chrony: improve configuration
Extend configuration of NTP sources in UCI: - Add nts option to enable NTS - Add disabled option to allow inactive sources Add nts section to UCI with: - rtccheck option to disable certificate time checks on systems that don't have an RTC to avoid the chicken-and-egg problem (it is less secure, but still should be better than no NTS at all) - systemcerts option to disable system certificates - trustedcerts option to specify path to trusted certificates Save NTS keys and cookies by default to avoid unnecessary NTS-KE sessions when restarted or switching back to an already used NTS source. Also, save the drift to stabilize the clock after chronyd restart. Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
This commit is contained in:
parent
b9d6d6cdd0
commit
21c0f580f1
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=chrony
|
||||
PKG_VERSION:=4.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://download.tuxfamily.org/chrony/
|
||||
|
|
|
@ -10,5 +10,11 @@ logchange 0.5
|
|||
# Don't log client accesses
|
||||
noclientlog
|
||||
|
||||
# set the system clock else the kernel will always stay in UNSYNC state
|
||||
# Mark the system clock as synchronized
|
||||
rtcsync
|
||||
|
||||
# Record the clock's drift
|
||||
driftfile /var/run/chrony/drift
|
||||
|
||||
# Save NTS keys and cookies
|
||||
ntsdumpdir /var/run/chrony
|
||||
|
|
|
@ -5,6 +5,7 @@ config pool
|
|||
|
||||
config dhcp_ntp_server
|
||||
option iburst 'yes'
|
||||
option disabled 'no'
|
||||
|
||||
config allow
|
||||
option interface 'lan'
|
||||
|
@ -12,3 +13,7 @@ config allow
|
|||
config makestep
|
||||
option threshold '1.0'
|
||||
option limit '3'
|
||||
|
||||
config nts
|
||||
option rtccheck 'yes'
|
||||
option systemcerts 'yes'
|
||||
|
|
|
@ -6,21 +6,26 @@ USE_PROCD=1
|
|||
PROG=/usr/sbin/chronyd
|
||||
CONFIGFILE=/etc/chrony/chrony.conf
|
||||
INCLUDEFILE=/var/etc/chrony.d/10-uci.conf
|
||||
RTCDEVICE=/dev/rtc0
|
||||
|
||||
handle_source() {
|
||||
local cfg=$1 sourcetype=$2 hostname minpoll maxpoll iburst
|
||||
local cfg=$1 sourcetype=$2 disabled hostname minpoll maxpoll iburst nts
|
||||
|
||||
config_get_bool disabled "$cfg" disabled 0
|
||||
[ "$disabled" = "1" ] && return
|
||||
hostname=$NTP_SOURCE_HOSTNAME
|
||||
[ -z "$hostname" ] && config_get hostname "$cfg" hostname
|
||||
[ -z "$hostname" ] && return
|
||||
config_get minpoll "$cfg" minpoll
|
||||
config_get maxpoll "$cfg" maxpoll
|
||||
config_get_bool iburst "$cfg" iburst 0
|
||||
config_get_bool nts "$cfg" nts 0
|
||||
echo $(
|
||||
echo $sourcetype $hostname
|
||||
[ -n "$minpoll" ] && echo minpoll $minpoll
|
||||
[ -n "$maxpoll" ] && echo maxpoll $maxpoll
|
||||
[ "$iburst" = "1" ] && echo iburst
|
||||
[ "$nts" = "1" ] && echo nts
|
||||
)
|
||||
}
|
||||
|
||||
|
@ -53,6 +58,18 @@ handle_makestep() {
|
|||
echo makestep $threshold $limit
|
||||
}
|
||||
|
||||
handle_nts() {
|
||||
local cfg=$1 threshold limit
|
||||
|
||||
config_get_bool rtccheck "$cfg" rtccheck 0
|
||||
config_get_bool systemcerts "$cfg" systemcerts 1
|
||||
config_get trustedcerts "$cfg" trustedcerts
|
||||
# Disable certificate time checks if no RTC is present
|
||||
[ "$rtccheck" = "1" ] && ! [ -c $RTCDEVICE ] && echo nocerttimecheck 1
|
||||
[ "$systemcerts" = "0" ] && echo nosystemcert
|
||||
[ -n "$trustedcerts" ] && echo ntstrustedcerts "$trustedcerts"
|
||||
}
|
||||
|
||||
start_service() {
|
||||
. /lib/functions/network.sh
|
||||
|
||||
|
@ -71,5 +88,6 @@ start_service() {
|
|||
config_foreach handle_source peer peer
|
||||
config_foreach handle_allow allow
|
||||
config_foreach handle_makestep makestep
|
||||
config_foreach handle_nts nts
|
||||
) > $INCLUDEFILE
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue