diff --git a/.gitignore b/.gitignore
index 4d608e1..2414820 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-/chrony-4.8-tar-gz-asc.txt
-/chrony-4.8.tar.gz
-/clknetsim-6ee99f50dec8.tar.gz
+/chrony-4.7.tar.gz
+/chrony-4.7-tar-gz-asc.txt
+/clknetsim-83cf9c.tar.gz
diff --git a/chrony-defconfig.patch b/chrony-defconfig.patch
new file mode 100644
index 0000000..5145656
--- /dev/null
+++ b/chrony-defconfig.patch
@@ -0,0 +1,57 @@
+commit 4a8da7e02dc1b882d33cfbb7301d29bdb5ea915f
+Author: Miroslav Lichvar
+Date: Wed Jun 11 14:53:47 2025 +0200
+
+ examples: improve chrony.conf examples
+
+ Add a note that three servers is the generally recommended minimum for
+ an NTP client to be able to detect a falseticker. Mention that the pool
+ directive uses four servers. Update the links to the pool join page and
+ list of public servers.
+
+diff --git a/examples/chrony.conf.example1 b/examples/chrony.conf.example1
+index 5e93ea75..f822813b 100644
+--- a/examples/chrony.conf.example1
++++ b/examples/chrony.conf.example1
+@@ -1,4 +1,4 @@
+-# Use public NTP servers from the pool.ntp.org project.
++# Use four public NTP servers from the pool.ntp.org project.
+ pool pool.ntp.org iburst
+
+ # Record the rate at which the system clock gains/losses time.
+diff --git a/examples/chrony.conf.example2 b/examples/chrony.conf.example2
+index 03e7d47b..a257f54c 100644
+--- a/examples/chrony.conf.example2
++++ b/examples/chrony.conf.example2
+@@ -1,5 +1,10 @@
+-# Use public servers from the pool.ntp.org project.
+-# Please consider joining the pool (https://www.pool.ntp.org/join.html).
++# Note: The general recommendation for an NTP client is to have at least
++# three NTP servers to be able to detect one server providing incorrect
++# time (falseticker).
++
++# Use four public NTP servers from the pool.ntp.org project. If this
++# host has a static public IP address, please consider joining the pool:
++# https://www.ntppool.org/join.html
+ pool pool.ntp.org iburst
+
+ # Record the rate at which the system clock gains/losses time.
+diff --git a/examples/chrony.conf.example3 b/examples/chrony.conf.example3
+index 8d895d04..01eaff1c 100644
+--- a/examples/chrony.conf.example3
++++ b/examples/chrony.conf.example3
+@@ -21,10 +21,12 @@
+ #######################################################################
+ ### SPECIFY YOUR NTP SERVERS
+ # Most computers using chrony will send measurement requests to one or
+-# more 'NTP servers'. You will probably find that your Internet Service
++# more NTP servers. The general recommendation is to have at least
++# three NTP servers to be able to detect one server providing incorrect
++# time (falseticker). You will probably find that your Internet Service
+ # Provider or company have one or more NTP servers that you can specify.
+ # Failing that, there are a lot of public NTP servers. There is a list
+-# you can access at http://support.ntp.org/bin/view/Servers/WebHome or
++# you can access at https://support.ntp.org/bin/view/Servers/WebHome or
+ # you can use servers from the pool.ntp.org project.
+
+ ! server ntp1.example.net iburst
diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch
deleted file mode 100644
index c8f79ae..0000000
--- a/chrony-seccomp.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-commit 03875f1ea5c4c0eeeb30a7d1fc5fdd53236f4ac2
-Author: Miroslav Lichvar
-Date: Tue Oct 21 14:06:38 2025 +0200
-
- sys_linux: allow ioctl(TCGETS2) in seccomp filter
-
- Add TCGETS2 to the list of allowed ioctls. It seems to be called by the
- latest glibc version from isatty(), which is called from libpcsclite
- used by gnutls in an NTS-KE session.
-
- Include the linux termios header instead of glibc header to get a usable
- definition of TCGETS2.
-
-diff --git a/sys_linux.c b/sys_linux.c
-index ca5540f2..e20e459d 100644
---- a/sys_linux.c
-+++ b/sys_linux.c
-@@ -48,7 +48,7 @@
- #ifdef FEAT_SCFILTER
- #include
- #include
--#include
-+#include
- #ifdef FEAT_PPS
- #include
- #endif
-@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
- const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
-
- const static unsigned long ioctls[] = {
-- FIONREAD, TCGETS, TIOCGWINSZ,
-+ FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
- #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
- PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
- #ifdef PTP_PIN_SETFUNC
-commit 3c39afa13c769452d4c340bfc987e229b7c9caeb
-Author: Miroslav Lichvar
-Date: Wed Oct 22 10:53:11 2025 +0200
-
- sys_linux: fix building with older compilers and some archs
-
- The recent replacement of with to get
- TCGETS2 seems to work only with compilers (or C standards) that allow
- the same structure to be defined multiple times. There is a conflict
- between and .
-
- Another problem is that TCGETS2 is not used on some archs like ppc64.
-
- Switch back to and move TCGETS2 to a list in a separate
- file where it can be compiled without .
-
- Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter")
-
-diff --git a/configure b/configure
-index 195b1ed7..ca64475d 100755
---- a/configure
-+++ b/configure
-@@ -808,6 +808,7 @@ then
- # a time and the async resolver would block the main thread
- priv_ops="NAME2IPADDRESS RELOADDNS"
- EXTRA_LIBS="$EXTRA_LIBS -lseccomp"
-+ EXTRA_OBJECTS="$EXTRA_OBJECTS sys_linux_scmp.o"
- fi
-
- if [ "x$priv_ops" != "x" ]; then
-diff --git a/sys_linux.c b/sys_linux.c
-index e20e459d..89eec950 100644
---- a/sys_linux.c
-+++ b/sys_linux.c
-@@ -48,7 +48,7 @@
- #ifdef FEAT_SCFILTER
- #include
- #include
--#include
-+#include
- #ifdef FEAT_PPS
- #include
- #endif
-@@ -63,6 +63,7 @@
- #endif
-
- #include "sys_linux.h"
-+#include "sys_linux_scmp.h"
- #include "sys_timex.h"
- #include "conf.h"
- #include "local.h"
-@@ -615,7 +616,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
- const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
-
- const static unsigned long ioctls[] = {
-- FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
-+ FIONREAD, TCGETS, TIOCGWINSZ,
- #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
- PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
- #ifdef PTP_PIN_SETFUNC
-@@ -728,6 +729,14 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
- SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0)
- goto add_failed;
- }
-+
-+ /* Allow selected ioctls that need to be specified in a separate
-+ file to avoid conflicting headers (e.g. TCGETS2) */
-+ for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++) {
-+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
-+ SCMP_A1(SCMP_CMP_EQ, SYS_Linux_GetExtraScmpIoctl(i))) < 0)
-+ goto add_failed;
-+ }
- }
-
- if (seccomp_load(ctx) < 0)
-diff --git a/sys_linux_scmp.c b/sys_linux_scmp.c
-new file mode 100644
-index 00000000..a907a97d
---- /dev/null
-+++ b/sys_linux_scmp.c
-@@ -0,0 +1,44 @@
-+/*
-+ chronyd/chronyc - Programs for keeping computer clocks accurate.
-+
-+ **********************************************************************
-+ * Copyright (C) Miroslav Lichvar 2025
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of version 2 of the GNU General Public License as
-+ * published by the Free Software Foundation.
-+ *
-+ * This program is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License along
-+ * with this program; if not, write to the Free Software Foundation, Inc.,
-+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-+ *
-+ **********************************************************************
-+
-+ =======================================================================
-+
-+ Lists of values that are needed in seccomp filters but need to
-+ be compiled separately from sys_linux.c due to conflicting headers.
-+ */
-+
-+#include
-+
-+#include "sys_linux_scmp.h"
-+
-+unsigned long
-+SYS_Linux_GetExtraScmpIoctl(int index)
-+{
-+ const unsigned long ioctls[] = {
-+#ifdef TCGETS2
-+ /* Conflict between and */
-+ TCGETS2,
-+#endif
-+ 0
-+ };
-+
-+ return ioctls[index];
-+}
-diff --git a/sys_linux_scmp.h b/sys_linux_scmp.h
-new file mode 100644
-index 00000000..62a9d548
---- /dev/null
-+++ b/sys_linux_scmp.h
-@@ -0,0 +1,28 @@
-+/*
-+ chronyd/chronyc - Programs for keeping computer clocks accurate.
-+
-+ **********************************************************************
-+ * Copyright (C) Miroslav Lichvar 2025
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of version 2 of the GNU General Public License as
-+ * published by the Free Software Foundation.
-+ *
-+ * This program is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License along
-+ * with this program; if not, write to the Free Software Foundation, Inc.,
-+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-+ *
-+ **********************************************************************
-+
-+ =======================================================================
-+
-+ Header file for lists that are needed in seccomp filters but need to
-+ be compiled separately from sys_linux.c due to conflicting headers.
-+ */
-+
-+extern unsigned long SYS_Linux_GetExtraScmpIoctl(int index);
diff --git a/chrony-servicedirs.patch b/chrony-servicedirs.patch
deleted file mode 100644
index e806dc9..0000000
--- a/chrony-servicedirs.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -up chrony-4.7/examples/chronyd.service.servicedirs chrony-4.7/examples/chronyd.service
---- chrony-4.7/examples/chronyd.service.servicedirs 2025-06-11 15:06:19.000000000 +0200
-+++ chrony-4.7/examples/chronyd.service 2025-07-10 12:06:57.354215498 +0200
-@@ -10,7 +10,13 @@ Type=notify
- PIDFile=/run/chrony/chronyd.pid
- Environment="OPTIONS="
- EnvironmentFile=-/etc/sysconfig/chronyd
--ExecStart=/usr/sbin/chronyd -n $OPTIONS
-+ExecStart=!/usr/sbin/chronyd -n $OPTIONS
-+
-+User=chrony
-+LogsDirectory=chrony
-+LogsDirectoryMode=0750
-+StateDirectory=chrony
-+StateDirectoryMode=0750
-
- CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
- CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
diff --git a/chrony.spec b/chrony.spec
index 66a86d5..af7a45b 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -1,5 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 6ee99f50dec8 +%global clknetsim_ver 83cf9c %bcond_without debug %bcond_without nts @@ -8,8 +8,8 @@ %endif Name: chrony -Version: 4.8 -Release: 3%{?dist} +Version: 4.7 +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -25,10 +25,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# let systemd create /var/lib/chrony and /var/log/chrony -Patch2: chrony-servicedirs.patch -# update seccomp filter for new glibc -Patch3: chrony-seccomp.patch +# revert upstream changes in default config +Patch2: chrony-defconfig.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -41,6 +39,9 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 # Needed by the leapseclist directive in default chrony.conf Requires: tzdata +# Old NetworkManager expects the dispatcher scripts in a different place +Conflicts: NetworkManager < 1.20 + # suggest drivers for hardware reference clocks Suggests: ntp-refclock 
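Review bot: Dropping `Patch3: chrony-seccomp.patch` from the patch list removes the `TCGETS2` entry from the seccomp ioctl allow-list, and nothing in the spec says why that is safe on this branch. The deleted patch's own description ties the ioctl to a newer glibc calling it from isatty() during an NTS-KE session, so presumably the glibc on this branch never issues it, but that assumption is not recorded anywhere. If it is wrong, chronyd running with the system call filter enabled would hit a filter violation on that path instead of completing the session. I would note it next to the remaining patches, e.g. `# chrony-seccomp.patch (ioctl TCGETS2) not carried: glibc here does not call it from isatty() - re-check on glibc rebase`, and confirm with an NTS client run under the filter.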
@@ -60,19 +61,18 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp -%patch -P 2 -p1 -b .servicedirs -%patch -P 3 -p1 -b .seccomp +%patch -P 2 -p1 -R -b .defconfig %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service - 3f2ddca6065c3e8f4565d7422739795a examples/chrony.conf.example2 + 826354a2d467d6147e412d43bfe07484 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 607c82f56639486f52c31105632909eb examples/chronyd.service + 274a44cd51981d6d4d3a44dfc92c94ab examples/chronyd.service 5ddbb8a8055f587cb6b0b462ca73ea46 examples/chronyd-restricted.service EOF @@ -100,6 +100,10 @@ rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build +%ifarch aarch64 +# workaround for bug #2367978 +CFLAGS="$RPM_OPT_FLAGS -fno-inline" +%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ @@ -108,7 +112,6 @@ mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \ - --with-chronyc-user=chrony \ --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-pidfile=/run/chrony/chronyd.pid \ 
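Review bot: The aarch64 block added after `%build` overrides `CFLAGS` for the whole package, and its comment `# workaround for bug #2367978` gives neither the symptom nor a removal condition. Because the assignment replaces whatever `%configure` would otherwise default to, the hardening options requested by `%global _hardened_build 1` reach the compiler only through `$RPM_OPT_FLAGS`; that is presumably still the case, but it is worth confirming in an aarch64 build log. I would expand the comment to something like `# workaround for bug #2367978 (<symptom>); drop once the fix is in the buildroot`.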
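Review bot: With `--with-chronyc-user=chrony` removed from the `%configure` arguments, chronyc built from this spec no longer has a configured user to drop to, so it presumably keeps root privileges when an administrator runs it as root; the removed 4.8-2 changelog entry ("drop root privileges in chronyc by default") describes exactly the behaviour that goes away. The option presumably does not exist in the 4.7 configure script, so the removal may be unavoidable, but the spec then gives no hint that this is a known hardening gap rather than an oversight. A comment cannot sit inside the continued command, so I would put one just before `%configure`: `# chronyc privilege drop (--with-chronyc-user) not available in 4.7 - restore on rebase to 4.8`. The `%configure` invocation continues past the end of this hunk.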
@@ -203,33 +206,13 @@ fi %{_unitdir}/chrony*.service %{_sysusersdir}/chrony.conf %{_mandir}/man[158]/%{name}*.[158]* -%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony +%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc -%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony +%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog -* Tue Oct 21 2025 Miroslav Lichvar 4.8-3 -- update seccomp filter for new glibc (#2405310) - -* Mon Sep 08 2025 Miroslav Lichvar 4.8-2 -- drop root privileges in chronyc by default - -* Wed Aug 27 2025 Miroslav Lichvar 4.8-1 -- update to 4.8 - -* Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 -- update to 4.8-pre1 - -* Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Thu Jul 10 2025 Miroslav Lichvar 4.7-2 -- let systemd create /var/lib/chrony and /var/log/chrony (#2372944) -- drop workaround for broken build on aarch64 -- drop old conflict with NetworkManager - -* Wed Jun 11 2025 Miroslav Lichvar 4.7-1 +* Wed Jun 11 2025 Miroslav Lichvar 4.7-1.fc41 - update to 4.7 * Thu May 22 2025 Miroslav Lichvar 4.7-0.2.pre1 diff --git a/plans.fmf b/plans.fmf index c28aa6f..661c046 100644 --- a/plans.fmf +++ b/plans.fmf @@ -1,7 +1,7 @@ /tier1-internal: plan: import: - url: https://gitlab.com/redhat/centos-stream/tests/chrony.git + url: https://src.fedoraproject.org/tests/chrony.git name: /plans/tier1/internal adjust: enabled: false 
@@ -11,13 +11,13 @@ /tier1-public: plan: import: - url: https://gitlab.com/redhat/centos-stream/tests/chrony.git + url: https://src.fedoraproject.org/tests/chrony.git name: /plans/tier1/public /tier2-tier3-internal: plan: import: - url: https://gitlab.com/redhat/centos-stream/tests/chrony.git + url: https://src.fedoraproject.org/tests/chrony.git name: /plans/tier2-tier3/internal adjust: enabled: false @@ -27,13 +27,13 @@ /tier2-tier3-public: plan: import: - url: https://gitlab.com/redhat/centos-stream/tests/chrony.git + url: https://src.fedoraproject.org/tests/chrony.git name: /plans/tier2-tier3/public /others-internal: plan: import: - url: https://gitlab.com/redhat/centos-stream/tests/chrony.git + url: https://src.fedoraproject.org/tests/chrony.git name: /plans/others/internal adjust: enabled: false @@ -43,5 +43,5 @@ /others-public: plan: import: - url: https://gitlab.com/redhat/centos-stream/tests/chrony.git + url: https://src.fedoraproject.org/tests/chrony.git name: /plans/others/public diff --git a/sources b/sources index 35a8415..f03173e 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (chrony-4.8-tar-gz-asc.txt) = df7f4e06f74a4b8c9a49e8fe57ea02e0324c5683d036412c32192a09f08e08f33537609cef8df0b4302bfcd63332b3092f33f40c8d02857c93ecea13822b5b47
-SHA512 (chrony-4.8.tar.gz) = 949b796bb34db32a5c1b9e6b53be6a22e51c59f24a316d585b8a52a52ab1f61bdf0378dc58b282bb0ba4fac1f05e1e99fbe37cb4259aa2b359e7bf679c176aab
-SHA512 (clknetsim-6ee99f50dec8.tar.gz) = 2621d1c44b84b42fcdf644f236ff90dab9f8a8407a138c8719c53dd9c4f21480db3b4ba598116aa1b9d6bd1fa02fc410d85a43baf55ddf8ad47fc09aba4c4477
+SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623
+SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1
+SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9