Miroslav Lichvar [Wed, 21 Apr 2021 07:37:40 +0000 (09:37 +0200)]
nts: handle negotiated server as FQDN
The NTS RFC requires the recipient of the Server Negotiation NTS-KE
record to handle the name as a fully qualified domain name. Add a
trailing dot if not present to force the name to be resolved as one.
sys_timex: remove workaround for broken ntp_adjtime on macOS
Early beta releases of macOS Big Sur had a signed/unsigned error in
Apple's implementation of ntp_adjtime. Apple have since fixed this error
and the workaround is no longer required.
Miroslav Lichvar [Thu, 15 Apr 2021 07:43:01 +0000 (09:43 +0200)]
conf: require sourcedir files to be terminated by newline
When reading a *.sources file require that each line is termined by the
newline character to avoid processing an unfinished line, e.g. due to an
unexpected call of the reload command when the file is being written in
place.
Miroslav Lichvar [Wed, 14 Apr 2021 13:58:51 +0000 (15:58 +0200)]
ntp: add copy option
When separate client and server instances of chronyd are running on one
computer (e.g. for security or performance reasons) and are synchronized
to each other, the server instance provides a reference ID based on the
local address used for synchronization of its NTP clock, which breaks
detection of synchronization loops for its own clients.
Add a "copy" option to specify that the server and client are closely
related, no loop can form between them, and the client should assume the
reference ID and stratum of the server to fix detection of loops between
the server and clients of the client.
The LOG_FATAL macro expands to (emitting the message and then) exit(1).
So a return after LOG_FATAL isn't reached. Drop all those to simplify
the code a bit.
sys_linux: allow setsockopt(SOL_IP, IP_TOS) in seccomp
This system call is required by the DSCP marking feature introduced in commit 6a5665ca5877 ("conf: add dscp directive").
Before this change, enabling seccomp filtering (chronyd -F 1) and specifying a
custom DSCP value in the configuration (for example "dscp 46") caused the
process to be killed by seccomp due to IP_TOS not being allowed by the filter.
Tested before and after the change on Ubuntu 21.04, kernel 5.11.0-13-generic.
IP_TOS is available since Linux 1.0, so I didn't add any ifdefs for it.
Miroslav Lichvar [Thu, 18 Mar 2021 10:49:08 +0000 (11:49 +0100)]
refclock: increase PPS lock limit
Increase the maximum acceptable offset of the PPS lock reference from
20% to 40% of the PPS interval to not require the refclock offset to be
specified in configuration so accurately, or enable operation with a
highly unstable reference clock.
Kamil Dudka [Mon, 15 Mar 2021 09:27:40 +0000 (10:27 +0100)]
configure: use well-known file name conftest.c
... for configuration checks. Compiler wrappers check for this name
in order to skip any instrumentation of the build that is intended
for regular source files only.
Instead of selectively suspending logging by redirecting messages to
/dev/null, increase the default minimum log severity to FATAL. In the
debug mode, all messages are printed.
Check if the name passed to DNS_Name2IPAddress() is an IP address
before calling getaddrinfo(), which can be much slower and work
differently on different systems.
cmdmon: fix responding to IPv4 addresses on FreeBSD
On FreeBSD, the source address cannot be specified when sending a
message on a socket bound to a non-any IPv4 address, e.g. in default
configuration 127.0.0.1. In this case, make the address unspecified.
This is similar to commit 6af39d63aa93 ("ntp: don't use IP_SENDSRCADDR
on bound socket").
Fixes: f06c1cfa97f8 ("cmdmon: respond from same address")
Miroslav Lichvar [Thu, 25 Feb 2021 16:04:01 +0000 (17:04 +0100)]
main: warn if running with root privileges
Log a warning message if the main process has not dropped the root
privileges, i.e. when the compiled-in user or user specified by the user
directive or -u option is root.
Miroslav Lichvar [Wed, 24 Feb 2021 12:04:27 +0000 (13:04 +0100)]
ntp: restart resolving on online command
If the online command is received when the resolver is running, start
it again as soon as it finishes instead of waiting for the timer.
This should reduce the time needed to get all sources resolved on boot
if chronyd is started before the network is online and the chronyc
online command is issued before the first round of resolving can finish,
e.g. due to an unreachable DNS server in resolv.conf.
sys_linux: allow statx and fstatat64 in seccomp filter
With glibc 2.33 on armhf statx and fstatat64 are triggered.
Allow this call to un-break chrony on such platforms.
Without this e.g. test 005-scfilter fails and with ltrace -rTS reports:
a)
0.001684 SYS_397(11, 0xf75def08, 6144, 2047 <no return ...>
0.759239 +++ killed by SIGSYS +++
b)
0.003749 SYS_327(-100, 0xffdbcc3c, 0xffdbcb50, 0)
0.000821 --- SIGSYS (Bad system call) ---
Current armhf syscalls from:
https://github.com/torvalds/linux/blob/v5.10/arch/arm/tools/syscall.tbl
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Miroslav Lichvar [Wed, 10 Feb 2021 12:21:37 +0000 (13:21 +0100)]
ntp: limit number of sources
Don't rely on assertions and running out of memory to terminate if
an extremely large number of sources is added. Set the maximum number
to 65536 to have a practical limit where chronyd still has a chance to
appear functional with some operations having a quadratic time
complexity.
