dracut-ng · aafeijoo-suse · Apr 17, 2026 · May 14, 2026 · Apr 30, 2026 · May 12, 2026
@@ -88,6 +88,10 @@ caps:
     - changed-files:
           - any-glob-to-any-file: 'modules.d/[0-9][0-9]caps/*'
 
+chrony:
+    - changed-files:
+          - any-glob-to-any-file: 'modules.d/[0-9][0-9]chrony/*'
+
 cifs:
     - changed-files:
           - any-glob-to-any-file: 'modules.d/[0-9][0-9]cifs/*'

@@ -39,6 +39,7 @@ jobs:
                 test:
                     - "31"
                     - "60"
+                    - "61"
                 exclude:
                     - container: arch:latest
                       architecture: {runner: 'ubuntu-24.04-arm', tag: 'arm'}
@@ -47,6 +48,17 @@ jobs:
                     # https://github.com/dracut-ng/dracut-ng/issues/1988
                     - container: debian:sid
                       architecture: {runner: 'ubuntu-24.04-arm', tag: 'arm'}
+                    # In Debian/Ubuntu both chrony and systemd-timesyncd provide
+                    # the virtual package time-daemon, so systemd-timesyncd
+                    # would have to be removed, breaking test 41.
+                    - container: debian:latest
+                      test: "61"
+                    - container: debian:sid
+                      test: "61"
+                    - container: ubuntu:devel
+                      test: "61"
+                    - container: ubuntu:rolling
+                      test: "61"
         container:
             image: ghcr.io/dracut-ng/${{ matrix.container }}
             options: '--device=/dev/kvm --privileged'

@@ -189,6 +189,13 @@ jobs:
                 test:
                     - "31"
                     - "60"
+                    - "61"
+                exclude:
+                    # In Debian/Ubuntu both chrony and systemd-timesyncd provide
+                    # the virtual package time-daemon, so systemd-timesyncd
+                    # would have to be removed, breaking test 41.
+                    - container: ubuntu:devel
+                      test: "61"
         container:
             image: ghcr.io/dracut-ng/${{ matrix.container }}
             options: '--device=/dev/kvm'

@@ -6,6 +6,9 @@
 |===
 | Module | Description
 
+| chrony
+| Adds support for synchronizing the internal clock via Network Time Protocol (NTP)
+
 | cifs
 | https://docs.kernel.org/admin-guide/cifs/index.html[CIFS], https://repology.org/project/cifs-utils[cifs-utils]
 

@@ -729,6 +729,27 @@ interface name. Better name it "bootnet" or "bluesocket".
     list of physical (ethernet) interfaces. Bridge without parameters assumes
     bridge=br0:eth0
 
