feat(chrony): introducing the chrony module

This new module relies on chrony to add support for NTP in the initrd. By
default, it also uses NTP sources from DHCP.

It provides two new kernel command line options:
- `rd.ntp`: it can be used multiple times to specify server, pool and peer time
sources.
- `rd.ntp.nodhcp`: it disables the use of NTP sources from DHCP.

In some environments, it's necessary to fetch live images from HTTPS URLs. The
problem is that the hardware clock may be off, so the validation of the SSL
certificates may fail if the time is out of sync. Also, some systems may not
have access to DHCP for security reasons, that's why we need a way to configure
them on the kernel command line.

Author: aafeijoo-suse

.github/labeler.yml

@@ -88,6 +88,10 @@ caps:
     - changed-files:
           - any-glob-to-any-file: 'modules.d/[0-9][0-9]caps/*'
 
+chrony:
+    - changed-files:
+          - any-glob-to-any-file: 'modules.d/[0-9][0-9]chrony/*'
+
 cifs:
     - changed-files:
           - any-glob-to-any-file: 'modules.d/[0-9][0-9]cifs/*'

doc_site/modules/ROOT/pages/modules/network.adoc

@@ -6,6 +6,9 @@
 |===
 | Module | Description
 
+| chrony
+| Adds support for synchronizing the internal clock via Network Time Protocol (NTP)
+
 | cifs
 | https://docs.kernel.org/admin-guide/cifs/index.html[CIFS], https://repology.org/project/cifs-utils[cifs-utils]
 

man/dracut.cmdline.7.adoc

@@ -729,6 +729,27 @@ interface name. Better name it "bootnet" or "bluesocket".
     list of physical (ethernet) interfaces. Bridge without parameters assumes
     bridge=br0:eth0
 
