chrony: improve configuration

Extend configuration of NTP sources in UCI:
- Add nts option to enable NTS
- Add disabled option to allow inactive sources

Add nts section to UCI with:
- rtccheck option to disable certificate time checks on systems that
  don't have an RTC to avoid the chicken-and-egg problem (it is less
  secure, but still should be better than no NTS at all)
- systemcerts option to disable system certificates
- trustedcerts option to specify path to trusted certificates

Save NTS keys and cookies by default to avoid unnecessary NTS-KE
sessions when restarted or switching back to an already used NTS source.
Also, save the drift to stabilize the clock after chronyd restart.

Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
This commit is contained in:
Miroslav Lichvar
2020-10-30 20:57:35 +01:00
parent b9d6d6cdd0
commit 21c0f580f1
4 changed files with 32 additions and 3 deletions
+19 -1
@@ -6,21 +6,26 @@ USE_PROCD=1
PROG=/usr/sbin/chronyd
CONFIGFILE=/etc/chrony/chrony.conf
INCLUDEFILE=/var/etc/chrony.d/10-uci.conf
RTCDEVICE=/dev/rtc0
handle_source() {
local cfg=$1 sourcetype=$2 hostname minpoll maxpoll iburst
local cfg=$1 sourcetype=$2 disabled hostname minpoll maxpoll iburst nts
config_get_bool disabled "$cfg" disabled 0
[ "$disabled" = "1" ] && return
hostname=$NTP_SOURCE_HOSTNAME
[ -z "$hostname" ] && config_get hostname "$cfg" hostname
[ -z "$hostname" ] && return
config_get minpoll "$cfg" minpoll
config_get maxpoll "$cfg" maxpoll
config_get_bool iburst "$cfg" iburst 0
config_get_bool nts "$cfg" nts 0
echo $(
echo $sourcetype $hostname
[ -n "$minpoll" ] && echo minpoll $minpoll
[ -n "$maxpoll" ] && echo maxpoll $maxpoll
[ "$iburst" = "1" ] && echo iburst
[ "$nts" = "1" ] && echo nts
)
}
@@ -53,6 +58,18 @@ handle_makestep() {
echo makestep $threshold $limit
}
handle_nts() {
local cfg=$1 threshold limit
config_get_bool rtccheck "$cfg" rtccheck 0
config_get_bool systemcerts "$cfg" systemcerts 1
config_get trustedcerts "$cfg" trustedcerts
# Disable certificate time checks if no RTC is present
[ "$rtccheck" = "1" ] && ! [ -c $RTCDEVICE ] && echo nocerttimecheck 1
[ "$systemcerts" = "0" ] && echo nosystemcert
[ -n "$trustedcerts" ] && echo ntstrustedcerts "$trustedcerts"
}
start_service() {
. /lib/functions/network.sh
@@ -71,5 +88,6 @@ start_service() {
config_foreach handle_source peer peer
config_foreach handle_allow allow
config_foreach handle_makestep makestep
config_foreach handle_nts nts
) > $INCLUDEFILE
}
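Review bot: The `local` line of handle_nts, `local cfg=$1 threshold limit`, declares the variables of handle_makestep rather than the three that the function actually reads, so rtccheck, systemcerts and trustedcerts are never made local and leak into the init script's scope; change it to `local cfg=$1 rtccheck systemcerts trustedcerts`. On the nocerttimecheck line the RTC test should quote the expansion, `[ -c "$RTCDEVICE" ]`, to match the other tests in the function. The comment above it, "Disable certificate time checks if no RTC is present", understates the condition, since the check is only skipped when the rtccheck option is set and the device is missing; a clearer comment would be `# rtccheck=1 and no RTC device: skip certificate time checks (weaker NTS validation, see commit message)`. handle_nts runs once per nts section via config_foreach, so the directives are repeated if more than one section exists; whether chronyd accepts duplicates of nosystemcert and ntstrustedcerts is not established by this hunk.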