feat(chrony): introducing the chrony module #2397
|
Would it be reasonable to add a test case for this new dracut module?
Does this happen already on the CI? Can we trigger it with some test? |
Upstream has 143 modules and 24 tests. There is already a module providing NTP without a test (well,
I don't think so. The real use case for this module is an OS installer image, downloaded remotely from the initrd. We need a way to specify NTP in the initrd before fetching the image over HTTPS, otherwise, in isolated systems with an out of sync clock the fetch may fail and the OS could not be installed.
I guess an HTTPS server with an expired certificate could be simulated. But... I'm not sure if it makes sense to test this in the CI. |
None of these dracut modules maintain a dedicated .service file - they all just copy the .service file that is maintained by another project. This PR, however, is introducing a new .service file (and .conf file) that this project would have to maintain. Could we pick up the .service file and .conf file from the host instead?
This PR suggests that dracut would now maintain a distribution-independent service file without a test. |
And that does not mean that they work with dracut, usually because dracut is not installing all required dependencies, binaries, kernel modules, configuration... Also, there are some dracut modules that install modified versions of systemd services via
No, we can't, for the reasons explained in the notes of the PR description, plus although the systemd services were the same on the host in all distros, they are not implemented to work in the initrd (the Install section cannot be overridden and it has a
I don't see why that is a big deal here, most of the merged code is not being tested. But anyway, I'll add one test if that is the only objection to this PR. |
|
I would prefer some tests for this module, please. |
|
I would like to see code tested as well: either get those services upstream and test it there; or add a test case in dracut. |
db511bd to b368532
|
Draft until the CI has #2418 |
b368532 to 0e526e4
75bc0be to 3bf6088
I think this is not the case as TEST-41 includes |
jsc#PED-16110 (cherry picked from dracut-ng#2397)
This new module relies on chrony to add support for NTP in the initrd. By default, it also uses NTP sources from DHCP.

It provides two new kernel command line options:

- `rd.ntp`: it can be used multiple times to specify server, pool and peer time sources.
- `rd.ntp.nodhcp`: it disables the use of NTP sources from DHCP.

In some environments, it's necessary to fetch live images from HTTPS URLs. The problem is that the hardware clock may be off, so the validation of the SSL certificates may fail if the time is out of sync. Also, some systems may not have access to DHCP for security reasons, that's why we need a way to configure them on the kernel command line.

jsc#PED-16110 (cherry picked from dracut-ng#2397)
jsc#PED-16110 (cherry picked from dracut-ng/dracut#2397)
This new module relies on chrony to add support for NTP in the initrd. By default, it also uses NTP sources from DHCP.

It provides two new kernel command line options:

- `rd.ntp`: it can be used multiple times to specify server, pool and peer time sources.
- `rd.ntp.nodhcp`: it disables the use of NTP sources from DHCP.

In some environments, it's necessary to fetch live images from HTTPS URLs. The problem is that the hardware clock may be off, so the validation of the SSL certificates may fail if the time is out of sync. Also, some systems may not have access to DHCP for security reasons, that's why we need a way to configure them on the kernel command line.

jsc#PED-16110 (cherry picked from dracut-ng/dracut#2397)
3105c6a to 3602109
3602109 to dbe2579
dbe2579 to 8c775d4
> [!NOTE]
> It is still a work in progress.

This PR introduces support for reading setting the NTP configuration through kernel command-line option.

1. Adds the new [chrony dracut module](dracut-ng/dracut#2397).
2. Reads the time sources from dracut (located in `/run/chrony/dracut.sources.d/dracut.sources`). They will be included as part of the "extended configuration" (just like we do with the `inst.register_url` argument).

## Testing

- [x] Added a new unit test
- [x] Tested manually
The first argument will define the server type: HTTP or HTTPS. The second argument will get the name of the certificate required for HTTPS.
8c775d4 to c14efe1
This new module relies on chrony to add support for NTP in the initrd. By default, it also uses NTP sources from DHCP.
It provides two new kernel command line options:
- `rd.ntp`: it can be used multiple times to specify server, pool and peer time sources.
- `rd.ntp.nodhcp`: it disables the use of NTP sources from DHCP.

In some environments, it's necessary to fetch live images from HTTPS URLs. The problem is that the hardware clock may be off, so the validation of the SSL certificates may fail if the time is out of sync. Also, some systems may not have access to DHCP for security reasons, that's why we need a way to configure them on the kernel command line.
Notes:
Checklist
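
Values given with `rd.ntp` come from the kernel command line and end up in chrony's source configuration, so they are worth validating before they are written out. The sketch below is an added example, not code from this PR: the `type:address` value form, the function names and the sample command line are assumptions, since the page does not show the option syntax.

```shell
#!/bin/sh
# Added example (not the module's code). Assumes rd.ntp=<type>:<address>.
# Quoted values containing spaces are not handled; they fail validation.

# Print one chrony source line ("<type> <address>") per valid rd.ntp argument.
# The body runs in a subshell so that "set -f" (no globbing) stays local.
ntp_sources_from_cmdline() (
    set -f
    for arg in $1; do
        case "$arg" in
            rd.ntp=*) val=${arg#rd.ntp=} ;;
            *) continue ;;
        esac
        type=${val%%:*}   # text before the first ':'
        addr=${val#*:}    # text after the first ':' (keeps IPv6 colons)
        # Accept only the three source types named in the PR description.
        case "$type" in
            server|pool|peer) ;;
            *) echo "skip (type): $arg" >&2; continue ;;
        esac
        # Address must be non-empty and use only hostname/IPv4/IPv6 characters,
        # so nothing else can reach the generated sources file.
        case "$addr" in
            ''|*[!A-Za-z0-9.:-]*) echo "skip (address): $arg" >&2; continue ;;
        esac
        printf '%s %s\n' "$type" "$addr"
    done
)

# Exit status 0 if DHCP-provided NTP sources may be used, 1 if rd.ntp.nodhcp
# is present. "exit" only leaves the function's subshell.
ntp_dhcp_allowed() (
    set -f
    for arg in $1; do
        case "$arg" in
            rd.ntp.nodhcp|rd.ntp.nodhcp=*) exit 1 ;;
        esac
    done
    exit 0
)

# Constructed sample command line (addresses are documentation placeholders).
SAMPLE='root=live:https://images.example.invalid/os.iso rd.ntp=server:192.0.2.10 rd.ntp=pool:ntp.example.invalid rd.ntp=peer:bad;name rd.ntp.nodhcp'

ntp_sources_from_cmdline "$SAMPLE"
ntp_dhcp_allowed "$SAMPLE" || echo "DHCP-provided NTP sources disabled"
```

The third `rd.ntp` argument in the sample is rejected because of the `;` in its address, and only the two valid sources are printed.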