take the file from the package's install dir
automatically if nothing is found in projectroot/ [1]. If you have no
way of getting the package to install its service file, just copy the
default version into projectroot/ so install_alternative can find it.

[1]: https://www.ptxdist.org/doc/ref_make_macros.html#install-alternative

 - Roland

> 
> /Bruno
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 6/6] chrony: advanced command monitoring option

[Roland Hieber]

On Fri, Jul 24, 2020 at 05:48:43PM +0200, Bruno Thomsen wrote:
> When you need to dig deep into NTP sync status.
> 
> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> ---
>  rules/chrony.in   | 7 +++++++
>  rules/chrony.make | 3 ++-
>  2 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/rules/chrony.in b/rules/chrony.in
> index 6a4f12de0..ad9baa2bf 100644
> --- a/rules/chrony.in
> +++ b/rules/chrony.in
> @@ -36,6 +36,13 @@ config CHRONY_RUN_AS_NON_ROOT
>  	  Default chronyd is started as root, select this
>  	  to run service with chrony user.
>  
> +config CHRONY_ADVANCED_COMMAND
> +	bool
> +	prompt "Enable advanced command monitoring"
> +	help
> +	  This allow getting advanced NTP sync status
> +	  monitoring from the service.
> +
>  comment "install options   ---"
>  
>  config CHRONY_INSTALL_CHRONY_COMMAND
> diff --git a/rules/chrony.make b/rules/chrony.make
> index d5ae52883..3d8b64b35 100644
> --- a/rules/chrony.make
> +++ b/rules/chrony.make
> @@ -43,7 +43,8 @@ CHRONY_CONF_OPT		:= \
>  	$(call ptx/ifdef, PTXCONF_CHRONY_USE_NETTLE,,--without-nettle) \
>  	--without-nss \
>  	--without-tomcrypt \
> -	--disable-cmdmon \
> +	$(call ptx/ifdef, CHRONY_ADVANCED_COMMAND,,--disable-cmdmon) \
> +	$(call ptx/ifdef, CHRONY_ADVANCED_COMMAND,--enable-debug,) \

Here too – reproducible config options are important. Use

        --$(call ptx/endis, CHRONY_ADVANCED_COMMAND)-cmdmon \
        --$(call ptx/endis, CHRONY_ADVANCED_COMMAND)-debug \

instead (unless the configure option is broken…).

 - Roland

>  	--disable-refclock \
>  	--disable-phc \
>  	--disable-pps \
> -- 
> 2.26.2
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 1/6] chrony: verion bump 3.3 -> 3.5

[Michael Olbrich]

On Mon, Jul 27, 2020 at 11:12:33AM +0200, Roland Hieber wrote:
> On Fri, Jul 24, 2020 at 05:48:38PM +0200, Bruno Thomsen wrote:
> > Always enable ntp support as it does not require
> > extra dependencies.
> > 
> > Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> > ---
> >  rules/chrony.make | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> > 
> > diff --git a/rules/chrony.make b/rules/chrony.make
> > index 61fe4a7fd..3b7456618 100644
> > --- a/rules/chrony.make
> > +++ b/rules/chrony.make
> > @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_CHRONY) += chrony
> >  #
> >  # Paths and names
> >  #
> > -CHRONY_VERSION	:= 3.3
> > -CHRONY_MD5	:= 81ab62cf5d60b4b3fa8cd2c1b267ffd9
> > +CHRONY_VERSION	:= 3.5
> > +CHRONY_MD5	:= 5f66338bc940a9b51eede8f391e7bed3
> >  CHRONY		:= chrony-$(CHRONY_VERSION)
> >  CHRONY_SUFFIX	:= tar.gz
> >  CHRONY_URL	:= http://download.tuxfamily.org/chrony/$(CHRONY).$(CHRONY_SUFFIX)
> > @@ -44,7 +44,6 @@ CHRONY_CONF_OPT		:= \
> >  	--without-nss \
> >  	--without-tomcrypt \
> >  	--disable-cmdmon \
> > -	--disable-ntp \
> 
> With the reasoning in your commit message, I think this should rather be
> --enable-ntp instead to prevent configure auto-detecting it.

Unfortunately, this is a handwritten configure script and --enable-ntp does
not exist.