+NTP
+~~~
+Requires the dracut 'chrony' module.
+
+**rd.ntp=**__{server|pool|peer}__:__<hostname-or-ip>__[:__<option>__[,<option>...]]::
+    This parameter can be specified multiple times.
+    IPv6 addresses have to be put in brackets.
+    See man:chrony.conf[5,external] for more information about server, pool and
+    peer options.
++
+[listing]
+.Examples
+--
+    rd.ntp=pool:2.europe.pool.ntp.org:iburst
+    rd.ntp=server:185.177.150.95:iburst,prefer
+    rd.ntp=server:[2600:1f18:631e:db00:363d:d9d7:5c80:d560]:iburst,maxdelay,0.3
+--
+
+**rd.ntp.nodhcp**::
+    Disable using NTP sources from DHCP.
+
 NFS
 ~~~
 Requires the dracut 'nfs' module.

@@ -22,7 +22,7 @@ check() {
 depends() {
 
     # This module has external dependency on other module(s).
-    echo net-lib kernel-network-modules systemd-sysusers systemd initqueue
+    echo bash net-lib kernel-network-modules systemd-sysusers systemd initqueue
     # Return 0 to include the dependent module(s) in the initramfs.
     return 0
 

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 command -v source_hook > /dev/null || . /lib/dracut-lib.sh
 
@@ -16,6 +16,30 @@ for ifpath in /sys/class/net/*; do
                 | sed -e "s/NEXT_SERVER=/new_next_server='/" \
                     -e "s/ROOT_PATH=/new_root_path='/" \
                     -e "s/$/'/" > "$dhcpopts_file" || true
+
+            # systemd-networkd mixes IPv4 and IPv6 addresses under
+            # the same NTP= property, but dhclient has two properties
+            # for that: new_ntp_servers and new_dhcp6_ntp_servers
+            ntp_ipv4=
+            ntp_ipv6=
+            ntp_servers=$(sed -n "s/^NTP=\(.*\)/\1/p" "$leases_file")
+            for i in $ntp_servers; do
+                case "$i" in
+                    *.*.*.*)
+                        ntp_ipv4="$ntp_ipv4${ntp_ipv4:+ }$i"
+                        ;;
+                    *)
+                        # hostnames are only allowed in DHCPv6
+                        ntp_ipv6="$ntp_ipv6${ntp_ipv6:+ }$i"
+                        ;;
+                esac
+            done
+            if [ -n "$ntp_ipv4" ]; then
+                printf "new_ntp_servers=%s\n" "$(printf '%q' "$ntp_ipv4")" >> "$dhcpopts_file"
+            fi
+            if [ -n "$ntp_ipv6" ]; then
+                printf "new_dhcp6_ntp_servers=%s\n" "$(printf '%q' "$ntp_ipv6")" >> "$dhcpopts_file"
+            fi
         fi
 
         source_hook initqueue/online "$ifname"

@@ -53,6 +53,8 @@ dhcpopts_create() {
     kf_parse root-path new_root_path < "$1"
     kf_parse next-server new_next_server < "$1"
     kf_parse dhcp-bootfile filename < "$1"
+    kf_parse dhcp4.ntp_servers new_ntp_servers < "$1"
+    kf_parse dhcp6.ntp_servers new_dhcp6_ntp_servers < "$1"
 }
 
 for _i in /sys/class/net/*; do

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+command -v getargbool > /dev/null || . /lib/dracut-lib.sh
+
+if getargbool 0 rd.ntp.nodhcp; then
+    info "rd.ntp.nodhcp=1: not adding NTP sources from DHCP."
+    return 0
+fi
+
+_ifname=$1
+[ -n "$_ifname" ] || return 0
+
+_dhcpopts_file="/tmp/dhclient.$_ifname.dhcpopts"
+[ -s "$_dhcpopts_file" ] || return 0
+
+(
+    # shellcheck disable=SC1090
+    . "$_dhcpopts_file"
+    [ -n "$new_ntp_servers" ] || [ -n "$new_dhcp6_ntp_servers" ] || return 0
+
+    info "Adding NTP sources from DHCP ($_ifname)."
+
+    [ -d /run/chrony-dhcp ] || mkdir -p /run/chrony-dhcp
+    for _srv in $new_ntp_servers $new_dhcp6_ntp_servers; do
+        echo "server $_srv iburst" >> "/run/chrony-dhcp/$_ifname.sources"
+    done
+
+    chronyc reload sources > /dev/null 2>&1 \
+        || warn "chronyc failed to reload NTP sources"
+)
+
+unset _ifname _dhcpopts_file
@@ -0,0 +1,44 @@
+[Unit]
+Description=Wait for chrony to synchronize system clock (initrd)
+AssertPathExists=/etc/initrd-release
+DefaultDependencies=no
+After=chronyd.service
+Requires=chronyd.service
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
+# Wait for at most 3 minutes
+TimeoutStartSec=180
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
@@ -0,0 +1,24 @@
