From cafc2b7a759c623057666ae578e847c78b6e7811 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 23 May 2019 09:50:28 +0200 Subject: [PATCH 001/137] fix shellcheck warnings in helper scripts --- chrony.dhclient | 8 ++++---- chrony.helper | 49 +++++++++++++++++++++++++++++++------------------ 2 files changed, 35 insertions(+), 22 deletions(-) diff --git a/chrony.dhclient b/chrony.dhclient index 8b12441..be17e2a 100644 --- a/chrony.dhclient +++ b/chrony.dhclient @@ -3,18 +3,18 @@ SERVERFILE=$SAVEDIR/chrony.servers.$interface chrony_config() { - rm -f $SERVERFILE + rm -f "$SERVERFILE" if [ "$PEERNTP" != "no" ]; then for server in $new_ntp_servers; do - echo "$server ${NTPSERVERARGS:-iburst}" >> $SERVERFILE + echo "$server ${NTPSERVERARGS:-iburst}" >> "$SERVERFILE" done /usr/libexec/chrony-helper update-daemon || : fi } chrony_restore() { - if [ -f $SERVERFILE ]; then - rm -f $SERVERFILE + if [ -f "$SERVERFILE" ]; then + rm -f "$SERVERFILE" /usr/libexec/chrony-helper update-daemon || : fi } diff --git a/chrony.helper b/chrony.helper index ef1a4e9..95414af 100644 --- a/chrony.helper +++ b/chrony.helper @@ -12,8 +12,8 @@ helper_dir=/var/run/chrony-helper added_servers_file=$helper_dir/added_servers network_sysconfig_file=/etc/sysconfig/network -dhclient_servers_files=/var/lib/dhclient/chrony.servers.* -dnssrv_servers_files=$helper_dir/dnssrv@* +dhclient_servers_files="/var/lib/dhclient/chrony.servers.*" +dnssrv_servers_files="$helper_dir/dnssrv@*" dnssrv_timer_prefix=chrony-dnssrv@ . $network_sysconfig_file &> /dev/null 
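Review bot: In `chrony_config`, the loop `for server in $new_ntp_servers` stays unquoted so the list splits on whitespace, which also leaves pathname expansion active, and every entry is appended to `$SERVERFILE` unchecked. The value looks like it comes from the DHCP lease (inferred from the variable name and the dhclient hook context), so it should be handled as network-supplied input. Putting `set -f` before the loop and `set +f` after it, and skipping odd entries with `case $server in *[!A-Za-z0-9.:_-]*) continue;; esac`, would keep glob characters and stray tokens out of the file. That file matches the `chrony.servers.*` pattern that chrony.helper reads, presumably on the `update-daemon` call that follows.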
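Review bot: Quoting `dhclient_servers_files` and `dnssrv_servers_files` in chrony.helper quiets the shellcheck warning but does not change what is stored: both still hold glob patterns that only expand where they are later used unquoted. Those use sites are outside this hunk, so it cannot be confirmed here how an unmatched pattern is handled; without `nullglob` the literal pattern string would be passed on. A comment above the two assignments would record the intent, for example `# glob patterns; expanded (deliberately unquoted) where the files are read`.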
@@ -50,27 +50,30 @@ update_daemon() { all_servers=$( echo "$all_servers_with_args" | - while read server serverargs; do + while read -r server serverargs; do echo "$server" done | sort -u) added_servers=$( ( cat $added_servers_file 2> /dev/null echo "$all_servers_with_args" | - while read server serverargs; do + while read -r server serverargs; do [ -z "$server" ] && continue chrony_command "add server $server $serverargs" &> /dev/null && echo "$server" done) | sort -u) comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") | - while read server; do + while read -r server; do chrony_command "delete $server" &> /dev/null done added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers")) - [ -n "$added_servers" ] && echo "$added_servers" > $added_servers_file || + if [ -n "$added_servers" ]; then + echo "$added_servers" > $added_servers_file + else rm -f $added_servers_file + fi } get_dnssrv_servers() { @@ -81,10 +84,9 @@ get_dnssrv_servers() { return 1 fi - output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null) - [ $? -ne 0 ] && return 0 + output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null) || return 0 - echo "$output" | while read prio weight port target; do + echo "$output" | while read -r _ _ port target; do server=${target%.} [ -z "$server" ] && continue echo "$server port $port ${NTPSERVERARGS:-iburst}" @@ -112,13 +114,19 @@ update_dnssrv_servers() { check_dnssrv_name "$name" || return 1 servers=$(get_dnssrv_servers "$name") - [ -n "$servers" ] && echo "$servers" > "$srv_file" || rm -f "$srv_file" + if [ -n "$servers" ]; then + echo "$servers" > "$srv_file" + else + rm -f "$srv_file" + fi } set_dnssrv_timer() { local state=$1 name=$2 local srv_file=$helper_dir/dnssrv@$name servers - local timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer + local timer + + timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer || return 1 check_dnssrv_name "$name" || return 1 
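Review bot: In `get_dnssrv_servers`, the fields read from the `dig` answer are echoed as `$server port $port …` after only an empty-target check, so whatever the resolver returns for the target and port becomes part of a server line. Those lines are stored by `update_dnssrv_servers` and, judging by the `add server $server $serverargs` call in `update_daemon`, appear to reach a chronyc command later. A guard right after `server=${target%.}`, such as `[[ $port =~ ^[0-9]+$ && $server =~ ^[A-Za-z0-9._-]+$ ]] || continue`, would limit them to a numeric port and a plain host name. Separately, `|| return 0` makes a failed lookup look the same as an empty answer, and the caller then removes `$srv_file`, so a transient DNS failure drops the stored servers. The function begins above the hunk.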
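Review bot: In `set_dnssrv_timer`, the new `timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer || return 1` is placed before `check_dnssrv_name "$name" || return 1`, so `systemd-escape` receives the name before it has been validated. Moving the `check_dnssrv_name` line above the assignment keeps unvalidated input away from the external command. Writing `systemd-escape -- "$name"` would also stop a name beginning with `-` from being parsed as an option. The rest of `set_dnssrv_timer` lies outside the hunk.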
@@ -155,8 +163,10 @@ is_source_line() { } list_static_sources() { - while read line; do - is_source_line "$line" && echo "$line" || : + while read -r line; do + if is_source_line "$line"; then + echo "$line" + fi done < $chrony_conf } @@ -165,11 +175,11 @@ set_static_sources() { new_config=$( sources=$( - while read line; do + while read -r line; do is_source_line "$line" && echo "$line" done) - while read line; do + while read -r line; do if ! is_source_line "$line"; then echo "$line" continue @@ -178,9 +188,12 @@ set_static_sources() { tmp_sources=$( local removed=0 - echo "$sources" | while read line2; do - [ "$removed" -ne 0 -o "$line" != "$line2" ] && \ - echo "$line2" || removed=1 + echo "$sources" | while read -r line2; do + if [ "$removed" -ne 0 ] || [ "$line" != "$line2" ]; then + echo "$line2" + else + removed=1 + fi done) [ "$sources" == "$tmp_sources" ] && continue From 06bbe31ce32454c9fea9df0d3e899b3dfadf4808 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 23 May 2019 09:52:48 +0200 Subject: [PATCH 002/137] 3.5-2 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 757dc36..49f23f5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -191,6 +191,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu May 23 2019 Miroslav Lichvar 3.5-2 +- fix shellcheck warnings in helper scripts + * Tue May 14 2019 Miroslav Lichvar 3.5-1 - update to 3.5 From 3364ee9583990113222e544ab1d760bc257c7549 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 16 Jul 2019 15:39:26 +0200 Subject: [PATCH 003/137] 3.5-3 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 49f23f5..ae86e5d 100644 --- a/chrony.spec +++ b/chrony.spec 
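Review bot: The `while read -r line` loops in `set_static_sources` (and the one in `list_static_sources` in the preceding hunk) still read without `IFS=` and print with `echo "$line"`. Lines copied into `new_config` therefore lose leading and trailing whitespace, a final line with no newline is skipped, and a line such as `-n` is consumed by `echo` as an option. As this code appears to rebuild the chrony configuration, `while IFS= read -r line || [ -n "$line" ]; do` with `printf '%s\n' "$line"` would pass non-source lines through unchanged. `is_source_line` would need checking against indented lines first, since it is not visible here. `set_static_sources` starts and ends outside these hunks.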
@@ -4,7 +4,7 @@ Name: chrony Version: 3.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPLv2 @@ -191,6 +191,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jul 16 2019 Miroslav Lichvar 3.5-3 +- rebuild for new nettle + * Thu May 23 2019 Miroslav Lichvar 3.5-2 - fix shellcheck warnings in helper scripts From e6d617a744968b6e84255dbd89e949765a6deb46 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 24 Jul 2019 20:14:40 +0000 Subject: [PATCH 004/137] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index ae86e5d..aa890c5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPLv2 @@ -191,6 +191,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 24 2019 Fedora Release Engineering - 3.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Tue Jul 16 2019 Miroslav Lichvar 3.5-3 - rebuild for new nettle From c0f3bfcbcd8f9c8807e27f1e82e1a2a597dfd816 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 27 Aug 2019 15:32:07 +0200 Subject: [PATCH 005/137] verify upstream signatures --- chrony.spec | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/chrony.spec b/chrony.spec index aa890c5..ef270bc 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -10,10 +10,12 @@ Summary: An NTP client/server License: GPLv2 URL: https://chrony.tuxfamily.org Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz -Source1: chrony.dhclient -Source2: chrony.helper -Source3: chrony-dnssrv@.service -Source4: chrony-dnssrv@.timer +Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt +Source2: https://chrony.tuxfamily.org/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc +Source3: chrony.dhclient +Source4: chrony.helper +Source5: chrony-dnssrv@.service +Source6: chrony-dnssrv@.timer # simulator for test suite Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} @@ -25,7 +27,7 @@ BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x BuildRequires: libseccomp-devel %endif -BuildRequires: gcc gcc-c++ bison systemd +BuildRequires: gcc gcc-c++ bison systemd gnupg2 Requires(pre): shadow-utils %{?systemd_requires} @@ -48,6 +50,7 @@ service to other computers in the network. %endif %prep +%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0} %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch2 -p1 -b .service-helper @@ -113,7 +116,7 @@ install -m 640 -p examples/chrony.keys.example \ $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys install -m 755 -p examples/chrony.nm-dispatcher \ $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-chrony -install -m 755 -p %{SOURCE1} \ +install -m 755 -p %{SOURCE3} \ $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d/chrony.sh install -m 644 -p examples/chrony.logrotate \ $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/chrony 
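Review bot: The keyring named by the new `Source2` line is the only trust anchor for the `%{gpgverify}` step, and the key block committed for it later in this series begins with `mQGiB…`, which is the packet header of a 1024-bit DSA key (its creation time appears to be 2007). The signature check is therefore only as strong as that legacy key, and stricter OpenPGP policies may refuse it; the SHA512 entries in `sources` remain the stronger pin on the tarball. A comment above `Source2` would make this visible to the next maintainer, for example `# upstream signing key is DSA-1024; replace this file when upstream rotates to a stronger key, after checking the new fingerprint out of band`.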
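Review bot: The `%{gpgverify}` line added to `%prep` authenticates `%{SOURCE0}` only, while `%setup … -a 10` on the next line also unpacks `Source10` (clknetsim), which has no signature and is covered solely by its SHA512 entry in `sources`. That tarball is compiled and run during the build's test stage, so the difference matters to anyone auditing the build inputs. A comment above `Source10` would prevent the assumption that every source is signature-checked, for example `# no upstream signature for clknetsim; integrity relies on the hash in the sources file`.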
@@ -122,10 +125,10 @@ install -m 644 -p examples/chronyd.service \ $RPM_BUILD_ROOT%{_unitdir}/chronyd.service install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service -install -m 644 -p %{SOURCE3} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.service -install -m 644 -p %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.timer +install -m 644 -p %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.service +install -m 644 -p %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.timer -install -m 755 -p %{SOURCE2} $RPM_BUILD_ROOT%{_libexecdir}/chrony-helper +install -m 755 -p %{SOURCE4} $RPM_BUILD_ROOT%{_libexecdir}/chrony-helper cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < Date: Tue, 27 Aug 2019 15:37:42 +0200 Subject: [PATCH 006/137] upload new sources --- .gitignore | 1 + ...1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc | 29 +++++++++++++++++++ sources | 1 + 3 files changed, 31 insertions(+) create mode 100644 gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc diff --git a/.gitignore b/.gitignore index 6d8cbb5..dc37315 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /chrony-3.5.tar.gz +/chrony-3.5-tar-gz-asc.txt /clknetsim-3f5ef9.tar.gz diff --git a/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc b/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc new file mode 100644 index 0000000..ce59e23 --- /dev/null +++ b/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc 
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGiBEYLz1cRBADYNM9gn8g1Bw8t2Zj+HT9hbSHVs9ofSdxqdLEVAbNySeLftOlZ +ba+4CU+lIfC/6XHZ0r+UvTBVK+r/KLjFxWz5cWGGFVUrXOSjo2PDXDqWrs9VALtT +zH8sr0/7qJCByF9fnryPO1fmMKlh9R0+X5cF7vZjlWbM+BV/yxARi4lb4wCgpf9M +7uo9hJUcMyy2zJSdzjUPkcMEAMVyDpw7kwTjnWzwaOHnPlT/x31OkGAO2sZgzRGu +VE1zGN4Ruv36GS7hNPndtpTGZuPtmLrE2wJS2exer4kTYANfiGj/JDTiuGQYF2jp +9cN3zJL7e7Bik004TZVUGg3HzpuWWc/uiTXgrZxIDz4uPxjy5kdDfbhUziNsy9Uj +igOZBADQ9T6XYQBTfRmGUkl7hEeAeu+WfEGDVlHP+EpMtk/uANUqYef5xUG4RomE +EyjRlrEXwG7Ly2HhH3UADBuPjkP68AGN8WslbCNx5Na+nZr6r1sT1+Z3OdUDprpY +PQxCu5WWYsYgzroO/JEA2d3pYgaaHEAhyZxau1UtW4hpAn8svbQmTWlyb3NsYXYg +TGljaHZhciA8bWxpY2h2YXJAcmVkaGF0LmNvbT6IZgQTEQIAJgIbAwYLCQgHAwIE +FQIIAwQWAgMBAh4BAheABQJbt20rBQkb2aQNAAoJEF/wbym6HgE7MOkAnjdG94MF +4XAVLnzCVbrJb/Ishao4AJ9o1EL9U/at8KzvfZdpPyNrmoeq+bkCDQRGC89XEAgA +medsNk8FIYdzJYyP2eaIYKMTpSCFgTKE1EHdiRaX5n3oo9o26+vfA1NfIwKM8G54 +3Ddr1yl2PRmQermHMQahMMsXcehQXjsJoZXTglJq6kw5Xb1V1K6SyXQv/sLmWGxw +T91T+0I+9g+UqMeqR8B2hj950BbfWn6Pu5CRk2voTsYEU2ecejKOWOOrbUnD/5wy +mkSD/1g+T7bgGOHMrSgYWH3Fk7dWNKpGBtQn3cL7fKy+cn4koDW1L3ebxg4zWpFo +l51m3u8DXc9lqUjg9AoqJH1bc9eQPQvJKxd5syU2pkgtHhT2rlSqpRtsKsgRNfBC +qBbK9gtEM3DRUD+EbbEZgwADBQf8CTSksVEUs5svpQlldZERwViUwwVb4TMszKKq +nEti6zu6oMkIDreGzSISDsrWq1WxzUv9IYumwanzkgTpVVfFPxK7samtol8Lol5V +r3Zbil3Q0IGJ9thhitMHRSU3ClhVRZF5QF/MhSzD1j0cXK4Ls0np5DePT3H4tItZ ++OcEhZcDb8k2DMcJW/REuiisWOElwIDM0o0kZyQiy+5QRfE2xancu3n8+wGtwc0N +2Yp/elmIigreu0xuK7HaFOiScUYv00BJa/ZEO2aOkRuiKkdp3oxtz3MIdDYyGbI6 +mL4h+X8079i95yu+L2tUJGHeN5u+X0Hsg9sE6TpVEggQEI30YYhPBBgRAgAPAhsM +BQJbt22dBQkb2aZBAAoJEF/wbym6HgE7rJYAn1gpOMPrFyjezpaYsloAwjSZhu8t +AKCTJlsZByvaTTXjUMyQy2z7tjnVpw== +=4XBU +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index cf7fa3f..8257254 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,3 @@ SHA512 (chrony-3.5.tar.gz) = c4f6376a44d71b6ac2b6d86e3d6fb4348642faeef7f3f3a4d6431627b5645efcc868b005cc398c8292bc3b63a1161fbd1a042c6ac2a0595843f908fe32eed90c +SHA512 (chrony-3.5-tar-gz-asc.txt) = b66ccc22fb7ae2f0597b5e20705a71f0d7fabad396d6efc427f49247361a09e3b13e2af31460123451268268d663a181361769795758c4ee96ade2b24e31ba48 SHA512 (clknetsim-3f5ef9.tar.gz) = 01eea027ec8289d1053236fcc9ee09a8411e5f68cb3279077e50d330169a1ba1284798a50786dbd94382444aeaa652e276b94668c7adf5be66e910f937a9e55d From 58f87738eaeda62fde441fa5afaa10578298939d Mon Sep 17 00:00:00 2001 From: Lubomir Rintel Date: Thu, 22 Aug 2019 15:42:00 +0200 Subject: [PATCH 007/137] Move the NetworkManager dispatcher script out of /etc It's not user configuration and shouldn't ever have been there. Except for that it used to be the only location NetworkManager looked into. With NetworkManager 1.20 that is no longer the case and the dispatcher scripts can be moved to /usr/lib. --- chrony.spec | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/chrony.spec b/chrony.spec index ef270bc..3b44989 100644 --- a/chrony.spec +++ b/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5 -Release: 4%{?dist} +Release: 5%{?dist} Summary: An NTP client/server License: GPLv2 @@ -35,6 +35,9 @@ Requires(pre): shadow-utils # install timedated implementation that can control chronyd service Recommends: timedatex +# Old NetworkManager expects the dispatcher scripts in a different place +Conflicts: NetworkManager < 1.20 + # suggest drivers for hardware reference clocks Suggests: ntp-refclock 
@@ -105,17 +108,15 @@ rm -rf $RPM_BUILD_ROOT%{_docdir} mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d} mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d mkdir -p $RPM_BUILD_ROOT%{_libexecdir} +mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d} install -m 644 -p chrony.conf $RPM_BUILD_ROOT%{_sysconfdir}/chrony.conf install -m 640 -p examples/chrony.keys.example \ $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys -install -m 755 -p examples/chrony.nm-dispatcher \ - $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-chrony install -m 755 -p %{SOURCE3} \ $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d/chrony.sh install -m 644 -p examples/chrony.logrotate \ @@ -123,6 +124,8 @@ install -m 644 -p examples/chrony.logrotate \ install -m 644 -p examples/chronyd.service \ $RPM_BUILD_ROOT%{_unitdir}/chronyd.service +install -m 755 -p examples/chrony.nm-dispatcher \ + $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service install -m 644 -p %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.service @@ -179,11 +182,11 @@ fi %config(noreplace) %verify(not md5 size mtime) %attr(640,root,chrony) %{_sysconfdir}/chrony.keys %config(noreplace) %{_sysconfdir}/logrotate.d/chrony %config(noreplace) %{_sysconfdir}/sysconfig/chronyd -%{_sysconfdir}/NetworkManager/dispatcher.d/20-chrony %{_sysconfdir}/dhcp/dhclient.d/chrony.sh %{_bindir}/chronyc %{_sbindir}/chronyd %{_libexecdir}/chrony-helper +%{_prefix}/lib/NetworkManager %{_prefix}/lib/systemd/ntp-units.d/*.list %{_unitdir}/chrony*.service %{_unitdir}/chrony*.timer 
@@ -194,6 +197,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Aug 22 2019 Lubomir Rintel - 3.5-5 +- Move the NetworkManager dispatcher script out of /etc + * Wed Jul 24 2019 Fedora Release Engineering - 3.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild From ae57c18ced305eaf2330d84d4c68a07f08c046e5 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Oct 2019 16:58:16 +0200 Subject: [PATCH 008/137] drop timedatex recommendation systemd-timedated has obsoleted timedatex in F31. --- chrony.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index 3b44989..95b353e 100644 --- a/chrony.spec +++ b/chrony.spec @@ -32,9 +32,6 @@ BuildRequires: gcc gcc-c++ bison systemd gnupg2 Requires(pre): shadow-utils %{?systemd_requires} -# install timedated implementation that can control chronyd service -Recommends: timedatex - # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 From 718aa8464cb77972e1a6205f7ce68e7095a8cad4 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Oct 2019 17:05:00 +0200 Subject: [PATCH 009/137] 3.5-6 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 95b353e..2154987 100644 --- a/chrony.spec +++ b/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5 -Release: 5%{?dist} +Release: 6%{?dist} Summary: An NTP client/server License: GPLv2 @@ -194,6 +194,10 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Oct 09 2019 Miroslav Lichvar 3.5-6 +- drop timedatex recommendation +- verify upstream signatures + * Thu Aug 22 2019 Lubomir Rintel - 3.5-5 - Move the NetworkManager dispatcher script out of /etc From 1e0baf8ccbb1fe587a5864ef53e7513851a4113a Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 20 Jan 2020 12:19:21 +0100 Subject: [PATCH 010/137] fix testing with new glibc (#1792854) --- .gitignore | 2 +- chrony-packettest.patch | 25 +++++++++++++++++++++++++ chrony.spec | 5 ++++- sources | 2 +- 4 files changed, 31 insertions(+), 3 deletions(-) create mode 100644 chrony-packettest.patch diff --git a/.gitignore b/.gitignore index dc37315..db535c0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ /chrony-3.5.tar.gz /chrony-3.5-tar-gz-asc.txt -/clknetsim-3f5ef9.tar.gz +/clknetsim-79ffe4.tar.gz diff --git a/chrony-packettest.patch b/chrony-packettest.patch new file mode 100644 index 0000000..ff1e207 --- /dev/null +++ b/chrony-packettest.patch @@ -0,0 +1,25 @@ +commit 62d6aed6a64b887c9e3b7f03d9e0db1deaa2696a +Author: Miroslav Lichvar +Date: Tue Jun 18 15:41:50 2019 +0200 + + test: update processing of packet log + + Two new fields have been added to the packet log, which broke some + of the simulation tests. + +diff --git a/test/simulation/test.common b/test/simulation/test.common +index 951a794b..8ed6ad9e 100644 +--- a/test/simulation/test.common ++++ b/test/simulation/test.common +@@ -391,9 +391,9 @@ check_packet_port() { + for i in $(seq 1 $(get_chronyd_nodes)); do + test_message 3 0 "node $i:" + +- grep -E -q " $port [0-9]+\$" tmp/log.packets && \ ++ grep -E -q "^([0-9e.+-]+ ){5}$port " tmp/log.packets && \ + ! grep -E "^[0-9e.+-]+ $i " tmp/log.packets | \ +- grep -E -q -v " $port [0-9]+\$" && \ ++ grep -E -q -v "^([0-9e.+-]+ ){5}$port " && \ + test_ok || test_bad + [ $? -eq 0 ] || ret=1 + done diff --git a/chrony.spec b/chrony.spec index 2154987..3ef0a2f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 3f5ef9 +%global clknetsim_ver 79ffe4 %bcond_without debug Name: chrony 
@@ -22,6 +22,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add NTP servers from DHCP when starting service Patch2: chrony-service-helper.patch +# fix test suite to work with newer clknetsim +Patch3: chrony-packettest.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x @@ -54,6 +56,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch2 -p1 -b .service-helper +%patch3 -p1 -b .packettest %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} diff --git a/sources b/sources index 8257254..4cc2cf2 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (chrony-3.5.tar.gz) = c4f6376a44d71b6ac2b6d86e3d6fb4348642faeef7f3f3a4d6431627b5645efcc868b005cc398c8292bc3b63a1161fbd1a042c6ac2a0595843f908fe32eed90c SHA512 (chrony-3.5-tar-gz-asc.txt) = b66ccc22fb7ae2f0597b5e20705a71f0d7fabad396d6efc427f49247361a09e3b13e2af31460123451268268d663a181361769795758c4ee96ade2b24e31ba48 -SHA512 (clknetsim-3f5ef9.tar.gz) = 01eea027ec8289d1053236fcc9ee09a8411e5f68cb3279077e50d330169a1ba1284798a50786dbd94382444aeaa652e276b94668c7adf5be66e910f937a9e55d +SHA512 (clknetsim-79ffe4.tar.gz) = ae118c0e5fbb26d57489eba941b57593454bd41b714e305ed76f78b2eb469b59b6c14cd1781e8eda42895199294bb577ca3b6895a7d120d6b8dd6db4e08c1396 From b4ceda5f404d60000418d51bad351763feade25f Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 20 Jan 2020 12:21:29 +0100 Subject: [PATCH 011/137] 3.5-7 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 3ef0a2f..e85ae11 100644 --- a/chrony.spec +++ b/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5 -Release: 6%{?dist} +Release: 7%{?dist} Summary: An NTP client/server License: GPLv2 
@@ -197,6 +197,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Jan 20 2020 Miroslav Lichvar 3.5-7 +- fix testing with new glibc (#1792854) + * Wed Oct 09 2019 Miroslav Lichvar 3.5-6 - drop timedatex recommendation - verify upstream signatures From 680f8eded33449d4a2fd3bc5905883d408aa6ac2 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 28 Jan 2020 14:01:03 +0000 Subject: [PATCH 012/137] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index e85ae11..e102c8f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5 -Release: 7%{?dist} +Release: 8%{?dist} Summary: An NTP client/server License: GPLv2 @@ -197,6 +197,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jan 28 2020 Fedora Release Engineering - 3.5-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Mon Jan 20 2020 Miroslav Lichvar 3.5-7 - fix testing with new glibc (#1792854) From 127d88dd27178a4db73ca90a684552b8b9c9034f Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 16 Mar 2020 17:54:42 +0100 Subject: [PATCH 013/137] add missing dependency on coreutils --- chrony.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/chrony.spec b/chrony.spec index e102c8f..760e776 100644 --- a/chrony.spec +++ b/chrony.spec @@ -34,6 +34,9 @@ BuildRequires: gcc gcc-c++ bison systemd gnupg2 Requires(pre): shadow-utils %{?systemd_requires} +# required by chrony-helper +Requires: coreutils + # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 From eff127108e7a7fc922d09825b32c8b20c78c127c Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 16 Mar 2020 17:56:14 +0100 Subject: [PATCH 014/137] add net-tools to build requirements for testing --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 760e776..6aa30db 100644 --- a/chrony.spec +++ b/chrony.spec @@ -29,7 +29,7 @@ BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x BuildRequires: libseccomp-devel %endif -BuildRequires: gcc gcc-c++ bison systemd gnupg2 +BuildRequires: gcc gcc-c++ bison systemd gnupg2 net-tools Requires(pre): shadow-utils %{?systemd_requires} From 3292ab8a8e7ad9571d867e6dd3097c32aa20c45a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 17 Mar 2020 15:15:28 +0100 Subject: [PATCH 015/137] update to 4.0-pre1 --- .gitignore | 6 +++--- chrony-packettest.patch | 25 ------------------------- chrony.spec | 11 ++++++----- sources | 6 +++--- 4 files changed, 12 insertions(+), 36 deletions(-) delete mode 100644 chrony-packettest.patch diff --git a/.gitignore b/.gitignore index db535c0..cacea2e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-3.5.tar.gz -/chrony-3.5-tar-gz-asc.txt -/clknetsim-79ffe4.tar.gz +/chrony-4.0-pre1.tar.gz +/chrony-4.0-pre1-tar-gz-asc.txt +/clknetsim-09cbc3.tar.gz diff --git a/chrony-packettest.patch b/chrony-packettest.patch deleted file mode 100644 index ff1e207..0000000 --- a/chrony-packettest.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -commit 62d6aed6a64b887c9e3b7f03d9e0db1deaa2696a -Author: Miroslav Lichvar -Date: Tue Jun 18 15:41:50 2019 +0200 - - test: update processing of packet log - - Two new fields have been added to the packet log, which broke some - of the simulation tests. - -diff --git a/test/simulation/test.common b/test/simulation/test.common -index 951a794b..8ed6ad9e 100644 ---- a/test/simulation/test.common -+++ b/test/simulation/test.common -@@ -391,9 +391,9 @@ check_packet_port() { - for i in $(seq 1 $(get_chronyd_nodes)); do - test_message 3 0 "node $i:" - -- grep -E -q " $port [0-9]+\$" tmp/log.packets && \ -+ grep -E -q "^([0-9e.+-]+ ){5}$port " tmp/log.packets && \ - ! grep -E "^[0-9e.+-]+ $i " tmp/log.packets | \ -- grep -E -q -v " $port [0-9]+\$" && \ -+ grep -E -q -v "^([0-9e.+-]+ ){5}$port " && \ - test_ok || test_bad - [ $? -eq 0 ] || ret=1 - done diff --git a/chrony.spec b/chrony.spec index 6aa30db..d9026f6 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,9 +1,11 @@ %global _hardened_build 1 -%global clknetsim_ver 79ffe4 +%global prerelease -pre1 +%global clknetsim_ver 09cbc3 %bcond_without debug +%bcond_without nts Name: chrony -Version: 3.5 +Version: 4.0 Release: 8%{?dist} Summary: An NTP client/server @@ -22,14 +24,13 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add NTP servers from DHCP when starting service Patch2: chrony-service-helper.patch -# fix test suite to work with newer clknetsim -Patch3: chrony-packettest.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x BuildRequires: libseccomp-devel %endif BuildRequires: gcc gcc-c++ bison systemd gnupg2 net-tools +%{?with_nts:BuildRequires: gnutls-devel gnutls-utils} Requires(pre): shadow-utils %{?systemd_requires} 
@@ -59,7 +60,6 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch2 -p1 -b .service-helper -%patch3 -p1 -b .packettest %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -97,6 +97,7 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim %{?with_debug: --enable-debug} \ --enable-ntp-signd \ --enable-scfilter \ +%{!?with_nts: --disable-nts} \ --docdir=%{_docdir} \ --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \ --with-user=chrony \ diff --git a/sources b/sources index 4cc2cf2..3856e6a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-3.5.tar.gz) = c4f6376a44d71b6ac2b6d86e3d6fb4348642faeef7f3f3a4d6431627b5645efcc868b005cc398c8292bc3b63a1161fbd1a042c6ac2a0595843f908fe32eed90c -SHA512 (chrony-3.5-tar-gz-asc.txt) = b66ccc22fb7ae2f0597b5e20705a71f0d7fabad396d6efc427f49247361a09e3b13e2af31460123451268268d663a181361769795758c4ee96ade2b24e31ba48 -SHA512 (clknetsim-79ffe4.tar.gz) = ae118c0e5fbb26d57489eba941b57593454bd41b714e305ed76f78b2eb469b59b6c14cd1781e8eda42895199294bb577ca3b6895a7d120d6b8dd6db4e08c1396 +SHA512 (chrony-4.0-pre1.tar.gz) = 0b850d57fded23ac3cfe5907edb2a2b8441397a37575ce3b4af54f3b8f28ae7ae74f92926f619e4907a24d9bc10bb6b416bfe3ccc9d567720e3511d7f9513c59 +SHA512 (chrony-4.0-pre1-tar-gz-asc.txt) = 882ad890b500a4cfb2a33bd0804ccbe6548d415cad1ec21930957d55d2eec6a56647f909e928eba78da47d2227bfeeb9a6db1bb52dccbae24470a76a99b92cc5 +SHA512 (clknetsim-09cbc3.tar.gz) = 6910121e77bc4976b5b684d49cc376990f95275a27e73ecc1f7c50000f160a9e4f4a2faf6c6e2abfe566c557719a39a2dc1a4fffc5483024fe8d5dc2c4277d37 From 7c4c641397cd4cadc9b5231eb4a7b31cb129df3b Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 17 Mar 2020 15:19:06 +0100 Subject: [PATCH 016/137] 4.0-0.1.pre1 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index d9026f6..de07f89 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 8%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -201,6 +201,11 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Mar 17 2020 Miroslav Lichvar 4.0-0.1.pre1 +- update to 4.0-pre1 +- add net-tools to build requirements for testing +- add missing dependency on coreutils + * Tue Jan 28 2020 Fedora Release Engineering - 3.5-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 14baaf0f8f9a3c90183dd3e24090c49d3ee68585 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 18 Mar 2020 12:48:56 +0100 Subject: [PATCH 017/137] fix testing on ppc64le and s390x --- .gitignore | 2 +- chrony.spec | 4 ++-- sources | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index cacea2e..3fe0a7c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ /chrony-4.0-pre1.tar.gz /chrony-4.0-pre1-tar-gz-asc.txt -/clknetsim-09cbc3.tar.gz +/clknetsim-cbea2f.tar.gz diff --git a/chrony.spec b/chrony.spec index de07f89..6d3c675 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,6 @@ %global _hardened_build 1 %global prerelease -pre1 -%global clknetsim_ver 09cbc3 +%global clknetsim_ver cbea2f %bcond_without debug %bcond_without nts @@ -149,7 +149,7 @@ echo 'chronyd.service' > \ %check # set random seed to get deterministic results -export CLKNETSIM_RANDOM_SEED=24502 +export CLKNETSIM_RANDOM_SEED=24505 make %{?_smp_mflags} -C test/simulation/clknetsim make quickcheck diff --git a/sources b/sources index 3856e6a..25882ed 100644 --- a/sources +++ b/sources 
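Review bot: In `%check`, `CLKNETSIM_RANDOM_SEED` changes from 24502 to 24505 with no record of what failed, so a later reader cannot tell whether the new seed hides a platform-specific defect on ppc64le and s390x or only avoids a flaky simulation run. Extending the existing comment would keep that context next to the value, for example `# seed chosen so the simulation tests pass on ppc64le and s390x; see <bug or build log reference>`. The same commit also moves clknetsim to a new snapshot, so it is unclear from the hunk which of the two changes the fix depends on.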
@@ -1,3 +1,3 @@ SHA512 (chrony-4.0-pre1.tar.gz) = 0b850d57fded23ac3cfe5907edb2a2b8441397a37575ce3b4af54f3b8f28ae7ae74f92926f619e4907a24d9bc10bb6b416bfe3ccc9d567720e3511d7f9513c59 SHA512 (chrony-4.0-pre1-tar-gz-asc.txt) = 882ad890b500a4cfb2a33bd0804ccbe6548d415cad1ec21930957d55d2eec6a56647f909e928eba78da47d2227bfeeb9a6db1bb52dccbae24470a76a99b92cc5 -SHA512 (clknetsim-09cbc3.tar.gz) = 6910121e77bc4976b5b684d49cc376990f95275a27e73ecc1f7c50000f160a9e4f4a2faf6c6e2abfe566c557719a39a2dc1a4fffc5483024fe8d5dc2c4277d37 +SHA512 (clknetsim-cbea2f.tar.gz) = 75a82ecec352b2604477885cb091d61237bff2b2481eaa342b158cefa67c9e9dfe88bb49f01ff1b0d6b0636008a0da188de307af1ceab2c5e1456d7885b2fbe2 From 6e0c18861d4115d8250d11bb1200c71b28cdb769 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 20 Apr 2020 16:54:04 +0200 Subject: [PATCH 018/137] update to 4.0-pre2 --- .gitignore | 6 +++--- chrony.spec | 4 ++-- sources | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 3fe0a7c..2408c09 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.0-pre1.tar.gz -/chrony-4.0-pre1-tar-gz-asc.txt -/clknetsim-cbea2f.tar.gz +/chrony-4.0-pre2.tar.gz +/chrony-4.0-pre2-tar-gz-asc.txt +/clknetsim-0a5e99.tar.gz diff --git a/chrony.spec b/chrony.spec index 6d3c675..acf649f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,6 @@ %global _hardened_build 1 -%global prerelease -pre1 -%global clknetsim_ver cbea2f +%global prerelease -pre2 +%global clknetsim_ver 0a5e99 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 25882ed..a7cd1e3 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.0-pre1.tar.gz) = 0b850d57fded23ac3cfe5907edb2a2b8441397a37575ce3b4af54f3b8f28ae7ae74f92926f619e4907a24d9bc10bb6b416bfe3ccc9d567720e3511d7f9513c59 -SHA512 (chrony-4.0-pre1-tar-gz-asc.txt) = 882ad890b500a4cfb2a33bd0804ccbe6548d415cad1ec21930957d55d2eec6a56647f909e928eba78da47d2227bfeeb9a6db1bb52dccbae24470a76a99b92cc5 -SHA512 (clknetsim-cbea2f.tar.gz) = 75a82ecec352b2604477885cb091d61237bff2b2481eaa342b158cefa67c9e9dfe88bb49f01ff1b0d6b0636008a0da188de307af1ceab2c5e1456d7885b2fbe2 +SHA512 (chrony-4.0-pre2.tar.gz) = be3ca7c57c62c9ecf8d20d0b8d7b5a34ac455fb333be0587eabd5dfd7eebbcb3a3601ad161554a62098a9ca8d6530bee2900e9e7476bf477c3cb11907091dbd2 +SHA512 (chrony-4.0-pre2-tar-gz-asc.txt) = 81ab677d101c8fc08f24ef251281c4609cceef33b22fc6067d6961379b4700b2d00b308c21aa777d77a9f775dece0fd479f4f5736108938bd111a50b481519d7 +SHA512 (clknetsim-0a5e99.tar.gz) = 8e9c95a848624c65f2e391488c5c8de658117f16be9d9d67043397f126b3533f01d1a62348825fd1c51efe4683421cd72cd01c04774d9d0ff3953902b7a5515f From 069897be457899547d62a65bdbade35f73593c2d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 20 Apr 2020 16:54:25 +0200 Subject: [PATCH 019/137] 4.0-0.2.pre2 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index acf649f..86ff938 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 0.1.pre1%{?dist} +Release: 0.2.pre2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -201,6 +201,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Apr 20 2020 Miroslav Lichvar 4.0-0.2.pre2 +- update to 4.0-pre2 + * Tue Mar 17 2020 Miroslav Lichvar 4.0-0.1.pre1 - update to 4.0-pre1 - add net-tools to build requirements for testing From 58c7956c635459773f81b59f4a54b3385d8c42fb Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 4 May 2020 09:44:41 +0200 Subject: [PATCH 020/137] 4.0-0.3.pre2 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 86ff938..520043d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 0.2.pre2%{?dist} +Release: 0.3.pre2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -201,6 +201,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon May 04 2020 Miroslav Lichvar 4.0-0.3.pre2 +- rebuild for new nettle + * Mon Apr 20 2020 Miroslav Lichvar 4.0-0.2.pre2 - update to 4.0-pre2 From 26ef0d15b0dd7a74644af97652780a1646a1e1d3 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Mon, 13 Jul 2020 18:49:38 +0000 Subject: [PATCH 021/137] use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro --- chrony.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/chrony.spec b/chrony.spec index 520043d..3fa3af9 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 0.3.pre2%{?dist} +Release: 0.4.pre2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -103,10 +103,10 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-sendmail=%{_sbindir}/sendmail -make %{?_smp_mflags} +%make_build %install -make install DESTDIR=$RPM_BUILD_ROOT +%make_install rm -rf $RPM_BUILD_ROOT%{_docdir} @@ -150,7 +150,7 @@ echo 'chronyd.service' > \ %check # set random seed to get deterministic results export CLKNETSIM_RANDOM_SEED=24505 -make %{?_smp_mflags} -C test/simulation/clknetsim +%make_build -C test/simulation/clknetsim make quickcheck %pre 
@@ -201,6 +201,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Jul 13 2020 Tom Stellard 4.0-0.4.pre2 +- use make macros + * Mon May 04 2020 Miroslav Lichvar 4.0-0.3.pre2 - rebuild for new nettle From e041600a118a44bd768d317f3dd52768ccb29821 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Mon, 27 Jul 2020 13:57:34 +0000 Subject: [PATCH 022/137] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 3fa3af9..bfa76f9 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 0.4.pre2%{?dist} +Release: 0.5.pre2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -201,6 +201,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Jul 27 2020 Fedora Release Engineering - 4.0-0.5.pre2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Mon Jul 13 2020 Tom Stellard 4.0-0.4.pre2 - use make macros From 42541fd056c16d559649948819ed3f98366187df Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 1 Aug 2020 00:22:10 +0000 Subject: [PATCH 023/137] - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index bfa76f9..f5c2a6e 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 0.5.pre2%{?dist} +Release: 0.6.pre2%{?dist} Summary: An NTP client/server License: GPLv2 
@@ -201,6 +201,10 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Sat Aug 01 2020 Fedora Release Engineering - 4.0-0.6.pre2 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Mon Jul 27 2020 Fedora Release Engineering - 4.0-0.5.pre2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From 26e6c4a46d31ef4631d496f0f51d59ddba0caf28 Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Mon, 10 Aug 2020 14:51:17 -0600 Subject: [PATCH 024/137] Disable LTO on s390x for now --- chrony.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index f5c2a6e..5c15402 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 0.6.pre2%{?dist} +Release: 0.7.pre2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -93,6 +93,11 @@ rm -f getdate.c mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim %build +# This package fails its testsuite when LTO is enabled on s390x +# Disable LTO for now +%ifarch s390x +%define _lto_cflags %{nil} +%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ @@ -201,6 +206,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Aug 10 2020 Jeff Law - 4.0-0.7.pre2 +- Disable LTO on s390x + * Sat Aug 01 2020 Fedora Release Engineering - 4.0-0.6.pre2 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From 304dad1ba3e72da305a7b746c29472565798fa15 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 25 Aug 2020 12:59:37 +0200 Subject: [PATCH 025/137] update to 4.0-pre3 --- .gitignore | 6 +++--- chrony.spec | 10 +++++----- sources | 6 +++--- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.gitignore b/.gitignore index 2408c09..5cd8862 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,3 +1,3 @@ -/chrony-4.0-pre2.tar.gz -/chrony-4.0-pre2-tar-gz-asc.txt -/clknetsim-0a5e99.tar.gz +/chrony-4.0-pre3.tar.gz +/chrony-4.0-pre3-tar-gz-asc.txt +/clknetsim-c4ccc2.tar.gz diff --git a/chrony.spec b/chrony.spec index 5c15402..4640e4b 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,6 @@ %global _hardened_build 1 -%global prerelease -pre2 -%global clknetsim_ver 0a5e99 +%global prerelease -pre3 +%global clknetsim_ver c4ccc2 %bcond_without debug %bcond_without nts @@ -66,10 +66,10 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 47ad7eccc410b981d2f2101cf5682616 examples/chrony-wait.service - e473a9fab7fe200cacce3dca8b66290b examples/chrony.conf.example2 + dcad37a5f1aae2d2ea7b935f279e0eca examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - 8748a663f0b1943ea491858f414a6b26 examples/chrony.nm-dispatcher + 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline b23bcc3bd78e195ca2849459e459f3ed examples/chronyd.service EOF @@ -133,7 +133,7 @@ install -m 644 -p examples/chrony.logrotate \ install -m 644 -p examples/chronyd.service \ $RPM_BUILD_ROOT%{_unitdir}/chronyd.service -install -m 755 -p examples/chrony.nm-dispatcher \ +install -m 755 -p examples/chrony.nm-dispatcher.onoffline \ $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service diff --git a/sources b/sources index a7cd1e3..d606734 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.0-pre2.tar.gz) = be3ca7c57c62c9ecf8d20d0b8d7b5a34ac455fb333be0587eabd5dfd7eebbcb3a3601ad161554a62098a9ca8d6530bee2900e9e7476bf477c3cb11907091dbd2 -SHA512 (chrony-4.0-pre2-tar-gz-asc.txt) = 81ab677d101c8fc08f24ef251281c4609cceef33b22fc6067d6961379b4700b2d00b308c21aa777d77a9f775dece0fd479f4f5736108938bd111a50b481519d7 -SHA512 (clknetsim-0a5e99.tar.gz) = 8e9c95a848624c65f2e391488c5c8de658117f16be9d9d67043397f126b3533f01d1a62348825fd1c51efe4683421cd72cd01c04774d9d0ff3953902b7a5515f +SHA512 (chrony-4.0-pre3.tar.gz) = e52f2454b0cbe60ab7c8975deba499f1ff2e84cd1c3d0a0fb208f11f12ca762f2d0cd74af7aacc8022e628cdeaa4ac388fdd134715cc3e274b3818d5c12da460 +SHA512 (chrony-4.0-pre3-tar-gz-asc.txt) = 3f08c7c99697de17948b3a6bac137e8eb943e8819ffecd7c6dec4e9c645957bd34051343782fed0d973a7d8a2e50435e5ac0a5f531514fe291adb003719bf3e2 +SHA512 (clknetsim-c4ccc2.tar.gz) = d2f71b2036e33ee92cd3590079dac04bc57bf2e9909f11e9ba66cd61c9946e92d2ebbdfd03c359cf39c6c8c07b28557d35fee3cb57eec75f5b1201858aa1d701 From 0ecc1e4fe9727fcf53fd57d51e8e9c6c9e1fb015 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 25 Aug 2020 15:10:11 +0200 Subject: [PATCH 026/137] switch to sourcedir directive for loading servers from DHCP Drop the chrony-helper script in favor of the new sourcedir directive. Modify the dhclient script to save NTP servers from DHCP to /run/chrony-dhcp/$interface.sources and configure chronyd to (re)load the sources from files in that directory on start and the "reload sources" command. Other functionality of the helper script is dropped with no replacemement. --- chrony-service-helper.patch | 11 -- chrony.dhclient | 10 +- chrony.helper | 265 ------------------------------------ chrony.spec | 25 ++-- 4 files changed, 19 insertions(+), 292 deletions(-) delete mode 100644 chrony-service-helper.patch delete mode 100644 chrony.helper diff --git a/chrony-service-helper.patch b/chrony-service-helper.patch deleted file mode 100644 index 6376e0b..0000000 
--- a/chrony-service-helper.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up chrony-3.5/examples/chronyd.service.service-helper chrony-3.5/examples/chronyd.service ---- chrony-3.5/examples/chronyd.service.service-helper 2019-05-10 12:22:57.000000000 +0200 -+++ chrony-3.5/examples/chronyd.service 2019-05-14 13:42:38.069516800 +0200 -@@ -10,6 +10,7 @@ Type=forking - PIDFile=/run/chrony/chronyd.pid - EnvironmentFile=-/etc/sysconfig/chronyd - ExecStart=/usr/sbin/chronyd $OPTIONS -+ExecStartPost=/usr/libexec/chrony-helper update-daemon - PrivateTmp=yes - ProtectHome=yes - ProtectSystem=full diff --git a/chrony.dhclient b/chrony.dhclient index be17e2a..92fa4fa 100644 --- a/chrony.dhclient +++ b/chrony.dhclient @@ -1,20 +1,22 @@ #!/bin/bash -SERVERFILE=$SAVEDIR/chrony.servers.$interface +CHRONY_SOURCEDIR=/run/chrony-dhcp +SERVERFILE=$CHRONY_SOURCEDIR/$interface.sources chrony_config() { rm -f "$SERVERFILE" if [ "$PEERNTP" != "no" ]; then + mkdir -p $CHRONY_SOURCEDIR for server in $new_ntp_servers; do - echo "$server ${NTPSERVERARGS:-iburst}" >> "$SERVERFILE" + echo "server $server ${NTPSERVERARGS:-iburst}" >> "$SERVERFILE" done - /usr/libexec/chrony-helper update-daemon || : + /usr/bin/chronyc reload sources > /dev/null 2>&1 || : fi } chrony_restore() { if [ -f "$SERVERFILE" ]; then rm -f "$SERVERFILE" - /usr/libexec/chrony-helper update-daemon || : + /usr/bin/chronyc reload sources > /dev/null 2>&1 || : fi } diff --git a/chrony.helper b/chrony.helper deleted file mode 100644 index 95414af..0000000 --- a/chrony.helper +++ /dev/null 
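Review bot: In chrony_config the new `mkdir -p $CHRONY_SOURCEDIR` is unquoted and its result is never checked, so when the directory cannot be created every `>> "$SERVERFILE"` append fails and `chronyc reload sources` still runs with its output discarded. I would write `mkdir -p "$CHRONY_SOURCEDIR" || return` there. The tokens of `$new_ntp_servers`, which dhclient fills from the lease, are now written straight into a file that chronyd loads, and the unquoted `for` expansion is also subject to pathname expansion. A guard such as `case $server in *[!0-9A-Za-z.:-]*) continue ;; esac` before the `echo` would keep anything that is not an address or hostname out of the file.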
@@ -1,265 +0,0 @@ -#!/bin/bash -# This script configures running chronyd to use NTP servers obtained from -# DHCP and _ntp._udp DNS SRV records. Files with servers from DHCP are managed -# externally (e.g. by a dhclient script). Files with servers from DNS SRV -# records are updated here using the dig utility. The script can also list -# and set static sources in the chronyd configuration file. - -chronyc=/usr/bin/chronyc -chrony_conf=/etc/chrony.conf -chrony_service=chronyd.service -helper_dir=/var/run/chrony-helper -added_servers_file=$helper_dir/added_servers - -network_sysconfig_file=/etc/sysconfig/network -dhclient_servers_files="/var/lib/dhclient/chrony.servers.*" -dnssrv_servers_files="$helper_dir/dnssrv@*" -dnssrv_timer_prefix=chrony-dnssrv@ - -. $network_sysconfig_file &> /dev/null - -chrony_command() { - $chronyc -a -n -m "$1" -} - -is_running() { - chrony_command "tracking" &> /dev/null -} - -get_servers_files() { - [ "$PEERNTP" != "no" ] && echo "$dhclient_servers_files" - echo "$dnssrv_servers_files" -} - -is_update_needed() { - for file in $(get_servers_files) $added_servers_file; do - [ -e "$file" ] && return 0 - done - return 1 -} - -update_daemon() { - local all_servers_with_args all_servers added_servers - - if ! 
is_running; then - rm -f $added_servers_file - return 0 - fi - - all_servers_with_args=$(cat $(get_servers_files) 2> /dev/null) - - all_servers=$( - echo "$all_servers_with_args" | - while read -r server serverargs; do - echo "$server" - done | sort -u) - added_servers=$( ( - cat $added_servers_file 2> /dev/null - echo "$all_servers_with_args" | - while read -r server serverargs; do - [ -z "$server" ] && continue - chrony_command "add server $server $serverargs" &> /dev/null && - echo "$server" - done) | sort -u) - - comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") | - while read -r server; do - chrony_command "delete $server" &> /dev/null - done - - added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers")) - - if [ -n "$added_servers" ]; then - echo "$added_servers" > $added_servers_file - else - rm -f $added_servers_file - fi -} - -get_dnssrv_servers() { - local name=$1 output - - if ! command -v dig &> /dev/null; then - echo "Missing dig (DNS lookup utility)" >&2 - return 1 - fi - - output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null) || return 0 - - echo "$output" | while read -r _ _ port target; do - server=${target%.} - [ -z "$server" ] && continue - echo "$server port $port ${NTPSERVERARGS:-iburst}" - done -} - -check_dnssrv_name() { - local name=$1 - - if [ -z "$name" ]; then - echo "No DNS SRV name specified" >&2 - return 1 - fi - - if [ "${name:0:9}" != _ntp._udp ]; then - echo "DNS SRV name $name doesn't start with _ntp._udp" >&2 - return 1 - fi -} - -update_dnssrv_servers() { - local name=$1 - local srv_file=$helper_dir/dnssrv@$name servers - - check_dnssrv_name "$name" || return 1 - - servers=$(get_dnssrv_servers "$name") - if [ -n "$servers" ]; then - echo "$servers" > "$srv_file" - else - rm -f "$srv_file" - fi -} - -set_dnssrv_timer() { - local state=$1 name=$2 - local srv_file=$helper_dir/dnssrv@$name servers - local timer - - timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer || return 1 - - 
check_dnssrv_name "$name" || return 1 - - if [ "$state" = enable ]; then - systemctl enable "$timer" - systemctl start "$timer" - elif [ "$state" = disable ]; then - systemctl stop "$timer" - systemctl disable "$timer" - rm -f "$srv_file" - fi -} - -list_dnssrv_timers() { - systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \ - sed "s|^$dnssrv_timer_prefix\(.*\)\.timer.*|\1|" | - while read -r name; do - systemd-escape --unescape "$name" - done -} - -prepare_helper_dir() { - mkdir -p $helper_dir - exec 100> $helper_dir/lock - if ! flock -w 20 100; then - echo "Failed to lock $helper_dir" >&2 - return 1 - fi -} - -is_source_line() { - local pattern="^[ \t]*(server|pool|peer|refclock)[ \t]+[^ \t]+" - [[ "$1" =~ $pattern ]] -} - -list_static_sources() { - while read -r line; do - if is_source_line "$line"; then - echo "$line" - fi - done < $chrony_conf -} - -set_static_sources() { - local new_config tmp_conf - - new_config=$( - sources=$( - while read -r line; do - is_source_line "$line" && echo "$line" - done) - - while read -r line; do - if ! 
is_source_line "$line"; then - echo "$line" - continue - fi - - tmp_sources=$( - local removed=0 - - echo "$sources" | while read -r line2; do - if [ "$removed" -ne 0 ] || [ "$line" != "$line2" ]; then - echo "$line2" - else - removed=1 - fi - done) - - [ "$sources" == "$tmp_sources" ] && continue - sources=$tmp_sources - echo "$line" - done < $chrony_conf - - echo "$sources" - ) - - tmp_conf=${chrony_conf}.tmp - - cp -a $chrony_conf $tmp_conf && - echo "$new_config" > $tmp_conf && - mv $tmp_conf $chrony_conf || return 1 - - systemctl try-restart $chrony_service -} - -print_help() { - echo "Usage: $0 COMMAND" - echo - echo "Commands:" - echo " update-daemon" - echo " update-dnssrv-servers NAME" - echo " enable-dnssrv NAME" - echo " disable-dnssrv NAME" - echo " list-dnssrv" - echo " list-static-sources" - echo " set-static-sources < sources.list" - echo " is-running" - echo " command CHRONYC-COMMAND" -} - -case "$1" in - update-daemon|add-dhclient-servers|remove-dhclient-servers) - is_update_needed || exit 0 - prepare_helper_dir && update_daemon - ;; - update-dnssrv-servers) - prepare_helper_dir && update_dnssrv_servers "$2" && update_daemon - ;; - enable-dnssrv) - set_dnssrv_timer enable "$2" - ;; - disable-dnssrv) - set_dnssrv_timer disable "$2" && prepare_helper_dir && update_daemon - ;; - list-dnssrv) - list_dnssrv_timers - ;; - list-static-sources) - list_static_sources - ;; - set-static-sources) - set_static_sources - ;; - is-running) - is_running - ;; - command|forced-command) - chrony_command "$2" - ;; - *) - print_help - exit 2 -esac - -exit $? diff --git a/chrony.spec b/chrony.spec index 4640e4b..e0a9cb5 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -15,16 +15,12 @@ Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerel Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt Source2: https://chrony.tuxfamily.org/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc Source3: chrony.dhclient -Source4: chrony.helper Source5: chrony-dnssrv@.service Source6: chrony-dnssrv@.timer # simulator for test suite Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} -# add NTP servers from DHCP when starting service -Patch2: chrony-service-helper.patch - BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x BuildRequires: libseccomp-devel @@ -35,9 +31,6 @@ BuildRequires: gcc gcc-c++ bison systemd gnupg2 net-tools Requires(pre): shadow-utils %{?systemd_requires} -# required by chrony-helper -Requires: coreutils - # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 @@ -59,7 +52,6 @@ service to other computers in the network. %{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0} %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} -%patch2 -p1 -b .service-helper %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -70,7 +62,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline - b23bcc3bd78e195ca2849459e459f3ed examples/chronyd.service + 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service EOF # don't allow packaging without vendor zone 
@@ -80,9 +72,11 @@ test -n "%{vendorzone}" # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses) # - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata # - enable keyfile +# - use NTP servers from DHCP sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ -e 's|#\(leapsectz\)|\1|' \ -e 's|#\(keyfile\)|\1|' \ + -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \ < examples/chrony.conf.example2 > chrony.conf touch -r examples/chrony.conf.example2 chrony.conf @@ -140,8 +134,6 @@ install -m 644 -p examples/chrony-wait.service \ install -m 644 -p %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.service install -m 644 -p %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.timer -install -m 755 -p %{SOURCE4} $RPM_BUILD_ROOT%{_libexecdir}/chrony-helper - cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < /dev/null || \ + echo -e '\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp' >> \ + %{_sysconfdir}/chrony.conf + mkdir -p /run/chrony-dhcp + for f in %{_localstatedir}/lib/dhclient/chrony.servers.*; do + sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources" + done 2> /dev/null +fi %systemd_post chronyd.service chrony-wait.service %preun @@ -194,7 +196,6 @@ fi %{_sysconfdir}/dhcp/dhclient.d/chrony.sh %{_bindir}/chronyc %{_sbindir}/chronyd -%{_libexecdir}/chrony-helper %{_prefix}/lib/NetworkManager %{_prefix}/lib/systemd/ntp-units.d/*.list %{_unitdir}/chrony*.service From 9bae83fd8045e6a4351e7021586e53ee8de5c8bf Mon Sep 17 00:00:00 2001 
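Review bot: The comment this hunk injects into the packaged chrony.conf, `# Use NTP servers from DHCP.`, gives an administrator no hint that those servers are taken from DHCP replies, which are not authenticated, or that the behaviour can be switched off. I would have the new `-e 's|^pool.*pool.ntp.org.*|…|'` expression write `# Use NTP servers from DHCP (not authenticated; PEERNTP=no disables this).` instead, since chrony.dhclient in this commit already honours `PEERNTP`. The `echo -e` in the %post migration further down writes the same comment and should carry the same wording.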
From: Robert Fairley Date: Fri, 26 Jun 2020 00:56:53 +0000 Subject: [PATCH 027/137] patch DHCP NM dispatcher for distribution Patch the upstream example `nm-dispatcher.dhcp` with Fedora/RHEL-specific behavior including exiting if a dhclient install is detected, and using the /etc/sysconfig paths. Originally part of work for fixing integration between the NetworkManager internal DHCP client and chrony: https://bugzilla.redhat.com/show_bug.cgi?id=1800901 --- chrony-nm-dispatcher-dhcp.patch | 52 +++++++++++++++++++++++++++++++++ chrony.spec | 10 ++++++- 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 chrony-nm-dispatcher-dhcp.patch diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch new file mode 100644 index 0000000..b183f5c --- /dev/null +++ b/chrony-nm-dispatcher-dhcp.patch 
@@ -0,0 +1,52 @@ +From e0c6457fd42252f88ec60d16582b7b6e6fb04f41 Mon Sep 17 00:00:00 2001 +From: Robert Fairley +Date: Wed, 17 Jun 2020 10:14:19 -0400 +Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig, detect dhclient + +Use the PEERNTP and NTPSERVERARGS environment variables from +/etc/sysconfig/network{-scripts}. Detect a dhclient install to avoid a +redundant operation with the 11-dhclient NM dispatcher in the +dhcp-client package. +--- + examples/chrony.nm-dispatcher.dhcp | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp +index 6ea4c37..878e72f 100644 +--- a/examples/chrony.nm-dispatcher.dhcp ++++ b/examples/chrony.nm-dispatcher.dhcp +@@ -6,6 +6,11 @@ + + export LC_ALL=C + ++# If a dhclient installation is present, avoid a redundant operation ++# with dhclient which handles NTP server config through its own ++# NetworkManager dispatcher script 11-dhclient. ++[ -e /usr/sbin/dhclient ] && exit 0 ++ + interface=$1 + action=$2 + +@@ -17,10 +22,18 @@ dhcp_server_file=$server_dir/$interface.sources + # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. + nm_dhcp_servers=$DHCP4_NTP_SERVERS + ++[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network ++[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \ ++ . /etc/sysconfig/network-scripts/ifcfg-"${interface}" ++ + add_servers_from_dhcp() { + rm -f "$dhcp_server_file" ++ ++ # Don't add NTP servers if PEERNTP=no specified; return early. ++ [ "$PEERNTP" = "no" ] && return ++ + for server in $nm_dhcp_servers; do +- echo "server $server $default_server_options" >> "$dhcp_server_file" ++ echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file" + done + $chronyc reload sources > /dev/null 2>&1 || : + } +-- +2.26.2 + diff --git a/chrony.spec b/chrony.spec index e0a9cb5..c585c2d 100644 --- a/chrony.spec +++ b/chrony.spec 
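Review bot: The added `. /etc/sysconfig/network` and `. /etc/sysconfig/network-scripts/ifcfg-"${interface}"` lines run after `interface`, `action`, `dhcp_server_file` and `nm_dhcp_servers` are set, so an assignment to any of those names in the sourced files replaces the script's value before `add_servers_from_dhcp` removes and rewrites `$dhcp_server_file`. Only `PEERNTP` and `NTPSERVERARGS` are wanted from them; moving both lines above `interface=$1` and testing `ifcfg-"$1"` there keeps the script's own variables authoritative. A short comment such as `# sourced for PEERNTP and NTPSERVERARGS only` would record that intent. The rest of the dispatcher script lies outside the inner patch's hunks, so how `add_servers_from_dhcp` is invoked is not visible here.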
@@ -21,6 +21,10 @@ Source6: chrony-dnssrv@.timer Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} +# add Fedora/RHEL-specific bits to DHCP dispatcher, including +# deferring to dhclient if installled, and using /etc/sysconfig +Patch1: chrony-nm-dispatcher-dhcp.patch + BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x BuildRequires: libseccomp-devel @@ -52,6 +56,7 @@ service to other computers in the network. %{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0} %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} +%patch1 -p1 -b .nm-dispatcher-dhcp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -61,6 +66,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') dcad37a5f1aae2d2ea7b935f279e0eca examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate + 63aa1412fd9044bde26475e4a9770fbf examples/chrony.nm-dispatcher.dhcp 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service EOF 
@@ -128,7 +134,9 @@ install -m 644 -p examples/chrony.logrotate \ install -m 644 -p examples/chronyd.service \ $RPM_BUILD_ROOT%{_unitdir}/chronyd.service install -m 755 -p examples/chrony.nm-dispatcher.onoffline \ - $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony + $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline +install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ + $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service install -m 644 -p %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.service From 3b687e3ada30a24d0609d0e8950ef5d8781c6d2c Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 25 Aug 2020 15:59:13 +0200 Subject: [PATCH 028/137] drop old migration code from scriptlet --- chrony.spec | 8 -------- 1 file changed, 8 deletions(-) diff --git a/chrony.spec b/chrony.spec index c585c2d..c3580fa 100644 --- a/chrony.spec +++ b/chrony.spec @@ -165,14 +165,6 @@ getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \ : %post -# fix PIDFile in local chronyd.service on upgrades from chrony < 3.3-2 -if grep -q 'PIDFile=%{_localstatedir}/run/chronyd.pid' \ - %{_sysconfdir}/systemd/system/chronyd.service 2> /dev/null && \ - ! grep -qi '^[ '$'\t'']*pidfile' %{_sysconfdir}/chrony.conf 2> /dev/null -then - sed -i '/PIDFile=/s|/run/|/run/chrony/|' \ - %{_sysconfdir}/systemd/system/chronyd.service -fi # workaround for late reload of unit file (#1614751) %{_bindir}/systemctl daemon-reload # migrate from chrony-helper to sourcedir directive From 4578c8d659f1affd76bea36593dbceda1099d105 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 26 Aug 2020 09:30:32 +0200 Subject: [PATCH 029/137] move default paths in /var/run to /run --- chrony-nm-dispatcher-dhcp.patch | 12 ++++++++++++ chrony.spec | 4 +++- 2 files changed, 15 insertions(+), 1 deletion(-) 
diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch index b183f5c..afb56cf 100644 --- a/chrony-nm-dispatcher-dhcp.patch +++ b/chrony-nm-dispatcher-dhcp.patch @@ -50,3 +50,15 @@ index 6ea4c37..878e72f 100644 -- 2.26.2 +diff -up chrony-4.0-pre3/examples/chrony.nm-dispatcher.dhcp.nm-dispatcher-dhcp chrony-4.0-pre3/examples/chrony.nm-dispatcher.dhcp +--- chrony-4.0-pre3/examples/chrony.nm-dispatcher.dhcp.nm-dispatcher-dhcp 2020-08-26 09:27:47.076282468 +0200 ++++ chrony-4.0-pre3/examples/chrony.nm-dispatcher.dhcp 2020-08-26 09:27:51.847297974 +0200 +@@ -16,7 +16,7 @@ action=$2 + + chronyc=/usr/bin/chronyc + default_server_options=iburst +-server_dir=/var/run/chrony-dhcp ++server_dir=/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources + # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. diff --git a/chrony.spec b/chrony.spec index c3580fa..be54d76 100644 --- a/chrony.spec +++ b/chrony.spec @@ -66,7 +66,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') dcad37a5f1aae2d2ea7b935f279e0eca examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - 63aa1412fd9044bde26475e4a9770fbf examples/chrony.nm-dispatcher.dhcp + e051740bb4b21e2e12e6dc63f5195c48 examples/chrony.nm-dispatcher.dhcp 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service EOF @@ -103,10 +103,12 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim --enable-ntp-signd \ --enable-scfilter \ %{!?with_nts: --disable-nts} \ + --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \ --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ + --with-pidfile=/run/chrony/chronyd.pid \ --with-sendmail=%{_sbindir}/sendmail %make_build From 8b2e77bb85332fbf8288a3d596a756c87a873aac Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 26 Aug 2020 09:12:47 +0200 Subject: [PATCH 030/137] 4.0-0.8.pre3 --- chrony.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index be54d76..94331dc 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 0.7.pre2%{?dist} +Release: 0.8.pre3%{?dist} Summary: An NTP client/server License: GPLv2 @@ -209,6 +209,14 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 26 2020 Miroslav Lichvar 4.0-0.8.pre3 +- update to 4.0-pre3 +- switch to sourcedir directive for loading servers from DHCP +- add NetworkManager dispatcher script to save servers from DHCP when + dhclient is not installed (Robert Fairley) +- drop old migration code from scriptlet +- move default paths in /var/run to /run + * Mon Aug 10 2020 Jeff Law - 4.0-0.7.pre2 - Disable LTO on s390x From 252f14c474d17af6d6cb804a862046cead6dd8e0 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 16 Sep 2020 12:36:57 +0200 Subject: [PATCH 031/137] update to 4.0-pre4 --- .gitignore | 4 ++-- chrony.spec | 4 ++-- sources | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 5cd8862..d15e044 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.0-pre3.tar.gz -/chrony-4.0-pre3-tar-gz-asc.txt +/chrony-4.0-pre4.tar.gz +/chrony-4.0-pre4-tar-gz-asc.txt /clknetsim-c4ccc2.tar.gz diff --git a/chrony.spec b/chrony.spec index 94331dc..5ebf44c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,5 @@ %global _hardened_build 1 -%global prerelease -pre3 +%global prerelease -pre4 %global clknetsim_ver c4ccc2 %bcond_without debug %bcond_without nts 
@@ -62,7 +62,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - 47ad7eccc410b981d2f2101cf5682616 examples/chrony-wait.service + bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service dcad37a5f1aae2d2ea7b935f279e0eca examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate diff --git a/sources b/sources index d606734..6d66ea9 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.0-pre3.tar.gz) = e52f2454b0cbe60ab7c8975deba499f1ff2e84cd1c3d0a0fb208f11f12ca762f2d0cd74af7aacc8022e628cdeaa4ac388fdd134715cc3e274b3818d5c12da460 -SHA512 (chrony-4.0-pre3-tar-gz-asc.txt) = 3f08c7c99697de17948b3a6bac137e8eb943e8819ffecd7c6dec4e9c645957bd34051343782fed0d973a7d8a2e50435e5ac0a5f531514fe291adb003719bf3e2 +SHA512 (chrony-4.0-pre4.tar.gz) = 81471682b091851f79dfe08315a016c01199b850a1cc6289a3f3d6f56df2ab415266e156900f2e9d60804197097ff8bb89bf7c8072a90a05d6f257b5368e5939 +SHA512 (chrony-4.0-pre4-tar-gz-asc.txt) = 016ac5ddbd41eeb13cfc210dc33b66fce320a5e0b612112068379b07926e023e045b5f53dbdf1d274f1f5635d6bddd640f37166301526c62bd6496c0f3228c25 SHA512 (clknetsim-c4ccc2.tar.gz) = d2f71b2036e33ee92cd3590079dac04bc57bf2e9909f11e9ba66cd61c9946e92d2ebbdfd03c359cf39c6c8c07b28557d35fee3cb57eec75f5b1201858aa1d701 From 960e995c5386ff6388877ac32ab0627ce9c35050 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 16 Sep 2020 12:54:51 +0200 Subject: [PATCH 032/137] 4.0-0.9.pre3 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 5ebf44c..999b792 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.0 -Release: 0.8.pre3%{?dist} +Release: 0.9.pre4%{?dist} Summary: An NTP client/server License: GPLv2 
@@ -209,6 +209,9 @@ fi %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Sep 16 2020 Miroslav Lichvar 4.0-0.9.pre4 +- update to 4.0-pre4 + * Wed Aug 26 2020 Miroslav Lichvar 4.0-0.8.pre3 - update to 4.0-pre3 - switch to sourcedir directive for loading servers from DHCP From 1fd00dcac38b25b55cda0a6af9968d450642fca9 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 24 Sep 2020 11:12:47 +0200 Subject: [PATCH 033/137] update directory permissions to follow upstream --- chrony.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chrony.spec b/chrony.spec index 999b792..c39e3a4 100644 --- a/chrony.spec +++ b/chrony.spec @@ -203,10 +203,10 @@ fi %{_unitdir}/chrony*.service %{_unitdir}/chrony*.timer %{_mandir}/man[158]/%{name}*.[158]* -%dir %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony +%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc -%dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony +%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog * Wed Sep 16 2020 Miroslav Lichvar 4.0-0.9.pre4 From 2baf9594abc1e0ed67a72e7be9d13e3f5ff1af9b Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 7 Oct 2020 18:33:19 +0200 Subject: [PATCH 034/137] update to 4.0 --- .gitignore | 4 ++-- chrony.spec | 3 +-- sources | 4 ++-- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index d15e044..e4a6ac3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.0-pre4.tar.gz -/chrony-4.0-pre4-tar-gz-asc.txt +/chrony-4.0.tar.gz +/chrony-4.0-tar-gz-asc.txt /clknetsim-c4ccc2.tar.gz diff --git a/chrony.spec b/chrony.spec index c39e3a4..996bb39 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,4 @@ %global _hardened_build 1 -%global prerelease -pre4 %global clknetsim_ver c4ccc2 %bcond_without debug %bcond_without nts 
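Review bot: The two `%dir` entries in the `%files` hunk of "update directory permissions to follow upstream" now pin mode 750, but nothing in the spec records why. The `%ghost` entries for `drift` and `rtc` between them still use `%attr(-,chrony,chrony)`, so their protection rests on the parent directory alone. A short comment above the first entry would make the intent reviewable, for example `# state and log directories are not accessible to others (same mode as upstream)`. Because the mode is now part of the package, an upgrade will presumably reset directories an administrator had opened up, which is worth stating in the changelog entry that ships this change.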
@@ -63,7 +62,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service - dcad37a5f1aae2d2ea7b935f279e0eca examples/chrony.conf.example2 + 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate e051740bb4b21e2e12e6dc63f5195c48 examples/chrony.nm-dispatcher.dhcp diff --git a/sources b/sources index 6d66ea9..96eabab 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.0-pre4.tar.gz) = 81471682b091851f79dfe08315a016c01199b850a1cc6289a3f3d6f56df2ab415266e156900f2e9d60804197097ff8bb89bf7c8072a90a05d6f257b5368e5939 -SHA512 (chrony-4.0-pre4-tar-gz-asc.txt) = 016ac5ddbd41eeb13cfc210dc33b66fce320a5e0b612112068379b07926e023e045b5f53dbdf1d274f1f5635d6bddd640f37166301526c62bd6496c0f3228c25 +SHA512 (chrony-4.0.tar.gz) = a1c11a386c43f495910f7f2e9b5fbb1652c3631471d182b9b8203dfef98611d11535ad547a879856551263aed0ae2e30e4135b8ed89553684706166bc1c725c9 +SHA512 (chrony-4.0-tar-gz-asc.txt) = c3156d91f4fdb6f9e2fdbc83b1399afb0ecdfa9b7bc92648c5bce477c3f0f921d2a13aa21ac6c281f18b008c60f08e3db6d82b642b646f064aea1dbe19295c4c SHA512 (clknetsim-c4ccc2.tar.gz) = d2f71b2036e33ee92cd3590079dac04bc57bf2e9909f11e9ba66cd61c9946e92d2ebbdfd03c359cf39c6c8c07b28557d35fee3cb57eec75f5b1201858aa1d701 From 38e248d3375971d1b61e17b0daedf7537f98dc97 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 7 Oct 2020 18:33:52 +0200 Subject: [PATCH 035/137] 4.0-1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 996bb39..3e42b2c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -5,7 +5,7 @@ Name: chrony Version: 4.0 -Release: 0.9.pre4%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 
@@ -208,6 +208,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Oct 07 2020 Miroslav Lichvar 4.0-1 +- update to 4.0 +- update directory permissions to follow upstream + * Wed Sep 16 2020 Miroslav Lichvar 4.0-0.9.pre4 - update to 4.0-pre4 From 0fb07c271c53829807e884a0a9c15e2cc53f954d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 4 Nov 2020 15:51:41 +0100 Subject: [PATCH 036/137] drop dnssrv service and timer They no longer work as they rely on the chrony-helper script, which was dropped in 4.0-1. --- chrony-dnssrv@.service | 8 -------- chrony-dnssrv@.timer | 9 --------- chrony.spec | 5 ----- 3 files changed, 22 deletions(-) delete mode 100644 chrony-dnssrv@.service delete mode 100644 chrony-dnssrv@.timer diff --git a/chrony-dnssrv@.service b/chrony-dnssrv@.service deleted file mode 100644 index 139ed28..0000000 --- a/chrony-dnssrv@.service +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=DNS SRV lookup of %I for chrony -After=chronyd.service network-online.target -Wants=network-online.target - -[Service] -Type=oneshot -ExecStart=/usr/libexec/chrony-helper update-dnssrv-servers %I diff --git a/chrony-dnssrv@.timer b/chrony-dnssrv@.timer deleted file mode 100644 index 8495e01..0000000 --- a/chrony-dnssrv@.timer +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Periodic DNS SRV lookup of %I for chrony - -[Timer] -OnActiveSec=0 -OnUnitInactiveSec=1h - -[Install] -WantedBy=timers.target diff --git a/chrony.spec b/chrony.spec index 3e42b2c..15f5680 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -14,8 +14,6 @@ Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerel Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt Source2: https://chrony.tuxfamily.org/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc Source3: chrony.dhclient -Source5: chrony-dnssrv@.service -Source6: chrony-dnssrv@.timer # simulator for test suite Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} @@ -140,8 +138,6 @@ install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service -install -m 644 -p %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.service -install -m 644 -p %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.timer cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < Date: Sat, 19 Dec 2020 05:13:45 +0000 Subject: [PATCH 037/137] Add BuildRequires: make https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot --- chrony.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/chrony.spec b/chrony.spec index 15f5680..472e074 100644 --- a/chrony.spec +++ b/chrony.spec @@ -27,6 +27,7 @@ BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: libseccomp-devel %endif BuildRequires: gcc gcc-c++ bison systemd gnupg2 net-tools +BuildRequires: make %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} Requires(pre): shadow-utils From 65b8f20ff63288427e5425a3981e895dc88b7a46 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 26 Jan 2021 01:57:12 +0000 Subject: [PATCH 038/137] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/chrony.spec b/chrony.spec index 472e074..dc39db6 100644 --- a/chrony.spec +++ b/chrony.spec @@ -5,7 +5,7 @@ Name: chrony Version: 4.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -204,6 +204,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jan 26 2021 Fedora Release Engineering - 4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Wed Oct 07 2020 Miroslav Lichvar 4.0-1 - update to 4.0 - update directory permissions to follow upstream From a565083d9b17fb0f90a5ec642e285fcd53f78238 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 12 Jan 2021 11:23:15 +0100 Subject: [PATCH 039/137] fix spec indentation --- chrony.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/chrony.spec b/chrony.spec index dc39db6..3b1049d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -26,8 +26,7 @@ BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x BuildRequires: libseccomp-devel %endif -BuildRequires: gcc gcc-c++ bison systemd gnupg2 net-tools -BuildRequires: make +BuildRequires: gcc gcc-c++ make bison systemd gnupg2 net-tools %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} Requires(pre): shadow-utils From 7f89c4666b798ba0736359100595702698cf0b93 Mon Sep 17 00:00:00 2001 From: Christian Glombek Date: Mon, 1 Feb 2021 16:32:54 +0000 Subject: [PATCH 040/137] update NM DHCP dispatcher script Updates the patch with downstream changes from https://github.com/openshift/os/pull/486 and https://github.com/openshift/os/pull/494 --- chrony-nm-dispatcher-dhcp.patch | 44 ++++++++++++++++----------------- chrony.spec | 2 +- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch index afb56cf..bdd199d 100644 --- a/chrony-nm-dispatcher-dhcp.patch +++ b/chrony-nm-dispatcher-dhcp.patch 
@@ -1,4 +1,4 @@ -From e0c6457fd42252f88ec60d16582b7b6e6fb04f41 Mon Sep 17 00:00:00 2001 +From 1b29e43133d992e735ffbf87d79f008994479036 Mon Sep 17 00:00:00 2001 From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig, detect dhclient @@ -7,27 +7,39 @@ Use the PEERNTP and NTPSERVERARGS environment variables from /etc/sysconfig/network{-scripts}. Detect a dhclient install to avoid a redundant operation with the 11-dhclient NM dispatcher in the dhcp-client package. + +Co-Authored-By: Christian Glombek --- - examples/chrony.nm-dispatcher.dhcp | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) + examples/chrony.nm-dispatcher.dhcp | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp -index 6ea4c37..878e72f 100644 +index 6ea4c37..a6ad35a 100644 --- a/examples/chrony.nm-dispatcher.dhcp 
+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -6,6 +6,11 @@ +@@ -6,21 +6,39 @@ export LC_ALL=C +# If a dhclient installation is present, avoid a redundant operation -+# with dhclient which handles NTP server config through its own -+# NetworkManager dispatcher script 11-dhclient. -+[ -e /usr/sbin/dhclient ] && exit 0 ++# in case dhclient handles NTP server config through its own chrony config script, ++# exec'ed by NetworkManager's 11-dhclient dispatcher script. ++# In RHCOS, 11-dhclient is excluded and not shipped with base image. ++[ -e /usr/sbin/dhclient ] && \ ++ [ -e /etc/dhcp/dhclient.d/chrony.sh ] && \ ++ [ -e /etc/NetworkManager/dispatcher.d/11-dhclient -o \ ++ -e /usr/lib/NetworkManager/dispatcher.d/11-dhclient ] && \ ++ exit 0 + interface=$1 action=$2 -@@ -17,10 +22,18 @@ dhcp_server_file=$server_dir/$interface.sources + chronyc=/usr/bin/chronyc + default_server_options=iburst +-server_dir=/var/run/chrony-dhcp ++server_dir=/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. nm_dhcp_servers=$DHCP4_NTP_SERVERS @@ -48,17 +60,5 @@ index 6ea4c37..878e72f 100644 $chronyc reload sources > /dev/null 2>&1 || : } -- -2.26.2 +2.29.2 -diff -up chrony-4.0-pre3/examples/chrony.nm-dispatcher.dhcp.nm-dispatcher-dhcp chrony-4.0-pre3/examples/chrony.nm-dispatcher.dhcp ---- chrony-4.0-pre3/examples/chrony.nm-dispatcher.dhcp.nm-dispatcher-dhcp 2020-08-26 09:27:47.076282468 +0200 -+++ chrony-4.0-pre3/examples/chrony.nm-dispatcher.dhcp 2020-08-26 09:27:51.847297974 +0200 -@@ -16,7 +16,7 @@ action=$2 - - chronyc=/usr/bin/chronyc - default_server_options=iburst --server_dir=/var/run/chrony-dhcp -+server_dir=/run/chrony-dhcp - - dhcp_server_file=$server_dir/$interface.sources - # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. diff --git a/chrony.spec b/chrony.spec index 3b1049d..cd9c222 100644 --- a/chrony.spec +++ b/chrony.spec 
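Review bot: The early-exit test added to the dispatcher script joins its two `11-dhclient` path checks with `-o` inside one `[ … ]`, which POSIX marks obsolescent and shellcheck reports as SC2166, the same kind of warning the first commit of this series removed from the helper scripts. Two tests grouped with `||` are unambiguous: `{ [ -e /etc/NetworkManager/dispatcher.d/11-dhclient ] || [ -e /usr/lib/NetworkManager/dispatcher.d/11-dhclient ]; } && \`. Separately, the presence of these files is only a proxy for which DHCP client NetworkManager actually uses. If the files exist but that path is not taken, the script exits without saving the DHCP-provided servers and logs nothing, so the comment should say that the check is a heuristic.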
@@ -63,7 +63,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - e051740bb4b21e2e12e6dc63f5195c48 examples/chrony.nm-dispatcher.dhcp + 2da011da89727ef009799502d84e7cd0 examples/chrony.nm-dispatcher.dhcp 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service EOF From ed6f12d1c1f5c3419fcbd28c3c03e54bcec4d8bd Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 2 Feb 2021 10:47:17 +0100 Subject: [PATCH 041/137] 4.0-3 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index cd9c222..0492642 100644 --- a/chrony.spec +++ b/chrony.spec @@ -5,7 +5,7 @@ Name: chrony Version: 4.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPLv2 @@ -203,8 +203,13 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Feb 02 2021 Miroslav Lichvar 4.0-3 +- update NM DHCP dispatcher script + * Tue Jan 26 2021 Fedora Release Engineering - 4.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild +- Add BuildRequires: make +- drop dnssrv service and timer * Wed Oct 07 2020 Miroslav Lichvar 4.0-1 - update to 4.0 From b1f5ca15234e40cdeffd79563c184142864db8a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 2 Mar 2021 16:14:05 +0100 Subject: [PATCH 042/137] Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 0492642..ef092b6 100644 --- a/chrony.spec +++ b/chrony.spec @@ -5,7 +5,7 @@ Name: chrony Version: 4.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPLv2 
@@ -203,6 +203,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 4.0-4 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + * Tue Feb 02 2021 Miroslav Lichvar 4.0-3 - update NM DHCP dispatcher script From c3c3f0c2dd19c2842afb2c915658bf8e55b27ed5 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 25 Mar 2021 15:37:59 +0100 Subject: [PATCH 043/137] enable LTO on s390x Update clknetsim to fix test failure on s390x with enabled LTO. --- .gitignore | 2 +- chrony.spec | 7 +------ sources | 2 +- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index e4a6ac3..d53e4c7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ /chrony-4.0.tar.gz /chrony-4.0-tar-gz-asc.txt -/clknetsim-c4ccc2.tar.gz +/clknetsim-1ca4a9.tar.gz diff --git a/chrony.spec b/chrony.spec index ef092b6..e26f14e 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver c4ccc2 +%global clknetsim_ver 1ca4a9 %bcond_without debug %bcond_without nts @@ -90,11 +90,6 @@ rm -f getdate.c mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim %build -# This package fails its testsuite when LTO is enabled on s390x -# Disable LTO for now -%ifarch s390x -%define _lto_cflags %{nil} -%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ diff --git a/sources b/sources index 96eabab..3a81e73 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ SHA512 (chrony-4.0.tar.gz) = a1c11a386c43f495910f7f2e9b5fbb1652c3631471d182b9b8203dfef98611d11535ad547a879856551263aed0ae2e30e4135b8ed89553684706166bc1c725c9 SHA512 (chrony-4.0-tar-gz-asc.txt) = c3156d91f4fdb6f9e2fdbc83b1399afb0ecdfa9b7bc92648c5bce477c3f0f921d2a13aa21ac6c281f18b008c60f08e3db6d82b642b646f064aea1dbe19295c4c -SHA512 (clknetsim-c4ccc2.tar.gz) = d2f71b2036e33ee92cd3590079dac04bc57bf2e9909f11e9ba66cd61c9946e92d2ebbdfd03c359cf39c6c8c07b28557d35fee3cb57eec75f5b1201858aa1d701 +SHA512 (clknetsim-1ca4a9.tar.gz) = 23c74ad9eadd3e09209bf0826901fefb1d11d210a882e15e83f0ef5903ea3d3fdce6859ac2cd9021485aef9d6771a609aa339af9ce4448522605c88b512c8943 From ba7e409249ade51a2686295e03bf5b068665fe0f Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 22 Apr 2021 12:32:13 +0200 Subject: [PATCH 044/137] rework NM-dispatcher/dhclient detection The packaged NM dispatcher and dhclient scripts provide the same functionality. Only one should be active depending on the system configuration. Instead of guessing in the NM dispatcher script whether the dhclient script is executed, check in the dhclient script whether it is called from a NM dispatcher script (the 11-dhclient script included in the dhcp-client package). This is simpler and it removes dependency on the 11-dhclient script. --- chrony-nm-dispatcher-dhcp.patch | 27 +++------------------------ chrony.dhclient | 5 +++++ chrony.spec | 2 +- 3 files changed, 9 insertions(+), 25 deletions(-) diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch index bdd199d..23087d6 100644 --- a/chrony-nm-dispatcher-dhcp.patch +++ b/chrony-nm-dispatcher-dhcp.patch @@ -1,38 +1,17 @@ -From 1b29e43133d992e735ffbf87d79f008994479036 Mon Sep 17 00:00:00 2001 
From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 -Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig, detect dhclient +Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig Use the PEERNTP and NTPSERVERARGS environment variables from -/etc/sysconfig/network{-scripts}. Detect a dhclient install to avoid a -redundant operation with the 11-dhclient NM dispatcher in the -dhcp-client package. +/etc/sysconfig/network{-scripts}. Co-Authored-By: Christian Glombek ---- - examples/chrony.nm-dispatcher.dhcp | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp index 6ea4c37..a6ad35a 100644 --- a/examples/chrony.nm-dispatcher.dhcp +++ b/examples/chrony.nm-dispatcher.dhcp -@@ -6,21 +6,39 @@ - - export LC_ALL=C - -+# If a dhclient installation is present, avoid a redundant operation -+# in case dhclient handles NTP server config through its own chrony config script, -+# exec'ed by NetworkManager's 11-dhclient dispatcher script. -+# In RHCOS, 11-dhclient is excluded and not shipped with base image. -+[ -e /usr/sbin/dhclient ] && \ -+ [ -e /etc/dhcp/dhclient.d/chrony.sh ] && \ -+ [ -e /etc/NetworkManager/dispatcher.d/11-dhclient -o \ -+ -e /usr/lib/NetworkManager/dispatcher.d/11-dhclient ] && \ -+ exit 0 -+ - interface=$1 - action=$2 +@@ -6,16 +6,24 @@ chronyc=/usr/bin/chronyc default_server_options=iburst diff --git a/chrony.dhclient b/chrony.dhclient index 92fa4fa..3fe9e92 100644 --- a/chrony.dhclient +++ b/chrony.dhclient @@ -4,6 +4,9 @@ CHRONY_SOURCEDIR=/run/chrony-dhcp SERVERFILE=$CHRONY_SOURCEDIR/$interface.sources chrony_config() { + # Disable modifications if called from a NM dispatcher script + [ -n "$NM_DISPATCHER_ACTION" ] && return 0 + rm -f "$SERVERFILE" if [ "$PEERNTP" != "no" ]; then mkdir -p $CHRONY_SOURCEDIR 
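Review bot: The guard added at the top of `chrony_config` in `chrony.dhclient` decides ownership of the sources file from the mere presence of `NM_DISPATCHER_ACTION` in the environment, and its comment does not say which script takes over or why both must not write. Both this script and the packaged `20-chrony-dhcp` dispatcher use `/run/chrony-dhcp/$interface.sources`, so the comment could read `# 20-chrony-dhcp writes the same $interface.sources file; leave it alone when dhclient-script runs under a NM dispatcher (NM_DISPATCHER_ACTION is set)`. The same guard in `chrony_restore` in the next hunk has no comment at all and should carry the same one or refer to it. The body of `chrony_config` continues outside this hunk.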
@@ -15,6 +18,8 @@ chrony_config() { } chrony_restore() { + [ -n "$NM_DISPATCHER_ACTION" ] && return 0 + if [ -f "$SERVERFILE" ]; then rm -f "$SERVERFILE" /usr/bin/chronyc reload sources > /dev/null 2>&1 || : diff --git a/chrony.spec b/chrony.spec index e26f14e..2fc3452 100644 --- a/chrony.spec +++ b/chrony.spec @@ -63,7 +63,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - 2da011da89727ef009799502d84e7cd0 examples/chrony.nm-dispatcher.dhcp + a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service EOF From f9f7cf22a938e5ba0d2907742bae09f993609e98 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 22 Apr 2021 13:06:22 +0200 Subject: [PATCH 045/137] update to 4.1-pre1 --- .gitignore | 6 +++--- chrony.spec | 5 +++-- sources | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index d53e4c7..c713489 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.0.tar.gz -/chrony-4.0-tar-gz-asc.txt -/clknetsim-1ca4a9.tar.gz +/chrony-4.1-pre1.tar.gz +/chrony-4.1-pre1-tar-gz-asc.txt +/clknetsim-f89702.tar.gz diff --git a/chrony.spec b/chrony.spec index 2fc3452..1ad5da2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,10 +1,11 @@ %global _hardened_build 1 -%global clknetsim_ver 1ca4a9 +%global prerelease -pre1 +%global clknetsim_ver f89702 %bcond_without debug %bcond_without nts Name: chrony -Version: 4.0 +Version: 4.1 Release: 4%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index 3a81e73..94d11c5 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.0.tar.gz) = a1c11a386c43f495910f7f2e9b5fbb1652c3631471d182b9b8203dfef98611d11535ad547a879856551263aed0ae2e30e4135b8ed89553684706166bc1c725c9 -SHA512 (chrony-4.0-tar-gz-asc.txt) = c3156d91f4fdb6f9e2fdbc83b1399afb0ecdfa9b7bc92648c5bce477c3f0f921d2a13aa21ac6c281f18b008c60f08e3db6d82b642b646f064aea1dbe19295c4c -SHA512 (clknetsim-1ca4a9.tar.gz) = 23c74ad9eadd3e09209bf0826901fefb1d11d210a882e15e83f0ef5903ea3d3fdce6859ac2cd9021485aef9d6771a609aa339af9ce4448522605c88b512c8943 +SHA512 (chrony-4.1-pre1.tar.gz) = 03e28e6651d6aa3c99333b94ee503843c3a69b8c8366bf647c41a3a9e34e987c440e289ec16e5c62c2a7405271bddc533efbd59d6c6ab43712c8908dfb86322e +SHA512 (chrony-4.1-pre1-tar-gz-asc.txt) = 8eb695c3f85f90d02b22b1202c8766347289a6da1d0658a3d89eed90202799bcfc647b96e5f931fb862011e85feed5f4914b39e45a3e20f01827509fe271a2d7 +SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65 From 3353132ff79d04fa162207054fda37f17ec120d8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 22 Apr 2021 14:53:52 +0200 Subject: [PATCH 046/137] 4.1-0.1.pre1 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 1ad5da2..c0806cd 100644 --- a/chrony.spec +++ b/chrony.spec @@ -6,7 +6,7 @@ Name: chrony Version: 4.1 -Release: 4%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,11 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Apr 22 2021 Miroslav Lichvar 4.1-0.1.pre1 +- update to 4.1-pre1 +- rework NM-dispatcher/dhclient detection +- enable LTO on s390x + * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 4.0-4 - Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. From 7065ea6b2d7ce4f60a7fce760eb63370dac0b604 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Thu, 13 May 2021 16:02:08 +0200 Subject: [PATCH 047/137] update to 4.1 --- .gitignore | 4 +- chrony.spec | 3 +- ...1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc | 29 ---------- ...375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc | 54 +++++++++++++++++++ sources | 4 +- 5 files changed, 59 insertions(+), 35 deletions(-) delete mode 100644 gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc create mode 100644 gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc diff --git a/.gitignore b/.gitignore index c713489..76dba0d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.1-pre1.tar.gz -/chrony-4.1-pre1-tar-gz-asc.txt +/chrony-4.1.tar.gz +/chrony-4.1-tar-gz-asc.txt /clknetsim-f89702.tar.gz diff --git a/chrony.spec b/chrony.spec index c0806cd..ac3d46c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,4 @@ %global _hardened_build 1 -%global prerelease -pre1 %global clknetsim_ver f89702 %bcond_without debug %bcond_without nts @@ -13,7 +12,7 @@ License: GPLv2 URL: https://chrony.tuxfamily.org Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt -Source2: https://chrony.tuxfamily.org/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc +Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc Source3: chrony.dhclient # simulator for test suite Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz diff --git a/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc b/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc deleted file mode 100644 index ce59e23..0000000 --- a/gpgkey-8B1F4A9ADA73D401E3085A0B5FF06F29BA1E013B.asc +++ /dev/null 
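Review bot: The `Source2` line replaces the key that authenticates the upstream tarball signature in the same commit that updates the tarball and its `-tar-gz-asc.txt` signature, and neither the commit message nor the spec records how the new key was authenticated. When the key and the signed artifact change together, the signature check proves nothing unless the key was confirmed through an independent channel. A comment above `Source2` would let a later reviewer repeat that step, for example `# upstream release signing key 8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC, fingerprint confirmed via <channel used>`. Whether `%prep` verifies `Source1` against `Source2` is not visible in this hunk and should be checked alongside.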
@@ -1,29 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGiBEYLz1cRBADYNM9gn8g1Bw8t2Zj+HT9hbSHVs9ofSdxqdLEVAbNySeLftOlZ -ba+4CU+lIfC/6XHZ0r+UvTBVK+r/KLjFxWz5cWGGFVUrXOSjo2PDXDqWrs9VALtT -zH8sr0/7qJCByF9fnryPO1fmMKlh9R0+X5cF7vZjlWbM+BV/yxARi4lb4wCgpf9M -7uo9hJUcMyy2zJSdzjUPkcMEAMVyDpw7kwTjnWzwaOHnPlT/x31OkGAO2sZgzRGu -VE1zGN4Ruv36GS7hNPndtpTGZuPtmLrE2wJS2exer4kTYANfiGj/JDTiuGQYF2jp -9cN3zJL7e7Bik004TZVUGg3HzpuWWc/uiTXgrZxIDz4uPxjy5kdDfbhUziNsy9Uj -igOZBADQ9T6XYQBTfRmGUkl7hEeAeu+WfEGDVlHP+EpMtk/uANUqYef5xUG4RomE -EyjRlrEXwG7Ly2HhH3UADBuPjkP68AGN8WslbCNx5Na+nZr6r1sT1+Z3OdUDprpY -PQxCu5WWYsYgzroO/JEA2d3pYgaaHEAhyZxau1UtW4hpAn8svbQmTWlyb3NsYXYg -TGljaHZhciA8bWxpY2h2YXJAcmVkaGF0LmNvbT6IZgQTEQIAJgIbAwYLCQgHAwIE -FQIIAwQWAgMBAh4BAheABQJbt20rBQkb2aQNAAoJEF/wbym6HgE7MOkAnjdG94MF -4XAVLnzCVbrJb/Ishao4AJ9o1EL9U/at8KzvfZdpPyNrmoeq+bkCDQRGC89XEAgA -medsNk8FIYdzJYyP2eaIYKMTpSCFgTKE1EHdiRaX5n3oo9o26+vfA1NfIwKM8G54 -3Ddr1yl2PRmQermHMQahMMsXcehQXjsJoZXTglJq6kw5Xb1V1K6SyXQv/sLmWGxw -T91T+0I+9g+UqMeqR8B2hj950BbfWn6Pu5CRk2voTsYEU2ecejKOWOOrbUnD/5wy -mkSD/1g+T7bgGOHMrSgYWH3Fk7dWNKpGBtQn3cL7fKy+cn4koDW1L3ebxg4zWpFo -l51m3u8DXc9lqUjg9AoqJH1bc9eQPQvJKxd5syU2pkgtHhT2rlSqpRtsKsgRNfBC -qBbK9gtEM3DRUD+EbbEZgwADBQf8CTSksVEUs5svpQlldZERwViUwwVb4TMszKKq -nEti6zu6oMkIDreGzSISDsrWq1WxzUv9IYumwanzkgTpVVfFPxK7samtol8Lol5V -r3Zbil3Q0IGJ9thhitMHRSU3ClhVRZF5QF/MhSzD1j0cXK4Ls0np5DePT3H4tItZ -+OcEhZcDb8k2DMcJW/REuiisWOElwIDM0o0kZyQiy+5QRfE2xancu3n8+wGtwc0N -2Yp/elmIigreu0xuK7HaFOiScUYv00BJa/ZEO2aOkRuiKkdp3oxtz3MIdDYyGbI6 -mL4h+X8079i95yu+L2tUJGHeN5u+X0Hsg9sE6TpVEggQEI30YYhPBBgRAgAPAhsM -BQJbt22dBQkb2aZBAAoJEF/wbym6HgE7rJYAn1gpOMPrFyjezpaYsloAwjSZhu8t -AKCTJlsZByvaTTXjUMyQy2z7tjnVpw== -=4XBU ------END PGP PUBLIC KEY BLOCK----- diff --git a/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc b/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc new file mode 100644 index 0000000..604babe --- /dev/null +++ b/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc 
@@ -0,0 +1,54 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGCc9dwBEADLydyZIqgarshQeCtIlWAgP3coy0mdJwxet1CvXwF1xpq18Qi1 +Tt9RZL64SkbQ8sKryBqnPjKZdOfVT5FwUucjp9L+/j7Bhk0tqv30EIQ57rnDLJ9T +c4LG1leO+Tc5Ym/0tvv4uMjkxr4KAKHPYrweHk6EAw06bbJ02mfy9xhlITSfyyFl +QRoRTEjy8N2IDutA4QzbZm0T5kvI7k7s/ILG5vyNo53X5PI/rWrSqmPZ5qs0lvDv +tA+rxOJp+FvlvOyBuv3ftIX0kAwRU+x/ET2Yd9qQWnXRx9d9D2UpFXm9DHfCDJYR +F56D0O3hf+rrCa/uSutIqmR33j5Wz4bYjWdmg4wbRQaoVxJl5AUrWuYEFwcCuY2B +FFgttLPb0qHpeBwuWaWJ9U6HM7qY3WEI2C/OWM0XFM8ERezedNEf7O2GTsoVVcm+ +LRg31R3eJzipKMAGZWScSDSRAXhh6oZhflMRjYKGvwRfgeos/Sl2bdYL80hqyjGV +jMhEYDC9sfLXRyLU+9FexruIzSLR8Vornma3zjzu9pRkbfTHb8FfBMt9MZEWraF2 +7riRq/zJE9QPWnBL/C8rdaXXxflBmGctn7RDKGOvxZ7SxPzzHbl5tV/Fizhkeph/ +v8YLVuCOk0pIpX65mFun3Xw5IF01x1GMzU1xYezExti9yBNiv9HVqf1DWwARAQAB +tCZNaXJvc2xhdiBMaWNodmFyIDxtbGljaHZhckByZWRoYXQuY29tPokCVAQTAQgA +PhYhBI83XH6NDuElo9O9UVN+K3b3aA2sBQJgnPXcAhsDBQkSzAMABQsJCAcCBhUK +CQgLAgQWAgMBAh4BAheAAAoJEFN+K3b3aA2sl8IQAJ9AMppV6cdxzt8g2Ypz0hw1 +6+9T5DjbYE/s0lozFQhCoYfo+SZyc3+yyKzlxI3ryHwFk9NjXGZZ8QjzT7FLj7/s +nKDjv5hUCOAi9Q+k217xwlBueeMyheeVaGGGa+Hv5CF1fZx/MtxiShUqu8oSqUyP +nW8lPGz73MfGAPT7kijVnz73pbht0vrZ9I+r8dnQGiweGBohexfCvmncrTyhjM8r +nvecycYBNnXhupzpmSMZgIA1s2v7oVmTnV0bntxE/gr7+SPk7KozhD12K8OU8deJ +cDD8F7NKa9Oe5NtuGVN4IPqp5cgj7GAyIj0sYss9Jknu4jX0imR5kwH6GbgFa7c/ +kU+fKTz57Rs1OGr3glYpMnNftXSWbC2V/OJxHVEcMk8HwKLgnQjtmKLVGeCo5iS6 +LFQuWaxpfjvxVjGSpnNu19cHVUhDM9cTP1DhUd4LdnltHQ+/xjwgzTgE4GJ1ZB0W +vhvxcdb69Sf50bGd4/WuURRoYSE7M6UKRwfXmMpyTiNhZz+3XjAoScA9AS7q9xfS +y3OddQEle/+qNFdABB12WmCgRhWemHzTZDXydIJuw+ucLO7U5RrDdqdaHkRVXJ9G +4mdk+3FgUlYgB9GY4pHQdqGdE60838R2zY9x0gK8cHU+FaRPAiTU8SJL0wb/Rko7 +qbZUY/6bgrDoXp4otAP2iF0EExECAB0WIQSLH0qa2nPUAeMIWgtf8G8puh4BOwUC +YJ0C3AAKCRBf8G8puh4BO9k2AJ4ohgz/p49IBfjf22sEL1FvYM/DhwCfTyCkbogO +uagIg5qwuEGwHMgn19G5Ag0EYJz13AEQAMrLXgl5u6vAakSF9n+xCP2WOiMHzzrR +OxHnWzsX6PTXpJt14LSZOZ5wjdyR3gLJWGLdkfHoxHpQYp7PLgNS29SuAc4HQ+Br +O5F4g9EmwDJ0ueUYxU1FcySRXfXR+gLabpQCc2s9bW6RaMwLuQNxZwkfXClkPQms 
+ImTFA0KntWpHc+uEr1J2i6LQS7D/BK6m72l9x8z9k9gqAabXw+xHsis+ffPMG5Jm +HOqeHYtsq+2JW1VvBnA4Qh3DKH9OQaD9hZbEiUC3nMmlLkPF/r29tWTPa7luBHBn +X556JTXVm+vDUDwZ2srLfaKyQCxbNLwvQ2Pn5SOyyCnuIWR2xZs/+KPDMhtKUBAV +HcboVu6iPCTU42CVMPaJvYD2iUEncZNeUGJOSuG240LSLNGEFFsD7YgXb1XHjQD5 +ci3Ki7P/hHi3AG53IsQTiaE5VgBdDje3zYCf5WaZ6c3DQQB9lab2RMz+5Fdr7Z6Y +mFRUbmxSnsMe0mwwcqVe3ofV0fKvE7Ep0T8bBg53dCqyU8hIbD5wUe99JmhMFnzs +5elwkv/Hb3Eg92dgu1zWb5kMzuvGEHtCIukIy1B+pzQOfT+iOC+lbmRHhPslJ9S0 +1vENJE+nEEsGxPy9pRHrmWSKI4Zh+ysjb/vW/vOwAd1RsvxTfgBeOOawmlz+n0pJ +T018ZnUgmc35ABEBAAGJAjwEGAEIACYWIQSPN1x+jQ7hJaPTvVFTfit292gNrAUC +YJz13AIbDAUJEswDAAAKCRBTfit292gNrPuRD/43kM0P71gxfJQj6PBpPtjIVVfm +4TIPWKmV+F4/9eCwAPC/o44Yw+nxGr77Rk2DsaSn0V51j2egRCXKuZBZx/v6JXP7 +qpDk3Uecml7IfxTd+N+gkI3viUsrt4ykUgyUH/wy/edMG3h9qhBQP0RxiDge18P6 +YUpQSnq3uP72ycTPLBJlqp/Y9+GXUapvcyDqBFnvs96ieDmSbjSf6tris1cuLv6f +eld4HNUY/LmI5MlYbywbgWGpSOyKUlTtyF33LqPnWd7UuTN7QNsYyjGnlJbkkGi/ +KwuNbIo5Gs4avaUSTc7SBLdCYneEIt7mt7hg0StKHQC6s/ak/w8yl1yFy5gRusO4 +QCFT2ZMQ6jZUAuaQGx0rhWQr9akNNJEDsHTBQR8pxpFp3LcDXcUXSSeySRSFZLt+ +hExvDQxXuhdbZHYGL1E6g5gtJQKnobNu2jMOziBcDivhAsqNw2Poq6fJVLavjBI5 +BI1xAqmymIExJFSlHdLuZq09cVzY3EOj3x23YTzPKNOI/qu4jTUT4Byi8Oy3PN1B +B0n5SqORWJ0KfAyVEewshSAqJ7zrZ5sJXWnKeVQqBOg5EwkOB8rz/M3mqgrnBRiq +hLiiiG5tKETA1YIQGXIbP8t1vqoQrpvYaJfkk3kQlktxfFkDRt8dKIxpFk8uPiNb +bcAu2uXfRrQxpaqcOg== +=/wbD +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index 94d11c5..14c91b8 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.1-pre1.tar.gz) = 03e28e6651d6aa3c99333b94ee503843c3a69b8c8366bf647c41a3a9e34e987c440e289ec16e5c62c2a7405271bddc533efbd59d6c6ab43712c8908dfb86322e -SHA512 (chrony-4.1-pre1-tar-gz-asc.txt) = 8eb695c3f85f90d02b22b1202c8766347289a6da1d0658a3d89eed90202799bcfc647b96e5f931fb862011e85feed5f4914b39e45a3e20f01827509fe271a2d7 +SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f +SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65 From c6a8172473c3f554e13326390214080e482a0666 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 13 May 2021 16:35:50 +0200 Subject: [PATCH 048/137] add bcond for seccomp --- chrony.spec | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/chrony.spec b/chrony.spec index ac3d46c..0862235 100644 --- a/chrony.spec +++ b/chrony.spec @@ -3,6 +3,10 @@ %bcond_without debug %bcond_without nts +%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x +%bcond_without seccomp +%endif + Name: chrony Version: 4.1 Release: 0.1.pre1%{?dist} @@ -23,11 +27,9 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel -%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x -BuildRequires: libseccomp-devel -%endif BuildRequires: gcc gcc-c++ make bison systemd gnupg2 net-tools %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} +%{?with_seccomp:BuildRequires: libseccomp-devel} Requires(pre): shadow-utils %{?systemd_requires} 
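Review bot: Defining `%bcond_without seccomp` only inside the `%ifarch` block means that on every other architecture `%{?with_seccomp:…}` expands to nothing, so the build silently drops `libseccomp-devel` here and `--enable-scfilter` in the `%configure` hunk that follows. The package is then built without the system call filter and no message in the spec or build log says so. A comment above the `%ifarch` line would make that explicit, for example `# system call filter is built only on the architectures listed here; elsewhere chronyd is built without it`. The following commit makes `-F 2` the default in `/etc/sysconfig/chronyd`; that line is not readable on this page, so it should be confirmed that the default depends on the same macro.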
@@ -93,7 +95,7 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ - --enable-scfilter \ +%{?with_seccomp: --enable-scfilter} \ %{!?with_nts: --disable-nts} \ --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ From eeffcafda90476da2600f66fa5cd1ac5d5bacebb Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 13 May 2021 16:39:42 +0200 Subject: [PATCH 049/137] enable seccomp filter by default Add -F 2 to default /etc/sysconfig/chronyd to enable a filter blocking a small number of specific system calls. The filter is incompatible with the mailonchange directive. --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 0862235..47508e5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -138,7 +138,7 @@ install -m 644 -p examples/chrony-wait.service \ cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < Date: Thu, 13 May 2021 16:41:21 +0200 Subject: [PATCH 050/137] 4.1-1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 47508e5..55d7831 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -200,6 +200,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu May 13 2021 Miroslav Lichvar 4.1-1 +- update to 4.1 +- enable seccomp filter by default (incompatible with mailonchange directive) + * Thu Apr 22 2021 Miroslav Lichvar 4.1-0.1.pre1 - update to 4.1-pre1 - rework NM-dispatcher/dhclient detection From 1fbbda2376e0c7919baa7f3cedff59f1e03e3a47 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 21 Jul 2021 14:29:32 +0000 Subject: [PATCH 051/137] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering 
From 41461a14e352bb2d8d901655cb18e67d9c584286 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 21 Jul 2021 19:26:44 +0000 Subject: [PATCH 052/137] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 55d7831..d5bb32e 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -200,6 +200,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 21 2021 Fedora Release Engineering - 4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Thu May 13 2021 Miroslav Lichvar 4.1-1 - update to 4.1 - enable seccomp filter by default (incompatible with mailonchange directive) From db7c1c445084118522aec2bc55c4dc0a2fa26b01 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Jun 2021 12:40:53 +0200 Subject: [PATCH 053/137] update out-of-date comment about NM DHCP script --- chrony.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/chrony.spec b/chrony.spec index d5bb32e..7c0e7ed 100644 --- a/chrony.spec +++ b/chrony.spec @@ -22,8 +22,7 @@ Source3: chrony.dhclient Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} -# add Fedora/RHEL-specific bits to DHCP dispatcher, including -# deferring to dhclient if installled, and using /etc/sysconfig +# add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel From eeb573858395f7e9f9db7432e272b1868b3218b9 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Tue, 8 Jun 2021 15:07:16 +0200 Subject: [PATCH 054/137] remove unnecessary build requirement --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 7c0e7ed..e226b88 100644 --- a/chrony.spec +++ b/chrony.spec @@ -26,7 +26,7 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel -BuildRequires: gcc gcc-c++ make bison systemd gnupg2 net-tools +BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} %{?with_seccomp:BuildRequires: libseccomp-devel} From e7d17261da096ce9bbc39f709efdbdae363c5759 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 9 Aug 2021 15:52:10 +0200 Subject: [PATCH 055/137] update seccomp filter for new glibc --- chrony-seccomp.patch | 30 ++++++++++++++++++++++++++++++ chrony.spec | 3 +++ 2 files changed, 33 insertions(+) create mode 100644 chrony-seccomp.patch diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch new file mode 100644 index 0000000..1cc432d --- /dev/null +++ b/chrony-seccomp.patch 
@@ -0,0 +1,30 @@ +commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a +Author: Miroslav Lichvar +Date: Mon Aug 9 11:48:21 2021 +0200 + + sys_linux: allow clone3 and pread64 in seccomp filter + + These seem to be needed with the latest glibc. + +diff --git a/sys_linux.c b/sys_linux.c +index 50c08431..2b53f722 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + + /* Process */ + SCMP_SYS(clone), ++#ifdef __NR_clone3 ++ SCMP_SYS(clone3), ++#endif + SCMP_SYS(exit), + SCMP_SYS(exit_group), + SCMP_SYS(getpid), +@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + #ifdef __NR_ppoll_time64 + SCMP_SYS(ppoll_time64), + #endif ++ SCMP_SYS(pread64), + SCMP_SYS(pselect6), + #ifdef __NR_pselect6_time64 + SCMP_SYS(pselect6_time64), diff --git a/chrony.spec b/chrony.spec index e226b88..034d007 100644 --- a/chrony.spec +++ b/chrony.spec @@ -24,6 +24,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# update seccomp filter for new glibc +Patch2: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -55,6 +57,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp +%patch2 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From 49d1a1fef3a3e9792006b4eb896c6adfd7db10fd Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 9 Aug 2021 15:54:00 +0200 Subject: [PATCH 056/137] 4.1-3 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 034d007..9ebf2c9 100644 --- a/chrony.spec +++ b/chrony.spec 
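Review bot: `SCMP_SYS(clone3)` joins what appears to be a plain allow list next to `clone`, and seccomp cannot inspect clone3's flags because they are passed in a structure in user memory. Any later attempt to constrain process creation by flags would therefore have to remove this entry again. Recording that next to the entry keeps the list reviewable, e.g. `/* clone3: flags are not visible to seccomp; revisit if clone is ever restricted by argument */`. The commit message says only that the two calls "seem to be needed with the latest glibc", so a short comment naming the glibc version and the caller that needs `pread64` would help when the list is re-audited. The allow list and `SYS_Linux_EnableSystemCallFilter()` both start and end outside the embedded hunks.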
@@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPLv2 @@ -202,6 +202,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Aug 09 2021 Miroslav Lichvar 4.1-3 +- update seccomp filter for new glibc +- remove unnecessary build requirement + * Wed Jul 21 2021 Fedora Release Engineering - 4.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From cdae473dfcd2434d117f7144be641bd630b47ac3 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 29 Sep 2021 16:18:06 +0200 Subject: [PATCH 057/137] harden chronyd and chrony-wait services --- chrony-services.patch | 120 ++++++++++++++++++++++++++++++++++++++++++ chrony.spec | 7 ++- 2 files changed, 125 insertions(+), 2 deletions(-) create mode 100644 chrony-services.patch diff --git a/chrony-services.patch b/chrony-services.patch new file mode 100644 index 0000000..94af6fd --- /dev/null +++ b/chrony-services.patch 
@@ -0,0 +1,120 @@ +commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00 +Author: Miroslav Lichvar +Date: Wed Sep 29 15:25:48 2021 +0200 + + examples: harden systemd services + + Add various settings to the example chronyd and chrony-wait services to + decrease the exposure reported by the "systemd-analyze security" + command. The original exposure was high as the analyzer does not check + the actual process (e.g. that it dropped the root privileges or that it + has its own seccomp filter). + + Limit read-write access to /run, /var/lib/chrony, and /var/spool. + Access to /run (instead of /run/chrony) is needed for the refclock + socket expected by gpsd. + + The mailonchange directive is most likely to break as it executes + /usr/sbin/sendmail, which can do unexpected operations depending on the + implementation. It should work with a setuid/setgid binary, but it is + not expected to write outside of /var/spool and the private /tmp. + +diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service +index b3aa7aa2..72b028f2 100644 +--- a/examples/chrony-wait.service ++++ b/examples/chrony-wait.service +@@ -16,5 +16,32 @@ TimeoutStartSec=180 + RemainAfterExit=yes + StandardOutput=null + ++CapabilityBoundingSet= ++DevicePolicy=closed ++DynamicUser=yes ++IPAddressAllow=localhost ++IPAddressDeny=any ++LockPersonality=yes ++MemoryDenyWriteExecute=yes ++PrivateDevices=yes ++PrivateUsers=yes ++ProcSubset=pid ++ProtectClock=yes ++ProtectControlGroups=yes ++ProtectHome=yes ++ProtectHostname=yes ++ProtectKernelLogs=yes ++ProtectKernelModules=yes ++ProtectKernelTunables=yes ++ProtectProc=invisible ++ProtectSystem=strict ++RestrictAddressFamilies=AF_INET AF_INET6 ++RestrictNamespaces=yes ++RestrictRealtime=yes ++SystemCallArchitectures=native ++SystemCallFilter=@system-service ++SystemCallFilter=~@privileged @resources ++UMask=0777 ++ + [Install] + WantedBy=multi-user.target +diff --git a/examples/chronyd.service b/examples/chronyd.service +index 289548cb..2cac6026 100644 
+--- a/examples/chronyd.service ++++ b/examples/chronyd.service +@@ -10,9 +10,40 @@ Type=forking + PIDFile=/run/chrony/chronyd.pid + EnvironmentFile=-/etc/sysconfig/chronyd + ExecStart=/usr/sbin/chronyd $OPTIONS ++ ++CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE ++CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE ++CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN ++CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT ++CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM ++DeviceAllow=char-pps rw ++DeviceAllow=char-ptp rw ++DeviceAllow=char-rtc rw ++DevicePolicy=closed ++LockPersonality=yes ++MemoryDenyWriteExecute=yes ++NoNewPrivileges=yes + PrivateTmp=yes ++ProcSubset=pid ++ProtectControlGroups=yes + ProtectHome=yes +-ProtectSystem=full ++ProtectHostname=yes ++ProtectKernelLogs=yes ++ProtectKernelModules=yes ++ProtectKernelTunables=yes ++ProtectProc=invisible ++ProtectSystem=strict ++ReadWritePaths=/run /var/lib/chrony ++RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX ++RestrictNamespaces=yes ++RestrictSUIDSGID=yes ++SystemCallArchitectures=native ++SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap ++ ++# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) ++NoNewPrivileges=no ++ReadWritePaths=/var/spool ++RestrictAddressFamilies=AF_NETLINK + + [Install] + WantedBy=multi-user.target + +Avoid a SELinux issue + +diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service +index 72b028f2..57646950 100644 +--- a/examples/chrony-wait.service ++++ b/examples/chrony-wait.service +@@ -18,7 +18,7 @@ StandardOutput=null + + CapabilityBoundingSet= + DevicePolicy=closed +-DynamicUser=yes ++#DynamicUser=yes + IPAddressAllow=localhost + IPAddressDeny=any + LockPersonality=yes diff --git a/chrony.spec b/chrony.spec index 9ebf2c9..07e6b41 100644 --- a/chrony.spec 
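Review bot: The trailing block in chronyd.service resets `NoNewPrivileges=no` and adds `ReadWritePaths=/var/spool` and `RestrictAddressFamilies=AF_NETLINK` for every installation, although only hosts that configure `mailonchange` need them. Patch 049 in this series already states that the seccomp filter enabled by default is incompatible with that directive. Shipping the three lines commented out would keep `NoNewPrivileges=yes` as the packaged default: `#NoNewPrivileges=no`, `#ReadWritePaths=/var/spool`, `#RestrictAddressFamilies=AF_NETLINK`, with the existing comment extended to say they are to be enabled (or set in a drop-in) when mailonchange is used. Separately, the second embedded diff that comments out `DynamicUser=yes` carries only "Avoid a SELinux issue"; a bug reference there would let the workaround be removed once the policy is fixed.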
+++ b/chrony.spec @@ -26,6 +26,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch # update seccomp filter for new glibc Patch2: chrony-seccomp.patch +# harden chronyd and chrony-wait services +Patch3: chrony-services.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -58,18 +60,19 @@ service to other computers in the network. %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp %patch2 -p1 -b .seccomp +%patch3 -p1 -b .services %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service + 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline - 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service + 76c8a32a5ac6692a7f15f65e2b5f3239 examples/chronyd.service EOF # don't allow packaging without vendor zone From 89973469bd2cee828ef1b4744d11b9fbea9339db Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 29 Sep 2021 16:22:20 +0200 Subject: [PATCH 058/137] 4.1-4 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 07e6b41..100f4fa 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPLv2 
@@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Sep 29 2021 Miroslav Lichvar 4.1-4 +- harden chronyd and chrony-wait services + * Mon Aug 09 2021 Miroslav Lichvar 4.1-3 - update seccomp filter for new glibc - remove unnecessary build requirement From a1a45e3283239a0efff5ad810012ab3591248397 Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Tue, 5 Oct 2021 14:50:46 +0200 Subject: [PATCH 059/137] Adding fmf plan --- .fmf/version | 1 + plans/ci.fmf | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 .fmf/version create mode 100644 plans/ci.fmf diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/plans/ci.fmf b/plans/ci.fmf new file mode 100644 index 0000000..7834d37 --- /dev/null +++ b/plans/ci.fmf @@ -0,0 +1,6 @@ +summary: Test plan that runs all tests from tests repo. +discover: + how: fmf + url: https://src.fedoraproject.org/tests/chrony.git +execute: + how: tmt From 90ef1216ea0e211ccd63414542423c9702336a64 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 16 Nov 2021 16:45:53 +0100 Subject: [PATCH 060/137] fix hardened chronyd service to allow writing log files --- chrony-services.patch | 31 +++++++++++++++++++++++++++++++ chrony.spec | 2 +- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/chrony-services.patch b/chrony-services.patch index 94af6fd..34aa909 100644 --- a/chrony-services.patch +++ b/chrony-services.patch 
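Review bot: In plans/ci.fmf the `discover` step pulls tests from `https://src.fedoraproject.org/tests/chrony.git` without a `ref`, so the gate runs whatever the default branch holds at test time and a result cannot be tied to a specific test revision. Adding `ref: <branch-or-commit>` under `url:` would pin it. If tracking the branch head is intentional, a one-line comment saying so documents the trust placed in that repository.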
@@ -118,3 +118,34 @@ index 72b028f2..57646950 100644 IPAddressAllow=localhost IPAddressDeny=any LockPersonality=yes +commit 76a905d652cafccfac1023f74d12ffa7facc4832 +Author: Miroslav Lichvar +Date: Mon Oct 4 10:54:40 2021 +0200 + + examples: improve chronyd service + + Allow writing logfiles (enabled by logdir or -l option) to /var/log and + don't require /var/spool to exist. + +diff --git a/examples/chronyd.service b/examples/chronyd.service +index 2cac6026..4fb930ef 100644 +--- a/examples/chronyd.service ++++ b/examples/chronyd.service +@@ -33,7 +33,7 @@ ProtectKernelModules=yes + ProtectKernelTunables=yes + ProtectProc=invisible + ProtectSystem=strict +-ReadWritePaths=/run /var/lib/chrony ++ReadWritePaths=/run /var/lib/chrony -/var/log + RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + RestrictNamespaces=yes + RestrictSUIDSGID=yes +@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot + + # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) + NoNewPrivileges=no +-ReadWritePaths=/var/spool ++ReadWritePaths=-/var/spool + RestrictAddressFamilies=AF_NETLINK + + [Install] diff --git a/chrony.spec b/chrony.spec index 100f4fa..38df8eb 100644 --- a/chrony.spec +++ b/chrony.spec @@ -72,7 +72,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline - 76c8a32a5ac6692a7f15f65e2b5f3239 examples/chronyd.service + 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service EOF # don't allow packaging without vendor zone From 8ebbcb0ef4b80de42bdad159eae8fac950cfbb4c Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 16 Nov 2021 16:47:03 +0100 Subject: [PATCH 061/137] 4.1-5 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 38df8eb..5a2d960 100644 
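Review bot: `ReadWritePaths=/run /var/lib/chrony -/var/log` makes the whole of /var/log writable to the service under `ProtectSystem=strict`, while this package's spec owns only `%{_localstatedir}/log/chrony` (mode 750, chrony:chrony). For the packaged unit, `ReadWritePaths=/run /var/lib/chrony -/var/log/chrony` would be the narrower default; a host that points `logdir` or `-l` elsewhere can add its own path in a drop-in. If the wider path is kept to stay identical to upstream, a comment in the unit saying so would stop it being read as an oversight.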
--- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 4%{?dist} +Release: 5%{?dist} Summary: An NTP client/server License: GPLv2 @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Nov 16 2021 Miroslav Lichvar 4.1-5 +- fix hardened chronyd service to allow writing log files + * Wed Sep 29 2021 Miroslav Lichvar 4.1-4 - harden chronyd and chrony-wait services From 2eeb6969c51c44cdadf53989aadbd523c3727b2a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 2 Dec 2021 13:14:09 +0100 Subject: [PATCH 062/137] update to 4.2-pre1 --- .gitignore | 6 +- chrony-seccomp.patch | 30 --------- chrony-services.patch | 151 ------------------------------------------ chrony.spec | 13 ++-- sources | 6 +- 5 files changed, 10 insertions(+), 196 deletions(-) delete mode 100644 chrony-seccomp.patch delete mode 100644 chrony-services.patch diff --git a/.gitignore b/.gitignore index 76dba0d..f18ac28 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.1.tar.gz -/chrony-4.1-tar-gz-asc.txt -/clknetsim-f89702.tar.gz +/chrony-4.2-pre1.tar.gz +/chrony-4.2-pre1-tar-gz-asc.txt +/clknetsim-470b5e.tar.gz diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch deleted file mode 100644 index 1cc432d..0000000 --- a/chrony-seccomp.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a -Author: Miroslav Lichvar -Date: Mon Aug 9 11:48:21 2021 +0200 - - sys_linux: allow clone3 and pread64 in seccomp filter - - These seem to be needed with the latest glibc. - -diff --git a/sys_linux.c b/sys_linux.c -index 50c08431..2b53f722 100644 ---- a/sys_linux.c -+++ b/sys_linux.c -@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - - /* Process */ - SCMP_SYS(clone), -+#ifdef __NR_clone3 -+ SCMP_SYS(clone3), -+#endif - SCMP_SYS(exit), - SCMP_SYS(exit_group), - SCMP_SYS(getpid), -@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - #ifdef __NR_ppoll_time64 - SCMP_SYS(ppoll_time64), - #endif -+ SCMP_SYS(pread64), - SCMP_SYS(pselect6), - #ifdef __NR_pselect6_time64 - SCMP_SYS(pselect6_time64), diff --git a/chrony-services.patch b/chrony-services.patch deleted file mode 100644 index 34aa909..0000000 --- a/chrony-services.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00 -Author: Miroslav Lichvar -Date: Wed Sep 29 15:25:48 2021 +0200 - - examples: harden systemd services - - Add various settings to the example chronyd and chrony-wait services to - decrease the exposure reported by the "systemd-analyze security" - command. The original exposure was high as the analyzer does not check - the actual process (e.g. that it dropped the root privileges or that it - has its own seccomp filter). - - Limit read-write access to /run, /var/lib/chrony, and /var/spool. - Access to /run (instead of /run/chrony) is needed for the refclock - socket expected by gpsd. - - The mailonchange directive is most likely to break as it executes - /usr/sbin/sendmail, which can do unexpected operations depending on the - implementation. It should work with a setuid/setgid binary, but it is - not expected to write outside of /var/spool and the private /tmp. - -diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service -index b3aa7aa2..72b028f2 100644 ---- a/examples/chrony-wait.service -+++ b/examples/chrony-wait.service -@@ -16,5 +16,32 @@ TimeoutStartSec=180 - RemainAfterExit=yes - StandardOutput=null - -+CapabilityBoundingSet= -+DevicePolicy=closed -+DynamicUser=yes -+IPAddressAllow=localhost -+IPAddressDeny=any -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+PrivateDevices=yes -+PrivateUsers=yes -+ProcSubset=pid -+ProtectClock=yes -+ProtectControlGroups=yes -+ProtectHome=yes -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+RestrictAddressFamilies=AF_INET AF_INET6 -+RestrictNamespaces=yes -+RestrictRealtime=yes -+SystemCallArchitectures=native -+SystemCallFilter=@system-service -+SystemCallFilter=~@privileged @resources -+UMask=0777 -+ - [Install] - WantedBy=multi-user.target -diff --git a/examples/chronyd.service b/examples/chronyd.service -index 289548cb..2cac6026 100644 
---- a/examples/chronyd.service -+++ b/examples/chronyd.service -@@ -10,9 +10,40 @@ Type=forking - PIDFile=/run/chrony/chronyd.pid - EnvironmentFile=-/etc/sysconfig/chronyd - ExecStart=/usr/sbin/chronyd $OPTIONS -+ -+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE -+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN -+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT -+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM -+DeviceAllow=char-pps rw -+DeviceAllow=char-ptp rw -+DeviceAllow=char-rtc rw -+DevicePolicy=closed -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+NoNewPrivileges=yes - PrivateTmp=yes -+ProcSubset=pid -+ProtectControlGroups=yes - ProtectHome=yes --ProtectSystem=full -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+ReadWritePaths=/run /var/lib/chrony -+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -+RestrictNamespaces=yes -+RestrictSUIDSGID=yes -+SystemCallArchitectures=native -+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap -+ -+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) -+NoNewPrivileges=no -+ReadWritePaths=/var/spool -+RestrictAddressFamilies=AF_NETLINK - - [Install] - WantedBy=multi-user.target - -Avoid a SELinux issue - -diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service -index 72b028f2..57646950 100644 ---- a/examples/chrony-wait.service -+++ b/examples/chrony-wait.service -@@ -18,7 +18,7 @@ StandardOutput=null - - CapabilityBoundingSet= - DevicePolicy=closed --DynamicUser=yes -+#DynamicUser=yes - IPAddressAllow=localhost - IPAddressDeny=any - LockPersonality=yes -commit 76a905d652cafccfac1023f74d12ffa7facc4832 -Author: Miroslav Lichvar -Date: Mon Oct 4 
10:54:40 2021 +0200 - - examples: improve chronyd service - - Allow writing logfiles (enabled by logdir or -l option) to /var/log and - don't require /var/spool to exist. - -diff --git a/examples/chronyd.service b/examples/chronyd.service -index 2cac6026..4fb930ef 100644 ---- a/examples/chronyd.service -+++ b/examples/chronyd.service -@@ -33,7 +33,7 @@ ProtectKernelModules=yes - ProtectKernelTunables=yes - ProtectProc=invisible - ProtectSystem=strict --ReadWritePaths=/run /var/lib/chrony -+ReadWritePaths=/run /var/lib/chrony -/var/log - RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX - RestrictNamespaces=yes - RestrictSUIDSGID=yes -@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot - - # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) - NoNewPrivileges=no --ReadWritePaths=/var/spool -+ReadWritePaths=-/var/spool - RestrictAddressFamilies=AF_NETLINK - - [Install] diff --git a/chrony.spec b/chrony.spec index 5a2d960..3955aa1 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver f89702 +%global prerelease -pre1 +%global clknetsim_ver 470b5e %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.1 +Version: 4.2 Release: 5%{?dist} Summary: An NTP client/server @@ -24,10 +25,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# update seccomp filter for new glibc -Patch2: chrony-seccomp.patch -# harden chronyd and chrony-wait services -Patch3: chrony-services.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 
@@ -59,14 +56,12 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .seccomp -%patch3 -p1 -b .services %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service + b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate diff --git a/sources b/sources index 14c91b8..03b8ca6 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f -SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a -SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65 +SHA512 (chrony-4.2-pre1.tar.gz) = 19ec6a8d66415e0c64450dcc7ea268c47db8e256d24894072a4f4c1d23803089e911c0c05ba33e4ffcb106835eac0e473e8de356ee228d480bacd6a1d217ffb2 +SHA512 (chrony-4.2-pre1-tar-gz-asc.txt) = 57a65666df1f090dba674ff47364d192f18bb2f7776ee9a26b6c60fc0aed045112f171b09c3b36e1f1b61b1f620c41ddcc687d1eaef64c10b8b4b923ba5cf9bf +SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413 From 38c951ced8dc6eab718c12005934c65bf202e22f Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Thu, 2 Dec 2021 13:14:58 +0100 Subject: [PATCH 063/137] 4.2-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 3955aa1..a409943 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.2 -Release: 5%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -200,6 +200,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Dec 02 2021 Miroslav Lichvar 4.2-1 +- update to 4.2-pre1 + * Tue Nov 16 2021 Miroslav Lichvar 4.1-5 - fix hardened chronyd service to allow writing log files From 14a82308719c88c6f0f5914dcd01bc3278858f89 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 7 Dec 2021 15:49:36 +0100 Subject: [PATCH 064/137] add gating.yaml --- gating.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 gating.yaml diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..4bf1436 --- /dev/null +++ b/gating.yaml @@ -0,0 +1,16 @@ +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_testing +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/ci.functional} + +# rawhide +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_stable +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/ci.functional} From 8f45aa322d5fa5974522e87946a43d833337e21d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 9 Dec 2021 12:37:24 +0100 Subject: [PATCH 065/137] fix gating.yaml to not rely on ci.fmf --- gating.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/gating.yaml b/gating.yaml index 4bf1436..f458db9 100644 --- a/gating.yaml +++ b/gating.yaml 
@@ -1,16 +1,16 @@ --- !Policy product_versions: - fedora-* -decision_context: bodhi_update_push_testing +decision_contexts: [bodhi_update_push_testing] subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/ci.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} # rawhide --- !Policy product_versions: - fedora-* -decision_context: bodhi_update_push_stable +decision_contexts: [bodhi_update_push_stable] subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/ci.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} From b410207eb69566a0adcf73f16a418b7281b09633 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 16 Dec 2021 16:22:37 +0100 Subject: [PATCH 066/137] fix changelog nvr --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index a409943..9322a17 100644 --- a/chrony.spec +++ b/chrony.spec @@ -200,7 +200,7 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog -* Thu Dec 02 2021 Miroslav Lichvar 4.2-1 +* Thu Dec 02 2021 Miroslav Lichvar 4.2-0.1.pre1 - update to 4.2-pre1 * Tue Nov 16 2021 Miroslav Lichvar 4.1-5 From 5558df92e7b47448b7f10dae423a9d99a80872f4 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 16 Dec 2021 16:21:06 +0100 Subject: [PATCH 067/137] update to 4.2 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index f18ac28..c143a9a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.2-pre1.tar.gz -/chrony-4.2-pre1-tar-gz-asc.txt +/chrony-4.2.tar.gz +/chrony-4.2-tar-gz-asc.txt /clknetsim-470b5e.tar.gz diff --git a/chrony.spec b/chrony.spec index 9322a17..36cc179 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -1,5 +1,4 @@ %global _hardened_build 1 -%global prerelease -pre1 %global clknetsim_ver 470b5e %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 03b8ca6..2cf5a81 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.2-pre1.tar.gz) = 19ec6a8d66415e0c64450dcc7ea268c47db8e256d24894072a4f4c1d23803089e911c0c05ba33e4ffcb106835eac0e473e8de356ee228d480bacd6a1d217ffb2 -SHA512 (chrony-4.2-pre1-tar-gz-asc.txt) = 57a65666df1f090dba674ff47364d192f18bb2f7776ee9a26b6c60fc0aed045112f171b09c3b36e1f1b61b1f620c41ddcc687d1eaef64c10b8b4b923ba5cf9bf +SHA512 (chrony-4.2.tar.gz) = 7f946b27de605b3ebea62cf23916dfad77c99e8b2338ba239ede6b8216ce436b3d4d87770f371c8d8e006507c51d5c831b51f067957abd2935adfdec3f5aa67d +SHA512 (chrony-4.2-tar-gz-asc.txt) = d8ae4b540ce3529a5a72e10c14765a33ca6fc41529b6fdc9928fb171f25bd6fb87f930b7783638892f42f4cbcfaab4cb1064c930bae1d5204a71babad72b6e10 SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413 From 6ed36d01fa50c55e4e4a66dd2172b79979d0bbb9 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 16 Dec 2021 16:21:49 +0100 Subject: [PATCH 068/137] 4.2-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 36cc179..09017d3 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Dec 16 2021 Miroslav Lichvar 4.2-1 +- update to 4.2 + * Thu Dec 02 2021 Miroslav Lichvar 4.2-0.1.pre1 - update to 4.2-pre1 From 585d0a7e34a147228df3b4a1adeb4bbd782d55ad Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Wed, 19 Jan 2022 23:12:23 +0000 Subject: [PATCH 069/137] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 09017d3..523d2f2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jan 19 2022 Fedora Release Engineering - 4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Thu Dec 16 2021 Miroslav Lichvar 4.2-1 - update to 4.2 From 33529ab184aca78e606f24d67cd567df95802c4d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Feb 2022 11:11:27 +0100 Subject: [PATCH 070/137] use NTP servers passed by NetworkManager from DHCPv6 NTP server option --- chrony-nm-dispatcher-dhcp.patch | 144 +++++++++++++++++++++++++++----- chrony.spec | 4 +- 2 files changed, 127 insertions(+), 21 deletions(-) diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch index 23087d6..d4d02c8 100644 --- a/chrony-nm-dispatcher-dhcp.patch +++ b/chrony-nm-dispatcher-dhcp.patch 
@@ -1,3 +1,113 @@ +commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14 +Author: Miroslav Lichvar +Date: Mon Feb 7 13:27:25 2022 +0100 + + examples: support DHCPv6 NTP servers in NM dispatcher script + + Latest NetworkManager code provides NTP servers from the DHCPv6 NTP + option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher + scripts. + + Check for invalid characters (which can come from the FQDN suboption) + and include the servers in the interface-specific sources file. + +diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp +index 6ea4c370..4454f037 100644 +--- a/examples/chrony.nm-dispatcher.dhcp ++++ b/examples/chrony.nm-dispatcher.dhcp +@@ -1,8 +1,7 @@ + #!/bin/sh + # This is a NetworkManager dispatcher script for chronyd to update +-# its NTP sources passed from DHCP options. Note that this script is +-# specific to NetworkManager-dispatcher due to use of the +-# DHCP4_NTP_SERVERS environment variable. ++# its NTP sources with servers from DHCP options passed by NetworkManager ++# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables. + + export LC_ALL=C + +@@ -10,17 +9,19 @@ interface=$1 + action=$2 + + chronyc=/usr/bin/chronyc +-default_server_options=iburst ++server_options=iburst + server_dir=/var/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources +-# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. 
+-nm_dhcp_servers=$DHCP4_NTP_SERVERS ++dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" + + add_servers_from_dhcp() { + rm -f "$dhcp_server_file" +- for server in $nm_dhcp_servers; do +- echo "server $server $default_server_options" >> "$dhcp_server_file" ++ for server in $dhcp_ntp_servers; do ++ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) ++ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue ++ ++ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" + done + $chronyc reload sources > /dev/null 2>&1 || : + } +@@ -34,10 +35,11 @@ clear_servers_from_dhcp() { + + mkdir -p $server_dir + +-if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then +- add_servers_from_dhcp +-elif [ "$action" = "down" ]; then +- clear_servers_from_dhcp +-fi ++case "$action" in ++ up|dhcp4-change|dhcp6-change) ++ add_servers_from_dhcp;; ++ down) ++ clear_servers_from_dhcp;; ++esac + + exit 0 + +commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf +Author: Miroslav Lichvar +Date: Mon Feb 7 13:27:48 2022 +0100 + + examples: handle more actions in NM dispatcher script + + Run the chronyc onoffline command also when the connectivity-change + and dhcp6-change actions are reported by the NetworkManager dispatcher. + + The latter should not be necessary, but there currently doesn't seem to + be any action for IPv6 becoming routable after duplicate address + detection, so at least in networks using DHCPv6, IPv6 NTP servers should + not be stuck in the offline state from a previously reported action. 
+ +diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline +index 34cfa0db..01e6fdb1 100644 +--- a/examples/chrony.nm-dispatcher.onoffline ++++ b/examples/chrony.nm-dispatcher.onoffline +@@ -7,8 +7,18 @@ export LC_ALL=C + + chronyc=/usr/bin/chronyc + +-# For NetworkManager consider only up/down events +-[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0 ++# For NetworkManager consider only selected events ++if [ $# -ge 2 ]; then ++ case "$2" in ++ up|down|connectivity-change) ++ ;; ++ dhcp6-change) ++ # No other action is reported for routable IPv6 ++ ;; ++ *) ++ exit 0;; ++ esac ++fi + + # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off + From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig @@ -11,33 +121,29 @@ diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher. index 6ea4c37..a6ad35a 100644 --- a/examples/chrony.nm-dispatcher.dhcp 
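Review bot: The loop `for server in $dhcp_ntp_servers` in the embedded `add_servers_from_dhcp` expands a DHCP-supplied value unquoted, so pathname expansion happens before the new `grep -E` character check runs. A value containing `*` or `?` would be replaced by matching file names from the dispatcher's working directory, and any such name made only of permitted characters would pass the check and be written as a `server` line. Word splitting is wanted here but globbing is not, so I would add `set -f` after `export LC_ALL=C` in the script. Whether NetworkManager already strips such characters from `DHCP6_DHCP6_NTP_SERVERS` is not visible from this hunk; the same loop appears as context in the next hunk of this file.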
+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -6,16 +6,24 @@ - - chronyc=/usr/bin/chronyc - default_server_options=iburst --server_dir=/var/run/chrony-dhcp -+server_dir=/run/chrony-dhcp - - dhcp_server_file=$server_dir/$interface.sources - # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. - nm_dhcp_servers=$DHCP4_NTP_SERVERS +@@ -8,15 +8,23 @@ export LC_ALL=C + interface=$1 + action=$2 +[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network +[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \ + . /etc/sysconfig/network-scripts/ifcfg-"${interface}" + + chronyc=/usr/bin/chronyc +-server_options=iburst +-server_dir=/var/run/chrony-dhcp ++server_options=${NTPSERVERARGS:-iburst} ++server_dir=/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources + dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" + add_servers_from_dhcp() { rm -f "$dhcp_server_file" + + # Don't add NTP servers if PEERNTP=no specified; return early. + [ "$PEERNTP" = "no" ] && return + - for server in $nm_dhcp_servers; do -- echo "server $server $default_server_options" >> "$dhcp_server_file" -+ echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file" - done - $chronyc reload sources > /dev/null 2>&1 || : - } --- -2.29.2 - + for server in $dhcp_ntp_servers; do + # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) + printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue diff --git a/chrony.spec b/chrony.spec index 523d2f2..f84fbd9 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -64,8 +64,8 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp - 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline + 5d0c4758207a89a9a19471177b1107b9 examples/chrony.nm-dispatcher.dhcp + 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service EOF From f7730a70df37be7a0015438e5005679f0fbd295c Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Feb 2022 11:17:56 +0100 Subject: [PATCH 071/137] 4.2-3 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index f84fbd9..e7e57bd 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Feb 08 2022 Miroslav Lichvar 4.2-3 +- use NTP servers passed by NetworkManager from DHCPv6 NTP server option + * Wed Jan 19 2022 Fedora Release Engineering - 4.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From d88eefe3d025f428f056b9ed07d8c06c18d4473a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Feb 2022 11:41:07 +0100 Subject: [PATCH 072/137] update seccomp filter for latest glibc --- chrony-seccomp.patch | 31 +++++++++++++++++++++++++++++++ chrony.spec | 3 +++ 2 files changed, 34 insertions(+) create mode 100644 chrony-seccomp.patch diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch new file mode 100644 index 0000000..523759c --- /dev/null +++ b/chrony-seccomp.patch 
@@ -0,0 +1,31 @@ +commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d +Author: Michael Hudson-Doyle +Date: Wed Feb 9 09:06:13 2022 +0100 + + sys_linux: allow rseq in seccomp filter + + Libc 2.35 will use rseq syscalls [1][2] by default and thereby + break chrony in seccomp isolation. + + [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/ + [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html + + Tested-by: Christian Ehrhardt + Reviewed-by: Christian Ehrhardt + Signed-off-by: Michael Hudson-Doyle + Signed-off-by: Christian Ehrhardt + +diff --git a/sys_linux.c b/sys_linux.c +index 9cab2efa..cc3c9311 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + SCMP_SYS(getrlimit), + SCMP_SYS(getuid), + SCMP_SYS(getuid32), ++#ifdef __NR_rseq ++ SCMP_SYS(rseq), ++#endif + SCMP_SYS(rt_sigaction), + SCMP_SYS(rt_sigreturn), + SCMP_SYS(rt_sigprocmask), diff --git a/chrony.spec b/chrony.spec index e7e57bd..79f3137 100644 --- a/chrony.spec +++ b/chrony.spec @@ -24,6 +24,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# update seccomp filter for latest glibc +Patch2: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -55,6 +57,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp +%patch2 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From 29c4de2d7709c14394b99777302108e1950b615e Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Feb 2022 11:48:14 +0100 Subject: [PATCH 073/137] 4.2-4 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
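Review bot: The `#ifdef __NR_rseq` guard in the embedded `sys_linux.c` hunk decides at build time whether `rseq` enters the seccomp allowlist, while the need for it comes from the glibc present at run time. A build against kernel headers that lack `__NR_rseq` would silently produce a filter that still blocks the call, so it is worth confirming that the buildroot headers define it (presumably they do on current Fedora). For the spec hunk adding `Patch2`, I would make the comment traceable so the backport is dropped on the next rebase: `# update seccomp filter for latest glibc (upstream commit 8bb8f15a7d04)`. The allowlist array in `SYS_Linux_EnableSystemCallFilter` starts and ends outside the hunk.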
diff --git a/chrony.spec b/chrony.spec index 79f3137..61cc102 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPLv2 @@ -202,6 +202,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Feb 09 2022 Miroslav Lichvar 4.2-4 +- update seccomp filter for latest glibc + * Tue Feb 08 2022 Miroslav Lichvar 4.2-3 - use NTP servers passed by NetworkManager from DHCPv6 NTP server option From 043d045ae8f01842f6b543cee01b5ec2675309be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 16 Feb 2022 08:10:11 +0000 Subject: [PATCH 074/137] Drop obsolete workaround in scriptlet The bug with daemon-reload was fixed a long time ago. The direct invocation of 'systemctl daemon-reload' with no redirect of errors to /dev/null causes a user-visible message when installing into a chroot: Running scriptlet: chrony-4.2-4.fc37.x86_64 320/334 System has not been booted with systemd as init system (PID 1). Can't operate. Failed to connect to bus: Host is down ... --- chrony.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index 61cc102..16676c6 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: An NTP client/server License: GPLv2 @@ -161,8 +161,6 @@ getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \ : %post -# workaround for late reload of unit file (#1614751) -%{_bindir}/systemctl daemon-reload # migrate from chrony-helper to sourcedir directive if test -a %{_libexecdir}/chrony-helper; then grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \ 
@@ -202,6 +200,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Feb 16 2022 Zbigniew Jędrzejewski-Szmek - 4.2-5 +- Drop obsolete workaround in scriptlet + * Wed Feb 09 2022 Miroslav Lichvar 4.2-4 - update seccomp filter for latest glibc From e60c1652e564e5ed61ad65094b8d4fffbb8609c2 Mon Sep 17 00:00:00 2001 From: Luca BRUNO Date: Tue, 24 May 2022 14:55:50 +0000 Subject: [PATCH 075/137] Add a sysusers.d fragment for chrony user/group This installs a configuration fragment for systemd-sysusers which covers chrony user and group. For more details, see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format --- chrony.spec | 17 +++++++++++------ chrony.sysusers | 2 ++ 2 files changed, 13 insertions(+), 6 deletions(-) create mode 100644 chrony.sysusers diff --git a/chrony.spec b/chrony.spec index 16676c6..fcbe5da 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: An NTP client/server License: GPLv2 @@ -18,6 +18,7 @@ Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerel Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc Source3: chrony.dhclient +Source4: chrony.sysusers # simulator for test suite Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} @@ -32,8 +33,8 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} %{?with_seccomp:BuildRequires: libseccomp-devel} -Requires(pre): shadow-utils %{?systemd_requires} +%{?sysusers_requires_compat} # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 
@@ -117,6 +118,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d} mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d mkdir -p $RPM_BUILD_ROOT%{_libexecdir} +mkdir -p $RPM_BUILD_ROOT%{_sysusersdir} mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d} @@ -137,6 +139,8 @@ install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service +install -m 644 -p %{SOURCE4} \ + $RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < /dev/null || /usr/sbin/groupadd -r chrony -getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \ - -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony -: +%sysusers_create_compat %{SOURCE4} %post # migrate from chrony-helper to sourcedir directive @@ -193,6 +194,7 @@ fi %{_prefix}/lib/NetworkManager %{_prefix}/lib/systemd/ntp-units.d/*.list %{_unitdir}/chrony*.service +%{_sysusersdir}/chrony.conf %{_mandir}/man[158]/%{name}*.[158]* %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift @@ -200,6 +202,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue May 24 2022 Luca BRUNO - 4.2-6 +- Add a sysusers.d fragment for chrony user/group + * Wed Feb 16 2022 Zbigniew Jędrzejewski-Szmek - 4.2-5 - Drop obsolete workaround in scriptlet diff --git a/chrony.sysusers b/chrony.sysusers new file mode 100644 index 0000000..b02f5fe --- /dev/null +++ b/chrony.sysusers @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u chrony - "chrony system user" /var/lib/chrony /sbin/nologin From 9d18b2f3abc3d6675152489bd294e9739c001655 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Wed, 20 Jul 2022 22:54:57 +0000 Subject: [PATCH 076/137] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index fcbe5da..e95bbc8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 6%{?dist} +Release: 7%{?dist} Summary: An NTP client/server License: GPLv2 @@ -202,6 +202,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 20 2022 Fedora Release Engineering - 4.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Tue May 24 2022 Luca BRUNO - 4.2-6 - Add a sysusers.d fragment for chrony user/group From 7a0122bf71a0a365e8830d2400d270ec583d95ec Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 11 Aug 2022 11:20:45 +0200 Subject: [PATCH 077/137] update to 4.3-pre1 --- .gitignore | 6 +- chrony-nm-dispatcher-dhcp.patch | 112 +------------------------------- chrony-seccomp.patch | 31 --------- chrony.spec | 10 ++- sources | 6 +- 5 files changed, 11 insertions(+), 154 deletions(-) delete mode 100644 chrony-seccomp.patch diff --git a/.gitignore b/.gitignore index c143a9a..788b938 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.2.tar.gz -/chrony-4.2-tar-gz-asc.txt -/clknetsim-470b5e.tar.gz +/chrony-4.3-pre1.tar.gz +/chrony-4.3-pre1-tar-gz-asc.txt +/clknetsim-f00531.tar.gz diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch index d4d02c8..dd9fc2a 100644 --- a/chrony-nm-dispatcher-dhcp.patch +++ b/chrony-nm-dispatcher-dhcp.patch 
@@ -1,113 +1,3 @@ -commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14 -Author: Miroslav Lichvar -Date: Mon Feb 7 13:27:25 2022 +0100 - - examples: support DHCPv6 NTP servers in NM dispatcher script - - Latest NetworkManager code provides NTP servers from the DHCPv6 NTP - option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher - scripts. - - Check for invalid characters (which can come from the FQDN suboption) - and include the servers in the interface-specific sources file. - -diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp -index 6ea4c370..4454f037 100644 ---- a/examples/chrony.nm-dispatcher.dhcp -+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -1,8 +1,7 @@ - #!/bin/sh - # This is a NetworkManager dispatcher script for chronyd to update --# its NTP sources passed from DHCP options. Note that this script is --# specific to NetworkManager-dispatcher due to use of the --# DHCP4_NTP_SERVERS environment variable. -+# its NTP sources with servers from DHCP options passed by NetworkManager -+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables. - - export LC_ALL=C - -@@ -10,17 +9,19 @@ interface=$1 - action=$2 - - chronyc=/usr/bin/chronyc --default_server_options=iburst -+server_options=iburst - server_dir=/var/run/chrony-dhcp - - dhcp_server_file=$server_dir/$interface.sources --# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. 
--nm_dhcp_servers=$DHCP4_NTP_SERVERS -+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" - - add_servers_from_dhcp() { - rm -f "$dhcp_server_file" -- for server in $nm_dhcp_servers; do -- echo "server $server $default_server_options" >> "$dhcp_server_file" -+ for server in $dhcp_ntp_servers; do -+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) -+ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue -+ -+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" - done - $chronyc reload sources > /dev/null 2>&1 || : - } -@@ -34,10 +35,11 @@ clear_servers_from_dhcp() { - - mkdir -p $server_dir - --if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then -- add_servers_from_dhcp --elif [ "$action" = "down" ]; then -- clear_servers_from_dhcp --fi -+case "$action" in -+ up|dhcp4-change|dhcp6-change) -+ add_servers_from_dhcp;; -+ down) -+ clear_servers_from_dhcp;; -+esac - - exit 0 - -commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf -Author: Miroslav Lichvar -Date: Mon Feb 7 13:27:48 2022 +0100 - - examples: handle more actions in NM dispatcher script - - Run the chronyc onoffline command also when the connectivity-change - and dhcp6-change actions are reported by the NetworkManager dispatcher. - - The latter should not be necessary, but there currently doesn't seem to - be any action for IPv6 becoming routable after duplicate address - detection, so at least in networks using DHCPv6, IPv6 NTP servers should - not be stuck in the offline state from a previously reported action. 
- -diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline -index 34cfa0db..01e6fdb1 100644 ---- a/examples/chrony.nm-dispatcher.onoffline -+++ b/examples/chrony.nm-dispatcher.onoffline -@@ -7,8 +7,18 @@ export LC_ALL=C - - chronyc=/usr/bin/chronyc - --# For NetworkManager consider only up/down events --[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0 -+# For NetworkManager consider only selected events -+if [ $# -ge 2 ]; then -+ case "$2" in -+ up|down|connectivity-change) -+ ;; -+ dhcp6-change) -+ # No other action is reported for routable IPv6 -+ ;; -+ *) -+ exit 0;; -+ esac -+fi - - # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off - From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig @@ -146,4 +36,4 @@ index 6ea4c37..a6ad35a 100644 + for server in $dhcp_ntp_servers; do # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) - printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue + len1=$(printf '%s' "$server" | wc -c) diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch deleted file mode 100644 index 523759c..0000000 --- a/chrony-seccomp.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d -Author: Michael Hudson-Doyle -Date: Wed Feb 9 09:06:13 2022 +0100 - - sys_linux: allow rseq in seccomp filter - - Libc 2.35 will use rseq syscalls [1][2] by default and thereby - break chrony in seccomp isolation. - - [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/ - [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html - - Tested-by: Christian Ehrhardt - Reviewed-by: Christian Ehrhardt - Signed-off-by: Michael Hudson-Doyle - 
Signed-off-by: Christian Ehrhardt - -diff --git a/sys_linux.c b/sys_linux.c -index 9cab2efa..cc3c9311 100644 ---- a/sys_linux.c -+++ b/sys_linux.c -@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - SCMP_SYS(getrlimit), - SCMP_SYS(getuid), - SCMP_SYS(getuid32), -+#ifdef __NR_rseq -+ SCMP_SYS(rseq), -+#endif - SCMP_SYS(rt_sigaction), - SCMP_SYS(rt_sigreturn), - SCMP_SYS(rt_sigprocmask), diff --git a/chrony.spec b/chrony.spec index e95bbc8..8536a46 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 470b5e +%global prerelease -pre1 +%global clknetsim_ver f00531 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.2 +Version: 4.3 Release: 7%{?dist} Summary: An NTP client/server @@ -25,8 +26,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# update seccomp filter for latest glibc -Patch2: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -58,7 +57,6 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -68,7 +66,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - 5d0c4758207a89a9a19471177b1107b9 examples/chrony.nm-dispatcher.dhcp + c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service EOF 
diff --git a/sources b/sources index 2cf5a81..e5d4b3b 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.2.tar.gz) = 7f946b27de605b3ebea62cf23916dfad77c99e8b2338ba239ede6b8216ce436b3d4d87770f371c8d8e006507c51d5c831b51f067957abd2935adfdec3f5aa67d -SHA512 (chrony-4.2-tar-gz-asc.txt) = d8ae4b540ce3529a5a72e10c14765a33ca6fc41529b6fdc9928fb171f25bd6fb87f930b7783638892f42f4cbcfaab4cb1064c930bae1d5204a71babad72b6e10 -SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413 +SHA512 (chrony-4.3-pre1.tar.gz) = 6a97b11cd7604808aa57db8cd67ae854391ef2bca84bb0256c043464e33683e15682a8ebadec3d2fcca83203d2c731953dfd4972976fe193246ca4af7fb7e0e7 +SHA512 (chrony-4.3-pre1-tar-gz-asc.txt) = 3a9cd53fcd0f2842241817d5bdeb3c6151eec9e1d0864ae4a89a2d7b93924ac28be7d4f090a32b99ab4b229437d027c2663bb552433182a97eca347175138164 +SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5 From b580bc676c24396eba9b89a80bdcdcda0232e4f1 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 11 Aug 2022 11:23:32 +0200 Subject: [PATCH 078/137] 4.3-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 8536a46..f7b0f6a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.3 -Release: 7%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -200,6 +200,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Aug 11 2022 Miroslav Lichvar 4.3-0.1.pre1 +- update to 4.3-pre1 + * Wed Jul 20 2022 Fedora Release Engineering - 4.2-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From cd216d6ebb6c520cea8b5c8aef7bc35ee499c9ad Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 31 Aug 2022 14:54:34 +0200 Subject: [PATCH 079/137] update to 4.3 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 788b938..57bb59a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.3-pre1.tar.gz -/chrony-4.3-pre1-tar-gz-asc.txt +/chrony-4.3.tar.gz +/chrony-4.3-tar-gz-asc.txt /clknetsim-f00531.tar.gz diff --git a/chrony.spec b/chrony.spec index f7b0f6a..c1c0b58 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,4 @@ %global _hardened_build 1 -%global prerelease -pre1 %global clknetsim_ver f00531 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index e5d4b3b..f352bac 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.3-pre1.tar.gz) = 6a97b11cd7604808aa57db8cd67ae854391ef2bca84bb0256c043464e33683e15682a8ebadec3d2fcca83203d2c731953dfd4972976fe193246ca4af7fb7e0e7 -SHA512 (chrony-4.3-pre1-tar-gz-asc.txt) = 3a9cd53fcd0f2842241817d5bdeb3c6151eec9e1d0864ae4a89a2d7b93924ac28be7d4f090a32b99ab4b229437d027c2663bb552433182a97eca347175138164 +SHA512 (chrony-4.3.tar.gz) = 1394bac3ed684352fe89b7fef7da50e61f9f522abee807627ae1fc4c2dde891017bc8e5b13759fced028f3a1e875d5e4e5a4f85de65c63b5f83d0ca03bb4c5df +SHA512 (chrony-4.3-tar-gz-asc.txt) = 300b06f253ac3727edb86a1b7c337f9529ee752bbb471b266217b6a8ac5183e827264177a3210d436425d746673bf11fbdc41da145673213e28165197c6c76b7 SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5 From ca4d1cf061ae6b7a55c01821646b9fc3a9cbe4de Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 31 Aug 2022 15:01:50 +0200 Subject: [PATCH 080/137] 4.3-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c1c0b58..7fa5835 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -9,7 +9,7 @@ Name: chrony Version: 4.3 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 31 2022 Miroslav Lichvar 4.3-1 +- update to 4.3 + * Thu Aug 11 2022 Miroslav Lichvar 4.3-0.1.pre1 - update to 4.3-pre1 From ad0b95f5215380aec9d453548d0eb4c9e38c81a7 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 18 Jan 2023 23:50:34 +0000 Subject: [PATCH 081/137] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 7fa5835..4115eb2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jan 18 2023 Fedora Release Engineering - 4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Wed Aug 31 2022 Miroslav Lichvar 4.3-1 - update to 4.3 From 95d7d27489b2d8bbe9a2bf7f26191a2ccf9be1a8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 24 Jan 2023 16:22:40 +0100 Subject: [PATCH 082/137] convert license tag to SPDX --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 4115eb2..8506a31 100644 --- a/chrony.spec +++ b/chrony.spec @@ -12,7 +12,7 @@ Version: 4.3 Release: 2%{?dist} Summary: An NTP client/server -License: GPLv2 +License: GPL-2.0-only URL: https://chrony.tuxfamily.org Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt From 906e072deb3d572ce89d45a03812b7457a17decd Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 25 Jan 2023 15:16:13 +0100 Subject: [PATCH 083/137] add chronyd-restricted service for minimal NTP client configurations --- chrony-restricted.patch | 79 +++++++++++++++++++++++++++++++++++++++++ chrony.spec | 12 +++++-- 2 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 chrony-restricted.patch diff --git a/chrony-restricted.patch b/chrony-restricted.patch new file mode 100644 index 0000000..930e814 --- /dev/null +++ b/chrony-restricted.patch 
@@ -0,0 +1,79 @@ +commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4 +Author: Miroslav Lichvar +Date: Tue Jan 10 15:02:49 2023 +0100 + + examples: add chronyd-restricted.service + + This is a more restricted version of the chronyd service intended for + minimal NTP/NTS client configurations. The daemon is started without + root privileges and is allowed to write only to its own runtime, state, + and log directories. It cannot bind to privileged ports in order to + operate as an NTP server, or provide monitoring access over IPv4/IPv6. + It cannot use reference clocks, HW timestamping, RTC tracking, and other + features. + +diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service +new file mode 100644 +index 00000000..50998338 +--- /dev/null ++++ b/examples/chronyd-restricted.service +@@ -0,0 +1,59 @@ ++# This is a more restricted version of the chronyd service intended for ++# minimal NTP/NTS client configurations. The daemon is started without root ++# privileges and is allowed to write only to its own runtime, state, and log ++# directories. It cannot bind to privileged ports in order to operate as an ++# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use ++# reference clocks, HW timestamping, RTC tracking, and other features. 
++[Unit] ++Description=NTP client (restricted) ++Documentation=man:chronyd(8) man:chrony.conf(5) ++After=chronyd.service ntpdate.service sntp.service ntpd.service ++Conflicts=chronyd.service ntpd.service systemd-timesyncd.service ++ConditionCapability=CAP_SYS_TIME ++ ++[Service] ++Type=forking ++PIDFile=/run/chrony/chronyd.pid ++EnvironmentFile=-/etc/sysconfig/chronyd ++ExecStart=/usr/sbin/chronyd -U $OPTIONS ++ ++User=chrony ++LogsDirectory=chrony ++LogsDirectoryMode=0750 ++RuntimeDirectory=chrony ++RuntimeDirectoryMode=0750 ++RuntimeDirectoryPreserve=restart ++StateDirectory=chrony ++StateDirectoryMode=0750 ++ ++AmbientCapabilities=CAP_SYS_TIME ++CapabilityBoundingSet=CAP_SYS_TIME ++DevicePolicy=closed ++LockPersonality=yes ++MemoryDenyWriteExecute=yes ++NoNewPrivileges=yes ++PrivateDevices=yes ++PrivateTmp=yes ++# This breaks adjtimex() ++#PrivateUsers=yes ++ProcSubset=pid ++ProtectControlGroups=yes ++ProtectHome=yes ++ProtectHostname=yes ++ProtectKernelLogs=yes ++ProtectKernelModules=yes ++ProtectKernelTunables=yes ++ProtectProc=invisible ++ProtectSystem=strict ++RemoveIPC=yes ++RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX ++RestrictNamespaces=yes ++RestrictRealtime=yes ++RestrictSUIDSGID=yes ++SystemCallArchitectures=native ++SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io ++SystemCallFilter=~@reboot @resources @swap ++UMask=0077 ++ ++[Install] ++WantedBy=multi-user.target diff --git a/chrony.spec b/chrony.spec index 8506a31..01f924d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -25,6 +25,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# add chronyd-restricted service +Patch2: chrony-restricted.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 
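Review bot: The two `SystemCallFilter=~…` lines in the new chronyd-restricted.service are deny-lists, so every system call outside the named groups stays reachable, including calls introduced by later kernels. For a unit whose stated purpose is a minimal NTP/NTS client, an allow-list is the stricter form, for example `SystemCallFilter=@system-service @clock` placed before the existing `~` exclusions. This would need testing against chronyd's actual syscall use before shipping. Since the file is a backport of an upstream example, the change is better proposed upstream than carried as a local difference.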
@@ -56,6 +58,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp +%patch2 -p1 -b .restricted %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -68,6 +71,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service + f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone @@ -130,6 +134,8 @@ install -m 644 -p examples/chrony.logrotate \ install -m 644 -p examples/chronyd.service \ $RPM_BUILD_ROOT%{_unitdir}/chronyd.service +install -m 644 -p examples/chronyd-restricted.service \ + $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service install -m 755 -p examples/chrony.nm-dispatcher.onoffline \ $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ @@ -169,13 +175,13 @@ if test -a %{_libexecdir}/chrony-helper; then sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources" done 2> /dev/null fi -%systemd_post chronyd.service chrony-wait.service +%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service %preun -%systemd_preun chronyd.service chrony-wait.service +%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service %postun -%systemd_postun_with_restart chronyd.service +%systemd_postun_with_restart chronyd.service chronyd-restricted.service %files %{!?_licensedir:%global license %%doc} From f078395411559297198a1ec8987715161a42c797 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 25 Jan 2023 16:42:23 +0100 Subject: [PATCH 084/137] drop default chrony.keys config (#2104918) --- chrony-keyaccess.patch | 191 +++++++++++++++++++++++++++++++++++++++++ chrony.spec | 13 ++- 2 files changed, 197 insertions(+), 7 deletions(-) create mode 100644 chrony-keyaccess.patch diff --git a/chrony-keyaccess.patch b/chrony-keyaccess.patch new file mode 100644 index 0000000..4beedd8 --- /dev/null +++ b/chrony-keyaccess.patch 
@@ -0,0 +1,191 @@ +commit 9cba9c8585bc5ebf19bafece118fb2362090547c +Author: Miroslav Lichvar +Date: Thu Jan 19 16:09:40 2023 +0100 + + keys+nts: warn if loading world-readable/writable key + + Log a warning message if the file specified by the keyfile or + ntsserverkey directive is world-readable or writable, which is likely + an insecure misconfiguration. There is no check of directories + containing the file. + +diff --git a/keys.c b/keys.c +index 11f8b761..9225e6cd 100644 +--- a/keys.c ++++ b/keys.c +@@ -182,6 +182,9 @@ KEY_Reload(void) + if (!key_file) + return; + ++ if (!UTI_CheckFilePermissions(key_file, 0771)) ++ ; ++ + in = UTI_OpenFile(NULL, key_file, NULL, 'r', 0); + if (!in) { + LOG(LOGS_WARN, "Could not open keyfile %s", key_file); +diff --git a/nts_ke_session.c b/nts_ke_session.c +index dfcd18ab..2ae1e915 100644 +--- a/nts_ke_session.c ++++ b/nts_ke_session.c +@@ -667,6 +667,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys, + assert(0); + + for (i = 0; i < n_certs_keys; i++) { ++ if (!UTI_CheckFilePermissions(keys[i], 0771)) ++ ; + r = gnutls_certificate_set_x509_key_file(credentials, certs[i], keys[i], + GNUTLS_X509_FMT_PEM); + if (r < 0) +diff --git a/util.c b/util.c +index 064292ce..4b9d30ee 100644 +--- a/util.c ++++ b/util.c +@@ -1248,6 +1248,29 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) + + /* ================================================== */ + ++int ++UTI_CheckFilePermissions(const char *path, mode_t perm) ++{ ++ mode_t extra_perm; ++ struct stat buf; ++ ++ if (stat(path, &buf) < 0 || !S_ISREG(buf.st_mode)) { ++ /* Not considered an error */ ++ return 1; ++ } ++ ++ extra_perm = (buf.st_mode & 0777) & ~perm; ++ if (extra_perm != 0) { ++ LOG(LOGS_WARN, "%s permissions on %s", extra_perm & 0006 ? ++ (extra_perm & 0004 ? 
"World-readable" : "World-writable") : "Wrong", path); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ================================================== */ ++ + static int + join_path(const char *basedir, const char *name, const char *suffix, + char *buffer, size_t length, LOG_Severity severity) +diff --git a/util.h b/util.h +index 4655e537..6844798c 100644 +--- a/util.h ++++ b/util.h +@@ -196,6 +196,10 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid + permissions and its uid/gid must match the specified values. */ + extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); + ++/* Check and log a warning message if a file has more permissions than ++ specified. It does not return error if it is not an accessible file. */ ++extern int UTI_CheckFilePermissions(const char *path, mode_t perm); ++ + /* Open a file. The full path of the file is constructed from the basedir + (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). + Created files have specified permissions (umasked). Returns NULL on error. + +commit 883b0dde946105e0910456a0bebb24d57fecb0fc +Author: Miroslav Lichvar +Date: Wed Jan 25 14:29:06 2023 +0100 + + conf: warn if not having read-only access to keys + + After dropping root privileges, log a warning message if chronyd + doesn't have read access or has (unnecessary) write access to the + files containing symmetric and server NTS keys. 
+ +diff --git a/conf.c b/conf.c +index 9f42a426..0597836d 100644 +--- a/conf.c ++++ b/conf.c +@@ -1774,6 +1774,19 @@ CNF_CreateDirs(uid_t uid, gid_t gid) + + /* ================================================== */ + ++void ++CNF_CheckReadOnlyAccess(void) ++{ ++ unsigned int i; ++ ++ if (keys_file) ++ UTI_CheckReadOnlyAccess(keys_file); ++ for (i = 0; i < ARR_GetSize(nts_server_key_files); i++) ++ UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i)); ++} ++ ++/* ================================================== */ ++ + void + CNF_AddInitSources(void) + { +diff --git a/conf.h b/conf.h +index 11fd11df..d7acb4fd 100644 +--- a/conf.h ++++ b/conf.h +@@ -44,6 +44,8 @@ extern void CNF_ParseLine(const char *filename, int number, char *line); + + extern void CNF_CreateDirs(uid_t uid, gid_t gid); + ++extern void CNF_CheckReadOnlyAccess(void); ++ + extern void CNF_AddInitSources(void); + extern void CNF_AddSources(void); + extern void CNF_AddBroadcasts(void); +diff --git a/main.c b/main.c +index c40b5e4b..31e3c8f0 100644 +--- a/main.c ++++ b/main.c +@@ -637,9 +637,13 @@ int main + } + + /* Drop root privileges if the specified user has a non-zero UID */ +- if (!geteuid() && (pw->pw_uid || pw->pw_gid)) ++ if (!geteuid() && (pw->pw_uid || pw->pw_gid)) { + SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS); + ++ /* Warn if missing read access or having write access to keys */ ++ CNF_CheckReadOnlyAccess(); ++ } ++ + if (!geteuid()) + LOG(LOGS_WARN, "Running with root privileges"); + +diff --git a/util.c b/util.c +index 4b9d30ee..0321720e 100644 +--- a/util.c ++++ b/util.c +@@ -1271,6 +1271,17 @@ UTI_CheckFilePermissions(const char *path, mode_t perm) + + /* ================================================== */ + ++void ++UTI_CheckReadOnlyAccess(const char *path) ++{ ++ if (access(path, R_OK) != 0 && errno != ENOENT) ++ LOG(LOGS_WARN, "Missing read access to %s : %s", path, strerror(errno)); ++ if (access(path, W_OK) == 0) ++ LOG(LOGS_WARN, "Having write 
access to %s", path); ++} ++ ++/* ================================================== */ ++ + static int + join_path(const char *basedir, const char *name, const char *suffix, + char *buffer, size_t length, LOG_Severity severity) +diff --git a/util.h b/util.h +index 6844798c..d8e25dee 100644 +--- a/util.h ++++ b/util.h +@@ -200,6 +200,10 @@ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid + specified. It does not return error if it is not an accessible file. */ + extern int UTI_CheckFilePermissions(const char *path, mode_t perm); + ++/* Log a warning message if not having read access or having write access ++ to a file/directory */ ++extern void UTI_CheckReadOnlyAccess(const char *path); ++ + /* Open a file. The full path of the file is constructed from the basedir + (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). + Created files have specified permissions (umasked). Returns NULL on error. diff --git a/chrony.spec b/chrony.spec index 01f924d..3744814 100644 --- a/chrony.spec +++ b/chrony.spec @@ -27,6 +27,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch # add chronyd-restricted service Patch2: chrony-restricted.patch +# warn if keys are world-accessible or chronyd doesn't have read-only access +Patch3: chrony-keyaccess.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -59,6 +61,7 @@ service to other computers in the network. %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp %patch2 -p1 -b .restricted +%patch3 -p1 -b .keyaccess %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} 
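Review bot: In the main.c part of this backport, `CNF_CheckReadOnlyAccess()` is called only inside the `if (!geteuid() && (pw->pw_uid || pw->pw_gid))` block, so it is skipped when chronyd is started already unprivileged. That is the case for the chronyd-restricted.service shipped by Patch2, which sets `User=chrony`, so a key file that the chrony user can write to or cannot read produces no warning there. Calling it after the block whenever the process is not root, e.g. `if (geteuid()) CNF_CheckReadOnlyAccess();`, would cover both start-up paths; main() continues outside the hunk, so this should be checked against the full function. Separately, `UTI_CheckFilePermissions` reports a file that is both world-readable and world-writable only as "World-readable".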
@@ -66,7 +69,6 @@ service to other computers in the network. md5sum -c <<-EOF | (! grep -v 'OK$') b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 - 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline @@ -80,11 +82,9 @@ test -n "%{vendorzone}" # use example chrony.conf as the default config with some modifications: # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses) # - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata -# - enable keyfile # - use NTP servers from DHCP sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ -e 's|#\(leapsectz\)|\1|' \ - -e 's|#\(keyfile\)|\1|' \ -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \ < examples/chrony.conf.example2 > chrony.conf @@ -125,8 +125,6 @@ mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d} install -m 644 -p chrony.conf $RPM_BUILD_ROOT%{_sysconfdir}/chrony.conf -install -m 640 -p examples/chrony.keys.example \ - $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys install -m 755 -p %{SOURCE3} \ $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d/chrony.sh install -m 644 -p examples/chrony.logrotate \ @@ -150,6 +148,7 @@ cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < \ 
@@ -186,9 +185,9 @@ fi %files %{!?_licensedir:%global license %%doc} %license COPYING -%doc FAQ NEWS README +%doc FAQ NEWS README examples/chrony.keys.example %config(noreplace) %{_sysconfdir}/chrony.conf -%config(noreplace) %verify(not md5 size mtime) %attr(640,root,chrony) %{_sysconfdir}/chrony.keys +%ghost %config %attr(640,root,chrony) %{_sysconfdir}/chrony.keys %config(noreplace) %{_sysconfdir}/logrotate.d/chrony %config(noreplace) %{_sysconfdir}/sysconfig/chronyd %{_sysconfdir}/dhcp/dhclient.d/chrony.sh From e8775477fe6c92fa7220b09b29b253f2f3763bcf Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 25 Jan 2023 16:47:23 +0100 Subject: [PATCH 085/137] 4.3-3 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 3744814..532f6ef 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -204,6 +204,11 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jan 25 2023 Miroslav Lichvar 4.3-3 +- drop default chrony.keys config (#2104918) +- add chronyd-restricted service for minimal NTP client configurations +- convert license tag to SPDX + * Wed Jan 18 2023 Fedora Release Engineering - 4.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 08a5b8042dc6d97cdefea10382e2c162abdf8a91 Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Mon, 17 Apr 2023 18:47:07 +0200 Subject: [PATCH 086/137] Adding fmf plans and gating --- ci.fmf | 1 + gating.yaml | 21 ++++++++++++++++----- plans/ci.fmf | 6 ------ plans/public.fmf | 6 ++++++ plans/tier1-internal.fmf | 12 ++++++++++++ 5 files changed, 35 insertions(+), 11 deletions(-) create mode 100644 ci.fmf delete mode 100644 plans/ci.fmf create mode 100644 plans/public.fmf create mode 100644 plans/tier1-internal.fmf diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..c5aa0e0 
--- /dev/null +++ b/ci.fmf @@ -0,0 +1 @@ +resultsdb-testcase: separate diff --git a/gating.yaml b/gating.yaml index f458db9..de5c323 100644 --- a/gating.yaml +++ b/gating.yaml @@ -1,16 +1,27 @@ --- !Policy product_versions: - fedora-* -decision_contexts: [bodhi_update_push_testing] +decision_context: bodhi_update_push_testing subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} -# rawhide +#Rawhide --- !Policy product_versions: - fedora-* -decision_contexts: [bodhi_update_push_stable] +decision_context: bodhi_update_push_stable subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} + +#gating rhel +--- !Policy +product_versions: + - rhel-* +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional} + - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/public.functional} diff --git a/plans/ci.fmf b/plans/ci.fmf deleted file mode 100644 index 7834d37..0000000 --- a/plans/ci.fmf +++ /dev/null @@ -1,6 +0,0 @@ -summary: Test plan that runs all tests from tests repo. -discover: - how: fmf - url: https://src.fedoraproject.org/tests/chrony.git -execute: - how: tmt diff --git a/plans/public.fmf b/plans/public.fmf new file mode 100644 index 0000000..cff1391 --- /dev/null +++ b/plans/public.fmf @@ -0,0 +1,6 @@ +summary: Test plan with all Fedora tests +discover: + how: fmf + url: https://src.fedoraproject.org/tests/chrony.git +execute: + how: tmt 
diff --git a/plans/tier1-internal.fmf b/plans/tier1-internal.fmf new file mode 100644 index 0000000..9714336 --- /dev/null +++ b/plans/tier1-internal.fmf @@ -0,0 +1,12 @@ +summary: CI plan, picks internal Tier1 tests, runs in beakerlib. +discover: + - name: rhel + how: fmf + filter: 'tier: 1' + url: git://pkgs.devel.redhat.com/tests/chrony +execute: + how: tmt +adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. From e3bd39f52e4418bee9f0d3c1abcebe592b09d458 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:51:12 +0200 Subject: [PATCH 087/137] update to 4.4-pre1 --- .gitignore | 6 +- chrony-keyaccess.patch | 191 ---------------------------------------- chrony-restricted.patch | 79 ----------------- chrony.spec | 13 +-- sources | 6 +- 5 files changed, 10 insertions(+), 285 deletions(-) delete mode 100644 chrony-keyaccess.patch delete mode 100644 chrony-restricted.patch diff --git a/.gitignore b/.gitignore index 57bb59a..b393483 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.3.tar.gz -/chrony-4.3-tar-gz-asc.txt -/clknetsim-f00531.tar.gz +/chrony-4.4-pre1.tar.gz +/chrony-4.4-pre1-tar-gz-asc.txt +/clknetsim-13b0a5.tar.gz diff --git a/chrony-keyaccess.patch b/chrony-keyaccess.patch deleted file mode 100644 index 4beedd8..0000000 --- a/chrony-keyaccess.patch +++ /dev/null 
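Review bot: The `url:` in plans/tier1-internal.fmf uses the `git://` scheme, which provides no transport encryption or server authentication, so the test code fetched for the `osci_compose_gate` rules in gating.yaml is not integrity-protected on the wire. plans/public.fmf in the same commit already uses `https://`; the internal plan should use an authenticated transport as well if that host offers one. Neither plan sets a `ref:`, so both follow whatever the default branch holds at run time; pinning a ref would make gating results reproducible.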
@@ -1,191 +0,0 @@ -commit 9cba9c8585bc5ebf19bafece118fb2362090547c -Author: Miroslav Lichvar -Date: Thu Jan 19 16:09:40 2023 +0100 - - keys+nts: warn if loading world-readable/writable key - - Log a warning message if the file specified by the keyfile or - ntsserverkey directive is world-readable or writable, which is likely - an insecure misconfiguration. There is no check of directories - containing the file. - -diff --git a/keys.c b/keys.c -index 11f8b761..9225e6cd 100644 ---- a/keys.c -+++ b/keys.c -@@ -182,6 +182,9 @@ KEY_Reload(void) - if (!key_file) - return; - -+ if (!UTI_CheckFilePermissions(key_file, 0771)) -+ ; -+ - in = UTI_OpenFile(NULL, key_file, NULL, 'r', 0); - if (!in) { - LOG(LOGS_WARN, "Could not open keyfile %s", key_file); -diff --git a/nts_ke_session.c b/nts_ke_session.c -index dfcd18ab..2ae1e915 100644 ---- a/nts_ke_session.c -+++ b/nts_ke_session.c -@@ -667,6 +667,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys, - assert(0); - - for (i = 0; i < n_certs_keys; i++) { -+ if (!UTI_CheckFilePermissions(keys[i], 0771)) -+ ; - r = gnutls_certificate_set_x509_key_file(credentials, certs[i], keys[i], - GNUTLS_X509_FMT_PEM); - if (r < 0) -diff --git a/util.c b/util.c -index 064292ce..4b9d30ee 100644 ---- a/util.c -+++ b/util.c -@@ -1248,6 +1248,29 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) - - /* ================================================== */ - -+int -+UTI_CheckFilePermissions(const char *path, mode_t perm) -+{ -+ mode_t extra_perm; -+ struct stat buf; -+ -+ if (stat(path, &buf) < 0 || !S_ISREG(buf.st_mode)) { -+ /* Not considered an error */ -+ return 1; -+ } -+ -+ extra_perm = (buf.st_mode & 0777) & ~perm; -+ if (extra_perm != 0) { -+ LOG(LOGS_WARN, "%s permissions on %s", extra_perm & 0006 ? -+ (extra_perm & 0004 ? 
"World-readable" : "World-writable") : "Wrong", path); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+/* ================================================== */ -+ - static int - join_path(const char *basedir, const char *name, const char *suffix, - char *buffer, size_t length, LOG_Severity severity) -diff --git a/util.h b/util.h -index 4655e537..6844798c 100644 ---- a/util.h -+++ b/util.h -@@ -196,6 +196,10 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid - permissions and its uid/gid must match the specified values. */ - extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); - -+/* Check and log a warning message if a file has more permissions than -+ specified. It does not return error if it is not an accessible file. */ -+extern int UTI_CheckFilePermissions(const char *path, mode_t perm); -+ - /* Open a file. The full path of the file is constructed from the basedir - (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). - Created files have specified permissions (umasked). Returns NULL on error. - -commit 883b0dde946105e0910456a0bebb24d57fecb0fc -Author: Miroslav Lichvar -Date: Wed Jan 25 14:29:06 2023 +0100 - - conf: warn if not having read-only access to keys - - After dropping root privileges, log a warning message if chronyd - doesn't have read access or has (unnecessary) write access to the - files containing symmetric and server NTS keys. 
- -diff --git a/conf.c b/conf.c -index 9f42a426..0597836d 100644 ---- a/conf.c -+++ b/conf.c -@@ -1774,6 +1774,19 @@ CNF_CreateDirs(uid_t uid, gid_t gid) - - /* ================================================== */ - -+void -+CNF_CheckReadOnlyAccess(void) -+{ -+ unsigned int i; -+ -+ if (keys_file) -+ UTI_CheckReadOnlyAccess(keys_file); -+ for (i = 0; i < ARR_GetSize(nts_server_key_files); i++) -+ UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i)); -+} -+ -+/* ================================================== */ -+ - void - CNF_AddInitSources(void) - { -diff --git a/conf.h b/conf.h -index 11fd11df..d7acb4fd 100644 ---- a/conf.h -+++ b/conf.h -@@ -44,6 +44,8 @@ extern void CNF_ParseLine(const char *filename, int number, char *line); - - extern void CNF_CreateDirs(uid_t uid, gid_t gid); - -+extern void CNF_CheckReadOnlyAccess(void); -+ - extern void CNF_AddInitSources(void); - extern void CNF_AddSources(void); - extern void CNF_AddBroadcasts(void); -diff --git a/main.c b/main.c -index c40b5e4b..31e3c8f0 100644 ---- a/main.c -+++ b/main.c -@@ -637,9 +637,13 @@ int main - } - - /* Drop root privileges if the specified user has a non-zero UID */ -- if (!geteuid() && (pw->pw_uid || pw->pw_gid)) -+ if (!geteuid() && (pw->pw_uid || pw->pw_gid)) { - SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS); - -+ /* Warn if missing read access or having write access to keys */ -+ CNF_CheckReadOnlyAccess(); -+ } -+ - if (!geteuid()) - LOG(LOGS_WARN, "Running with root privileges"); - -diff --git a/util.c b/util.c -index 4b9d30ee..0321720e 100644 ---- a/util.c -+++ b/util.c -@@ -1271,6 +1271,17 @@ UTI_CheckFilePermissions(const char *path, mode_t perm) - - /* ================================================== */ - -+void -+UTI_CheckReadOnlyAccess(const char *path) -+{ -+ if (access(path, R_OK) != 0 && errno != ENOENT) -+ LOG(LOGS_WARN, "Missing read access to %s : %s", path, strerror(errno)); -+ if (access(path, W_OK) == 0) -+ LOG(LOGS_WARN, "Having write 
access to %s", path); -+} -+ -+/* ================================================== */ -+ - static int - join_path(const char *basedir, const char *name, const char *suffix, - char *buffer, size_t length, LOG_Severity severity) -diff --git a/util.h b/util.h -index 6844798c..d8e25dee 100644 ---- a/util.h -+++ b/util.h -@@ -200,6 +200,10 @@ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid - specified. It does not return error if it is not an accessible file. */ - extern int UTI_CheckFilePermissions(const char *path, mode_t perm); - -+/* Log a warning message if not having read access or having write access -+ to a file/directory */ -+extern void UTI_CheckReadOnlyAccess(const char *path); -+ - /* Open a file. The full path of the file is constructed from the basedir - (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). - Created files have specified permissions (umasked). Returns NULL on error. diff --git a/chrony-restricted.patch b/chrony-restricted.patch deleted file mode 100644 index 930e814..0000000 --- a/chrony-restricted.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4 -Author: Miroslav Lichvar -Date: Tue Jan 10 15:02:49 2023 +0100 - - examples: add chronyd-restricted.service - - This is a more restricted version of the chronyd service intended for - minimal NTP/NTS client configurations. The daemon is started without - root privileges and is allowed to write only to its own runtime, state, - and log directories. It cannot bind to privileged ports in order to - operate as an NTP server, or provide monitoring access over IPv4/IPv6. - It cannot use reference clocks, HW timestamping, RTC tracking, and other - features. - -diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service -new file mode 100644 -index 00000000..50998338 ---- /dev/null -+++ b/examples/chronyd-restricted.service -@@ -0,0 +1,59 @@ -+# This is a more restricted version of the chronyd service intended for -+# minimal NTP/NTS client configurations. The daemon is started without root -+# privileges and is allowed to write only to its own runtime, state, and log -+# directories. It cannot bind to privileged ports in order to operate as an -+# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use -+# reference clocks, HW timestamping, RTC tracking, and other features. 
-+[Unit] -+Description=NTP client (restricted) -+Documentation=man:chronyd(8) man:chrony.conf(5) -+After=chronyd.service ntpdate.service sntp.service ntpd.service -+Conflicts=chronyd.service ntpd.service systemd-timesyncd.service -+ConditionCapability=CAP_SYS_TIME -+ -+[Service] -+Type=forking -+PIDFile=/run/chrony/chronyd.pid -+EnvironmentFile=-/etc/sysconfig/chronyd -+ExecStart=/usr/sbin/chronyd -U $OPTIONS -+ -+User=chrony -+LogsDirectory=chrony -+LogsDirectoryMode=0750 -+RuntimeDirectory=chrony -+RuntimeDirectoryMode=0750 -+RuntimeDirectoryPreserve=restart -+StateDirectory=chrony -+StateDirectoryMode=0750 -+ -+AmbientCapabilities=CAP_SYS_TIME -+CapabilityBoundingSet=CAP_SYS_TIME -+DevicePolicy=closed -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+NoNewPrivileges=yes -+PrivateDevices=yes -+PrivateTmp=yes -+# This breaks adjtimex() -+#PrivateUsers=yes -+ProcSubset=pid -+ProtectControlGroups=yes -+ProtectHome=yes -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+RemoveIPC=yes -+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -+RestrictNamespaces=yes -+RestrictRealtime=yes -+RestrictSUIDSGID=yes -+SystemCallArchitectures=native -+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io -+SystemCallFilter=~@reboot @resources @swap -+UMask=0077 -+ -+[Install] -+WantedBy=multi-user.target diff --git a/chrony.spec b/chrony.spec index 532f6ef..efe9f89 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver f00531 +%global clknetsim_ver 13b0a5 +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.3 +Version: 4.4 Release: 3%{?dist} Summary: An NTP client/server 
@@ -25,10 +26,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# add chronyd-restricted service -Patch2: chrony-restricted.patch -# warn if keys are world-accessible or chronyd doesn't have read-only access -Patch3: chrony-keyaccess.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -60,8 +57,6 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .restricted -%patch3 -p1 -b .keyaccess %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -71,7 +66,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp - 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline + 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service EOF diff --git a/sources b/sources index f352bac..73edab9 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.3.tar.gz) = 1394bac3ed684352fe89b7fef7da50e61f9f522abee807627ae1fc4c2dde891017bc8e5b13759fced028f3a1e875d5e4e5a4f85de65c63b5f83d0ca03bb4c5df -SHA512 (chrony-4.3-tar-gz-asc.txt) = 300b06f253ac3727edb86a1b7c337f9529ee752bbb471b266217b6a8ac5183e827264177a3210d436425d746673bf11fbdc41da145673213e28165197c6c76b7 -SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5 +SHA512 (chrony-4.4-pre1.tar.gz) = d251f822ff49be0ff691c41e08b2c68ca86c3c3b1896c11d8f72cb72c5d3fde38ec4609ffab2a737faf0824f603b6c36d56a827aacde3b296cadddca59ad7812 +SHA512 (chrony-4.4-pre1-tar-gz-asc.txt) = b03592f26603403eaff2140f640f88408a1bd5be3468cf91fdd221fc9579611bdd475017a5803d7a5b1db08b11e20f260a4af91ee0a4d3b33ae6232b81a109fe +SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a From 55b6de12265b76d0f989c382c0058dbffb783f49 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:51:46 +0200 Subject: [PATCH 088/137] switch from patchX to patch -P X --- chrony.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chrony.spec b/chrony.spec index efe9f89..e6d0be8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -55,8 +55,8 @@ service to other computers in the network. %prep %{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0} %setup -q -n %{name}-%{version}%{?prerelease} -a 10 -%{?gitpatch:%patch0 -p1} -%patch1 -p1 -b .nm-dispatcher-dhcp +%{?gitpatch:%patch -P 0 -p1} +%patch -P 1 -p1 -b .nm-dispatcher-dhcp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From 014a45966ecf6abe66f489916f6d8f1e7ebbfbe5 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 10 May 2023 15:55:45 +0200 Subject: [PATCH 089/137] 4.4-0.1.pre1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index e6d0be8..19bbcb2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 3%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -199,6 +199,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed May 10 2023 Miroslav Lichvar 4.4-0.1.pre1 +- update to 4.4-pre1 +- switch from patchX to patch -P X + * Wed Jan 25 2023 Miroslav Lichvar 4.3-3 - drop default chrony.keys config (#2104918) - add chronyd-restricted service for minimal NTP client configurations From cf4057bdecb7a430406dbc26aa7ac4e017ea6996 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 6 Jun 2023 13:08:16 +0200 Subject: [PATCH 090/137] 4.4-0.2.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 19bbcb2..90bcec0 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.1.pre1%{?dist} +Release: 0.2.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jun 06 2023 Miroslav Lichvar 4.4-0.2.pre1 +- rebuild for AES-GCM-SIV in new nettle + * Wed May 10 2023 Miroslav Lichvar 4.4-0.1.pre1 - update to 4.4-pre1 - switch from patchX to patch -P X From dd472d8c34c2eeb10b4e2bddd3304ae4af48f5d4 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 11:03:16 +0200 Subject: [PATCH 091/137] set selinux context in chronyd-restricted service (#2169949) --- chrony.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/chrony.spec b/chrony.spec index 90bcec0..fe057df 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -85,6 +85,10 @@ sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ touch -r examples/chrony.conf.example2 chrony.conf +# set selinux context in chronyd-restricted service +sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' \ + examples/chronyd-restricted.service + # regenerate the file from getdate.y rm -f getdate.c From 9d4dc9b2d9f09ade23f84cbcfa5ad702b8fd9a81 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 14:32:30 +0200 Subject: [PATCH 092/137] update to 4.4-pre2 --- .gitignore | 4 ++-- chrony.spec | 10 +++++----- sources | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index b393483..62aad8b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4-pre1.tar.gz -/chrony-4.4-pre1-tar-gz-asc.txt +/chrony-4.4-pre2.tar.gz +/chrony-4.4-pre2-tar-gz-asc.txt /clknetsim-13b0a5.tar.gz diff --git a/chrony.spec b/chrony.spec index fe057df..c8ffc8f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,6 @@ %global _hardened_build 1 %global clknetsim_ver 13b0a5 -%global prerelease -pre1 +%global prerelease -pre2 %bcond_without debug %bcond_without nts 
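Review bot: The added `sed -i '/^ExecStart/a SELinuxContext=...'` in %prep exits successfully even when no line matches `^ExecStart`. If a later upstream unit file changes that line, chronyd-restricted.service would be packaged without the SELinux context and the build would still pass. The md5sum list earlier in %prep pins the input file, which helps, but that list is refreshed by hand on each update. I would assert the result right after the edit, in the same spirit as the existing `test -n "%{vendorzone}"` check: `grep -q '^SELinuxContext=system_u:system_r:chronyd_restricted_t:s0$' examples/chronyd-restricted.service`. The `s|#\(leapseclist\)|\1|` substitution in the later 4.6-pre1 commit is the same kind of unverified edit.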
@@ -62,13 +62,13 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service + 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service - f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service + c11159b78b89684eca773db6236a9855 examples/chronyd.service + 46fa3e2d42c8eb9c42e71095686c90ed examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone @@ -155,7 +155,7 @@ echo 'chronyd.service' > \ %check # set random seed to get deterministic results -export CLKNETSIM_RANDOM_SEED=24505 +export CLKNETSIM_RANDOM_SEED=24508 %make_build -C test/simulation/clknetsim make quickcheck diff --git a/sources b/sources index 73edab9..02f0816 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.4-pre1.tar.gz) = d251f822ff49be0ff691c41e08b2c68ca86c3c3b1896c11d8f72cb72c5d3fde38ec4609ffab2a737faf0824f603b6c36d56a827aacde3b296cadddca59ad7812 -SHA512 (chrony-4.4-pre1-tar-gz-asc.txt) = b03592f26603403eaff2140f640f88408a1bd5be3468cf91fdd221fc9579611bdd475017a5803d7a5b1db08b11e20f260a4af91ee0a4d3b33ae6232b81a109fe +SHA512 (chrony-4.4-pre2.tar.gz) = 4919cdbafa18f9cfc5d1ef0253373445c78f66480d3bfda2b58441d7abd2f330a2cd00ef7c498d733b74a0e3f02cb4c39b6ef2d054aed1648625e206f71888ad +SHA512 (chrony-4.4-pre2-tar-gz-asc.txt) = fe74013a75c143a651f9e3844ab231df8166bac24b919a0850d822430fbca81b17f2d9b0d2c17fe0edf3a7dc33a93718e5bbb892c3551d8d52bcc75c38cecc57 SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a From c2ad1d7c433d155d1950b5c6be2c8e51b11cd0ad Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 14:39:06 +0200 Subject: [PATCH 093/137] 4.4-0.3.pre2 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c8ffc8f..f431e5f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.2.pre1%{?dist} +Release: 0.3.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -203,6 +203,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jun 21 2023 Miroslav Lichvar 4.4-0.3.pre2 +- update to 4.4-pre2 +- set selinux context in chronyd-restricted service (#2169949) + * Tue Jun 06 2023 Miroslav Lichvar 4.4-0.2.pre1 - rebuild for AES-GCM-SIV in new nettle From 133e764afbd6c68e3b7d3e913deed91416ba21a5 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 19 Jul 2023 15:38:23 +0000 Subject: [PATCH 094/137] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index f431e5f..abc71e4 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.3.pre2%{?dist} +Release: 0.4.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -203,6 +203,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 19 2023 Fedora Release Engineering - 4.4-0.4.pre2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Wed Jun 21 2023 Miroslav Lichvar 4.4-0.3.pre2 - update to 4.4-pre2 - set selinux context in chronyd-restricted service (#2169949) From 0b020ff4e00e98543a1f4975ddbaf9bec9615472 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 29 Jun 2023 13:04:00 +0200 Subject: [PATCH 095/137] require tzdata (#2218368) --- chrony.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/chrony.spec b/chrony.spec index abc71e4..d35a2cb 100644 --- a/chrony.spec +++ b/chrony.spec @@ -35,6 +35,9 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?systemd_requires} %{?sysusers_requires_compat} +# Needed by the leapsectz directive in default chrony.conf +Requires: tzdata + # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 From 5782cfd640fc9f3bf45a0fdaf281c81ebd3d81f5 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Aug 2023 16:38:03 +0200 Subject: [PATCH 096/137] update to 4.4 --- .gitignore | 6 +++--- chrony.spec | 11 +++++------ sources | 6 +++--- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 62aad8b..57ee54b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4-pre2.tar.gz -/chrony-4.4-pre2-tar-gz-asc.txt -/clknetsim-13b0a5.tar.gz +/chrony-4.4.tar.gz +/chrony-4.4-tar-gz-asc.txt +/clknetsim-ef2a7a.tar.gz 
diff --git a/chrony.spec b/chrony.spec index d35a2cb..a214149 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 13b0a5 -%global prerelease -pre2 +%global clknetsim_ver ef2a7a %bcond_without debug %bcond_without nts @@ -14,10 +13,10 @@ Release: 0.4.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only -URL: https://chrony.tuxfamily.org -Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz -Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt -Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc +URL: https://chrony-project.org +Source0: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}.tar.gz +Source1: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}-tar-gz-asc.txt +Source2: https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc Source3: chrony.dhclient Source4: chrony.sysusers # simulator for test suite diff --git a/sources b/sources index 02f0816..1c8d2e0 100644 --- a/sources +++ b/sources 
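Review bot: `Source2`, the keyring passed to `%{gpgverify}`, now points at the same new host as the tarball and its signature, and nothing next to the `Source0`-`Source2` lines says where trust in that key comes from. The diffstat lists only .gitignore, chrony.spec and sources, so the key file itself is presumably unchanged and still the copy committed to the package repository. A comment above `Source2` would make that explicit for whoever refreshes the sources next, for example `# keyring is committed to the package repo; compare fingerprint 8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC out of band before replacing it`.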
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.4-pre2.tar.gz) = 4919cdbafa18f9cfc5d1ef0253373445c78f66480d3bfda2b58441d7abd2f330a2cd00ef7c498d733b74a0e3f02cb4c39b6ef2d054aed1648625e206f71888ad -SHA512 (chrony-4.4-pre2-tar-gz-asc.txt) = fe74013a75c143a651f9e3844ab231df8166bac24b919a0850d822430fbca81b17f2d9b0d2c17fe0edf3a7dc33a93718e5bbb892c3551d8d52bcc75c38cecc57 -SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a +SHA512 (chrony-4.4.tar.gz) = 45e060eb0c5892552f28dc436429e5823409cc93533127af27b64d08ff9c769fdc72694272232114f5ca1884c2bc8b5e842fae7956dc457358e937bcd3dda4d7 +SHA512 (chrony-4.4-tar-gz-asc.txt) = bb795b428567434937cbf3a12c559b549b89abe65010d04eed0fbdcfde35e7266771ea01c2c5581f3e5fae993f1782fff5a62c5ae09259d2b65dab9473d756a3 +SHA512 (clknetsim-ef2a7a.tar.gz) = 55196099d975d635fcba7dce9e1bc42efe0aee25777c9ff0bc996e300922e70542ea784a78814dc888c2f7f281e9d7db68c893e2d3138e92fbc3fb1e64e7e2b6 From 271a50e6c18ca9e7d6fb5795753ca0777a4e0a19 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Aug 2023 16:38:34 +0200 Subject: [PATCH 097/137] 4.4-1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index a214149..0a0bb92 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.4 -Release: 0.4.pre2%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 09 2023 Miroslav Lichvar 4.4-1 +- update to 4.4 +- require tzdata (#2218368) + * Wed Jul 19 2023 Fedora Release Engineering - 4.4-0.4.pre2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From a1d483c64b6fc9223f0098a9cd31463d02d8274d Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 22 Nov 2023 14:44:06 +0100 Subject: [PATCH 098/137] update to 4.5-pre1 --- .gitignore | 6 +++--- chrony.spec | 5 +++-- sources | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 57ee54b..9b297b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4.tar.gz -/chrony-4.4-tar-gz-asc.txt -/clknetsim-ef2a7a.tar.gz +/chrony-4.5-pre1-tar-gz-asc.txt +/chrony-4.5-pre1.tar.gz +/clknetsim-5d1dc0.tar.gz diff --git a/chrony.spec b/chrony.spec index 0a0bb92..c72af99 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver ef2a7a +%global clknetsim_ver 5d1dc0 +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.4 +Version: 4.5 Release: 1%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index 1c8d2e0..7493175 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.4.tar.gz) = 45e060eb0c5892552f28dc436429e5823409cc93533127af27b64d08ff9c769fdc72694272232114f5ca1884c2bc8b5e842fae7956dc457358e937bcd3dda4d7 -SHA512 (chrony-4.4-tar-gz-asc.txt) = bb795b428567434937cbf3a12c559b549b89abe65010d04eed0fbdcfde35e7266771ea01c2c5581f3e5fae993f1782fff5a62c5ae09259d2b65dab9473d756a3 -SHA512 (clknetsim-ef2a7a.tar.gz) = 55196099d975d635fcba7dce9e1bc42efe0aee25777c9ff0bc996e300922e70542ea784a78814dc888c2f7f281e9d7db68c893e2d3138e92fbc3fb1e64e7e2b6 +SHA512 (chrony-4.5-pre1-tar-gz-asc.txt) = 60030c572957afe2289ca3f20efaf92267d3f6eca1e8c220f9b24bcfacbfc830304151d47c048bdcb1972a6ed9c84e7e435fafd4276080ecb253b991087ce20f +SHA512 (chrony-4.5-pre1.tar.gz) = 1be4beb1257baf08a6c35613a5c547837f63aeab0f06b87dff1acdd912a49f79b276f376af7737c6d44bf6ba974829dddddee5e9153828abf90f828e749d8f6e +SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 
From 69e59ad695b88de1b38afb618e91cdff12e9989a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Nov 2023 14:45:44 +0100 Subject: [PATCH 099/137] 4.5-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c72af99..e13c68d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.5 -Release: 1%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Nov 22 2023 Miroslav Lichvar 4.5-0.1.pre1 +- update to 4.5-pre1 + * Wed Aug 09 2023 Miroslav Lichvar 4.4-1 - update to 4.4 - require tzdata (#2218368) From 9bca6ebe57a0846ff27e7495ad4ea1fa4d5a0c2b Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 5 Dec 2023 15:20:20 +0100 Subject: [PATCH 100/137] update to 4.5 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 9b297b0..ca5815e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.5-pre1-tar-gz-asc.txt -/chrony-4.5-pre1.tar.gz +/chrony-4.5.tar.gz +/chrony-4.5-tar-gz-asc.txt /clknetsim-5d1dc0.tar.gz diff --git a/chrony.spec b/chrony.spec index e13c68d..a151383 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 %global clknetsim_ver 5d1dc0 -%global prerelease -pre1 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 7493175..0f64136 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.5-pre1-tar-gz-asc.txt) = 60030c572957afe2289ca3f20efaf92267d3f6eca1e8c220f9b24bcfacbfc830304151d47c048bdcb1972a6ed9c84e7e435fafd4276080ecb253b991087ce20f -SHA512 (chrony-4.5-pre1.tar.gz) = 1be4beb1257baf08a6c35613a5c547837f63aeab0f06b87dff1acdd912a49f79b276f376af7737c6d44bf6ba974829dddddee5e9153828abf90f828e749d8f6e +SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 +SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 From 17bd1206e37eb9f6eefa18fe8102b2752eb3e15e Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 5 Dec 2023 15:23:50 +0100 Subject: [PATCH 101/137] 4.5-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index a151383..e4e6820 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Dec 05 2023 Miroslav Lichvar 4.5-1 +- update to 4.5 + * Wed Nov 22 2023 Miroslav Lichvar 4.5-0.1.pre1 - update to 4.5-pre1 From 396d15c284b65cc88840488e2b72ca4696159ed8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 9 Jan 2024 16:50:44 +0100 Subject: [PATCH 102/137] update clknetsim source --- chrony.spec | 4 ++-- sources | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index e4e6820..b160209 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -20,7 +20,7 @@ Source2: https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B Source3: chrony.dhclient Source4: chrony.sysusers # simulator for test suite -Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz +Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} # add distribution-specific bits to DHCP dispatcher @@ -94,7 +94,7 @@ sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' # regenerate the file from getdate.y rm -f getdate.c -mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim +mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build %configure \ diff --git a/sources b/sources index 0f64136..970d87e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb -SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 +SHA512 (clknetsim-5d1dc0.tar.gz) = 7d542443d7d9334d900cee821207fab1ee87e57fda6580a9d894f65fb36d265fdc4a72022b4293134d54cdeffba7e84d2f68f732f4b228b84d846d8668b314b2 From 9cedf747bf723bba78cec22f32b236a1b3b4aa87 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 15:25:29 +0000 Subject: [PATCH 103/137] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index b160209..c806558 100644 --- a/chrony.spec +++ b/chrony.spec 
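Review bot: The new `Source10` URL fetches the archive of the `master` branch, so it no longer identifies the commit named by `%{clknetsim_ver}`. A later download can return different content under the same `clknetsim-5d1dc0.tar.gz` name, and this source has no signature check like Source0. The SHA512 in `sources` still pins what gets built, but that hash cannot be reproduced from the spec, and it changes in this same commit for an unchanged file name. I would pin the ref to the commit, `Source10: https://gitlab.com/chrony/clknetsim/-/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz`, using the full commit hash if the forge does not accept the abbreviated one. Then check that the `mv clknetsim-*-%{clknetsim_ver}*` glob in the second hunk still matches the unpacked directory.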
@@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Tue Dec 05 2023 Miroslav Lichvar 4.5-1 - update to 4.5 From 2484d4001eaa7d8378f1a4f97171ac58a01b68c4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 23 Jan 2024 01:36:12 +0000 Subject: [PATCH 104/137] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c806558..51a9c3a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jan 23 2024 Fedora Release Engineering - 4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Jan 19 2024 Fedora Release Engineering - 4.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 5d030eca6da200ac89e44d66728a7623b8b8ad15 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 19:17:25 +0000 Subject: [PATCH 105/137] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 51a9c3a..5401be6 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
@@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 4.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Tue Jan 23 2024 Fedora Release Engineering - 4.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 2aac4c014b2cb70255833115cbfb4bc759ea8eb2 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 30 Jul 2024 14:52:18 +0200 Subject: [PATCH 106/137] update to 4.6-pre1 --- .gitignore | 6 +++--- chrony.spec | 13 +++++++------ sources | 6 +++--- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index ca5815e..55c253a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.5.tar.gz -/chrony-4.5-tar-gz-asc.txt -/clknetsim-5d1dc0.tar.gz +/chrony-4.6-pre1.tar.gz +/chrony-4.6-pre1-tar-gz-asc.txt +/clknetsim-633a0b.tar.gz diff --git a/chrony.spec b/chrony.spec index 5401be6..d43f3be 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 5d1dc0 +%global clknetsim_ver 633a0b +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.5 +Version: 4.6 Release: 4%{?dist} Summary: An NTP client/server @@ -34,7 +35,7 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?systemd_requires} %{?sysusers_requires_compat} -# Needed by the leapsectz directive in default chrony.conf +# Needed by the leapseclist directive in default chrony.conf Requires: tzdata # Old NetworkManager expects the dispatcher scripts in a different place 
@@ -65,7 +66,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service - 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 + 826354a2d467d6147e412d43bfe07484 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline @@ -78,10 +79,10 @@ test -n "%{vendorzone}" # use example chrony.conf as the default config with some modifications: # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses) -# - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata +# - enable leapseclist to get TAI-UTC offset and leap seconds # - use NTP servers from DHCP sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ - -e 's|#\(leapsectz\)|\1|' \ + -e 's|#\(leapseclist\)|\1|' \ -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \ < examples/chrony.conf.example2 > chrony.conf diff --git a/sources b/sources index 970d87e..e895b1c 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 -SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb -SHA512 (clknetsim-5d1dc0.tar.gz) = 7d542443d7d9334d900cee821207fab1ee87e57fda6580a9d894f65fb36d265fdc4a72022b4293134d54cdeffba7e84d2f68f732f4b228b84d846d8668b314b2 +SHA512 (chrony-4.6-pre1.tar.gz) = 9d978b359ac4a6d6859f0fb2d3b6d3ed455838c2dc31d3db1b15b360a62d4f2d8dce71d1e67648658407121020880cd545a4eeb69d0df88475db778851c15cb4 +SHA512 (chrony-4.6-pre1-tar-gz-asc.txt) = c6c7147e63fc19153e230fa81e6207a08b66da39a2156dd1d26d2435abb530210d4effcd8273ee6f3eede5ef0e29d33a601190ac41881f2d65a84a51e9070211 +SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 From 02f36b402e2900050abfea5a93e23c49c3d31672 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 30 Jul 2024 14:52:53 +0200 Subject: [PATCH 107/137] 4.6-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index d43f3be..6e86955 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.6 -Release: 4%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jul 30 2024 Miroslav Lichvar 4.6-0.1.pre1 +- update to 4.6-pre1 + * Wed Jul 17 2024 Fedora Release Engineering - 4.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 60a3986f3a58bac2d6cb7956d790103a52d858cd Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 2 Sep 2024 15:15:35 +0200 Subject: [PATCH 108/137] update to 4.6 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 55c253a..bde5491 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6-pre1.tar.gz -/chrony-4.6-pre1-tar-gz-asc.txt +/chrony-4.6.tar.gz +/chrony-4.6-tar-gz-asc.txt /clknetsim-633a0b.tar.gz diff --git a/chrony.spec b/chrony.spec index 6e86955..03a40e9 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 %global clknetsim_ver 633a0b -%global prerelease -pre1 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index e895b1c..5265d98 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.6-pre1.tar.gz) = 9d978b359ac4a6d6859f0fb2d3b6d3ed455838c2dc31d3db1b15b360a62d4f2d8dce71d1e67648658407121020880cd545a4eeb69d0df88475db778851c15cb4 -SHA512 (chrony-4.6-pre1-tar-gz-asc.txt) = c6c7147e63fc19153e230fa81e6207a08b66da39a2156dd1d26d2435abb530210d4effcd8273ee6f3eede5ef0e29d33a601190ac41881f2d65a84a51e9070211 +SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd +SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 From 0ba6e157c2d66353426798a3ca7938a29d10dcb8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 2 Sep 2024 15:16:32 +0200 Subject: [PATCH 109/137] 4.6-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 03a40e9..62acd40 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -9,7 +9,7 @@ Name: chrony Version: 4.6 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Sep 02 2024 Miroslav Lichvar 4.6-1 +- update to 4.6 + * Tue Jul 30 2024 Miroslav Lichvar 4.6-0.1.pre1 - update to 4.6-pre1 From bf7e96a93b94fecec55462ce210d8c1458b11ea6 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 2 Sep 2024 16:28:18 +0200 Subject: [PATCH 110/137] update clknetsim to fix %check on i686 --- .gitignore | 2 +- chrony.spec | 2 +- sources | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index bde5491..c02a352 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ /chrony-4.6.tar.gz /chrony-4.6-tar-gz-asc.txt -/clknetsim-633a0b.tar.gz +/clknetsim-64df92.tar.gz diff --git a/chrony.spec b/chrony.spec index 62acd40..98445d3 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 633a0b +%global clknetsim_ver 64df92 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 5265d98..d1a6a50 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db -SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 +SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 From 73179b1fbd3f2e049997a996781663b4ecb1ad87 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 2 Sep 2024 16:29:00 +0200 Subject: [PATCH 111/137] 4.6-1 From 9999104b0943393d25de12a148cbdb03d8b4d649 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Oct 2024 15:39:55 +0200 Subject: [PATCH 112/137] update to 4.6.1 --- .gitignore | 4 ++-- chrony.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index c02a352..04fffa0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6.tar.gz -/chrony-4.6-tar-gz-asc.txt +/chrony-4.6.1.tar.gz +/chrony-4.6.1-tar-gz-asc.txt /clknetsim-64df92.tar.gz diff --git a/chrony.spec b/chrony.spec index 98445d3..125cc4a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -8,7 +8,7 @@ %endif Name: chrony -Version: 4.6 +Version: 4.6.1 Release: 1%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index d1a6a50..a3dab97 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd -SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db +SHA512 (chrony-4.6.1.tar.gz) = 646ae08f2587366236796f2399d8ab3eb570979e0d82f5d13f5cec49939054c876cc93dc20c8d38e105fd3500e1720d05a223a15076783cd882d0de43afd9c7e +SHA512 (chrony-4.6.1-tar-gz-asc.txt) = 992b706636bf3a7eb6d502562a4990c9d8e20e5f3011d2cdb2ceb32220e9a1c2bfa6eca767212cee49b811823872602dc33f9e7201a7f9a93cc9c90e81b1db49 SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 From efe2d99a073e9515ac7fe6145f33c9247539b432 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Oct 2024 15:42:45 +0200 Subject: [PATCH 113/137] 4.6.1-1 --- chrony.spec | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/chrony.spec b/chrony.spec index 125cc4a..391bff2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Oct 08 2024 Miroslav Lichvar 4.6.1-1 +- update to 4.6.1 + * Mon Sep 02 2024 Miroslav Lichvar 4.6-1 - update to 4.6 From 0aae5f7bf1ce7d871adec9ab714299a69b03ad57 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 13:43:18 +0000 Subject: [PATCH 114/137] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 391bff2..3a4449a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.6.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 4.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Tue Oct 08 2024 Miroslav Lichvar 4.6.1-1 - update to 4.6.1 From 18b59b582787633bac1fe86ec032536c38485d0c Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Tue, 1 Oct 2024 12:13:30 +0200 Subject: [PATCH 115/137] Update plans and gating --- gating.yaml | 14 +++++------- plans.fmf | 47 ++++++++++++++++++++++++++++++++++++++++ plans/public.fmf | 6 ----- plans/tier1-internal.fmf | 12 ---------- 4 files changed, 53 insertions(+), 26 deletions(-) create mode 100644 plans.fmf delete mode 100644 plans/public.fmf delete mode 100644 plans/tier1-internal.fmf diff --git a/gating.yaml b/gating.yaml index de5c323..1b16508 100644 --- a/gating.yaml +++ b/gating.yaml 
@@ -4,8 +4,8 @@ product_versions: decision_context: bodhi_update_push_testing subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} - + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + #Rawhide --- !Policy product_versions: @@ -13,15 +13,13 @@ product_versions: decision_context: bodhi_update_push_stable subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} - + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + #gating rhel --- !Policy product_versions: - rhel-* decision_context: osci_compose_gate rules: - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional} - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation} - - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} - - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/public.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} \ No newline at end of file diff --git a/plans.fmf b/plans.fmf new file mode 100644 index 0000000..661c046 --- /dev/null +++ b/plans.fmf 
@@ -0,0 +1,47 @@ +/tier1-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier1/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/tier1-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier1/public + +/tier2-tier3-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier2-tier3/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/tier2-tier3-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier2-tier3/public + +/others-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/others/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/others-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/others/public diff --git a/plans/public.fmf b/plans/public.fmf deleted file mode 100644 index cff1391..0000000 --- a/plans/public.fmf +++ /dev/null @@ -1,6 +0,0 @@ -summary: Test plan with all Fedora tests -discover: - how: fmf - url: https://src.fedoraproject.org/tests/chrony.git -execute: - how: tmt diff --git a/plans/tier1-internal.fmf b/plans/tier1-internal.fmf deleted file mode 100644 index 9714336..0000000 --- a/plans/tier1-internal.fmf +++ /dev/null @@ -1,12 +0,0 @@ -summary: CI plan, picks internal Tier1 tests, runs in beakerlib. -discover: - - name: rhel - how: fmf - filter: 'tier: 1' - url: git://pkgs.devel.redhat.com/tests/chrony -execute: - how: tmt -adjust: - enabled: false - when: distro == centos-stream, fedora - because: They don't have access to internal repos. From 8f77afe47e9dd596174ba2ed6a4914efea889189 Mon Sep 17 00:00:00 2001 
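Review bot: None of the six `plan: import:` entries in the new plans.fmf sets a `ref`, so each run takes whatever the default branch of the tests repository holds at that moment, and `/tier1-public` is the result that gating.yaml in this same commit makes mandatory. A push to the tests repository can therefore change what gates a build without any commit in this repository. Adding a pinned ref under each import, for example `ref: <tag-or-commit>` (placeholder), would turn a test update into an explicit, reviewable bump here. The same applies to the later plans.fmf hunks in this series that switch the `url:` values to gitlab.com.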
From: Miroslav Lichvar Date: Wed, 21 May 2025 14:45:46 +0200 Subject: [PATCH 116/137] update to 4.7-pre1 --- .gitignore | 6 +++--- chrony.spec | 9 +++++---- sources | 6 +++--- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 04fffa0..96c8228 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6.1.tar.gz -/chrony-4.6.1-tar-gz-asc.txt -/clknetsim-64df92.tar.gz +/chrony-4.7-pre1-tar-gz-asc.txt +/chrony-4.7-pre1.tar.gz +/clknetsim-d60afc.tar.gz diff --git a/chrony.spec b/chrony.spec index 3a4449a..063693c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 64df92 +%global clknetsim_ver d60afc +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.6.1 +Version: 4.7 Release: 2%{?dist} Summary: An NTP client/server @@ -69,8 +70,8 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - c11159b78b89684eca773db6236a9855 examples/chronyd.service - 46fa3e2d42c8eb9c42e71095686c90ed examples/chronyd-restricted.service + 274a44cd51981d6d4d3a44dfc92c94ab examples/chronyd.service + 5ddbb8a8055f587cb6b0b462ca73ea46 examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone diff --git a/sources b/sources index a3dab97..4931309 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.6.1.tar.gz) = 646ae08f2587366236796f2399d8ab3eb570979e0d82f5d13f5cec49939054c876cc93dc20c8d38e105fd3500e1720d05a223a15076783cd882d0de43afd9c7e -SHA512 (chrony-4.6.1-tar-gz-asc.txt) = 992b706636bf3a7eb6d502562a4990c9d8e20e5f3011d2cdb2ceb32220e9a1c2bfa6eca767212cee49b811823872602dc33f9e7201a7f9a93cc9c90e81b1db49 -SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 +SHA512 (chrony-4.7-pre1-tar-gz-asc.txt) = 6180dfede6bc2d11b4b8a9f2708b306faecdf2f6c92552c52c222b8fe09210aa770ec28c9272a1105ea6716e66553e606dbb00077bce061c6faaf65e1ce2bbf9 +SHA512 (chrony-4.7-pre1.tar.gz) = 9f83887d9771a409edd812046a4b1b7e11966d02a99806d48442a52441ee41a7043a75987e29414b04ddb8ff82dedd0b7646135961f6532cc173c52c01c600c1 +SHA512 (clknetsim-d60afc.tar.gz) = 9fff0dc7c089169158926741860c933fa4fc6eda68c100a54ead137b294ec94b0a6fccb0e3f86abfed274b38621e89b49f3e1ad96fd9bed48a79fabcc0d0ba5f From 3b9d8b1213423834a2e59e5831b2ee429216961a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 May 2025 14:47:16 +0200 Subject: [PATCH 117/137] 4.7-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 063693c..144ff7c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.7 -Release: 2%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed May 21 2025 Miroslav Lichvar 4.7-0.1.pre1 +- update to 4.7-pre1 + * Thu Jan 16 2025 Fedora Release Engineering - 4.6.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 5d99ee337f23f4e09fa4f7f669fa007629176ad9 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Thu, 22 May 2025 14:40:19 +0200 Subject: [PATCH 118/137] add workaround for broken build on aarch64 --- chrony.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/chrony.spec b/chrony.spec index 144ff7c..1f023cb 100644 --- a/chrony.spec +++ b/chrony.spec @@ -98,6 +98,10 @@ rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build +%ifarch aarch64 +# workaround for bug #2367978 +CFLAGS="$RPM_OPT_FLAGS -fno-inline" +%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ From 969143e1d65cdfd02a88360aed91f0f6adc6c324 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 22 May 2025 14:40:43 +0200 Subject: [PATCH 119/137] 4.7-0.2.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 1f023cb..34ffc37 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.7 -Release: 0.1.pre1%{?dist} +Release: 0.2.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -210,6 +210,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu May 22 2025 Miroslav Lichvar 4.7-0.2.pre1 +- add workaround for broken build on aarch64 + * Wed May 21 2025 Miroslav Lichvar 4.7-0.1.pre1 - update to 4.7-pre1 From d17bcd6d55f045f7ea7924dcd6d4c9b060bbf9e2 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 11 Jun 2025 15:46:31 +0200 Subject: [PATCH 120/137] update to 4.7 --- .gitignore | 6 +++--- chrony.spec | 5 ++--- sources | 6 +++--- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 96c8228..2414820 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.7-pre1-tar-gz-asc.txt -/chrony-4.7-pre1.tar.gz -/clknetsim-d60afc.tar.gz +/chrony-4.7.tar.gz +/chrony-4.7-tar-gz-asc.txt +/clknetsim-83cf9c.tar.gz diff --git a/chrony.spec b/chrony.spec index 34ffc37..440c600 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -1,6 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver d60afc -%global prerelease -pre1 +%global clknetsim_ver 83cf9c %bcond_without debug %bcond_without nts @@ -66,7 +65,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service - 826354a2d467d6147e412d43bfe07484 examples/chrony.conf.example2 + 3f2ddca6065c3e8f4565d7422739795a examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline diff --git a/sources b/sources index 4931309..f03173e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.7-pre1-tar-gz-asc.txt) = 6180dfede6bc2d11b4b8a9f2708b306faecdf2f6c92552c52c222b8fe09210aa770ec28c9272a1105ea6716e66553e606dbb00077bce061c6faaf65e1ce2bbf9 -SHA512 (chrony-4.7-pre1.tar.gz) = 9f83887d9771a409edd812046a4b1b7e11966d02a99806d48442a52441ee41a7043a75987e29414b04ddb8ff82dedd0b7646135961f6532cc173c52c01c600c1 -SHA512 (clknetsim-d60afc.tar.gz) = 9fff0dc7c089169158926741860c933fa4fc6eda68c100a54ead137b294ec94b0a6fccb0e3f86abfed274b38621e89b49f3e1ad96fd9bed48a79fabcc0d0ba5f +SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623 +SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1 +SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9 From fcb1dcbf532fec8ef5dbd6d3492125d233863e3b Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 11 Jun 2025 15:51:50 +0200 Subject: [PATCH 121/137] 4.7-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 440c600..775150a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 0.2.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -209,6 +209,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jun 11 2025 Miroslav Lichvar 4.7-1 +- update to 4.7 + * Thu May 22 2025 Miroslav Lichvar 4.7-0.2.pre1 - add workaround for broken build on aarch64 From 0de03083074a9787d1848551e5c44d0dd9db6814 Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Wed, 18 Jun 2025 20:38:17 +0200 Subject: [PATCH 122/137] Testing moves to RH gitlab centos-stream space --- plans.fmf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/plans.fmf b/plans.fmf index 661c046..c28aa6f 100644 --- a/plans.fmf +++ b/plans.fmf @@ -1,7 +1,7 @@ /tier1-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier1/internal adjust: enabled: false @@ -11,13 +11,13 @@ /tier1-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier1/public /tier2-tier3-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier2-tier3/internal adjust: enabled: false 
@@ -27,13 +27,13 @@ /tier2-tier3-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier2-tier3/public /others-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/others/internal adjust: enabled: false @@ -43,5 +43,5 @@ /others-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/others/public From 70a42e2391e14b3a9294e7f7c3cd162a6c244b1d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 11:49:16 +0200 Subject: [PATCH 123/137] drop old conflict with NetworkManager --- chrony.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index 775150a..e7467b5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -37,9 +37,6 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 # Needed by the leapseclist directive in default chrony.conf Requires: tzdata -# Old NetworkManager expects the dispatcher scripts in a different place -Conflicts: NetworkManager < 1.20 - # suggest drivers for hardware reference clocks Suggests: ntp-refclock From 53321f84b8e15e39e3483fcc5f396bc4e4244e42 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 13:22:54 +0200 Subject: [PATCH 124/137] let systemd create /var/lib/chrony and /var/log/chrony (#2372944) Specify the directories in the chronyd unit file, so they don't have to exist before starting the service and rpm doesn't need to create any non-root directories/files. --- chrony-servicedirs.patch | 18 ++++++++++++++++++ chrony.spec | 9 ++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 chrony-servicedirs.patch diff --git a/chrony-servicedirs.patch b/chrony-servicedirs.patch new file mode 100644 index 0000000..e806dc9 --- /dev/null 
+++ b/chrony-servicedirs.patch @@ -0,0 +1,18 @@ +diff -up chrony-4.7/examples/chronyd.service.servicedirs chrony-4.7/examples/chronyd.service +--- chrony-4.7/examples/chronyd.service.servicedirs 2025-06-11 15:06:19.000000000 +0200 ++++ chrony-4.7/examples/chronyd.service 2025-07-10 12:06:57.354215498 +0200 +@@ -10,7 +10,13 @@ Type=notify + PIDFile=/run/chrony/chronyd.pid + Environment="OPTIONS=" + EnvironmentFile=-/etc/sysconfig/chronyd +-ExecStart=/usr/sbin/chronyd -n $OPTIONS ++ExecStart=!/usr/sbin/chronyd -n $OPTIONS ++ ++User=chrony ++LogsDirectory=chrony ++LogsDirectoryMode=0750 ++StateDirectory=chrony ++StateDirectoryMode=0750 + + CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE + CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE diff --git a/chrony.spec b/chrony.spec index e7467b5..c038549 100644 --- a/chrony.spec +++ b/chrony.spec @@ -25,6 +25,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# let systemd create /var/lib/chrony and /var/log/chrony +Patch2: chrony-servicedirs.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -56,6 +58,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp +%patch -P 2 -p1 -b .servicedirs %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} 
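Review bot: The added `User=chrony` sits next to `ExecStart=!/usr/sbin/chronyd` with no comment explaining why both are present, and the pair is easy to misread as chronyd being started unprivileged. In systemd the `!` prefix exempts that command line from `User=`, so the daemon still starts with root credentials, and `User=` here mainly decides who owns the directories created by `LogsDirectory=` and `StateDirectory=`. I would add a comment line above `User=` such as `# User= only sets the owner of the Logs/State directories; "!" starts chronyd as root and it is expected to drop privileges itself`. The rest of the unit file lies outside this hunk, so the part about chronyd switching user on its own should be confirmed against the full file and the configure options in the spec.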
@@ -66,7 +69,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 274a44cd51981d6d4d3a44dfc92c94ab examples/chronyd.service + 607c82f56639486f52c31105632909eb examples/chronyd.service 5ddbb8a8055f587cb6b0b462ca73ea46 examples/chronyd-restricted.service EOF @@ -200,10 +203,10 @@ fi %{_unitdir}/chrony*.service %{_sysusersdir}/chrony.conf %{_mandir}/man[158]/%{name}*.[158]* -%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony +%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc -%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony +%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog * Wed Jun 11 2025 Miroslav Lichvar 4.7-1 From 98c501e504b72d90c688982295bfb850f955d74a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 14:02:11 +0200 Subject: [PATCH 125/137] drop workaround for broken build on aarch64 --- chrony.spec | 4 ---- 1 file changed, 4 deletions(-) diff --git a/chrony.spec b/chrony.spec index c038549..6d8a713 100644 --- a/chrony.spec +++ b/chrony.spec @@ -97,10 +97,6 @@ rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build -%ifarch aarch64 -# workaround for bug #2367978 -CFLAGS="$RPM_OPT_FLAGS -fno-inline" -%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ From 58b9f12d345dde8b0eca270f97325b4e1f6df115 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 14:02:56 +0200 Subject: [PATCH 126/137] 4.7-2 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 6d8a713..887c864 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,11 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Jul 10 2025 Miroslav Lichvar 4.7-2 +- let systemd create /var/lib/chrony and /var/log/chrony (#2372944) +- drop workaround for broken build on aarch64 +- drop old conflict with NetworkManager + * Wed Jun 11 2025 Miroslav Lichvar 4.7-1 - update to 4.7 From 71344384222ce47b080842ea020f1124d066ef7c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:17:48 +0000 Subject: [PATCH 127/137] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 887c864..410ce4b 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Thu Jul 10 2025 Miroslav Lichvar 4.7-2 - let systemd create /var/lib/chrony and /var/log/chrony (#2372944) - drop workaround for broken build on aarch64 From 1db87bbe8dd549a2b29a496f63b5cb39a2000ac8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 14 Aug 2025 16:32:02 +0200 Subject: [PATCH 128/137] update to 4.8-pre1 --- .gitignore | 6 +++--- chrony.spec | 5 +++-- sources | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 2414820..bdfdbf2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.7.tar.gz -/chrony-4.7-tar-gz-asc.txt -/clknetsim-83cf9c.tar.gz +/chrony-4.8-pre1-tar-gz-asc.txt +/chrony-4.8-pre1.tar.gz +/clknetsim-a2eb0b258f8b.tar.gz 
diff --git a/chrony.spec b/chrony.spec index 410ce4b..aa51417 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 83cf9c +%global prerelease -pre1 +%global clknetsim_ver a2eb0b258f8b %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.7 +Version: 4.8 Release: 3%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index f03173e..bdf667b 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623 -SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1 -SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9 +SHA512 (chrony-4.8-pre1-tar-gz-asc.txt) = 0daafd987e46d720c42bbe4de13f5a293feabb3e239c9caf90146197b8444504cf45efc2078f431e745fae52e222937f9d48da496b091372fe4301a3f8726983 +SHA512 (chrony-4.8-pre1.tar.gz) = 2e76fd523fbeaa31bcbecbe2a16105e4fa103751753f0d05e2d2fcfaed62dbd4e023b559e97a44b28756b3ae7bc5d0873a787f09eb760da6a00d8184eedc03ad +SHA512 (clknetsim-a2eb0b258f8b.tar.gz) = 88996d4652b73b603caf9387b030c8406e7bc015443bb4b348c4a626882a0b42398dbcefa971fc8ba02dcdc0a79171ea63cadc13c518961b66901fecbee7c8e3 From 283f2dad2f7e8f492a7582b83106c8bec90aa9e0 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 14 Aug 2025 16:33:01 +0200 Subject: [PATCH 129/137] 4.8-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index aa51417..c5d2aaa 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.8 -Release: 3%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
@@ -206,6 +206,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 +- update to 4.8-pre1 + * Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From b9e07af77919a639d95c7ae1b533c3865f6c1b9e Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 27 Aug 2025 14:47:58 +0200 Subject: [PATCH 130/137] update to 4.8 --- .gitignore | 6 +++--- chrony.spec | 3 +-- sources | 6 +++--- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index bdfdbf2..4d608e1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.8-pre1-tar-gz-asc.txt -/chrony-4.8-pre1.tar.gz -/clknetsim-a2eb0b258f8b.tar.gz +/chrony-4.8-tar-gz-asc.txt +/chrony-4.8.tar.gz +/clknetsim-6ee99f50dec8.tar.gz diff --git a/chrony.spec b/chrony.spec index c5d2aaa..708d57b 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 -%global prerelease -pre1 -%global clknetsim_ver a2eb0b258f8b +%global clknetsim_ver 6ee99f50dec8 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index bdf667b..35a8415 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.8-pre1-tar-gz-asc.txt) = 0daafd987e46d720c42bbe4de13f5a293feabb3e239c9caf90146197b8444504cf45efc2078f431e745fae52e222937f9d48da496b091372fe4301a3f8726983 -SHA512 (chrony-4.8-pre1.tar.gz) = 2e76fd523fbeaa31bcbecbe2a16105e4fa103751753f0d05e2d2fcfaed62dbd4e023b559e97a44b28756b3ae7bc5d0873a787f09eb760da6a00d8184eedc03ad -SHA512 (clknetsim-a2eb0b258f8b.tar.gz) = 88996d4652b73b603caf9387b030c8406e7bc015443bb4b348c4a626882a0b42398dbcefa971fc8ba02dcdc0a79171ea63cadc13c518961b66901fecbee7c8e3 +SHA512 (chrony-4.8-tar-gz-asc.txt) = df7f4e06f74a4b8c9a49e8fe57ea02e0324c5683d036412c32192a09f08e08f33537609cef8df0b4302bfcd63332b3092f33f40c8d02857c93ecea13822b5b47 +SHA512 (chrony-4.8.tar.gz) = 949b796bb34db32a5c1b9e6b53be6a22e51c59f24a316d585b8a52a52ab1f61bdf0378dc58b282bb0ba4fac1f05e1e99fbe37cb4259aa2b359e7bf679c176aab +SHA512 (clknetsim-6ee99f50dec8.tar.gz) = 2621d1c44b84b42fcdf644f236ff90dab9f8a8407a138c8719c53dd9c4f21480db3b4ba598116aa1b9d6bd1fa02fc410d85a43baf55ddf8ad47fc09aba4c4477 From fbf4abe9539130145f2c6266b609cc388ed8eb42 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 27 Aug 2025 14:48:58 +0200 Subject: [PATCH 131/137] 4.8-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 708d57b..afe2248 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 27 2025 Miroslav Lichvar 4.8-1 +- update to 4.8 + * Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 - update to 4.8-pre1 From 95665ab0604acc9eb35e821ae580d6af41236047 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 8 Sep 2025 10:06:24 +0200 Subject: [PATCH 132/137] drop root privileges in chronyc by default Use the new configure option added in chrony-4.8 to change the default chronyc user to chrony. If chronyc is started under root, it will switch to the chrony user automatically to minimize impact of potential security issues. This shouldn't be visible to the user, but if for some reason the original behavior is required, "-u root" can be added to the chronyc command line. --- chrony.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/chrony.spec b/chrony.spec index afe2248..02fc8a8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -105,6 +105,7 @@ mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \ + --with-chronyc-user=chrony \ --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-pidfile=/run/chrony/chronyd.pid \ From 9c685eb118a6f049a5a253cd9b76daf008a2dd3a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 8 Sep 2025 10:10:54 +0200 Subject: [PATCH 133/137] 4.8-2 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 02fc8a8..5da1033 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Sep 08 2025 Miroslav Lichvar 4.8-2 +- drop root privileges in chronyc by default + * Wed Aug 27 2025 Miroslav Lichvar 4.8-1 - update to 4.8 From 57f2f4a8c160f18d4a544be5ab0f216771368c1c Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Tue, 21 Oct 2025 14:26:44 +0200 Subject: [PATCH 134/137] update seccomp filter for new glibc (#2405310) --- chrony-seccomp.patch | 35 +++++++++++++++++++++++++++++++++++ chrony.spec | 3 +++ 2 files changed, 38 insertions(+) create mode 100644 chrony-seccomp.patch diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch new file mode 100644 index 0000000..af9f775 --- /dev/null +++ b/chrony-seccomp.patch @@ -0,0 +1,35 @@ +commit 03875f1ea5c4c0eeeb30a7d1fc5fdd53236f4ac2 +Author: Miroslav Lichvar +Date: Tue Oct 21 14:06:38 2025 +0200 + + sys_linux: allow ioctl(TCGETS2) in seccomp filter + + Add TCGETS2 to the list of allowed ioctls. It seems to be called by the + latest glibc version from isatty(), which is called from libpcsclite + used by gnutls in an NTS-KE session. + + Include the linux termios header instead of glibc header to get a usable + definition of TCGETS2. + +diff --git a/sys_linux.c b/sys_linux.c +index ca5540f2..e20e459d 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -48,7 +48,7 @@ + #ifdef FEAT_SCFILTER + #include + #include +-#include ++#include + #ifdef FEAT_PPS + #include + #endif +@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL }; + + const static unsigned long ioctls[] = { +- FIONREAD, TCGETS, TIOCGWINSZ, ++ FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ, + #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING) + PTP_EXTTS_REQUEST, PTP_SYS_OFFSET, + #ifdef PTP_PIN_SETFUNC diff --git a/chrony.spec b/chrony.spec index 5da1033..78da102 100644 --- a/chrony.spec +++ b/chrony.spec 
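Review bot: `TCGETS2` is added to `ioctls[]` unconditionally, although the entries right after it in the same array are wrapped in `#if defined(...)`. On a target whose headers do not define the constant, the file would stop compiling instead of simply leaving the rule out. A guard of the form `#ifdef TCGETS2` / `TCGETS2,` / `#endif` would keep the seccomp allowlist building there, provided the header swap in the first hunk also compiles on those targets. Since every entry in this array widens what the filter permits, a short comment recording the reason would help the next audit of the list, e.g. `/* TCGETS2: isatty() in newer glibc, reached from an NTS-KE session */`. The array and SYS_Linux_EnableSystemCallFilter() continue outside the hunk.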
@@ -27,6 +27,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% Patch1: chrony-nm-dispatcher-dhcp.patch # let systemd create /var/lib/chrony and /var/log/chrony Patch2: chrony-servicedirs.patch +# update seccomp filter for new glibc +Patch3: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -59,6 +61,7 @@ service to other computers in the network. %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp %patch -P 2 -p1 -b .servicedirs +%patch -P 3 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From ed7a59c023170d91a880b2bd979b5ac8e494e8d0 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 21 Oct 2025 14:34:19 +0200 Subject: [PATCH 135/137] 4.8-3 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 78da102..66a86d5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -209,6 +209,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Oct 21 2025 Miroslav Lichvar 4.8-3 +- update seccomp filter for new glibc (#2405310) + * Mon Sep 08 2025 Miroslav Lichvar 4.8-2 - drop root privileges in chronyc by default From d146c7faa536a1a15e65bcf4270e0f098cb5fdbf Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Oct 2025 14:15:13 +0200 Subject: [PATCH 136/137] fix seccomp fix to build on ppc64 --- chrony-seccomp.patch | 159 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch index af9f775..c8f79ae 100644 --- a/chrony-seccomp.patch +++ b/chrony-seccomp.patch 
@@ -33,3 +33,162 @@ index ca5540f2..e20e459d 100644 #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING) PTP_EXTTS_REQUEST, PTP_SYS_OFFSET, #ifdef PTP_PIN_SETFUNC +commit 3c39afa13c769452d4c340bfc987e229b7c9caeb +Author: Miroslav Lichvar +Date: Wed Oct 22 10:53:11 2025 +0200 + + sys_linux: fix building with older compilers and some archs + + The recent replacement of with to get + TCGETS2 seems to work only with compilers (or C standards) that allow + the same structure to be defined multiple times. There is a conflict + between and . + + Another problem is that TCGETS2 is not used on some archs like ppc64. + + Switch back to and move TCGETS2 to a list in a separate + file where it can be compiled without . + + Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter") + +diff --git a/configure b/configure +index 195b1ed7..ca64475d 100755 +--- a/configure ++++ b/configure +@@ -808,6 +808,7 @@ then + # a time and the async resolver would block the main thread + priv_ops="NAME2IPADDRESS RELOADDNS" + EXTRA_LIBS="$EXTRA_LIBS -lseccomp" ++ EXTRA_OBJECTS="$EXTRA_OBJECTS sys_linux_scmp.o" + fi + + if [ "x$priv_ops" != "x" ]; then +diff --git a/sys_linux.c b/sys_linux.c +index e20e459d..89eec950 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -48,7 +48,7 @@ + #ifdef FEAT_SCFILTER + #include + #include +-#include ++#include + #ifdef FEAT_PPS + #include + #endif +@@ -63,6 +63,7 @@ + #endif + + #include "sys_linux.h" ++#include "sys_linux_scmp.h" + #include "sys_timex.h" + #include "conf.h" + #include "local.h" +@@ -615,7 +616,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL }; + + const static unsigned long ioctls[] = { +- FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ, ++ FIONREAD, TCGETS, TIOCGWINSZ, + #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING) + PTP_EXTTS_REQUEST, PTP_SYS_OFFSET, + #ifdef PTP_PIN_SETFUNC +@@ -728,6 +729,14 @@ 
SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0) + goto add_failed; + } ++ ++ /* Allow selected ioctls that need to be specified in a separate ++ file to avoid conflicting headers (e.g. TCGETS2) */ ++ for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++) { ++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, ++ SCMP_A1(SCMP_CMP_EQ, SYS_Linux_GetExtraScmpIoctl(i))) < 0) ++ goto add_failed; ++ } + } + + if (seccomp_load(ctx) < 0) +diff --git a/sys_linux_scmp.c b/sys_linux_scmp.c +new file mode 100644 +index 00000000..a907a97d +--- /dev/null ++++ b/sys_linux_scmp.c +@@ -0,0 +1,44 @@ ++/* ++ chronyd/chronyc - Programs for keeping computer clocks accurate. ++ ++ ********************************************************************** ++ * Copyright (C) Miroslav Lichvar 2025 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of version 2 of the GNU General Public License as ++ * published by the Free Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License along ++ * with this program; if not, write to the Free Software Foundation, Inc., ++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ ********************************************************************** ++ ++ ======================================================================= ++ ++ Lists of values that are needed in seccomp filters but need to ++ be compiled separately from sys_linux.c due to conflicting headers. 
++ */ ++ ++#include ++ ++#include "sys_linux_scmp.h" ++ ++unsigned long ++SYS_Linux_GetExtraScmpIoctl(int index) ++{ ++ const unsigned long ioctls[] = { ++#ifdef TCGETS2 ++ /* Conflict between and */ ++ TCGETS2, ++#endif ++ 0 ++ }; ++ ++ return ioctls[index]; ++} +diff --git a/sys_linux_scmp.h b/sys_linux_scmp.h +new file mode 100644 +index 00000000..62a9d548 +--- /dev/null ++++ b/sys_linux_scmp.h +@@ -0,0 +1,28 @@ ++/* ++ chronyd/chronyc - Programs for keeping computer clocks accurate. ++ ++ ********************************************************************** ++ * Copyright (C) Miroslav Lichvar 2025 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of version 2 of the GNU General Public License as ++ * published by the Free Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License along ++ * with this program; if not, write to the Free Software Foundation, Inc., ++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ ********************************************************************** ++ ++ ======================================================================= ++ ++ Header file for lists that are needed in seccomp filters but need to ++ be compiled separately from sys_linux.c due to conflicting headers. ++ */ ++ ++extern unsigned long SYS_Linux_GetExtraScmpIoctl(int index); From f14345b7112621a85497b2e5e45176f6fa807ec9 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Oct 2025 14:16:17 +0200 Subject: [PATCH 137/137] 4.8-3
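Review bot: `SYS_Linux_GetExtraScmpIoctl()` in the new sys_linux_scmp.c returns `ioctls[index]` without a range check, so a negative index or one past the terminating 0 reads outside the array. The only caller visible here, the added loop in SYS_Linux_EnableSystemCallFilter (whose body starts and ends outside the hunk), stops at the 0 sentinel, but the function is declared `extern` in sys_linux_scmp.h, so a guard such as `if ((unsigned int)index >= sizeof (ioctls) / sizeof (ioctls[0])) return 0;` would make it safe for any caller. Declaring the table `static const unsigned long ioctls[]` would also avoid rebuilding it on each of the two calls the loop makes per iteration. The comment beside `TCGETS2` explains the header conflict but not why the request is on the allowlist. The message of 03875f1ea5c4 attributes it to glibc's isatty() reached through libpcsclite in an NTS-KE session, and repeating that at the entry would help anyone auditing the filter later.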