Michael

>  - Roland
> 
> >  	--disable-refclock \
> >  	--disable-phc \
> >  	--disable-pps \
> > 
> > base-commit: 6721ecdd3deb6e5839462086e9526d6f6c744cea
> > -- 
> > 2.26.2
> > 
> > 
> > _______________________________________________
> > ptxdist mailing list
> > ptxdist@pengutronix.de
> > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> > 
> 
> -- 
> Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
> Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
> 31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 3/6] chrony: systemd unit option

[Michael Olbrich]

On Mon, Jul 27, 2020 at 11:17:44AM +0200, Roland Hieber wrote:
> On Mon, Jul 27, 2020 at 08:19:08AM +0200, Bruno Thomsen wrote:
> > Den fre. 24. jul. 2020 kl. 17.48 skrev Bruno Thomsen <bruno.thomsen@gmail.com>:
> > >
> > > Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> > > ---
> > >  rules/chrony.in   | 7 +++++++
> > >  rules/chrony.make | 8 ++++++++
> > >  2 files changed, 15 insertions(+)
> > 
> > > +ifdef PTXCONF_CHRONY_SYSTEMD_UNIT
> > > +       @$(call install_alternative, chrony, 0, 0, 0644, \
> > > +               $(CHRONY_DIR)/examples/chronyd.service, /usr/lib/systemd/system/chronyd.service)
> > 
> > This should have been an install_copy.
> 
> No, install_alternative is better, so users can adjust it via
> projectroot/. It will take the file from the package's install dir
> automatically if nothing is found in projectroot/ [1]. If you have no
> way of getting the package to install its service file, just copy the
> default version into projectroot/ so install_alternative can find it.

In this case, you should install $(CHRONY_DIR)/examples/chronyd.service to
$(CHRONY_PKGDIR)/usr/lib/systemd/system/chronyd.service in the install
stage. And then use install_alternative.

Michael

> [1]: https://www.ptxdist.org/doc/ref_make_macros.html#install-alternative
> 
>  - Roland
> 
> > 
> > /Bruno
> > 
> > _______________________________________________
> > ptxdist mailing list
> > ptxdist@pengutronix.de
> > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> > 
> 
> -- 
> Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
> Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
> 31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 6/6] chrony: advanced command monitoring option

[Michael Olbrich]

On Mon, Jul 27, 2020 at 11:22:00AM +0200, Roland Hieber wrote:
> On Fri, Jul 24, 2020 at 05:48:43PM +0200, Bruno Thomsen wrote:
> > When you need to dig deep into NTP sync status.
> > 
> > Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> > ---
> >  rules/chrony.in   | 7 +++++++
> >  rules/chrony.make | 3 ++-
> >  2 files changed, 9 insertions(+), 1 deletion(-)
> > 
> > diff --git a/rules/chrony.in b/rules/chrony.in
> > index 6a4f12de0..ad9baa2bf 100644
> > --- a/rules/chrony.in
> > +++ b/rules/chrony.in
> > @@ -36,6 +36,13 @@ config CHRONY_RUN_AS_NON_ROOT
> >  	  Default chronyd is started as root, select this
> >  	  to run service with chrony user.
> >  
> > +config CHRONY_ADVANCED_COMMAND
> > +	bool
> > +	prompt "Enable advanced command monitoring"
> > +	help
> > +	  This allow getting advanced NTP sync status
> > +	  monitoring from the service.
> > +
> >  comment "install options   ---"
> >  
> >  config CHRONY_INSTALL_CHRONY_COMMAND
> > diff --git a/rules/chrony.make b/rules/chrony.make
> > index d5ae52883..3d8b64b35 100644
> > --- a/rules/chrony.make
> > +++ b/rules/chrony.make
> > @@ -43,7 +43,8 @@ CHRONY_CONF_OPT		:= \
> >  	$(call ptx/ifdef, PTXCONF_CHRONY_USE_NETTLE,,--without-nettle) \
> >  	--without-nss \
> >  	--without-tomcrypt \
> > -	--disable-cmdmon \
> > +	$(call ptx/ifdef, CHRONY_ADVANCED_COMMAND,,--disable-cmdmon) \
> > +	$(call ptx/ifdef, CHRONY_ADVANCED_COMMAND,--enable-debug,) \
> 
> Here too – reproducible config options are important. Use
> 
>         --$(call ptx/endis, CHRONY_ADVANCED_COMMAND)-cmdmon \
>         --$(call ptx/endis, CHRONY_ADVANCED_COMMAND)-debug \
> 
> instead (unless the configure option is broken…).