+# This file is part of dracut chrony module.
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /run/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Save NTS keys and cookies.
+ntsdumpdir /run/chrony
+
+# Specify directory for log files.
+logdir /run/chrony/log
+
+# First, use NTP sources parsed by dracut from the kernel command line.
+sourcedir /run/chrony/dracut.sources.d
+
+# Second, use NTP sources from DHCP.
+sourcedir /run/chrony-dhcp
@@ -0,0 +1,46 @@
+[Unit]
+Description=NTP client/server (initrd)
+AssertPathExists=/etc/initrd-release
+DefaultDependencies=no
+After=dracut-cmdline.service network.target nss-lookup.target
+Before=time-sync.target
+Conflicts=ntpd.service systemd-timesyncd.service
+Wants=network.target time-sync.target
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=notify
+PIDFile=/run/chrony/chronyd.pid
+Environment="OPTIONS="
+EnvironmentFile=-/etc/sysconfig/chronyd
+# The default location for chrony.conf can be set at build with the
+# --sysconfdir configuration option, so force /etc/chrony.conf with -f
+ExecStart=/usr/sbin/chronyd -f /etc/chrony.conf -n $OPTIONS
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
@@ -0,0 +1,75 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+check() {
+    require_binaries \
+        chronyd \
+        || return 1
+
+    return 255
+}
+
+depends() {
+    echo systemd network
+    return 0
+}
+
+install() {
+    # openSUSE/Fedora: chrony
+    # Ubuntu: _chrony
+    grep -s -E '^(_chrony|chrony):' "${dracutsysrootdir-}"/etc/passwd \
+        | sed 's/\/var\/lib\/chrony/\/run\/chrony/' >> "$initdir/etc/passwd"
+    grep -s -E '^(_chrony|chrony):' "${dracutsysrootdir-}"/etc/group >> "$initdir/etc/group"
+
+    inst_hook cmdline 01 "$moddir/parse-ntp.sh"
+    inst_hook initqueue/online 01 "$moddir/chrony-ntp-source.sh"
+
+    inst_multiple -o \
+        "$systemdntpunits"/50-chronyd.list \
+        "$systemdsystemunitdir"/time-sync.target \
+        chronyd chronyc mkdir chown
+
+    inst_simple "$moddir/chrony.conf" /etc/chrony.conf
+
+    for i in \
+        chronyd.service \
+        chrony-wait.service; do
+        inst_simple "$moddir/$i" "$systemdsystemunitdir/$i"
+        $SYSTEMCTL -q --root "$initdir" add-wants initrd.target "$i"
+    done
+
+    if [[ $hostonly ]]; then
+        local _i _directives _keyfile _source_dirs=()
+
+        # Install the file pointed by the "keyfile" directive, used for NTP
+        # authentication. This directive is intended to be unique, chrony would
+        # end up using the last one processed.
+        readarray -t _directives < <(grep -r -h '^keyfile ' "${dracutsysrootdir-}"/etc/chrony*)
+        if ((${#_directives[@]})); then
+            printf "\n# Specify file containing keys for NTP authentication.\n%s\n" "${_directives[-1]}" >> "$initdir/etc/chrony.conf"
+            _keyfile="${_directives[-1]/#keyfile /}"
+        fi
+
+        # chrony allows to configure directories with .sources files using the
+        # "sourcedir" directive, used to specify NTP sources (server, pool, and
+        # peer directives).
+        readarray -t _directives < <(grep -r -h '^sourcedir /etc' "${dracutsysrootdir-}"/etc/chrony*)
+        if ((${#_directives[@]})); then
+            printf "\n# Use NTP sources configured on the host.\n" >> "$initdir/etc/chrony.conf"
+            for _i in "${_directives[@]}"; do
+                echo "$_i" >> "$initdir/etc/chrony.conf"
+                _source_dirs+=("$(echo "$_i" | sed -e 's/sourcedir //' -e 's/$/\/*.sources/')")
+            done
+        fi
+
+        # We do not want to include /etc/chrony.conf or ".conf" files specified
+        # with "include" or "confdir" directives from the host, because they
+        # can override "driftfile", "ntsdumpdir" or "logdir" directives,
+        # intended to point to /run in the initrd.
+
+        inst_multiple -H -o "$_keyfile" "${_source_dirs[@]}" \
+            /etc/sysconfig/chronyd \
+            "$systemdsystemconfdir"/time-sync.target \
+            "$systemdsystemconfdir/time-sync.target.wants/*.target"
+    fi
+}