From c1261a6581497dc311135b699d88a70e60b77b24 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Thu, 21 Mar 2024 11:05:09 +0000 Subject: [PATCH 01/15] sys-kernel/coreos-modules: Sort config symbols Signed-off-by: Jeremi Piotrowski --- .../sys-kernel/coreos-modules/files/commonconfig-6.6 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
index 1d99ee9d60d..aee647d5416 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
@@ -125,14 +125,12 @@ CONFIG_CPU_FREQ_GOV_USERSPACE=m
 CONFIG_CPU_FREQ_STAT=y
 # CONFIG_CROSS_MEMORY_ATTACH is not set
 CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_DES=m
 CONFIG_CRYPTO_FIPS=y
 CONFIG_CRYPTO_GCM=m
 CONFIG_CRYPTO_HMAC=y
-CONFIG_CRYPTO_LZO=m
-# CONFIG_RPCSEC_GSS_KRB5 requires some older crypto modules
 CONFIG_CRYPTO_LIB_DES=m
-CONFIG_CRYPTO_DES=m
-CONFIG_RPCSEC_GSS_KRB5=m
+CONFIG_CRYPTO_LZO=m
 # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
 CONFIG_CRYPTO_SHA1=y
 CONFIG_CRYPTO_USER_API_HASH=m
@@ -280,8 +278,8 @@ CONFIG_INFINIBAND_MTHCA=m
 CONFIG_INFINIBAND_OCRDMA=m
 CONFIG_INFINIBAND_SRP=m
 CONFIG_INFINIBAND_USER_MAD=m
-CONFIG_INIT_STACK_NONE=y
 CONFIG_INITRAMFS_COMPRESSION_ZSTD=y
+CONFIG_INIT_STACK_NONE=y
 CONFIG_INPUT_EVDEV=m
 CONFIG_INPUT_MISC=y
 CONFIG_INPUT_MOUSEDEV=m
@@ -772,6 +770,8 @@ CONFIG_RDS_TCP=m
 CONFIG_REALTEK_PHY=m
 CONFIG_REGULATOR=y
 CONFIG_REGULATOR_FIXED_VOLTAGE=y
+# CONFIG_RPCSEC_GSS_KRB5 requires some older crypto modules
+CONFIG_RPCSEC_GSS_KRB5=m
 CONFIG_RTC_CLASS=y
 CONFIG_RT_GROUP_SCHED=y
 CONFIG_S2IO=m
From ca9dc796164331d96c3f721fe1472e24d71a10e3 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 11:17:39 +0000 Subject: [PATCH 02/15] Import net-misc/chrony ebuild from Gentoo Signed-off-by: Jeremi Piotrowski --- .../portage-stable/net-misc/chrony/Manifest | 10 + .../net-misc/chrony/chrony-4.5.ebuild | 261 ++++++++++++++++++ .../net-misc/chrony/chrony-9999.ebuild | 261 ++++++++++++++++++ .../chrony/files/chrony-2.4-r1.logrotate | 7 + .../files/chrony-3.5-pool-vendor-gentoo.patch | 16 ++ .../files/chrony-4.2-systemd-gentoo.patch | 13 + .../net-misc/chrony/files/chronyd.conf-r3 | 12 + .../net-misc/chrony/files/chronyd.init-r2 | 70 +++++ .../net-misc/chrony/metadata.xml | 44 +++ 9 files changed, 694 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-4.5.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-9999.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-2.4-r1.logrotate create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-3.5-pool-vendor-gentoo.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-4.2-systemd-gentoo.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.conf-r3 create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.init-r2 create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/chrony/metadata.xml diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/Manifest b/sdk_container/src/third_party/portage-stable/net-misc/chrony/Manifest new file mode 100644 index 00000000000..c4c1b3f1dbe --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/Manifest 
@@ -0,0 +1,10 @@ +AUX chrony-2.4-r1.logrotate 131 BLAKE2B 4e649ce1c126639ea73c4e03d42175d1715b1c321544376ff2e48d67ee13bebcf04a8fea56326bf5efe66f568913dc92ff7f16a641ffb39a456e9cdac6004a6c SHA512 e6febb744476be6c83ac086f2054dc2c190b6e1abd2cf20d4187f222b2485817f06c4ad62b8d40fcea3e18a771cf21899fe0a1dafbfb31f5c99da9092d24d79b +AUX chrony-3.5-pool-vendor-gentoo.patch 544 BLAKE2B 5ef7fcea43c59d1da8f3b3a735f1e70565a8437f142f317abe81531c31e934af05eda5e3043f7874bc9b4592d44579ae1827ddba06c514b4b8124c899931ed0f SHA512 0a109e1b8367def620f5089b3fcb92d84e592eb1a2fced2b60f6c9295159a605d9605e837a06e118c8ba8095208da68592fb9cd537937a153d6eecfa0eb35eb4 +AUX chrony-4.2-systemd-gentoo.patch 538 BLAKE2B 70d3bb2a190aa2401ff566dd88d1cace1d3573261819d082863fe310bb16507fcc1497fd31ec24033cb9dbe8356aef416d91b36df6067fd37f4273e59bc4e330 SHA512 62e54e1c16380812b3cf11a84091e134401341a4a64dda806af1a52dfa4158912adc4c2524388956f67a44e095e893ed714a2eee15650080c38ce44d2bc279ec +AUX chronyd.conf-r3 390 BLAKE2B aa193e6bcf62cc305620139b7c198d39358feea7106356083cf1a20bdb8fd4b85bd8cce8cf20ce6839e8788fedc1f94e912ec512193988f83283ceef86d6cfc7 SHA512 ab0bbd07c17e391d068c5a37d5f8d9c8fc2c42add2700869217a95784666bd3f23bebd70942cf11b42c124e0947f68c101153998e89bc61ccb71b30a0187cf0c +AUX chronyd.init-r2 1694 BLAKE2B 5ee55954c8afc2df09291dd7df4c3f1b3a01f97079ae19799a87c0217118c02b24ace0422b1f355fb67d1a0224eacf2104f3b984035f4ac9fa6b41624187d009 SHA512 63d9816017bb13b57c28de4a9d5b8061139d4aea1db5800ec7a4d9e8b2a8f5c5109b556ae5bec5c6d1cc7c4839bd49f12a0046c74fe4d1d11049ead00f1407da +DIST chrony-4.5.tar.gz 620287 BLAKE2B e89665e6ff700805b41f89e9349d280579aebab31a30817512a165da939c8f39dc55ef9a17a50e3d7e298015620667638ab119901a71868a9188093606a95d32 SHA512 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 +DIST chrony-4.5.tar.gz.asc 833 BLAKE2B 
7d680a4f5d86335b067b95cb900761615180701cabae5978d6f924063f7a43748534bb2e4f23cd9cd2e6919ed005014db6d396330fbfb5aa6d5f1c46f3c0c3a0 SHA512 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb +EBUILD chrony-4.5.ebuild 6814 BLAKE2B 392707d5e5dd672eb18159911ad19645ff132cb25ca6ddd102eb17974e492c6370d87b6994ce40dc0191c74b184feba3ac5fe52dd28fe1fd545320841eb02a77 SHA512 699d6e4a24f6b5f0f7c1bcfdce728c3db694ae17684a91ad45d6360c71257db012d24d12bcd83ae3eb0df09c0cfbc23cbf113074894937cef3730baa2c935f43 +EBUILD chrony-9999.ebuild 6822 BLAKE2B 38c6b067e7f07b2045865b83c5064c9b26b02357d1718a8b1e67cb7cbafafac4b1f7425fb957d439c9793b34af4135c5d7d7fe6875394e06ed4c6f9e2f62df35 SHA512 2a2c83c5520ed3d38e9535898aeb6134a9ecda752c8ba5d7a71bea014403b7af758a35f546fd192b3b09b6d5769e9e1fd2eef1d8be9c6b44d34a966a75732e98 +MISC metadata.xml 2353 BLAKE2B c5a7458f2aabf443f01e670cf1e1a578c6d1095b607df07a6a979610f8446ad8fbbbc2b86ca79f8f06b49cfeba1a31cd05b2748c46e2d283863fd43d0b8e7a3a SHA512 1ec4023f55368e03158535d45239572e6bd160d94c85126d3c7d1ddd02fd5743d65ee9ea2bf2e6fbde5b010483928432b5d5848bed03bcc78e9f6924ee189b42 diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-4.5.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-4.5.ebuild new file mode 100644 index 00000000000..f6d81c3f64f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-4.5.ebuild 
@@ -0,0 +1,261 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit edo systemd tmpfiles toolchain-funcs + +DESCRIPTION="NTP client and server programs" +HOMEPAGE="https://chrony-project.org/" + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://gitlab.com/chrony/chrony.git" + inherit git-r3 +else + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/mlichvar.asc + inherit verify-sig + + SRC_URI="https://chrony-project.org/releases/${P/_/-}.tar.gz" + SRC_URI+=" verify-sig? ( https://chrony-project.org/releases/${P/_/-}-tar-gz-asc.txt -> ${P/_/-}.tar.gz.asc )" + + if [[ ${PV} != *_pre* ]] ; then + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv sparc x86" + fi +fi + +S="${WORKDIR}/${P/_/-}" + +LICENSE="GPL-2" +SLOT="0" +IUSE="+caps +cmdmon debug html libtomcrypt +nettle nss +ntp +nts +phc pps +readline +refclock +rtc samba +seccomp +sechash selinux" +# nettle > nss > libtomcrypt in configure +REQUIRED_USE=" + sechash? ( || ( nettle nss libtomcrypt ) ) + nettle? ( !nss ) + nss? ( !nettle ) + libtomcrypt? ( !nettle !nss ) + !sechash? ( !nss ) + !sechash? ( !nts? ( !nettle ) ) +" + +DEPEND=" + caps? ( + acct-group/ntp + acct-user/ntp + sys-libs/libcap + ) + libtomcrypt? ( dev-libs/libtomcrypt:= ) + nettle? ( dev-libs/nettle:= ) + nss? ( dev-libs/nss:= ) + nts? ( net-libs/gnutls:= ) + pps? ( net-misc/pps-tools ) + readline? ( dev-libs/libedit ) + seccomp? ( sys-libs/libseccomp ) +" +RDEPEND=" + ${DEPEND} + selinux? ( sec-policy/selinux-chronyd ) +" +BDEPEND=" + html? ( dev-ruby/asciidoctor ) + nts? ( virtual/pkgconfig ) + sechash? ( + nettle? ( virtual/pkgconfig ) + nss? ( virtual/pkgconfig ) + ) +" + +if [[ ${PV} == 9999 ]] ; then + # Needed for doc generation in 9999 + REQUIRED_USE+=" html" + BDEPEND+=" + app-alternatives/yacc + virtual/w3m + " +else + BDEPEND+=" verify-sig? 
( >=sec-keys/openpgp-keys-mlichvar-20210513 )" +fi + +PATCHES=( + "${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch + "${FILESDIR}"/${PN}-4.2-systemd-gentoo.patch +) + +src_prepare() { + default + + sed -i \ + -e 's:/etc/chrony\.conf:/etc/chrony/chrony.conf:g' \ + doc/* examples/* || die + + cp "${FILESDIR}"/chronyd.conf-r3 "${T}"/chronyd.conf || die +} + +src_configure() { + if ! use caps ; then + sed -i \ + -e 's/ -u ntp//' \ + "${T}"/chronyd.conf examples/chronyd.service || die + fi + + if ! use seccomp ; then + sed -i \ + -e 's/ -F 2//' \ + "${T}"/chronyd.conf examples/chronyd.service || die + fi + + tc-export CC PKG_CONFIG + + # Update from time to time with output from "date +%s" + # on a system that is time-synced. + export SOURCE_DATE_EPOCH=1607976314 + + # Not an autotools generated script + local myconf=( + $(use_enable seccomp scfilter) + + $(usev !caps '--disable-linuxcaps') + $(usev !cmdmon '--disable-cmdmon') + $(usev debug '--enable-debug') + + # USE=readline here means "readline-like functionality" + # chrony only supports libedit in terms of the library providing + # it. 
+ $(usev !readline '--without-editline --disable-readline') + + $(usev !libtomcrypt '--without-tomcrypt') + $(usev !nettle '--without-nettle') + $(usev !nss '--without-nss') + $(usev !ntp '--disable-ntp') + $(usev !nts '--disable-nts') + $(usev !nts '--without-gnutls') + $(usev !phc '--disable-phc') + $(usev !pps '--disable-pps') + $(usev !refclock '--disable-refclock') + $(usev !rtc '--disable-rtc') + $(usev samba '--enable-ntp-signd') + $(usev !sechash '--disable-sechash') + + --chronysockdir="${EPREFIX}/run/chrony" + --docdir="${EPREFIX}/usr/share/doc/${PF}" + --mandir="${EPREFIX}/usr/share/man" + --prefix="${EPREFIX}/usr" + --sysconfdir="${EPREFIX}/etc/chrony" + --with-hwclockfile="${EPREFIX}/etc/adjtime" + --with-pidfile="${EPREFIX}/run/chrony/chronyd.pid" + + ${EXTRA_ECONF} + ) + + # Print the ./configure call + edo ./configure "${myconf[@]}" || die +} + +src_compile() { + if [[ ${PV} == 9999 ]] ; then + # Uses w3m + emake -C doc man txt + fi + + emake all docs $(usev !html 'ADOC=true') +} + +src_install() { + default + + # Compatibility with other distributions who install to /etc/chrony.conf (bug #835461) + dosym -r /etc/chrony/chrony.conf /etc/chrony.conf + + newinitd "${FILESDIR}"/chronyd.init-r2 chronyd + newconfd "${T}"/chronyd.conf chronyd + + insinto /etc/${PN} + newins examples/chrony.conf.example1 chrony.conf + + docinto examples + dodoc examples/*.example* + + newtmpfiles - chronyd.conf <<<"d /run/chrony 0750 $(usex caps 'ntp ntp' 'root root')" + + if use html ; then + docinto html + dodoc doc/*.html + fi + + keepdir /var/{lib,log}/chrony + + if use caps ; then + # Prepare a directory for the chrony.drift file (a la ntpsec) + # Ensures the environment is sane on new installs + # bug #711058 + fowners -R ntp:ntp /var/{lib,log}/chrony + fperms -R 770 /var/lib/chrony + fi + + insinto /etc/logrotate.d + newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony + + systemd_dounit examples/chronyd.service + systemd_dounit examples/chrony-wait.service + 
systemd_enable_ntpunit 50-chrony chronyd.service +} + +pkg_preinst() { + HAD_CAPS=0 + HAD_SECCOMP=0 + HAD_PRE_NEW_SECCOMP_LEVEL=0 + + # See https://dev.gentoo.org/~zmedico/portage/doc/portage.html#package-ebuild-phases-after-2.1.5 + # in "Ebuild Phases" for an explanation of why we need to save the variable beforehand + if has_version 'net-misc/chrony[caps]' ; then + HAD_CAPS=1 + fi + + if has_version 'net-misc/chrony[seccomp]' ; then + HAD_SECCOMP=1 + fi + + if has_version '>=net-misc/chrony-4.1[seccomp]' ; then + # This version introduced a new filter level: -F 2 + # It's a limited set of seccomp filters designed to be 'bare minimum' + HAD_PRE_NEW_SECCOMP_LEVEL=1 + fi +} + +pkg_postinst() { + tmpfiles_process chronyd.conf + + if [[ -n "${REPLACING_VERSIONS}" ]] ; then + if use caps && ! [[ ${HAD_CAPS} -eq 1 ]] ; then + # bug #719876 + ewarn "Please adjust permissions on ${EROOT}/var/{lib,log}/chrony to be owned by ntp:ntp" + ewarn "e.g. chown -R ntp:ntp ${EROOT}/var/{lib,log}/chrony" + ewarn "This is necessary for chrony to drop privileges" + elif ! use caps && [[ ${HAD_CAPS} -eq 0 ]] ; then + ewarn "Please adjust permissions on ${EROOT}/var/{lib,log}/chrony to be owned by root:root" + fi + fi + + # See bug #783915 for general discussion on enabling seccomp filtering + # by default. + local show_seccomp_enable_msg=0 + + # Was seccomp disabled before and now enabled? + if [[ ${HAD_SECCOMP} -eq 0 ]] && use seccomp ; then + show_seccomp_enable_msg=1 + fi + + # Are we coming from an old version without the new 'minimal' filter? + # (-F 2) + if [[ ${HAD_PRE_NEW_SECCOMP_LEVEL} -eq 0 ]] ; then + show_seccomp_enable_msg=1 + fi + + if [[ ${show_seccomp_enable_msg} -eq 1 ]] ; then + elog "To enable seccomp in a stricter mode, please modify:" + elog "- ${EROOT}/etc/conf.d/chronyd for OpenRC" + elog "- systemctl edit chronyd for systemd" + elog "to use -F 1 or -F -1 instead of -F 2 (see man chronyd)" + elog "By default, we now use -F 2 which is a baseline/minimal filter." 
+ fi +} diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-9999.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-9999.ebuild new file mode 100644 index 00000000000..13628d6f3fc --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-9999.ebuild 
@@ -0,0 +1,261 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit edo systemd tmpfiles toolchain-funcs + +DESCRIPTION="NTP client and server programs" +HOMEPAGE="https://chrony-project.org/" + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://gitlab.com/chrony/chrony.git" + inherit git-r3 +else + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/mlichvar.asc + inherit verify-sig + + SRC_URI="https://chrony-project.org/releases/${P/_/-}.tar.gz" + SRC_URI+=" verify-sig? ( https://chrony-project.org/releases/${P/_/-}-tar-gz-asc.txt -> ${P/_/-}.tar.gz.asc )" + + if [[ ${PV} != *_pre* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" + fi +fi + +S="${WORKDIR}/${P/_/-}" + +LICENSE="GPL-2" +SLOT="0" +IUSE="+caps +cmdmon debug html libtomcrypt +nettle nss +ntp +nts +phc pps +readline +refclock +rtc samba +seccomp +sechash selinux" +# nettle > nss > libtomcrypt in configure +REQUIRED_USE=" + sechash? ( || ( nettle nss libtomcrypt ) ) + nettle? ( !nss ) + nss? ( !nettle ) + libtomcrypt? ( !nettle !nss ) + !sechash? ( !nss ) + !sechash? ( !nts? ( !nettle ) ) +" + +DEPEND=" + caps? ( + acct-group/ntp + acct-user/ntp + sys-libs/libcap + ) + libtomcrypt? ( dev-libs/libtomcrypt:= ) + nettle? ( dev-libs/nettle:= ) + nss? ( dev-libs/nss:= ) + nts? ( net-libs/gnutls:= ) + pps? ( net-misc/pps-tools ) + readline? ( dev-libs/libedit ) + seccomp? ( sys-libs/libseccomp ) +" +RDEPEND=" + ${DEPEND} + selinux? ( sec-policy/selinux-chronyd ) +" +BDEPEND=" + html? ( dev-ruby/asciidoctor ) + nts? ( virtual/pkgconfig ) + sechash? ( + nettle? ( virtual/pkgconfig ) + nss? ( virtual/pkgconfig ) + ) +" + +if [[ ${PV} == 9999 ]] ; then + # Needed for doc generation in 9999 + REQUIRED_USE+=" html" + BDEPEND+=" + app-alternatives/yacc + virtual/w3m + " +else + BDEPEND+=" verify-sig? 
( >=sec-keys/openpgp-keys-mlichvar-20210513 )" +fi + +PATCHES=( + "${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch + "${FILESDIR}"/${PN}-4.2-systemd-gentoo.patch +) + +src_prepare() { + default + + sed -i \ + -e 's:/etc/chrony\.conf:/etc/chrony/chrony.conf:g' \ + doc/* examples/* || die + + cp "${FILESDIR}"/chronyd.conf-r3 "${T}"/chronyd.conf || die +} + +src_configure() { + if ! use caps ; then + sed -i \ + -e 's/ -u ntp//' \ + "${T}"/chronyd.conf examples/chronyd.service || die + fi + + if ! use seccomp ; then + sed -i \ + -e 's/ -F 2//' \ + "${T}"/chronyd.conf examples/chronyd.service || die + fi + + tc-export CC PKG_CONFIG + + # Update from time to time with output from "date +%s" + # on a system that is time-synced. + export SOURCE_DATE_EPOCH=1607976314 + + # Not an autotools generated script + local myconf=( + $(use_enable seccomp scfilter) + + $(usev !caps '--disable-linuxcaps') + $(usev !cmdmon '--disable-cmdmon') + $(usev debug '--enable-debug') + + # USE=readline here means "readline-like functionality" + # chrony only supports libedit in terms of the library providing + # it. 
+ $(usev !readline '--without-editline --disable-readline') + + $(usev !libtomcrypt '--without-tomcrypt') + $(usev !nettle '--without-nettle') + $(usev !nss '--without-nss') + $(usev !ntp '--disable-ntp') + $(usev !nts '--disable-nts') + $(usev !nts '--without-gnutls') + $(usev !phc '--disable-phc') + $(usev !pps '--disable-pps') + $(usev !refclock '--disable-refclock') + $(usev !rtc '--disable-rtc') + $(usev samba '--enable-ntp-signd') + $(usev !sechash '--disable-sechash') + + --chronysockdir="${EPREFIX}/run/chrony" + --docdir="${EPREFIX}/usr/share/doc/${PF}" + --mandir="${EPREFIX}/usr/share/man" + --prefix="${EPREFIX}/usr" + --sysconfdir="${EPREFIX}/etc/chrony" + --with-hwclockfile="${EPREFIX}/etc/adjtime" + --with-pidfile="${EPREFIX}/run/chrony/chronyd.pid" + + ${EXTRA_ECONF} + ) + + # Print the ./configure call + edo ./configure "${myconf[@]}" || die +} + +src_compile() { + if [[ ${PV} == 9999 ]] ; then + # Uses w3m + emake -C doc man txt + fi + + emake all docs $(usev !html 'ADOC=true') +} + +src_install() { + default + + # Compatibility with other distributions who install to /etc/chrony.conf (bug #835461) + dosym -r /etc/chrony/chrony.conf /etc/chrony.conf + + newinitd "${FILESDIR}"/chronyd.init-r2 chronyd + newconfd "${T}"/chronyd.conf chronyd + + insinto /etc/${PN} + newins examples/chrony.conf.example1 chrony.conf + + docinto examples + dodoc examples/*.example* + + newtmpfiles - chronyd.conf <<<"d /run/chrony 0750 $(usex caps 'ntp ntp' 'root root')" + + if use html ; then + docinto html + dodoc doc/*.html + fi + + keepdir /var/{lib,log}/chrony + + if use caps ; then + # Prepare a directory for the chrony.drift file (a la ntpsec) + # Ensures the environment is sane on new installs + # bug #711058 + fowners -R ntp:ntp /var/{lib,log}/chrony + fperms -R 770 /var/lib/chrony + fi + + insinto /etc/logrotate.d + newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony + + systemd_dounit examples/chronyd.service + systemd_dounit examples/chrony-wait.service + 
systemd_enable_ntpunit 50-chrony chronyd.service +} + +pkg_preinst() { + HAD_CAPS=0 + HAD_SECCOMP=0 + HAD_PRE_NEW_SECCOMP_LEVEL=0 + + # See https://dev.gentoo.org/~zmedico/portage/doc/portage.html#package-ebuild-phases-after-2.1.5 + # in "Ebuild Phases" for an explanation of why we need to save the variable beforehand + if has_version 'net-misc/chrony[caps]' ; then + HAD_CAPS=1 + fi + + if has_version 'net-misc/chrony[seccomp]' ; then + HAD_SECCOMP=1 + fi + + if has_version '>=net-misc/chrony-4.1[seccomp]' ; then + # This version introduced a new filter level: -F 2 + # It's a limited set of seccomp filters designed to be 'bare minimum' + HAD_PRE_NEW_SECCOMP_LEVEL=1 + fi +} + +pkg_postinst() { + tmpfiles_process chronyd.conf + + if [[ -n "${REPLACING_VERSIONS}" ]] ; then + if use caps && ! [[ ${HAD_CAPS} -eq 1 ]] ; then + # bug #719876 + ewarn "Please adjust permissions on ${EROOT}/var/{lib,log}/chrony to be owned by ntp:ntp" + ewarn "e.g. chown -R ntp:ntp ${EROOT}/var/{lib,log}/chrony" + ewarn "This is necessary for chrony to drop privileges" + elif ! use caps && [[ ${HAD_CAPS} -eq 0 ]] ; then + ewarn "Please adjust permissions on ${EROOT}/var/{lib,log}/chrony to be owned by root:root" + fi + fi + + # See bug #783915 for general discussion on enabling seccomp filtering + # by default. + local show_seccomp_enable_msg=0 + + # Was seccomp disabled before and now enabled? + if [[ ${HAD_SECCOMP} -eq 0 ]] && use seccomp ; then + show_seccomp_enable_msg=1 + fi + + # Are we coming from an old version without the new 'minimal' filter? + # (-F 2) + if [[ ${HAD_PRE_NEW_SECCOMP_LEVEL} -eq 0 ]] ; then + show_seccomp_enable_msg=1 + fi + + if [[ ${show_seccomp_enable_msg} -eq 1 ]] ; then + elog "To enable seccomp in a stricter mode, please modify:" + elog "- ${EROOT}/etc/conf.d/chronyd for OpenRC" + elog "- systemctl edit chronyd for systemd" + elog "to use -F 1 or -F -1 instead of -F 2 (see man chronyd)" + elog "By default, we now use -F 2 which is a baseline/minimal filter." 
+ fi +} diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-2.4-r1.logrotate b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-2.4-r1.logrotate new file mode 100644 index 00000000000..a2cf8feb5b7 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-2.4-r1.logrotate @@ -0,0 +1,7 @@ +/var/log/chrony/*.log { + missingok + sharedscripts + postrotate + /usr/bin/chronyc cyclelogs |grep -v '^200 OK'; exit 0 + endscript +} diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-3.5-pool-vendor-gentoo.patch b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-3.5-pool-vendor-gentoo.patch new file mode 100644 index 00000000000..817a4106738 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-3.5-pool-vendor-gentoo.patch @@ -0,0 +1,16 @@ +- Use the Gentoo pool +- Use the server directive instead of the pool directive so we get four time + sources and not twelve. + +--- a/examples/chrony.conf.example1 ++++ b/examples/chrony.conf.example1 +@@ -1,5 +1,8 @@ + # Use public NTP servers from the pool.ntp.org project. +-pool pool.ntp.org iburst ++server 0.gentoo.pool.ntp.org iburst ++server 1.gentoo.pool.ntp.org iburst ++server 2.gentoo.pool.ntp.org iburst ++server 3.gentoo.pool.ntp.org iburst + + # Record the rate at which the system clock gains/losses time. + driftfile /var/lib/chrony/drift diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-4.2-systemd-gentoo.patch b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-4.2-systemd-gentoo.patch new file mode 100644 index 00000000000..1852cdeb92e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-4.2-systemd-gentoo.patch 
@@ -0,0 +1,13 @@ +diff --git a/examples/chronyd.service b/examples/chronyd.service +index 4fb930e..8df627a 100644 +--- a/examples/chronyd.service ++++ b/examples/chronyd.service +@@ -9,7 +9,7 @@ ConditionCapability=CAP_SYS_TIME + Type=forking + PIDFile=/run/chrony/chronyd.pid + EnvironmentFile=-/etc/sysconfig/chronyd +-ExecStart=/usr/sbin/chronyd $OPTIONS ++ExecStart=/usr/sbin/chronyd $OPTIONS -u ntp -F 2 + + CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE + CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.conf-r3 b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.conf-r3 new file mode 100644 index 00000000000..25a4758954e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.conf-r3 @@ -0,0 +1,12 @@ +# /etc/conf.d/chronyd + +CFGFILE="/etc/chrony/chrony.conf" + +# Configuration dependant options : +# -s - Set system time from RTC if rtcfile directive present +# -r - Reload sample histories if dumponexit directive present +# +# The combination of "-s -r" allows chronyd to perform long term averaging of +# the gain or loss rate across system reboots and shutdowns. + +ARGS=" -u ntp -F 2" diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.init-r2 b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.init-r2 new file mode 100644 index 00000000000..4892a57b163 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.init-r2 
@@ -0,0 +1,70 @@ +#!/sbin/openrc-run +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +depend() { + use dns +} + +checkconfig() { + # Note that /etc/chrony/chrony.keys is *NOT* checked. This + # is because the user may have specified another key + # file, and we don't want to force the user to use that + # exact name for the key file. + if [ ! -f "${CFGFILE}" ] ; then + eerror "Please create ${CFGFILE} and the" + eerror "chrony key file (usually /etc/chrony/chrony.keys)" + eerror "by using the" + eerror "" + eerror " chrony.conf.example" + eerror " chrony.keys.example" + eerror "" + eerror "files (from the documentation directory)" + eerror "as templates." + return 1 + else + # Actually, I tried it, and chrony seems to ignore the pidfile + # option. I'm going to leave it here anyway, since you never + # know if it might be handy + PIDFILE=`awk '/^ *pidfile/{print $2}' "${CFGFILE}"` + [ -z "${PIDFILE}" ] && PIDFILE=/run/chrony/chronyd.pid + fi + return 0 +} + +setxtrarg() { + if [ -c /dev/rtc ]; then + grep -q '^rtcfile' "${CFGFILE}" && ARGS="${ARGS} -s" + fi + grep -q '^dumponexit$' "${CFGFILE}" && ARGS="${ARGS} -r" + return 0 +} + +start() { + checkconfig || return $? + setxtrarg + + [ -n "${PIDFILE}" ] || PIDFILE=/run/chronyd.pid + + ebegin "Starting chronyd" + start-stop-daemon \ + --start \ + --quiet \ + --exec /usr/sbin/chronyd \ + --pidfile "${PIDFILE}" \ + -- -f "${CFGFILE}" ${ARGS} + eend $? "Failed to start chronyd" +} + +stop() { + checkconfig || return $? + + [ -n "${PIDFILE}" ] || PIDFILE=/run/chronyd.pid + + ebegin "Stopping chronyd" + start-stop-daemon \ + --stop \ + --quiet \ + --pidfile "${PIDFILE}" + eend $? "Failed to stop chronyd" +} diff --git a/sdk_container/src/third_party/portage-stable/net-misc/chrony/metadata.xml b/sdk_container/src/third_party/portage-stable/net-misc/chrony/metadata.xml new file mode 100644 index 00000000000..33ac8a4febd --- /dev/null 
+++ b/sdk_container/src/third_party/portage-stable/net-misc/chrony/metadata.xml @@ -0,0 +1,44 @@ + + + + + sam@gentoo.org + Sam James + + + base-system@gentoo.org + Gentoo Base System + + + Chrony is a pair of programs (chronyd and chronyc) which are used to maintain + the accuracy of the system clock on a computer. chronyd has been specifically + written to work well for systems which have only an intermittent (e.g. dial-up) + connection to the network where the NTP servers are. It still works well + in a "permanently connected" mode. + + + Chrony はコンピュータのシステム・クロックの精度を保つために使われるプログラムの + ペア(chronyd と chronyc)です。chronyd は NTP サーバがあるネットワークと断続的な + 接続(e.g. dial-up)しか持たないシステムで機能するよう書かれています。ですが永続的 + な接続でも機能します。 + + + Support for command and monitoring + Get DEBUG_LOG output from chronyd when passing -dd parameter + Install HTML documentation + Use dev-libs/nettle for hash functions or nts + Use dev-libs/nss for hash functions + Support for the Network Time Protocol (NTP) + Support for Network Time Security (NTS). Uses net-libs/gnutls + Support for the PTP (Precision Time Protocol) Hardware Clock (PHC) interface + Support for the Linux Pulse Per Second (PPS) interface + Support for reference clocks + Support for the Linux Real Time Clock interface + Enable support for hashes other than MD5 + Support different hashes via dev-libs/libtomcrypt + + + cpe:/a:chrony_project:chrony + chrony/chrony + + From 2a33badb2ab93419ed537097706776b082812eaf Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 11:19:36 +0000 Subject: [PATCH 03/15] sys-kernel/coreos-modules: Switch PTP support to modules PTP_1588_CLOCK defaults to =y, make it =m explicitly. Switch PTP_1588_CLOCK_KVM to module as well, so tath it doesn't load on non-KVM platforms. Enable PTP_1588_CLOCK_VMW so that PTP timesync to the host is available there as well. We don't need PTP support to be compiled into the kernel, it is not essential for system boot. 
Signed-off-by: Jeremi Piotrowski --- .../sys-kernel/coreos-modules/files/amd64_defconfig-6.6 | 1 + .../sys-kernel/coreos-modules/files/commonconfig-6.6 | 2 ++ 2 files changed, 3 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6
index ccb11c0dbaa..62ab9e73909 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6
@@ -96,6 +96,7 @@ CONFIG_PMIC_OPREGION=y
 # CONFIG_PNP_DEBUG_MESSAGES is not set
 CONFIG_POWERCAP=y
 CONFIG_PREEMPT_VOLUNTARY=y
+CONFIG_PTP_1588_CLOCK_VMW=m
 CONFIG_PVPANIC=y
 CONFIG_PVPANIC_MMIO=m
 CONFIG_SCHED_TRACER=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
index aee647d5416..c676bdc88e9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
@@ -749,6 +749,8 @@ CONFIG_PROC_KCORE=y
 CONFIG_PROFILING=y
 CONFIG_PSI=y
 # CONFIG_PSI_DEFAULT_DISABLED is not set
+CONFIG_PTP_1588_CLOCK=m
+CONFIG_PTP_1588_CLOCK_KVM=m
 CONFIG_QED=m
 CONFIG_QEDE=m
 CONFIG_QEDF=m
From 2814c32bbf2577683875530dcafe5663129f5cf1 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 11:29:04 +0000 Subject: [PATCH 04/15] profiles: Disable readline support for chrony by default We don't care too much for readline support and this avoids pulling libedit into a sysext that wants to ship chrony. Signed-off-by: Jeremi Piotrowski --- .../coreos-overlay/profiles/coreos/targets/generic/package.use | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use index 44fb7c95888..742eca0fb24 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use @@ -47,3 +47,6 @@ app-emulation/open-vm-tools -fuse fuse3 -icu pam -resolutionkms # no suid binaries, please sys-fs/fuse -suid + +# skip dependency for this sysext package +net-misc/chrony -readline From c5efeec607884112f468747cca3638d4be14af6b Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 11:30:56 +0000 Subject: [PATCH 05/15] coreos-devel/board-packages: Add chrony to RDEPENDS Add chrony to RDEPENDS so that it is built for the board sysroot and can be included into a sysext. Signed-off-by: Jeremi Piotrowski --- .../coreos-devel/board-packages/board-packages-0.0.1.ebuild | 1 + 1 file changed, 1 insertion(+) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild index d2aa9fa7106..5e24ad96daf 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild @@ -34,5 +34,6 @@ RDEPEND=" coreos-base/coreos coreos-base/coreos-dev coreos-base/flatcar-eks + net-misc/chrony sys-fs/zfs " From 3c0283f74a6ebd0f7148db829532a76bdf951ae3 Mon Sep 17 00:00:00 2001 
From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 11:35:04 +0000 Subject: [PATCH 06/15] sys-apps/systemd: Add hook to ensure timesyncd starts after sysexts Sysexts can includes services that have a Conflicts=systemd-timesyncd entry. To ensure that this takes effect, start timesyncd after the ensure-sysext.service. Signed-off-by: Jeremi Piotrowski --- .../coreos/config/env/sys-apps/systemd | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
new file mode 100644
index 00000000000..3806da9f578
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd
@@ -0,0 +1,13 @@
+cros_post_src_install_timesync() {
+ local dir="${D}$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
+ mkdir -p "${dir}"
+ pushd "${dir}"
+ cat <flatcar.conf || die
+# Allow sysexts to ship timesyncd replacements which can have
+# a Conflicts=systemd-timesyncd directive that would result
+# in systemd-timesyncd not being started.
+[Unit]
+After=ensure-sysext.service
+EOF
+ popd
+}
From 9d065d1cf5807abf0c5e1fbb36700c3aa6a5a070 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 13:18:13 +0000 Subject: [PATCH 07/15] coreos-base/oem-azure: Add chrony to sysext Along with configuration, tmpfiles setup and service dependencies. The files are added through normal ebuild mechanisms. The config file is based on what Ubuntu ships on Azure.
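Review bot: In cros_post_src_install_timesync the `mkdir -p "${dir}"`, `pushd "${dir}"` and `popd` calls carry no `|| die`, so a failure to create or enter the drop-in directory is ignored and the heredoc is then written relative to whatever the current directory happens to be. The directory change is not needed at all: write the file by its full path, `mkdir -p "${dir}" || die` followed by `cat <<EOF >"${dir}/flatcar.conf" || die`, and drop the pushd/popd pair. The rendered line `cat <flatcar.conf || die` looks like the heredoc operator was lost in extraction (an `EOF` terminator follows), so this should be checked against the committed file rather than the rendering.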
Signed-off-by: Jeremi Piotrowski --- .../coreos-base/oem-azure/files/chrony.conf | 65 +++++++++++++++++++ .../oem-azure/files/etc-chrony.conf | 3 + .../coreos-base/oem-azure/files/manglefs.sh | 4 +- .../oem-azure/files/var-chrony.conf | 1 + .../oem-azure/oem-azure-2.9.1.1-r1.ebuild | 13 ++++ 5 files changed, 84 insertions(+), 2 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/etc-chrony.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/var-chrony.conf diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony.conf new file mode 100644 index 00000000000..b5714071aff --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony.conf 
@@ -0,0 +1,65 @@
+# CLOUD_IMG: This file was created/modified by the Cloud Image build process
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+# This will use (up to):
+# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well
+# - 1 source from [013].ubuntu.pool.ntp.org each (ipv4 only atm)
+# This means by default, up to 2 dual-stack and up to 3 additional IPv4-only
+# sources will be used.
+# At the same time it retains some protection against one of the entries being
+# down (compare to just using one of the lines).
+#
+# See http://www.pool.ntp.org/join.html for more information.
+#pool 0.flatcar.pool.ntp.org iburst maxsources 1
+#pool 1.flatcar.pool.ntp.org iburst maxsources 1
+#pool 2.flatcar.pool.ntp.org iburst maxsources 2
+#pool 3.flatcar.pool.ntp.org iburst maxsources 1
+
+# Use time sources from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+#keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+#logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1.0 -1
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC
+
+# Azure hosts are synchronized to internal Microsoft time servers
+# that take their time from Microsoft-owned Stratum 1 devices.
+# The Hyper-V drivers surface this time source as a PTP-based
+# time source in the guest. This configures chrony to use it.
+refclock PHC /dev/ptp_hyperv poll 3 dpoll -2 offset 0 stratum 2
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/etc-chrony.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/etc-chrony.conf new file mode 100644
index 00000000000..95e91665358
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/etc-chrony.conf
@@ -0,0 +1,3 @@
+d /etc/chrony 0755 root root - -
+d /etc/chrony/conf.d 0755 root root - -
+L /etc/chrony/chrony.conf - - - - ../../usr/share/oem-azure/chrony.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/manglefs.sh b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/manglefs.sh
index 03518b71693..29331dde04b 100755
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/manglefs.sh
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/manglefs.sh
@@ -18,5 +18,5 @@ ln -sf /usr/bin/true "${rootfs}/usr/bin/eject"
 # At runtime we need the agent to write systemd.service to /etc but during
 # package creation it needs to be /usr/lib. waagent uses the same function in
 # both cases, so mangle manually.
-mkdir -p "${rootfs}"/usr/lib/systemd
-mv "${rootfs}"/{etc,usr/lib}/systemd/system
+mkdir -p "${rootfs}"/usr/lib/systemd/system
+cp -a "${rootfs}"/{etc,usr/lib}/systemd/system/.
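Review bot: `makestep 1.0 -1` contradicts the comment directly above it, which says stepping happens "only in the first three clock updates"; a limit of `-1` removes the limit, so chronyd may step the clock at any point during the life of the system, which affects anything that assumes a monotonic wall clock (log ordering, certificate validity windows, timers). Either the directive should be `makestep 1.0 3` to match the comment, or the comment should be rewritten to say that unlimited stepping is intentional on Azure and why. The surrounding commentary is also stale for this file: the `# This will use (up to):` block still describes `2.ubuntu.pool.ntp.org` and `[013].ubuntu.pool.ntp.org` while the commented-out `pool` lines reference `flatcar.pool.ntp.org`, and the `CLOUD_IMG` header refers to a build process this file is not produced by. With every `pool` line commented out, the PHC refclock is the only statically configured source (the two `sourcedir` entries may add more at runtime), which is worth stating in the `refclock` comment.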
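Review bot: The `L /etc/chrony/chrony.conf` entry uses `L` rather than `L+`, so an existing user-written `/etc/chrony/chrony.conf` is left in place and the sysext default is only linked in when nothing is there; that is the right precedence, but it is not obvious from the file, and a comment such as `# L (not L+): an existing user-provided chrony.conf takes precedence` would spare the next reader a trip to tmpfiles.d(5). The relative target `../../usr/share/oem-azure/chrony.conf` resolves from `/etc/chrony/` to `/usr/share/oem-azure/chrony.conf`, i.e. the `insinto /usr/share/${PN}` path in the ebuild; naming that coupling in a comment helps since the two files are edited independently.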
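Review bot: Switching `mv` to `cp -a … /systemd/system/.` means `${rootfs}/etc/systemd/system` is no longer removed after its contents are merged into `/usr/lib/systemd/system`, so the tree now carries two copies of the agent's units while the comment above still describes a move. If the `/etc` copy is not wanted, follow the copy with `rm -rf -- "${rootfs:?}"/etc/systemd/system` (the `:?` form refuses to run with an empty `rootfs`); if it is deliberately kept, say so in the comment. The merge also silently lets a unit in the `/etc` tree overwrite a same-named unit already present under `/usr/lib/systemd/system`, which the old `mv` could not do (it would have nested the directory instead) — presumably the target directory is now pre-populated by the ebuild before manglefs.sh runs, and that is the reason for the change, so it deserves a line in the comment. The enclosing script continues outside the hunk.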
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/var-chrony.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/var-chrony.conf new file mode 100644
index 00000000000..09fd5a1a8e8
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/var-chrony.conf
@@ -0,0 +1 @@
+d /var/lib/chrony 0770 ntp ntp - -
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild
index 2deb8188405..8bb270c30dc 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild
@@ -3,6 +3,8 @@ EAPI=8
+inherit systemd tmpfiles
+
 DESCRIPTION="OEM suite for Azure"
 HOMEPAGE="https://azure.microsoft.com/"
 SRC_URI=""
@@ -14,7 +16,18 @@ IUSE=""
 RDEPEND="
 ~app-emulation/wa-linux-agent-${PV}
+ net-misc/chrony
 "
 # for coreos-base/common-oem-files
 OEM_NAME="Microsoft Azure"
+
+S="${WORKDIR}"
+
+src_install() {
+ systemd_enable_service multi-user.target chronyd.service
+ dotmpfiles "${FILESDIR}"/var-chrony.conf
+ dotmpfiles "${FILESDIR}"/etc-chrony.conf
+ insinto /usr/share/${PN}
+ doins "${FILESDIR}"/chrony.conf
+}
From f1188f4be62912a135b6cbe5601c54d6226f0d0f Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 16:56:12 +0000 Subject: [PATCH 08/15] coreos-base/oem-azure: Add dropin to add chrony dependency on /dev/ptp_hyperv Inspired by https://github.com/microsoft/azurelinux/pull/6234, requires a udev rule to be shipped with the OS, since udev rules in sysexts don't quite work.
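Review bot: `d /var/lib/chrony 0770 ntp ntp - -` depends on the `ntp` user and group existing on the running host, which a sysext cannot guarantee by itself (the entry is processed by systemd-tmpfiles on the target system, not at build time); if `ntp` is missing the entry fails and the `driftfile`/`ntsdumpdir` paths from chrony.conf are never created. The assumption should be written down in the file, e.g. `# ntp:ntp must exist on the base OS (presumably provided with net-misc/ntp); this sysext does not create it`. The restrictive 0770 mode is appropriate here, since `ntsdumpdir` stores NTS keys and cookies, assuming chronyd runs as `ntp` as the ownership implies.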
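Review bot: `dotmpfiles "${FILESDIR}"/var-chrony.conf` and `dotmpfiles "${FILESDIR}"/etc-chrony.conf` install the snippets under their bare names, so they land in `/usr/lib/tmpfiles.d/` as `var-chrony.conf` and `etc-chrony.conf` — names that say nothing about the owning package and that another package or sysext could shadow with a same-named file; `newtmpfiles "${FILESDIR}"/var-chrony.conf oem-azure-chrony-var.conf` (and likewise for the etc file) keeps them attributable. `insinto /usr/share/${PN}` is the one unquoted expansion in src_install; `insinto /usr/share/"${PN}"` matches the rest of the function. A comment above `systemd_enable_service multi-user.target chronyd.service` noting that chronyd is meant to replace systemd-timesyncd (presumably via a Conflicts= in chronyd.service, which the sys-apps/systemd timesyncd drop-in earlier in this series exists to honour) would make the dependency between the two patches visible from the ebuild.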
Signed-off-by: Jeremi Piotrowski
--- .../coreos-base/oem-azure/files/chrony-hyperv.conf | 4 ++++ .../coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild | 2 ++ 2 files changed, 6 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony-hyperv.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony-hyperv.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony-hyperv.conf new file mode 100644
index 00000000000..9e2fd604a58
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony-hyperv.conf
@@ -0,0 +1,4 @@
+# This should only be used when chronyd is configured to use the /dev/ptp_hyperv device
+[Unit]
+Wants=dev-ptp_hyperv.device
+After=dev-ptp_hyperv.device
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild
index 8bb270c30dc..de93bdad652 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild
@@ -26,6 +26,8 @@ S="${WORKDIR}"
 src_install() {
 systemd_enable_service multi-user.target chronyd.service
+ insinto "$(systemd_get_systemunitdir)"/chronyd.service.d
+ doins "${FILESDIR}"/chrony-hyperv.conf
 dotmpfiles "${FILESDIR}"/var-chrony.conf
 dotmpfiles "${FILESDIR}"/etc-chrony.conf
 insinto /usr/share/${PN}
From 81ca1495114eb0f5900a5b69325c6bb495caaee8 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 26 Mar 2024 15:04:49 +0100 Subject: [PATCH 09/15] coreos-base/oem-azure: Bump ebuild revision
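Review bot: `Wants=dev-ptp_hyperv.device` together with `After=dev-ptp_hyperv.device` makes every chronyd start wait on the device unit, and on a VM where the Hyper-V PTP clock never shows up the start is, as far as I can tell, delayed until the device job times out rather than failing (Wants= is not Requires=), after which chronyd runs with `refclock PHC /dev/ptp_hyperv` pointing at a missing device. That degraded mode deserves a sentence in the header comment, since the drop-in is installed unconditionally even though its first line says it is only meant for the PHC configuration. The device unit also only exists if udev tags the PTP device for systemd (the coreos-init rule the commit message mentions), so a line such as `# dev-ptp_hyperv.device is provided by the udev rule shipped in coreos-init; without it this ordering only delays chronyd until the device job times out` records the cross-package dependency.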
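Review bot: The two added lines hand-roll what `systemd_install_dropin chronyd.service "${FILESDIR}"/chrony-hyperv.conf` does in one call, and that helper is what the oem-gce ebuild later in this series already uses for its multi-user.target drop-in, so using it here keeps the OEM ebuilds consistent. As written the installed drop-in keeps its source name `chrony-hyperv.conf`, whereas systemd drop-ins are conventionally given a numeric prefix (e.g. `10-hyperv.conf`) so that ordering against other drop-ins in the same `.d` directory is explicit. src_install continues outside the hunk.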
Signed-off-by: Jeremi Piotrowski --- .../{oem-azure-2.9.1.1-r1.ebuild => oem-azure-2.9.1.1-r2.ebuild} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/{oem-azure-2.9.1.1-r1.ebuild => oem-azure-2.9.1.1-r2.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r2.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r2.ebuild From d99606f1e99b5434158b7654230b5a33f8d9822e Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 16:57:55 +0000 Subject: [PATCH 10/15] coreos-base/coreos-init: Bump commit for /dev/ptp_hyperv systemd unit rule Signed-off-by: Jeremi Piotrowski --- ...eos-init-0.0.1-r190.ebuild => coreos-init-0.0.1-r191.ebuild} | 0 .../coreos-base/coreos-init/coreos-init-9999.ebuild | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/{coreos-init-0.0.1-r190.ebuild => coreos-init-0.0.1-r191.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r190.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r191.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r190.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-0.0.1-r191.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild
index f7550920990..bfd0d498295 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild
@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
- CROS_WORKON_COMMIT="7e30bf5baa1abc5113024f2238d9c235aedaf62e" # flatcar-master
+ CROS_WORKON_COMMIT="32982439c691b6de6446f82b8713edb09451d97b" # flatcar-master
 KEYWORDS="amd64 arm arm64 x86"
 fi
From e35e22ea27afa5e1565a8f5a6c96748a660ea8c0 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 16:59:53 +0000 Subject: [PATCH 11/15] coreos-base/misc-files: Add AWS/GPC time sync service to default ntp.conf The goal is to enable ntpd by default on AWS/GCP with using the cloud provided ntp endpoint. Enabling ntpd.service is the easy part. Enabling the correct ntp server is trickier. I would love to ship an OEM specific ntp.conf, but this might interfere with user modifications to either ntpd.service or ntp.conf. The safest way to implement this is to add the AWS/GCP time sync address (which are link-local address) to the default ntp.conf. This will work on AWS/GCP where ntpd will be enabled by default, and if a user on another platform enables ntpd they will simply have a non-responsive source in their server list - which is not a problem for ntpd. Signed-off-by: Jeremi Piotrowski
--- .../coreos-base/misc-files/files/ntp/ntp.conf | 8 ++++++++ .../{misc-files-0-r4.ebuild => misc-files-0-r5.ebuild} | 0 2 files changed, 8 insertions(+) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/{misc-files-0-r4.ebuild => misc-files-0-r5.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf
index 9ed4dc176f3..cc9a441b7be 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf
@@ -10,6 +10,14 @@ # Common pool for random people
 #server pool.ntp.org
+# AWS Time Sync Service.
+server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
+# AWS Time Sync Service IPv6:
+server fd00:ec2::123 prefer iburst minpoll 4 maxpoll 4
+
+# GCP NTP Service
+server metadata.google.internal prefer iburst
+
 # Pools for Flatcar users
 server 0.flatcar.pool.ntp.org
 server 1.flatcar.pool.ntp.org
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r5.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r5.ebuild
From cfc6d00a8a872796959f16b328c8862c8302adee Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Mon, 25 Mar 2024 17:03:29 +0000 Subject: [PATCH 12/15] coreos-base/oem-ami: Enable ntpd by default Signed-off-by: Jeremi Piotrowski
--- .../{oem-ami-3.2.985.0.ebuild => oem-ami-3.2.985.0-r1.ebuild} | 1 + 1 file changed, 1 insertion(+) rename sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ami/{oem-ami-3.2.985.0.ebuild => oem-ami-3.2.985.0-r1.ebuild} (91%)
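Review bot: All three new `server` lines carry `prefer`, which is harmless where the address is unreachable (the commit message's case) but changes the trust model everywhere else: this ntp.conf is shared by every platform, and on a non-AWS network any host on the local link that answers on the link-local `169.254.169.123` or `fd00:ec2::123` becomes the preferred, unauthenticated time source for a machine that has enabled ntpd. If the goal is only that the cloud source wins on AWS/GCP, consider dropping `prefer` and letting ntpd's normal selection pick the lowest-stratum responder; if `prefer` stays, the comment should warn operators, e.g. `# Only meaningful on AWS/GCP; unauthenticated, so remove these entries on other networks.` The `minpoll 4 maxpoll 4` pair on the AWS lines also deserves a word, since it pins polling to every 16 s while the other servers use the defaults. The `prefer` on `metadata.google.internal` additionally relies on that name resolving only on GCP, which is an assumption worth stating next to it.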
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ami/oem-ami-3.2.985.0.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ami/oem-ami-3.2.985.0-r1.ebuild similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ami/oem-ami-3.2.985.0.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ami/oem-ami-3.2.985.0-r1.ebuild
index 35df1ad8d56..ef95036c9ff 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ami/oem-ami-3.2.985.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ami/oem-ami-3.2.985.0-r1.ebuild
@@ -30,4 +30,5 @@ src_install() {
 insinto "$(systemd_get_systemunitdir)/multi-user.target.d"
 doins "${FILESDIR}/10-oem-ami.conf"
+ systemd_enable_service multi-user.target ntpd.service
 }
From feb6a36a14cd35f5c564359086a3489d898978d6 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 26 Mar 2024 15:02:59 +0100 Subject: [PATCH 13/15] coreos-base/oem-gce: Enable ntpd by default Signed-off-by: Jeremi Piotrowski
--- .../{oem-gce-20180823-r6.ebuild => oem-gce-20180823-r7.ebuild} | 1 + 1 file changed, 1 insertion(+) rename sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/{oem-gce-20180823-r6.ebuild => oem-gce-20180823-r7.ebuild} (94%)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r6.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r6.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
index ca82fb0b21c..5baa71325b6 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
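Review bot: `systemd_enable_service multi-user.target ntpd.service` relies on ntpd.service taking over from systemd-timesyncd, which the sys-apps/systemd hook earlier in this series implies is started by default on the base image; that only works if ntpd.service declares `Conflicts=systemd-timesyncd.service` and timesyncd is ordered after the sysext merge, neither of which is visible from this ebuild. A comment above the line, e.g. `# replaces systemd-timesyncd: depends on ntpd.service's Conflicts= and on timesyncd being ordered After=ensure-sysext.service`, documents the dependency. The same applies to the oem-gce hunk that follows, which also quotes its arguments (`"multi-user.target" "ntpd.service"`) while this one does not — pick one style for both.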
@@ -30,6 +30,7 @@ src_install() {
 systemd_dounit "${FILESDIR}/units/oem-gce-enable-oslogin.service"
 systemd_dounit "${FILESDIR}/units/setup-oem.service"
 systemd_install_dropin "multi-user.target" "${FILESDIR}/units/10-oem-gce.conf"
+ systemd_enable_service "multi-user.target" "ntpd.service"
 dobin "${FILESDIR}/bin/enable-oslogin"
 dobin "${FILESDIR}/bin/init.sh"
From db12d276c73c05c38da534db157da638dae5d8f5 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Thu, 28 Mar 2024 12:08:38 +0100 Subject: [PATCH 14/15] .github: Add chrony to package sync list Signed-off-by: Jeremi Piotrowski
--- .github/workflows/portage-stable-packages-list | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index c2725ec2e17..691ce97415f 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -424,6 +424,7 @@ net-libs/nghttp2
 net-libs/rpcsvc-proto
 net-misc/bridge-utils
+net-misc/chrony
 net-misc/curl
 net-misc/ethertypes
 net-misc/iperf
From d93f0807b06a238755695e027055610534cb8d83 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Thu, 28 Mar 2024 12:13:48 +0100 Subject: [PATCH 15/15] changelog: Add entry for PTP/NTP changes Signed-off-by: Jeremi Piotrowski
--- changelog/changes/2024-03-28-ntp-chrony.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog/changes/2024-03-28-ntp-chrony.md
diff --git a/changelog/changes/2024-03-28-ntp-chrony.md b/changelog/changes/2024-03-28-ntp-chrony.md new file mode 100644
index 00000000000..dd6c68e1d0f
--- /dev/null
+++ b/changelog/changes/2024-03-28-ntp-chrony.md
@@ -0,0 +1,3 @@
+- Enabled ntpd by default on AWS & GCP, enabled chronyd by default on Azure. The native time sync source is used on each cloud. ([scripts#1792](https://github.com/flatcar/scripts/pull/1792))
+- Enabled the ptp_vmw module in the kernel.
+- Switched ptp_kvm from kernel builtin to module.