Miroslav Lichvar [Wed, 10 Feb 2021 15:15:15 +0000 (16:15 +0100)]
nts: reset NTP address/port if removed in NTS-KE
When an NTS-KE server stops providing the NTP address or port, change
them to the original values to avoid the client getting stuck
with a non-responding address/port.
In the NTS-NTP client instance, maintain a local copy of the NTP address
instead of using a pointer to the NCR's address, which may change at
unexpected times.
Also, change the NNC_CreateInstance() to accept only the NTP port to
make it clear the initial NTP address is the same as the NTS-KE address
and to make it consistent with NNC_ChangeAddress(), which accepts only
one address.
Allow NSR_UpdateSourceNtpAddress() to be (indirectly) called from
NCR_CreateInstance() and NCR_ChangeRemoteAddress(). In these cases, save
the addresses and make the update later when the function calls return.
After loading the dump files with the -r option, immediately perform a
source selection with forced setting of the reference. This shortens the
interval when a restarted server doesn't respond with synchronized time.
It no longer needs to wait for the first measurement from the best
source (which had to pass all the filters).
sources: improve handling of dump files and their format
Check for write errors when saving dump files. Don't save files with no
samples. Add more sanity checks for loaded data.
Extend the file format to include an identifier, the reachability
register, leap status, name, and authentication flag. Avoid loading
unauthenticated data after switching authentication on. Change format
and order of some fields to simplify parsing. Drop fields that were kept
only for compatibility.
The dump files now contain all information needed to perform the source
selection and update the reference.
There is no support kept for the old file format. Loading of old dump
files will fail after upgrading to new version.
Remove stratum from the NTP sample and update it together with the leap
status. This enables a faster update when samples are dropped by the NTP
filters.
Miroslav Lichvar [Thu, 14 Jan 2021 13:12:54 +0000 (14:12 +0100)]
ntp: allow replacement of sources specified by IP address
For sources specified by an IP address, keep the original address as the
source's name and pass it to the NCR instance. Allow the sources to go
through the replacement process if their address has changed.
This will be useful with NTS-KE negotiation.
The IP-based source names are now provided via cmdmon. This means
chronyc -n and -N can show two different addresses for a source.
Miroslav Lichvar [Wed, 13 Jan 2021 15:25:08 +0000 (16:25 +0100)]
test: make 120-selectoptions more reliable
Remove packet interval checks with long delays as the tests are much
more likely to end when the client is waiting for a response. Increase
the base delay to make selection with two sources more reliable.
Reported-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Miroslav Lichvar [Wed, 13 Jan 2021 12:36:13 +0000 (13:36 +0100)]
socket: check length of received control messages
Make sure each processed control messages has the expected length.
Beside improved safety, this should prevent potential issues with broken
timestamps on systems that support both 64-bit and 32-bit time_t.
Miroslav Lichvar [Wed, 13 Jan 2021 11:32:38 +0000 (12:32 +0100)]
sched: improve infinite loop detection
The "infinite loop in scheduling" fatal error was observed on a system
running out of memory. Presumably, the execution of the process slowed
down due to memory thrashing so much that the dispatching loop wasn't
able to break with a single server polled at a 16-second interval.
To allow recovery in such a case, require for the error more than
20 handled timeouts and a rate higher than 100 per second.
Fortunately, the Linux kernel can be built with software emulation of
these hardware requests, by enabling the following config variable:
CONFIG_RTC_INTF_DEV_UIE_EMUL
Provides an emulation for RTC_UIE if the underlying rtc chip
driver does not expose RTC_UIE ioctls. Those requests generate
once-per-second update interrupts, used for synchronization.
The emulation code will read the time from the hardware
clock several times per second, please enable this option
only if you know that you really need it.
This commit records these facts for the benefit of the user.
If ntsdumpdir is specified and the server NTS keys are not reloaded from
the file, save the generated keys on start instead of waiting for the
first rotation or exit. This allows the keys to be shared with another
server without having to use the dump command.
In the initial resolving of pool sources try to assign each address only
once. If it fails, it means the address is already used (DNS provided
the same address) or the address is not connectable. The same result can
be expected for other unresolved sources of the pool as they don't have
a real address yet.
The NTS-KE helper doesn't need to bind sockets or adjust the clock.
Don't start the privops helper, or keep the capabilities, when dropping
root privileges in its context.
Update the monotonic time before the timestamps are corrected for
unexpected jumps, e.g. due to the computer being suspended and resumed,
and switch to the raw timestamps. This should allow the NTS refresh
interval to better follow real time, but it will not be corrected for
a frequency offset if the clock is not synchronized (e.g. with -x).
Even if a received message will not be returned to the caller (e.g.
because it is truncated), process its control messages to avoid leaking
received descriptors.
Fixes: f231efb811ee ("socket: add support for sending and receiving descriptors")
projects / thirdparty / chrony.git / log
