* [ptxdist] [PATCH v2 2/6] chrony: nettle authentication support
From: Bruno Thomsen @ 2020-07-29 19:29 UTC (permalink / raw)
To: ptxdist; +Cc: Bruno Thomsen, bth
Use nettle crypto lib for stronger time packet
authentication support.
Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
Changes since version 1:
- Replace ptx/ifdef with ptx/endis and ptx/wwo for explicit options.
This outputs unrecognized options, but we still get the expected result.
Unrecognized option : --enable-sechash
Unrecognized option : --with-nettle
rules/chrony.in | 8 ++++++++
rules/chrony.make | 4 ++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/rules/chrony.in b/rules/chrony.in
index 1f5e241c9..c81eba868 100644
--- a/rules/chrony.in
+++ b/rules/chrony.in
@@ -6,6 +6,7 @@ menuconfig CHRONY
prompt "chrony "
select LIBC_M
select LIBCAP
+ select NETTLE if CHRONY_USE_NETTLE
help
This will install the Chrony NTPD Daemon (chronyd)
Chrony is a pair of programs which are used to maintain
@@ -21,6 +22,13 @@ menuconfig CHRONY
if CHRONY
+config CHRONY_USE_NETTLE
+ bool
+ prompt "Use nettle crypto library"
+ help
+ Use nettle crypto library for stronger keys than MD5 in
+ NTP authentication.
+
comment "install options ---"
config CHRONY_INSTALL_CHRONY_COMMAND
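Review bot: the help text says "stronger keys than MD5", but what nettle adds is stronger hash algorithms for NTP symmetric-key authentication (SHA-family MACs instead of MD5); the key length is chosen in chrony.keys either way. Suggest rewording to "Use the nettle crypto library to support hash algorithms stronger than MD5 for NTP symmetric-key authentication." Since MD5 is the only algorithm available without this library, consider `default y` so a BSP has to opt out of the stronger MACs rather than opt in.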
diff --git a/rules/chrony.make b/rules/chrony.make
index 06fc7fd9a..c7571cfc8 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -39,8 +39,8 @@ CHRONY_CONF_OPT := \
$(CROSS_AUTOCONF_USR) \
--disable-readline \
--without-editline \
- --disable-sechash \
- --without-nettle \
+ --$(call ptx/endis, PTXCONF_CHRONY_USE_NETTLE)-sechash \
+ --$(call ptx/wwo, PTXCONF_CHRONY_USE_NETTLE)-nettle \
--without-nss \
--without-tomcrypt \
--disable-cmdmon \
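Review bot: the changelog above reports "Unrecognized option : --enable-sechash" and "--with-nettle", which means chrony's hand-written configure only knows the negative forms (--disable-sechash, --without-nettle) that ptx/endis and ptx/wwo happen to produce in the disabled case. With CHRONY_USE_NETTLE=y the build therefore relies on the script's defaults (sechash on, nettle auto-detected) rather than on an explicit option, and a future change of those defaults would silently drop the stronger hash support. Prefer emitting only the recognized negative options when the symbol is unset, e.g. `$(call ptx/ifdef, PTXCONF_CHRONY_USE_NETTLE,,--disable-sechash --without-nettle)`, and ideally make "Unrecognized option" a hard failure so an ignored security-relevant option cannot go unnoticed.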
--
2.26.2
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
* [ptxdist] [PATCH v2 3/6] chrony: systemd unit option
From: Bruno Thomsen @ 2020-07-29 19:29 UTC (permalink / raw)
To: ptxdist; +Cc: Bruno Thomsen, bth
Include examples/chronyd.service from the package in projectroot
so the install_alternative statement works.
Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
Changes since version 1:
- Fix install_alternative statement for service file.
- Added chrony-3.5/examples/chronyd.service to projectroot.
.../usr/lib/systemd/system/chronyd.service | 18 ++++++++++++++++++
rules/chrony.in | 7 +++++++
rules/chrony.make | 7 +++++++
3 files changed, 32 insertions(+)
create mode 100644 projectroot/usr/lib/systemd/system/chronyd.service
diff --git a/projectroot/usr/lib/systemd/system/chronyd.service b/projectroot/usr/lib/systemd/system/chronyd.service
new file mode 100644
index 000000000..289548cba
--- /dev/null
+++ b/projectroot/usr/lib/systemd/system/chronyd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=NTP client/server
+Documentation=man:chronyd(8) man:chrony.conf(5)
+After=ntpdate.service sntp.service ntpd.service
+Conflicts=ntpd.service systemd-timesyncd.service
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/sysconfig/chronyd
+ExecStart=/usr/sbin/chronyd $OPTIONS
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
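Review bot: this is the verbatim upstream examples/chronyd.service, and several lines are Fedora-specific: `EnvironmentFile=-/etc/sysconfig/chronyd` points at a path ptxdist's projectroot does not provide (harmless because of the leading `-`, but `$OPTIONS` then always expands to nothing), and the `After=`/`Conflicts=` entries name units a typical ptxdist image does not have. Either trim the unit to what the BSP ships or, as suggested later in the thread, install $(CHRONY_DIR)/examples/chronyd.service in the install stage so this copy cannot drift from upstream on the next version bump. Keep the hardening lines (PrivateTmp, ProtectHome, ProtectSystem=full, ConditionCapability=CAP_SYS_TIME) in any case, and check that `PIDFile=/run/chrony/chronyd.pid` matches the pidfile chronyd actually writes (its built-in default or the `pidfile` directive in chrony.conf), otherwise `Type=forking` start-up will time out.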
diff --git a/rules/chrony.in b/rules/chrony.in
index c81eba868..16b730199 100644
--- a/rules/chrony.in
+++ b/rules/chrony.in
@@ -95,6 +95,13 @@ endif
config CHRONY_STARTSCRIPT
bool
default y
+ depends on INITMETHOD_BBINIT
prompt "install /etc/init.d/chrony"
+config CHRONY_SYSTEMD_UNIT
+ bool
+ default y
+ depends on INITMETHOD_SYSTEMD
+ prompt "install systemd unit files"
+
endif
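Review bot: the added `depends on INITMETHOD_BBINIT` on CHRONY_STARTSCRIPT changes an existing option (it disappears on systemd BSPs that previously installed /etc/init.d/chrony), but the commit message only mentions the systemd unit; mention it there or split it into its own patch. CHRONY_SYSTEMD_UNIT itself looks fine; a blank line between the two config blocks would match the rest of the file.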
diff --git a/rules/chrony.make b/rules/chrony.make
index c7571cfc8..a11ee5c5e 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -107,6 +107,13 @@ ifneq ($(call remove_quotes, $(PTXCONF_CHRONY_BBINIT_LINK)),)
endif
endif
endif
+
+ifdef PTXCONF_CHRONY_SYSTEMD_UNIT
+ @$(call install_alternative, chrony, 0, 0, 0644, /usr/lib/systemd/system/chronyd.service)
+ @$(call install_link, chrony, ../chronyd.service, \
+ /usr/lib/systemd/system/multi-user.target.wants/chronyd.service)
+endif
+
@$(call install_finish, chrony)
@$(call touch)
--
2.26.2
* [ptxdist] [PATCH v2 4/6] passwd/group: added chrony UID/GID
From: Bruno Thomsen @ 2020-07-29 19:29 UTC (permalink / raw)
To: ptxdist; +Cc: Bruno Thomsen, bth
Added chrony user id (UID) to /etc/passwd and
chrony group id (GID) to /etc/group based on
IDs from Fedora.
Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
No changes since version 1.
projectroot/etc/group | 1 +
projectroot/etc/passwd | 1 +
2 files changed, 2 insertions(+)
diff --git a/projectroot/etc/group b/projectroot/etc/group
index ad02970de..8c0d5a647 100644
--- a/projectroot/etc/group
+++ b/projectroot/etc/group
@@ -31,4 +31,5 @@ systemd-journal-remote:x:203:
systemd-journal-upload:x:208:
render:x:209:
pulse:x:210:
+chrony:x:989:
nogroup:x:65534:
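Review bot: GID 989 (and UID 994 in the next hunk) are values Fedora's installer allocated from its dynamic system range, while every other entry this file adds sits in a fixed 200-series block (203, 208, 209, 210 are visible in the context). Anything on the target that allocates system ids dynamically at runtime could collide with 989/994; taking the next free ids in the project's own block keeps the convention and avoids that.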
diff --git a/projectroot/etc/passwd b/projectroot/etc/passwd
index d15650b38..a5f1e5ffe 100644
--- a/projectroot/etc/passwd
+++ b/projectroot/etc/passwd
@@ -15,5 +15,6 @@ systemd-journal-gateway:x:206:206:systemd-journal-gateway:/dev/null:/bin/false
systemd-journal-remote:x:207:203:systemd-journal-remote:/dev/null:/bin/false
systemd-journal-upload:x:208:208:systemd-journal-upload:/dev/null:/bin/false
pulse:x:209:210:pulse:/dev/null:/bin/false
+chrony:x:994:989:chronyd:/dev/null:/bin/false
rpcuser:x:65533:65534:RPC user:/dev/null:/bin/false
nobody:x:65534:65534:Unprivileged Nobody:/dev/null:/bin/false
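Review bot: the GECOS field reads `chronyd` while the account is `chrony`; the neighbouring entries use the account name, so `chrony:x:994:989:chrony:/dev/null:/bin/false` would be consistent (this was also raised later in the thread). UID and GID differ (994 vs 989), which is legal but easy to misread; if the ids are re-chosen anyway, using the same number for both removes that trap. Home `/dev/null` and shell `/bin/false` match the other service accounts, good.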
--
2.26.2
* [ptxdist] [PATCH v2 5/6] chrony: run as chrony user option
From: Bruno Thomsen @ 2020-07-29 19:29 UTC (permalink / raw)
To: ptxdist; +Cc: Bruno Thomsen, bth
By default the chrony service runs as root, and that is not
best practice as it does network communication.
Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
No changes since version 1.
rules/chrony.in | 7 +++++++
rules/chrony.make | 1 +
2 files changed, 8 insertions(+)
diff --git a/rules/chrony.in b/rules/chrony.in
index 16b730199..6e79270e5 100644
--- a/rules/chrony.in
+++ b/rules/chrony.in
@@ -29,6 +29,13 @@ config CHRONY_USE_NETTLE
Use nettle crypto library for stronger keys than MD5 in
NTP authentication.
+config CHRONY_RUN_AS_NON_ROOT
+ bool
+ prompt "Run chronyd as non root user"
+ help
+ Default chronyd is started as root, select this
+ to run service with chrony user.
+
comment "install options ---"
config CHRONY_INSTALL_CHRONY_COMMAND
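Review bot: the help text should read "By default chronyd is started as root; select this to run the service as the chrony user." It should also state what the option relies on: the `chrony` account from the passwd/group patch must be present on the target, and chronyd keeps CAP_SYS_TIME after dropping privileges through libcap, which the package already selects (`select LIBCAP`). Given the thread's conclusion that there is no use case for running as root, a plain always-on setting would be simpler than a user-visible option.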
diff --git a/rules/chrony.make b/rules/chrony.make
index a11ee5c5e..b28eeb196 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -49,6 +49,7 @@ CHRONY_CONF_OPT := \
--disable-phc \
--disable-pps \
$(call ptx/ifdef, PTXCONF_GLOBAL_IPV6,,--disable-ipv6) \
+ $(call ptx/ifdef, PTXCONF_CHRONY_RUN_AS_USER,--with-user=chrony,) \
--without-seccomp
# ----------------------------------------------------------------------------
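Review bot: `PTXCONF_CHRONY_RUN_AS_USER` does not match the Kconfig symbol added in the first hunk (CHRONY_RUN_AS_NON_ROOT, i.e. PTXCONF_CHRONY_RUN_AS_NON_ROOT), so this ifdef is always false and --with-user=chrony is never passed; with the option enabled chronyd would silently keep running as root. Fix the name, or, since the chrony user is always present in projectroot/etc/passwd after patch 4/6, pass `--with-user=chrony` unconditionally as suggested in the thread, which removes the mismatch entirely. Note that --with-user only drops privileges after start-up; the capability needed for clock stepping is retained via libcap.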
--
2.26.2
* [ptxdist] [PATCH v2 6/6] chrony: advanced monitoring command option
From: Bruno Thomsen @ 2020-07-29 19:29 UTC (permalink / raw)
To: ptxdist; +Cc: Bruno Thomsen, bth
When you need to dig deep into NTP sync status.
Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
Changes since version 1:
- Fixed Yoda-style subject line.
- Replace ptx/ifdef with ptx/endis for explicit options.
This outputs unrecognized options, but we still get the expected result.
Unrecognized option : --disable-debug
Unrecognized option : --enable-cmdmon
rules/chrony.in | 7 +++++++
rules/chrony.make | 3 ++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/rules/chrony.in b/rules/chrony.in
index 6e79270e5..4f8c89a69 100644
--- a/rules/chrony.in
+++ b/rules/chrony.in
@@ -36,6 +36,13 @@ config CHRONY_RUN_AS_NON_ROOT
Default chronyd is started as root, select this
to run service with chrony user.
+config CHRONY_ADVANCED_COMMAND
+ bool
+ prompt "Enable advanced monitoring command"
+ help
+ This allow getting advanced NTP sync status
+ monitoring from the service.
+
comment "install options ---"
config CHRONY_INSTALL_CHRONY_COMMAND
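Review bot: the prompt "Enable advanced monitoring command" hides which upstream feature this toggles; it is chrony's `cmdmon` command/monitoring interface, the one chronyc talks to. Naming the symbol after it (e.g. CHRONY_CMDMON) and saying in the help text that it also turns on --enable-debug (see the makefile hunk) would make the trade-off visible: cmdmon opens a command socket (the Unix socket plus UDP port 323, bound to localhost only by default and controlled by `cmdport`/`bindcmdaddress` in chrony.conf), and a debug build carries extra logging code. The help sentence should read "This allows getting advanced NTP sync status monitoring from the service."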
diff --git a/rules/chrony.make b/rules/chrony.make
index b28eeb196..ba05ee2e6 100644
--- a/rules/chrony.make
+++ b/rules/chrony.make
@@ -43,7 +43,8 @@ CHRONY_CONF_OPT := \
--$(call ptx/wwo, PTXCONF_CHRONY_USE_NETTLE)-nettle \
--without-nss \
--without-tomcrypt \
- --disable-cmdmon \
+ --$(call ptx/endis, PTXCONF_CHRONY_ADVANCED_COMMAND)-cmdmon \
+ --$(call ptx/endis, PTXCONF_CHRONY_ADVANCED_COMMAND)-debug \
--enable-ntp \
--disable-refclock \
--disable-phc \
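Review bot: one Kconfig symbol drives two unrelated configure switches here, cmdmon (the monitoring interface) and --enable-debug (compiles in debug logging). The changelog shows each spelling is "Unrecognized" in one state or the other (chrony's configure only knows --disable-cmdmon and --enable-debug), so with the option off the build relies on debug being off by default, and with it on it relies on cmdmon being on by default. Emit only the recognized form for each, e.g. `$(call ptx/ifdef, PTXCONF_CHRONY_ADVANCED_COMMAND,--enable-debug,--disable-cmdmon)`, and consider a separate CHRONY_DEBUG symbol so a production image can keep chronyc monitoring without shipping a debug build.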
--
2.26.2
* Re: [ptxdist] [PATCH v2 1/6] chrony: version bump 3.3 -> 3.5
From: Michael Olbrich @ 2020-07-30 10:09 UTC (permalink / raw)
To: ptxdist; +Cc: Bruno Thomsen, bth
On Wed, Jul 29, 2020 at 09:29:23PM +0200, Bruno Thomsen wrote:
> Always enable ntp support as it does not require
> extra dependencies.
>
> Updated project URL in package help as sunsite.dk has
> been renamed to dotsrc.org and have shutdown the general
> project hosting part.
>
> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> ---
> Changes since version 1:
> - Fix typo in subject line.
> - Updated URL in package help text.
> - Explicit enable ntp option.
> This outputs an unrecognized option, but we still get the expected result.
> Unrecognized option : --enable-ntp
Please go back to the version and remove the options.
In this case I'd like to notice it if options become invalid after an
update. Even if I need to look at the configure output.
The same for the other patches.
And can you add a comment, that this is not autoconf, above the configure
options? This makes it clear why ptx/endis etc. is not used.
Bonus points if you replace the CROSS_AUTOCONF_USR with the actually
supported options and add a patch to make the 'Unrecognized option' a fatal
error. But I'll accept the patches without this part.
Michael
>
> rules/chrony.in | 2 +-
> rules/chrony.make | 6 +++---
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/rules/chrony.in b/rules/chrony.in
> index ccdcb71d0..1f5e241c9 100644
> --- a/rules/chrony.in
> +++ b/rules/chrony.in
> @@ -17,7 +17,7 @@ menuconfig CHRONY
> to chronyd for monitoring its performance and configuring
> various settings.
>
> - See http://chrony.sunsite.dk/ for details
> + See https://chrony.tuxfamily.org/ for details.
>
> if CHRONY
>
> diff --git a/rules/chrony.make b/rules/chrony.make
> index 61fe4a7fd..06fc7fd9a 100644
> --- a/rules/chrony.make
> +++ b/rules/chrony.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_CHRONY) += chrony
> #
> # Paths and names
> #
> -CHRONY_VERSION := 3.3
> -CHRONY_MD5 := 81ab62cf5d60b4b3fa8cd2c1b267ffd9
> +CHRONY_VERSION := 3.5
> +CHRONY_MD5 := 5f66338bc940a9b51eede8f391e7bed3
> CHRONY := chrony-$(CHRONY_VERSION)
> CHRONY_SUFFIX := tar.gz
> CHRONY_URL := http://download.tuxfamily.org/chrony/$(CHRONY).$(CHRONY_SUFFIX)
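Review bot: CHRONY_URL still fetches the tarball over plain http://download.tuxfamily.org while the help text in rules/chrony.in moves to https; with only CHRONY_MD5 guarding the download, MD5 catches accidental corruption but is not a meaningful defence against a tarball swapped on an unauthenticated channel. Switch the download URL to https as well, and verify the new MD5 against the checksum or signature published upstream before merging (the value itself cannot be checked from the diff).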
> @@ -44,7 +44,7 @@ CHRONY_CONF_OPT := \
> --without-nss \
> --without-tomcrypt \
> --disable-cmdmon \
> - --disable-ntp \
> + --enable-ntp \
> --disable-refclock \
> --disable-phc \
> --disable-pps \
>
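Review bot: `--enable-ntp` replaces `--disable-ntp`, but the changelog in the quoted message notes that chrony's configure reports it as unrecognized, i.e. the script only knows --disable-ntp and NTP support is already its default. As the maintainer asks, simply dropping the line is clearer than carrying an option that is silently ignored; the commit message's "always enable ntp support" still holds.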
> base-commit: 6721ecdd3deb6e5839462086e9526d6f6c744cea
> --
> 2.26.2
>
--
Pengutronix e.K.
Steuerwalder Str. 21 | http://www.pengutronix.de/
31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555
* Re: [ptxdist] [PATCH v2 1/6] chrony: version bump 3.3 -> 3.5
From: Bruno Thomsen @ 2020-07-31 15:59 UTC (permalink / raw)
To: ptxdist, Bruno Thomsen, Bruno Thomsen
Hi Michael,
Thanks for review, and sorry for the mailing list spam.
I have collected replies from multiple mails in this.
On Thu, 30 Jul 2020 at 12:09, Michael Olbrich
<m.olbrich@pengutronix.de> wrote:
>
> On Wed, Jul 29, 2020 at 09:29:23PM +0200, Bruno Thomsen wrote:
> > Changes since version 1:
> > - Fix typo in subject line.
> > - Updated URL in package help text.
> > - Explicit enable ntp option.
> > This outputs an unrecognized option, but we still get the expected result.
> > Unrecognized option : --enable-ntp
>
> Please go back to the version and remove the options.
> In this case I'd like to notice it if options become invalid after an
> update. Even if I need to look at the configure output.
>
> The same for the other patches.
>
> And can you add a comment, that this is not autoconf, above the configure
> options? This makes it clear why ptx/endis etc. is not used.
Okay, I will revert option selection to version 1 and add comment about
custom configure script.
> Bonus points if you replace the CROSS_AUTOCONF_USR with the actually
> supported options and add a patch to make the 'Unrecognized option' a fatal
> error. But I'll accept the patches without this part.
I have patched chrony so a fatal error happens when an unrecognized option
is detected, but added it as a separate patch in case you don't like
the solution.
So I had to replace CROSS_AUTOCONF_USR as it now caused a configure
issue :)
> Is there a use-case to run chrony as root? I think we can skip the option
> and always run it as user chrony.
I am not aware of any use-case, so let's always run it as the chrony user.
But if we do that I have an extra sandbox patch I could send.
> > +chrony:x:994:989:chronyd:/dev/null:/bin/false
>
> s/chronyd/chrony/
>
> Right?
Well... I don't think there are any real rules, but let's replace the daemon
binary name with the package name.
> In this case, you should install $(CHRONY_DIR)/examples/chronyd.service to
> $(CHRONY_PKGDIR)/usr/lib/systemd/system/chronyd.service in the install
> stage. And then use install_alternative.
Okay, I will try to do that.
/Bruno
* Re: [ptxdist] [PATCH v2 1/6] chrony: version bump 3.3 -> 3.5
From: Roland Hieber @ 2020-08-02 21:11 UTC (permalink / raw)
To: Bruno Thomsen; +Cc: ptxdist
On Fri, Jul 31, 2020 at 05:59:08PM +0200, Bruno Thomsen wrote:
> Hi Michael
>
> Thanks for review, and sorry for the mailing list spam.
Sorry, that was partly my fault too. I didn't notice that the configure
script wasn't actually autotools but a custom made one, so my review
comments didn't make much sense at all in that context.
- Roland
--
Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de
Steuerwalder Str. 21 | https://www.pengutronix.de/
31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555