+NTP
+~~~
+Requires the dracut 'chrony' module.
+
+**rd.ntp=**__{server|pool|peer}__:__<hostname-or-ip>__[:__<option>__[,<option>...]]::
+    This parameter can be specified multiple times.
+    IPv6 addresses have to be put in brackets.
+    See man:chrony.conf[5,external] for more information about server, pool and
+    peer options.
++
+[listing]
+.Examples
+--
+    rd.ntp=pool:2.europe.pool.ntp.org:iburst
+    rd.ntp=server:185.177.150.95:iburst,prefer
+    rd.ntp=server:[2600:1f18:631e:db00:363d:d9d7:5c80:d560]:iburst,maxdelay,0.3
+--
+
+**rd.ntp.nodhcp**::
+    Disable using NTP sources from DHCP.
+
 NFS
 ~~~
 Requires the dracut 'nfs' module.

modules.d/74chrony/chrony-ntp-source.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+command -v getargbool > /dev/null || . /lib/dracut-lib.sh
+
+if getargbool 0 rd.ntp.nodhcp; then
+    info "rd.ntp.nodhcp=1: not adding NTP sources from DHCP."
+    return 0
+fi
+
+_ifname=$1
+[ -n "$_ifname" ] || return 0
+
+_dhcpopts_file="/tmp/dhclient.$_ifname.dhcpopts"
+[ -s "$_dhcpopts_file" ] || return 0
+
+(
+    # shellcheck disable=SC1090
+    . "$_dhcpopts_file"
+    [ -n "$new_ntp_servers" ] || [ -n "$new_dhcp6_ntp_servers" ] || return 0
+
+    info "Adding NTP sources from DHCP ($_ifname)."
+
+    [ -d /run/chrony-dhcp ] || mkdir -p /run/chrony-dhcp
+    for _srv in $new_ntp_servers $new_dhcp6_ntp_servers; do
+        echo "server $_srv iburst" >> "/run/chrony-dhcp/$_ifname.sources"
+    done
+
+    chronyc reload sources > /dev/null 2>&1 \
+        || warn "chronyc failed to reload NTP sources"
+)
+
+unset _ifname _dhcpopts_file

modules.d/74chrony/chrony-wait.service

@@ -0,0 +1,44 @@
+[Unit]
+Description=Wait for chrony to synchronize system clock (initrd)
+AssertPathExists=/etc/initrd-release
+DefaultDependencies=no
+After=chronyd.service
+Requires=chronyd.service
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
+# Wait for at most 3 minutes
+TimeoutStartSec=180
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777

modules.d/74chrony/chrony.conf

@@ -0,0 +1,24 @@
+# This file is part of dracut chrony module.
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /run/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Save NTS keys and cookies.
+ntsdumpdir /run/chrony
+
+# Specify directory for log files.
+logdir /run/chrony/log
+
+# First, use NTP sources parsed by dracut from the kernel command line.
+sourcedir /run/chrony/dracut.sources.d
+
+# Second, use NTP sources from DHCP.
+sourcedir /run/chrony-dhcp

modules.d/74chrony/chronyd.service

@@ -0,0 +1,44 @@
+[Unit]
+Description=NTP client/server (initrd)
+AssertPathExists=/etc/initrd-release
+DefaultDependencies=no
+After=dracut-cmdline.service network.target nss-lookup.target
+Before=time-sync.target
+Conflicts=ntpd.service systemd-timesyncd.service
+Wants=network.target time-sync.target
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=notify
+PIDFile=/run/chrony/chronyd.pid
+Environment="OPTIONS="
+EnvironmentFile=-/etc/sysconfig/chronyd
+ExecStart=/usr/sbin/chronyd -n $OPTIONS
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap

modules.d/74chrony/module-setup.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+check() {
+    require_binaries \
+        chronyd \
+        || return 1
+
+    return 255
+}
+
+depends() {
+    echo systemd network
+    return 0
+}
+
+install() {
+    # openSUSE/Fedora: chrony
+    # Ubuntu: _chrony
+    grep -s -E '^(_chrony|chrony):' "${dracutsysrootdir-}"/etc/passwd \
+        | sed 's/\/var\/lib\/chrony/\/run\/chrony/' >> "$initdir/etc/passwd"
+    grep -s -E '^(_chrony|chrony):' "${dracutsysrootdir-}"/etc/group >> "$initdir/etc/group"
+
+    inst_hook cmdline 01 "$moddir/parse-ntp.sh"
+    inst_hook initqueue/online 01 "$moddir/chrony-ntp-source.sh"
+
+    inst_multiple -o \
+        "$systemdntpunits"/50-chronyd.list \
+        "$systemdsystemunitdir"/time-sync.target \
+        chronyd chronyc mkdir chown
+
+    inst_simple "$moddir/chrony.conf" /etc/chrony.conf
+
+    for i in \
+        chronyd.service \
+        chrony-wait.service; do
+        inst_simple "$moddir/$i" "$systemdsystemunitdir/$i"
+        $SYSTEMCTL -q --root "$initdir" add-wants initrd.target "$i"
+    done
+
+    if [[ $hostonly ]]; then
+        local _i _directives _keyfile _source_dirs=()
+
+        # Install the file pointed by the "keyfile" directive, used for NTP
+        # authentication. This directive is intended to be unique, chrony would
+        # end up using the last one processed.
+        readarray -t _directives < <(grep -r -h '^keyfile ' "${dracutsysrootdir-}"/etc/chrony*)
+        if ((${#_directives[@]})); then
+            printf "\n# Specify file containing keys for NTP authentication.\n%s\n" "${_directives[-1]}" >> "$initdir/etc/chrony.conf"
+            _keyfile="${_directives[-1]/#keyfile /}"
+        fi
+
+        # chrony allows to configure directories with .sources files using the
+        # "sourcedir" directive, used to specify NTP sources (server, pool, and
+        # peer directives).
+        readarray -t _directives < <(grep -r -h '^sourcedir /etc' "${dracutsysrootdir-}"/etc/chrony*)
+        if ((${#_directives[@]})); then
+            printf "\n# Use NTP sources configured on the host.\n" >> "$initdir/etc/chrony.conf"
+            for _i in "${_directives[@]}"; do
+                echo "$_i" >> "$initdir/etc/chrony.conf"
+                _source_dirs+=("$(echo "$_i" | sed -e 's/sourcedir //' -e 's/$/\/*.sources/')")
+            done
+        fi
+
+        # We do not want to include /etc/chrony.conf or ".conf" files specified
+        # with "include" or "confdir" directives from the host, because they
+        # can override "driftfile", "ntsdumpdir" or "logdir" directives,
+        # intended to point to /run in the initrd.
+
+        inst_multiple -H -o "$_keyfile" "${_source_dirs[@]}" \
+            /etc/sysconfig/chronyd \
+            "$systemdsystemconfdir"/time-sync.target \
+            "$systemdsystemconfdir/time-sync.target.wants/*.target"
+    fi
+}

modules.d/74chrony/parse-ntp.sh

@@ -0,0 +1,65 @@
+#!/bin/sh
+
+command -v getargs > /dev/null || . /lib/dracut-lib.sh
+
+# format: rd.ntp={server|pool|peer}:<hostname-or-ip>[:<option>[,<option>...]]
+parse_ntp_source() {
+    local v="${1}":
+    local i
+    local src addr opts
+
+    set --
+    while [ -n "$v" ]; do
+        if [ "${v#\[*:*:*\]:}" != "$v" ]; then
+            # handle IPv6 address
+            i="${v%%\]:*}"
+            i="${i##\[}"
+            set -- "$@" "$i"
+            v=${v#\["$i"\]:}
+        else
+            set -- "$@" "${v%%:*}"
+            v=${v#*:}
+        fi
+    done
+
+    if [ $# -lt 2 ]; then
+        warn "Failed to parse NTP time source"
+        return 1
+    fi
+
+    case "$1" in
+        server | pool | peer)
+            src=$1
+            ;;
+        *)
+            warn "Invalid time source '$1'. Valid options: server, pool, peer"
+            return 1
+            ;;
+    esac
+
+    [ -n "$2" ] && addr=$2
+    [ -n "$3" ] && opts="$(str_replace "$3" "," " ")"
+
+    echo "${src} ${addr}${opts:+ $opts}"
+    return 0
+}
+
+mkdir -p -m 0750 /run/chrony
+chown chrony: /run/chrony
+mkdir /run/chrony/dracut.sources.d
+
+for _i in $(getargs rd.ntp); do
+    _src=$(parse_ntp_source "$_i")
+    if [ -n "$_src" ]; then
+        echo "$_src" >> /run/chrony/dracut.sources.d/dracut.sources
+    fi
+done
+
+if [ "$(ls -A /run/chrony/dracut.sources.d)" ] && ! getargbool 0 rd.neednet; then
+    echo "rd.neednet=1" > /etc/cmdline.d/01-chrony.conf
+    if ! getarg "ip="; then
+        echo "ip=dhcp" >> /etc/cmdline.d/01-chrony.conf
+    fi
+fi
+
+unset _i _src