Merge pull request #13816 from mlichvar/chrony-improvements

chrony: improve configuration and hotplug script

net/chrony/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=chrony
 PKG_VERSION:=4.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.tuxfamily.org/chrony/

net/chrony/files/chrony.conf

@@ -1,4 +1,8 @@
-# This file is included from config file generated from /etc/config/chrony
+# Load UCI configuration
+confdir /var/etc/chrony.d
+
+# Load NTP servers from DHCP if enabled in UCI
+sourcedir /var/run/chrony-dhcp
 
 # Log clock errors above 0.5 seconds
 logchange 0.5
@@ -6,5 +10,11 @@ logchange 0.5
 # Don't log client accesses
 noclientlog
 
-# set the system clock else the kernel will always stay in UNSYNC state
+# Mark the system clock as synchronized
 rtcsync
+
+# Record the clock's drift
+driftfile /var/run/chrony/drift
+
+# Save NTS keys and cookies
+ntsdumpdir /var/run/chrony

net/chrony/files/chrony.config

@@ -5,6 +5,7 @@ config pool
 
 config dhcp_ntp_server
 	option iburst 'yes'
+	option disabled 'no'
 
 config allow
 	option interface 'lan'
@@ -12,3 +13,7 @@ config allow
 config makestep
 	option threshold '1.0'
 	option limit '3'
+
+config nts
+	option rtccheck 'yes'
+	option systemcerts 'yes'

net/chrony/files/chrony.hotplug

@@ -1,20 +1,18 @@
 #!/bin/sh
 # Set chronyd online/offline status, allow NTP access and add servers from DHCP
 
-[ "$ACTION" = ifup -o "$ACTION" = ifdown ] || exit 0
+SOURCEFILE="/var/run/chrony-dhcp/$INTERFACE.sources"
 
 run_command() {
 	/usr/bin/chronyc -n "$*" > /dev/null 2>&1
 }
 
-run_command tracking || exit 0
+run_command onoffline
 
-. /lib/functions/network.sh
+if [ "$ACTION" = ifdown ] && [ -f "$SOURCEFILE" ]; then
-
+	rm -f "$SOURCEFILE"
-network_find_wan iface4
+	run_command reload sources
-network_find_wan6 iface6
+fi
-run_command $([ -n "$iface4" ] && echo online || echo offline) 0.0.0.0/0.0.0.0
-run_command $([ -n "$iface6" ] && echo online || echo offline) ::/0
 
 [ "$ACTION" = ifup ] || exit 0
 
@@ -32,13 +30,16 @@ done
 
 . /usr/share/libubox/jshn.sh
 
-for iface in $iface4 $iface6; do
+json_load "$(ifstatus "$INTERFACE")"
-	json_load "$(ifstatus $iface)"
 json_select data
 json_get_var dhcp_ntp_servers ntpserver
 
-	for server in $dhcp_ntp_servers; do
+[ -z "$dhcp_ntp_servers" ] && exit 0
-		run_command add $(NTP_SOURCE_HOSTNAME=$server config_foreach \
+
-				handle_source dhcp_ntp_server server)
+mkdir -p "$(dirname "$SOURCEFILE")"
-	done
+
-done
+for NTP_SOURCE_HOSTNAME in $dhcp_ntp_servers; do
+	config_foreach handle_source dhcp_ntp_server server
+done > "$SOURCEFILE"
+
+run_command reload sources

net/chrony/files/chronyd.init

@@ -4,23 +4,28 @@
 START=15
 USE_PROCD=1
 PROG=/usr/sbin/chronyd
-CONFIGFILE=/var/etc/chrony.conf
+CONFIGFILE=/etc/chrony/chrony.conf
-INCLUDEFILE=/etc/chrony/chrony.conf
+INCLUDEFILE=/var/etc/chrony.d/10-uci.conf
+RTCDEVICE=/dev/rtc0
 
 handle_source() {
-	local cfg=$1 sourcetype=$2 hostname minpoll maxpoll iburst
+	local cfg=$1 sourcetype=$2 disabled hostname minpoll maxpoll iburst nts
 
+	config_get_bool disabled "$cfg" disabled 0
+	[ "$disabled" = "1" ] && return
 	hostname=$NTP_SOURCE_HOSTNAME
 	[ -z "$hostname" ] && config_get hostname "$cfg" hostname
 	[ -z "$hostname" ] && return
 	config_get minpoll "$cfg" minpoll
 	config_get maxpoll "$cfg" maxpoll
 	config_get_bool iburst "$cfg" iburst 0
+	config_get_bool nts "$cfg" nts 0
 	echo $(
 		echo $sourcetype $hostname
 		[ -n "$minpoll" ] && echo minpoll $minpoll
 		[ -n "$maxpoll" ] && echo maxpoll $maxpoll
 		[ "$iburst" = "1" ] && echo iburst
+		[ "$nts" = "1" ] && echo nts
 	)
 }
 
@@ -53,24 +58,36 @@ handle_makestep() {
 	echo makestep $threshold $limit
 }
 
+handle_nts() {
+	local cfg=$1 threshold limit
+
+	config_get_bool rtccheck "$cfg" rtccheck 0
+	config_get_bool systemcerts "$cfg" systemcerts 1
+	config_get trustedcerts "$cfg" trustedcerts
+	# Disable certificate time checks if no RTC is present
+	[ "$rtccheck" = "1" ] && ! [ -c $RTCDEVICE ] && echo nocerttimecheck 1
+	[ "$systemcerts" = "0" ] && echo nosystemcert
+	[ -n "$trustedcerts" ] && echo ntstrustedcerts "$trustedcerts"
+}
+
 start_service() {
 	. /lib/functions/network.sh
 
 	procd_open_instance
-	procd_set_param command $PROG -n -f $CONFIGFILE
+	procd_set_param command $PROG -n
 	procd_set_param file $CONFIGFILE
 	procd_set_param file $INCLUDEFILE
 	procd_close_instance
 
 	config_load chrony
-	mkdir -p $(dirname $CONFIGFILE)
+	mkdir -p $(dirname $INCLUDEFILE)
 
 	(
-		echo include $INCLUDEFILE
 		config_foreach handle_source server server
 		config_foreach handle_source pool pool
 		config_foreach handle_source peer peer
 		config_foreach handle_allow allow
 		config_foreach handle_makestep makestep
-	) > $CONFIGFILE
+		config_foreach handle_nts nts
+	) > $INCLUDEFILE
 }