Merge ~paelzer/ubuntu/+source/chrony:merge-disco-3.4 into ubuntu/+source/chrony:debian/sid
Status: | Merged
---|---
Merge reported by: | Christian Ehrhardt
Merged at revision: | 7985b12f4b9631af536d163775cfcf54585f46ac
Proposed branch: | ~paelzer/ubuntu/+source/chrony:merge-disco-3.4
Merge into: | ubuntu/+source/chrony:debian/sid
Diff against target: | 516 lines (+374/-5), 11 files modified: debian/README.container (+60/-0), debian/changelog (+193/-0), debian/chrony.conf (+18/-1), debian/chrony.default (+4/-0), debian/chrony.service (+2/-2), debian/chronyd-starter.sh (+70/-0), debian/control (+4/-1), debian/docs (+1/-0), debian/install (+1/-0), debian/links (+5/-0), debian/postrm (+16/-1)

Reviewer | Review Type | Date Requested | Status
---|---|---|---
Andreas Hasenack | Approve | |
Canonical Server | Pending | |
git-ubuntu developers | Pending | |

Review via email: mp+358631@code.launchpad.net
Christian Ehrhardt (paelzer) wrote:
Pushed merge tags for review
* [new tag] lp1802886/
* [new tag] lp1802886/
* [new tag] lp1802886/
* [new tag] lp1802886/
* [new tag] lp1802886/
* [new tag] lp1802886/
Christian Ehrhardt (paelzer) wrote:
Tests on the Bileto ticket fail for Disco not being fully available yet :-/
I'd appreciate a review still as it looks rather normal this time (no huge changes).
Christian Ehrhardt (paelzer) wrote:
The pidfile is actually configured - I missed that.
I need to rework it a bit.
Christian Ehrhardt (paelzer) wrote:
Ok, fortunately I just needed to drop two commits to clean that up
Andreas Hasenack (ahasenack) wrote:
Bileto should work with disco shortly:
<ahasenack> looks like all we need is one package in that ppa built for disco
<xnox> ahasenack, that is fixable.
<xnox> ahasenack, not built =) _copied_
* xnox does that
You might want to upload a ~ppa2 or something to trigger a new run.
Andreas Hasenack (ahasenack) wrote:
Some changelog entries under "remaining changes" have incorrect indentation, namely:
- debian/
- debian/control: add new dependency libcap2-bin for capsh (usually
installed anyway, but make them explicit to be sure).
- debian/
(Default off).
- debian/
and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in
containers on a default installation and avoid failing to sync time (or
if allowed to sync, avoid multiple containers to fight over it by
accident).
- debian/install: make chronyd-starter.sh available on install.
- debian/docs, debian/
handling of this case.
and
- d/links: link dispatcher script to networkd-dispatcher events routable
and off
- d/control: set Recommends to networkd-dispatcher
- d/p/lp-
Andreas Hasenack (ahasenack) wrote:
commit 9a45945013355c5
Author: Christian Ehrhardt <email address hidden>
Date: Thu Mar 15 09:31:48 2018 +0100
- debian/
That also touched debian/
Andreas Hasenack (ahasenack) wrote:
In my comment about the indentation of d/changelog, the second "hunk" that starts with "- d/links:...", is correct as it is, indented below "Notify chrony ...". My mistake.
Andreas Hasenack (ahasenack) wrote:
And I just realized that everything in the first "hunk" of that comment is also related to the parent line, so indentation is also correct. Sorry.
Andreas Hasenack (ahasenack) wrote:
Sorry about the confusing review.
I guess my only comment is about that d/chronyd-
commit bb17fdf9967601d
Author: Christian Ehrhardt <email address hidden>
Date: Thu Mar 15 09:31:48 2018 +0100
- debian/
Signed-off-by: Christian Ehrhardt <email address hidden>
No big deal, though.
Logical, drops, and added change are good. Delta carried forward as expected. Would be cool to see a new dep8 run after bileto was fixed today to work with disco (hopefully).
Christian Ehrhardt (paelzer) wrote:
The indents are meant that way.
It is not meant to be misread as you did only to then realize it is right.
That means my CL is bad, so I replaced the - with a + to make clear that it is intentionally an extra level.
Thanks for the catch
Updated the commit message on 9a4594 (changelog was ok)
I'll use the fixed thing for a new bileto upload.
If it works fine, otherwise I might go on still.
Christian Ehrhardt (paelzer) wrote:
Tests are good now: https:/
So we are complete, I'll upload
Preview Diff
1 | diff --git a/debian/README.container b/debian/README.container |
2 | new file mode 100644 |
3 | index 0000000..16f2618 |
4 | --- /dev/null |
5 | +++ b/debian/README.container |
6 | @@ -0,0 +1,60 @@ |
7 | +Chrony in Containers |
8 | +-------------------- |
9 | + |
10 | +Currently in in 99.9+% of the cases syncing the local clock in a container |
11 | +is wrong. Most of the time it will be unable to do so, because it is lacking |
12 | +CAP_SYS_TIME. Or worse, if the CAP_SYS_TIME privilege is granted, multiple |
13 | +containers could fight over the system's time, because the Linux kernel does |
14 | +not provide time namespaces (yet). |
15 | + |
16 | +There are two things a user installing chrony usually wants: |
17 | +1. synchronize my time (NTP client) |
18 | +2. serve NTP (NTP server) |
19 | + |
20 | +In a container the first makes (usually) no sense, so by default we enable -x |
21 | +there (as it would only crash otherwise). |
22 | +This will disable the control of the system clock. |
23 | +See `man chronyd` for more details on the -x option. |
24 | + |
25 | +Formerly, the check for Condition=CAP_SYS_TIME in the systemd service avoided |
26 | +the crash of the NTP client portion, but that means the server use case will |
27 | +not work by default in containers. It is still not recommended to use a |
28 | +container as an NTP server, but if the host clock is synchronised via NTP, |
29 | +adding the -x option to chronyd instances running in containers will allow |
30 | +them to function as NTP servers which do not adjust the system clock. |
31 | +The Condition=CAP_SYS_TIME check was a silent, no-log-entry stealing away |
32 | +leaving users often unclear what happened - especially if they were more after |
33 | +the NTP server than the NTP client. |
34 | + |
35 | +One could argue that someone who installs chrony expects the system time to be |
36 | +synchronised, so it should fail if it is not able to do so. On the other hand |
37 | +it could be argued that someone who installs chrony expects time to be served |
38 | +over the network via NTP. |
39 | +We can't know which expectation is applicable, so we assume that time should |
40 | +be synchronised unless chronyd is running in a container (or is without |
41 | +CAP_SYS_TIME in any other environment). |
42 | + |
43 | +To make things worse recent container implementations will offer CAP_SYS_TIME |
44 | +to the container. Since from the container's point of view, this capability is |
45 | +available for the container's user namespace. Just later on adjtimex and similar |
46 | +are actually evaluated against the host kernel where they will fail. Due to |
47 | +that without further precaution running chrony in Ubuntu in the future will |
48 | +likely have the service start (as Condition=CAP_SYS_TIME will be true) but |
49 | +then immediately fail. |
50 | +This will depend on the environment e.g. versions and types of containers and |
51 | +thereby feel just 'unreliable' from users point of view. |
52 | +Furthermore it will affect upgrades as the service has to be restarted for a |
53 | +package upgrade to be considered complete. |
54 | + |
55 | +Due to all of that Ubuntu decided (LP: #1589780) to default to -x (do not |
56 | +set the system clock) in containers. |
57 | + |
58 | +If one really wants to (try to) sync time in a container or CAP_SYS_TIME-less |
59 | +environment set SYNC_IN_CONTAINER="yes" in /etc/default/chrony to disable |
60 | +this special handling. |
61 | + |
62 | +It is important to mention that as soon as upstream provides a way to provide |
63 | +a default config working in those cases Ubuntu intends to use that and drop |
64 | +the current workaround. |
65 | + |
66 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 12:25:44 +0100 |
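Review bot: The opening sentence of README.container has a doubled word ("Currently in in 99.9+% of the cases"); drop one "in". The file also documents only SYNC_IN_CONTAINER="yes" as an override and never mentions that chronyd-starter.sh skips its container and capability checks, and prints none of its warnings, when -x is already present in DAEMON_OPTS. One sentence next to the SYNC_IN_CONTAINER paragraph would cover that case.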
67 | diff --git a/debian/changelog b/debian/changelog |
68 | index 513307a..2ea28a0 100644 |
69 | --- a/debian/changelog |
70 | +++ b/debian/changelog |
71 | @@ -1,3 +1,45 @@ |
72 | +chrony (3.4-1ubuntu1) disco; urgency=medium |
73 | + |
74 | + * Merge with Debian unstable (LP: #1802886). Remaining changes: |
75 | + - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664) |
76 | + - Set -x as default if unable to set time (e.g. in containers) (LP: 1589780) |
77 | + Chrony is a single service which acts as both NTP client (i.e. syncing the |
78 | + local clock) and NTP server (i.e. providing NTP services to the network), |
79 | + and that is both desired and expected in the vast majority of cases. |
80 | + But in containers syncing the local clock is usually impossible, but this |
81 | + shall not break the providing of NTP services to the network. |
82 | + To some extent this makes chrony's default config more similar to 'ntpd', |
83 | + which complained in syslog but still provided NTP server service in those |
84 | + cases. |
85 | + - debian/chrony.service: allow the service to run without CAP_SYS_TIME |
86 | + - debian/control: add new dependency libcap2-bin for capsh (usually |
87 | + installed anyway, but make them explicit to be sure). |
88 | + - debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back |
89 | + (Default off). |
90 | + - debian/chronyd-starter.sh: wrapper to handle special cases in containers |
91 | + and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in |
92 | + containers on a default installation and avoid failing to sync time (or |
93 | + if allowed to sync, avoid multiple containers to fight over it by |
94 | + accident). |
95 | + - debian/install: make chronyd-starter.sh available on install. |
96 | + - debian/docs, debian/README.container: provide documentation about the |
97 | + handling of this case. |
98 | + - d/postrm: re-establish systemd-timesyncd on removal (LP: 1764357) |
99 | + - Notify chrony to update sources in response to systemd-networkd |
100 | + events (LP: 1718227) |
101 | + - d/links: link dispatcher script to networkd-dispatcher events routable |
102 | + and off |
103 | + - d/control: set Recommends to networkd-dispatcher |
104 | + * Dropped Changes (upstream): |
105 | + - d/p/lp-1718227-nm-dispatcher-for-networkd.patch |
106 | + - d/p/lp-1787366-fall-back-to-urandom.patch: avoid hangs when starting |
107 | + the service on newer kernels by falling back to urandom. (LP: 1787366) |
108 | + * Added Changes: |
109 | + - d/postrm: respect policy-rc.d when restoring systemd-timesyncd |
110 | + (LP: #1771994) |
111 | + |
112 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 12 Nov 2018 11:39:08 +0100 |
113 | + |
114 | chrony (3.4-1) unstable; urgency=medium |
115 | |
116 | * Import upstream version 3.4: |
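Review bot: In the 3.4-1ubuntu1 entry the items from "debian/chrony.service: allow the service to run without CAP_SYS_TIME" through "debian/docs, debian/README.container" belong to "Set -x as default ...", and the "d/links" and "d/control" items belong to "Notify chrony ...", yet all of them use the same "-" marker as their parent, so the nesting is carried by indentation alone. A different marker for the second level would make the remaining delta readable at a glance. The bug references in this entry also mix "LP 1744664" with "LP: 1589780"; a single form for references that are not meant to close a bug would be easier to scan.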
117 | @@ -74,6 +116,66 @@ chrony (3.3-3) unstable; urgency=medium |
118 | |
119 | -- Vincent Blut <vincent.debian@free.fr> Sat, 18 Aug 2018 16:23:19 +0200 |
120 | |
121 | +chrony (3.3-2ubuntu2) cosmic; urgency=medium |
122 | + |
123 | + * - d/p/lp-1787366-fall-back-to-urandom.patch: avoid hangs when starting |
124 | + the service on newer kernels by falling back to urandom. |
125 | + (LP: #1787366, Closes: #906276) |
126 | + |
127 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 16 Aug 2018 11:48:38 +0200 |
128 | + |
129 | +chrony (3.3-2ubuntu1) cosmic; urgency=medium |
130 | + |
131 | + * Merge with Debian unstable (LP: #1771061). Remaining changes: |
132 | + - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664) |
133 | + - Set -x as default if unable to set time (e.g. in containers) (LP: 1589780) |
134 | + Chrony is a single service which acts as both NTP client (i.e. syncing the |
135 | + local clock) and NTP server (i.e. providing NTP services to the network), |
136 | + and that is both desired and expected in the vast majority of cases. |
137 | + But in containers syncing the local clock is usually impossible, but this |
138 | + shall not break the providing of NTP services to the network. |
139 | + To some extent this makes chrony's default config more similar to 'ntpd', |
140 | + which complained in syslog but still provided NTP server service in those |
141 | + cases. |
142 | + - debian/chrony.service: allow the service to run without CAP_SYS_TIME |
143 | + - debian/control: add new dependency libcap2-bin for capsh (usually |
144 | + installed anyway, but make them explicit to be sure). |
145 | + - debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back |
146 | + (Default off). |
147 | + - debian/chronyd-starter.sh: wrapper to handle special cases in containers |
148 | + and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in |
149 | + containers on a default installation and avoid failing to sync time (or |
150 | + if allowed to sync, avoid multiple containers to fight over it by |
151 | + accident). |
152 | + - debian/install: make chronyd-starter.sh available on install. |
153 | + - debian/docs, debian/README.container: provide documentation about the |
154 | + handling of this case. |
155 | + - d/postrm: re-establish systemd-timesyncd on removal (LP: 1764357) |
156 | + - Notify chrony to update sources in response to systemd-networkd |
157 | + events (LP: 1718227) |
158 | + - d/links: link dispatcher script to networkd-dispatcher events routable |
159 | + and off |
160 | + - d/control: set Recommends to networkd-dispatcher |
161 | + - d/p/lp-1718227-nm-dispatcher-for-networkd.patch |
162 | + * Dropped changes |
163 | + - debian/usr.sbin.chronyd: ensure RTC/GPS usage isn't blocked by apparmor |
164 | + (LP: 1751241) (in Debian now) |
165 | + - debian/usr.sbin.chronyd: add cap net_admin for hwtimestamp (LP: 1761327) |
166 | + (in Debian now) |
167 | + - d/p/lp1589780-sys_linux-don-t-keep-CAP_SYS_TIME-with-x-option.patch: |
168 | + When dropping the root privileges, don't try to keep the CAP_SYS_TIME |
169 | + capability if the -x option was enabled. This allows chronyd to be |
170 | + started without the capability (e.g. in containers) and also drop the |
171 | + root privileges (This is upstream now). |
172 | + - d/p/lp-1718227-ignore-non-up-down-events-in-nm-dispatcher.patch (This is |
173 | + upstream now). |
174 | + - d/control: switch to nss instead of tomcrypt (Debian switched to nettle |
175 | + which is in main, so we can drop this) |
176 | + * Added changes |
177 | + - debian/README.container: fix typos |
178 | + |
179 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 14 May 2018 09:06:01 +0200 |
180 | + |
181 | chrony (3.3-2) unstable; urgency=medium |
182 | |
183 | * debian/chrony.service: |
184 | @@ -129,6 +231,76 @@ chrony (3.2-5) unstable; urgency=medium |
185 | |
186 | -- Vincent Blut <vincent.debian@free.fr> Wed, 28 Feb 2018 17:31:08 +0100 |
187 | |
188 | +chrony (3.2-4ubuntu4) bionic; urgency=medium |
189 | + |
190 | + * d/postrm: re-establish systemd-timesyncd on removal (LP: #1764357) |
191 | + * Notify chrony to update sources in response to systemd-networkd |
192 | + events (LP: #1718227) |
193 | + - d/links: link dispatcher script to networkd-dispatcher events routable |
194 | + and off |
195 | + - d/control: set Recommends to networkd-dispatcher |
196 | + - d/p/lp-1718227-ignore-non-up-down-events-in-nm-dispatcher.patch |
197 | + - d/p/lp-1718227-nm-dispatcher-for-networkd.patch |
198 | + |
199 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 16 Apr 2018 17:04:06 +0200 |
200 | + |
201 | +chrony (3.2-4ubuntu3) bionic; urgency=medium |
202 | + |
203 | + * debian/usr.sbin.chronyd: add cap net_admin for hwtimestamp (LP: #1761327) |
204 | + |
205 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 05 Apr 2018 09:38:10 +0200 |
206 | + |
207 | +chrony (3.2-4ubuntu2) bionic; urgency=medium |
208 | + |
209 | + * Set -x as default if unable to set time (e.g. in containers) (LP: #1589780) |
210 | + Chrony is a single service which acts as both NTP client (i.e. syncing the |
211 | + local clock) and NTP server (i.e. providing NTP services to the network), |
212 | + and that is both desired and expected in the vast majority of cases. |
213 | + But in containers syncing the local clock is usually impossible, but this |
214 | + shall not break the providing of NTP services to the network. |
215 | + To some extent this makes chrony's default config more similar to 'ntpd', |
216 | + which complained in syslog but still provided NTP server service in those |
217 | + cases. |
218 | + - d/p/lp1589780-sys_linux-don-t-keep-CAP_SYS_TIME-with-x-option.patch: |
219 | + When dropping the root privileges, don't try to keep the CAP_SYS_TIME |
220 | + capability if the -x option was enabled. This allows chronyd to be |
221 | + started without the capability (e.g. in containers) and also drop the |
222 | + root privileges. |
223 | + - debian/chrony.service: allow the service to run without CAP_SYS_TIME |
224 | + - debian/control: add new dependency libcap2-bin for capsh (usually |
225 | + installed anyway, but make them explicit to be sure). |
226 | + - debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back |
227 | + (Default off). |
228 | + - debian/chronyd-starter.sh: wrapper to handle special cases in containers |
229 | + and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in |
230 | + containers on a default installation and avoid failing to sync time (or |
231 | + if allowed to sync, avoid multiple containers to fight over it by |
232 | + accident). |
233 | + - debian/install: make chronyd-starter.sh available on install. |
234 | + - debian/docs, debian/README.container: provide documentation about the |
235 | + handling of this case. |
236 | + * debian/chrony.conf: update default chrony.conf to not violate the policy |
237 | + of pool.ntp.org (to use no more than four of their servers) and to provide |
238 | + more ipv6 capable sources by default (LP: #1754358) |
239 | + |
240 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 12:25:44 +0100 |
241 | + |
242 | +chrony (3.2-4ubuntu1) bionic; urgency=medium |
243 | + |
244 | + * Merge with Debian unstable. Remaining changes: |
245 | + - d/control: switch to nss instead of tomcrypt (nss is in main) |
246 | + - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664) |
247 | + * Dropped changes (in Debian) |
248 | + - d/chrony.default, d/chrony.service: support /etc/default/chrony |
249 | + DAEMON_OPTS in systemd environment (LP: 1746081) |
250 | + - d/chrony.service: properly start after networking (LP: 1746458) |
251 | + - d/usr.sbin.chronyd: allow to create /run/chrony on demand (LP: 1746444) |
252 | + * Added Changes: |
253 | + - debian/usr.sbin.chronyd: ensure RTC/GPS usage isn't blocked by apparmor |
254 | + (LP: #1751241, Closes: #891201) |
255 | + |
256 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 26 Feb 2018 14:44:54 +0100 |
257 | + |
258 | chrony (3.2-4) unstable; urgency=medium |
259 | |
260 | * debian/changelog: |
261 | @@ -195,6 +367,27 @@ chrony (3.2-3) unstable; urgency=medium |
262 | |
263 | -- Vincent Blut <vincent.debian@free.fr> Wed, 07 Feb 2018 21:27:09 +0100 |
264 | |
265 | +chrony (3.2-2ubuntu3) bionic; urgency=medium |
266 | + |
267 | + * Revert the changes of (LP 1746458) as in the follow on discussion |
268 | + it became clear that we want it to start early (for example for an |
269 | + early offset from drift file). iIf needed chrony will later on pick |
270 | + up that servers are online via retries (augmented by hooks on network |
271 | + events). |
272 | + |
273 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 08 Feb 2018 10:52:30 +0100 |
274 | + |
275 | +chrony (3.2-2ubuntu2) bionic; urgency=medium |
276 | + |
277 | + * d/control: use to nss instead of tomcrypt (in main) (LP: #1744072) |
278 | + * d/chrony.conf: use ubuntu ntp pool and server (LP: #1744664) |
279 | + * d/chrony.default, d/chrony.service: support /etc/default/chrony |
280 | + DAEMON_OPTS in systemd environment (LP: #1746081) |
281 | + * d/chrony.service: properly start after networking (LP: #1746458) |
282 | + * d/usr.sbin.chronyd: allow to create /run/chrony on demand (LP: #1746444) |
283 | + |
284 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 19 Jan 2018 09:45:38 +0100 |
285 | + |
286 | chrony (3.2-2) unstable; urgency=medium |
287 | |
288 | * Initial AppArmor profile for chronyd. Thanks to Jamie |
289 | diff --git a/debian/chrony.conf b/debian/chrony.conf |
290 | index 6c19767..d5a0b37 100644 |
291 | --- a/debian/chrony.conf |
292 | +++ b/debian/chrony.conf |
293 | @@ -1,6 +1,23 @@ |
294 | # Welcome to the chrony configuration file. See chrony.conf(5) for more |
295 | # information about usuable directives. |
296 | -pool 2.debian.pool.ntp.org iburst |
297 | + |
298 | +# This will use (up to): |
299 | +# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled |
300 | +# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well |
301 | +# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm) |
302 | +# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only |
303 | +# sources will be used. |
304 | +# At the same time it retains some protection against one of the entries being |
305 | +# down (compare to just using one of the lines). See (LP: #1754358) for the |
306 | +# discussion. |
307 | +# |
308 | +# About using servers from the NTP Pool Project in general see (LP: #104525). |
309 | +# Approved by Ubuntu Technical Board on 2011-02-08. |
310 | +# See http://www.pool.ntp.org/join.html for more information. |
311 | +pool ntp.ubuntu.com iburst maxsources 4 |
312 | +pool 0.ubuntu.pool.ntp.org iburst maxsources 1 |
313 | +pool 1.ubuntu.pool.ntp.org iburst maxsources 1 |
314 | +pool 2.ubuntu.pool.ntp.org iburst maxsources 2 |
315 | |
316 | # This directive specify the location of the file containing ID/key pairs for |
317 | # NTP authentication. |
318 | diff --git a/debian/chrony.default b/debian/chrony.default |
319 | index ae79e8a..b523f60 100644 |
320 | --- a/debian/chrony.default |
321 | +++ b/debian/chrony.default |
322 | @@ -4,3 +4,7 @@ |
323 | |
324 | # Options to pass to chrony. |
325 | DAEMON_OPTS="" |
326 | + |
327 | +# Sync systecm clock in containers or without CAP_SYS_TIME (likely to fail) |
328 | +# See /usr/share/doc/chrony/README.container for details. |
329 | +SYNC_IN_CONTAINER="no" |
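Review bot: The added comment has a typo, "systecm" for "system". It should also name the accepted values: chronyd-starter.sh compares against the exact string "yes" (`[ "${EFFECTIVE_SYNC_IN_CONTAINER}" != "yes" ]`), so "Yes", "true" or "1" still get the -x fallback.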
330 | diff --git a/debian/chrony.service b/debian/chrony.service |
331 | index 3e4451a..bb01a79 100644 |
332 | --- a/debian/chrony.service |
333 | +++ b/debian/chrony.service |
334 | @@ -3,13 +3,13 @@ Description=chrony, an NTP client/server |
335 | Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5) |
336 | Conflicts=systemd-timesyncd.service openntpd.service ntp.service ntpsec.service |
337 | After=network.target |
338 | -ConditionCapability=CAP_SYS_TIME |
339 | |
340 | [Service] |
341 | Type=forking |
342 | PIDFile=/run/chronyd.pid |
343 | EnvironmentFile=-/etc/default/chrony |
344 | -ExecStart=/usr/sbin/chronyd $DAEMON_OPTS |
345 | +# Starter takes care of special cases mostly for containers |
346 | +ExecStart=/usr/lib/systemd/scripts/chronyd-starter.sh $DAEMON_OPTS |
347 | ExecStartPost=-/usr/lib/chrony/chrony-helper update-daemon |
348 | PrivateTmp=yes |
349 | ProtectHome=yes |
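Review bot: With ConditionCapability=CAP_SYS_TIME removed and ExecStart pointing at the wrapper, the unit's Documentation= line still lists only the man pages. Adding file:/usr/share/doc/chrony/README.container there (the path chrony.default already refers to) would put the explanation of the -x fallback in front of anyone reading the unit. The one-line comment above ExecStart could also name the fallback instead of "special cases".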
350 | diff --git a/debian/chronyd-starter.sh b/debian/chronyd-starter.sh |
351 | new file mode 100755 |
352 | index 0000000..c175db5 |
353 | --- /dev/null |
354 | +++ b/debian/chronyd-starter.sh |
355 | @@ -0,0 +1,70 @@ |
356 | +#!/bin/sh |
357 | +set -ue |
358 | + |
359 | +CONF="/etc/default/chrony" |
360 | +DOC="/usr/share/doc/chrony/README.container" |
361 | +CAP="cap_sys_time" |
362 | +CMD="/usr/sbin/chronyd" |
363 | +# Take any args passed, use none if nothing was specified |
364 | +EFFECTIVE_DAEMON_OPTS=${@:-""} |
365 | + |
366 | +if [ -f "${CONF}" ]; then |
367 | + . "${CONF}" |
368 | +else |
369 | + echo "<4>Warning: ${CONF} is missing" |
370 | +fi |
371 | +# take from conffile if available, default to no otherwise |
372 | +EFFECTIVE_SYNC_IN_CONTAINER=${SYNC_IN_CONTAINER:-"no"} |
373 | + |
374 | +if [ ! -x "${CMD}" ]; then |
375 | + echo "<3>Error: ${CMD} not executable" |
376 | + # ugly, but works around https://github.com/systemd/systemd/issues/2913 |
377 | + sleep 0.1 |
378 | + exit 1 |
379 | +fi |
380 | + |
381 | +# Check if -x is already set manually, don't process further if that is the case |
382 | +X_SET=0 |
383 | +while getopts ":x" opt; do |
384 | + case $opt in |
385 | + x) |
386 | + X_SET=1 |
387 | + ;; |
388 | + esac |
389 | +done |
390 | + |
391 | +if [ ${X_SET} -ne 1 ]; then |
392 | + # Assume it is not in a container |
393 | + IS_CONTAINER=0 |
394 | + if [ -x /usr/bin/systemd-detect-virt ]; then |
395 | + if /usr/bin/systemd-detect-virt --quiet --container; then |
396 | + IS_CONTAINER=1 |
397 | + fi |
398 | + fi |
399 | + |
400 | + |
401 | + # Assume it has the cap |
402 | + HAS_CAP=1 |
403 | + CAPSH="/sbin/capsh" |
404 | + if [ -x "${CAPSH}" ]; then |
405 | + ${CAPSH} --print | grep -q "^Current.*${CAP}" || HAS_CAP=0 |
406 | + fi |
407 | + |
408 | + if [ ${HAS_CAP} -eq 0 ]; then |
409 | + echo "<4>Warning: Missing ${CAP}, syncing the system clock will fail" |
410 | + fi |
411 | + if [ ${IS_CONTAINER} -eq 1 ]; then |
412 | + echo "<4>Warning: Running in a container, likely impossible and unintended to sync system clock" |
413 | + fi |
414 | + |
415 | + if [ ${HAS_CAP} -eq 0 -o ${IS_CONTAINER} -eq 1 ]; then |
416 | + if [ "${EFFECTIVE_SYNC_IN_CONTAINER}" != "yes" ]; then |
417 | + echo "<5>Adding -x as fallback disabling control of the system clock, see ${DOC} to override this behavior" |
418 | + EFFECTIVE_DAEMON_OPTS="${EFFECTIVE_DAEMON_OPTS} -x" |
419 | + else |
420 | + echo "<5>Not falling back to disable control of the system clock, see ${DOC} to change this behavior" |
421 | + fi |
422 | + fi |
423 | +fi |
424 | + |
425 | +${CMD} ${EFFECTIVE_DAEMON_OPTS} |
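Review bot: The `getopts ":x"` loop stops at the first non-option word, so a -x that follows an option taking a value in DAEMON_OPTS is not detected; the script then runs the container and capability checks anyway and may append a second -x. Either document that -x has to come before any option with a value, or give getopts chronyd's full option string so it can step over option values. Two smaller points on the last line, `${CMD} ${EFFECTIVE_DAEMON_OPTS}`: it relies on unquoted word splitting of a string built from `${@:-""}`, so an argument containing whitespace is broken up, and it keeps an extra shell process around until chronyd has forked, which `exec` would avoid.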
426 | diff --git a/debian/control b/debian/control |
427 | index a35df2d..c740cc9 100644 |
428 | --- a/debian/control |
429 | +++ b/debian/control |
430 | @@ -1,7 +1,8 @@ |
431 | Source: chrony |
432 | Section: net |
433 | Priority: optional |
434 | -Maintainer: Vincent Blut <vincent.debian@free.fr> |
435 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
436 | +XSBC-Original-Maintainer: Vincent Blut <vincent.debian@free.fr> |
437 | Uploaders: Joachim Wiedorn <joodebian@joonet.de> |
438 | Standards-Version: 4.2.1 |
439 | Build-Depends: asciidoctor (>= 1.5.3-1~), |
440 | @@ -24,9 +25,11 @@ Architecture: linux-any |
441 | Depends: adduser, |
442 | iproute2 [linux-any], |
443 | lsb-base, |
444 | + libcap2-bin, |
445 | ucf, |
446 | ${misc:Depends}, |
447 | ${shlibs:Depends} |
448 | +Recommends: networkd-dispatcher (>= 1.7-0ubuntu3) |
449 | Suggests: dnsutils |
450 | Conflicts: ntp, |
451 | time-daemon |
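Review bot: libcap2-bin is inserted after lsb-base in Depends, which breaks the alphabetical order the rest of the list follows; move it above lsb-base. Separately, chronyd-starter.sh also calls /usr/bin/systemd-detect-virt and falls back to "not a container" when it is missing, but nothing in the Depends or Recommends shown here covers it; if that fallback is intended, a comment in the script saying so would help.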
452 | diff --git a/debian/docs b/debian/docs |
453 | index e12f653..3bfc9dc 100644 |
454 | --- a/debian/docs |
455 | +++ b/debian/docs |
456 | @@ -1,3 +1,4 @@ |
457 | FAQ |
458 | NEWS |
459 | README |
460 | +debian/README.container |
461 | diff --git a/debian/install b/debian/install |
462 | index db2e305..abaa2f3 100644 |
463 | --- a/debian/install |
464 | +++ b/debian/install |
465 | @@ -2,3 +2,4 @@ debian/chrony-dnssrv@.* lib/systemd/system |
466 | debian/chrony-helper usr/lib/chrony |
467 | debian/chrony.conf usr/share/chrony |
468 | debian/usr.sbin.chronyd etc/apparmor.d |
469 | +debian/chronyd-starter.sh usr/lib/systemd/scripts/ |
470 | diff --git a/debian/links b/debian/links |
471 | new file mode 100644 |
472 | index 0000000..71e2c52 |
473 | --- /dev/null |
474 | +++ b/debian/links |
475 | @@ -0,0 +1,5 @@ |
476 | +# Update sources in response to systemd-networkd events (LP: #1718227). |
477 | +# This is reusing the NetworkManager dispatch script which has no hard |
478 | +# dependency to NetworkManager (not using any of its arguments) |
479 | +etc/NetworkManager/dispatcher.d/20-chrony usr/lib/networkd-dispatcher/routable.d/chrony |
480 | +etc/NetworkManager/dispatcher.d/20-chrony usr/lib/networkd-dispatcher/off.d/chrony |
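Review bot: Both links resolve to etc/NetworkManager/dispatcher.d/20-chrony, a file under /etc, so the networkd-dispatcher hooks in usr/lib depend on a file the administrator may edit or delete; if it is removed, the routable.d and off.d entries dangle. Consider shipping the script under usr/lib and linking both the NetworkManager and networkd-dispatcher locations to it, or state the coupling in the comment at the top of this file.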
481 | diff --git a/debian/postrm b/debian/postrm |
482 | index ed3bac1..a5fd9ba 100644 |
483 | --- a/debian/postrm |
484 | +++ b/debian/postrm |
485 | @@ -7,6 +7,15 @@ set -e |
486 | |
487 | # targets: purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear |
488 | |
489 | +restore_timesyncd() { |
490 | + # on next reboot it would start, but that would leave time |
491 | + # unsynchronized until then. So as the Conflicts in the service file kill |
492 | + # systemd-timesyncd re-establish it if it is enabled |
493 | + if [ "$(systemctl is-enabled systemd-timesyncd 2>/dev/null)" = "enabled" ] ; then |
494 | + deb-systemd-invoke start systemd-timesyncd |
495 | + fi |
496 | +} |
497 | + |
498 | case "$1" in |
499 | purge) |
500 | rm -f /var/lib/chrony/* |
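Review bot: restore_timesyncd runs under the script's `set -e` (visible in the hunk header), so a non-zero exit from `deb-systemd-invoke start systemd-timesyncd` aborts postrm and makes the package removal fail. Restoring timesyncd is best effort, so append `|| true` to that line, as the deluser call further down in this file already does.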
501 | @@ -30,9 +39,15 @@ case "$1" in |
502 | then |
503 | deluser --quiet --system _chrony > /dev/null 2>&1 || true |
504 | fi |
505 | + |
506 | + restore_timesyncd |
507 | + ;; |
508 | + |
509 | + remove) |
510 | + restore_timesyncd |
511 | ;; |
512 | |
513 | - remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) |
514 | + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) |
515 | |
516 | ;; |
517 |
Related PPA and ticket at bileto.ubuntu.com/#/ticket/3512 and launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3512