* [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable
@ 2021-06-15 9:55 Mircea Ciocan
2021-06-16 10:26 ` Michael Olbrich
0 siblings, 1 reply; 3+ messages in thread
From: Mircea Ciocan @ 2021-06-15 9:55 UTC (permalink / raw)
To: ptxdist
Hello everybody,
unless I'm doing something very wrong, the "out of the box" chrony
package does not allow talking with the chronyc, the client and daemon
control user-space utility, it doesn't even create the Unix socket:
/var/run/chrony/chronyd.sock.
Once the line "--without-tomcrypt" in CHRONY_CONF_OPT is removed,
everything will work OK. Also the option "--with-user=chrony" may make
the daemon more secure, but it certainly messes up the logging and drift
files due to permissions of the /var/run and /var/log.
Out of these only the tomcrypt removal is critical, if somebody can
explain the reason behind it, or what can be done to enable the client
functionality with the existing compile time options I'll be most happy,
because now I had to move the rule to project rules and remove it.
Thanks and best regards,
Mircea
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
* Re: [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable
2021-06-15 9:55 [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable Mircea Ciocan
@ 2021-06-16 10:26 ` Michael Olbrich
2021-06-16 14:15 ` Bruno Thomsen
0 siblings, 1 reply; 3+ messages in thread
From: Michael Olbrich @ 2021-06-16 10:26 UTC (permalink / raw)
To: ptxdist
Hi,
I don't use chrony myself, so I can just look at the build-system.
On Tue, Jun 15, 2021 at 11:55:47AM +0200, Mircea Ciocan wrote:
> unless I'm doing something very wrong, the "out of the box" chrony package
> does not allow talking with the chronyc, the client and daemon control
> user-space utility, it doesn't even create the Unix socket:
> /var/run/chrony/chronyd.sock.
>
> Once the line "--without-tomcrypt" in CHRONY_CONF_OPT is removed, everything
> will work OK.
This makes no sense at all. tomcrypt is an external library that is
currently not available in PTXdist. So removing this option should not
change anything.
Please take a look at the build (e.g. changes to config.h and Makefile) to
see what actually happens.
> Also the option "--with-user=chrony" may make the daemon more
> secure, but it certainly messes up the logging and drift files due to
> permissions of the /var/run and /var/log.
That's just the default user. And as far as I know, this works fine with
systemd. If you use busybox init, then maybe the init script needs to be
changed to create directories with the correct permissions.
Patches are welcome.
> Out of these only the tomcrypt removal is critical, if somebody can explain
> the reason behind it, or what can be done to enable the client functionality
> with the existing compile time options I'll be most happy, because now I had
> to move the rule to project rules and remove it.
Michael
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] Chrony package option --without-tomcrypt makes chronyc unusable
2021-06-16 10:26 ` Michael Olbrich
@ 2021-06-16 14:15 ` Bruno Thomsen
0 siblings, 0 replies; 3+ messages in thread
From: Bruno Thomsen @ 2021-06-16 14:15 UTC (permalink / raw)
To: ptxdist
On Wed, Jun 16, 2021 at 12:26, Michael Olbrich
<m.olbrich@pengutronix.de> wrote:
>
> Hi,
>
> I don't use chrony myself, so I can just look at the build-system.
>
> On Tue, Jun 15, 2021 at 11:55:47AM +0200, Mircea Ciocan wrote:
> > unless I'm doing something very wrong, the "out of the box" chrony package
> > does not allow talking with the chronyc, the client and daemon control
> > user-space utility, it doesn't even create the Unix socket:
> > /var/run/chrony/chronyd.sock.
> >
> > Once the line "--without-tomcrypt" in CHRONY_CONF_OPT is removed, everything
> > will work OK.
>
> This makes no sense at all. tomcrypt is an external library that is
> currently not available in PTXdist. So removing this option should not
> change anything.
> Please take a look at the build (e.g. changes to config.h and Makefile) to
> see what actually happens.
>
> > Also the option "--with-user=chrony" may make the daemon more
> > secure, but it certainly messes up the logging and drift files due to
> > permissions of the /var/run and /var/log.
>
> That's just the default user. And as far as I know, this works fine with
> systemd. If you use busybox init, then maybe the init script needs to be
> changed to create directories with the correct permissions.
I can confirm that it works as expected in systemd.
This is how it looks when service is started as chrony.
As root user:
root@xxxxxxxx:~ chronyc -n sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.10.10.10 3 6 377 45 +141us[ +315us] +/- 30ms
root@xxxxxxxx:~ ls -lah /run/chrony/
total 8.0K
drwxr-x--- 2 chrony chrony 100 Jun 16 08:11 .
drwxr-xr-x 21 root root 600 Jun 16 08:11 ..
-rw-r--r-- 1 chrony chrony 42 Jun 16 07:57 chrony.drift
-rw-r--r-- 1 root root 4 Jun 15 06:48 chronyd.pid
srwxr-xr-x 1 chrony chrony 0 Jun 15 06:48 chronyd.sock
As tech user (another user, not in chrony group):
tech@xxxxxxxx:~ chronyc -n sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.10.10.10 3 6 377 45 -134us[ -266us] +/- 31ms
tech@xxxxxxxx:~ ls -lah /run/chrony/
ls: cannot open directory '/run/chrony/': Permission denied
> Patches are welcome.
We could revert the service user to root when using busybox init.
/Bruno
> > Out of these only the tomcrypt removal is critical, if somebody can explain
> > the reason behind it, or what can be done to enable the client functionality
> > with the existing compile time options I'll be most happy, because now I had
> > to move the rule to project rules and remove it.
>
> Michael
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
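The directory preparation suggested in the thread for a busybox init setup, as an added example that is not part of any message above or of PTXdist's own rules: a shell fragment that creates chronyd's directories with the owner and mode seen in the `/run/chrony/` listing (chrony:chrony, `drwxr-x---`) before the daemon starts as the unprivileged user. The `/var/log/chrony` path, the function names and the ROOT argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): prepare chronyd's runtime and log
# directories so a daemon built with --with-user=chrony can write to them.
# Paths, function names and the ROOT argument are assumptions.

CHRONY_USER="${CHRONY_USER:-chrony}"
CHRONY_GROUP="${CHRONY_GROUP:-chrony}"

# prepare_dir DIR MODE: create DIR owned by the service user with MODE.
# A symlink is refused so a pre-planted link cannot redirect chown/chmod.
prepare_dir() {
    dir="$1"; mode="$2"
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    chown "$CHRONY_USER:$CHRONY_GROUP" "$dir" || return 1
    chmod "$mode" "$dir" || return 1
}

# check_dir DIR MODE: succeed only if DIR is a real directory whose
# owner, group and permission bits match what chronyd expects.
check_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    actual="$(stat -c '%U:%G %a' "$1")" || return 1
    [ "$actual" = "$CHRONY_USER:$CHRONY_GROUP $2" ]
}

# prepare_chrony_dirs ROOT: ROOT is "" on the target (giving /run/chrony
# and /var/log/chrony); a scratch directory can be passed for a dry run.
prepare_chrony_dirs() {
    root="$1"
    prepare_dir "$root/run/chrony" 750 &&
    prepare_dir "$root/var/log/chrony" 750 &&
    check_dir "$root/run/chrony" 750 &&
    check_dir "$root/var/log/chrony" 750
}
```

An init script would call `prepare_chrony_dirs ""` as root and start chronyd only if it returns success.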