Merge ~paelzer/ubuntu/+source/chrony:merge-disco-3.4 into ubuntu/+source/chrony:debian/sid
Status: | Merged
---|---
Merge reported by: | Christian Ehrhardt
Merged at revision: | 7985b12f4b9631af536d163775cfcf54585f46ac
Proposed branch: | ~paelzer/ubuntu/+source/chrony:merge-disco-3.4
Merge into: | ubuntu/+source/chrony:debian/sid
Diff against target: | 516 lines (+374/-5), 11 files modified: debian/README.container (+60/-0), debian/changelog (+193/-0), debian/chrony.conf (+18/-1), debian/chrony.default (+4/-0), debian/chrony.service (+2/-2), debian/chronyd-starter.sh (+70/-0), debian/control (+4/-1), debian/docs (+1/-0), debian/install (+1/-0), debian/links (+5/-0), debian/postrm (+16/-1)
Related bugs: |

Reviewer | Review Type | Date Requested | Status
---|---|---|---
Andreas Hasenack | | | Approve
Canonical Server | | | Pending
git-ubuntu developers | | | Pending

Review via email: mp+358631@code.launchpad.net
Commit message
Description of the change
Christian Ehrhardt (paelzer) wrote:
Christian Ehrhardt (paelzer) wrote:
Pushed merge tags for review
* [new tag] lp1802886/
* [new tag] lp1802886/
* [new tag] lp1802886/
* [new tag] lp1802886/
* [new tag] lp1802886/
* [new tag] lp1802886/
Christian Ehrhardt (paelzer) wrote:
Tests on the Bileto ticket fail for Disco not being fully available yet :-/
I'd appreciate a review still as it looks rather normal this time (no huge changes).
Christian Ehrhardt (paelzer) wrote:
The pidfile is actually configured - I missed that.
I need to rework it a bit.
Christian Ehrhardt (paelzer) wrote:
Ok, fortunately I just needed to drop two commits to clean that up
Andreas Hasenack (ahasenack) wrote:
Bileto should work with disco shortly:
<ahasenack> looks like all we need is one package in that ppa built for disco
<xnox> ahasenack, that is fixable.
<xnox> ahasenack, not built =) _copied_
* xnox does that
You might want to upload a ~ppa2 or something to trigger a new run.
Andreas Hasenack (ahasenack) wrote:
Some changelog entries under "remaining changes" have incorrect indentation, namely:
- debian/
- debian/control: add new dependency libcap2-bin for capsh (usually
installed anyway, but make them explicit to be sure).
- debian/
(Default off).
- debian/
and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in
containers on a default installation and avoid failing to sync time (or
if allowed to sync, avoid multiple containers to fight over it by
accident).
- debian/install: make chronyd-starter.sh available on install.
- debian/docs, debian/
handling of this case.
and
- d/links: link dispatcher script to networkd-dispatcher events routable
and off
- d/control: set Recommends to networkd-dispatcher
- d/p/lp-
Andreas Hasenack (ahasenack) wrote:
commit 9a45945013355c5
Author: Christian Ehrhardt <email address hidden>
Date: Thu Mar 15 09:31:48 2018 +0100
- debian/
That also touched debian/
Andreas Hasenack (ahasenack) wrote:
In my comment about the indentation of d/changelog, the second "hunk" that starts with "- d/links:...", is correct as it is, indented below "Notify chrony ...". My mistake.
Andreas Hasenack (ahasenack) wrote:
And I just realized that everything in the first "hunk" of that comment is also related to the parent line, so indentation is also correct. Sorry.
Andreas Hasenack (ahasenack) wrote:
Sorry about the confusing review.
I guess my only comment is about that d/chronyd-
commit bb17fdf9967601d
Author: Christian Ehrhardt <email address hidden>
Date: Thu Mar 15 09:31:48 2018 +0100
- debian/
Signed-off-by: Christian Ehrhardt <email address hidden>
No big deal, though.
Logical, drops, and added change are good. delta carried forward as expected. Would be cool to see a new dep8 run after bileto was fixed today to work with disco (hopefully).
Christian Ehrhardt (paelzer) wrote:
The indents are meant that way.
It is not meant to be misread as you did only to then realize it is right.
That means my CL is bad, so I replaced the - with a + to make clear that it is intentionally an extra level.
Thanks for the catch
Updated the commit message on 9a4594 (changelog was ok)
I'll use the fixed thing for a new bileto upload.
If it works fine, otherwise I might go on still.
Christian Ehrhardt (paelzer) wrote:
Tests are good now: https:/
So we are complete, I'll upload
Preview Diff
1 | diff --git a/debian/README.container b/debian/README.container | |||
2 | 0 | new file mode 100644 | 0 | new file mode 100644 |
3 | index 0000000..16f2618 | |||
4 | --- /dev/null | |||
5 | +++ b/debian/README.container | |||
6 | @@ -0,0 +1,60 @@ | |||
7 | 1 | Chrony in Containers | ||
8 | 2 | -------------------- | ||
9 | 3 | |||
10 | 4 | Currently in in 99.9+% of the cases syncing the local clock in a container | ||
11 | 5 | is wrong. Most of the time it will be unable to do so, because it is lacking | ||
12 | 6 | CAP_SYS_TIME. Or worse, if the CAP_SYS_TIME privilege is granted, multiple | ||
13 | 7 | containers could fight over the system's time, because the Linux kernel does | ||
14 | 8 | not provide time namespaces (yet). | ||
15 | 9 | |||
16 | 10 | There are two things a user installing chrony usually wants: | ||
17 | 11 | 1. synchronize my time (NTP client) | ||
18 | 12 | 2. serve NTP (NTP server) | ||
19 | 13 | |||
20 | 14 | In a container the first makes (usually) no sense, so by default we enable -x | ||
21 | 15 | there (as it would only crash otherwise). | ||
22 | 16 | This will disable the control of the system clock. | ||
23 | 17 | See `man chronyd` for more details on the -x option. | ||
24 | 18 | |||
25 | 19 | Formerly, the check for Condition=CAP_SYS_TIME in the systemd service avoided | ||
26 | 20 | the crash of the NTP client portion, but that means the server use case will | ||
27 | 21 | not work by default in containers. It is still not recommended to use a | ||
28 | 22 | container as an NTP server, but if the host clock is synchronised via NTP, | ||
29 | 23 | adding the -x option to chronyd instances running in containers will allow | ||
30 | 24 | them to function as NTP servers which do not adjust the system clock. | ||
31 | 25 | The Condition=CAP_SYS_TIME check was a silent, no-log-entry stealing away | ||
32 | 26 | leaving users often unclear what happened - especially if they were more after | ||
33 | 27 | the NTP server than the NTP client. | ||
34 | 28 | |||
35 | 29 | One could argue that someone who installs chrony expects the system time to be | ||
36 | 30 | synchronised, so it should fail if it is not able to do so. On the other hand | ||
37 | 31 | it could be argued that someone who installs chrony expects time to be served | ||
38 | 32 | over the network via NTP. | ||
39 | 33 | We can't know which expectation is applicable, so we assume that time should | ||
40 | 34 | be synchronised unless chronyd is running in a container (or is without | ||
41 | 35 | CAP_SYS_TIME in any other environment). | ||
42 | 36 | |||
43 | 37 | To make things worse recent container implementations will offer CAP_SYS_TIME | ||
44 | 38 | to the container. Since from the container's point of view, this capability is | ||
45 | 39 | available for the container's user namespace. Just later on adjtimex and similar | ||
46 | 40 | are actually evaluated against the host kernel where they will fail. Due to | ||
47 | 41 | that without further precaution running chrony in Ubuntu in the future will | ||
48 | 42 | likely have the service start (as Condition=CAP_SYS_TIME will be true) but | ||
49 | 43 | then immediately fail. | ||
50 | 44 | This will depend on the environment e.g. versions and types of containers and | ||
51 | 45 | thereby feel just 'unreliable' from users point of view. | ||
52 | 46 | Furthermore it will affect upgrades as the service has to be restarted for a | ||
53 | 47 | package upgrade to be considered complete. | ||
54 | 48 | |||
55 | 49 | Due to all of that Ubuntu decided (LP: #1589780) to default to -x (do not | ||
56 | 50 | set the system clock) in containers. | ||
57 | 51 | |||
58 | 52 | If one really wants to (try to) sync time in a container or CAP_SYS_TIME-less | ||
59 | 53 | environment set SYNC_IN_CONTAINER="yes" in /etc/default/chrony to disable | ||
60 | 54 | this special handling. | ||
61 | 55 | |||
62 | 56 | It is important to mention that as soon as upstream provides a way to provide | ||
63 | 57 | a default config working in those cases Ubuntu intends to use that and drop | ||
64 | 58 | the current workaround. | ||
65 | 59 | |||
66 | 60 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 12:25:44 +0100 | ||
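Review bot: The README names the unit directive Condition=CAP_SYS_TIME at lines 19, 25 and 42, while the line removed from debian/chrony.service is ConditionCapability=CAP_SYS_TIME. Use the real directive name so an admin searching the unit file or systemd.unit(5) finds it. Line 4 also has a doubled word ("Currently in in 99.9+% of the cases"), and the sentence at lines 25-27 ("was a silent, no-log-entry stealing away leaving users often unclear what happened") would read better as a plain statement that the unit was skipped without any log entry.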
67 | diff --git a/debian/changelog b/debian/changelog | |||
68 | index 513307a..2ea28a0 100644 | |||
69 | --- a/debian/changelog | |||
70 | +++ b/debian/changelog | |||
71 | @@ -1,3 +1,45 @@ | |||
72 | 1 | chrony (3.4-1ubuntu1) disco; urgency=medium | ||
73 | 2 | |||
74 | 3 | * Merge with Debian unstable (LP: #1802886). Remaining changes: | ||
75 | 4 | - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664) | ||
76 | 5 | - Set -x as default if unable to set time (e.g. in containers) (LP: 1589780) | ||
77 | 6 | Chrony is a single service which acts as both NTP client (i.e. syncing the | ||
78 | 7 | local clock) and NTP server (i.e. providing NTP services to the network), | ||
79 | 8 | and that is both desired and expected in the vast majority of cases. | ||
80 | 9 | But in containers syncing the local clock is usually impossible, but this | ||
81 | 10 | shall not break the providing of NTP services to the network. | ||
82 | 11 | To some extent this makes chrony's default config more similar to 'ntpd', | ||
83 | 12 | which complained in syslog but still provided NTP server service in those | ||
84 | 13 | cases. | ||
85 | 14 | - debian/chrony.service: allow the service to run without CAP_SYS_TIME | ||
86 | 15 | - debian/control: add new dependency libcap2-bin for capsh (usually | ||
87 | 16 | installed anyway, but make them explicit to be sure). | ||
88 | 17 | - debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back | ||
89 | 18 | (Default off). | ||
90 | 19 | - debian/chronyd-starter.sh: wrapper to handle special cases in containers | ||
91 | 20 | and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in | ||
92 | 21 | containers on a default installation and avoid failing to sync time (or | ||
93 | 22 | if allowed to sync, avoid multiple containers to fight over it by | ||
94 | 23 | accident). | ||
95 | 24 | - debian/install: make chronyd-starter.sh available on install. | ||
96 | 25 | - debian/docs, debian/README.container: provide documentation about the | ||
97 | 26 | handling of this case. | ||
98 | 27 | - d/postrm: re-establish systemd-timesyncd on removal (LP: 1764357) | ||
99 | 28 | - Notify chrony to update sources in response to systemd-networkd | ||
100 | 29 | events (LP: 1718227) | ||
101 | 30 | - d/links: link dispatcher script to networkd-dispatcher events routable | ||
102 | 31 | and off | ||
103 | 32 | - d/control: set Recommends to networkd-dispatcher | ||
104 | 33 | * Dropped Changes (upstream): | ||
105 | 34 | - d/p/lp-1718227-nm-dispatcher-for-networkd.patch | ||
106 | 35 | - d/p/lp-1787366-fall-back-to-urandom.patch: avoid hangs when starting | ||
107 | 36 | the service on newer kernels by falling back to urandom. (LP: 1787366) | ||
108 | 37 | * Added Changes: | ||
109 | 38 | - d/postrm: respect policy-rc.d when restoring systemd-timesyncd | ||
110 | 39 | (LP: #1771994) | ||
111 | 40 | |||
112 | 41 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 12 Nov 2018 11:39:08 +0100 | ||
113 | 42 | |||
114 | 1 | chrony (3.4-1) unstable; urgency=medium | 43 | chrony (3.4-1) unstable; urgency=medium |
115 | 2 | 44 | ||
116 | 3 | * Import upstream version 3.4: | 45 | * Import upstream version 3.4: |
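Review bot: The carried-forward bug references in the new 3.4-1ubuntu1 entry are spelled two ways, "(LP 1744664)" at line 4 and "(LP: 1589780)" at lines 5, 27, 29 and 36. Both omit the "#", which keeps them from closing the bugs again, but pick one spelling so the entry stays easy to grep and to carry into the next merge. Only "(LP: #1802886)" and "(LP: #1771994)" should keep the closing form.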
117 | @@ -74,6 +116,66 @@ chrony (3.3-3) unstable; urgency=medium | |||
118 | 74 | 116 | ||
119 | 75 | -- Vincent Blut <vincent.debian@free.fr> Sat, 18 Aug 2018 16:23:19 +0200 | 117 | -- Vincent Blut <vincent.debian@free.fr> Sat, 18 Aug 2018 16:23:19 +0200 |
120 | 76 | 118 | ||
121 | 119 | chrony (3.3-2ubuntu2) cosmic; urgency=medium | ||
122 | 120 | |||
123 | 121 | * - d/p/lp-1787366-fall-back-to-urandom.patch: avoid hangs when starting | ||
124 | 122 | the service on newer kernels by falling back to urandom. | ||
125 | 123 | (LP: #1787366, Closes: #906276) | ||
126 | 124 | |||
127 | 125 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 16 Aug 2018 11:48:38 +0200 | ||
128 | 126 | |||
129 | 127 | chrony (3.3-2ubuntu1) cosmic; urgency=medium | ||
130 | 128 | |||
131 | 129 | * Merge with Debian unstable (LP: #1771061). Remaining changes: | ||
132 | 130 | - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664) | ||
133 | 131 | - Set -x as default if unable to set time (e.g. in containers) (LP: 1589780) | ||
134 | 132 | Chrony is a single service which acts as both NTP client (i.e. syncing the | ||
135 | 133 | local clock) and NTP server (i.e. providing NTP services to the network), | ||
136 | 134 | and that is both desired and expected in the vast majority of cases. | ||
137 | 135 | But in containers syncing the local clock is usually impossible, but this | ||
138 | 136 | shall not break the providing of NTP services to the network. | ||
139 | 137 | To some extent this makes chrony's default config more similar to 'ntpd', | ||
140 | 138 | which complained in syslog but still provided NTP server service in those | ||
141 | 139 | cases. | ||
142 | 140 | - debian/chrony.service: allow the service to run without CAP_SYS_TIME | ||
143 | 141 | - debian/control: add new dependency libcap2-bin for capsh (usually | ||
144 | 142 | installed anyway, but make them explicit to be sure). | ||
145 | 143 | - debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back | ||
146 | 144 | (Default off). | ||
147 | 145 | - debian/chronyd-starter.sh: wrapper to handle special cases in containers | ||
148 | 146 | and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in | ||
149 | 147 | containers on a default installation and avoid failing to sync time (or | ||
150 | 148 | if allowed to sync, avoid multiple containers to fight over it by | ||
151 | 149 | accident). | ||
152 | 150 | - debian/install: make chronyd-starter.sh available on install. | ||
153 | 151 | - debian/docs, debian/README.container: provide documentation about the | ||
154 | 152 | handling of this case. | ||
155 | 153 | - d/postrm: re-establish systemd-timesyncd on removal (LP: 1764357) | ||
156 | 154 | - Notify chrony to update sources in response to systemd-networkd | ||
157 | 155 | events (LP: 1718227) | ||
158 | 156 | - d/links: link dispatcher script to networkd-dispatcher events routable | ||
159 | 157 | and off | ||
160 | 158 | - d/control: set Recommends to networkd-dispatcher | ||
161 | 159 | - d/p/lp-1718227-nm-dispatcher-for-networkd.patch | ||
162 | 160 | * Dropped changes | ||
163 | 161 | - debian/usr.sbin.chronyd: ensure RTC/GPS usage isn't blocked by apparmor | ||
164 | 162 | (LP: 1751241) (in Debian now) | ||
165 | 163 | - debian/usr.sbin.chronyd: add cap net_admin for hwtimestamp (LP: 1761327) | ||
166 | 164 | (in Debian now) | ||
167 | 165 | - d/p/lp1589780-sys_linux-don-t-keep-CAP_SYS_TIME-with-x-option.patch: | ||
168 | 166 | When dropping the root privileges, don't try to keep the CAP_SYS_TIME | ||
169 | 167 | capability if the -x option was enabled. This allows chronyd to be | ||
170 | 168 | started without the capability (e.g. in containers) and also drop the | ||
171 | 169 | root privileges (This is upstream now). | ||
172 | 170 | - d/p/lp-1718227-ignore-non-up-down-events-in-nm-dispatcher.patch (This is | ||
173 | 171 | upstream now). | ||
174 | 172 | - d/control: switch to nss instead of tomcrypt (Debian switched to nettle | ||
175 | 173 | which is in main, so we can drop this) | ||
176 | 174 | * Added changes | ||
177 | 175 | - debian/README.container: fix typos | ||
178 | 176 | |||
179 | 177 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 14 May 2018 09:06:01 +0200 | ||
180 | 178 | |||
181 | 77 | chrony (3.3-2) unstable; urgency=medium | 179 | chrony (3.3-2) unstable; urgency=medium |
182 | 78 | 180 | ||
183 | 79 | * debian/chrony.service: | 181 | * debian/chrony.service: |
184 | @@ -129,6 +231,76 @@ chrony (3.2-5) unstable; urgency=medium | |||
185 | 129 | 231 | ||
186 | 130 | -- Vincent Blut <vincent.debian@free.fr> Wed, 28 Feb 2018 17:31:08 +0100 | 232 | -- Vincent Blut <vincent.debian@free.fr> Wed, 28 Feb 2018 17:31:08 +0100 |
187 | 131 | 233 | ||
188 | 234 | chrony (3.2-4ubuntu4) bionic; urgency=medium | ||
189 | 235 | |||
190 | 236 | * d/postrm: re-establish systemd-timesyncd on removal (LP: #1764357) | ||
191 | 237 | * Notify chrony to update sources in response to systemd-networkd | ||
192 | 238 | events (LP: #1718227) | ||
193 | 239 | - d/links: link dispatcher script to networkd-dispatcher events routable | ||
194 | 240 | and off | ||
195 | 241 | - d/control: set Recommends to networkd-dispatcher | ||
196 | 242 | - d/p/lp-1718227-ignore-non-up-down-events-in-nm-dispatcher.patch | ||
197 | 243 | - d/p/lp-1718227-nm-dispatcher-for-networkd.patch | ||
198 | 244 | |||
199 | 245 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 16 Apr 2018 17:04:06 +0200 | ||
200 | 246 | |||
201 | 247 | chrony (3.2-4ubuntu3) bionic; urgency=medium | ||
202 | 248 | |||
203 | 249 | * debian/usr.sbin.chronyd: add cap net_admin for hwtimestamp (LP: #1761327) | ||
204 | 250 | |||
205 | 251 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 05 Apr 2018 09:38:10 +0200 | ||
206 | 252 | |||
207 | 253 | chrony (3.2-4ubuntu2) bionic; urgency=medium | ||
208 | 254 | |||
209 | 255 | * Set -x as default if unable to set time (e.g. in containers) (LP: #1589780) | ||
210 | 256 | Chrony is a single service which acts as both NTP client (i.e. syncing the | ||
211 | 257 | local clock) and NTP server (i.e. providing NTP services to the network), | ||
212 | 258 | and that is both desired and expected in the vast majority of cases. | ||
213 | 259 | But in containers syncing the local clock is usually impossible, but this | ||
214 | 260 | shall not break the providing of NTP services to the network. | ||
215 | 261 | To some extent this makes chrony's default config more similar to 'ntpd', | ||
216 | 262 | which complained in syslog but still provided NTP server service in those | ||
217 | 263 | cases. | ||
218 | 264 | - d/p/lp1589780-sys_linux-don-t-keep-CAP_SYS_TIME-with-x-option.patch: | ||
219 | 265 | When dropping the root privileges, don't try to keep the CAP_SYS_TIME | ||
220 | 266 | capability if the -x option was enabled. This allows chronyd to be | ||
221 | 267 | started without the capability (e.g. in containers) and also drop the | ||
222 | 268 | root privileges. | ||
223 | 269 | - debian/chrony.service: allow the service to run without CAP_SYS_TIME | ||
224 | 270 | - debian/control: add new dependency libcap2-bin for capsh (usually | ||
225 | 271 | installed anyway, but make them explicit to be sure). | ||
226 | 272 | - debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back | ||
227 | 273 | (Default off). | ||
228 | 274 | - debian/chronyd-starter.sh: wrapper to handle special cases in containers | ||
229 | 275 | and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in | ||
230 | 276 | containers on a default installation and avoid failing to sync time (or | ||
231 | 277 | if allowed to sync, avoid multiple containers to fight over it by | ||
232 | 278 | accident). | ||
233 | 279 | - debian/install: make chronyd-starter.sh available on install. | ||
234 | 280 | - debian/docs, debian/README.container: provide documentation about the | ||
235 | 281 | handling of this case. | ||
236 | 282 | * debian/chrony.conf: update default chrony.conf to not violate the policy | ||
237 | 283 | of pool.ntp.org (to use no more than four of their servers) and to provide | ||
238 | 284 | more ipv6 capable sources by default (LP: #1754358) | ||
239 | 285 | |||
240 | 286 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 12:25:44 +0100 | ||
241 | 287 | |||
242 | 288 | chrony (3.2-4ubuntu1) bionic; urgency=medium | ||
243 | 289 | |||
244 | 290 | * Merge with Debian unstable. Remaining changes: | ||
245 | 291 | - d/control: switch to nss instead of tomcrypt (nss is in main) | ||
246 | 292 | - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664) | ||
247 | 293 | * Dropped changes (in Debian) | ||
248 | 294 | - d/chrony.default, d/chrony.service: support /etc/default/chrony | ||
249 | 295 | DAEMON_OPTS in systemd environment (LP: 1746081) | ||
250 | 296 | - d/chrony.service: properly start after networking (LP: 1746458) | ||
251 | 297 | - d/usr.sbin.chronyd: allow to create /run/chrony on demand (LP: 1746444) | ||
252 | 298 | * Added Changes: | ||
253 | 299 | - debian/usr.sbin.chronyd: ensure RTC/GPS usage isn't blocked by apparmor | ||
254 | 300 | (LP: #1751241, Closes: #891201) | ||
255 | 301 | |||
256 | 302 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 26 Feb 2018 14:44:54 +0100 | ||
257 | 303 | |||
258 | 132 | chrony (3.2-4) unstable; urgency=medium | 304 | chrony (3.2-4) unstable; urgency=medium |
259 | 133 | 305 | ||
260 | 134 | * debian/changelog: | 306 | * debian/changelog: |
261 | @@ -195,6 +367,27 @@ chrony (3.2-3) unstable; urgency=medium | |||
262 | 195 | 367 | ||
263 | 196 | -- Vincent Blut <vincent.debian@free.fr> Wed, 07 Feb 2018 21:27:09 +0100 | 368 | -- Vincent Blut <vincent.debian@free.fr> Wed, 07 Feb 2018 21:27:09 +0100 |
264 | 197 | 369 | ||
265 | 370 | chrony (3.2-2ubuntu3) bionic; urgency=medium | ||
266 | 371 | |||
267 | 372 | * Revert the changes of (LP 1746458) as in the follow on discussion | ||
268 | 373 | it became clear that we want it to start early (for example for an | ||
269 | 374 | early offset from drift file). iIf needed chrony will later on pick | ||
270 | 375 | up that servers are online via retries (augmented by hooks on network | ||
271 | 376 | events). | ||
272 | 377 | |||
273 | 378 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 08 Feb 2018 10:52:30 +0100 | ||
274 | 379 | |||
275 | 380 | chrony (3.2-2ubuntu2) bionic; urgency=medium | ||
276 | 381 | |||
277 | 382 | * d/control: use to nss instead of tomcrypt (in main) (LP: #1744072) | ||
278 | 383 | * d/chrony.conf: use ubuntu ntp pool and server (LP: #1744664) | ||
279 | 384 | * d/chrony.default, d/chrony.service: support /etc/default/chrony | ||
280 | 385 | DAEMON_OPTS in systemd environment (LP: #1746081) | ||
281 | 386 | * d/chrony.service: properly start after networking (LP: #1746458) | ||
282 | 387 | * d/usr.sbin.chronyd: allow to create /run/chrony on demand (LP: #1746444) | ||
283 | 388 | |||
284 | 389 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 19 Jan 2018 09:45:38 +0100 | ||
285 | 390 | |||
286 | 198 | chrony (3.2-2) unstable; urgency=medium | 391 | chrony (3.2-2) unstable; urgency=medium |
287 | 199 | 392 | ||
288 | 200 | * Initial AppArmor profile for chronyd. Thanks to Jamie | 393 | * Initial AppArmor profile for chronyd. Thanks to Jamie |
289 | diff --git a/debian/chrony.conf b/debian/chrony.conf | |||
290 | index 6c19767..d5a0b37 100644 | |||
291 | --- a/debian/chrony.conf | |||
292 | +++ b/debian/chrony.conf | |||
293 | @@ -1,6 +1,23 @@ | |||
294 | 1 | # Welcome to the chrony configuration file. See chrony.conf(5) for more | 1 | # Welcome to the chrony configuration file. See chrony.conf(5) for more |
295 | 2 | # information about usuable directives. | 2 | # information about usuable directives. |
297 | 3 | pool 2.debian.pool.ntp.org iburst | 3 | |
298 | 4 | # This will use (up to): | ||
299 | 5 | # - 4 sources from ntp.ubuntu.com which some are ipv6 enabled | ||
300 | 6 | # - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well | ||
301 | 7 | # - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm) | ||
302 | 8 | # This means by default, up to 6 dual-stack and up to 2 additional IPv4-only | ||
303 | 9 | # sources will be used. | ||
304 | 10 | # At the same time it retains some protection against one of the entries being | ||
305 | 11 | # down (compare to just using one of the lines). See (LP: #1754358) for the | ||
306 | 12 | # discussion. | ||
307 | 13 | # | ||
308 | 14 | # About using servers from the NTP Pool Project in general see (LP: #104525). | ||
309 | 15 | # Approved by Ubuntu Technical Board on 2011-02-08. | ||
310 | 16 | # See http://www.pool.ntp.org/join.html for more information. | ||
311 | 17 | pool ntp.ubuntu.com iburst maxsources 4 | ||
312 | 18 | pool 0.ubuntu.pool.ntp.org iburst maxsources 1 | ||
313 | 19 | pool 1.ubuntu.pool.ntp.org iburst maxsources 1 | ||
314 | 20 | pool 2.ubuntu.pool.ntp.org iburst maxsources 2 | ||
315 | 4 | 21 | ||
316 | 5 | # This directive specify the location of the file containing ID/key pairs for | 22 | # This directive specify the location of the file containing ID/key pairs for |
317 | 6 | # NTP authentication. | 23 | # NTP authentication. |
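Review bot: The new comment block at lines 4-16 hard-codes facts that will age ("ipv4 only atm", "which some are ipv6 enabled") next to directives that will outlive them. Keep the source counts, which match the four pool lines (4 + 2 dual-stack capable, 1 + 1 IPv4-only), and leave the current IPv6 status of the pools to the LP: #1754358 reference. It would also help to say in the comment that half of the up to 8 sources come from one operator, ntp.ubuntu.com, since that weighting is a deliberate choice a local admin may want to change.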
318 | diff --git a/debian/chrony.default b/debian/chrony.default | |||
319 | index ae79e8a..b523f60 100644 | |||
320 | --- a/debian/chrony.default | |||
321 | +++ b/debian/chrony.default | |||
322 | @@ -4,3 +4,7 @@ | |||
323 | 4 | 4 | ||
324 | 5 | # Options to pass to chrony. | 5 | # Options to pass to chrony. |
325 | 6 | DAEMON_OPTS="" | 6 | DAEMON_OPTS="" |
326 | 7 | |||
327 | 8 | # Sync systecm clock in containers or without CAP_SYS_TIME (likely to fail) | ||
328 | 9 | # See /usr/share/doc/chrony/README.container for details. | ||
329 | 10 | SYNC_IN_CONTAINER="no" | ||
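Review bot: Typo in the comment at line 8: "Sync systecm clock" should be "Sync system clock". Since chronyd-starter.sh compares the value against the exact string "yes", the comment should also state that "yes" is the only value that disables the -x fallback, so that values such as "true" or "1" are not assumed to work.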
330 | diff --git a/debian/chrony.service b/debian/chrony.service | |||
331 | index 3e4451a..bb01a79 100644 | |||
332 | --- a/debian/chrony.service | |||
333 | +++ b/debian/chrony.service | |||
334 | @@ -3,13 +3,13 @@ Description=chrony, an NTP client/server | |||
335 | 3 | Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5) | 3 | Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5) |
336 | 4 | Conflicts=systemd-timesyncd.service openntpd.service ntp.service ntpsec.service | 4 | Conflicts=systemd-timesyncd.service openntpd.service ntp.service ntpsec.service |
337 | 5 | After=network.target | 5 | After=network.target |
338 | 6 | ConditionCapability=CAP_SYS_TIME | ||
339 | 7 | 6 | ||
340 | 8 | [Service] | 7 | [Service] |
341 | 9 | Type=forking | 8 | Type=forking |
342 | 10 | PIDFile=/run/chronyd.pid | 9 | PIDFile=/run/chronyd.pid |
343 | 11 | EnvironmentFile=-/etc/default/chrony | 10 | EnvironmentFile=-/etc/default/chrony |
345 | 12 | ExecStart=/usr/sbin/chronyd $DAEMON_OPTS | 11 | # Starter takes care of special cases mostly for containers |
346 | 12 | ExecStart=/usr/lib/systemd/scripts/chronyd-starter.sh $DAEMON_OPTS | ||
347 | 13 | ExecStartPost=-/usr/lib/chrony/chrony-helper update-daemon | 13 | ExecStartPost=-/usr/lib/chrony/chrony-helper update-daemon |
348 | 14 | PrivateTmp=yes | 14 | PrivateTmp=yes |
349 | 15 | ProtectHome=yes | 15 | ProtectHome=yes |
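Review bot: ConditionCapability=CAP_SYS_TIME is dropped at old line 6 with nothing in the unit saying that the capability check now lives in chronyd-starter.sh. Extend the comment above ExecStart to say so and to point at /usr/share/doc/chrony/README.container, so that someone comparing this unit with Debian's does not re-add the condition. Type=forking and PIDFile=/run/chronyd.pid are kept, so the unit relies on the wrapper exiting only once chronyd has daemonized, which holds for the script as posted because it runs chronyd as its last command.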
350 | diff --git a/debian/chronyd-starter.sh b/debian/chronyd-starter.sh | |||
351 | 16 | new file mode 100755 | 16 | new file mode 100755 |
352 | index 0000000..c175db5 | |||
353 | --- /dev/null | |||
354 | +++ b/debian/chronyd-starter.sh | |||
355 | @@ -0,0 +1,70 @@ | |||
356 | 1 | #!/bin/sh | ||
357 | 2 | set -ue | ||
358 | 3 | |||
359 | 4 | CONF="/etc/default/chrony" | ||
360 | 5 | DOC="/usr/share/doc/chrony/README.container" | ||
361 | 6 | CAP="cap_sys_time" | ||
362 | 7 | CMD="/usr/sbin/chronyd" | ||
363 | 8 | # Take any args passed, use none if nothing was specified | ||
364 | 9 | EFFECTIVE_DAEMON_OPTS=${@:-""} | ||
365 | 10 | |||
366 | 11 | if [ -f "${CONF}" ]; then | ||
367 | 12 | . "${CONF}" | ||
368 | 13 | else | ||
369 | 14 | echo "<4>Warning: ${CONF} is missing" | ||
370 | 15 | fi | ||
371 | 16 | # take from conffile if available, default to no otherwise | ||
372 | 17 | EFFECTIVE_SYNC_IN_CONTAINER=${SYNC_IN_CONTAINER:-"no"} | ||
373 | 18 | |||
374 | 19 | if [ ! -x "${CMD}" ]; then | ||
375 | 20 | echo "<3>Error: ${CMD} not executable" | ||
376 | 21 | # ugly, but works around https://github.com/systemd/systemd/issues/2913 | ||
377 | 22 | sleep 0.1 | ||
378 | 23 | exit 1 | ||
379 | 24 | fi | ||
380 | 25 | |||
381 | 26 | # Check if -x is already set manually, don't process further if that is the case | ||
382 | 27 | X_SET=0 | ||
383 | 28 | while getopts ":x" opt; do | ||
384 | 29 | case $opt in | ||
385 | 30 | x) | ||
386 | 31 | X_SET=1 | ||
387 | 32 | ;; | ||
388 | 33 | esac | ||
389 | 34 | done | ||
390 | 35 | |||
391 | 36 | if [ ${X_SET} -ne 1 ]; then | ||
392 | 37 | # Assume it is not in a container | ||
393 | 38 | IS_CONTAINER=0 | ||
394 | 39 | if [ -x /usr/bin/systemd-detect-virt ]; then | ||
395 | 40 | if /usr/bin/systemd-detect-virt --quiet --container; then | ||
396 | 41 | IS_CONTAINER=1 | ||
397 | 42 | fi | ||
398 | 43 | fi | ||
399 | 44 | |||
400 | 45 | |||
401 | 46 | # Assume it has the cap | ||
402 | 47 | HAS_CAP=1 | ||
403 | 48 | CAPSH="/sbin/capsh" | ||
404 | 49 | if [ -x "${CAPSH}" ]; then | ||
405 | 50 | ${CAPSH} --print | grep -q "^Current.*${CAP}" || HAS_CAP=0 | ||
406 | 51 | fi | ||
407 | 52 | |||
408 | 53 | if [ ${HAS_CAP} -eq 0 ]; then | ||
409 | 54 | echo "<4>Warning: Missing ${CAP}, syncing the system clock will fail" | ||
410 | 55 | fi | ||
411 | 56 | if [ ${IS_CONTAINER} -eq 1 ]; then | ||
412 | 57 | echo "<4>Warning: Running in a container, likely impossible and unintended to sync system clock" | ||
413 | 58 | fi | ||
414 | 59 | |||
415 | 60 | if [ ${HAS_CAP} -eq 0 -o ${IS_CONTAINER} -eq 1 ]; then | ||
416 | 61 | if [ "${EFFECTIVE_SYNC_IN_CONTAINER}" != "yes" ]; then | ||
417 | 62 | echo "<5>Adding -x as fallback disabling control of the system clock, see ${DOC} to override this behavior" | ||
418 | 63 | EFFECTIVE_DAEMON_OPTS="${EFFECTIVE_DAEMON_OPTS} -x" | ||
419 | 64 | else | ||
420 | 65 | echo "<5>Not falling back to disable control of the system clock, see ${DOC} to change this behavior" | ||
421 | 66 | fi | ||
422 | 67 | fi | ||
423 | 68 | fi | ||
424 | 69 | |||
425 | 70 | ${CMD} ${EFFECTIVE_DAEMON_OPTS} | ||
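Review bot: The -x detection at lines 27-34 stops at the first non-option word, so getopts ":x" never sees a -x that follows an option taking an argument (for example DAEMON_OPTS="-f /some/file -x"); X_SET stays 0 and the fallback at line 63 may append a second -x. Either scan all arguments for -x in a for loop, or give getopts chronyd's full option string so that option-arguments are consumed. Two smaller points: lines 9 and 70 flatten the arguments into one string and re-split it unquoted, so an argument containing whitespace or a glob character is altered on its way to chronyd, and lines 47-51 treat a missing /sbin/capsh as "capability present" even though libcap2-bin is now a hard dependency, so that path deserves at least a warning.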
426 | diff --git a/debian/control b/debian/control | |||
427 | index a35df2d..c740cc9 100644 | |||
428 | --- a/debian/control | |||
429 | +++ b/debian/control | |||
430 | @@ -1,7 +1,8 @@ | |||
431 | 1 | Source: chrony | 1 | Source: chrony |
432 | 2 | Section: net | 2 | Section: net |
433 | 3 | Priority: optional | 3 | Priority: optional |
435 | 4 | Maintainer: Vincent Blut <vincent.debian@free.fr> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
436 | 5 | XSBC-Original-Maintainer: Vincent Blut <vincent.debian@free.fr> | ||
437 | 5 | Uploaders: Joachim Wiedorn <joodebian@joonet.de> | 6 | Uploaders: Joachim Wiedorn <joodebian@joonet.de> |
438 | 6 | Standards-Version: 4.2.1 | 7 | Standards-Version: 4.2.1 |
439 | 7 | Build-Depends: asciidoctor (>= 1.5.3-1~), | 8 | Build-Depends: asciidoctor (>= 1.5.3-1~), |
440 | @@ -24,9 +25,11 @@ Architecture: linux-any | |||
441 | 24 | Depends: adduser, | 25 | Depends: adduser, |
442 | 25 | iproute2 [linux-any], | 26 | iproute2 [linux-any], |
443 | 26 | lsb-base, | 27 | lsb-base, |
444 | 28 | libcap2-bin, | ||
445 | 27 | ucf, | 29 | ucf, |
446 | 28 | ${misc:Depends}, | 30 | ${misc:Depends}, |
447 | 29 | ${shlibs:Depends} | 31 | ${shlibs:Depends} |
448 | 32 | Recommends: networkd-dispatcher (>= 1.7-0ubuntu3) | ||
449 | 30 | Suggests: dnsutils | 33 | Suggests: dnsutils |
450 | 31 | Conflicts: ntp, | 34 | Conflicts: ntp, |
451 | 32 | time-daemon | 35 | time-daemon |
452 | diff --git a/debian/docs b/debian/docs | |||
453 | index e12f653..3bfc9dc 100644 | |||
454 | --- a/debian/docs | |||
455 | +++ b/debian/docs | |||
456 | @@ -1,3 +1,4 @@ | |||
457 | 1 | FAQ | 1 | FAQ |
458 | 2 | NEWS | 2 | NEWS |
459 | 3 | README | 3 | README |
460 | 4 | debian/README.container | ||
461 | diff --git a/debian/install b/debian/install | |||
462 | index db2e305..abaa2f3 100644 | |||
463 | --- a/debian/install | |||
464 | +++ b/debian/install | |||
465 | @@ -2,3 +2,4 @@ debian/chrony-dnssrv@.* lib/systemd/system | |||
466 | 2 | debian/chrony-helper usr/lib/chrony | 2 | debian/chrony-helper usr/lib/chrony |
467 | 3 | debian/chrony.conf usr/share/chrony | 3 | debian/chrony.conf usr/share/chrony |
468 | 4 | debian/usr.sbin.chronyd etc/apparmor.d | 4 | debian/usr.sbin.chronyd etc/apparmor.d |
469 | 5 | debian/chronyd-starter.sh usr/lib/systemd/scripts/ | ||
470 | diff --git a/debian/links b/debian/links | |||
471 | 5 | new file mode 100644 | 6 | new file mode 100644 |
472 | index 0000000..71e2c52 | |||
473 | --- /dev/null | |||
474 | +++ b/debian/links | |||
475 | @@ -0,0 +1,5 @@ | |||
476 | 1 | # Update sources in response to systemd-networkd events (LP: #1718227). | ||
477 | 2 | # This is reusing the NetworkManager dispatch script which has no hard | ||
478 | 3 | # dependency to NetworkManager (not using any of its arguments) | ||
479 | 4 | etc/NetworkManager/dispatcher.d/20-chrony usr/lib/networkd-dispatcher/routable.d/chrony | ||
480 | 5 | etc/NetworkManager/dispatcher.d/20-chrony usr/lib/networkd-dispatcher/off.d/chrony | ||
481 | diff --git a/debian/postrm b/debian/postrm | |||
482 | index ed3bac1..a5fd9ba 100644 | |||
483 | --- a/debian/postrm | |||
484 | +++ b/debian/postrm | |||
485 | @@ -7,6 +7,15 @@ set -e | |||
486 | 7 | 7 | ||
487 | 8 | # targets: purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear | 8 | # targets: purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear |
488 | 9 | 9 | ||
489 | 10 | restore_timesyncd() { | ||
490 | 11 | # on next reboot it would start, but that would leave time | ||
491 | 12 | # unsynchronized until then. So as the Conflicts in the service file kill | ||
492 | 13 | # systemd-timesyncd re-establish it if it is enabled | ||
493 | 14 | if [ "$(systemctl is-enabled systemd-timesyncd 2>/dev/null)" = "enabled" ] ; then | ||
494 | 15 | deb-systemd-invoke start systemd-timesyncd | ||
495 | 16 | fi | ||
496 | 17 | } | ||
497 | 18 | |||
498 | 10 | case "$1" in | 19 | case "$1" in |
499 | 11 | purge) | 20 | purge) |
500 | 12 | rm -f /var/lib/chrony/* | 21 | rm -f /var/lib/chrony/* |
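Review bot: In restore_timesyncd (lines 10-17) the deb-systemd-invoke start call runs under the script's set -e, so a failed start of systemd-timesyncd can make removal or purge of chrony fail. Append "|| true", as the deluser call further down already does, so that restoring the other time service stays best effort. The comment at lines 11-13 is also hard to parse; something like "the Conflicts= in chrony.service stopped systemd-timesyncd, so start it again now if it is enabled instead of waiting for the next reboot" says the same thing more clearly.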
501 | @@ -30,9 +39,15 @@ case "$1" in | |||
502 | 30 | then | 39 | then |
503 | 31 | deluser --quiet --system _chrony > /dev/null 2>&1 || true | 40 | deluser --quiet --system _chrony > /dev/null 2>&1 || true |
504 | 32 | fi | 41 | fi |
505 | 42 | |||
506 | 43 | restore_timesyncd | ||
507 | 44 | ;; | ||
508 | 45 | |||
509 | 46 | remove) | ||
510 | 47 | restore_timesyncd | ||
511 | 33 | ;; | 48 | ;; |
512 | 34 | 49 | ||
514 | 35 | remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) | 50 | upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) |
515 | 36 | 51 | ||
516 | 37 | ;; | 52 | ;; |
517 | 38 | 53 |
Related PPA and ticket at:
- https://bileto.ubuntu.com/#/ticket/3512
- https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3512