From ad0b95f5215380aec9d453548d0eb4c9e38c81a7 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 18 Jan 2023 23:50:34 +0000 Subject: [PATCH 01/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 7fa5835..4115eb2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jan 18 2023 Fedora Release Engineering - 4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Wed Aug 31 2022 Miroslav Lichvar 4.3-1 - update to 4.3 From 95d7d27489b2d8bbe9a2bf7f26191a2ccf9be1a8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 24 Jan 2023 16:22:40 +0100 Subject: [PATCH 02/57] convert license tag to SPDX --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 4115eb2..8506a31 100644 --- a/chrony.spec +++ b/chrony.spec @@ -12,7 +12,7 @@ Version: 4.3 Release: 2%{?dist} Summary: An NTP client/server -License: GPLv2 +License: GPL-2.0-only URL: https://chrony.tuxfamily.org Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt From 906e072deb3d572ce89d45a03812b7457a17decd Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 25 Jan 2023 15:16:13 +0100 Subject: [PATCH 03/57] add chronyd-restricted service for minimal NTP client configurations --- chrony-restricted.patch | 79 +++++++++++++++++++++++++++++++++++++++++ chrony.spec | 12 +++++-- 2 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 chrony-restricted.patch 
diff --git a/chrony-restricted.patch b/chrony-restricted.patch
new file mode 100644
index 0000000..930e814
--- /dev/null
+++ b/chrony-restricted.patch
@@ -0,0 +1,79 @@
+commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4
+Author: Miroslav Lichvar
+Date: Tue Jan 10 15:02:49 2023 +0100
+
+ examples: add chronyd-restricted.service
+
+ This is a more restricted version of the chronyd service intended for
+ minimal NTP/NTS client configurations. The daemon is started without
+ root privileges and is allowed to write only to its own runtime, state,
+ and log directories. It cannot bind to privileged ports in order to
+ operate as an NTP server, or provide monitoring access over IPv4/IPv6.
+ It cannot use reference clocks, HW timestamping, RTC tracking, and other
+ features.
+
+diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service
+new file mode 100644
+index 00000000..50998338
+--- /dev/null
++++ b/examples/chronyd-restricted.service
+@@ -0,0 +1,59 @@
++# This is a more restricted version of the chronyd service intended for
++# minimal NTP/NTS client configurations. The daemon is started without root
++# privileges and is allowed to write only to its own runtime, state, and log
++# directories. It cannot bind to privileged ports in order to operate as an
++# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use
++# reference clocks, HW timestamping, RTC tracking, and other features.
++[Unit] ++Description=NTP client (restricted) ++Documentation=man:chronyd(8) man:chrony.conf(5) ++After=chronyd.service ntpdate.service sntp.service ntpd.service ++Conflicts=chronyd.service ntpd.service systemd-timesyncd.service ++ConditionCapability=CAP_SYS_TIME ++ ++[Service] ++Type=forking ++PIDFile=/run/chrony/chronyd.pid ++EnvironmentFile=-/etc/sysconfig/chronyd ++ExecStart=/usr/sbin/chronyd -U $OPTIONS ++ ++User=chrony ++LogsDirectory=chrony ++LogsDirectoryMode=0750 ++RuntimeDirectory=chrony ++RuntimeDirectoryMode=0750 ++RuntimeDirectoryPreserve=restart ++StateDirectory=chrony ++StateDirectoryMode=0750 ++ ++AmbientCapabilities=CAP_SYS_TIME ++CapabilityBoundingSet=CAP_SYS_TIME ++DevicePolicy=closed ++LockPersonality=yes ++MemoryDenyWriteExecute=yes ++NoNewPrivileges=yes ++PrivateDevices=yes ++PrivateTmp=yes ++# This breaks adjtimex() ++#PrivateUsers=yes ++ProcSubset=pid ++ProtectControlGroups=yes ++ProtectHome=yes ++ProtectHostname=yes ++ProtectKernelLogs=yes ++ProtectKernelModules=yes ++ProtectKernelTunables=yes ++ProtectProc=invisible ++ProtectSystem=strict ++RemoveIPC=yes ++RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX ++RestrictNamespaces=yes ++RestrictRealtime=yes ++RestrictSUIDSGID=yes ++SystemCallArchitectures=native ++SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io ++SystemCallFilter=~@reboot @resources @swap ++UMask=0077 ++ ++[Install] ++WantedBy=multi-user.target diff --git a/chrony.spec b/chrony.spec index 8506a31..01f924d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -25,6 +25,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# add chronyd-restricted service +Patch2: chrony-restricted.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 
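Review bot: The two `SystemCallFilter=~...` lines in the added unit form a deny-list, so any syscall group they do not name (for example `@privileged` or `@keyring`) stays reachable, even though the rest of the unit reduces the daemon to CAP_SYS_TIME with NoNewPrivileges. An allow-list such as `SystemCallFilter=@system-service @clock` would fail closed instead, though it would have to be tested against chronyd's actual syscall use before shipping. The `ExecStart=/usr/sbin/chronyd -U $OPTIONS` line would also benefit from a comment like `# -U skips the root check; $OPTIONS comes from /etc/sysconfig/chronyd`. That file is presumably shared with chronyd.service, so options written for the root-started service may not be valid under `User=chrony`.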
@@ -56,6 +58,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp +%patch2 -p1 -b .restricted %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -68,6 +71,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service + f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone @@ -130,6 +134,8 @@ install -m 644 -p examples/chrony.logrotate \ install -m 644 -p examples/chronyd.service \ $RPM_BUILD_ROOT%{_unitdir}/chronyd.service +install -m 644 -p examples/chronyd-restricted.service \ + $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service install -m 755 -p examples/chrony.nm-dispatcher.onoffline \ $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ @@ -169,13 +175,13 @@ if test -a %{_libexecdir}/chrony-helper; then sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources" done 2> /dev/null fi -%systemd_post chronyd.service chrony-wait.service +%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service %preun -%systemd_preun chronyd.service chrony-wait.service +%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service %postun -%systemd_postun_with_restart chronyd.service +%systemd_postun_with_restart chronyd.service chronyd-restricted.service %files %{!?_licensedir:%global license %%doc} From f078395411559297198a1ec8987715161a42c797 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 25 Jan 2023 16:42:23 +0100 Subject: [PATCH 04/57] drop default chrony.keys config (#2104918) --- chrony-keyaccess.patch | 191 +++++++++++++++++++++++++++++++++++++++++ chrony.spec | 13 ++- 2 files changed, 197 insertions(+), 7 deletions(-) create mode 100644 chrony-keyaccess.patch diff --git a/chrony-keyaccess.patch b/chrony-keyaccess.patch new file mode 100644 index 0000000..4beedd8 --- /dev/null +++ b/chrony-keyaccess.patch 
@@ -0,0 +1,191 @@ +commit 9cba9c8585bc5ebf19bafece118fb2362090547c +Author: Miroslav Lichvar +Date: Thu Jan 19 16:09:40 2023 +0100 + + keys+nts: warn if loading world-readable/writable key + + Log a warning message if the file specified by the keyfile or + ntsserverkey directive is world-readable or writable, which is likely + an insecure misconfiguration. There is no check of directories + containing the file. + +diff --git a/keys.c b/keys.c +index 11f8b761..9225e6cd 100644 +--- a/keys.c ++++ b/keys.c +@@ -182,6 +182,9 @@ KEY_Reload(void) + if (!key_file) + return; + ++ if (!UTI_CheckFilePermissions(key_file, 0771)) ++ ; ++ + in = UTI_OpenFile(NULL, key_file, NULL, 'r', 0); + if (!in) { + LOG(LOGS_WARN, "Could not open keyfile %s", key_file); +diff --git a/nts_ke_session.c b/nts_ke_session.c +index dfcd18ab..2ae1e915 100644 +--- a/nts_ke_session.c ++++ b/nts_ke_session.c +@@ -667,6 +667,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys, + assert(0); + + for (i = 0; i < n_certs_keys; i++) { ++ if (!UTI_CheckFilePermissions(keys[i], 0771)) ++ ; + r = gnutls_certificate_set_x509_key_file(credentials, certs[i], keys[i], + GNUTLS_X509_FMT_PEM); + if (r < 0) +diff --git a/util.c b/util.c +index 064292ce..4b9d30ee 100644 +--- a/util.c ++++ b/util.c +@@ -1248,6 +1248,29 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) + + /* ================================================== */ + ++int ++UTI_CheckFilePermissions(const char *path, mode_t perm) ++{ ++ mode_t extra_perm; ++ struct stat buf; ++ ++ if (stat(path, &buf) < 0 || !S_ISREG(buf.st_mode)) { ++ /* Not considered an error */ ++ return 1; ++ } ++ ++ extra_perm = (buf.st_mode & 0777) & ~perm; ++ if (extra_perm != 0) { ++ LOG(LOGS_WARN, "%s permissions on %s", extra_perm & 0006 ? ++ (extra_perm & 0004 ? 
"World-readable" : "World-writable") : "Wrong", path); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ================================================== */ ++ + static int + join_path(const char *basedir, const char *name, const char *suffix, + char *buffer, size_t length, LOG_Severity severity) +diff --git a/util.h b/util.h +index 4655e537..6844798c 100644 +--- a/util.h ++++ b/util.h +@@ -196,6 +196,10 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid + permissions and its uid/gid must match the specified values. */ + extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); + ++/* Check and log a warning message if a file has more permissions than ++ specified. It does not return error if it is not an accessible file. */ ++extern int UTI_CheckFilePermissions(const char *path, mode_t perm); ++ + /* Open a file. The full path of the file is constructed from the basedir + (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). + Created files have specified permissions (umasked). Returns NULL on error. + +commit 883b0dde946105e0910456a0bebb24d57fecb0fc +Author: Miroslav Lichvar +Date: Wed Jan 25 14:29:06 2023 +0100 + + conf: warn if not having read-only access to keys + + After dropping root privileges, log a warning message if chronyd + doesn't have read access or has (unnecessary) write access to the + files containing symmetric and server NTS keys. 
+ +diff --git a/conf.c b/conf.c +index 9f42a426..0597836d 100644 +--- a/conf.c ++++ b/conf.c +@@ -1774,6 +1774,19 @@ CNF_CreateDirs(uid_t uid, gid_t gid) + + /* ================================================== */ + ++void ++CNF_CheckReadOnlyAccess(void) ++{ ++ unsigned int i; ++ ++ if (keys_file) ++ UTI_CheckReadOnlyAccess(keys_file); ++ for (i = 0; i < ARR_GetSize(nts_server_key_files); i++) ++ UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i)); ++} ++ ++/* ================================================== */ ++ + void + CNF_AddInitSources(void) + { +diff --git a/conf.h b/conf.h +index 11fd11df..d7acb4fd 100644 +--- a/conf.h ++++ b/conf.h +@@ -44,6 +44,8 @@ extern void CNF_ParseLine(const char *filename, int number, char *line); + + extern void CNF_CreateDirs(uid_t uid, gid_t gid); + ++extern void CNF_CheckReadOnlyAccess(void); ++ + extern void CNF_AddInitSources(void); + extern void CNF_AddSources(void); + extern void CNF_AddBroadcasts(void); +diff --git a/main.c b/main.c +index c40b5e4b..31e3c8f0 100644 +--- a/main.c ++++ b/main.c +@@ -637,9 +637,13 @@ int main + } + + /* Drop root privileges if the specified user has a non-zero UID */ +- if (!geteuid() && (pw->pw_uid || pw->pw_gid)) ++ if (!geteuid() && (pw->pw_uid || pw->pw_gid)) { + SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS); + ++ /* Warn if missing read access or having write access to keys */ ++ CNF_CheckReadOnlyAccess(); ++ } ++ + if (!geteuid()) + LOG(LOGS_WARN, "Running with root privileges"); + +diff --git a/util.c b/util.c +index 4b9d30ee..0321720e 100644 +--- a/util.c ++++ b/util.c +@@ -1271,6 +1271,17 @@ UTI_CheckFilePermissions(const char *path, mode_t perm) + + /* ================================================== */ + ++void ++UTI_CheckReadOnlyAccess(const char *path) ++{ ++ if (access(path, R_OK) != 0 && errno != ENOENT) ++ LOG(LOGS_WARN, "Missing read access to %s : %s", path, strerror(errno)); ++ if (access(path, W_OK) == 0) ++ LOG(LOGS_WARN, "Having write 
access to %s", path); ++} ++ ++/* ================================================== */ ++ + static int + join_path(const char *basedir, const char *name, const char *suffix, + char *buffer, size_t length, LOG_Severity severity) +diff --git a/util.h b/util.h +index 6844798c..d8e25dee 100644 +--- a/util.h ++++ b/util.h +@@ -200,6 +200,10 @@ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid + specified. It does not return error if it is not an accessible file. */ + extern int UTI_CheckFilePermissions(const char *path, mode_t perm); + ++/* Log a warning message if not having read access or having write access ++ to a file/directory */ ++extern void UTI_CheckReadOnlyAccess(const char *path); ++ + /* Open a file. The full path of the file is constructed from the basedir + (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). + Created files have specified permissions (umasked). Returns NULL on error. diff --git a/chrony.spec b/chrony.spec index 01f924d..3744814 100644 --- a/chrony.spec +++ b/chrony.spec @@ -27,6 +27,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch # add chronyd-restricted service Patch2: chrony-restricted.patch +# warn if keys are world-accessible or chronyd doesn't have read-only access +Patch3: chrony-keyaccess.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -59,6 +61,7 @@ service to other computers in the network. %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp %patch2 -p1 -b .restricted +%patch3 -p1 -b .keyaccess %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} 
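Review bot: In the main.c part of this added patch, `CNF_CheckReadOnlyAccess()` is placed inside the `if (!geteuid() && (pw->pw_uid || pw->pw_gid))` block, so the key-access warnings are emitted only when chronyd starts as root and drops privileges; a daemon started directly as an unprivileged user, as the chronyd-restricted unit from the previous patch does with `User=chrony`, appears to skip them. Consider keeping `SYS_DropRoot()` in the existing condition and running the check whenever the process ends up non-root, e.g. `if (geteuid()) CNF_CheckReadOnlyAccess();`. Both `UTI_CheckFilePermissions()` call sites pass 0771 and discard the result with an empty `;` statement, so only the world read/write bits are reported, a group-writable key is not, and loading continues regardless; a comment such as `/* advisory only: warn and continue loading */` at the call sites would make that intent explicit. The check also stat()s the path before the file is opened, so the warning describes the path at check time rather than the descriptor that is read. main() and KEY_Reload() continue outside the quoted context.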
@@ -66,7 +69,6 @@ service to other computers in the network. md5sum -c <<-EOF | (! grep -v 'OK$') b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 - 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline @@ -80,11 +82,9 @@ test -n "%{vendorzone}" # use example chrony.conf as the default config with some modifications: # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses) # - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata -# - enable keyfile # - use NTP servers from DHCP sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ -e 's|#\(leapsectz\)|\1|' \ - -e 's|#\(keyfile\)|\1|' \ -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \ < examples/chrony.conf.example2 > chrony.conf @@ -125,8 +125,6 @@ mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d} install -m 644 -p chrony.conf $RPM_BUILD_ROOT%{_sysconfdir}/chrony.conf -install -m 640 -p examples/chrony.keys.example \ - $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys install -m 755 -p %{SOURCE3} \ $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d/chrony.sh install -m 644 -p examples/chrony.logrotate \ @@ -150,6 +148,7 @@ cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < \ 
@@ -186,9 +185,9 @@ fi %files %{!?_licensedir:%global license %%doc} %license COPYING -%doc FAQ NEWS README +%doc FAQ NEWS README examples/chrony.keys.example %config(noreplace) %{_sysconfdir}/chrony.conf -%config(noreplace) %verify(not md5 size mtime) %attr(640,root,chrony) %{_sysconfdir}/chrony.keys +%ghost %config %attr(640,root,chrony) %{_sysconfdir}/chrony.keys %config(noreplace) %{_sysconfdir}/logrotate.d/chrony %config(noreplace) %{_sysconfdir}/sysconfig/chronyd %{_sysconfdir}/dhcp/dhclient.d/chrony.sh From e8775477fe6c92fa7220b09b29b253f2f3763bcf Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 25 Jan 2023 16:47:23 +0100 Subject: [PATCH 05/57] 4.3-3 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 3744814..532f6ef 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -204,6 +204,11 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jan 25 2023 Miroslav Lichvar 4.3-3 +- drop default chrony.keys config (#2104918) +- add chronyd-restricted service for minimal NTP client configurations +- convert license tag to SPDX + * Wed Jan 18 2023 Fedora Release Engineering - 4.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 08a5b8042dc6d97cdefea10382e2c162abdf8a91 Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Mon, 17 Apr 2023 18:47:07 +0200 Subject: [PATCH 06/57] Adding fmf plans and gating --- ci.fmf | 1 + gating.yaml | 21 ++++++++++++++++----- plans/ci.fmf | 6 ------ plans/public.fmf | 6 ++++++ plans/tier1-internal.fmf | 12 ++++++++++++ 5 files changed, 35 insertions(+), 11 deletions(-) create mode 100644 ci.fmf delete mode 100644 plans/ci.fmf create mode 100644 plans/public.fmf create mode 100644 plans/tier1-internal.fmf diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..c5aa0e0 
--- /dev/null +++ b/ci.fmf @@ -0,0 +1 @@ +resultsdb-testcase: separate diff --git a/gating.yaml b/gating.yaml index f458db9..de5c323 100644 --- a/gating.yaml +++ b/gating.yaml @@ -1,16 +1,27 @@ --- !Policy product_versions: - fedora-* -decision_contexts: [bodhi_update_push_testing] +decision_context: bodhi_update_push_testing subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} -# rawhide +#Rawhide --- !Policy product_versions: - fedora-* -decision_contexts: [bodhi_update_push_stable] +decision_context: bodhi_update_push_stable subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} + +#gating rhel +--- !Policy +product_versions: + - rhel-* +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional} + - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/public.functional} diff --git a/plans/ci.fmf b/plans/ci.fmf deleted file mode 100644 index 7834d37..0000000 --- a/plans/ci.fmf +++ /dev/null @@ -1,6 +0,0 @@ -summary: Test plan that runs all tests from tests repo. -discover: - how: fmf - url: https://src.fedoraproject.org/tests/chrony.git -execute: - how: tmt diff --git a/plans/public.fmf b/plans/public.fmf new file mode 100644 index 0000000..cff1391 --- /dev/null +++ b/plans/public.fmf @@ -0,0 +1,6 @@ +summary: Test plan with all Fedora tests +discover: + how: fmf + url: https://src.fedoraproject.org/tests/chrony.git +execute: + how: tmt 
diff --git a/plans/tier1-internal.fmf b/plans/tier1-internal.fmf new file mode 100644 index 0000000..9714336 --- /dev/null +++ b/plans/tier1-internal.fmf @@ -0,0 +1,12 @@ +summary: CI plan, picks internal Tier1 tests, runs in beakerlib. +discover: + - name: rhel + how: fmf + filter: 'tier: 1' + url: git://pkgs.devel.redhat.com/tests/chrony +execute: + how: tmt +adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. From e3bd39f52e4418bee9f0d3c1abcebe592b09d458 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:51:12 +0200 Subject: [PATCH 07/57] update to 4.4-pre1 --- .gitignore | 6 +- chrony-keyaccess.patch | 191 ---------------------------------------- chrony-restricted.patch | 79 ----------------- chrony.spec | 13 +-- sources | 6 +- 5 files changed, 10 insertions(+), 285 deletions(-) delete mode 100644 chrony-keyaccess.patch delete mode 100644 chrony-restricted.patch diff --git a/.gitignore b/.gitignore index 57bb59a..b393483 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.3.tar.gz -/chrony-4.3-tar-gz-asc.txt -/clknetsim-f00531.tar.gz +/chrony-4.4-pre1.tar.gz +/chrony-4.4-pre1-tar-gz-asc.txt +/clknetsim-13b0a5.tar.gz diff --git a/chrony-keyaccess.patch b/chrony-keyaccess.patch deleted file mode 100644 index 4beedd8..0000000 --- a/chrony-keyaccess.patch +++ /dev/null 
@@ -1,191 +0,0 @@ -commit 9cba9c8585bc5ebf19bafece118fb2362090547c -Author: Miroslav Lichvar -Date: Thu Jan 19 16:09:40 2023 +0100 - - keys+nts: warn if loading world-readable/writable key - - Log a warning message if the file specified by the keyfile or - ntsserverkey directive is world-readable or writable, which is likely - an insecure misconfiguration. There is no check of directories - containing the file. - -diff --git a/keys.c b/keys.c -index 11f8b761..9225e6cd 100644 ---- a/keys.c -+++ b/keys.c -@@ -182,6 +182,9 @@ KEY_Reload(void) - if (!key_file) - return; - -+ if (!UTI_CheckFilePermissions(key_file, 0771)) -+ ; -+ - in = UTI_OpenFile(NULL, key_file, NULL, 'r', 0); - if (!in) { - LOG(LOGS_WARN, "Could not open keyfile %s", key_file); -diff --git a/nts_ke_session.c b/nts_ke_session.c -index dfcd18ab..2ae1e915 100644 ---- a/nts_ke_session.c -+++ b/nts_ke_session.c -@@ -667,6 +667,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys, - assert(0); - - for (i = 0; i < n_certs_keys; i++) { -+ if (!UTI_CheckFilePermissions(keys[i], 0771)) -+ ; - r = gnutls_certificate_set_x509_key_file(credentials, certs[i], keys[i], - GNUTLS_X509_FMT_PEM); - if (r < 0) -diff --git a/util.c b/util.c -index 064292ce..4b9d30ee 100644 ---- a/util.c -+++ b/util.c -@@ -1248,6 +1248,29 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) - - /* ================================================== */ - -+int -+UTI_CheckFilePermissions(const char *path, mode_t perm) -+{ -+ mode_t extra_perm; -+ struct stat buf; -+ -+ if (stat(path, &buf) < 0 || !S_ISREG(buf.st_mode)) { -+ /* Not considered an error */ -+ return 1; -+ } -+ -+ extra_perm = (buf.st_mode & 0777) & ~perm; -+ if (extra_perm != 0) { -+ LOG(LOGS_WARN, "%s permissions on %s", extra_perm & 0006 ? -+ (extra_perm & 0004 ? 
"World-readable" : "World-writable") : "Wrong", path); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+/* ================================================== */ -+ - static int - join_path(const char *basedir, const char *name, const char *suffix, - char *buffer, size_t length, LOG_Severity severity) -diff --git a/util.h b/util.h -index 4655e537..6844798c 100644 ---- a/util.h -+++ b/util.h -@@ -196,6 +196,10 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid - permissions and its uid/gid must match the specified values. */ - extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); - -+/* Check and log a warning message if a file has more permissions than -+ specified. It does not return error if it is not an accessible file. */ -+extern int UTI_CheckFilePermissions(const char *path, mode_t perm); -+ - /* Open a file. The full path of the file is constructed from the basedir - (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). - Created files have specified permissions (umasked). Returns NULL on error. - -commit 883b0dde946105e0910456a0bebb24d57fecb0fc -Author: Miroslav Lichvar -Date: Wed Jan 25 14:29:06 2023 +0100 - - conf: warn if not having read-only access to keys - - After dropping root privileges, log a warning message if chronyd - doesn't have read access or has (unnecessary) write access to the - files containing symmetric and server NTS keys. 
- -diff --git a/conf.c b/conf.c -index 9f42a426..0597836d 100644 ---- a/conf.c -+++ b/conf.c -@@ -1774,6 +1774,19 @@ CNF_CreateDirs(uid_t uid, gid_t gid) - - /* ================================================== */ - -+void -+CNF_CheckReadOnlyAccess(void) -+{ -+ unsigned int i; -+ -+ if (keys_file) -+ UTI_CheckReadOnlyAccess(keys_file); -+ for (i = 0; i < ARR_GetSize(nts_server_key_files); i++) -+ UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i)); -+} -+ -+/* ================================================== */ -+ - void - CNF_AddInitSources(void) - { -diff --git a/conf.h b/conf.h -index 11fd11df..d7acb4fd 100644 ---- a/conf.h -+++ b/conf.h -@@ -44,6 +44,8 @@ extern void CNF_ParseLine(const char *filename, int number, char *line); - - extern void CNF_CreateDirs(uid_t uid, gid_t gid); - -+extern void CNF_CheckReadOnlyAccess(void); -+ - extern void CNF_AddInitSources(void); - extern void CNF_AddSources(void); - extern void CNF_AddBroadcasts(void); -diff --git a/main.c b/main.c -index c40b5e4b..31e3c8f0 100644 ---- a/main.c -+++ b/main.c -@@ -637,9 +637,13 @@ int main - } - - /* Drop root privileges if the specified user has a non-zero UID */ -- if (!geteuid() && (pw->pw_uid || pw->pw_gid)) -+ if (!geteuid() && (pw->pw_uid || pw->pw_gid)) { - SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS); - -+ /* Warn if missing read access or having write access to keys */ -+ CNF_CheckReadOnlyAccess(); -+ } -+ - if (!geteuid()) - LOG(LOGS_WARN, "Running with root privileges"); - -diff --git a/util.c b/util.c -index 4b9d30ee..0321720e 100644 ---- a/util.c -+++ b/util.c -@@ -1271,6 +1271,17 @@ UTI_CheckFilePermissions(const char *path, mode_t perm) - - /* ================================================== */ - -+void -+UTI_CheckReadOnlyAccess(const char *path) -+{ -+ if (access(path, R_OK) != 0 && errno != ENOENT) -+ LOG(LOGS_WARN, "Missing read access to %s : %s", path, strerror(errno)); -+ if (access(path, W_OK) == 0) -+ LOG(LOGS_WARN, "Having write 
access to %s", path); -+} -+ -+/* ================================================== */ -+ - static int - join_path(const char *basedir, const char *name, const char *suffix, - char *buffer, size_t length, LOG_Severity severity) -diff --git a/util.h b/util.h -index 6844798c..d8e25dee 100644 ---- a/util.h -+++ b/util.h -@@ -200,6 +200,10 @@ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid - specified. It does not return error if it is not an accessible file. */ - extern int UTI_CheckFilePermissions(const char *path, mode_t perm); - -+/* Log a warning message if not having read access or having write access -+ to a file/directory */ -+extern void UTI_CheckReadOnlyAccess(const char *path); -+ - /* Open a file. The full path of the file is constructed from the basedir - (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). - Created files have specified permissions (umasked). Returns NULL on error. diff --git a/chrony-restricted.patch b/chrony-restricted.patch deleted file mode 100644 index 930e814..0000000 --- a/chrony-restricted.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4 -Author: Miroslav Lichvar -Date: Tue Jan 10 15:02:49 2023 +0100 - - examples: add chronyd-restricted.service - - This is a more restricted version of the chronyd service intended for - minimal NTP/NTS client configurations. The daemon is started without - root privileges and is allowed to write only to its own runtime, state, - and log directories. It cannot bind to privileged ports in order to - operate as an NTP server, or provide monitoring access over IPv4/IPv6. - It cannot use reference clocks, HW timestamping, RTC tracking, and other - features. - -diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service -new file mode 100644 -index 00000000..50998338 ---- /dev/null -+++ b/examples/chronyd-restricted.service -@@ -0,0 +1,59 @@ -+# This is a more restricted version of the chronyd service intended for -+# minimal NTP/NTS client configurations. The daemon is started without root -+# privileges and is allowed to write only to its own runtime, state, and log -+# directories. It cannot bind to privileged ports in order to operate as an -+# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use -+# reference clocks, HW timestamping, RTC tracking, and other features. 
-+[Unit] -+Description=NTP client (restricted) -+Documentation=man:chronyd(8) man:chrony.conf(5) -+After=chronyd.service ntpdate.service sntp.service ntpd.service -+Conflicts=chronyd.service ntpd.service systemd-timesyncd.service -+ConditionCapability=CAP_SYS_TIME -+ -+[Service] -+Type=forking -+PIDFile=/run/chrony/chronyd.pid -+EnvironmentFile=-/etc/sysconfig/chronyd -+ExecStart=/usr/sbin/chronyd -U $OPTIONS -+ -+User=chrony -+LogsDirectory=chrony -+LogsDirectoryMode=0750 -+RuntimeDirectory=chrony -+RuntimeDirectoryMode=0750 -+RuntimeDirectoryPreserve=restart -+StateDirectory=chrony -+StateDirectoryMode=0750 -+ -+AmbientCapabilities=CAP_SYS_TIME -+CapabilityBoundingSet=CAP_SYS_TIME -+DevicePolicy=closed -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+NoNewPrivileges=yes -+PrivateDevices=yes -+PrivateTmp=yes -+# This breaks adjtimex() -+#PrivateUsers=yes -+ProcSubset=pid -+ProtectControlGroups=yes -+ProtectHome=yes -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+RemoveIPC=yes -+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -+RestrictNamespaces=yes -+RestrictRealtime=yes -+RestrictSUIDSGID=yes -+SystemCallArchitectures=native -+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io -+SystemCallFilter=~@reboot @resources @swap -+UMask=0077 -+ -+[Install] -+WantedBy=multi-user.target diff --git a/chrony.spec b/chrony.spec index 532f6ef..efe9f89 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver f00531 +%global clknetsim_ver 13b0a5 +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.3 +Version: 4.4 Release: 3%{?dist} Summary: An NTP client/server 
@@ -25,10 +26,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# add chronyd-restricted service -Patch2: chrony-restricted.patch -# warn if keys are world-accessible or chronyd doesn't have read-only access -Patch3: chrony-keyaccess.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -60,8 +57,6 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .restricted -%patch3 -p1 -b .keyaccess %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -71,7 +66,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp - 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline + 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service EOF diff --git a/sources b/sources index f352bac..73edab9 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.3.tar.gz) = 1394bac3ed684352fe89b7fef7da50e61f9f522abee807627ae1fc4c2dde891017bc8e5b13759fced028f3a1e875d5e4e5a4f85de65c63b5f83d0ca03bb4c5df -SHA512 (chrony-4.3-tar-gz-asc.txt) = 300b06f253ac3727edb86a1b7c337f9529ee752bbb471b266217b6a8ac5183e827264177a3210d436425d746673bf11fbdc41da145673213e28165197c6c76b7 -SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5 +SHA512 (chrony-4.4-pre1.tar.gz) = d251f822ff49be0ff691c41e08b2c68ca86c3c3b1896c11d8f72cb72c5d3fde38ec4609ffab2a737faf0824f603b6c36d56a827aacde3b296cadddca59ad7812 +SHA512 (chrony-4.4-pre1-tar-gz-asc.txt) = b03592f26603403eaff2140f640f88408a1bd5be3468cf91fdd221fc9579611bdd475017a5803d7a5b1db08b11e20f260a4af91ee0a4d3b33ae6232b81a109fe +SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a From 55b6de12265b76d0f989c382c0058dbffb783f49 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:51:46 +0200 Subject: [PATCH 08/57] switch from patchX to patch -P X --- chrony.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chrony.spec b/chrony.spec index efe9f89..e6d0be8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -55,8 +55,8 @@ service to other computers in the network. %prep %{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0} %setup -q -n %{name}-%{version}%{?prerelease} -a 10 -%{?gitpatch:%patch0 -p1} -%patch1 -p1 -b .nm-dispatcher-dhcp +%{?gitpatch:%patch -P 0 -p1} +%patch -P 1 -p1 -b .nm-dispatcher-dhcp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From 014a45966ecf6abe66f489916f6d8f1e7ebbfbe5 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:55:45 +0200 Subject: [PATCH 09/57] 4.4-0.1.pre1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/chrony.spec b/chrony.spec index e6d0be8..19bbcb2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 3%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -199,6 +199,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed May 10 2023 Miroslav Lichvar 4.4-0.1.pre1 +- update to 4.4-pre1 +- switch from patchX to patch -P X + * Wed Jan 25 2023 Miroslav Lichvar 4.3-3 - drop default chrony.keys config (#2104918) - add chronyd-restricted service for minimal NTP client configurations From cf4057bdecb7a430406dbc26aa7ac4e017ea6996 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 6 Jun 2023 13:08:16 +0200 Subject: [PATCH 10/57] 4.4-0.2.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 19bbcb2..90bcec0 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.1.pre1%{?dist} +Release: 0.2.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jun 06 2023 Miroslav Lichvar 4.4-0.2.pre1 +- rebuild for AES-GCM-SIV in new nettle + * Wed May 10 2023 Miroslav Lichvar 4.4-0.1.pre1 - update to 4.4-pre1 - switch from patchX to patch -P X From dd472d8c34c2eeb10b4e2bddd3304ae4af48f5d4 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 11:03:16 +0200 Subject: [PATCH 11/57] set selinux context in chronyd-restricted service (#2169949) --- chrony.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/chrony.spec b/chrony.spec index 90bcec0..fe057df 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -85,6 +85,10 @@ sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ touch -r examples/chrony.conf.example2 chrony.conf +# set selinux context in chronyd-restricted service +sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' \ + examples/chronyd-restricted.service + # regenerate the file from getdate.y rm -f getdate.c From 9d4dc9b2d9f09ade23f84cbcfa5ad702b8fd9a81 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 14:32:30 +0200 Subject: [PATCH 12/57] update to 4.4-pre2 --- .gitignore | 4 ++-- chrony.spec | 10 +++++----- sources | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index b393483..62aad8b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4-pre1.tar.gz -/chrony-4.4-pre1-tar-gz-asc.txt +/chrony-4.4-pre2.tar.gz +/chrony-4.4-pre2-tar-gz-asc.txt /clknetsim-13b0a5.tar.gz diff --git a/chrony.spec b/chrony.spec index fe057df..c8ffc8f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,6 @@ %global _hardened_build 1 %global clknetsim_ver 13b0a5 -%global prerelease -pre1 +%global prerelease -pre2 %bcond_without debug %bcond_without nts 
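Review bot: The `sed -i '/^ExecStart/a SELinuxContext=...'` added to %prep in chrony.spec exits successfully even when no line matches, so a build can ship examples/chronyd-restricted.service without the SELinux context and nothing fails. The md5sum list earlier in %prep flags an upstream change to the unit file, but it runs on the untouched file and does not confirm that the edit took effect. A check right after the sed closes that gap: `grep -q '^SELinuxContext=system_u:system_r:chronyd_restricted_t:s0$' examples/chronyd-restricted.service`. Without a `-` prefix systemd refuses to start the service when the context cannot be applied, so it may also be worth declaring a dependency on the policy version that defines `chronyd_restricted_t`; none is visible in this hunk.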
@@ -62,13 +62,13 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service + 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service - f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service + c11159b78b89684eca773db6236a9855 examples/chronyd.service + 46fa3e2d42c8eb9c42e71095686c90ed examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone @@ -155,7 +155,7 @@ echo 'chronyd.service' > \ %check # set random seed to get deterministic results -export CLKNETSIM_RANDOM_SEED=24505 +export CLKNETSIM_RANDOM_SEED=24508 %make_build -C test/simulation/clknetsim make quickcheck diff --git a/sources b/sources index 73edab9..02f0816 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.4-pre1.tar.gz) = d251f822ff49be0ff691c41e08b2c68ca86c3c3b1896c11d8f72cb72c5d3fde38ec4609ffab2a737faf0824f603b6c36d56a827aacde3b296cadddca59ad7812 -SHA512 (chrony-4.4-pre1-tar-gz-asc.txt) = b03592f26603403eaff2140f640f88408a1bd5be3468cf91fdd221fc9579611bdd475017a5803d7a5b1db08b11e20f260a4af91ee0a4d3b33ae6232b81a109fe +SHA512 (chrony-4.4-pre2.tar.gz) = 4919cdbafa18f9cfc5d1ef0253373445c78f66480d3bfda2b58441d7abd2f330a2cd00ef7c498d733b74a0e3f02cb4c39b6ef2d054aed1648625e206f71888ad +SHA512 (chrony-4.4-pre2-tar-gz-asc.txt) = fe74013a75c143a651f9e3844ab231df8166bac24b919a0850d822430fbca81b17f2d9b0d2c17fe0edf3a7dc33a93718e5bbb892c3551d8d52bcc75c38cecc57 SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a From c2ad1d7c433d155d1950b5c6be2c8e51b11cd0ad Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 14:39:06 +0200 Subject: [PATCH 13/57] 4.4-0.3.pre2 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c8ffc8f..f431e5f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.2.pre1%{?dist} +Release: 0.3.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -203,6 +203,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jun 21 2023 Miroslav Lichvar 4.4-0.3.pre2 +- update to 4.4-pre2 +- set selinux context in chronyd-restricted service (#2169949) + * Tue Jun 06 2023 Miroslav Lichvar 4.4-0.2.pre1 - rebuild for AES-GCM-SIV in new nettle From 133e764afbd6c68e3b7d3e913deed91416ba21a5 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 19 Jul 2023 15:38:23 +0000 Subject: [PATCH 14/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index f431e5f..abc71e4 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.3.pre2%{?dist} +Release: 0.4.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -203,6 +203,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 19 2023 Fedora Release Engineering - 4.4-0.4.pre2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Wed Jun 21 2023 Miroslav Lichvar 4.4-0.3.pre2 - update to 4.4-pre2 - set selinux context in chronyd-restricted service (#2169949) From 0b020ff4e00e98543a1f4975ddbaf9bec9615472 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 29 Jun 2023 13:04:00 +0200 Subject: [PATCH 15/57] require tzdata (#2218368) --- chrony.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/chrony.spec b/chrony.spec index abc71e4..d35a2cb 100644 --- a/chrony.spec +++ b/chrony.spec @@ -35,6 +35,9 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?systemd_requires} %{?sysusers_requires_compat} +# Needed by the leapsectz directive in default chrony.conf +Requires: tzdata + # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 From 5782cfd640fc9f3bf45a0fdaf281c81ebd3d81f5 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Aug 2023 16:38:03 +0200 Subject: [PATCH 16/57] update to 4.4 --- .gitignore | 6 +++--- chrony.spec | 11 +++++------ sources | 6 +++--- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 62aad8b..57ee54b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4-pre2.tar.gz -/chrony-4.4-pre2-tar-gz-asc.txt -/clknetsim-13b0a5.tar.gz +/chrony-4.4.tar.gz +/chrony-4.4-tar-gz-asc.txt +/clknetsim-ef2a7a.tar.gz 
diff --git a/chrony.spec b/chrony.spec index d35a2cb..a214149 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 13b0a5 -%global prerelease -pre2 +%global clknetsim_ver ef2a7a %bcond_without debug %bcond_without nts @@ -14,10 +13,10 @@ Release: 0.4.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only -URL: https://chrony.tuxfamily.org -Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz -Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt -Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc +URL: https://chrony-project.org +Source0: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}.tar.gz +Source1: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}-tar-gz-asc.txt +Source2: https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc Source3: chrony.dhclient Source4: chrony.sysusers # simulator for test suite diff --git a/sources b/sources index 02f0816..1c8d2e0 100644 --- a/sources +++ b/sources 
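Review bot: Source0, Source1 and Source2 move to chrony-project.org in one step in the `@@ -14,10 +13,10 @@` hunk, and nothing in the spec records where the trust anchor for `%{gpgverify}` comes from. The fingerprint in the Source2 file name is the same before and after, and `sources` lists only the tarball, its signature and clknetsim. The keyring therefore appears to be the copy committed to this repository rather than one fetched from the new host, though that is inferred from the file list. A comment above Source2 would make this explicit for the next domain or key change: `# keyring is kept in dist-git; confirm the fingerprint out of band before replacing it`.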
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.4-pre2.tar.gz) = 4919cdbafa18f9cfc5d1ef0253373445c78f66480d3bfda2b58441d7abd2f330a2cd00ef7c498d733b74a0e3f02cb4c39b6ef2d054aed1648625e206f71888ad -SHA512 (chrony-4.4-pre2-tar-gz-asc.txt) = fe74013a75c143a651f9e3844ab231df8166bac24b919a0850d822430fbca81b17f2d9b0d2c17fe0edf3a7dc33a93718e5bbb892c3551d8d52bcc75c38cecc57 -SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a +SHA512 (chrony-4.4.tar.gz) = 45e060eb0c5892552f28dc436429e5823409cc93533127af27b64d08ff9c769fdc72694272232114f5ca1884c2bc8b5e842fae7956dc457358e937bcd3dda4d7 +SHA512 (chrony-4.4-tar-gz-asc.txt) = bb795b428567434937cbf3a12c559b549b89abe65010d04eed0fbdcfde35e7266771ea01c2c5581f3e5fae993f1782fff5a62c5ae09259d2b65dab9473d756a3 +SHA512 (clknetsim-ef2a7a.tar.gz) = 55196099d975d635fcba7dce9e1bc42efe0aee25777c9ff0bc996e300922e70542ea784a78814dc888c2f7f281e9d7db68c893e2d3138e92fbc3fb1e64e7e2b6 From 271a50e6c18ca9e7d6fb5795753ca0777a4e0a19 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Aug 2023 16:38:34 +0200 Subject: [PATCH 17/57] 4.4-1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index a214149..0a0bb92 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.4 -Release: 0.4.pre2%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 09 2023 Miroslav Lichvar 4.4-1 +- update to 4.4 +- require tzdata (#2218368) + * Wed Jul 19 2023 Fedora Release Engineering - 4.4-0.4.pre2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From a1d483c64b6fc9223f0098a9cd31463d02d8274d Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 22 Nov 2023 14:44:06 +0100 Subject: [PATCH 18/57] update to 4.5-pre1 --- .gitignore | 6 +++--- chrony.spec | 5 +++-- sources | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 57ee54b..9b297b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4.tar.gz -/chrony-4.4-tar-gz-asc.txt -/clknetsim-ef2a7a.tar.gz +/chrony-4.5-pre1-tar-gz-asc.txt +/chrony-4.5-pre1.tar.gz +/clknetsim-5d1dc0.tar.gz diff --git a/chrony.spec b/chrony.spec index 0a0bb92..c72af99 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver ef2a7a +%global clknetsim_ver 5d1dc0 +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.4 +Version: 4.5 Release: 1%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index 1c8d2e0..7493175 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.4.tar.gz) = 45e060eb0c5892552f28dc436429e5823409cc93533127af27b64d08ff9c769fdc72694272232114f5ca1884c2bc8b5e842fae7956dc457358e937bcd3dda4d7 -SHA512 (chrony-4.4-tar-gz-asc.txt) = bb795b428567434937cbf3a12c559b549b89abe65010d04eed0fbdcfde35e7266771ea01c2c5581f3e5fae993f1782fff5a62c5ae09259d2b65dab9473d756a3 -SHA512 (clknetsim-ef2a7a.tar.gz) = 55196099d975d635fcba7dce9e1bc42efe0aee25777c9ff0bc996e300922e70542ea784a78814dc888c2f7f281e9d7db68c893e2d3138e92fbc3fb1e64e7e2b6 +SHA512 (chrony-4.5-pre1-tar-gz-asc.txt) = 60030c572957afe2289ca3f20efaf92267d3f6eca1e8c220f9b24bcfacbfc830304151d47c048bdcb1972a6ed9c84e7e435fafd4276080ecb253b991087ce20f +SHA512 (chrony-4.5-pre1.tar.gz) = 1be4beb1257baf08a6c35613a5c547837f63aeab0f06b87dff1acdd912a49f79b276f376af7737c6d44bf6ba974829dddddee5e9153828abf90f828e749d8f6e +SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 
From 69e59ad695b88de1b38afb618e91cdff12e9989a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Nov 2023 14:45:44 +0100 Subject: [PATCH 19/57] 4.5-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c72af99..e13c68d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.5 -Release: 1%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Nov 22 2023 Miroslav Lichvar 4.5-0.1.pre1 +- update to 4.5-pre1 + * Wed Aug 09 2023 Miroslav Lichvar 4.4-1 - update to 4.4 - require tzdata (#2218368) From 9bca6ebe57a0846ff27e7495ad4ea1fa4d5a0c2b Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 5 Dec 2023 15:20:20 +0100 Subject: [PATCH 20/57] update to 4.5 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 9b297b0..ca5815e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.5-pre1-tar-gz-asc.txt -/chrony-4.5-pre1.tar.gz +/chrony-4.5.tar.gz +/chrony-4.5-tar-gz-asc.txt /clknetsim-5d1dc0.tar.gz diff --git a/chrony.spec b/chrony.spec index e13c68d..a151383 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 %global clknetsim_ver 5d1dc0 -%global prerelease -pre1 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 7493175..0f64136 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.5-pre1-tar-gz-asc.txt) = 60030c572957afe2289ca3f20efaf92267d3f6eca1e8c220f9b24bcfacbfc830304151d47c048bdcb1972a6ed9c84e7e435fafd4276080ecb253b991087ce20f -SHA512 (chrony-4.5-pre1.tar.gz) = 1be4beb1257baf08a6c35613a5c547837f63aeab0f06b87dff1acdd912a49f79b276f376af7737c6d44bf6ba974829dddddee5e9153828abf90f828e749d8f6e +SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 +SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 From 17bd1206e37eb9f6eefa18fe8102b2752eb3e15e Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 5 Dec 2023 15:23:50 +0100 Subject: [PATCH 21/57] 4.5-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index a151383..e4e6820 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Dec 05 2023 Miroslav Lichvar 4.5-1 +- update to 4.5 + * Wed Nov 22 2023 Miroslav Lichvar 4.5-0.1.pre1 - update to 4.5-pre1 From 396d15c284b65cc88840488e2b72ca4696159ed8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 9 Jan 2024 16:50:44 +0100 Subject: [PATCH 22/57] update clknetsim source --- chrony.spec | 4 ++-- sources | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index e4e6820..b160209 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -20,7 +20,7 @@ Source2: https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B Source3: chrony.dhclient Source4: chrony.sysusers # simulator for test suite -Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz +Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} # add distribution-specific bits to DHCP dispatcher @@ -94,7 +94,7 @@ sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' # regenerate the file from getdate.y rm -f getdate.c -mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim +mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build %configure \ diff --git a/sources b/sources index 0f64136..970d87e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb -SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 +SHA512 (clknetsim-5d1dc0.tar.gz) = 7d542443d7d9334d900cee821207fab1ee87e57fda6580a9d894f65fb36d265fdc4a72022b4293134d54cdeffba7e84d2f68f732f4b228b84d846d8668b314b2 From 9cedf747bf723bba78cec22f32b236a1b3b4aa87 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 15:25:29 +0000 Subject: [PATCH 23/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index b160209..c806558 100644 --- a/chrony.spec +++ b/chrony.spec 
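Review bot: The new `Source10` URL names the `master` branch rather than the commit in `%{clknetsim_ver}`, so the URL alone does not identify what was downloaded. The only pin on the simulator archive is the SHA512 in `sources`, which this commit changes for the unchanged file name `clknetsim-5d1dc0.tar.gz`. `%{gpgverify}` in %prep is given `%{SOURCE0}` only, while the simulator is compiled and run in %check, so that checksum is the whole integrity story for this input. I would record this above the line, `# archive of master at the clknetsim_ver commit; pinned only by the SHA512 in 'sources', not covered by gpgverify`, and use the commit as the ref in the URL if the forge serves archives by commit. The `mv clknetsim-*-%{clknetsim_ver}*` change in the second hunk looks like it would fail on an archive taken from a different commit, which helps, but it is a glob match and not a verification step.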
@@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Tue Dec 05 2023 Miroslav Lichvar 4.5-1 - update to 4.5 From 2484d4001eaa7d8378f1a4f97171ac58a01b68c4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 23 Jan 2024 01:36:12 +0000 Subject: [PATCH 24/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c806558..51a9c3a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jan 23 2024 Fedora Release Engineering - 4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Jan 19 2024 Fedora Release Engineering - 4.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 5d030eca6da200ac89e44d66728a7623b8b8ad15 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 19:17:25 +0000 Subject: [PATCH 25/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 51a9c3a..5401be6 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
@@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 4.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Tue Jan 23 2024 Fedora Release Engineering - 4.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 2aac4c014b2cb70255833115cbfb4bc759ea8eb2 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 30 Jul 2024 14:52:18 +0200 Subject: [PATCH 26/57] update to 4.6-pre1 --- .gitignore | 6 +++--- chrony.spec | 13 +++++++------ sources | 6 +++--- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index ca5815e..55c253a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.5.tar.gz -/chrony-4.5-tar-gz-asc.txt -/clknetsim-5d1dc0.tar.gz +/chrony-4.6-pre1.tar.gz +/chrony-4.6-pre1-tar-gz-asc.txt +/clknetsim-633a0b.tar.gz diff --git a/chrony.spec b/chrony.spec index 5401be6..d43f3be 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 5d1dc0 +%global clknetsim_ver 633a0b +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.5 +Version: 4.6 Release: 4%{?dist} Summary: An NTP client/server @@ -34,7 +35,7 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?systemd_requires} %{?sysusers_requires_compat} -# Needed by the leapsectz directive in default chrony.conf +# Needed by the leapseclist directive in default chrony.conf Requires: tzdata # Old NetworkManager expects the dispatcher scripts in a different place 
@@ -65,7 +66,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service - 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 + 826354a2d467d6147e412d43bfe07484 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline @@ -78,10 +79,10 @@ test -n "%{vendorzone}" # use example chrony.conf as the default config with some modifications: # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses) -# - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata +# - enable leapseclist to get TAI-UTC offset and leap seconds # - use NTP servers from DHCP sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ - -e 's|#\(leapsectz\)|\1|' \ + -e 's|#\(leapseclist\)|\1|' \ -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \ < examples/chrony.conf.example2 > chrony.conf diff --git a/sources b/sources index 970d87e..e895b1c 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 -SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb -SHA512 (clknetsim-5d1dc0.tar.gz) = 7d542443d7d9334d900cee821207fab1ee87e57fda6580a9d894f65fb36d265fdc4a72022b4293134d54cdeffba7e84d2f68f732f4b228b84d846d8668b314b2 +SHA512 (chrony-4.6-pre1.tar.gz) = 9d978b359ac4a6d6859f0fb2d3b6d3ed455838c2dc31d3db1b15b360a62d4f2d8dce71d1e67648658407121020880cd545a4eeb69d0df88475db778851c15cb4 +SHA512 (chrony-4.6-pre1-tar-gz-asc.txt) = c6c7147e63fc19153e230fa81e6207a08b66da39a2156dd1d26d2435abb530210d4effcd8273ee6f3eede5ef0e29d33a601190ac41881f2d65a84a51e9070211 +SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 From 02f36b402e2900050abfea5a93e23c49c3d31672 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 30 Jul 2024 14:52:53 +0200 Subject: [PATCH 27/57] 4.6-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index d43f3be..6e86955 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.6 -Release: 4%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jul 30 2024 Miroslav Lichvar 4.6-0.1.pre1 +- update to 4.6-pre1 + * Wed Jul 17 2024 Fedora Release Engineering - 4.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 60a3986f3a58bac2d6cb7956d790103a52d858cd Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 2 Sep 2024 15:15:35 +0200 Subject: [PATCH 28/57] update to 4.6 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 55c253a..bde5491 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6-pre1.tar.gz -/chrony-4.6-pre1-tar-gz-asc.txt +/chrony-4.6.tar.gz +/chrony-4.6-tar-gz-asc.txt /clknetsim-633a0b.tar.gz diff --git a/chrony.spec b/chrony.spec index 6e86955..03a40e9 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 %global clknetsim_ver 633a0b -%global prerelease -pre1 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index e895b1c..5265d98 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.6-pre1.tar.gz) = 9d978b359ac4a6d6859f0fb2d3b6d3ed455838c2dc31d3db1b15b360a62d4f2d8dce71d1e67648658407121020880cd545a4eeb69d0df88475db778851c15cb4 -SHA512 (chrony-4.6-pre1-tar-gz-asc.txt) = c6c7147e63fc19153e230fa81e6207a08b66da39a2156dd1d26d2435abb530210d4effcd8273ee6f3eede5ef0e29d33a601190ac41881f2d65a84a51e9070211 +SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd +SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 From 0ba6e157c2d66353426798a3ca7938a29d10dcb8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 2 Sep 2024 15:16:32 +0200 Subject: [PATCH 29/57] 4.6-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 03a40e9..62acd40 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -9,7 +9,7 @@ Name: chrony Version: 4.6 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Sep 02 2024 Miroslav Lichvar 4.6-1 +- update to 4.6 + * Tue Jul 30 2024 Miroslav Lichvar 4.6-0.1.pre1 - update to 4.6-pre1 From bf7e96a93b94fecec55462ce210d8c1458b11ea6 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 2 Sep 2024 16:28:18 +0200 Subject: [PATCH 30/57] update clknetsim to fix %check on i686 --- .gitignore | 2 +- chrony.spec | 2 +- sources | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index bde5491..c02a352 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ /chrony-4.6.tar.gz /chrony-4.6-tar-gz-asc.txt -/clknetsim-633a0b.tar.gz +/clknetsim-64df92.tar.gz diff --git a/chrony.spec b/chrony.spec index 62acd40..98445d3 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 633a0b +%global clknetsim_ver 64df92 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 5265d98..d1a6a50 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db -SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 +SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 From 73179b1fbd3f2e049997a996781663b4ecb1ad87 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 2 Sep 2024 16:29:00 +0200 Subject: [PATCH 31/57] 4.6-1 From 9999104b0943393d25de12a148cbdb03d8b4d649 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Oct 2024 15:39:55 +0200 Subject: [PATCH 32/57] update to 4.6.1 --- .gitignore | 4 ++-- chrony.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index c02a352..04fffa0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6.tar.gz -/chrony-4.6-tar-gz-asc.txt +/chrony-4.6.1.tar.gz +/chrony-4.6.1-tar-gz-asc.txt /clknetsim-64df92.tar.gz diff --git a/chrony.spec b/chrony.spec index 98445d3..125cc4a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -8,7 +8,7 @@ %endif Name: chrony -Version: 4.6 +Version: 4.6.1 Release: 1%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index d1a6a50..a3dab97 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd -SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db +SHA512 (chrony-4.6.1.tar.gz) = 646ae08f2587366236796f2399d8ab3eb570979e0d82f5d13f5cec49939054c876cc93dc20c8d38e105fd3500e1720d05a223a15076783cd882d0de43afd9c7e +SHA512 (chrony-4.6.1-tar-gz-asc.txt) = 992b706636bf3a7eb6d502562a4990c9d8e20e5f3011d2cdb2ceb32220e9a1c2bfa6eca767212cee49b811823872602dc33f9e7201a7f9a93cc9c90e81b1db49 SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 From efe2d99a073e9515ac7fe6145f33c9247539b432 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Oct 2024 15:42:45 +0200 Subject: [PATCH 33/57] 4.6.1-1 --- chrony.spec | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/chrony.spec b/chrony.spec index 125cc4a..391bff2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Oct 08 2024 Miroslav Lichvar 4.6.1-1 +- update to 4.6.1 + * Mon Sep 02 2024 Miroslav Lichvar 4.6-1 - update to 4.6 From 0aae5f7bf1ce7d871adec9ab714299a69b03ad57 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 13:43:18 +0000 Subject: [PATCH 34/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 391bff2..3a4449a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.6.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 4.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Tue Oct 08 2024 Miroslav Lichvar 4.6.1-1 - update to 4.6.1 From 18b59b582787633bac1fe86ec032536c38485d0c Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Tue, 1 Oct 2024 12:13:30 +0200 Subject: [PATCH 35/57] Update plans and gating --- gating.yaml | 14 +++++------- plans.fmf | 47 ++++++++++++++++++++++++++++++++++++++++ plans/public.fmf | 6 ----- plans/tier1-internal.fmf | 12 ---------- 4 files changed, 53 insertions(+), 26 deletions(-) create mode 100644 plans.fmf delete mode 100644 plans/public.fmf delete mode 100644 plans/tier1-internal.fmf diff --git a/gating.yaml b/gating.yaml index de5c323..1b16508 100644 --- a/gating.yaml +++ b/gating.yaml 
@@ -4,8 +4,8 @@ product_versions: decision_context: bodhi_update_push_testing subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} - + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + #Rawhide --- !Policy product_versions: @@ -13,15 +13,13 @@ product_versions: decision_context: bodhi_update_push_stable subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} - + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + #gating rhel --- !Policy product_versions: - rhel-* decision_context: osci_compose_gate rules: - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional} - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation} - - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} - - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/public.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} \ No newline at end of file diff --git a/plans.fmf b/plans.fmf new file mode 100644 index 0000000..661c046 --- /dev/null +++ b/plans.fmf 
@@ -0,0 +1,47 @@ +/tier1-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier1/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/tier1-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier1/public + +/tier2-tier3-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier2-tier3/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/tier2-tier3-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier2-tier3/public + +/others-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/others/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/others-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/others/public diff --git a/plans/public.fmf b/plans/public.fmf deleted file mode 100644 index cff1391..0000000 --- a/plans/public.fmf +++ /dev/null @@ -1,6 +0,0 @@ -summary: Test plan with all Fedora tests -discover: - how: fmf - url: https://src.fedoraproject.org/tests/chrony.git -execute: - how: tmt diff --git a/plans/tier1-internal.fmf b/plans/tier1-internal.fmf deleted file mode 100644 index 9714336..0000000 --- a/plans/tier1-internal.fmf +++ /dev/null @@ -1,12 +0,0 @@ -summary: CI plan, picks internal Tier1 tests, runs in beakerlib. -discover: - - name: rhel - how: fmf - filter: 'tier: 1' - url: git://pkgs.devel.redhat.com/tests/chrony -execute: - how: tmt -adjust: - enabled: false - when: distro == centos-stream, fedora - because: They don't have access to internal repos. From 8f77afe47e9dd596174ba2ed6a4914efea889189 Mon Sep 17 00:00:00 2001 
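Review bot: Every `import:` in the new plans.fmf gives only `url` and `name`, so the plans that gating.yaml requires in this same commit (`/plans/tier1-public`, `/plans/tier1-internal`) run whatever the remote tests repository's default branch holds at test time. Adding a `ref:` key under each `import:` that names a reviewed tag or commit, e.g. `ref: <reviewed-tag-or-commit>` (placeholder), would make a gate result reproducible and keep a change in the external repository from silently altering what the gate checks. The same point applies to the hunks in PATCH 42/57 that repoint these URLs to `https://gitlab.com/redhat/centos-stream/tests/chrony.git`.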
From: Miroslav Lichvar Date: Wed, 21 May 2025 14:45:46 +0200 Subject: [PATCH 36/57] update to 4.7-pre1 --- .gitignore | 6 +++--- chrony.spec | 9 +++++---- sources | 6 +++--- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 04fffa0..96c8228 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6.1.tar.gz -/chrony-4.6.1-tar-gz-asc.txt -/clknetsim-64df92.tar.gz +/chrony-4.7-pre1-tar-gz-asc.txt +/chrony-4.7-pre1.tar.gz +/clknetsim-d60afc.tar.gz diff --git a/chrony.spec b/chrony.spec index 3a4449a..063693c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 64df92 +%global clknetsim_ver d60afc +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.6.1 +Version: 4.7 Release: 2%{?dist} Summary: An NTP client/server @@ -69,8 +70,8 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - c11159b78b89684eca773db6236a9855 examples/chronyd.service - 46fa3e2d42c8eb9c42e71095686c90ed examples/chronyd-restricted.service + 274a44cd51981d6d4d3a44dfc92c94ab examples/chronyd.service + 5ddbb8a8055f587cb6b0b462ca73ea46 examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone diff --git a/sources b/sources index a3dab97..4931309 100644 --- a/sources +++ b/sources 
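Review bot: The two digests updated in the `md5sum -c` block of chrony.spec (examples/chronyd.service and examples/chronyd-restricted.service) only work as a prompt to re-read the upstream unit files, and nothing in the spec says that this is all they are for. MD5 is acceptable for such a change tripwire only because tarball authenticity is presumably established separately through the Source1 signature (that verification step is outside this hunk). I would state that above the heredoc, e.g. `# change tripwire only, not an integrity check; the tarball is authenticated via Source1`. Moving the block to `sha256sum -c` would also stop the weak digest being mistaken for a security control. The heredoc starts and ends outside the hunk.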
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.6.1.tar.gz) = 646ae08f2587366236796f2399d8ab3eb570979e0d82f5d13f5cec49939054c876cc93dc20c8d38e105fd3500e1720d05a223a15076783cd882d0de43afd9c7e -SHA512 (chrony-4.6.1-tar-gz-asc.txt) = 992b706636bf3a7eb6d502562a4990c9d8e20e5f3011d2cdb2ceb32220e9a1c2bfa6eca767212cee49b811823872602dc33f9e7201a7f9a93cc9c90e81b1db49 -SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 +SHA512 (chrony-4.7-pre1-tar-gz-asc.txt) = 6180dfede6bc2d11b4b8a9f2708b306faecdf2f6c92552c52c222b8fe09210aa770ec28c9272a1105ea6716e66553e606dbb00077bce061c6faaf65e1ce2bbf9 +SHA512 (chrony-4.7-pre1.tar.gz) = 9f83887d9771a409edd812046a4b1b7e11966d02a99806d48442a52441ee41a7043a75987e29414b04ddb8ff82dedd0b7646135961f6532cc173c52c01c600c1 +SHA512 (clknetsim-d60afc.tar.gz) = 9fff0dc7c089169158926741860c933fa4fc6eda68c100a54ead137b294ec94b0a6fccb0e3f86abfed274b38621e89b49f3e1ad96fd9bed48a79fabcc0d0ba5f From 3b9d8b1213423834a2e59e5831b2ee429216961a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 May 2025 14:47:16 +0200 Subject: [PATCH 37/57] 4.7-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 063693c..144ff7c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.7 -Release: 2%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed May 21 2025 Miroslav Lichvar 4.7-0.1.pre1 +- update to 4.7-pre1 + * Thu Jan 16 2025 Fedora Release Engineering - 4.6.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 5d99ee337f23f4e09fa4f7f669fa007629176ad9 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Thu, 22 May 2025 14:40:19 +0200 Subject: [PATCH 38/57] add workaround for broken build on aarch64 --- chrony.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/chrony.spec b/chrony.spec index 144ff7c..1f023cb 100644 --- a/chrony.spec +++ b/chrony.spec @@ -98,6 +98,10 @@ rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build +%ifarch aarch64 +# workaround for bug #2367978 +CFLAGS="$RPM_OPT_FLAGS -fno-inline" +%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ From 969143e1d65cdfd02a88360aed91f0f6adc6c324 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 22 May 2025 14:40:43 +0200 Subject: [PATCH 39/57] 4.7-0.2.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 1f023cb..34ffc37 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.7 -Release: 0.1.pre1%{?dist} +Release: 0.2.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -210,6 +210,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu May 22 2025 Miroslav Lichvar 4.7-0.2.pre1 +- add workaround for broken build on aarch64 + * Wed May 21 2025 Miroslav Lichvar 4.7-0.1.pre1 - update to 4.7-pre1 From d17bcd6d55f045f7ea7924dcd6d4c9b060bbf9e2 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 11 Jun 2025 15:46:31 +0200 Subject: [PATCH 40/57] update to 4.7 --- .gitignore | 6 +++--- chrony.spec | 5 ++--- sources | 6 +++--- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 96c8228..2414820 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.7-pre1-tar-gz-asc.txt -/chrony-4.7-pre1.tar.gz -/clknetsim-d60afc.tar.gz +/chrony-4.7.tar.gz +/chrony-4.7-tar-gz-asc.txt +/clknetsim-83cf9c.tar.gz diff --git a/chrony.spec b/chrony.spec index 34ffc37..440c600 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -1,6 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver d60afc -%global prerelease -pre1 +%global clknetsim_ver 83cf9c %bcond_without debug %bcond_without nts @@ -66,7 +65,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service - 826354a2d467d6147e412d43bfe07484 examples/chrony.conf.example2 + 3f2ddca6065c3e8f4565d7422739795a examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline diff --git a/sources b/sources index 4931309..f03173e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.7-pre1-tar-gz-asc.txt) = 6180dfede6bc2d11b4b8a9f2708b306faecdf2f6c92552c52c222b8fe09210aa770ec28c9272a1105ea6716e66553e606dbb00077bce061c6faaf65e1ce2bbf9 -SHA512 (chrony-4.7-pre1.tar.gz) = 9f83887d9771a409edd812046a4b1b7e11966d02a99806d48442a52441ee41a7043a75987e29414b04ddb8ff82dedd0b7646135961f6532cc173c52c01c600c1 -SHA512 (clknetsim-d60afc.tar.gz) = 9fff0dc7c089169158926741860c933fa4fc6eda68c100a54ead137b294ec94b0a6fccb0e3f86abfed274b38621e89b49f3e1ad96fd9bed48a79fabcc0d0ba5f +SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623 +SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1 +SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9 From fcb1dcbf532fec8ef5dbd6d3492125d233863e3b Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 11 Jun 2025 15:51:50 +0200 Subject: [PATCH 41/57] 4.7-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 440c600..775150a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 0.2.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -209,6 +209,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jun 11 2025 Miroslav Lichvar 4.7-1 +- update to 4.7 + * Thu May 22 2025 Miroslav Lichvar 4.7-0.2.pre1 - add workaround for broken build on aarch64 From 0de03083074a9787d1848551e5c44d0dd9db6814 Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Wed, 18 Jun 2025 20:38:17 +0200 Subject: [PATCH 42/57] Testing moves to RH gitlab centos-stream space --- plans.fmf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/plans.fmf b/plans.fmf index 661c046..c28aa6f 100644 --- a/plans.fmf +++ b/plans.fmf @@ -1,7 +1,7 @@ /tier1-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier1/internal adjust: enabled: false @@ -11,13 +11,13 @@ /tier1-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier1/public /tier2-tier3-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier2-tier3/internal adjust: enabled: false 
@@ -27,13 +27,13 @@ /tier2-tier3-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier2-tier3/public /others-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/others/internal adjust: enabled: false @@ -43,5 +43,5 @@ /others-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/others/public From 70a42e2391e14b3a9294e7f7c3cd162a6c244b1d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 11:49:16 +0200 Subject: [PATCH 43/57] drop old conflict with NetworkManager --- chrony.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index 775150a..e7467b5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -37,9 +37,6 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 # Needed by the leapseclist directive in default chrony.conf Requires: tzdata -# Old NetworkManager expects the dispatcher scripts in a different place -Conflicts: NetworkManager < 1.20 - # suggest drivers for hardware reference clocks Suggests: ntp-refclock From 53321f84b8e15e39e3483fcc5f396bc4e4244e42 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 13:22:54 +0200 Subject: [PATCH 44/57] let systemd create /var/lib/chrony and /var/log/chrony (#2372944) Specify the directories in the chronyd unit file, so they don't have to exist before starting the service and rpm doesn't need to create any non-root directories/files. --- chrony-servicedirs.patch | 18 ++++++++++++++++++ chrony.spec | 9 ++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 chrony-servicedirs.patch diff --git a/chrony-servicedirs.patch b/chrony-servicedirs.patch new file mode 100644 index 0000000..e806dc9 --- /dev/null +++ b/chrony-servicedirs.patch 
@@ -0,0 +1,18 @@ +diff -up chrony-4.7/examples/chronyd.service.servicedirs chrony-4.7/examples/chronyd.service +--- chrony-4.7/examples/chronyd.service.servicedirs 2025-06-11 15:06:19.000000000 +0200 ++++ chrony-4.7/examples/chronyd.service 2025-07-10 12:06:57.354215498 +0200 +@@ -10,7 +10,13 @@ Type=notify + PIDFile=/run/chrony/chronyd.pid + Environment="OPTIONS=" + EnvironmentFile=-/etc/sysconfig/chronyd +-ExecStart=/usr/sbin/chronyd -n $OPTIONS ++ExecStart=!/usr/sbin/chronyd -n $OPTIONS ++ ++User=chrony ++LogsDirectory=chrony ++LogsDirectoryMode=0750 ++StateDirectory=chrony ++StateDirectoryMode=0750 + + CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE + CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE diff --git a/chrony.spec b/chrony.spec index e7467b5..c038549 100644 --- a/chrony.spec +++ b/chrony.spec @@ -25,6 +25,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# let systemd create /var/lib/chrony and /var/log/chrony +Patch2: chrony-servicedirs.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -56,6 +58,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp +%patch -P 2 -p1 -b .servicedirs %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -66,7 +69,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 274a44cd51981d6d4d3a44dfc92c94ab examples/chronyd.service + 607c82f56639486f52c31105632909eb examples/chronyd.service 5ddbb8a8055f587cb6b0b462ca73ea46 examples/chronyd-restricted.service EOF 
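Review bot: `User=chrony` next to `ExecStart=!/usr/sbin/chronyd -n $OPTIONS` in chrony-servicedirs.patch reads as if the daemon were started unprivileged, but the `!` prefix tells systemd not to apply User= to that command. chronyd is therefore still started as root and presumably drops to the chrony user itself (the spec configures `--with-user=chrony`). The unit has no comment saying that User= is present so that LogsDirectory= and StateDirectory= are created owned by chrony. I would add above it `# User= only sets the owner of LogsDirectory/StateDirectory; "!" keeps ExecStart exempt from it so chronyd drops root itself`. Without that, a later cleanup that removes either the `!` or the `User=` line changes the daemon's starting privileges or the directory ownership without the reason being visible.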
@@ -200,10 +203,10 @@ fi %{_unitdir}/chrony*.service %{_sysusersdir}/chrony.conf %{_mandir}/man[158]/%{name}*.[158]* -%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony +%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc -%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony +%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog * Wed Jun 11 2025 Miroslav Lichvar 4.7-1 From 98c501e504b72d90c688982295bfb850f955d74a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 14:02:11 +0200 Subject: [PATCH 45/57] drop workaround for broken build on aarch64 --- chrony.spec | 4 ---- 1 file changed, 4 deletions(-) diff --git a/chrony.spec b/chrony.spec index c038549..6d8a713 100644 --- a/chrony.spec +++ b/chrony.spec @@ -97,10 +97,6 @@ rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build -%ifarch aarch64 -# workaround for bug #2367978 -CFLAGS="$RPM_OPT_FLAGS -fno-inline" -%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ From 58b9f12d345dde8b0eca270f97325b4e1f6df115 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 14:02:56 +0200 Subject: [PATCH 46/57] 4.7-2 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 6d8a713..887c864 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
@@ -205,6 +205,11 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Jul 10 2025 Miroslav Lichvar 4.7-2 +- let systemd create /var/lib/chrony and /var/log/chrony (#2372944) +- drop workaround for broken build on aarch64 +- drop old conflict with NetworkManager + * Wed Jun 11 2025 Miroslav Lichvar 4.7-1 - update to 4.7 From 71344384222ce47b080842ea020f1124d066ef7c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:17:48 +0000 Subject: [PATCH 47/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 887c864..410ce4b 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Thu Jul 10 2025 Miroslav Lichvar 4.7-2 - let systemd create /var/lib/chrony and /var/log/chrony (#2372944) - drop workaround for broken build on aarch64 From 1db87bbe8dd549a2b29a496f63b5cb39a2000ac8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 14 Aug 2025 16:32:02 +0200 Subject: [PATCH 48/57] update to 4.8-pre1 --- .gitignore | 6 +++--- chrony.spec | 5 +++-- sources | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 2414820..bdfdbf2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.7.tar.gz -/chrony-4.7-tar-gz-asc.txt -/clknetsim-83cf9c.tar.gz +/chrony-4.8-pre1-tar-gz-asc.txt +/chrony-4.8-pre1.tar.gz +/clknetsim-a2eb0b258f8b.tar.gz diff --git a/chrony.spec b/chrony.spec index 410ce4b..aa51417 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 83cf9c +%global prerelease -pre1 +%global clknetsim_ver a2eb0b258f8b %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.7 +Version: 4.8 Release: 3%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index f03173e..bdf667b 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623 -SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1 -SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9 +SHA512 (chrony-4.8-pre1-tar-gz-asc.txt) = 0daafd987e46d720c42bbe4de13f5a293feabb3e239c9caf90146197b8444504cf45efc2078f431e745fae52e222937f9d48da496b091372fe4301a3f8726983 +SHA512 (chrony-4.8-pre1.tar.gz) = 2e76fd523fbeaa31bcbecbe2a16105e4fa103751753f0d05e2d2fcfaed62dbd4e023b559e97a44b28756b3ae7bc5d0873a787f09eb760da6a00d8184eedc03ad +SHA512 (clknetsim-a2eb0b258f8b.tar.gz) = 88996d4652b73b603caf9387b030c8406e7bc015443bb4b348c4a626882a0b42398dbcefa971fc8ba02dcdc0a79171ea63cadc13c518961b66901fecbee7c8e3 From 283f2dad2f7e8f492a7582b83106c8bec90aa9e0 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 14 Aug 2025 16:33:01 +0200 Subject: [PATCH 49/57] 4.8-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index aa51417..c5d2aaa 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.8 -Release: 3%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
@@ -206,6 +206,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 +- update to 4.8-pre1 + * Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From b9e07af77919a639d95c7ae1b533c3865f6c1b9e Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 27 Aug 2025 14:47:58 +0200 Subject: [PATCH 50/57] update to 4.8 --- .gitignore | 6 +++--- chrony.spec | 3 +-- sources | 6 +++--- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index bdfdbf2..4d608e1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.8-pre1-tar-gz-asc.txt -/chrony-4.8-pre1.tar.gz -/clknetsim-a2eb0b258f8b.tar.gz +/chrony-4.8-tar-gz-asc.txt +/chrony-4.8.tar.gz +/clknetsim-6ee99f50dec8.tar.gz diff --git a/chrony.spec b/chrony.spec index c5d2aaa..708d57b 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 -%global prerelease -pre1 -%global clknetsim_ver a2eb0b258f8b +%global clknetsim_ver 6ee99f50dec8 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index bdf667b..35a8415 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.8-pre1-tar-gz-asc.txt) = 0daafd987e46d720c42bbe4de13f5a293feabb3e239c9caf90146197b8444504cf45efc2078f431e745fae52e222937f9d48da496b091372fe4301a3f8726983 -SHA512 (chrony-4.8-pre1.tar.gz) = 2e76fd523fbeaa31bcbecbe2a16105e4fa103751753f0d05e2d2fcfaed62dbd4e023b559e97a44b28756b3ae7bc5d0873a787f09eb760da6a00d8184eedc03ad -SHA512 (clknetsim-a2eb0b258f8b.tar.gz) = 88996d4652b73b603caf9387b030c8406e7bc015443bb4b348c4a626882a0b42398dbcefa971fc8ba02dcdc0a79171ea63cadc13c518961b66901fecbee7c8e3 +SHA512 (chrony-4.8-tar-gz-asc.txt) = df7f4e06f74a4b8c9a49e8fe57ea02e0324c5683d036412c32192a09f08e08f33537609cef8df0b4302bfcd63332b3092f33f40c8d02857c93ecea13822b5b47 +SHA512 (chrony-4.8.tar.gz) = 949b796bb34db32a5c1b9e6b53be6a22e51c59f24a316d585b8a52a52ab1f61bdf0378dc58b282bb0ba4fac1f05e1e99fbe37cb4259aa2b359e7bf679c176aab +SHA512 (clknetsim-6ee99f50dec8.tar.gz) = 2621d1c44b84b42fcdf644f236ff90dab9f8a8407a138c8719c53dd9c4f21480db3b4ba598116aa1b9d6bd1fa02fc410d85a43baf55ddf8ad47fc09aba4c4477 From fbf4abe9539130145f2c6266b609cc388ed8eb42 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 27 Aug 2025 14:48:58 +0200 Subject: [PATCH 51/57] 4.8-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 708d57b..afe2248 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 27 2025 Miroslav Lichvar 4.8-1 +- update to 4.8 + * Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 - update to 4.8-pre1 From 95665ab0604acc9eb35e821ae580d6af41236047 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 8 Sep 2025 10:06:24 +0200 Subject: [PATCH 52/57] drop root privileges in chronyc by default Use the new configure option added in chrony-4.8 to change the default chronyc user to chrony. If chronyc is started under root, it will switch to the chrony user automatically to minimize impact of potential security issues. This shouldn't be visible to the user, but if for some reason the original behavior is required, "-u root" can be added to the chronyc command line. --- chrony.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/chrony.spec b/chrony.spec index afe2248..02fc8a8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -105,6 +105,7 @@ mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \ + --with-chronyc-user=chrony \ --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-pidfile=/run/chrony/chronyd.pid \ From 9c685eb118a6f049a5a253cd9b76daf008a2dd3a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 8 Sep 2025 10:10:54 +0200 Subject: [PATCH 53/57] 4.8-2 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 02fc8a8..5da1033 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Sep 08 2025 Miroslav Lichvar 4.8-2 +- drop root privileges in chronyc by default + * Wed Aug 27 2025 Miroslav Lichvar 4.8-1 - update to 4.8 From 57f2f4a8c160f18d4a544be5ab0f216771368c1c Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Tue, 21 Oct 2025 14:26:44 +0200 Subject: [PATCH 54/57] update seccomp filter for new glibc (#2405310) --- chrony-seccomp.patch | 35 +++++++++++++++++++++++++++++++++++ chrony.spec | 3 +++ 2 files changed, 38 insertions(+) create mode 100644 chrony-seccomp.patch diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch new file mode 100644 index 0000000..af9f775 --- /dev/null +++ b/chrony-seccomp.patch @@ -0,0 +1,35 @@ +commit 03875f1ea5c4c0eeeb30a7d1fc5fdd53236f4ac2 +Author: Miroslav Lichvar +Date: Tue Oct 21 14:06:38 2025 +0200 + + sys_linux: allow ioctl(TCGETS2) in seccomp filter + + Add TCGETS2 to the list of allowed ioctls. It seems to be called by the + latest glibc version from isatty(), which is called from libpcsclite + used by gnutls in an NTS-KE session. + + Include the linux termios header instead of glibc header to get a usable + definition of TCGETS2. + +diff --git a/sys_linux.c b/sys_linux.c +index ca5540f2..e20e459d 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -48,7 +48,7 @@ + #ifdef FEAT_SCFILTER + #include + #include +-#include ++#include + #ifdef FEAT_PPS + #include + #endif +@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL }; + + const static unsigned long ioctls[] = { +- FIONREAD, TCGETS, TIOCGWINSZ, ++ FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ, + #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING) + PTP_EXTTS_REQUEST, PTP_SYS_OFFSET, + #ifdef PTP_PIN_SETFUNC diff --git a/chrony.spec b/chrony.spec index 5da1033..78da102 100644 --- a/chrony.spec +++ b/chrony.spec 
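Review bot: The `ioctls[]` allow-list in SYS_Linux_EnableSystemCallFilter gains `TCGETS2`, but the reason for permitting it is recorded only in the commit message inside chrony-seccomp.patch. A comment at the entry, e.g. `/* TCGETS2: isatty() in newer glibc, reached via libpcsclite/gnutls in an NTS-KE session */`, would keep the justification with the filter, so a later audit can tell which entries are still needed and which can be dropped. The function body and the rest of the array continue outside the hunk.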
@@ -27,6 +27,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% Patch1: chrony-nm-dispatcher-dhcp.patch # let systemd create /var/lib/chrony and /var/log/chrony Patch2: chrony-servicedirs.patch +# update seccomp filter for new glibc +Patch3: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -59,6 +61,7 @@ service to other computers in the network. %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp %patch -P 2 -p1 -b .servicedirs +%patch -P 3 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From ed7a59c023170d91a880b2bd979b5ac8e494e8d0 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 21 Oct 2025 14:34:19 +0200 Subject: [PATCH 55/57] 4.8-3 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 78da102..66a86d5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -209,6 +209,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Oct 21 2025 Miroslav Lichvar 4.8-3 +- update seccomp filter for new glibc (#2405310) + * Mon Sep 08 2025 Miroslav Lichvar 4.8-2 - drop root privileges in chronyc by default From d146c7faa536a1a15e65bcf4270e0f098cb5fdbf Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Oct 2025 14:15:13 +0200 Subject: [PATCH 56/57] fix seccomp fix to build on ppc64 --- chrony-seccomp.patch | 159 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch index af9f775..c8f79ae 100644 --- a/chrony-seccomp.patch +++ b/chrony-seccomp.patch 
@@ -33,3 +33,162 @@ index ca5540f2..e20e459d 100644
 #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
 PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
 #ifdef PTP_PIN_SETFUNC
+commit 3c39afa13c769452d4c340bfc987e229b7c9caeb
+Author: Miroslav Lichvar
+Date: Wed Oct 22 10:53:11 2025 +0200
+
+ sys_linux: fix building with older compilers and some archs
+
+ The recent replacement of with to get
+ TCGETS2 seems to work only with compilers (or C standards) that allow
+ the same structure to be defined multiple times. There is a conflict
+ between and .
+
+ Another problem is that TCGETS2 is not used on some archs like ppc64.
+
+ Switch back to and move TCGETS2 to a list in a separate
+ file where it can be compiled without .
+
+ Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter")
+
+diff --git a/configure b/configure
+index 195b1ed7..ca64475d 100755
+--- a/configure
++++ b/configure
+@@ -808,6 +808,7 @@ then
+ # a time and the async resolver would block the main thread
+ priv_ops="NAME2IPADDRESS RELOADDNS"
+ EXTRA_LIBS="$EXTRA_LIBS -lseccomp"
++ EXTRA_OBJECTS="$EXTRA_OBJECTS sys_linux_scmp.o"
+ fi
+
+ if [ "x$priv_ops" != "x" ]; then
+diff --git a/sys_linux.c b/sys_linux.c
+index e20e459d..89eec950 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -48,7 +48,7 @@
+ #ifdef FEAT_SCFILTER
+ #include
+ #include
+-#include
++#include
+ #ifdef FEAT_PPS
+ #include
+ #endif
+@@ -63,6 +63,7 @@
+ #endif
+
+ #include "sys_linux.h"
++#include "sys_linux_scmp.h"
+ #include "sys_timex.h"
+ #include "conf.h"
+ #include "local.h"
+@@ -615,7 +616,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
+
+ const static unsigned long ioctls[] = {
+- FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
++ FIONREAD, TCGETS, TIOCGWINSZ,
+ #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
+ PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
+ #ifdef PTP_PIN_SETFUNC
+@@ -728,6 +729,14 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0)
+ goto add_failed;
+ }
++
++ /* Allow selected ioctls that need to be specified in a separate
++ file to avoid conflicting headers (e.g. TCGETS2) */
++ for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++) {
++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
++ SCMP_A1(SCMP_CMP_EQ, SYS_Linux_GetExtraScmpIoctl(i))) < 0)
++ goto add_failed;
++ }
+ }
+
+ if (seccomp_load(ctx) < 0)
+diff --git a/sys_linux_scmp.c b/sys_linux_scmp.c
+new file mode 100644
+index 00000000..a907a97d
+--- /dev/null
++++ b/sys_linux_scmp.c
+@@ -0,0 +1,44 @@
++/*
++ chronyd/chronyc - Programs for keeping computer clocks accurate.
++
++ **********************************************************************
++ * Copyright (C) Miroslav Lichvar 2025
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++ *
++ **********************************************************************
++
++ =======================================================================
++
++ Lists of values that are needed in seccomp filters but need to
++ be compiled separately from sys_linux.c due to conflicting headers.
++ */
++
++#include
++
++#include "sys_linux_scmp.h"
++
++unsigned long
++SYS_Linux_GetExtraScmpIoctl(int index)
++{
++ const unsigned long ioctls[] = {
++#ifdef TCGETS2
++ /* Conflict between and */
++ TCGETS2,
++#endif
++ 0
++ };
++
++ return ioctls[index];
++}
+diff --git a/sys_linux_scmp.h b/sys_linux_scmp.h
+new file mode 100644
+index 00000000..62a9d548
+--- /dev/null
++++ b/sys_linux_scmp.h
+@@ -0,0 +1,28 @@
++/*
++ chronyd/chronyc - Programs for keeping computer clocks accurate.
++
++ **********************************************************************
++ * Copyright (C) Miroslav Lichvar 2025
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++ *
++ **********************************************************************
++
++ =======================================================================
++
++ Header file for lists that are needed in seccomp filters but need to
++ be compiled separately from sys_linux.c due to conflicting headers.
++ */
++
++extern unsigned long SYS_Linux_GetExtraScmpIoctl(int index);
From f14345b7112621a85497b2e5e45176f6fa807ec9 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 22 Oct 2025 14:16:17 +0200
Subject: [PATCH 57/57] 4.8-3
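Review bot: `SYS_Linux_GetExtraScmpIoctl()` in the new sys_linux_scmp.c returns `ioctls[index]` without checking `index`, so a negative or past-the-terminator value reads outside the array. The one caller visible here, the new loop in `SYS_Linux_EnableSystemCallFilter` (whose body extends outside the hunk), stops at the 0 terminator, but the function is extern and nothing states that contract. I would bound it before the return with `if (index < 0 || index >= (int)(sizeof (ioctls) / sizeof (ioctls[0]))) return 0;`. Declaring the table `static const` would also avoid rebuilding it on both calls made per loop iteration. A comment on the prototype in sys_linux_scmp.h such as `/* Returns the index-th extra ioctl, or 0 after the last one */` would document the sentinel.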