rootfs: Sync time with NTP using chrony

By default, *dhcpcd* generates a "complete" `chrony.conf` file using the
NTP servers specified in the DHCP lease, and then restarts the Chrony
daemon.  This is unnecessary, as *chrony* can reload its list of
sources without restarting, and also problematic in our case.  For one
thing, *dhcpcd* tries to write to `/etc/chrony.conf` directly, which is
obviously impossible when the root filesystem is immutable.
Fortunately, it is flexible enough to be configured to leave
`/etc/chrony.conf` alone and generate a different file and then tell
*chrony* to reread it.

The *chrony-wait.service* unit introduces a delay into the system
startup that allows follow-up units to wait until the system time is
confirmed correct.  The unit file itself was derived from the one
included in the *chrony* package for Fedora.

configs/jenkinsagent_defconfig

@@ -28,6 +28,7 @@ BR2_PACKAGE_OPENJDK=y
 BR2_PACKAGE_LIBCURL=y
 BR2_PACKAGE_LIBCURL_CURL=y
 # BR2_PACKAGE_LIBCURL_EXTRA_PROTOCOLS_FEATURES is not set
+BR2_PACKAGE_CHRONY=y
 BR2_PACKAGE_DHCPCD=y
 # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
 BR2_PACKAGE_IPROUTE2=y
@@ -43,6 +44,8 @@ BR2_PACKAGE_RSYSLOG=y
 # BR2_PACKAGE_SYSTEMD_HWDB is not set
 # BR2_PACKAGE_SYSTEMD_NETWORKD is not set
 # BR2_PACKAGE_SYSTEMD_RESOLVED is not set
+# BR2_PACKAGE_SYSTEMD_TIMEDATED is not set
+# BR2_PACKAGE_SYSTEMD_TIMESYNCD is not set
 BR2_PACKAGE_UTIL_LINUX_LOGIN=y
 BR2_TARGET_ROOTFS_SQUASHFS=y
 BR2_TARGET_ROOTFS_SQUASHFS4_LZ4=y

rootfs/overlay/etc/chrony.conf

@@ -0,0 +1,2 @@
+sourcedir /run/chrony-dhcp
+makestep 0.1 10

rootfs/overlay/etc/dhcpcd.conf

@@ -32,7 +32,7 @@ option interface_mtu
 option host_name
 
 # Most distributions have NTP support.
-#option ntp_servers
+option ntp_servers
 
 # Rapid commit support.
 # Safe to enable by default because it requires the equivalent option set
@@ -48,3 +48,6 @@ require dhcp_server_identifier
 slaac private
 
 denyinterfaces dummy*
+
+env NTP_CONF=/run/chrony-dhcp/dhcpcd.sources
+env ntp_restart_cmd=/usr/bin/chronyc reload sources

rootfs/overlay/usr/lib/systemd/system/chrony-wait.service

@@ -0,0 +1,47 @@
+[Unit]
+Description=Wait for chrony to synchronize system clock
+Documentation=man:chronyc(1)
+After=chrony.service
+Requires=chrony.service
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
+# Wait for at most 3 minutes
+TimeoutStartSec=180
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
+[Install]
+WantedBy=multi-user.target

rootfs/overlay/usr/lib/tmpfiles.d/chrony.conf

@@ -0,0 +1 @@
+d /run/chrony-dhcp 0755 root root