Not autoconf and very broken. The patch is correct.

Michael

>  - Roland
> 
> >  	--disable-refclock \
> >  	--disable-phc \
> >  	--disable-pps \
> > -- 
> > 2.26.2
> > 
> > 
> > _______________________________________________
> > ptxdist mailing list
> > ptxdist@pengutronix.de
> > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> > 
> 
> -- 
> Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
> Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
> 31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 4/6] passwd/group: added chrony UID/GID

[Michael Olbrich]

On Fri, Jul 24, 2020 at 05:48:41PM +0200, Bruno Thomsen wrote:
> Added chrony user id (UID) to /etc/passwd and
> chrony group id (GID) to /etc/group based on
> IDs from Fedora.
> 
> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> ---
>  projectroot/etc/group  | 1 +
>  projectroot/etc/passwd | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/projectroot/etc/group b/projectroot/etc/group
> index ad02970de..8c0d5a647 100644
> --- a/projectroot/etc/group
> +++ b/projectroot/etc/group
> @@ -31,4 +31,5 @@ systemd-journal-remote:x:203:
>  systemd-journal-upload:x:208:
>  render:x:209:
>  pulse:x:210:
> +chrony:x:989:

Please just use the next number unless there is a good reason to use
anything else.

>  nogroup:x:65534:
> diff --git a/projectroot/etc/passwd b/projectroot/etc/passwd
> index d15650b38..a5f1e5ffe 100644
> --- a/projectroot/etc/passwd
> +++ b/projectroot/etc/passwd
> @@ -15,5 +15,6 @@ systemd-journal-gateway:x:206:206:systemd-journal-gateway:/dev/null:/bin/false
>  systemd-journal-remote:x:207:203:systemd-journal-remote:/dev/null:/bin/false
>  systemd-journal-upload:x:208:208:systemd-journal-upload:/dev/null:/bin/false
>  pulse:x:209:210:pulse:/dev/null:/bin/false
> +chrony:x:994:989:chronyd:/dev/null:/bin/false

s/chronyd/chrony/

Right?

Michael

>  rpcuser:x:65533:65534:RPC user:/dev/null:/bin/false
>  nobody:x:65534:65534:Unprivileged Nobody:/dev/null:/bin/false
> -- 
> 2.26.2
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH 5/6] chrony: run as chrony user option

[Michael Olbrich]

On Fri, Jul 24, 2020 at 05:48:42PM +0200, Bruno Thomsen wrote:
> Default chrony service run as root and that is not
> best practice as it's doing network communication.

Is there a use-case to run chrony as root? I think we can skip the option
and always run it as user chrony.

Michael

> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> ---
>  rules/chrony.in   | 7 +++++++
>  rules/chrony.make | 1 +
>  2 files changed, 8 insertions(+)
> 
> diff --git a/rules/chrony.in b/rules/chrony.in
> index 525be2681..6a4f12de0 100644
> --- a/rules/chrony.in
> +++ b/rules/chrony.in
> @@ -29,6 +29,13 @@ config CHRONY_USE_NETTLE
>  	  Use nettle crypto library for stronger keys than MD5 in
>  	  NTP authentication.
>  
> +config CHRONY_RUN_AS_NON_ROOT
> +	bool
> +	prompt "Run chronyd as non root user"
> +	help
> +	  Default chronyd is started as root, select this
> +	  to run service with chrony user.
> +
>  comment "install options   ---"
>  
>  config CHRONY_INSTALL_CHRONY_COMMAND
> diff --git a/rules/chrony.make b/rules/chrony.make
> index a72752030..d5ae52883 100644
> --- a/rules/chrony.make
> +++ b/rules/chrony.make
> @@ -48,6 +48,7 @@ CHRONY_CONF_OPT		:= \
>  	--disable-phc \
>  	--disable-pps \
>  	$(call ptx/ifdef, PTXCONF_GLOBAL_IPV6,,--disable-ipv6) \
> +	$(call ptx/ifdef, PTXCONF_CHRONY_RUN_AS_USER,--with-user=chrony,) \
>  	--without-seccomp
>  
>  # ----------------------------------------------------------------------------
> -- 
> 2.26.2
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de