From c972de572ccb464a6f5bef340eaa4a2ba5737baa Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 12 Mar 2022 16:14:05 -0600
Subject: [PATCH] rootfs: Sync time with NTP using chrony

By default, *dhcpcd* generates a "complete" `chrony.conf` file using the NTP servers specified in the DHCP lease, and then restarts the Chrony daemon. This is unnecessary, as *chrony* can reload its list of sources without restarting, and also problematic in our case. For one thing, *dhcpcd* tries to write to `/etc/chrony.conf` directly, which is obviously impossible when the root filesystem is immutable. Fortunately, it is flexible enough to be configured to leave `/etc/chrony.conf` alone and generate a different file and then tell *chrony* to reread it. The *chrony-wait.service* unit introduces a delay into the system startup that allows follow-up units to wait until the system time is confirmed correct. The unit file itself was derived from the one included in the *chrony* package for Fedora.
---
 configs/jenkinsagent_defconfig | 3 ++
 rootfs/overlay/etc/chrony.conf | 2 +
 rootfs/overlay/etc/dhcpcd.conf | 5 +-
 .../lib/systemd/system/chrony-wait.service | 47 +++++++++++++++++++
 rootfs/overlay/usr/lib/tmpfiles.d/chrony.conf | 1 +
 5 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 rootfs/overlay/etc/chrony.conf
 create mode 100644 rootfs/overlay/usr/lib/systemd/system/chrony-wait.service
 create mode 100644 rootfs/overlay/usr/lib/tmpfiles.d/chrony.conf
diff --git a/configs/jenkinsagent_defconfig b/configs/jenkinsagent_defconfig
index 8cfc5e2..068e200 100644
--- a/configs/jenkinsagent_defconfig
+++ b/configs/jenkinsagent_defconfig
@@ -28,6 +28,7 @@ BR2_PACKAGE_OPENJDK=y
 BR2_PACKAGE_LIBCURL=y
 BR2_PACKAGE_LIBCURL_CURL=y
 # BR2_PACKAGE_LIBCURL_EXTRA_PROTOCOLS_FEATURES is not set
+BR2_PACKAGE_CHRONY=y
 BR2_PACKAGE_DHCPCD=y
 # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
 BR2_PACKAGE_IPROUTE2=y
@@ -43,6 +44,8 @@ BR2_PACKAGE_RSYSLOG=y
 # BR2_PACKAGE_SYSTEMD_HWDB is not set
 # BR2_PACKAGE_SYSTEMD_NETWORKD is not set
 # BR2_PACKAGE_SYSTEMD_RESOLVED is not set
+# BR2_PACKAGE_SYSTEMD_TIMEDATED is not set
+# BR2_PACKAGE_SYSTEMD_TIMESYNCD is not set
 BR2_PACKAGE_UTIL_LINUX_LOGIN=y
 BR2_TARGET_ROOTFS_SQUASHFS=y
 BR2_TARGET_ROOTFS_SQUASHFS4_LZ4=y
diff --git a/rootfs/overlay/etc/chrony.conf b/rootfs/overlay/etc/chrony.conf
new file mode 100644
index 0000000..fac102a
--- /dev/null
+++ b/rootfs/overlay/etc/chrony.conf
@@ -0,0 +1,2 @@
+sourcedir /run/chrony-dhcp
+makestep 0.1 10
diff --git a/rootfs/overlay/etc/dhcpcd.conf b/rootfs/overlay/etc/dhcpcd.conf
index 8715283..7ee8c1a 100644
--- a/rootfs/overlay/etc/dhcpcd.conf
+++ b/rootfs/overlay/etc/dhcpcd.conf
@@ -32,7 +32,7 @@ option interface_mtu
 option host_name
 # Most distributions have NTP support.
-#option ntp_servers
+option ntp_servers
 # Rapid commit support.
 # Safe to enable by default because it requires the equivalent option set
@@ -48,3 +48,6 @@ require dhcp_server_identifier
 slaac private
 denyinterfaces dummy*
+
+env NTP_CONF=/run/chrony-dhcp/dhcpcd.sources
+env ntp_restart_cmd=/usr/bin/chronyc reload sources
diff --git a/rootfs/overlay/usr/lib/systemd/system/chrony-wait.service b/rootfs/overlay/usr/lib/systemd/system/chrony-wait.service
new file mode 100644
index 0000000..f06283a
--- /dev/null
+++ b/rootfs/overlay/usr/lib/systemd/system/chrony-wait.service
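Review bot: The new chrony.conf takes its sources exclusively from whatever the DHCP lease hands out, and `makestep 0.1 10` lets any of the first ten updates step the clock by an unbounded amount, so a rogue DHCP or NTP responder on the link can set an arbitrary system time at boot — plain NTP sources cannot be authenticated by chronyd, and the commit message does not mention this trust boundary. If the fleet has a trusted time server, a static `server` line (with `nts` where the shipped chrony supports it) or a `maxchange` bound would cap the damage; I cannot see the chrony version Buildroot ships, and `sourcedir` itself requires chrony 4.0 or newer, which is worth confirming. With no static source at all, a lease that carries no NTP option leaves chronyd with zero sources, and chrony-wait (added in this same patch) then times out on every boot. Please also add a header comment so the two-line file is understood, e.g. `# NTP sources are written by dhcpcd into /run/chrony-dhcp/*.sources (see NTP_CONF in /etc/dhcpcd.conf)`.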
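Review bot: `env ntp_restart_cmd=/usr/bin/chronyc reload sources` runs from the dhcpcd hook on every lease change, but nothing in this patch orders dhcpcd after chrony.service, so on the first lease chronyd may not be up yet and the reload will fail; since chronyd reads `sourcedir` at startup that is presumably harmless, but a comment saying so would save the next reader a false alarm. The generated `.sources` file is written with the hook's umask, and if Buildroot's chronyd drops privileges it re-reads that file as its own user, so the file must remain world-readable — an assumption to verify against the hook. Suggested comment above the two `env` lines: `# Hand the lease's NTP servers to chrony via its sourcedir and reload (not restart) chronyd; /etc/chrony.conf is on the read-only rootfs.`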
@@ -0,0 +1,47 @@
+[Unit]
+Description=Wait for chrony to synchronize system clock
+Documentation=man:chronyc(1)
+After=chrony.service
+Requires=chrony.service
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
+# Wait for at most 3 minutes
+TimeoutStartSec=180
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
+[Install]
+WantedBy=multi-user.target
diff --git a/rootfs/overlay/usr/lib/tmpfiles.d/chrony.conf b/rootfs/overlay/usr/lib/tmpfiles.d/chrony.conf
new file mode 100644
index 0000000..431a045
--- /dev/null
+++ b/rootfs/overlay/usr/lib/tmpfiles.d/chrony.conf
@@ -0,0 +1 @@
+d /run/chrony-dhcp 0755 root root
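Review bot: The unit's failure mode is undocumented and matters for what the commit promises: when waitsync has not converged within `TimeoutStartSec=180` the unit fails, `Wants=time-sync.target` still lets the target be reached, and with `StandardOutput=null` the only trace is the failed unit state — so any follow-up unit that merely orders `After=time-sync.target` proceeds with an unconfirmed clock. Units that must not run with a wrong clock need `Requires=chrony-wait.service` in addition to the ordering; that is inferred from the dependencies visible here, not from units outside this patch. I would add a header comment stating that the unit is derived from Fedora's chrony-wait.service (as the commit message says), that a timeout is expected when the DHCP lease carries no NTP servers, and that `UMask=0777` is deliberate hardening (the process creates no files) rather than a typo waiting to be "fixed". Several sandboxing directives (`ProcSubset=`, `ProtectProc=`, `IPAddressAllow=`) depend on the systemd version and on kernel cgroup-BPF support, neither of which this patch shows; an unsupported directive is logged and ignored rather than failing the unit, which is worth a line in that comment too.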
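Review bot: `d /run/chrony-dhcp 0755 root root` creates a root-owned, world-readable directory, which is what the two parties need — dhcpcd's hook writing as root and chronyd (if Buildroot's chrony drops privileges, not visible here) reading the `.sources` file as its own user — but nothing records that contract or ties this entry to the other two files in the patch. A comment such as `# Drop directory for dhcpcd's generated NTP source list (NTP_CONF in /etc/dhcpcd.conf); read by chronyd via sourcedir in /etc/chrony.conf` would do. The hook also depends on systemd-tmpfiles-setup having run before dhcpcd obtains its first lease; with the default ordering that holds, but it is an assumption worth stating.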