* [Buildroot] [PATCH v1] package/ntpsec: new package
@ 2021-10-25 21:25 Peter Seiderer
  2021-10-28 21:01 ` Peter Seiderer
  2021-12-12 20:07 ` [Buildroot] [PATCH 1/1] " guillaume.bressaix
  0 siblings, 2 replies; 11+ messages in thread
From: Peter Seiderer @ 2021-10-25 21:25 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E . MORIN

- set 'CC=gcc' to avoid cross-compile failure (see [1]):

  /bin/sh: line 1: .../build/ntpsec-1_2_0/build/host/ntpd/keyword-gen: cannot execute binary file: Exec format error

  Waf: Leaving directory `.../build/ntpsec-1_2_0/build/host'
  Build failed
   -> task in 'ntp_keyword.h' failed with exit status 126 (run with -v to display more information)

- set '-std=gnu99' to avoid compile failure with old compilers

- explicitly set PYTHON_CONFIG

- add patch 001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch to
  fix ntptime jfmt5/ofmt5 jfmt6/ofmt6 related compile failure

- add SYSV init file (S49ntp)

- add example ntpd.conf (with legacy option enabled and provide skeleton
  for NTS configuration)

- add config option for NTS support

- depend on python3 (omit python2 to reduce test effort)

- add ntp user/group and run ntpd as restricted user

- add libcap dependency (compile time optional but needed for droproot
  support)

[1] https://gitlab.com/NTPsec/ntpsec/-/issues/694

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
 DEVELOPERS                                    |  1 +
 package/Config.in                             |  1 +
 ...5-ofmt5-jfmt6-ofmt6-related-compile-.patch | 61 ++++++++++++++++
 package/ntpsec/Config.in                      | 31 ++++++++
 package/ntpsec/S49ntp                         | 58 +++++++++++++++
 package/ntpsec/ntpd.etc.conf                  | 33 +++++++++
 package/ntpsec/ntpsec.hash                    |  4 ++
 package/ntpsec/ntpsec.mk                      | 71 +++++++++++++++++++
 8 files changed, 260 insertions(+)
 create mode 100644 package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
 create mode 100644 package/ntpsec/Config.in
 create mode 100644 package/ntpsec/S49ntp
 create mode 100644 package/ntpsec/ntpd.etc.conf
 create mode 100644 package/ntpsec/ntpsec.hash
 create mode 100644 package/ntpsec/ntpsec.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 771519fd9b..593526e61f 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -2167,6 +2167,7 @@ F:	package/iwd/
 F:	package/libevdev/
 F:	package/libuev/
 F:	package/log4cplus/
+F:	package/ntpsec/
 F:	package/postgresql/
 F:	package/python-colorzero/
 F:	package/python-flask-wtf/
diff --git a/package/Config.in b/package/Config.in
index d40eb9dabc..842e555342 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2256,6 +2256,7 @@ endif
 	source "package/nmap/Config.in"
 	source "package/noip/Config.in"
 	source "package/ntp/Config.in"
+	source "package/ntpsec/Config.in"
 	source "package/nuttcp/Config.in"
 	source "package/odhcp6c/Config.in"
 	source "package/odhcploc/Config.in"
diff --git a/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
new file mode 100644
index 0000000000..c2838fe8e0
--- /dev/null
+++ b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
@@ -0,0 +1,61 @@
+From 4015a1183d2f79dad6dd675ca5e0d329825f3fa3 Mon Sep 17 00:00:00 2001
+From: Peter Seiderer <ps.report@gmx.net>
+Date: Mon, 4 Oct 2021 22:25:58 +0200
+Subject: [PATCH] ntptime: fix jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use same define guard for definiton as for usage ('HAVE_STRUCT_NTPTIMEVAL_TAI'
+instead of 'NTP_API && NTP_API > 3').
+
+Fixes:
+
+  ../../ntptime/ntptime.c: In function ‘main’:
+  ../../ntptime/ntptime.c:349:17: error: ‘jfmt5’ undeclared (first use in this function); did you mean ‘jfmt6’?
+    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
+        |                 ^~~~~
+        |                 jfmt6
+  ../../ntptime/ntptime.c:349:17: note: each undeclared identifier is reported only once for each function it appears in
+  ../../ntptime/ntptime.c:349:25: error: ‘ofmt5’ undeclared (first use in this function); did you mean ‘ofmt6’?
+    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
+        |                         ^~~~~
+        |                         ofmt6
+  ../../ntptime/ntptime.c:321:15: warning: unused variable ‘jfmt6’ [-Wunused-variable]
+    321 |   const char *jfmt6 = "";
+        |               ^~~~~
+  ../../ntptime/ntptime.c:311:15: warning: unused variable ‘ofmt6’ [-Wunused-variable]
+    311 |   const char *ofmt6 = "\n";
+        |               ^~~~~
+
+[Upstream: https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1245]
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ ntptime/ntptime.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ntptime/ntptime.c b/ntptime/ntptime.c
+index ff861cb..5d58593 100644
+--- a/ntptime/ntptime.c
++++ b/ntptime/ntptime.c
+@@ -305,7 +305,7 @@ main(
+ 		const char *ofmt2 = "  time %s, (.%0*d),\n";
+ 		const char *ofmt3 = "  maximum error %lu us, estimated error %lu us";
+ 		const char *ofmt4 = "  ntptime=%x.%x unixtime=%x.%0*d %s";
+-#if defined NTP_API && NTP_API > 3
++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
+ 		const char *ofmt5 = ", TAI offset %ld\n";
+ #else
+ 		const char *ofmt6 = "\n";
+@@ -315,7 +315,7 @@ main(
+ 		const char *jfmt2 = "\"time\":\"%s\",\"fractional-time\":\".%0*d\",";
+ 		const char *jfmt3 = "\"maximum-error\":%lu,\"estimated-error\":%lu,";
+ 		const char *jfmt4 = "\"raw-ntp-time\":\"%x.%x\",\"raw-unix-time\":\"%x.%0*d %s\",";
+-#if defined NTP_API && NTP_API > 3
++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
+ 		const char *jfmt5 = "\"TAI-offset\":%d,";
+ #else
+ 		const char *jfmt6 = "";
+-- 
+2.33.0
+
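Review bot: in the second ntptime.c hunk, jfmt5 is "\"TAI-offset\":%d," while the call site quoted in the Fixes section is printf(json ? jfmt5 : ofmt5, (long)ntv.tai) and ofmt5 uses %ld, so the JSON path passes a long to a %d conversion. The patch already touches the guard line directly above it, so consider changing jfmt5 to %ld in the same upstream merge request; otherwise the mismatch stays live on every target where HAVE_STRUCT_NTPTIMEVAL_TAI is defined. The commit text also has a typo, "definiton".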
diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
new file mode 100644
index 0000000000..7275533d26
--- /dev/null
+++ b/package/ntpsec/Config.in
@@ -0,0 +1,31 @@
+config BR2_PACKAGE_NTPSEC
+	bool "ntpsec"
+	depends on BR2_PACKAGE_PYTHON3
+	select BR2_PACKAGE_LIBCAP
+	select BR2_PACKAGE_OPENSSL
+	help
+	  NTPsec project - a secure, hardened, and improved
+	  implementation of Network Time Protocol derived
+	  from NTP Classic, Dave Mills’s original.
+
+	  Provides things like ntpd, ntpdate, ntpq, etc...
+
+	  https://www.ntpsec.org/
+
+if BR2_PACKAGE_NTPSEC
+
+config BR2_PACKAGE_NTPSEC_CLASSIC_MODE
+	bool "classic-mode"
+	help
+	  Enable strict configuration and log-format compatibility
+	  with NTP Classic.
+
+config BR2_PACKAGE_NTPSEC_NTS
+	bool "NTS support"
+	help
+	  Enable Network Time Security (NTS) support.
+
+endif
+
+comment "ntpsec depens on Pyhton3"
+	depends on !BR2_PACKAGE_PYTHON3
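Review bot: the comment string at the end of the file, "ntpsec depens on Pyhton3", has two typos; something like "ntpsec needs python3" would do. The help text of BR2_PACKAGE_NTPSEC_NTS should also mention BR2_PACKAGE_CA_CERTIFICATES, since the notes in ntpd.etc.conf say the certificate files come from that package and NTS certificate validation has nothing to check against without them.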
diff --git a/package/ntpsec/S49ntp b/package/ntpsec/S49ntp
new file mode 100644
index 0000000000..f3db51418e
--- /dev/null
+++ b/package/ntpsec/S49ntp
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# Starts Network Time Protocol daemon
+#
+
+DAEMON="ntpd"
+PIDFILE="/var/run/$DAEMON.pid"
+
+NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"
+
+# shellcheck source=/dev/null
+[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
+
+mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp
+
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	# shellcheck disable=SC2086 # we need the word splitting
+	start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
+		-- $NTPD_ARGS -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	start-stop-daemon -K -q -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		rm -f "$PIDFILE"
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+case "$1" in
+	start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
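Review bot: the line mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp sits at top level, so it runs on every invocation, including stop and the usage/error path; move it into start() ahead of start-stop-daemon. Also, /etc/default/ntpd can replace NTPD_ARGS wholesale, which drops -u ntp:ntp along with everything else. Keeping the privilege-drop arguments outside the overridable variable (for example passing -u ntp:ntp directly on the start-stop-daemon line) would keep ntpd running as the restricted user the commit message describes.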
diff --git a/package/ntpsec/ntpd.etc.conf b/package/ntpsec/ntpd.etc.conf
new file mode 100644
index 0000000000..e0f45c1438
--- /dev/null
+++ b/package/ntpsec/ntpd.etc.conf
@@ -0,0 +1,33 @@
+#
+# legacy NTP configuration
+#
+pool 0.pool.ntp.org iburst
+pool 1.pool.ntp.org iburst
+pool 2.pool.ntp.org iburst
+pool 3.pool.ntp.org iburst
+
+#
+# NTS configuration
+#
+# Notes:
+#  - uncomment the following lines to enable NTS support (but
+#    make sure the initial clock is up-to-date (otherwise the
+#    NTS certificate validation will fail with 'NTSc: certificate invalid:
+#    9=>certificate is not yet valid' as on boards without RTC support)
+#    and/or keep at least one line from the legacy NTP lines
+#  - enable BR2_PACKAGE_CA_CERTIFICATES to gain access to the certificate
+#    files
+#
+# server time.cloudflare.com nts  # Global, anycast
+# server nts.ntp.se:4443 nts      # Sweden
+# server ntpmon.dcs1.biz nts      # Singapore
+# server ntp1.glypnod.com nts     # San Francisco
+# server ntp2.glypnod.com nts     # London
+#
+# ca /usr/share/ca-certificates/mozilla
+
+# Allow only time queries, at a limited rate, sending KoD when in excess.
+# Allow all local queries (IPv4, IPv6)
+restrict default nomodify nopeer noquery limited kod
+restrict 127.0.0.1
+restrict [::1]
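Review bot: nopeer in "restrict default nomodify nopeer noquery limited kod" is not honoured by this ntpd; the startup log posted in the follow-up message prints "CONFIG: restrict nopeer ignored" while parsing /etc/ntp.conf. Drop the keyword so the file lists only restrictions that take effect. In the NTS notes, the parentheses in the first bullet are unbalanced and "and/or keep at least one line from the legacy NTP lines" is ambiguous; a plain sentence saying that on boards without RTC a legacy pool line should stay enabled, so the clock can be set before certificate validation, would be clearer.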
diff --git a/package/ntpsec/ntpsec.hash b/package/ntpsec/ntpsec.hash
new file mode 100644
index 0000000000..9c30605cbd
--- /dev/null
+++ b/package/ntpsec/ntpsec.hash
@@ -0,0 +1,4 @@
+# Locally calculated
+sha256  80e5b4c07dc1f8f7dc90851662c72a80a4111477c48040ae9e1f2e56f893251d  ntpsec-NTPsec_1_2_0.tar.bz2
+sha256  b4db4de3317c3b0554ed91eb692968800bdfd6ad2c16ffbeee8ce4895ed91da4  LICENSE.adoc
+sha256  d3b21470adadd9abd9c6d675378f8c371ac5a4ea6dbec91859e02fadca3c0856  docs/copyright.adoc
diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
new file mode 100644
index 0000000000..c62077dce6
--- /dev/null
+++ b/package/ntpsec/ntpsec.mk
@@ -0,0 +1,71 @@
+################################################################################
+#
+# ntpsec
+#
+################################################################################
+
+NTPSEC_VERSION_MAJOR = 1
+NTPSEC_VERSION_MINOR = 2
+NTPSEC_VERSION_POINT = 0
+NTPSEC_VERSION = $(NTPSEC_VERSION_MAJOR)_$(NTPSEC_VERSION_MINOR)_$(NTPSEC_VERSION_POINT)
+NTPSEC_SOURCE = ntpsec-NTPsec_$(NTPSEC_VERSION).tar.bz2
+NTPSEC_SITE = https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_$(NTPSEC_VERSION)
+NTPSEC_LICENSE = BSD-2-Clause NTP BSD-3-Clause MIT
+NTPSEC_LICENSE_FILES = LICENSE.adoc docs/copyright.adoc
+
+NTPSEC_CPE_ID_VENDOR = ntpsec
+NTPSEC_CPE_ID_VERSION = $(NTPSEC_VERSION_MAJOR).$(NTPSEC_VERSION_MINOR)
+NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
+
+NTPSEC_DEPENDENCIES = \
+	host-pkgconf \
+	$(if $(BR2_PACKAGE_PYTHON),python,python3) \
+	libcap \
+	openssl
+
+NTPSEC_CONF_OPTS = \
+	CC=gcc \
+	PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/$(if $(BR2_PACKAGE_PYTHON),python,python3)-config" \
+	--cross-compiler="$(TARGET_CC)" \
+	--cross-cflags="$(TARGET_CFLAGS) -std=gnu99" \
+	--cross-ldflags="$(TARGET_LDFLAGS)" \
+	--notests \
+	--enable-early-droproot \
+	--disable-mdns-registration \
+	--enable-pylib=ffi \
+	--nopyc \
+	--nopyo \
+	--nopycache \
+	--disable-doc \
+	--disable-manpage
+
+ifeq ($(BR2_PACKAGE_NTPSEC_CLASSIC_MODE),y)
+NTPSEC_CONF_OPTS += --enable-classic-mode
+endif
+
+ifeq ($(BR2_PACKAGE_NTPSEC_NTS),y)
+#NTPSEC_CONF_OPTS += --enable-nts
+else
+NTPSEC_CONF_OPTS += --disable-nts
+endif
+
+# add a link to libntpc.so where python searches for it
+define NTPSEC_LIBNTPC_LINK
+	ln -sf /usr/lib/ntp/libntpc.so $(TARGET_DIR)/usr/lib/libntpc.so
+endef
+NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_LIBNTPC_LINK
+
+define NTPSEC_INSTALL_NTPSEC_CONF
+	$(INSTALL) -m 644 package/ntpsec/ntpd.etc.conf $(TARGET_DIR)/etc/ntp.conf
+endef
+NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_INSTALL_NTPSEC_CONF
+
+define NTPSEC_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 755 package/ntpsec/S49ntp $(TARGET_DIR)/etc/init.d/S49ntp
+endef
+
+define NTPSEC_USERS
+	ntp -1 ntp -1 * - - - ntpd user
+endef
+
+$(eval $(waf-package))
-- 
2.33.1
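Review bot: NTPSEC_DEPENDENCIES and PYTHON_CONFIG both use $(if $(BR2_PACKAGE_PYTHON),python,python3), but Config.in has "depends on BR2_PACKAGE_PYTHON3" and the commit message says python2 is omitted, so the python branch is not meant to be reachable; use python3 directly in both places. In the NTS block, the ifeq branch holds only the commented-out "#NTPSEC_CONF_OPTS += --enable-nts"; either drop the comment and test for the disabled case only, or add a comment saying why the flag is left out. CC=gcc hardcodes the build-host compiler name; $(HOSTCC) would follow the host toolchain Buildroot was configured with.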

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH v1] package/ntpsec: new package
  2021-10-25 21:25 [Buildroot] [PATCH v1] package/ntpsec: new package Peter Seiderer
@ 2021-10-28 21:01 ` Peter Seiderer
  2021-10-30 22:56   ` [Buildroot] [uclibc-ng-devel] " Waldemar Brodkorb
  2021-12-12 20:07 ` [Buildroot] [PATCH 1/1] " guillaume.bressaix
  1 sibling, 1 reply; 11+ messages in thread
From: Peter Seiderer @ 2021-10-28 21:01 UTC (permalink / raw)
  To: buildroot; +Cc: devel, Yann E . MORIN

Hello Waldemar, *,

On Mon, 25 Oct 2021 23:25:41 +0200, Peter Seiderer <ps.report@gmx.net> wrote:

> - set 'CC=gcc' to avoid cross-compile failure (see [1]):
> 
>   /bin/sh: line 1: .../build/ntpsec-1_2_0/build/host/ntpd/keyword-gen: cannot execute binary file: Exec format error
> 
>   Waf: Leaving directory `.../build/ntpsec-1_2_0/build/host'
>   Build failed
>    -> task in 'ntp_keyword.h' failed with exit status 126 (run with -v to display more information)  
> 
> - set '-std=gnu99' to avoid compile failure with old compilers
> 
> - explicitly set PYTHON_CONFIG
> 
> - add patch 001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch to
>   fix ntptime jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
> 
> - add SYSV init file (S49ntp)
> 
> - add example ntpd.conf (with legacy option enabled and provide skeleton
>   for NTS configuration)
> 
> - add config option for NTS support
> 
> - depend on python3 (omit python2 to reduce test effort)
> 
> - add ntp user/group and run ntpd as restricted user
> 
> - add libcap dependency (compile time optional but needed for droproot
>   support)
> 
> [1] https://gitlab.com/NTPsec/ntpsec/-/issues/694
> 
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> ---
>  DEVELOPERS                                    |  1 +
>  package/Config.in                             |  1 +
>  ...5-ofmt5-jfmt6-ofmt6-related-compile-.patch | 61 ++++++++++++++++
>  package/ntpsec/Config.in                      | 31 ++++++++
>  package/ntpsec/S49ntp                         | 58 +++++++++++++++
>  package/ntpsec/ntpd.etc.conf                  | 33 +++++++++
>  package/ntpsec/ntpsec.hash                    |  4 ++
>  package/ntpsec/ntpsec.mk                      | 71 +++++++++++++++++++
>  8 files changed, 260 insertions(+)
>  create mode 100644 package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
>  create mode 100644 package/ntpsec/Config.in
>  create mode 100644 package/ntpsec/S49ntp
>  create mode 100644 package/ntpsec/ntpd.etc.conf
>  create mode 100644 package/ntpsec/ntpsec.hash
>  create mode 100644 package/ntpsec/ntpsec.mk
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 771519fd9b..593526e61f 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -2167,6 +2167,7 @@ F:	package/iwd/
>  F:	package/libevdev/
>  F:	package/libuev/
>  F:	package/log4cplus/
> +F:	package/ntpsec/
>  F:	package/postgresql/
>  F:	package/python-colorzero/
>  F:	package/python-flask-wtf/
> diff --git a/package/Config.in b/package/Config.in
> index d40eb9dabc..842e555342 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2256,6 +2256,7 @@ endif
>  	source "package/nmap/Config.in"
>  	source "package/noip/Config.in"
>  	source "package/ntp/Config.in"
> +	source "package/ntpsec/Config.in"
>  	source "package/nuttcp/Config.in"
>  	source "package/odhcp6c/Config.in"
>  	source "package/odhcploc/Config.in"
> diff --git a/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> new file mode 100644
> index 0000000000..c2838fe8e0
> --- /dev/null
> +++ b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> @@ -0,0 +1,61 @@
> +From 4015a1183d2f79dad6dd675ca5e0d329825f3fa3 Mon Sep 17 00:00:00 2001
> +From: Peter Seiderer <ps.report@gmx.net>
> +Date: Mon, 4 Oct 2021 22:25:58 +0200
> +Subject: [PATCH] ntptime: fix jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Use same define guard for definiton as for usage ('HAVE_STRUCT_NTPTIMEVAL_TAI'
> +instead of 'NTP_API && NTP_API > 3').
> +
> +Fixes:
> +
> +  ../../ntptime/ntptime.c: In function ‘main’:
> +  ../../ntptime/ntptime.c:349:17: error: ‘jfmt5’ undeclared (first use in this function); did you mean ‘jfmt6’?
> +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> +        |                 ^~~~~
> +        |                 jfmt6
> +  ../../ntptime/ntptime.c:349:17: note: each undeclared identifier is reported only once for each function it appears in
> +  ../../ntptime/ntptime.c:349:25: error: ‘ofmt5’ undeclared (first use in this function); did you mean ‘ofmt6’?
> +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> +        |                         ^~~~~
> +        |                         ofmt6
> +  ../../ntptime/ntptime.c:321:15: warning: unused variable ‘jfmt6’ [-Wunused-variable]
> +    321 |   const char *jfmt6 = "";
> +        |               ^~~~~
> +  ../../ntptime/ntptime.c:311:15: warning: unused variable ‘ofmt6’ [-Wunused-variable]
> +    311 |   const char *ofmt6 = "\n";
> +        |               ^~~~~
> +
> +[Upstream: https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1245]
> +Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> +---
> + ntptime/ntptime.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/ntptime/ntptime.c b/ntptime/ntptime.c
> +index ff861cb..5d58593 100644
> +--- a/ntptime/ntptime.c
> ++++ b/ntptime/ntptime.c
> +@@ -305,7 +305,7 @@ main(
> + 		const char *ofmt2 = "  time %s, (.%0*d),\n";
> + 		const char *ofmt3 = "  maximum error %lu us, estimated error %lu us";
> + 		const char *ofmt4 = "  ntptime=%x.%x unixtime=%x.%0*d %s";
> +-#if defined NTP_API && NTP_API > 3
> ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> + 		const char *ofmt5 = ", TAI offset %ld\n";
> + #else
> + 		const char *ofmt6 = "\n";
> +@@ -315,7 +315,7 @@ main(
> + 		const char *jfmt2 = "\"time\":\"%s\",\"fractional-time\":\".%0*d\",";
> + 		const char *jfmt3 = "\"maximum-error\":%lu,\"estimated-error\":%lu,";
> + 		const char *jfmt4 = "\"raw-ntp-time\":\"%x.%x\",\"raw-unix-time\":\"%x.%0*d %s\",";
> +-#if defined NTP_API && NTP_API > 3
> ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> + 		const char *jfmt5 = "\"TAI-offset\":%d,";
> + #else
> + 		const char *jfmt6 = "";
> +-- 
> +2.33.0
> +
> diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
> new file mode 100644
> index 0000000000..7275533d26
> --- /dev/null
> +++ b/package/ntpsec/Config.in
> @@ -0,0 +1,31 @@
> +config BR2_PACKAGE_NTPSEC
> +	bool "ntpsec"
> +	depends on BR2_PACKAGE_PYTHON3
> +	select BR2_PACKAGE_LIBCAP
> +	select BR2_PACKAGE_OPENSSL
> +	help
> +	  NTPsec project - a secure, hardened, and improved
> +	  implementation of Network Time Protocol derived
> +	  from NTP Classic, Dave Mills’s original.
> +
> +	  Provides things like ntpd, ntpdate, ntpq, etc...
> +
> +	  https://www.ntpsec.org/
> +
> +if BR2_PACKAGE_NTPSEC
> +
> +config BR2_PACKAGE_NTPSEC_CLASSIC_MODE
> +	bool "classic-mode"
> +	help
> +	  Enable strict configuration and log-format compatibility
> +	  with NTP Classic.
> +
> +config BR2_PACKAGE_NTPSEC_NTS
> +	bool "NTS support"
> +	help
> +	  Enable Network Time Security (NTS) support.
> +
> +endif
> +
> +comment "ntpsec depens on Pyhton3"
> +	depends on !BR2_PACKAGE_PYTHON3
> diff --git a/package/ntpsec/S49ntp b/package/ntpsec/S49ntp
> new file mode 100644
> index 0000000000..f3db51418e
> --- /dev/null
> +++ b/package/ntpsec/S49ntp
> @@ -0,0 +1,58 @@
> +#!/bin/sh
> +#
> +# Starts Network Time Protocol daemon
> +#
> +
> +DAEMON="ntpd"
> +PIDFILE="/var/run/$DAEMON.pid"
> +
> +NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"
> +
> +# shellcheck source=/dev/null
> +[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
> +
> +mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp
> +
> +start() {
> +	printf 'Starting %s: ' "$DAEMON"
> +	# shellcheck disable=SC2086 # we need the word splitting
> +	start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
> +		-- $NTPD_ARGS -p "$PIDFILE"
> +	status=$?
> +	if [ "$status" -eq 0 ]; then
> +		echo "OK"
> +	else
> +		echo "FAIL"
> +	fi
> +	return "$status"
> +}
> +
> +stop() {
> +	printf 'Stopping %s: ' "$DAEMON"
> +	start-stop-daemon -K -q -p "$PIDFILE"
> +	status=$?
> +	if [ "$status" -eq 0 ]; then
> +		rm -f "$PIDFILE"
> +		echo "OK"
> +	else
> +		echo "FAIL"
> +	fi
> +	return "$status"
> +}
> +
> +restart() {
> +	stop
> +	sleep 1
> +	start
> +}
> +
> +case "$1" in
> +	start|stop|restart)
> +		"$1";;
> +	reload)
> +		# Restart, since there is no true "reload" feature.
> +		restart;;
> +	*)
> +		echo "Usage: $0 {start|stop|restart|reload}"
> +		exit 1
> +esac
> diff --git a/package/ntpsec/ntpd.etc.conf b/package/ntpsec/ntpd.etc.conf
> new file mode 100644
> index 0000000000..e0f45c1438
> --- /dev/null
> +++ b/package/ntpsec/ntpd.etc.conf
> @@ -0,0 +1,33 @@
> +#
> +# legacy NTP configuration
> +#
> +pool 0.pool.ntp.org iburst
> +pool 1.pool.ntp.org iburst
> +pool 2.pool.ntp.org iburst
> +pool 3.pool.ntp.org iburst
> +
> +#
> +# NTS configuration
> +#
> +# Notes:
> +#  - uncomment the following lines to enable NTS support (but
> +#    make sure the initial clock is up-to-date (otherwise the
> +#    NTS certificate validation will fail with 'NTSc: certificate invalid:
> +#    9=>certificate is not yet valid' as on boards without RTC support)
> +#    and/or keep at least one line from the legacy NTP lines
> +#  - enable BR2_PACKAGE_CA_CERTIFICATES to gain access to the certificate
> +#    files
> +#
> +# server time.cloudflare.com nts  # Global, anycast
> +# server nts.ntp.se:4443 nts      # Sweden
> +# server ntpmon.dcs1.biz nts      # Singapore
> +# server ntp1.glypnod.com nts     # San Francisco
> +# server ntp2.glypnod.com nts     # London
> +#
> +# ca /usr/share/ca-certificates/mozilla
> +
> +# Allow only time queries, at a limited rate, sending KoD when in excess.
> +# Allow all local queries (IPv4, IPv6)
> +restrict default nomodify nopeer noquery limited kod
> +restrict 127.0.0.1
> +restrict [::1]
> diff --git a/package/ntpsec/ntpsec.hash b/package/ntpsec/ntpsec.hash
> new file mode 100644
> index 0000000000..9c30605cbd
> --- /dev/null
> +++ b/package/ntpsec/ntpsec.hash
> @@ -0,0 +1,4 @@
> +# Locally calculated
> +sha256  80e5b4c07dc1f8f7dc90851662c72a80a4111477c48040ae9e1f2e56f893251d  ntpsec-NTPsec_1_2_0.tar.bz2
> +sha256  b4db4de3317c3b0554ed91eb692968800bdfd6ad2c16ffbeee8ce4895ed91da4  LICENSE.adoc
> +sha256  d3b21470adadd9abd9c6d675378f8c371ac5a4ea6dbec91859e02fadca3c0856  docs/copyright.adoc
> diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
> new file mode 100644
> index 0000000000..c62077dce6
> --- /dev/null
> +++ b/package/ntpsec/ntpsec.mk
> @@ -0,0 +1,71 @@
> +################################################################################
> +#
> +# ntpsec
> +#
> +################################################################################
> +
> +NTPSEC_VERSION_MAJOR = 1
> +NTPSEC_VERSION_MINOR = 2
> +NTPSEC_VERSION_POINT = 0
> +NTPSEC_VERSION = $(NTPSEC_VERSION_MAJOR)_$(NTPSEC_VERSION_MINOR)_$(NTPSEC_VERSION_POINT)
> +NTPSEC_SOURCE = ntpsec-NTPsec_$(NTPSEC_VERSION).tar.bz2
> +NTPSEC_SITE = https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_$(NTPSEC_VERSION)
> +NTPSEC_LICENSE = BSD-2-Clause NTP BSD-3-Clause MIT
> +NTPSEC_LICENSE_FILES = LICENSE.adoc docs/copyright.adoc
> +
> +NTPSEC_CPE_ID_VENDOR = ntpsec
> +NTPSEC_CPE_ID_VERSION = $(NTPSEC_VERSION_MAJOR).$(NTPSEC_VERSION_MINOR)
> +NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
> +
> +NTPSEC_DEPENDENCIES = \
> +	host-pkgconf \
> +	$(if $(BR2_PACKAGE_PYTHON),python,python3) \
> +	libcap \
> +	openssl
> +
> +NTPSEC_CONF_OPTS = \
> +	CC=gcc \
> +	PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/$(if $(BR2_PACKAGE_PYTHON),python,python3)-config" \
> +	--cross-compiler="$(TARGET_CC)" \
> +	--cross-cflags="$(TARGET_CFLAGS) -std=gnu99" \
> +	--cross-ldflags="$(TARGET_LDFLAGS)" \
> +	--notests \
> +	--enable-early-droproot \
> +	--disable-mdns-registration \
> +	--enable-pylib=ffi \
> +	--nopyc \
> +	--nopyo \
> +	--nopycache \
> +	--disable-doc \
> +	--disable-manpage
> +
> +ifeq ($(BR2_PACKAGE_NTPSEC_CLASSIC_MODE),y)
> +NTPSEC_CONF_OPTS += --enable-classic-mode
> +endif
> +
> +ifeq ($(BR2_PACKAGE_NTPSEC_NTS),y)
> +#NTPSEC_CONF_OPTS += --enable-nts
> +else
> +NTPSEC_CONF_OPTS += --disable-nts
> +endif
> +
> +# add a link to libntpc.so where python searches for it
> +define NTPSEC_LIBNTPC_LINK
> +	ln -sf /usr/lib/ntp/libntpc.so $(TARGET_DIR)/usr/lib/libntpc.so
> +endef
> +NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_LIBNTPC_LINK
> +
> +define NTPSEC_INSTALL_NTPSEC_CONF
> +	$(INSTALL) -m 644 package/ntpsec/ntpd.etc.conf $(TARGET_DIR)/etc/ntp.conf
> +endef
> +NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_INSTALL_NTPSEC_CONF
> +
> +define NTPSEC_INSTALL_INIT_SYSV
> +	$(INSTALL) -D -m 755 package/ntpsec/S49ntp $(TARGET_DIR)/etc/init.d/S49ntp
> +endef
> +
> +define NTPSEC_USERS
> +	ntp -1 ntp -1 * - - - ntpd user
> +endef
> +
> +$(eval $(waf-package))


The resulting ntpd runs fine with the raspberrypi3_defconfig, but segfaults
when compiled/used with raspberrypi3_64_defconfig (uclibc, -Os):

	$ /usr/sbin/ntpd -n -d -g
1970-01-01T00:04:18 ntpd[263]: INIT: ntpd ntpsec-1.2.0 2021-10-24T13:39:21Z: Starting
1970-01-01T00:04:18 ntpd[263]: INIT: Command line: /usr/sbin/ntpd -n -d
1970-01-01T00:04:18 ntpd[263]: INIT: precision = 7.291 usec (-17)
1970-01-01T00:04:18 ntpd[263]: INIT: successfully locked into RAM
1970-01-01T00:04:18 ntpd[263]: CONFIG: readconfig: parsing file: /etc/ntp.conf
1970-01-01T00:04:18 ntpd[263]: CONFIG: restrict nopeer ignored
1970-01-01T00:04:18 ntpd[263]: INIT: Using SO_TIMESTAMPNS
1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 0 v6wildcard [::]:123
1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:123
1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 2 lo 127.0.0.1:123
1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 3 eth0 172.16.0.30:123
1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 4 lo [::1]:123
1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 5 eth0 [fe80::ba27:ebff:fea6:340%2]:123
1970-01-01T00:04:18 ntpd[263]: IO: Listening on routing socket on fd #22 for interface updates
1970-01-01T00:04:19 ntpd[263]: SYNC: Found 10 servers, suggest minsane at least 3
1970-01-01T00:04:19 ntpd[263]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
1970-01-01T00:04:20 ntpd[263]: DNS: dns_probe: 0.pool.ntp.org, cast_flags:8, flags:101
Segmentation fault (core dumped)


With the following stacktrace:

	$ ./host/bin/aarch64-buildroot-linux-uclibc-gdb build/ntpsec-1_2_0/build/main/ntpd/ntpd core
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) where
#0  0x0000007fbbfa4150 in res_sync_func () at libc/inet/resolv.c:3356
#1  0x0000007fbbfa1468 in __open_nameservers () at libc/inet/resolv.c:949
#2  0x0000007fbbfa0498 in __dns_lookup (name=0x55a464a7f0 "0.pool.ntp.org",
    type=1, outpacket=0x7fbbf16c48, a=0x7fbbf16c08) at libc/inet/resolv.c:1134
#3  0x0000007fbbfa2744 in __GI_gethostbyname_r (
    name=0x55a464a7f0 "0.pool.ntp.org", result_buf=0x7fbbf17628,
    buf=0x7fbbf16d90 "", buflen=992, result=0x7fbbf17670,
    h_errnop=0x7fbbf17668) at libc/inet/resolv.c:1966
#4  0x0000007fbbfa29a0 in __GI_gethostbyname2_r (
    name=0x55a464a7f0 "0.pool.ntp.org", family=2, result_buf=0x7fbbf17628,
    buf=0x7fbbf16d70 "0.pool.ntp.org", buflen=1024, result=0x7fbbf17670,
    h_errnop=0x7fbbf17668) at libc/inet/resolv.c:2065
#5  0x0000007fbbf9b924 in gaih_inet (name=0x55a464a7f0 "0.pool.ntp.org",
    service=0x7fbbf17828, req=0x7fbbf17890, pai=0x7fbbf17838)
    at libc/inet/getaddrinfo.c:596
#6  0x0000007fbbf9c624 in __GI_getaddrinfo (
    name=0x55a464a7f0 "0.pool.ntp.org",
    service=0x5576ad807d "\277\261\377\377A\215E\001I9\334r\263f\017\037D",
    hints=0x7fbbf17890, pai=0x5576b00bd8) at libc/inet/getaddrinfo.c:957
#7  0x0000005576ac5698 in _start ()

(gdb) p _res
$1 = {options = 0, nsaddr_list = {{sin_family = 0, sin_port = 0, sin_addr = {
        s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, {
      sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0},
      sin_zero = "\000\000\000\000\000\000\000"}, {sin_family = 0,
      sin_port = 0, sin_addr = {s_addr = 0},
      sin_zero = "\000\000\000\000\000\000\000"}}, dnsrch = {0x0, 0x0, 0x0,
    0x0, 0x0, 0x0, 0x0}, nscount = 0 '\000', ndots = 0 '\000',
  retrans = 0 '\000', retry = 0 '\000', defdname = '\000' <repeats 255 times>,
  nsort = 0 '\000', pfcode = 0, id = 0, res_h_errno = 0, sort_list = {{addr = {
        s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {
        s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {
        s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {
        s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {
        s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}}, _u = {
    _ext = {nsaddrs = {0x0, 0x0, 0x0}, nscount = 0 '\000', nstimes = {0, 0,
        0}, nssocks = {0, 0, 0}, nscount6 = 0, nsinit = 0}}}

(gdb) p &_res
$2 = (struct __res_state *) 0x7fbc014d98 <_res>

(gdb) p rp
$3 = (struct __res_state *) 0x7fffffffff


And the following uclibc code at libc/inet/resolv.c:3356:

3345 static void res_sync_func(void)
3346 {
3347         struct __res_state *rp = &(_res);
3348         int n;
3349 
3350         /* If we didn't get malloc failure earlier... */
3351         if (__nameserver != (void*) &__local_nameserver) {
3352                 /* TODO:
3353                  * if (__nameservers < rp->nscount) - try to grow __nameserver[]?
3354                  */
3355 #ifdef __UCLIBC_HAS_IPV6__
3356                 if (__nameservers > rp->_u._ext.nscount)
3357                         __nameservers = rp->_u._ext.nscount;
3358                 n = __nameservers;


The special thing about ntpsec is the DNS lookup in an extra thread
and/or the call to res_init(), see ntpsec-1_2_0/ntpd/ntp_dns.c:

 69         msyslog(LOG_INFO, "DNS: dns_probe: %s, cast_flags:%x, flags:%x%s",
 70                 hostname, pp->cast_flags, pp->cfg.flags, busy);
 71         if (NULL != active)     /* normally redundant */
 72                 return false;
 73 
 74         active = pp;
 75 
 76         sigfillset(&block_mask);
 77         pthread_sigmask(SIG_BLOCK, &block_mask, &saved_sig_mask);
 78         rc = pthread_create(&worker, NULL, dns_lookup, pp);


and


165 static void* dns_lookup(void* arg)
166 {
167         struct peer *pp = (struct peer *) arg;
168         struct addrinfo hints;
169 
170 #ifdef HAVE_SECCOMP_H
171         setup_SIGSYS_trap();      /* enable trap for this thread */
172 #endif
173 
174 #ifdef HAVE_RES_INIT
175         /* Reload DNS servers from /etc/resolv.conf in case DHCP has updated it.
176          * We only need to do this occasionally, but it's not expensive
177          * and simpler to do it every time than it is to figure out when
178          * to do it.
179          * This res_init() covers NTS too.
180          */
181         res_init();
182 #endif
183 
184         if (pp->cfg.flags & FLAG_NTS) {
185 #ifndef DISABLE_NTS
186                 nts_probe(pp);
187 #endif
188         } else {
189                 ZERO(hints);
190                 hints.ai_protocol = IPPROTO_UDP;
191                 hints.ai_socktype = SOCK_DGRAM;
192                 hints.ai_family = AF(&pp->srcadr);
193                 gai_rc = getaddrinfo(pp->hostname, NTP_PORTA, &hints, &answer);
194         }


The failure can be fixed/worked around with the following uClibc-ng-1.0.39 patch:

diff --git a/libc/inet/resolv.c b/libc/inet/resolv.c
index 8bbd7c7..cf170fb 100644
--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -3344,7 +3344,7 @@ libc_hidden_def(dn_skipname)
 /* Will be called under __resolv_lock. */
 static void res_sync_func(void)
 {
-	struct __res_state *rp = &(_res);
+	struct __res_state *rp = __res_state();
 	int n;
 
 	/* If we didn't get malloc failure earlier... */
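Review bot: in res_sync_func(), `rp` now comes from `__res_state()`, but the next hunk of this same patch changes the `__UCLIBC_HAS_TLS__` guard around a `__res_state()` definition, so the patch alone does not show which implementation this call resolves to on a TLS build. The context comment says the function is called under `__resolv_lock`; please state in the commit message which resolver state that lock is meant to cover once `rp` is obtained through the accessor.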
@@ -3896,7 +3896,7 @@ res_ninit(res_state statp)
 #endif /* L_res_init */
 
 #ifdef L_res_state
-# if defined __UCLIBC_HAS_TLS__
+# if !defined __UCLIBC_HAS_TLS__
 struct __res_state *
 __res_state (void)
 {
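Review bot: inverting the guard to `# if !defined __UCLIBC_HAS_TLS__` changes which configurations compile this `__res_state()` body, including targets reported as working before (raspberrypi3_defconfig), and the hunk does not show the other branch of the conditional. Please show the `#else` side in the context or describe it in the commit message, and run the resolver test on one TLS and one non-TLS target before and after the change.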


The first change is using the provided __res_state() method instead
of direct access, the second one changes the __res_state() implementation
to the one where the comment 'When threaded, _res may be a per-thread variable.'
indicates this should be used with threads/TLS enabled...

Not sure if this is the right fix and/or I figured out enough of the uclibc
logic about the _res access vs. res_init() vs. thread/TLS logic...

Regards,
Peter
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 11+ messages in thread

* Re: [Buildroot] [uclibc-ng-devel] Re: [PATCH v1] package/ntpsec: new package
  2021-10-28 21:01 ` Peter Seiderer
@ 2021-10-30 22:56   ` Waldemar Brodkorb
  2021-11-04 20:30     ` Peter Seiderer
  0 siblings, 1 reply; 11+ messages in thread
From: Waldemar Brodkorb @ 2021-10-30 22:56 UTC (permalink / raw)
  To: Peter Seiderer; +Cc: devel, Yann E . MORIN, buildroot

Hi Peter,
Peter Seiderer wrote,

> Hello Waldemar, *,
> 
> On Mon, 25 Oct 2021 23:25:41 +0200, Peter Seiderer <ps.report@gmx.net> wrote:
> 
> The resulting ntpd runs fine with the raspberrypi3_defconfig, but segfaults
> when compiled/used with raspberrypi3_64_defconfig (uclibc, -Os):
> 
> 	$ /usr/sbin/ntpd -n -d -g
> 1970-01-01T00:04:18 ntpd[263]: INIT: ntpd ntpsec-1.2.0 2021-10-24T13:39:21Z: Starting
> 1970-01-01T00:04:18 ntpd[263]: INIT: Command line: /usr/sbin/ntpd -n -d
> 1970-01-01T00:04:18 ntpd[263]: INIT: precision = 7.291 usec (-17)
> 1970-01-01T00:04:18 ntpd[263]: INIT: successfully locked into RAM
> 1970-01-01T00:04:18 ntpd[263]: CONFIG: readconfig: parsing file: /etc/ntp.conf
> 1970-01-01T00:04:18 ntpd[263]: CONFIG: restrict nopeer ignored
> 1970-01-01T00:04:18 ntpd[263]: INIT: Using SO_TIMESTAMPNS
> 1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 0 v6wildcard [::]:123
> 1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:123
> 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 2 lo 127.0.0.1:123
> 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 3 eth0 172.16.0.30:123
> 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 4 lo [::1]:123
> 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 5 eth0 [fe80::ba27:ebff:fea6:340%2]:123
> 1970-01-01T00:04:18 ntpd[263]: IO: Listening on routing socket on fd #22 for interface updates
> 1970-01-01T00:04:19 ntpd[263]: SYNC: Found 10 servers, suggest minsane at least 3
> 1970-01-01T00:04:19 ntpd[263]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
> 1970-01-01T00:04:20 ntpd[263]: DNS: dns_probe: 0.pool.ntp.org, cast_flags:8, flags:101
> Segmentation fault (core dumped)

Could you add a small C test program to uClibc-ng-test to trigger
the bug? That would help to find any regression to targets without
TLS support.

best regards
 Waldemar

^ permalink raw reply	[flat|nested] 11+ messages in thread
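A test of the kind requested above can follow the call pattern quoted from ntp_dns.c: block signals, start a fresh thread, then call res_init() and read `_res` inside it. This is an added example, not code from the thread, from ntpsec or from uClibc-ng-test; the names probe_result, lookup_worker, probe_once and probe_rounds are hypothetical, and the numeric loopback address is constructed input that keeps getaddrinfo() offline.

```c
/* Added example (not from the thread, ntpsec or uClibc-ng-test).
 * Mirrors the quoted ntp_dns.c pattern: signals blocked, fresh thread,
 * res_init() and resolver-state access inside that thread. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result record filled in by the worker thread. */
struct probe_result {
	int res_init_rc;   /* return value of res_init() */
	int nscount;       /* _res.nscount as seen by the worker */
	int gai_rc;        /* return value of getaddrinfo() */
};

static void *lookup_worker(void *arg)
{
	struct probe_result *r = arg;
	struct addrinfo hints, *answer = NULL;

	/* Same first step as dns_lookup(): reload resolver configuration. */
	r->res_init_rc = res_init();
	/* Read through _res so a broken per-thread pointer faults here. */
	r->nscount = _res.nscount;

	memset(&hints, 0, sizeof(hints));
	hints.ai_protocol = IPPROTO_UDP;
	hints.ai_socktype = SOCK_DGRAM;
	hints.ai_family = AF_INET;
	hints.ai_flags = AI_NUMERICHOST;   /* constructed input, no DNS traffic */
	r->gai_rc = getaddrinfo("127.0.0.1", "123", &hints, &answer);
	if (r->gai_rc == 0)
		freeaddrinfo(answer);
	return r;
}

/* One round: returns 0 when the worker ran and every step succeeded. */
int probe_once(struct probe_result *r)
{
	sigset_t block_mask, saved_sig_mask;
	pthread_t worker;
	void *ret = NULL;
	int rc;

	r->res_init_rc = r->nscount = r->gai_rc = -1;

	/* Block all signals around thread creation, as dns_probe() does. */
	sigfillset(&block_mask);
	pthread_sigmask(SIG_BLOCK, &block_mask, &saved_sig_mask);
	rc = pthread_create(&worker, NULL, lookup_worker, r);
	pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);
	if (rc != 0 || pthread_join(worker, &ret) != 0 || ret != r)
		return -1;

	if (r->res_init_rc != 0 || r->gai_rc != 0)
		return -1;
	if (r->nscount < 0 || r->nscount > MAXNS)
		return -1;
	return 0;
}

/* dns_probe() creates a new thread per lookup, so repeat with fresh threads. */
int probe_rounds(int rounds)
{
	struct probe_result r;
	int i, ok = 0;

	for (i = 0; i < rounds; i++)
		if (probe_once(&r) == 0)
			ok++;
	return ok;
}

int main(void)
{
	int ok = probe_rounds(4);

	printf("%d of 4 threaded res_init() rounds passed\n", ok);
	return ok == 4 ? 0 : 1;
}
```

Built against the target libc and run on the target, a fault inside the worker terminates the program with a signal instead of returning a count, which a test runner reports as a non-zero status.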

* Re: [Buildroot] [uclibc-ng-devel] Re: [PATCH v1] package/ntpsec: new package
  2021-10-30 22:56   ` [Buildroot] [uclibc-ng-devel] " Waldemar Brodkorb
@ 2021-11-04 20:30     ` Peter Seiderer
  2021-11-11  8:58       ` Waldemar Brodkorb
  0 siblings, 1 reply; 11+ messages in thread
From: Peter Seiderer @ 2021-11-04 20:30 UTC (permalink / raw)
  To: Waldemar Brodkorb; +Cc: devel, Yann E . MORIN, buildroot

Hello Waldemar,

On Sun, 31 Oct 2021 00:56:56 +0200, Waldemar Brodkorb <wbx@openadk.org> wrote:

> Hi Peter,
> Peter Seiderer wrote,
>
> > Hello Waldemar, *,
> >
> > On Mon, 25 Oct 2021 23:25:41 +0200, Peter Seiderer <ps.report@gmx.net> wrote:
> >
> > The resulting ntpd runs fine with the raspberrypi3_defconfig, but segfaults
> > when compiled/used with raspberrypi3_64_defconfig (uclibc, -Os):
> >
> > 	$ /usr/sbin/ntpd -n -d -g
> > 1970-01-01T00:04:18 ntpd[263]: INIT: ntpd ntpsec-1.2.0 2021-10-24T13:39:21Z: Starting
> > 1970-01-01T00:04:18 ntpd[263]: INIT: Command line: /usr/sbin/ntpd -n -d
> > 1970-01-01T00:04:18 ntpd[263]: INIT: precision = 7.291 usec (-17)
> > 1970-01-01T00:04:18 ntpd[263]: INIT: successfully locked into RAM
> > 1970-01-01T00:04:18 ntpd[263]: CONFIG: readconfig: parsing file: /etc/ntp.conf
> > 1970-01-01T00:04:18 ntpd[263]: CONFIG: restrict nopeer ignored
> > 1970-01-01T00:04:18 ntpd[263]: INIT: Using SO_TIMESTAMPNS
> > 1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 0 v6wildcard [::]:123
> > 1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:123
> > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 2 lo 127.0.0.1:123
> > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 3 eth0 172.16.0.30:123
> > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 4 lo [::1]:123
> > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 5 eth0 [fe80::ba27:ebff:fea6:340%2]:123
> > 1970-01-01T00:04:18 ntpd[263]: IO: Listening on routing socket on fd #22 for interface updates
> > 1970-01-01T00:04:19 ntpd[263]: SYNC: Found 10 servers, suggest minsane at least 3
> > 1970-01-01T00:04:19 ntpd[263]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
> > 1970-01-01T00:04:20 ntpd[263]: DNS: dns_probe: 0.pool.ntp.org, cast_flags:8, flags:101
> > Segmentation fault (core dumped)
>
> Could you add a small C test program to uClibc-ng-test to trigger
> the bug? That would help to find any regression to targets without
> TLS support.

Did take a first look at the uClibc-ng-test regarding the problem,
there is already one test/inet/tst-res test...


For the raspberrypi3_defconfig case (uclibc unpatched):

	$ sh uclibcng-testrunner.sh
[...]
FAIL tst-ethers-line got 1 expected 0
	Cannot open file /etc/ethers: No such file or directory
FAIL tst-ethers got 1 expected 0
	Either /etc/ethers is missing or it has incorrect contents
[...]
FAIL tst-cancel18 got 1 expected 0
	going to cancel in-time
	Timed out: killed the child process
[...]
FAIL tst-cancelx18 got 1 expected 0
	going to cancel in-time
	Timed out: killed the child process
[...]
Total skipped: 15
Total failed: 4
Total passed: 460



For the raspberrypi3_64_defconfig case (uclibc unpatched):

	$ sh uclibcng-testrunner.sh
[...]
FAIL tst-ethers-line got 1 expected 0
	Cannot open file /etc/ethers: No such file or directory
FAIL tst-ethers got 1 expected 0
	Either /etc/ethers is missing or it has incorrect contents
[...]
FAIL tst-res got 139 expected 0
	Segmentation fault (core dumped)
[...]
FAIL tst-seekdir got 1 expected 0
	.
	..
	tst-seekdir.out
	tst-utmpx
	tst-inotify
	tst-mkostemps.out
	seek.out
	tst-scandir
	tst-seekdir
	tst-statvfs.out
	sem
	stdarg.out
	fdopen.out
	tst-utmp
	tst-preadvwritev.out
	bug-glob2.out
	popen
	dirent64.out
	tst-scandir.out
	tst-hasmntopt.out
	tst-statvfs
	bug-glob2
	popen.out
	Makefile
	opendir-tst1
	sem.out
	tst-inotify.out
	tst-syscall0
	tst-statfs.out
	bug-readdir1
	dirent.out
	tst-statfs
	tst-syscall1.out
	tst-syscall0.out
	stdarg
	tst-preadvwritev
	tst-syscall6.out
	tst-mkostemps
	Makefile.in
	tst-utmp.out
	tst-nftw
	opendir-tst1.out
	tst-syscall1
	bug-readdir1.out
	tst-hasmntopt
	tst-syscall6
	fdopen
	seek
	tst-nftw.out
	dirent64
	tst-fnmatch.input
	tst-utmpx.out
	dirent
	going back past 4-th entry...
	seekdir (d, -1600443765); telldir (d) == -1
[...]
FAIL tst-cancel18 got 1 expected 0
	going to cancel in-time
	Timed out: killed the child process
[...]
FAIL tst-cancelx18 got 1 expected 0
	going to cancel in-time
	Timed out: killed the child process
[...]
FAIL tst-tls3 got 1 expected 0

	/usr/lib/uclibc-ng-test/test/tls/tst-tls3: symbol 'baz': can't handle reloc type 0x404
FAIL tst-tls4 got 1 expected 0

	/usr/lib/uclibc-ng-test/test/tls/tst-tls4: symbol 'foo': can't handle reloc type 0x404
FAIL tst-tls5 got 1 expected 0

	/usr/lib/uclibc-ng-test/test/tls/tst-tls5: symbol 'foo': can't handle reloc type 0x404
FAIL tst-tls6 got 1 expected 0

	/usr/lib/uclibc-ng-test/test/tls/tst-tls6: symbol 'foo': can't handle reloc type 0x404
FAIL tst-tls7 got 1 expected 0

	/usr/lib/uclibc-ng-test/test/tls/tst-tls7: symbol 'foo': can't handle reloc type 0x404
FAIL tst-tls8 got 1 expected 0

	/usr/lib/uclibc-ng-test/test/tls/tst-tls8: symbol 'foo': can't handle reloc type 0x404
[...]
Total skipped: 15
Total failed: 12
Total passed: 454


The tst-res Segmentation fault failure can be fixed by
this additional uclibc patch:

--- a/include/resolv.h
+++ b/include/resolv.h
@@ -457,7 +457,7 @@ __END_DECLS
 #    ifndef NOT_IN_libc
 #     define __resp __libc_resp
 #    endif
-#    define _res (*__resp)
+#    define _res (*__res_state())
 extern __thread struct __res_state *__resp attribute_tls_model_ie;
 #   endif
 #  else
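Review bot: with `_res` redefined as `(*__res_state())`, the `extern __thread struct __res_state *__resp` declaration and the `__resp`/`__libc_resp` define kept as context in this hunk are no longer used by the macro, and every `_res` access in this branch becomes a function call. Please say in the commit message whether `__resp` is still read elsewhere; note also that `&(_res)` and `__res_state()` are the same expression after this change, so the res_sync_func() edit in the earlier resolv.c patch may be redundant with this one.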


Will take a look at some glibc resolv tests and try to port
them (and, if I find enough time, at some of the other
failures)...

Regards,
Peter

>
> best regards
>  Waldemar


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Buildroot] [uclibc-ng-devel] Re: [PATCH v1] package/ntpsec: new package
  2021-11-04 20:30     ` Peter Seiderer
@ 2021-11-11  8:58       ` Waldemar Brodkorb
  2021-11-25 20:26         ` Peter Seiderer
  0 siblings, 1 reply; 11+ messages in thread
From: Waldemar Brodkorb @ 2021-11-11  8:58 UTC (permalink / raw)
  To: Peter Seiderer; +Cc: devel, Yann E . MORIN, buildroot

Hi Peter,
Peter Seiderer wrote,

> Hello Waldemar,
> 
> On Sun, 31 Oct 2021 00:56:56 +0200, Waldemar Brodkorb <wbx@openadk.org> wrote:
> 
> > Hi Peter,
> > Peter Seiderer wrote,
> >
> > > Hello Waldemar, *,
> > >
> > > On Mon, 25 Oct 2021 23:25:41 +0200, Peter Seiderer <ps.report@gmx.net> wrote:
> > >
> > > The resulting ntpd runs fine with the raspberrypi3_defconfig, but segfaults
> > > when compiled/used with raspberrypi3_64_defconfig (uclibc, -Os):
> > >
> > > 	$ /usr/sbin/ntpd -n -d -g
> > > 1970-01-01T00:04:18 ntpd[263]: INIT: ntpd ntpsec-1.2.0 2021-10-24T13:39:21Z: Starting
> > > 1970-01-01T00:04:18 ntpd[263]: INIT: Command line: /usr/sbin/ntpd -n -d
> > > 1970-01-01T00:04:18 ntpd[263]: INIT: precision = 7.291 usec (-17)
> > > 1970-01-01T00:04:18 ntpd[263]: INIT: successfully locked into RAM
> > > 1970-01-01T00:04:18 ntpd[263]: CONFIG: readconfig: parsing file: /etc/ntp.conf
> > > 1970-01-01T00:04:18 ntpd[263]: CONFIG: restrict nopeer ignored
> > > 1970-01-01T00:04:18 ntpd[263]: INIT: Using SO_TIMESTAMPNS
> > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 0 v6wildcard [::]:123
> > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:123
> > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 2 lo 127.0.0.1:123
> > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 3 eth0 172.16.0.30:123
> > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 4 lo [::1]:123
> > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 5 eth0 [fe80::ba27:ebff:fea6:340%2]:123
> > > 1970-01-01T00:04:18 ntpd[263]: IO: Listening on routing socket on fd #22 for interface updates
> > > 1970-01-01T00:04:19 ntpd[263]: SYNC: Found 10 servers, suggest minsane at least 3
> > > 1970-01-01T00:04:19 ntpd[263]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
> > > 1970-01-01T00:04:20 ntpd[263]: DNS: dns_probe: 0.pool.ntp.org, cast_flags:8, flags:101
> > > Segmentation fault (core dumped)
> >
> > Could you add a small C test program to uClibc-ng-test to trigger
> > the bug? That would help to find any regression to targets without
> > TLS support.
> 
> Did take a first look at the uClibc-ng-test regarding the problem,
> there is already one test/inet/tst-res test...
> 
> 
> For the raspberrypi3_defconfig case (uclibc unpatched):
> 
> 	$ sh uclibcng-testrunner.sh
> [...]
> FAIL tst-ethers-line got 1 expected 0
> 	Cannot open file /etc/ethers: No such file or directory
> FAIL tst-ethers got 1 expected 0
> 	Either /etc/ethers is missing or it has incorrect contents
> [...]
> FAIL tst-cancel18 got 1 expected 0
> 	going to cancel in-time
> 	Timed out: killed the child process
> [...]
> FAIL tst-cancelx18 got 1 expected 0
> 	going to cancel in-time
> 	Timed out: killed the child process
> [...]
> Total skipped: 15
> Total failed: 4
> Total passed: 460
> 
> 
> 
> For the raspberrypi3_64_defconfig case (uclibc unpatched):
> 
> 	$ sh uclibcng-testrunner.sh
> [...]
> FAIL tst-ethers-line got 1 expected 0
> 	Cannot open file /etc/ethers: No such file or directory
> FAIL tst-ethers got 1 expected 0
> 	Either /etc/ethers is missing or it has incorrect contents
> [...]
> FAIL tst-res got 139 expected 0
> 	Segmentation fault (core dumped)
> [...]
> FAIL tst-seekdir got 1 expected 0
> 	.
> 	..
> 	tst-seekdir.out
> 	tst-utmpx
> 	tst-inotify
> 	tst-mkostemps.out
> 	seek.out
> 	tst-scandir
> 	tst-seekdir
> 	tst-statvfs.out
> 	sem
> 	stdarg.out
> 	fdopen.out
> 	tst-utmp
> 	tst-preadvwritev.out
> 	bug-glob2.out
> 	popen
> 	dirent64.out
> 	tst-scandir.out
> 	tst-hasmntopt.out
> 	tst-statvfs
> 	bug-glob2
> 	popen.out
> 	Makefile
> 	opendir-tst1
> 	sem.out
> 	tst-inotify.out
> 	tst-syscall0
> 	tst-statfs.out
> 	bug-readdir1
> 	dirent.out
> 	tst-statfs
> 	tst-syscall1.out
> 	tst-syscall0.out
> 	stdarg
> 	tst-preadvwritev
> 	tst-syscall6.out
> 	tst-mkostemps
> 	Makefile.in
> 	tst-utmp.out
> 	tst-nftw
> 	opendir-tst1.out
> 	tst-syscall1
> 	bug-readdir1.out
> 	tst-hasmntopt
> 	tst-syscall6
> 	fdopen
> 	seek
> 	tst-nftw.out
> 	dirent64
> 	tst-fnmatch.input
> 	tst-utmpx.out
> 	dirent
> 	going back past 4-th entry...
> 	seekdir (d, -1600443765); telldir (d) == -1
> [...]
> FAIL tst-cancel18 got 1 expected 0
> 	going to cancel in-time
> 	Timed out: killed the child process
> [...]
> FAIL tst-cancelx18 got 1 expected 0
> 	going to cancel in-time
> 	Timed out: killed the child process
> [...]
> FAIL tst-tls3 got 1 expected 0
> 
> 	/usr/lib/uclibc-ng-test/test/tls/tst-tls3: symbol 'baz': can't handle reloc type 0x404
> FAIL tst-tls4 got 1 expected 0
> 
> 	/usr/lib/uclibc-ng-test/test/tls/tst-tls4: symbol 'foo': can't handle reloc type 0x404
> FAIL tst-tls5 got 1 expected 0
> 
> 	/usr/lib/uclibc-ng-test/test/tls/tst-tls5: symbol 'foo': can't handle reloc type 0x404
> FAIL tst-tls6 got 1 expected 0
> 
> 	/usr/lib/uclibc-ng-test/test/tls/tst-tls6: symbol 'foo': can't handle reloc type 0x404
> FAIL tst-tls7 got 1 expected 0
> 
> 	/usr/lib/uclibc-ng-test/test/tls/tst-tls7: symbol 'foo': can't handle reloc type 0x404
> FAIL tst-tls8 got 1 expected 0
> 
> 	/usr/lib/uclibc-ng-test/test/tls/tst-tls8: symbol 'foo': can't handle reloc type 0x404
> [...]
> Total skipped: 15
> Total failed: 12
> Total passed: 454
> 
> 
> The tst-res Segmentation fault failure can be fixed by
> this additional uclibc patch:
> 
> --- a/include/resolv.h
> +++ b/include/resolv.h
> @@ -457,7 +457,7 @@ __END_DECLS
>  #    ifndef NOT_IN_libc
>  #     define __resp __libc_resp
>  #    endif
> -#    define _res (*__resp)
> +#    define _res (*__res_state())
>  extern __thread struct __res_state *__resp attribute_tls_model_ie;
>  #   endif
>  #  else
> 
> 
> Will take a look at some glibc resolv tests and try to port
> them (and, if I find enough time, at some of the other
> failures)...

Can you send the two existing patches with your SoB Line added?

best regards
 Waldemar
 

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Buildroot] [uclibc-ng-devel] Re: [PATCH v1] package/ntpsec: new package
  2021-11-11  8:58       ` Waldemar Brodkorb
@ 2021-11-25 20:26         ` Peter Seiderer
  0 siblings, 0 replies; 11+ messages in thread
From: Peter Seiderer @ 2021-11-25 20:26 UTC (permalink / raw)
  To: Waldemar Brodkorb; +Cc: devel, Waldemar Brodkorb, Yann E . MORIN, buildroot

Hello Waldemar,

On Thu, 11 Nov 2021 09:58:07 +0100, Waldemar Brodkorb <wbx@openadk.org> wrote:

> Hi Peter,
> Peter Seiderer wrote,
>
> > Hello Waldemar,
> >
> > On Sun, 31 Oct 2021 00:56:56 +0200, Waldemar Brodkorb <wbx@openadk.org> wrote:
> >
> > > Hi Peter,
> > > Peter Seiderer wrote,
> > >
> > > > Hello Waldemar, *,
> > > >
> > > > On Mon, 25 Oct 2021 23:25:41 +0200, Peter Seiderer <ps.report@gmx.net> wrote:
> > > >
> > > > The resulting ntpd runs fine with the raspberrypi3_defconfig, but segfaults
> > > > when compiled/used with raspberrypi3_64_defconfig (uclibc, -Os):
> > > >
> > > > 	$ /usr/sbin/ntpd -n -d -g
> > > > 1970-01-01T00:04:18 ntpd[263]: INIT: ntpd ntpsec-1.2.0 2021-10-24T13:39:21Z: Starting
> > > > 1970-01-01T00:04:18 ntpd[263]: INIT: Command line: /usr/sbin/ntpd -n -d
> > > > 1970-01-01T00:04:18 ntpd[263]: INIT: precision = 7.291 usec (-17)
> > > > 1970-01-01T00:04:18 ntpd[263]: INIT: successfully locked into RAM
> > > > 1970-01-01T00:04:18 ntpd[263]: CONFIG: readconfig: parsing file: /etc/ntp.conf
> > > > 1970-01-01T00:04:18 ntpd[263]: CONFIG: restrict nopeer ignored
> > > > 1970-01-01T00:04:18 ntpd[263]: INIT: Using SO_TIMESTAMPNS
> > > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 0 v6wildcard [::]:123
> > > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:123
> > > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 2 lo 127.0.0.1:123
> > > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 3 eth0 172.16.0.30:123
> > > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 4 lo [::1]:123
> > > > 1970-01-01T00:04:18 ntpd[263]: IO: Listen normally on 5 eth0 [fe80::ba27:ebff:fea6:340%2]:123
> > > > 1970-01-01T00:04:18 ntpd[263]: IO: Listening on routing socket on fd #22 for interface updates
> > > > 1970-01-01T00:04:19 ntpd[263]: SYNC: Found 10 servers, suggest minsane at least 3
> > > > 1970-01-01T00:04:19 ntpd[263]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
> > > > 1970-01-01T00:04:20 ntpd[263]: DNS: dns_probe: 0.pool.ntp.org, cast_flags:8, flags:101
> > > > Segmentation fault (core dumped)
> > >
> > > Could you add a small C test program to uClibc-ng-test to trigger
> > > the bug? That would help to find any regression to targets without
> > > TLS support.
> >
> > Did take a first look at the uClibc-ng-test regarding the problem,
> > there is already one test/inet/tst-res test...
> >
> >
> > For the raspberrypi3_defconfig case (uclibc unpatched):
> >
> > 	$ sh uclibcng-testrunner.sh
> > [...]
> > FAIL tst-ethers-line got 1 expected 0
> > 	Cannot open file /etc/ethers: No such file or directory
> > FAIL tst-ethers got 1 expected 0
> > 	Either /etc/ethers is missing or it has incorrect contents
> > [...]
> > FAIL tst-cancel18 got 1 expected 0
> > 	going to cancel in-time
> > 	Timed out: killed the child process
> > [...]
> > FAIL tst-cancelx18 got 1 expected 0
> > 	going to cancel in-time
> > 	Timed out: killed the child process
> > [...]
> > Total skipped: 15
> > Total failed: 4
> > Total passed: 460
> >
> >
> >
> > For the raspberrypi3_64_defconfig case (uclibc unpatched):
> >
> > 	$ sh uclibcng-testrunner.sh
> > [...]
> > FAIL tst-ethers-line got 1 expected 0
> > 	Cannot open file /etc/ethers: No such file or directory
> > FAIL tst-ethers got 1 expected 0
> > 	Either /etc/ethers is missing or it has incorrect contents
> > [...]
> > FAIL tst-res got 139 expected 0
> > 	Segmentation fault (core dumped)
> > [...]
> > FAIL tst-seekdir got 1 expected 0
> > 	.
> > 	..
> > 	tst-seekdir.out
> > 	tst-utmpx
> > 	tst-inotify
> > 	tst-mkostemps.out
> > 	seek.out
> > 	tst-scandir
> > 	tst-seekdir
> > 	tst-statvfs.out
> > 	sem
> > 	stdarg.out
> > 	fdopen.out
> > 	tst-utmp
> > 	tst-preadvwritev.out
> > 	bug-glob2.out
> > 	popen
> > 	dirent64.out
> > 	tst-scandir.out
> > 	tst-hasmntopt.out
> > 	tst-statvfs
> > 	bug-glob2
> > 	popen.out
> > 	Makefile
> > 	opendir-tst1
> > 	sem.out
> > 	tst-inotify.out
> > 	tst-syscall0
> > 	tst-statfs.out
> > 	bug-readdir1
> > 	dirent.out
> > 	tst-statfs
> > 	tst-syscall1.out
> > 	tst-syscall0.out
> > 	stdarg
> > 	tst-preadvwritev
> > 	tst-syscall6.out
> > 	tst-mkostemps
> > 	Makefile.in
> > 	tst-utmp.out
> > 	tst-nftw
> > 	opendir-tst1.out
> > 	tst-syscall1
> > 	bug-readdir1.out
> > 	tst-hasmntopt
> > 	tst-syscall6
> > 	fdopen
> > 	seek
> > 	tst-nftw.out
> > 	dirent64
> > 	tst-fnmatch.input
> > 	tst-utmpx.out
> > 	dirent
> > 	going back past 4-th entry...
> > 	seekdir (d, -1600443765); telldir (d) == -1
> > [...]
> > FAIL tst-cancel18 got 1 expected 0
> > 	going to cancel in-time
> > 	Timed out: killed the child process
> > [...]
> > FAIL tst-cancelx18 got 1 expected 0
> > 	going to cancel in-time
> > 	Timed out: killed the child process
> > [...]
> > FAIL tst-tls3 got 1 expected 0
> >
> > 	/usr/lib/uclibc-ng-test/test/tls/tst-tls3: symbol 'baz': can't handle reloc type 0x404
> > FAIL tst-tls4 got 1 expected 0
> >
> > 	/usr/lib/uclibc-ng-test/test/tls/tst-tls4: symbol 'foo': can't handle reloc type 0x404
> > FAIL tst-tls5 got 1 expected 0
> >
> > 	/usr/lib/uclibc-ng-test/test/tls/tst-tls5: symbol 'foo': can't handle reloc type 0x404
> > FAIL tst-tls6 got 1 expected 0
> >
> > 	/usr/lib/uclibc-ng-test/test/tls/tst-tls6: symbol 'foo': can't handle reloc type 0x404
> > FAIL tst-tls7 got 1 expected 0
> >
> > 	/usr/lib/uclibc-ng-test/test/tls/tst-tls7: symbol 'foo': can't handle reloc type 0x404
> > FAIL tst-tls8 got 1 expected 0
> >
> > 	/usr/lib/uclibc-ng-test/test/tls/tst-tls8: symbol 'foo': can't handle reloc type 0x404
> > [...]
> > Total skipped: 15
> > Total failed: 12
> > Total passed: 454
> >
> >
> > The tst-res Segmentation fault failure can be fixed by
> > this additional uclibc patch:
> >
> > --- a/include/resolv.h
> > +++ b/include/resolv.h
> > @@ -457,7 +457,7 @@ __END_DECLS
> >  #    ifndef NOT_IN_libc
> >  #     define __resp __libc_resp
> >  #    endif
> > -#    define _res (*__resp)
> > +#    define _res (*__res_state())
> >  extern __thread struct __res_state *__resp attribute_tls_model_ie;
> >  #   endif
> >  #  else
> >
> >
> > Will take a look at some glibc resolv tests and try to port
> > them (and, if I find enough time, at some of the other
> > failures)...
>
> Can you send the two existing patches with your SoB Line added?

And finally done (sorry for the delay):

	https://patchwork.ozlabs.org/project/uclibc-ng/patch/20211125201825.22354-1-ps.report@gmx.net/

Regards,
Peter

>
> best regards
>  Waldemar
>


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Buildroot] [PATCH 1/1] package/ntpsec: new package
  2021-10-25 21:25 [Buildroot] [PATCH v1] package/ntpsec: new package Peter Seiderer
  2021-10-28 21:01 ` Peter Seiderer
@ 2021-12-12 20:07 ` guillaume.bressaix
  2021-12-15 20:43   ` Peter Seiderer
  1 sibling, 1 reply; 11+ messages in thread
From: guillaume.bressaix @ 2021-12-12 20:07 UTC (permalink / raw)
  To: buildroot; +Cc: Peter Seiderer, Guillaume W . Bres

From: Peter Seiderer <ps.report@gmx.net>

- set 'CC=gcc' to avoid cross-compile failure (see [1]):

  /bin/sh: line 1: .../build/ntpsec-1_2_0/build/host/ntpd/keyword-gen: cannot execute binary file: Exec format error

  Waf: Leaving directory `.../build/ntpsec-1_2_0/build/host'
  Build failed
   -> task in 'ntp_keyword.h' failed with exit status 126 (run with -v to display more information)

- set '-std=gnu99"' to avoid compile failure with old compilers

- explicit set PYTHON_CONFIG

- add patch 001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch to
  fix ntptime jfmt5/ofmt5 jfmt6/ofmt6 related compile failure

- add SYSV init file (S49ntp)

- add example ntpd.conf (with legacy option enabled and provide skeleton
  for NTS configuration)

- add config option for NTS support

- depend on python3 (omit python2 to reduce test effort)

- add ntp user/group and run ntpd as restricted user

- add libcap dependency (compile time optional but needed for droproot
  support)

- submit latest ntpsec version 1.2.1

- lib ntpc import in python is fixed by specifying the --libdir flag.
  -> removed the symlink trick

- add --refclock=all flags to configure, see notes down below

- add leap second management options & ntpviz

- improved Config.in:
  libbsd is required
  openssl is only needed when NTS encryption is enabled
  (depend on python3 only to simplify things)
  improved classic mode help description
  improved early-drop-root feature description

- early droproot should be an option: adapt libcap accordingly

- corrected CC=gcc to CC=$(HOSTCC) in ntpsec.mk

- provide service script for systemd infra along sysv infra

- I don't think we need the patch if we restrict to !BR2_TOOLCHAIN_UCLIBC
  IMO it's better to keep the patch and allow all toolchains.
  I usually have glibc, but I just ran a sanity check on my zedboard with uclibc,
  it passed.

- used on zynq_zed_defconfig and beaglebone_defconfig
  daemon automatically started
  ntpq works fine

[1] https://gitlab.com/NTPsec/ntpsec/-/issues/694

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>

---
notes on refclocks: https://docs.ntpsec.org/latest/refclock.html
  "For security reasons, we will no longer support any refclock
  that requires a closed-source driver to run", see webpage.

  --refclock=all is hardcoded at the moment

  One must compile ntpsec with the 'refclock' option
  if they want to drive or interact with hardware.

  In any case, refclocks are not critical for both buildtime & runtime:

     [+] ./configure is smart enough to disable a refclock
     if requirements are not met. In the submitted context,
     this happens for refclock=gpsd without BR2_PACKAGE_GPSD
     selected by user

     [+] some refclocks naturally require a specific hw support
     with related kernel driver.
     This is not buildtime critical because build does not care
     about hw support.
     This is not runtime critical either because any missing
     hw support or unfeasible hardware access ends up as a logged
     error message. It is up to the user to correct it in the
     submitted context: example: 'nmea/gps' receivers without kernel support
     or hardware not plugged in.

ntpd / ntpsec should be mutually exclusive if we hardcode S49ntp as the service script

---
 DEVELOPERS                                         |  1 +
 package/Config.in                                  |  1 +
 ...-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch | 61 ++++++++++++++++
 package/ntpsec/Config.in                           | 68 +++++++++++++++++
 package/ntpsec/S49ntp                              | 58 +++++++++++++++
 package/ntpsec/ntpd.etc.conf                       | 33 +++++++++
 package/ntpsec/ntpd.service                        | 15 ++++
 package/ntpsec/ntpsec.hash                         |  4 +
 package/ntpsec/ntpsec.mk                           | 85 ++++++++++++++++++++++
 9 files changed, 326 insertions(+)
 create mode 100644 package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
 create mode 100644 package/ntpsec/Config.in
 create mode 100644 package/ntpsec/S49ntp
 create mode 100644 package/ntpsec/ntpd.etc.conf
 create mode 100644 package/ntpsec/ntpd.service
 create mode 100644 package/ntpsec/ntpsec.hash
 create mode 100644 package/ntpsec/ntpsec.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 3023526..32b5e87 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -2196,6 +2196,7 @@ F:	package/iwd/
 F:	package/libevdev/
 F:	package/libuev/
 F:	package/log4cplus/
+F:	package/ntpsec/
 F:	package/postgresql/
 F:	package/python-colorzero/
 F:	package/python-flask-wtf/
diff --git a/package/Config.in b/package/Config.in
index 5720830..544a0fd 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2271,6 +2271,7 @@ endif
 	source "package/nmap/Config.in"
 	source "package/noip/Config.in"
 	source "package/ntp/Config.in"
+	source "package/ntpsec/Config.in"
 	source "package/nuttcp/Config.in"
 	source "package/odhcp6c/Config.in"
 	source "package/odhcploc/Config.in"
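Review bot: the added `source "package/ntpsec/Config.in"` line makes ntpsec selectable next to package/ntp, while the notes under the commit message say the two should be mutually exclusive because S49ntp is hardcoded as the service script, and nothing in this hunk or in package/ntpsec/Config.in enforces that. Add `depends on !BR2_PACKAGE_NTP` with a matching comment to package/ntpsec/Config.in, or give the ntpsec init script a name of its own.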
diff --git a/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
new file mode 100644
index 0000000..c2838fe
--- /dev/null
+++ b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
@@ -0,0 +1,61 @@
+From 4015a1183d2f79dad6dd675ca5e0d329825f3fa3 Mon Sep 17 00:00:00 2001
+From: Peter Seiderer <ps.report@gmx.net>
+Date: Mon, 4 Oct 2021 22:25:58 +0200
+Subject: [PATCH] ntptime: fix jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use same define guard for definiton as for usage ('HAVE_STRUCT_NTPTIMEVAL_TAI'
+instead of 'NTP_API && NTP_API > 3').
+
+Fixes:
+
+  ../../ntptime/ntptime.c: In function ‘main’:
+  ../../ntptime/ntptime.c:349:17: error: ‘jfmt5’ undeclared (first use in this function); did you mean ‘jfmt6’?
+    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
+        |                 ^~~~~
+        |                 jfmt6
+  ../../ntptime/ntptime.c:349:17: note: each undeclared identifier is reported only once for each function it appears in
+  ../../ntptime/ntptime.c:349:25: error: ‘ofmt5’ undeclared (first use in this function); did you mean ‘ofmt6’?
+    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
+        |                         ^~~~~
+        |                         ofmt6
+  ../../ntptime/ntptime.c:321:15: warning: unused variable ‘jfmt6’ [-Wunused-variable]
+    321 |   const char *jfmt6 = "";
+        |               ^~~~~
+  ../../ntptime/ntptime.c:311:15: warning: unused variable ‘ofmt6’ [-Wunused-variable]
+    311 |   const char *ofmt6 = "\n";
+        |               ^~~~~
+
+[Upstream: https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1245]
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ ntptime/ntptime.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ntptime/ntptime.c b/ntptime/ntptime.c
+index ff861cb..5d58593 100644
+--- a/ntptime/ntptime.c
++++ b/ntptime/ntptime.c
+@@ -305,7 +305,7 @@ main(
+ 		const char *ofmt2 = "  time %s, (.%0*d),\n";
+ 		const char *ofmt3 = "  maximum error %lu us, estimated error %lu us";
+ 		const char *ofmt4 = "  ntptime=%x.%x unixtime=%x.%0*d %s";
+-#if defined NTP_API && NTP_API > 3
++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
+ 		const char *ofmt5 = ", TAI offset %ld\n";
+ #else
+ 		const char *ofmt6 = "\n";
+@@ -315,7 +315,7 @@ main(
+ 		const char *jfmt2 = "\"time\":\"%s\",\"fractional-time\":\".%0*d\",";
+ 		const char *jfmt3 = "\"maximum-error\":%lu,\"estimated-error\":%lu,";
+ 		const char *jfmt4 = "\"raw-ntp-time\":\"%x.%x\",\"raw-unix-time\":\"%x.%0*d %s\",";
+-#if defined NTP_API && NTP_API > 3
++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
+ 		const char *jfmt5 = "\"TAI-offset\":%d,";
+ #else
+ 		const char *jfmt6 = "";
+-- 
+2.33.0
+
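Review bot: in the second ntptime.c hunk of the embedded patch, `jfmt5` is `"\"TAI-offset\":%d,"` while the call quoted in its commit message passes `(long)ntv.tai` and `ofmt5` uses `%ld`, so the JSON path prints a long through `%d`. That mismatch predates this fix, but it sits right next to the guard being changed and is worth raising in the upstream merge request so that `jfmt5` uses `%ld` as well. Separately, the Buildroot commit message names the file 001-ntptime-... while the file added here is 0001-ntptime-...; please align the two.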
diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
new file mode 100644
index 0000000..9044aa4
--- /dev/null
+++ b/package/ntpsec/Config.in
@@ -0,0 +1,68 @@
+comment "ntpsec needs a toolchain w/ wchar, thread, dynamic library"
+	depends on BR2_STATIC_LIBS
+	depends on !BR2_USE_WCHAR
+	depends on !BR2_TOOLCHAIN_HAS_THREADS # libbsd
+
+comment "ntpsec needs libbsd"
+	depends on !BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
+	depends on !BR2_STATIC_LIBS # libbsd
+
+comment "ntpsec needs python3"
+	depends on !BR2_PACKAGE_PYTHON3
+
+config BR2_PACKAGE_NTPSEC
+	bool "ntpsec"
+	depends on !BR2_STATIC_LIBS # libbsd
+	depends on BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libbsd
+	depends on BR2_PACKAGE_PYTHON3
+	select BR2_PACKAGE_LIBCAP
+	select BR2_PACKAGE_LIBBSD
+	select BR2_PACKAGE_PPS_TOOLS # refclock(pps)
+	help
+	  NTPsec is a secure, hardened, and improved
+	  implementation of Network Time Protocol derived
+	  from NTP Classic, Dave Mills’s original.
+
+	  Provides things like ntpd, ntpdate, ntpq, etc...
+
+	  https://www.ntpsec.org/
+
+if BR2_PACKAGE_NTPSEC
+
+config BR2_PACKAGE_NTPSEC_CLASSIC_MODE
+	bool "ntpsec-classic"
+	help
+	  Enable strict configuration and log-format compatibility
+	  with NTP Classic.
+	  This option is not recommended as it makes the module
+	  less efficient.
+
+config BR2_PACKAGE_NTPSEC_NTS
+	bool "ntpsec-nts"
+	select BR2_PACKAGE_OPENSSL
+	help
+	  Enable Network Time Security (NTS) support.
+
+comment "ntpsec-ntploggpsd needs gpsd"
+	depends on !BR2_PACKAGE_GPSD
+
+config BR2_PACKAGE_NTPSEC_LEAP_SMEAR
+	bool "ntpsec-leap-smear"
+	help
+	  Activates leap second smearing,
+	  https://docs.ntpsec.org/latest/leapsmear.html
+
+config BR2_PACKAGE_NTPSEC_LEAP_TESTING
+	bool "ntpsec-leap-testing"
+	help
+	  Enables leap seconds on other than 1st day of month
+
+config BR2_PACKAGE_NTPSEC_EARLY_DROPROOT
+	bool "ntpsec-early-droproot"
+	help
+	  Drops root privileges as early as possible.
+	  This requires the refclock devices to be owned
+	  by owner/group running 'ntpd'
+
+endif
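Review bot: the first `comment` stacks three `depends on` lines, which Kconfig ANDs together, so the hint only appears when the toolchain is static, lacks wchar and lacks threads all at once. Combine the conditions with `||`, and make the text match the real constraints: `BR2_PACKAGE_NTPSEC` itself has no `BR2_USE_WCHAR` dependency. The `comment "ntpsec-ntploggpsd needs gpsd"` has no matching option in this file and can be dropped until one exists.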
diff --git a/package/ntpsec/S49ntp b/package/ntpsec/S49ntp
new file mode 100644
index 0000000..f3db514
--- /dev/null
+++ b/package/ntpsec/S49ntp
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# Starts Network Time Protocol daemon
+#
+
+DAEMON="ntpd"
+PIDFILE="/var/run/$DAEMON.pid"
+
+NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"
+
+# shellcheck source=/dev/null
+[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
+
+mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp
+
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	# shellcheck disable=SC2086 # we need the word splitting
+	start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
+		-- $NTPD_ARGS -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	start-stop-daemon -K -q -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		rm -f "$PIDFILE"
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+case "$1" in
+	start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
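Review bot: `mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp` sits at the top level, so it runs for `stop`, `reload` and even the usage error path. Move it into `start()` and fail the start when it does not succeed. Also note that `/etc/default/$DAEMON` is sourced after `NTPD_ARGS` is assigned, so an override that omits `-u ntp:ntp` leaves ntpd running as root without any hint; a short comment next to the default would make that visible to whoever writes the override.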
diff --git a/package/ntpsec/ntpd.etc.conf b/package/ntpsec/ntpd.etc.conf
new file mode 100644
index 0000000..e0f45c1
--- /dev/null
+++ b/package/ntpsec/ntpd.etc.conf
@@ -0,0 +1,33 @@
+#
+# legacy NTP configuration
+#
+pool 0.pool.ntp.org iburst
+pool 1.pool.ntp.org iburst
+pool 2.pool.ntp.org iburst
+pool 3.pool.ntp.org iburst
+
+#
+# NTS configuration
+#
+# Notes:
+#  - uncomment the following lines to enable NTS support (but
+#    make sure the initial clock is up-to-date (otherwise the
+#    NTS certificate validation will fail with 'NTSc: certificate invalid:
+#    9=>certificate is not yet valid' as on boards without RTC support)
+#    and/or keep at least one line from the legacy NTP lines
+#  - enable BR2_PACKAGE_CA_CERTIFICATES to gain access to the certificate
+#    files
+#
+# server time.cloudflare.com nts  # Global, anycast
+# server nts.ntp.se:4443 nts      # Sweden
+# server ntpmon.dcs1.biz nts      # Singapore
+# server ntp1.glypnod.com nts     # San Francisco
+# server ntp2.glypnod.com nts     # London
+#
+# ca /usr/share/ca-certificates/mozilla
+
+# Allow only time queries, at a limited rate, sending KoD when in excess.
+# Allow all local queries (IPv4, IPv6)
+restrict default nomodify nopeer noquery limited kod
+restrict 127.0.0.1
+restrict [::1]
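Review bot: the NTS note in the comment block is hard to follow: the parentheses opened at "(but" and "(otherwise" do not close cleanly, and "and/or keep at least one line from the legacy NTP lines" gives no reason. Say explicitly that a board without RTC needs some way to set the clock before certificate validation can pass, and that the four `pool` lines remain unauthenticated sources when left enabled next to the `nts` servers, so the person enabling NTS makes that trade-off knowingly.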
diff --git a/package/ntpsec/ntpd.service b/package/ntpsec/ntpd.service
new file mode 100644
index 0000000..b7db4a2
--- /dev/null
+++ b/package/ntpsec/ntpd.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Network Time Service
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/ntpd.pid
+# Turn off DNSSEC validation for hostname look-ups, since those need the
+# correct time to work, but we likely won't acquire that without NTP. Let's
+# break this chicken-and-egg cycle here.
+Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
+ExecStart=/usr/sbin/ntpd @NTPD_EXTRA_ARGS@ -g -p /run/ntpd.pid
+
+[Install]
+WantedBy=multi-user.target
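Review bot: `ExecStart` carries no `-u ntp:ntp`, so under systemd ntpd stays root while the S49ntp script in the same patch drops to the `ntp` user. Add the same option here so both init systems get the same privilege drop. In addition, `@NTPD_EXTRA_ARGS@` is a placeholder that the plain `$(INSTALL)` in `NTPSEC_INSTALL_INIT_SYSTEMD` never substitutes, so the literal token would end up on the ntpd command line.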
diff --git a/package/ntpsec/ntpsec.hash b/package/ntpsec/ntpsec.hash
new file mode 100644
index 0000000..49dc4e4
--- /dev/null
+++ b/package/ntpsec/ntpsec.hash
@@ -0,0 +1,4 @@
+# Locally calculated
+sha256  71c9f4bde6953bbc048bbaf278da81c451a56cc08d6772542b4ad37c67d72e89  ntpsec-NTPsec_1_2_1.tar.bz2
+sha256  b4db4de3317c3b0554ed91eb692968800bdfd6ad2c16ffbeee8ce4895ed91da4  LICENSE.adoc
+sha256  d3b21470adadd9abd9c6d675378f8c371ac5a4ea6dbec91859e02fadca3c0856  docs/copyright.adoc
diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
new file mode 100644
index 0000000..55b4bb0
--- /dev/null
+++ b/package/ntpsec/ntpsec.mk
@@ -0,0 +1,85 @@
+################################################################################
+#
+# ntpsec
+#
+################################################################################
+
+NTPSEC_VERSION_MAJOR = 1
+NTPSEC_VERSION_MINOR = 2
+NTPSEC_VERSION_POINT = 1
+NTPSEC_VERSION = $(NTPSEC_VERSION_MAJOR)_$(NTPSEC_VERSION_MINOR)_$(NTPSEC_VERSION_POINT)
+NTPSEC_SOURCE = ntpsec-NTPsec_$(NTPSEC_VERSION).tar.bz2
+NTPSEC_SITE = https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_$(NTPSEC_VERSION)
+NTPSEC_LICENSE = BSD-2-Clause NTP BSD-3-Clause MIT
+NTPSEC_LICENSE_FILES = LICENSE.adoc docs/copyright.adoc
+
+NTPSEC_CPE_ID_VENDOR = ntpsec
+NTPSEC_CPE_ID_VERSION = $(NTPSEC_VERSION_MAJOR).$(NTPSEC_VERSION_MINOR)
+NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
+
+NTPSEC_DEPENDENCIES = \
+	$(if $(BR2_PACKAGE_PYTHON),python,python3) \
+	libbsd \
+	pps-tools
+
+NTPSEC_PYVER = $(if $(BR2_PACKAGE_PYTHON),python$(PYTHON_VERSION_MAJOR),python$(PYTHON3_VERSION_MAJOR))
+
+NTPSEC_CONF_OPTS = \
+	CC=$(HOSTCC) \
+	PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/$(if $(BR2_PACKAGE_PYTHON),python,python3)-config" \
+	--cross-compiler="$(TARGET_CC)" \
+	--cross-cflags="$(TARGET_CFLAGS) -std=gnu99" \
+	--cross-ldflags="$(TARGET_LDFLAGS)" \
+	--notests \
+	--disable-mdns-registration \
+	--enable-pylib=ffi \
+	--nopyc \
+	--nopyo \
+	--nopycache \
+	--disable-doc \
+	--disable-manpage \
+	--refclock=all \
+	--libdir=/usr/lib/$(NTPSEC_PYVER)/site-packages/ntp
+
+ifeq ($(BR2_PACKAGE_NTPSEC_CLASSIC_MODE),y)
+NTPSEC_CONF_OPTS += --enable-classic-mode
+endif
+
+ifeq ($(BR2_PACKAGE_NTPSEC_NTS),y)
+NTPSEC_DEPENDENCIES += openssl
+else
+NTPSEC_CONF_OPTS += --disable-nts
+endif
+
+ifeq ($(BR2_PACKAGE_NTPSEC_EARLY_DROPROOT),y)
+NTPSEC_DEPENDENCIES += libcap
+NTPSEC_CONF_OPTS += --enable-early-droproot
+endif
+
+ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_SMEAR),y)
+NTPSEC_CONF_OPTS += --enable-leap-smear
+endif
+
+ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_TESTING),y)
+NTPSEC_CONF_OPTS += --enable-leap-testing
+endif
+
+define NTPSEC_INSTALL_NTPSEC_CONF
+	$(INSTALL) -m 644 package/ntpsec/ntpd.etc.conf $(TARGET_DIR)/etc/ntp.conf
+endef
+NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_INSTALL_NTPSEC_CONF
+
+define NTPSEC_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 755 $(NTPSEC_PKGDIR)/S49ntp $(TARGET_DIR)/etc/init.d/S49ntp
+endef
+
+define NTPSEC_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 644 $(NTPSEC_PKGDIR)/ntpd.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/ntpd.service
+endef
+
+define NTPSEC_USERS
+	ntp -1 ntp -1 * - - - ntpd user
+endef
+
+$(eval $(waf-package))
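Review bot: `libcap` is appended to `NTPSEC_DEPENDENCIES` only inside the `BR2_PACKAGE_NTPSEC_EARLY_DROPROOT` block, although S49ntp always starts ntpd with `-u ntp:ntp` and Config.in selects `BR2_PACKAGE_LIBCAP` unconditionally. Without the dependency nothing guarantees libcap is built before ntpsec is configured, so list `libcap` in the base `NTPSEC_DEPENDENCIES` and keep only `--enable-early-droproot` conditional. Separately, `NTPSEC_INSTALL_NTPSEC_CONF` uses the literal `package/ntpsec/` path and no `-D`; use `$(NTPSEC_PKGDIR)` as the two init hooks do.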
-- 
1.8.3.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/ntpsec: new package
  2021-12-12 20:07 ` [Buildroot] [PATCH 1/1] " guillaume.bressaix
@ 2021-12-15 20:43   ` Peter Seiderer
  2021-12-15 21:21     ` Guillaume Bres
  0 siblings, 1 reply; 11+ messages in thread
From: Peter Seiderer @ 2021-12-15 20:43 UTC (permalink / raw)
  To: guillaume.bressaix; +Cc: buildroot

Hello Guillaume,

thanks for your interest, testing and improvement of the ntpsec patch, some comments below...

On Sun, 12 Dec 2021 21:07:41 +0100, guillaume.bressaix@gmail.com wrote:

> From: Peter Seiderer <ps.report@gmx.net>
> 
> - set 'CC=gcc' to avoid cross-compile failure (see [1]):
> 
>   /bin/sh: line 1: .../build/ntpsec-1_2_0/build/host/ntpd/keyword-gen: cannot execute binary file: Exec format error
> 
>   Waf: Leaving directory `.../build/ntpsec-1_2_0/build/host'
>   Build failed
>    -> task in 'ntp_keyword.h' failed with exit status 126 (run with -v to display more information)  
> 
> - set '-std=gnu99"' to avoid compile failure with old compilers
> 
> - explicit set PYTHON_CONFIG
> 
> - add patch 001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch to
>   fix ntptime jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
> 
> - add SYSV init file (S49ntp)
> 
> - add example ntpd.conf (with legacy option enabled and provide skeleton
>   for NTS configuration)
> 
> - add config option for NTS support
> 
> - depend on python3 (omit python2 to reduce test effort)
> 
> - add ntp user/group and run ntpd as restricted user
> 
> - add libcap dependency (compile time optional but needed for droproot
>   support)
> 
> - submit latest ntpsec version 1.2.1

Interesting, not listed as release, but tagged and downloadable...

> 
> - lib ntpc import in python is fixed by specifying the --libdir flag.
>   -> removed the symlink trick  

Fine..., will test it...

> 
> - add --refclock=all flags to configure, see notes down below
> 
> - add leap second management options & ntpviz
> 
> - improved Config.in:
>   libbsd is required

Are you sure? With the original patch ntpsec builds fine without libbsd available...

>   openssl is only needed when NTS encryption is enabled

A build without NTS and without openssl gives:

	Checking for OpenSSL/libcrypto (via pkg-config)                 : not found 
	Checking for OpenSSL's crypto library                           : not found 
	The configuration failed

>   (depend on python3 only to simplify things)
>   improved classic mode help description
>   improved early-drop-root feature description
> 
> - early droproot should be an option: adapt libcap accordingly

This will break (the hard coded) '-u ntp:ntp' option from package/ntpsec/S49ntp,
any reason to avoid the security feature?

> 
> - corrected CC=gcc to CC=$(HOSTCC) in ntpsec.mk

Good point...

> 
> - provide service script for systemd infra along sysv infra

Better done as an extra patch (easier to review)....

> 
> - I don't think we need the patch if we restrict to !BR2_TOOLCHAIN_UCLIBC
>   IMO it's better to keep the patch and allow all toolchains.
>   I usually have glibc, but I just ran a sanity check on my zedboard with uclibc,
>   it passed.

Not important for the commit log...

> 
> - used on zynq_zed_defconfig and beaglebone_defconfig
>   daemon automatically started
>   ntpq works fine
> 
> [1] https://gitlab.com/NTPsec/ntpsec/-/issues/694
> 
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
> 
> ---
> notes on refclocks: https://docs.ntpsec.org/latest/refclock.html
>   "For security reasons, we will no longer support any refclock
>   that requires a closed-source driver to run", see webpage.
> 
>   --refclock=all is hardcoded at the moment
> 
>   One must compile ntpsec with the 'refclock' option
>   if they want to drive or interact with hardware.
> 
>   In any case, refclocks are not critical for both buildtime & runtime:
> 
>      [+] ./configure is smart enough to disable a refclock
>      if requirements are not met. In the submitted context,
>      this happens for refclock=gpsd without BR2_PACKAGE_GPSD
>      selected by user
> 
>      [+] some refclocks naturally require a specific hw support
>      with related kernel driver.
>      This is not buildtime critical because build does not care
>      about hw support.
>      This is not runtime critical either because any missing
>      hw support or unfeasible hardware access ends up as a logged
>      error message. It is up to the user to correct it in the
>      submitted context: example: 'nmea/gps' receivers without kernel support
>      or hardware not plugged in.

Would prefer one option per refclock to reduce dependencies...

> 
> ntpd / ntpsec should be mutually exclusive if we hardcode S49ntp as the service script
> 
> ---
>  DEVELOPERS                                         |  1 +
>  package/Config.in                                  |  1 +
>  ...-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch | 61 ++++++++++++++++
>  package/ntpsec/Config.in                           | 68 +++++++++++++++++
>  package/ntpsec/S49ntp                              | 58 +++++++++++++++
>  package/ntpsec/ntpd.etc.conf                       | 33 +++++++++
>  package/ntpsec/ntpd.service                        | 15 ++++
>  package/ntpsec/ntpsec.hash                         |  4 +
>  package/ntpsec/ntpsec.mk                           | 85 ++++++++++++++++++++++
>  9 files changed, 326 insertions(+)
>  create mode 100644 package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
>  create mode 100644 package/ntpsec/Config.in
>  create mode 100644 package/ntpsec/S49ntp
>  create mode 100644 package/ntpsec/ntpd.etc.conf
>  create mode 100644 package/ntpsec/ntpd.service
>  create mode 100644 package/ntpsec/ntpsec.hash
>  create mode 100644 package/ntpsec/ntpsec.mk
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 3023526..32b5e87 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -2196,6 +2196,7 @@ F:	package/iwd/
>  F:	package/libevdev/
>  F:	package/libuev/
>  F:	package/log4cplus/
> +F:	package/ntpsec/
>  F:	package/postgresql/
>  F:	package/python-colorzero/
>  F:	package/python-flask-wtf/
> diff --git a/package/Config.in b/package/Config.in
> index 5720830..544a0fd 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2271,6 +2271,7 @@ endif
>  	source "package/nmap/Config.in"
>  	source "package/noip/Config.in"
>  	source "package/ntp/Config.in"
> +	source "package/ntpsec/Config.in"
>  	source "package/nuttcp/Config.in"
>  	source "package/odhcp6c/Config.in"
>  	source "package/odhcploc/Config.in"
> diff --git a/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> new file mode 100644
> index 0000000..c2838fe
> --- /dev/null
> +++ b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> @@ -0,0 +1,61 @@
> +From 4015a1183d2f79dad6dd675ca5e0d329825f3fa3 Mon Sep 17 00:00:00 2001
> +From: Peter Seiderer <ps.report@gmx.net>
> +Date: Mon, 4 Oct 2021 22:25:58 +0200
> +Subject: [PATCH] ntptime: fix jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Use same define guard for definiton as for usage ('HAVE_STRUCT_NTPTIMEVAL_TAI'
> +instead of 'NTP_API && NTP_API > 3').
> +
> +Fixes:
> +
> +  ../../ntptime/ntptime.c: In function ‘main’:
> +  ../../ntptime/ntptime.c:349:17: error: ‘jfmt5’ undeclared (first use in this function); did you mean ‘jfmt6’?
> +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> +        |                 ^~~~~
> +        |                 jfmt6
> +  ../../ntptime/ntptime.c:349:17: note: each undeclared identifier is reported only once for each function it appears in
> +  ../../ntptime/ntptime.c:349:25: error: ‘ofmt5’ undeclared (first use in this function); did you mean ‘ofmt6’?
> +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> +        |                         ^~~~~
> +        |                         ofmt6
> +  ../../ntptime/ntptime.c:321:15: warning: unused variable ‘jfmt6’ [-Wunused-variable]
> +    321 |   const char *jfmt6 = "";
> +        |               ^~~~~
> +  ../../ntptime/ntptime.c:311:15: warning: unused variable ‘ofmt6’ [-Wunused-variable]
> +    311 |   const char *ofmt6 = "\n";
> +        |               ^~~~~
> +
> +[Upstream: https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1245]
> +Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> +---
> + ntptime/ntptime.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/ntptime/ntptime.c b/ntptime/ntptime.c
> +index ff861cb..5d58593 100644
> +--- a/ntptime/ntptime.c
> ++++ b/ntptime/ntptime.c
> +@@ -305,7 +305,7 @@ main(
> + 		const char *ofmt2 = "  time %s, (.%0*d),\n";
> + 		const char *ofmt3 = "  maximum error %lu us, estimated error %lu us";
> + 		const char *ofmt4 = "  ntptime=%x.%x unixtime=%x.%0*d %s";
> +-#if defined NTP_API && NTP_API > 3
> ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> + 		const char *ofmt5 = ", TAI offset %ld\n";
> + #else
> + 		const char *ofmt6 = "\n";
> +@@ -315,7 +315,7 @@ main(
> + 		const char *jfmt2 = "\"time\":\"%s\",\"fractional-time\":\".%0*d\",";
> + 		const char *jfmt3 = "\"maximum-error\":%lu,\"estimated-error\":%lu,";
> + 		const char *jfmt4 = "\"raw-ntp-time\":\"%x.%x\",\"raw-unix-time\":\"%x.%0*d %s\",";
> +-#if defined NTP_API && NTP_API > 3
> ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> + 		const char *jfmt5 = "\"TAI-offset\":%d,";
> + #else
> + 		const char *jfmt6 = "";
> +-- 
> +2.33.0
> +
> diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
> new file mode 100644
> index 0000000..9044aa4
> --- /dev/null
> +++ b/package/ntpsec/Config.in
> @@ -0,0 +1,68 @@
> +comment "ntpsec needs a toolchain w/ wchar, thread, dynamic library"
> +	depends on BR2_STATIC_LIBS
> +	depends on !BR2_USE_WCHAR
> +	depends on !BR2_TOOLCHAIN_HAS_THREADS # libbsd
> +
> +comment "ntpsec needs libbsd"
> +	depends on !BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
> +	depends on !BR2_STATIC_LIBS # libbsd
> +
> +comment "ntpsec needs python3"
> +	depends on !BR2_PACKAGE_PYTHON3
> +
> +config BR2_PACKAGE_NTPSEC
> +	bool "ntpsec"
> +	depends on !BR2_STATIC_LIBS # libbsd
> +	depends on BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # libbsd
> +	depends on BR2_PACKAGE_PYTHON3
> +	select BR2_PACKAGE_LIBCAP
> +	select BR2_PACKAGE_LIBBSD
> +	select BR2_PACKAGE_PPS_TOOLS # refclock(pps)
> +	help
> +	  NTPsec is a secure, hardened, and improved
> +	  implementation of Network Time Protocol derived
> +	  from NTP Classic, Dave Mills’s original.
> +
> +	  Provides things like ntpd, ntpdate, ntpq, etc...
> +
> +	  https://www.ntpsec.org/
> +
> +if BR2_PACKAGE_NTPSEC
> +
> +config BR2_PACKAGE_NTPSEC_CLASSIC_MODE
> +	bool "ntpsec-classic"
> +	help
> +	  Enable strict configuration and log-format compatibility
> +	  with NTP Classic.
> +	  This option is not recommended as it makes the module
> +	  less efficient.
> +
> +config BR2_PACKAGE_NTPSEC_NTS
> +	bool "ntpsec-nts"
> +	select BR2_PACKAGE_OPENSSL
> +	help
> +	  Enable Network Time Security (NTS) support.
> +
> +comment "ntpsec-ntploggpsd needs gpsd"
> +	depends on !BR2_PACKAGE_GPSD
> +
> +config BR2_PACKAGE_NTPSEC_LEAP_SMEAR
> +	bool "ntpsec-leap-smear"
> +	help
> +	  Activates leap second smearing,
> +	  https://docs.ntpsec.org/latest/leapsmear.html
> +
> +config BR2_PACKAGE_NTPSEC_LEAP_TESTING
> +	bool "ntpsec-leap-testing"
> +	help
> +	  Enables leap seconds on other than 1st day of month
> +
> +config BR2_PACKAGE_NTPSEC_EARLY_DROPROOT
> +	bool "ntpsec-early-droproot"
> +	help
> +	  Drops root privileges as early as possible.
> +	  This requires the refclock devices to be owned
> +	  by owner/group running 'ntpd'
> +
> +endif
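Review bot: `select BR2_PACKAGE_OPENSSL` sits only under `BR2_PACKAGE_NTPSEC_NTS`, yet the configure output quoted earlier in this reply shows the libcrypto check failing when NTS and openssl are both off. Move the select to `BR2_PACKAGE_NTPSEC` and the `openssl` entry in ntpsec.mk to the unconditional dependencies, leaving the NTS option to control only `--disable-nts`.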
> diff --git a/package/ntpsec/S49ntp b/package/ntpsec/S49ntp
> new file mode 100644
> index 0000000..f3db514
> --- /dev/null
> +++ b/package/ntpsec/S49ntp
> @@ -0,0 +1,58 @@
> +#!/bin/sh
> +#
> +# Starts Network Time Protocol daemon
> +#
> +
> +DAEMON="ntpd"
> +PIDFILE="/var/run/$DAEMON.pid"
> +
> +NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"
> +
> +# shellcheck source=/dev/null
> +[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
> +
> +mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp
> +
> +start() {
> +	printf 'Starting %s: ' "$DAEMON"
> +	# shellcheck disable=SC2086 # we need the word splitting
> +	start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
> +		-- $NTPD_ARGS -p "$PIDFILE"
> +	status=$?
> +	if [ "$status" -eq 0 ]; then
> +		echo "OK"
> +	else
> +		echo "FAIL"
> +	fi
> +	return "$status"
> +}
> +
> +stop() {
> +	printf 'Stopping %s: ' "$DAEMON"
> +	start-stop-daemon -K -q -p "$PIDFILE"
> +	status=$?
> +	if [ "$status" -eq 0 ]; then
> +		rm -f "$PIDFILE"
> +		echo "OK"
> +	else
> +		echo "FAIL"
> +	fi
> +	return "$status"
> +}
> +
> +restart() {
> +	stop
> +	sleep 1
> +	start
> +}
> +
> +case "$1" in
> +	start|stop|restart)
> +		"$1";;
> +	reload)
> +		# Restart, since there is no true "reload" feature.
> +		restart;;
> +	*)
> +		echo "Usage: $0 {start|stop|restart|reload}"
> +		exit 1
> +esac
> diff --git a/package/ntpsec/ntpd.etc.conf b/package/ntpsec/ntpd.etc.conf
> new file mode 100644
> index 0000000..e0f45c1
> --- /dev/null
> +++ b/package/ntpsec/ntpd.etc.conf
> @@ -0,0 +1,33 @@
> +#
> +# legacy NTP configuration
> +#
> +pool 0.pool.ntp.org iburst
> +pool 1.pool.ntp.org iburst
> +pool 2.pool.ntp.org iburst
> +pool 3.pool.ntp.org iburst
> +
> +#
> +# NTS configuration
> +#
> +# Notes:
> +#  - uncomment the following lines to enable NTS support (but
> +#    make sure the initial clock is up-to-date (otherwise the
> +#    NTS certificate validation will fail with 'NTSc: certificate invalid:
> +#    9=>certificate is not yet valid' as on boards without RTC support)
> +#    and/or keep at least one line from the legacy NTP lines
> +#  - enable BR2_PACKAGE_CA_CERTIFICATES to gain access to the certificate
> +#    files
> +#
> +# server time.cloudflare.com nts  # Global, anycast
> +# server nts.ntp.se:4443 nts      # Sweden
> +# server ntpmon.dcs1.biz nts      # Singapore
> +# server ntp1.glypnod.com nts     # San Francisco
> +# server ntp2.glypnod.com nts     # London
> +#
> +# ca /usr/share/ca-certificates/mozilla
> +
> +# Allow only time queries, at a limited rate, sending KoD when in excess.
> +# Allow all local queries (IPv4, IPv6)
> +restrict default nomodify nopeer noquery limited kod
> +restrict 127.0.0.1
> +restrict [::1]
> diff --git a/package/ntpsec/ntpd.service b/package/ntpsec/ntpd.service
> new file mode 100644
> index 0000000..b7db4a2
> --- /dev/null
> +++ b/package/ntpsec/ntpd.service
> @@ -0,0 +1,15 @@
> +[Unit]
> +Description=Network Time Service
> +After=network.target
> +
> +[Service]
> +Type=forking
> +PIDFile=/run/ntpd.pid
> +# Turn off DNSSEC validation for hostname look-ups, since those need the
> +# correct time to work, but we likely won't acquire that without NTP. Let's
> +# break this chicken-and-egg cycle here.
> +Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
> +ExecStart=/usr/sbin/ntpd @NTPD_EXTRA_ARGS@ -g -p /run/ntpd.pid

The @NTPD_EXTRA_ARGS@ handling needs the sed command instead of the
simple install one (see package/ntp/ntp.mk)...

> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/package/ntpsec/ntpsec.hash b/package/ntpsec/ntpsec.hash
> new file mode 100644
> index 0000000..49dc4e4
> --- /dev/null
> +++ b/package/ntpsec/ntpsec.hash
> @@ -0,0 +1,4 @@
> +# Locally calculated
> +sha256  71c9f4bde6953bbc048bbaf278da81c451a56cc08d6772542b4ad37c67d72e89  ntpsec-NTPsec_1_2_1.tar.bz2
> +sha256  b4db4de3317c3b0554ed91eb692968800bdfd6ad2c16ffbeee8ce4895ed91da4  LICENSE.adoc
> +sha256  d3b21470adadd9abd9c6d675378f8c371ac5a4ea6dbec91859e02fadca3c0856  docs/copyright.adoc
> diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
> new file mode 100644
> index 0000000..55b4bb0
> --- /dev/null
> +++ b/package/ntpsec/ntpsec.mk
> @@ -0,0 +1,85 @@
> +################################################################################
> +#
> +# ntpsec
> +#
> +################################################################################
> +
> +NTPSEC_VERSION_MAJOR = 1
> +NTPSEC_VERSION_MINOR = 2
> +NTPSEC_VERSION_POINT = 1
> +NTPSEC_VERSION = $(NTPSEC_VERSION_MAJOR)_$(NTPSEC_VERSION_MINOR)_$(NTPSEC_VERSION_POINT)
> +NTPSEC_SOURCE = ntpsec-NTPsec_$(NTPSEC_VERSION).tar.bz2
> +NTPSEC_SITE = https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_$(NTPSEC_VERSION)
> +NTPSEC_LICENSE = BSD-2-Clause NTP BSD-3-Clause MIT
> +NTPSEC_LICENSE_FILES = LICENSE.adoc docs/copyright.adoc
> +
> +NTPSEC_CPE_ID_VENDOR = ntpsec
> +NTPSEC_CPE_ID_VERSION = $(NTPSEC_VERSION_MAJOR).$(NTPSEC_VERSION_MINOR)
> +NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
> +
> +NTPSEC_DEPENDENCIES = \
> +	$(if $(BR2_PACKAGE_PYTHON),python,python3) \
> +	libbsd \
> +	pps-tools
> +
> +NTPSEC_PYVER = $(if $(BR2_PACKAGE_PYTHON),python$(PYTHON_VERSION_MAJOR),python$(PYTHON3_VERSION_MAJOR))
> +
> +NTPSEC_CONF_OPTS = \
> +	CC=$(HOSTCC) \
> +	PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/$(if $(BR2_PACKAGE_PYTHON),python,python3)-config" \
> +	--cross-compiler="$(TARGET_CC)" \
> +	--cross-cflags="$(TARGET_CFLAGS) -std=gnu99" \
> +	--cross-ldflags="$(TARGET_LDFLAGS)" \
> +	--notests \
> +	--disable-mdns-registration \
> +	--enable-pylib=ffi \
> +	--nopyc \
> +	--nopyo \
> +	--nopycache \
> +	--disable-doc \
> +	--disable-manpage \
> +	--refclock=all \
> +	--libdir=/usr/lib/$(NTPSEC_PYVER)/site-packages/ntp
> +
> +ifeq ($(BR2_PACKAGE_NTPSEC_CLASSIC_MODE),y)
> +NTPSEC_CONF_OPTS += --enable-classic-mode
> +endif
> +
> +ifeq ($(BR2_PACKAGE_NTPSEC_NTS),y)
> +NTPSEC_DEPENDENCIES += openssl
> +else
> +NTPSEC_CONF_OPTS += --disable-nts
> +endif
> +
> +ifeq ($(BR2_PACKAGE_NTPSEC_EARLY_DROPROOT),y)
> +NTPSEC_DEPENDENCIES += libcap
> +NTPSEC_CONF_OPTS += --enable-early-droproot
> +endif
> +
> +ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_SMEAR),y)
> +NTPSEC_CONF_OPTS += --enable-leap-smear
> +endif
> +
> +ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_TESTING),y)
> +NTPSEC_CONF_OPTS += --enable-leap-testing
> +endif
> +
> +define NTPSEC_INSTALL_NTPSEC_CONF
> +	$(INSTALL) -m 644 package/ntpsec/ntpd.etc.conf $(TARGET_DIR)/etc/ntp.conf
> +endef
> +NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_INSTALL_NTPSEC_CONF
> +
> +define NTPSEC_INSTALL_INIT_SYSV
> +	$(INSTALL) -D -m 755 $(NTPSEC_PKGDIR)/S49ntp $(TARGET_DIR)/etc/init.d/S49ntp
> +endef
> +
> +define NTPSEC_INSTALL_INIT_SYSTEMD
> +	$(INSTALL) -D -m 644 $(NTPSEC_PKGDIR)/ntpd.service \
> +		$(TARGET_DIR)/usr/lib/systemd/system/ntpd.service
> +endef
> +
> +define NTPSEC_USERS
> +	ntp -1 ntp -1 * - - - ntpd user
> +endef
> +
> +$(eval $(waf-package))
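Review bot: the `$(if $(BR2_PACKAGE_PYTHON),python,python3)` conditionals in `NTPSEC_DEPENDENCIES`, `NTPSEC_PYVER` and `PYTHON_CONFIG` contradict Config.in, which depends on `BR2_PACKAGE_PYTHON3` only, and the commit message, which says python2 is omitted. Use `python3`, `python$(PYTHON3_VERSION_MAJOR)` and `python3-config` directly so the untested python2 branch cannot be taken.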

Will prepare an update of my original patch with the version update and some of
your findings..., feel free to provide your improvements as add-on patches ;-)

Regards,
Peter


* Re: [Buildroot] [PATCH 1/1] package/ntpsec: new package
  2021-12-15 20:43   ` Peter Seiderer
@ 2021-12-15 21:21     ` Guillaume Bres
  2021-12-15 22:15       ` Peter Seiderer
  0 siblings, 1 reply; 11+ messages in thread
From: Guillaume Bres @ 2021-12-15 21:21 UTC (permalink / raw)
  To: Peter Seiderer; +Cc: buildroot



Hello Peter,

> Will prepare an update of my original patch with the version update and some of
> your findings..., feel free to provide your improvements as add-on patches ;-)
sounds good, I'll wait for your v2 and will test it on my side

> Better done as an extra patch (easier to review)....
ok let's do that later

>  libbsd is required
>> Are you sure?
>> With the original patch ntpsec builds fine without libbsd available...
it's listed in the dependencies for this pkg in debian.
Ran a quick grep in their sources, it's clearly in their CI basic
requirements too, but I can't figure where they actually use it. They
clearly pass -lbsd to the linker though.

>Would prefer one option per refclock to reduce dependencies...
I tried to do so at first, but am failing at correctly concatenating the
refclocks in a comma separated string.
Expected format is "refclocks=gpsd,nmea,shm"
Order does not matter. It is very important to only have valid refclocks in
the submitted string otherwise configure fails. refclocks=",nmea,shm" and
refclocks="shm," would fail.

>Would prefer one option per refclock to reduce dependencies...
Actually there are no dependencies related to refclocks, it's up to the
user to provide a correct kernel config for specific hardware though. Only
"gpsd" will have unmet requirements at the moment and would get dropped out
by configure (smart detection). If you can provide a proper interface to
concatenate the string, that would be useful (I'm not good at shell
scripting). If we do so, I would recommend we stick to the list of actively
maintained refclocks (URL in my reply to v1)


Guillaume W. Bres
Software engineer
<guillaume.bressaix@gmail.com>
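One way to build the comma-separated `--refclock=` value discussed above without a leading or trailing comma, as an added example that is not part of the posted patch. The `BR2_PACKAGE_NTPSEC_REFCLOCK_*` symbols are hypothetical Config.in booleans, and `comma`/`space` are defined locally (Buildroot defines variables of the same names) so the fragment runs with plain GNU make.

```make
# Added example, not from the posted patch.
# The BR2_PACKAGE_NTPSEC_REFCLOCK_* symbols are hypothetical Config.in
# booleans; they are set by hand here to stand in for a .config.
BR2_PACKAGE_NTPSEC_REFCLOCK_NMEA = y
BR2_PACKAGE_NTPSEC_REFCLOCK_SHM = y
# BR2_PACKAGE_NTPSEC_REFCLOCK_GPSD is left unset on purpose.

# Helper variables, defined here so the fragment is self-contained.
comma := ,
empty :=
space := $(empty) $(empty)

# Each enabled option appends its driver name to NTPSEC_REFCLOCKS-y.
# A disabled option expands to "NTPSEC_REFCLOCKS-" and is never read.
NTPSEC_REFCLOCKS-$(BR2_PACKAGE_NTPSEC_REFCLOCK_GPSD) += gpsd
NTPSEC_REFCLOCKS-$(BR2_PACKAGE_NTPSEC_REFCLOCK_NMEA) += nmea
NTPSEC_REFCLOCKS-$(BR2_PACKAGE_NTPSEC_REFCLOCK_SHM) += shm

# $(strip) reduces the word list to single spaces with no leading or
# trailing blank, so the substitution cannot produce ",nmea,shm" or "shm,".
NTPSEC_REFCLOCKS = $(subst $(space),$(comma),$(strip $(NTPSEC_REFCLOCKS-y)))

# Pass the option only when at least one driver is selected, so configure
# never sees an empty --refclock= value.
ifneq ($(NTPSEC_REFCLOCKS),)
NTPSEC_CONF_OPTS += --refclock=$(NTPSEC_REFCLOCKS)
endif

# "make -f <this file>" prints the resulting configure option.
.PHONY: show
show:
	@echo "$(NTPSEC_CONF_OPTS)"
```

With the sample settings above the `show` target prints `--refclock=nmea,shm`; the order follows the order of the `+=` lines.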


On Wed, 15 Dec 2021 at 21:43, Peter Seiderer <ps.report@gmx.net> wrote:

> Hello Guillaume,
>
> thanks for your interest, testing and improvement of the ntpsec patch, some
> comments below...
>
> On Sun, 12 Dec 2021 21:07:41 +0100, guillaume.bressaix@gmail.com wrote:
>
> > From: Peter Seiderer <ps.report@gmx.net>
> >
> > - set 'CC=gcc' to avoid cross-compile failure (see [1]):
> >
> >   /bin/sh: line 1: .../build/ntpsec-1_2_0/build/host/ntpd/keyword-gen: cannot execute binary file: Exec format error
> >
> >   Waf: Leaving directory `.../build/ntpsec-1_2_0/build/host'
> >   Build failed
> >    -> task in 'ntp_keyword.h' failed with exit status 126 (run with -v to display more information)
> >
> > - set '-std=gnu99"' to avoid compile failure with old compilers
> >
> > - explicit set PYTHON_CONFIG
> >
> > - add patch 001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch to
> >   fix ntptime jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
> >
> > - add SYSV init file (S49ntp)
> >
> > - add example ntpd.conf (with legacy option enabled and provide skeleton
> >   for NTS configuration)
> >
> > - add config option for NTS support
> >
> > - depend on python3 (omit python2 to reduce test effort)
> >
> > - add ntp user/group and run ntpd as restricted user
> >
> > - add libcap dependency (compile time optional but needed for droproot
> >   support)
> >
> > - submit latest ntpsec version 1.2.1
>
> Interesting, not listed as release, but tagged and downloadable...
>
> >
> > - lib ntpc import in python is fixed by specifying the --libdir flag.
> >   -> removed the symlink trick
>
> Fine..., will test it...
>
> >
> > - add --refclock=all flags to configure, see notes down below
> >
> > - add leap second management options & ntpviz
> >
> > - improved Config.in:
> >   libbsd is required
>
> Are you sure? With the original patch ntpsec builds fine without libbsd
> available...
>
> >   openssl is only needed when NTS encryption is enabled
>
> A build without NTS and without openssl gives:
>
>         Checking for OpenSSL/libcrypto (via pkg-config)                 : not found
>         Checking for OpenSSL's crypto library                           : not found
>         The configuration failed
>
> >   (depend on python3 only to simplify things)
> >   improved classic mode help description
> >   improved early-drop-root feature description
> >
> > - early droproot should be an option: adapt libcap accordingly
>
> This will break (the hard coded) '-u ntp:ntp' option from
> package/ntpsec/S49ntp,
> any reason to avoid the security feature?
>
> >
> > - corrected CC=gcc to CC=$(HOSTCC) in ntpsec.mk
>
> Good point...
>
> >
> > - provide service script for systemd infra along sysv infra
>
> Better done as an extra patch (easier to review)....
>
> >
> > - I don't think we need the patch if we restrict to !BR2_TOOLCHAIN_UCLIBC
> >   IMO it's better to keep the patch and allow all toolchains.
> >   I usually have glibc, but I just ran a sanity check on my zedboard with uclibc,
> >   it passed.
>
> Not important for the commit log...
>
> >
> > - used on zynq_zed_defconfig and beaglebone_defconfig
> >   daemon automatically started
> >   ntpq works fine
> >
> > [1] https://gitlab.com/NTPsec/ntpsec/-/issues/694
> >
> > Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> > Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
> >
> > ---
> > notes on refclocks: https://docs.ntpsec.org/latest/refclock.html
> >   "For security reasons, we will no longer support any refclock
> >   that requires a closed-source driver to run", see webpage.
> >
> >   --refclock=all is hardcoded at the moment
> >
> >   One must compile ntpsec with the 'refclock' option
> >   if they want to drive or interact with hardware.
> >
> >   In any case, refclocks are not critical for both buildtime & runtime:
> >
> >      [+] ./configure is smart enough to disable a refclock
> >      if requirements are not met. In the submitted context,
> >      this happens for refclock=gpsd without BR2_PACKAGE_GPSD
> >      selected by user
> >
> >      [+] some refclocks naturally require a specific hw support
> >      with related kernel driver.
> >      This is not buildtime critical because build does not care
> >      about hw support.
> >      This is not runtime critical either because any missing
> >      hw support or unfeasible hardware access ends up as a logged
> >      error message. It is up to the user to correct it in the
> >      submitted context: example: 'nmea/gps' receivers without kernel support
> >      or hardware not plugged in.
>
> Would prefer one option per refclock to reduce dependencies...
>
> >
> > ntpd / ntpsec should be mutually exclusive if we hardcode S49ntp as the service script
> >
> > ---
> >  DEVELOPERS                                         |  1 +
> >  package/Config.in                                  |  1 +
> >  ...-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch | 61 ++++++++++++++++
> >  package/ntpsec/Config.in                           | 68
> +++++++++++++++++
> >  package/ntpsec/S49ntp                              | 58 +++++++++++++++
> >  package/ntpsec/ntpd.etc.conf                       | 33 +++++++++
> >  package/ntpsec/ntpd.service                        | 15 ++++
> >  package/ntpsec/ntpsec.hash                         |  4 +
> >  package/ntpsec/ntpsec.mk                           | 85
> ++++++++++++++++++++++
> >  9 files changed, 326 insertions(+)
> >  create mode 100644
> package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> >  create mode 100644 package/ntpsec/Config.in
> >  create mode 100644 package/ntpsec/S49ntp
> >  create mode 100644 package/ntpsec/ntpd.etc.conf
> >  create mode 100644 package/ntpsec/ntpd.service
> >  create mode 100644 package/ntpsec/ntpsec.hash
> >  create mode 100644 package/ntpsec/ntpsec.mk
> >
> > diff --git a/DEVELOPERS b/DEVELOPERS
> > index 3023526..32b5e87 100644
> > --- a/DEVELOPERS
> > +++ b/DEVELOPERS
> > @@ -2196,6 +2196,7 @@ F:      package/iwd/
> >  F:   package/libevdev/
> >  F:   package/libuev/
> >  F:   package/log4cplus/
> > +F:   package/ntpsec/
> >  F:   package/postgresql/
> >  F:   package/python-colorzero/
> >  F:   package/python-flask-wtf/
> > diff --git a/package/Config.in b/package/Config.in
> > index 5720830..544a0fd 100644
> > --- a/package/Config.in
> > +++ b/package/Config.in
> > @@ -2271,6 +2271,7 @@ endif
> >       source "package/nmap/Config.in"
> >       source "package/noip/Config.in"
> >       source "package/ntp/Config.in"
> > +     source "package/ntpsec/Config.in"
> >       source "package/nuttcp/Config.in"
> >       source "package/odhcp6c/Config.in"
> >       source "package/odhcploc/Config.in"
> > diff --git
> a/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> > new file mode 100644
> > index 0000000..c2838fe
> > --- /dev/null
> > +++
> b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> > @@ -0,0 +1,61 @@
> > +From 4015a1183d2f79dad6dd675ca5e0d329825f3fa3 Mon Sep 17 00:00:00 2001
> > +From: Peter Seiderer <ps.report@gmx.net>
> > +Date: Mon, 4 Oct 2021 22:25:58 +0200
> > +Subject: [PATCH] ntptime: fix jfmt5/ofmt5 jfmt6/ofmt6 related compile
> failure
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +Use same define guard for definiton as for usage
> ('HAVE_STRUCT_NTPTIMEVAL_TAI'
> > +instead of 'NTP_API && NTP_API > 3').
> > +
> > +Fixes:
> > +
> > +  ../../ntptime/ntptime.c: In function ‘main’:
> > +  ../../ntptime/ntptime.c:349:17: error: ‘jfmt5’ undeclared (first use
> in this function); did you mean ‘jfmt6’?
> > +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> > +        |                 ^~~~~
> > +        |                 jfmt6
> > +  ../../ntptime/ntptime.c:349:17: note: each undeclared identifier is
> reported only once for each function it appears in
> > +  ../../ntptime/ntptime.c:349:25: error: ‘ofmt5’ undeclared (first use
> in this function); did you mean ‘ofmt6’?
> > +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> > +        |                         ^~~~~
> > +        |                         ofmt6
> > +  ../../ntptime/ntptime.c:321:15: warning: unused variable ‘jfmt6’
> [-Wunused-variable]
> > +    321 |   const char *jfmt6 = "";
> > +        |               ^~~~~
> > +  ../../ntptime/ntptime.c:311:15: warning: unused variable ‘ofmt6’
> [-Wunused-variable]
> > +    311 |   const char *ofmt6 = "\n";
> > +        |               ^~~~~
> > +
> > +[Upstream: https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1245]
> > +Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> > +---
> > + ntptime/ntptime.c | 4 ++--
> > + 1 file changed, 2 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/ntptime/ntptime.c b/ntptime/ntptime.c
> > +index ff861cb..5d58593 100644
> > +--- a/ntptime/ntptime.c
> > ++++ b/ntptime/ntptime.c
> > +@@ -305,7 +305,7 @@ main(
> > +             const char *ofmt2 = "  time %s, (.%0*d),\n";
> > +             const char *ofmt3 = "  maximum error %lu us, estimated
> error %lu us";
> > +             const char *ofmt4 = "  ntptime=%x.%x unixtime=%x.%0*d %s";
> > +-#if defined NTP_API && NTP_API > 3
> > ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> > +             const char *ofmt5 = ", TAI offset %ld\n";
> > + #else
> > +             const char *ofmt6 = "\n";
> > +@@ -315,7 +315,7 @@ main(
> > +             const char *jfmt2 =
> "\"time\":\"%s\",\"fractional-time\":\".%0*d\",";
> > +             const char *jfmt3 =
> "\"maximum-error\":%lu,\"estimated-error\":%lu,";
> > +             const char *jfmt4 =
> "\"raw-ntp-time\":\"%x.%x\",\"raw-unix-time\":\"%x.%0*d %s\",";
> > +-#if defined NTP_API && NTP_API > 3
> > ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> > +             const char *jfmt5 = "\"TAI-offset\":%d,";
> > + #else
> > +             const char *jfmt6 = "";
> > +--
> > +2.33.0
> > +
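Review bot: in the second ntptime.c hunk the context line declaring jfmt5 uses `%d` ("\"TAI-offset\":%d,"), while the call quoted in the commit message is `printf(json ? jfmt5 : ofmt5, (long)ntv.tai)` and ofmt5 uses `%ld`. The patch already touches the guard directly above that declaration, so change jfmt5 to `%ld` in the same upstream fix so the format specifier matches the long argument in JSON mode as well.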
> > diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
> > new file mode 100644
> > index 0000000..9044aa4
> > --- /dev/null
> > +++ b/package/ntpsec/Config.in
> > @@ -0,0 +1,68 @@
> > +comment "ntpsec needs a toolchain w/ wchar, thread, dynamic library"
> > +     depends on BR2_STATIC_LIBS
> > +     depends on !BR2_USE_WCHAR
> > +     depends on !BR2_TOOLCHAIN_HAS_THREADS # libbsd
> > +
> > +comment "ntpsec needs libbsd"
> > +     depends on !BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
> > +     depends on !BR2_STATIC_LIBS # libbsd
> > +
> > +comment "ntpsec needs python3"
> > +     depends on !BR2_PACKAGE_PYTHON3
> > +
> > +config BR2_PACKAGE_NTPSEC
> > +     bool "ntpsec"
> > +     depends on !BR2_STATIC_LIBS # libbsd
> > +     depends on BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
> > +     depends on BR2_TOOLCHAIN_HAS_THREADS # libbsd
> > +     depends on BR2_PACKAGE_PYTHON3
> > +     select BR2_PACKAGE_LIBCAP
> > +     select BR2_PACKAGE_LIBBSD
> > +     select BR2_PACKAGE_PPS_TOOLS # refclock(pps)
> > +     help
> > +       NTPsec is a secure, hardened, and improved
> > +       implementation of Network Time Protocol derived
> > +       from NTP Classic, Dave Mills’s original.
> > +
> > +       Provides things like ntpd, ntpdate, ntpq, etc...
> > +
> > +       https://www.ntpsec.org/
> > +
> > +if BR2_PACKAGE_NTPSEC
> > +
> > +config BR2_PACKAGE_NTPSEC_CLASSIC_MODE
> > +     bool "ntpsec-classic"
> > +     help
> > +       Enable strict configuration and log-format compatibility
> > +       with NTP Classic.
> > +       This option is not recommended as it makes the module
> > +       less efficient.
> > +
> > +config BR2_PACKAGE_NTPSEC_NTS
> > +     bool "ntpsec-nts"
> > +     select BR2_PACKAGE_OPENSSL
> > +     help
> > +       Enable Network Time Security (NTS) support.
> > +
> > +comment "ntpsec-ntploggpsd needs gpsd"
> > +     depends on !BR2_PACKAGE_GPSD
> > +
> > +config BR2_PACKAGE_NTPSEC_LEAP_SMEAR
> > +     bool "ntpsec-leap-smear"
> > +     help
> > +       Activates leap second smearing,
> > +       https://docs.ntpsec.org/latest/leapsmear.html
> > +
> > +config BR2_PACKAGE_NTPSEC_LEAP_TESTING
> > +     bool "ntpsec-leap-testing"
> > +     help
> > +       Enables leap seconds on other than 1st day of month
> > +
> > +config BR2_PACKAGE_NTPSEC_EARLY_DROPROOT
> > +     bool "ntpsec-early-droproot"
> > +     help
> > +       Drops root privileges as early as possible.
> > +       This requires the refclock devices to be owned
> > +       by owner/group running 'ntpd'
> > +
> > +endif
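Review bot: the first comment entry lists BR2_STATIC_LIBS, !BR2_USE_WCHAR and !BR2_TOOLCHAIN_HAS_THREADS on three separate `depends on` lines, which Kconfig ANDs, so the hint is only shown when all three conditions hold at once. Put them in one `depends on` joined with `||`, and either add `depends on BR2_USE_WCHAR` to BR2_PACKAGE_NTPSEC or drop wchar from the comment text, since the config entry itself does not require it. The `comment "ntpsec-ntploggpsd needs gpsd"` entry also has no option in this file that it belongs to.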
> > diff --git a/package/ntpsec/S49ntp b/package/ntpsec/S49ntp
> > new file mode 100644
> > index 0000000..f3db514
> > --- /dev/null
> > +++ b/package/ntpsec/S49ntp
> > @@ -0,0 +1,58 @@
> > +#!/bin/sh
> > +#
> > +# Starts Network Time Protocol daemon
> > +#
> > +
> > +DAEMON="ntpd"
> > +PIDFILE="/var/run/$DAEMON.pid"
> > +
> > +NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"
> > +
> > +# shellcheck source=/dev/null
> > +[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
> > +
> > +mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp
> > +
> > +start() {
> > +     printf 'Starting %s: ' "$DAEMON"
> > +     # shellcheck disable=SC2086 # we need the word splitting
> > +     start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
> > +             -- $NTPD_ARGS -p "$PIDFILE"
> > +     status=$?
> > +     if [ "$status" -eq 0 ]; then
> > +             echo "OK"
> > +     else
> > +             echo "FAIL"
> > +     fi
> > +     return "$status"
> > +}
> > +
> > +stop() {
> > +     printf 'Stopping %s: ' "$DAEMON"
> > +     start-stop-daemon -K -q -p "$PIDFILE"
> > +     status=$?
> > +     if [ "$status" -eq 0 ]; then
> > +             rm -f "$PIDFILE"
> > +             echo "OK"
> > +     else
> > +             echo "FAIL"
> > +     fi
> > +     return "$status"
> > +}
> > +
> > +restart() {
> > +     stop
> > +     sleep 1
> > +     start
> > +}
> > +
> > +case "$1" in
> > +     start|stop|restart)
> > +             "$1";;
> > +     reload)
> > +             # Restart, since there is no true "reload" feature.
> > +             restart;;
> > +     *)
> > +             echo "Usage: $0 {start|stop|restart|reload}"
> > +             exit 1
> > +esac
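Review bot: `mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp` sits at file scope, so it runs on every invocation of the script, including stop and the usage error path. Move it into start(), directly before the start-stop-daemon call, so the directory is only created and re-owned when the daemon is actually about to be launched as the ntp user.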
> > diff --git a/package/ntpsec/ntpd.etc.conf b/package/ntpsec/ntpd.etc.conf
> > new file mode 100644
> > index 0000000..e0f45c1
> > --- /dev/null
> > +++ b/package/ntpsec/ntpd.etc.conf
> > @@ -0,0 +1,33 @@
> > +#
> > +# legacy NTP configuration
> > +#
> > +pool 0.pool.ntp.org iburst
> > +pool 1.pool.ntp.org iburst
> > +pool 2.pool.ntp.org iburst
> > +pool 3.pool.ntp.org iburst
> > +
> > +#
> > +# NTS configuration
> > +#
> > +# Notes:
> > +#  - uncomment the following lines to enable NTS support (but
> > +#    make sure the initial clock is up-to-date (otherwise the
> > +#    NTS certificate validation will fail with 'NTSc: certificate
> invalid:
> > +#    9=>certificate is not yet valid' as on boards without RTC support)
> > +#    and/or keep at least one line from the legacy NTP lines
> > +#  - enable BR2_PACKAGE_CA_CERTIFICATES to gain access to the
> certificate
> > +#    files
> > +#
> > +# server time.cloudflare.com nts  # Global, anycast
> > +# server nts.ntp.se:4443 nts      # Sweden
> > +# server ntpmon.dcs1.biz nts      # Singapore
> > +# server ntp1.glypnod.com nts     # San Francisco
> > +# server ntp2.glypnod.com nts     # London
> > +#
> > +# ca /usr/share/ca-certificates/mozilla
> > +
> > +# Allow only time queries, at a limited rate, sending KoD when in
> excess.
> > +# Allow all local queries (IPv4, IPv6)
> > +restrict default nomodify nopeer noquery limited kod
> > +restrict 127.0.0.1
> > +restrict [::1]
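Review bot: the NTS notes tell the user to enable BR2_PACKAGE_CA_CERTIFICATES for the `ca /usr/share/ca-certificates/mozilla` line, but BR2_PACKAGE_NTPSEC_NTS in Config.in only selects BR2_PACKAGE_OPENSSL. Select ca-certificates from the NTS option (as a runtime dependency) so that uncommenting the `server ... nts` lines works without a second manual configuration step, or state in the option's help text that it is required.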
> > diff --git a/package/ntpsec/ntpd.service b/package/ntpsec/ntpd.service
> > new file mode 100644
> > index 0000000..b7db4a2
> > --- /dev/null
> > +++ b/package/ntpsec/ntpd.service
> > @@ -0,0 +1,15 @@
> > +[Unit]
> > +Description=Network Time Service
> > +After=network.target
> > +
> > +[Service]
> > +Type=forking
> > +PIDFile=/run/ntpd.pid
> > +# Turn off DNSSEC validation for hostname look-ups, since those need the
> > +# correct time to work, but we likely won't acquire that without NTP.
> Let's
> > +# break this chicken-and-egg cycle here.
> > +Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
> > +ExecStart=/usr/sbin/ntpd @NTPD_EXTRA_ARGS@ -g -p /run/ntpd.pid
>
> The @NTPD_EXTRA_ARGS@ handling needs the sed command instead of the
> simple install one (see package/ntp/ntp.mk)...
>
> > +
> > +[Install]
> > +WantedBy=multi-user.target
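Review bot: ExecStart is `/usr/sbin/ntpd @NTPD_EXTRA_ARGS@ -g -p /run/ntpd.pid` with no `-u ntp:ntp`, so unless the substituted extra arguments supply it, the daemon keeps root on systemd targets while S49ntp drops to the ntp user. Pass the same `-u ntp:ntp` here so both init systems give the restricted user that the commit message describes.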
> > diff --git a/package/ntpsec/ntpsec.hash b/package/ntpsec/ntpsec.hash
> > new file mode 100644
> > index 0000000..49dc4e4
> > --- /dev/null
> > +++ b/package/ntpsec/ntpsec.hash
> > @@ -0,0 +1,4 @@
> > +# Locally calculated
> > +sha256
> 71c9f4bde6953bbc048bbaf278da81c451a56cc08d6772542b4ad37c67d72e89
> ntpsec-NTPsec_1_2_1.tar.bz2
> > +sha256
> b4db4de3317c3b0554ed91eb692968800bdfd6ad2c16ffbeee8ce4895ed91da4
> LICENSE.adoc
> > +sha256
> d3b21470adadd9abd9c6d675378f8c371ac5a4ea6dbec91859e02fadca3c0856
> docs/copyright.adoc
> > diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
> > new file mode 100644
> > index 0000000..55b4bb0
> > --- /dev/null
> > +++ b/package/ntpsec/ntpsec.mk
> > @@ -0,0 +1,85 @@
> >
> +################################################################################
> > +#
> > +# ntpsec
> > +#
> >
> +################################################################################
> > +
> > +NTPSEC_VERSION_MAJOR = 1
> > +NTPSEC_VERSION_MINOR = 2
> > +NTPSEC_VERSION_POINT = 1
> > +NTPSEC_VERSION =
> $(NTPSEC_VERSION_MAJOR)_$(NTPSEC_VERSION_MINOR)_$(NTPSEC_VERSION_POINT)
> > +NTPSEC_SOURCE = ntpsec-NTPsec_$(NTPSEC_VERSION).tar.bz2
> > +NTPSEC_SITE =
> https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_$(NTPSEC_VERSION)
> > +NTPSEC_LICENSE = BSD-2-Clause NTP BSD-3-Clause MIT
> > +NTPSEC_LICENSE_FILES = LICENSE.adoc docs/copyright.adoc
> > +
> > +NTPSEC_CPE_ID_VENDOR = ntpsec
> > +NTPSEC_CPE_ID_VERSION = $(NTPSEC_VERSION_MAJOR).$(NTPSEC_VERSION_MINOR)
> > +NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
> > +
> > +NTPSEC_DEPENDENCIES = \
> > +     $(if $(BR2_PACKAGE_PYTHON),python,python3) \
> > +     libbsd \
> > +     pps-tools
> > +
> > +NTPSEC_PYVER = $(if
> $(BR2_PACKAGE_PYTHON),python$(PYTHON_VERSION_MAJOR),python$(PYTHON3_VERSION_MAJOR))
> > +
> > +NTPSEC_CONF_OPTS = \
> > +     CC=$(HOSTCC) \
> > +     PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/$(if
> $(BR2_PACKAGE_PYTHON),python,python3)-config" \
> > +     --cross-compiler="$(TARGET_CC)" \
> > +     --cross-cflags="$(TARGET_CFLAGS) -std=gnu99" \
> > +     --cross-ldflags="$(TARGET_LDFLAGS)" \
> > +     --notests \
> > +     --disable-mdns-registration \
> > +     --enable-pylib=ffi \
> > +     --nopyc \
> > +     --nopyo \
> > +     --nopycache \
> > +     --disable-doc \
> > +     --disable-manpage \
> > +     --refclock=all \
> > +     --libdir=/usr/lib/$(NTPSEC_PYVER)/site-packages/ntp
> > +
> > +ifeq ($(BR2_PACKAGE_NTPSEC_CLASSIC_MODE),y)
> > +NTPSEC_CONF_OPTS += --enable-classic-mode
> > +endif
> > +
> > +ifeq ($(BR2_PACKAGE_NTPSEC_NTS),y)
> > +NTPSEC_DEPENDENCIES += openssl
> > +else
> > +NTPSEC_CONF_OPTS += --disable-nts
> > +endif
> > +
> > +ifeq ($(BR2_PACKAGE_NTPSEC_EARLY_DROPROOT),y)
> > +NTPSEC_DEPENDENCIES += libcap
> > +NTPSEC_CONF_OPTS += --enable-early-droproot
> > +endif
> > +
> > +ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_SMEAR),y)
> > +NTPSEC_CONF_OPTS += --enable-leap-smear
> > +endif
> > +
> > +ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_TESTING),y)
> > +NTPSEC_CONF_OPTS += --enable-leap-testing
> > +endif
> > +
> > +define NTPSEC_INSTALL_NTPSEC_CONF
> > +     $(INSTALL) -m 644 package/ntpsec/ntpd.etc.conf
> $(TARGET_DIR)/etc/ntp.conf
> > +endef
> > +NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_INSTALL_NTPSEC_CONF
> > +
> > +define NTPSEC_INSTALL_INIT_SYSV
> > +     $(INSTALL) -D -m 755 $(NTPSEC_PKGDIR)/S49ntp
> $(TARGET_DIR)/etc/init.d/S49ntp
> > +endef
> > +
> > +define NTPSEC_INSTALL_INIT_SYSTEMD
> > +     $(INSTALL) -D -m 644 $(NTPSEC_PKGDIR)/ntpd.service \
> > +             $(TARGET_DIR)/usr/lib/systemd/system/ntpd.service
> > +endef
> > +
> > +define NTPSEC_USERS
> > +     ntp -1 ntp -1 * - - - ntpd user
> > +endef
> > +
> > +$(eval $(waf-package))
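Review bot: libcap is appended to NTPSEC_DEPENDENCIES only inside the BR2_PACKAGE_NTPSEC_EARLY_DROPROOT block, yet Config.in selects BR2_PACKAGE_LIBCAP unconditionally and S49ntp always passes `-u ntp:ntp`. Without the dependency nothing guarantees libcap is built before ntpsec, so keep libcap in the unconditional dependency list and let the option control only `--enable-early-droproot`. The `$(if $(BR2_PACKAGE_PYTHON),python,python3)` expressions can also be reduced to python3, matching the "depend on python3 only" line in the commit message, and NTPSEC_INSTALL_NTPSEC_CONF should use $(NTPSEC_PKGDIR) like the two init install macros do.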
>
> Will prepare an update of my original patch with the version update and some of
> your findings..., feel free to provide your improvements as add-on patches ;-)
>
> Regards,
> Peter
>
>


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Buildroot] [PATCH 1/1] package/ntpsec: new package
  2021-12-15 21:21     ` Guillaume Bres
@ 2021-12-15 22:15       ` Peter Seiderer
  2021-12-17  7:57         ` Guillaume Bres
  0 siblings, 1 reply; 11+ messages in thread
From: Peter Seiderer @ 2021-12-15 22:15 UTC (permalink / raw)
  To: Guillaume Bres; +Cc: buildroot

Hello Guillaume,

On Wed, 15 Dec 2021 22:21:31 +0100, Guillaume Bres <guillaume.bressaix@gmail.com> wrote:

> Hello Peter,
> 
> > Will prepare an update of my original patch with the version update and some of
> > your findings..., feel free to provide your improvements as add-on patches ;-)
> sounds good, I'll wait for your v2 and will test it on my side
> 
> > Better done as an extra patch (easier to review)....  
> ok let's do that later
> 
> >  libbsd is required  
> >> Are you sure?
> >> With the original patch ntpsec builds fine without libbsd available...  
> it's listed in the dependencies for this pkg in debian.
> Ran a quick grep in their sources, it's clearly in their CI basic
> requirements too, but I can't figure where they actually use it. They
> clearly pass -lbsd to the linker though.


Checking for library bsd                 : not found
[...]
  LDFLAGS                       :  -Wl,-z,now -Wl,--strip-all -Wl,-z,relro 
  LINKFLAGS_NTPD                :  -pie 


With libbsd enabled I get the following failure:

--- building host --- 
Waf: Entering directory `.../build/ntpsec-1_2_1/build/host'
[1/2] Processing ntpd/ntp_parser.y
[2/2] Compiling build/host/ntpd/ntp_parser.tab.c
In file included from ../../include/ntp.h:15,
                 from .../build/ntpsec-1_2_1/ntpd/ntp_parser.y:16:
../../include/ntp_stdlib.h:20:10: fatal error: bsd/string.h: No such file or directory
   20 | #include <bsd/string.h>
      |          ^~~~~~~~~~~~~~
compilation terminated.


Can be avoided by the following patch:

diff --git a/package/libbsd/libbsd.mk b/package/libbsd/libbsd.mk
index 256a75f15e..454cee3f37 100644
--- a/package/libbsd/libbsd.mk
+++ b/package/libbsd/libbsd.mk
@@ -14,3 +14,4 @@ LIBBSD_CPE_ID_VENDOR = freedesktop
 LIBBSD_INSTALL_STAGING = YES
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
index 7275533d26..41013d1e99 100644
--- a/package/ntpsec/Config.in
+++ b/package/ntpsec/Config.in
@@ -1,6 +1,7 @@
 config BR2_PACKAGE_NTPSEC
 	bool "ntpsec"
 	depends on BR2_PACKAGE_PYTHON3
+	select BR2_PACKAGE_LIBBSD
 	select BR2_PACKAGE_LIBCAP
 	select BR2_PACKAGE_OPENSSL
 	help
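Review bot: `select BR2_PACKAGE_LIBBSD` is added to BR2_PACKAGE_NTPSEC without the dependencies that libbsd carries. The Config.in quoted earlier in this thread pairs the same select with `depends on BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS`, `depends on !BR2_STATIC_LIBS` and `depends on BR2_TOOLCHAIN_HAS_THREADS`; a select bypasses those checks, so they need to be repeated here together with a comment entry for the unmet case.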
diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
index 739ef0eab4..63eaf35268 100644
--- a/package/ntpsec/ntpsec.mk
+++ b/package/ntpsec/ntpsec.mk
@@ -20,11 +20,12 @@ NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
 NTPSEC_DEPENDENCIES = \
 	host-pkgconf \
 	python3 \
+	host-libbsd libbsd \
 	libcap \
 	openssl
 
 NTPSEC_CONF_OPTS = \
-	CC="$(HOSTCC)" \
+	CC="$(HOSTCC) -I$(HOST_DIR)/include" \
 	PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/python3-config" \
 	--libdir=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages/ntp \
 	--cross-compiler="$(TARGET_CC)" \
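Review bot: `CC="$(HOSTCC) -I$(HOST_DIR)/include"` folds a search path into the compiler name and covers only the header lookup for the host-side build. If the host tools also link against libbsd, the matching library directory under $(HOST_DIR) is still not passed, so hand the host include and library paths over as flags rather than through CC, and note in the commit message why host-libbsd is needed (the `bsd/string.h` failure in `build/host` shown above).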

> 
> >Would prefer one option per refclock to reduce dependencies...  
> I tried to do so at first, but am failing at correctly concatenating the
> refclocks in a comma separated string.
> Expected format is "refclocks=gpsd,nmea,shm"
> Order does not matter. It is very important to only have valid refclocks in
> the submitted string otherwise configure fails. refclocks=",nmea,shm" and
> refclocks="shm," would fail.
> 
> >Would prefer one option per refclock to reduce dependencies...  
> Actually there are no dependencies related to refclocks, it's up to the
> user to provide a correct kernel config for specific hardware though. Only
> "gpsd" will have unmet requirements at the moment and would get dropped out
> by configure (smart detection). If you can provide a proper interface to
> concatenate the string, that would be useful (I'm not good at shell
> scripting). If we do so, I would recommend we stick to the list of actively
> maintained refclocks (URL in my reply to v1)

Maybe take a look at package/mesa3d/mesa3d.mk and the dri-drivers handling:

	-Ddri-drivers=$(subst $(space),$(comma),$(MESA3D_DRI_DRIVERS-y))

Regards,
Peter
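
The mesa3d idiom referred to above, applied to the refclock list, as an added example that is not code from this thread or from Buildroot. The BR2_PACKAGE_NTPSEC_REFCLOCK_* symbols and the NTPSEC_REFCLOCKS-y variable are hypothetical names, and `space`/`comma` are defined locally so the file runs stand-alone with `make -f <file> show`.

```make
# Constructed stand-ins for Kconfig symbols (hypothetical names, not part of
# the submitted Config.in). A symbol that is "not set" is simply undefined.
BR2_PACKAGE_NTPSEC_REFCLOCK_NMEA = y
BR2_PACKAGE_NTPSEC_REFCLOCK_SHM = y
# BR2_PACKAGE_NTPSEC_REFCLOCK_GPSD is not set

# Buildroot provides $(space) and $(comma) globally; they are defined here
# only so this example has no external dependency.
empty :=
space := $(empty) $(empty)
comma := ,

# One line per refclock. When the symbol is 'y' the word lands in
# NTPSEC_REFCLOCKS-y; when it is unset the word lands in the throw-away
# variable "NTPSEC_REFCLOCKS-" and never reaches configure.
NTPSEC_REFCLOCKS-$(BR2_PACKAGE_NTPSEC_REFCLOCK_GPSD) += gpsd
NTPSEC_REFCLOCKS-$(BR2_PACKAGE_NTPSEC_REFCLOCK_NMEA) += nmea
NTPSEC_REFCLOCKS-$(BR2_PACKAGE_NTPSEC_REFCLOCK_SHM) += shm

# $(strip) collapses the list to single spaces with no leading or trailing
# blank, so the substitution can never produce ",nmea,shm" or "shm,", the two
# malformed forms that make configure fail according to the thread.
NTPSEC_REFCLOCK_LIST = $(subst $(space),$(comma),$(strip $(NTPSEC_REFCLOCKS-y)))

# Only emit the flag when at least one refclock is selected; an empty
# "--refclock=" would be just as invalid as a stray comma.
ifneq ($(NTPSEC_REFCLOCK_LIST),)
NTPSEC_CONF_OPTS += --refclock=$(NTPSEC_REFCLOCK_LIST)
endif

.PHONY: show
show:
	@echo '$(NTPSEC_CONF_OPTS)'
```

With the three assignments at the top, `show` prints `--refclock=nmea,shm`; commenting out both `= y` lines leaves NTPSEC_CONF_OPTS without any `--refclock` flag.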

> 
> 
> Guillaume W. Bres
> Software engineer
> <guillaume.bressaix@gmail.com>
> 
> 
> Le mer. 15 déc. 2021 à 21:43, Peter Seiderer <ps.report@gmx.net> a écrit :
> 
> > Hello Guillaume,
> >
> > thanks of interest, testing and improvement of the ntpsec patch, some
> > comments below...
> >
> > On Sun, 12 Dec 2021 21:07:41 +0100, guillaume.bressaix@gmail.com wrote:
> >  
> > > From: Peter Seiderer <ps.report@gmx.net>
> > >
> > > - set 'CC=gcc' to avoid cross-compile failure (see [1]):
> > >
> > >   /bin/sh: line 1: .../build/ntpsec-1_2_0/build/host/ntpd/keyword-gen: cannot execute binary file: Exec format error
> > >
> > >   Waf: Leaving directory `.../build/ntpsec-1_2_0/build/host'
> > >   Build failed  
> > >    -> task in 'ntp_keyword.h' failed with exit status 126 (run with -v to display more information)
> > >
> > > - set '-std=gnu99"' to avoid compile failure with old compilers
> > >
> > > - explicit set PYTHON_CONFIG
> > >
> > > - add patch 001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch to
> > >   fix ntptime jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
> > >
> > > - add SYSV init file (S49ntp)
> > >
> > > - add example ntpd.conf (with legacy option enabled and provide skeleton
> > >   for NTS configuration)
> > >
> > > - add config option for NTS support
> > >
> > > - depend on python3 (omit python2 to reduce test effort)
> > >
> > > - add ntp user/group and run ntpd as restricted user
> > >
> > > - add libcap dependency (compile time optional but needed for droproot
> > >   support)
> > >
> > > - submit latest ntpsec version 1.2.1  
> >
> > Interesting, not listed as release, but tagged and downloadable...
> >  
> > >
> > > - lib ntpc import in python is fixed by specifying the --libdir flag.  
> > >   -> removed the symlink trick  
> >
> > Fine..., will test it...
> >  
> > >
> > > - add --refclock=all flags to configure, see notes down below
> > >
> > > - add leap second management options & ntpviz
> > >
> > > - improved Config.in:
> > >   libbsd is required  
> >
> > Are you sure? With the original patch ntpsec builds fine without libbsd
> > available...
> >  
> > >   openssl is only needed when NTS encryption is enabled  
> >
> > A build without NTS and without openssl gives:
> >
> >         Checking for OpenSSL/libcrypto (via pkg-config)                 : not found
> >         Checking for OpenSSL's crypto library                           : not found
> >         The configuration failed
> >  
> > >   (depend on python3 only to simplify things)
> > >   improved classic mode help description
> > >   improved early-drop-root feature description
> > >
> > > - early droproot should be an option: adapt libcap accordingly  
> >
> > This will break (the hard coded) '-u ntp:ntp' option from package/ntpsec/S49ntp,
> > any reason to avoid the security feature?
> >  
> > >
> > > - corrected CC=gcc to CC=$(HOSTCC) in ntpsec.mk  
> >
> > Good point...
> >  
> > >
> > > - provide service script for systemd infra along sysv infra  
> >
> > Better done as an extra patch (easier to review)....
> >  
> > >
> > > - I don't think we need the patch if we restrict to !BR2_TOOLCHAIN_UCLIBC
> > >   IMO it's better to keep the patch and allow all toolchains.
> > >   I usually have glibc, but I just ran a sanity check on my zedboard with uclibc,
> > >   it passed.
> >
> > Not important for the commit log...
> >  
> > >
> > > - used on zynq_zed_defconfig and beaglebone_defconfig
> > >   daemon automatically started
> > >   ntpq works fine
> > >
> > > [1] https://gitlab.com/NTPsec/ntpsec/-/issues/694
> > >
> > > Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> > > Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
> > >
> > > ---
> > > notes on refclocks: https://docs.ntpsec.org/latest/refclock.html
> > >   "For security reasons, we will no longer support any refclock
> > >   that requires a closed-source driver to run", see webpage.
> > >
> > >   --refclock=all is hardcoded at the moment
> > >
> > >   One must compile ntpsec with the 'refclock' option
> > >   if they want to drive or interact with hardware.
> > >
> > >   In any case, refclocks are not critical for both buildtime & runtime:
> > >
> > >      [+] ./configure is smart enough to disable a refclock
> > >      if requirements are not met. In the submitted context,
> > >      this happens for refclock=gpsd without BR2_PACKAGE_GPSD
> > >      selected by user
> > >
> > >      [+] some refclocks naturally require a specific hw support
> > >      with related kernel driver.
> > >      This is not buildtime critical because build does not care
> > >      about hw support.
> > >      This is not runtime critical either because any missing
> > >      hw support or unfeasible hardware access ends up as a logged
> > >      error message. It is up to the user to correct it in the
> > >      submitted context: example: 'nmea/gps' receivers without kernel support
> > >      or hardware not plugged in.
> >
> > Would prefer one option per refclock to reduce dependencies...
> >  
> > >
> > > ntpd / ntpsec should be mutually exclusive if we hardcode S49ntp as the service script
> > >
> > > ---
> > >  DEVELOPERS                                         |  1 +
> > >  package/Config.in                                  |  1 +
> > >  ...-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch | 61 ++++++++++++++++
> > >  package/ntpsec/Config.in                           | 68  
> > +++++++++++++++++  
> > >  package/ntpsec/S49ntp                              | 58 +++++++++++++++
> > >  package/ntpsec/ntpd.etc.conf                       | 33 +++++++++
> > >  package/ntpsec/ntpd.service                        | 15 ++++
> > >  package/ntpsec/ntpsec.hash                         |  4 +
> > >  package/ntpsec/ntpsec.mk                           | 85  
> > ++++++++++++++++++++++  
> > >  9 files changed, 326 insertions(+)
> > >  create mode 100644  
> > package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch  
> > >  create mode 100644 package/ntpsec/Config.in
> > >  create mode 100644 package/ntpsec/S49ntp
> > >  create mode 100644 package/ntpsec/ntpd.etc.conf
> > >  create mode 100644 package/ntpsec/ntpd.service
> > >  create mode 100644 package/ntpsec/ntpsec.hash
> > >  create mode 100644 package/ntpsec/ntpsec.mk
> > >
> > > diff --git a/DEVELOPERS b/DEVELOPERS
> > > index 3023526..32b5e87 100644
> > > --- a/DEVELOPERS
> > > +++ b/DEVELOPERS
> > > @@ -2196,6 +2196,7 @@ F:      package/iwd/
> > >  F:   package/libevdev/
> > >  F:   package/libuev/
> > >  F:   package/log4cplus/
> > > +F:   package/ntpsec/
> > >  F:   package/postgresql/
> > >  F:   package/python-colorzero/
> > >  F:   package/python-flask-wtf/
> > > diff --git a/package/Config.in b/package/Config.in
> > > index 5720830..544a0fd 100644
> > > --- a/package/Config.in
> > > +++ b/package/Config.in
> > > @@ -2271,6 +2271,7 @@ endif
> > >       source "package/nmap/Config.in"
> > >       source "package/noip/Config.in"
> > >       source "package/ntp/Config.in"
> > > +     source "package/ntpsec/Config.in"
> > >       source "package/nuttcp/Config.in"
> > >       source "package/odhcp6c/Config.in"
> > >       source "package/odhcploc/Config.in"
> > > diff --git  
> > a/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> > b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch  
> > > new file mode 100644
> > > index 0000000..c2838fe
> > > --- /dev/null
> > > +++  
> > b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch  
> > > @@ -0,0 +1,61 @@
> > > +From 4015a1183d2f79dad6dd675ca5e0d329825f3fa3 Mon Sep 17 00:00:00 2001
> > > +From: Peter Seiderer <ps.report@gmx.net>
> > > +Date: Mon, 4 Oct 2021 22:25:58 +0200
> > > +Subject: [PATCH] ntptime: fix jfmt5/ofmt5 jfmt6/ofmt6 related compile  
> > failure  
> > > +MIME-Version: 1.0
> > > +Content-Type: text/plain; charset=UTF-8
> > > +Content-Transfer-Encoding: 8bit
> > > +
> > > +Use same define guard for definiton as for usage  
> > ('HAVE_STRUCT_NTPTIMEVAL_TAI'  
> > > +instead of 'NTP_API && NTP_API > 3').
> > > +
> > > +Fixes:
> > > +
> > > +  ../../ntptime/ntptime.c: In function ‘main’:
> > > +  ../../ntptime/ntptime.c:349:17: error: ‘jfmt5’ undeclared (first use  
> > in this function); did you mean ‘jfmt6’?  
> > > +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> > > +        |                 ^~~~~
> > > +        |                 jfmt6
> > > +  ../../ntptime/ntptime.c:349:17: note: each undeclared identifier is  
> > reported only once for each function it appears in  
> > > +  ../../ntptime/ntptime.c:349:25: error: ‘ofmt5’ undeclared (first use  
> > in this function); did you mean ‘ofmt6’?  
> > > +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> > > +        |                         ^~~~~
> > > +        |                         ofmt6
> > > +  ../../ntptime/ntptime.c:321:15: warning: unused variable ‘jfmt6’  
> > [-Wunused-variable]  
> > > +    321 |   const char *jfmt6 = "";
> > > +        |               ^~~~~
> > > +  ../../ntptime/ntptime.c:311:15: warning: unused variable ‘ofmt6’  
> > [-Wunused-variable]  
> > > +    311 |   const char *ofmt6 = "\n";
> > > +        |               ^~~~~
> > > +
> > > +[Upstream: https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1245]
> > > +Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> > > +---
> > > + ntptime/ntptime.c | 4 ++--
> > > + 1 file changed, 2 insertions(+), 2 deletions(-)
> > > +
> > > +diff --git a/ntptime/ntptime.c b/ntptime/ntptime.c
> > > +index ff861cb..5d58593 100644
> > > +--- a/ntptime/ntptime.c
> > > ++++ b/ntptime/ntptime.c
> > > +@@ -305,7 +305,7 @@ main(
> > > +             const char *ofmt2 = "  time %s, (.%0*d),\n";
> > > +             const char *ofmt3 = "  maximum error %lu us, estimated  
> > error %lu us";  
> > > +             const char *ofmt4 = "  ntptime=%x.%x unixtime=%x.%0*d %s";
> > > +-#if defined NTP_API && NTP_API > 3
> > > ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> > > +             const char *ofmt5 = ", TAI offset %ld\n";
> > > + #else
> > > +             const char *ofmt6 = "\n";
> > > +@@ -315,7 +315,7 @@ main(
> > > +             const char *jfmt2 =  
> > "\"time\":\"%s\",\"fractional-time\":\".%0*d\",";  
> > > +             const char *jfmt3 =  
> > "\"maximum-error\":%lu,\"estimated-error\":%lu,";  
> > > +             const char *jfmt4 =  
> > "\"raw-ntp-time\":\"%x.%x\",\"raw-unix-time\":\"%x.%0*d %s\",";  
> > > +-#if defined NTP_API && NTP_API > 3
> > > ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> > > +             const char *jfmt5 = "\"TAI-offset\":%d,";
> > > + #else
> > > +             const char *jfmt6 = "";
> > > +--
> > > +2.33.0
> > > +
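Review bot: In the second inner hunk the context line `const char *jfmt5 = "\"TAI-offset\":%d,";` uses %d, while the call quoted in the commit message, `printf(json ? jfmt5 : ofmt5, (long)ntv.tai);`, passes a long and ofmt5 uses %ld. Since this patch already touches the guard around both format strings, change jfmt5 to %ld in the same upstream submission so the JSON path does not hand printf a mismatched argument type.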
> > > diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
> > > new file mode 100644
> > > index 0000000..9044aa4
> > > --- /dev/null
> > > +++ b/package/ntpsec/Config.in
> > > @@ -0,0 +1,68 @@
> > > +comment "ntpsec needs a toolchain w/ wchar, thread, dynamic library"
> > > +     depends on BR2_STATIC_LIBS
> > > +     depends on !BR2_USE_WCHAR
> > > +     depends on !BR2_TOOLCHAIN_HAS_THREADS # libbsd
> > > +
> > > +comment "ntpsec needs libbsd"
> > > +     depends on !BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
> > > +     depends on !BR2_STATIC_LIBS # libbsd
> > > +
> > > +comment "ntpsec needs python3"
> > > +     depends on !BR2_PACKAGE_PYTHON3
> > > +
> > > +config BR2_PACKAGE_NTPSEC
> > > +     bool "ntpsec"
> > > +     depends on !BR2_STATIC_LIBS # libbsd
> > > +     depends on BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
> > > +     depends on BR2_TOOLCHAIN_HAS_THREADS # libbsd
> > > +     depends on BR2_PACKAGE_PYTHON3
> > > +     select BR2_PACKAGE_LIBCAP
> > > +     select BR2_PACKAGE_LIBBSD
> > > +     select BR2_PACKAGE_PPS_TOOLS # refclock(pps)
> > > +     help
> > > +       NTPsec is a secure, hardened, and improved
> > > +       implementation of Network Time Protocol derived
> > > +       from NTP Classic, Dave Mills’s original.
> > > +
> > > +       Provides things like ntpd, ntpdate, ntpq, etc...
> > > +
> > > +       https://www.ntpsec.org/
> > > +
> > > +if BR2_PACKAGE_NTPSEC
> > > +
> > > +config BR2_PACKAGE_NTPSEC_CLASSIC_MODE
> > > +     bool "ntpsec-classic"
> > > +     help
> > > +       Enable strict configuration and log-format compatibility
> > > +       with NTP Classic.
> > > +       This option is not recommended as it makes the module
> > > +       less efficient.
> > > +
> > > +config BR2_PACKAGE_NTPSEC_NTS
> > > +     bool "ntpsec-nts"
> > > +     select BR2_PACKAGE_OPENSSL
> > > +     help
> > > +       Enable Network Time Security (NTS) support.
> > > +
> > > +comment "ntpsec-ntploggpsd needs gpsd"
> > > +     depends on !BR2_PACKAGE_GPSD
> > > +
> > > +config BR2_PACKAGE_NTPSEC_LEAP_SMEAR
> > > +     bool "ntpsec-leap-smear"
> > > +     help
> > > +       Activates leap second smearing,
> > > +       https://docs.ntpsec.org/latest/leapsmear.html
> > > +
> > > +config BR2_PACKAGE_NTPSEC_LEAP_TESTING
> > > +     bool "ntpsec-leap-testing"
> > > +     help
> > > +       Enables leap seconds on other than 1st day of month
> > > +
> > > +config BR2_PACKAGE_NTPSEC_EARLY_DROPROOT
> > > +     bool "ntpsec-early-droproot"
> > > +     help
> > > +       Drops root privileges as early as possible.
> > > +       This requires the refclock devices to be owned
> > > +       by owner/group running 'ntpd'
> > > +
> > > +endif
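Review bot: The first `comment` block stacks three `depends on` lines, which Kconfig ANDs together, so the hint only appears when BR2_STATIC_LIBS is set and wchar and threads are both missing at the same time. Join the conditions with `||` in a single `depends on` (the "ntpsec needs libbsd" comment has the same problem), and either add `depends on BR2_USE_WCHAR` to BR2_PACKAGE_NTPSEC or drop wchar from the comment text, since the config entry itself never requires it.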
> > > diff --git a/package/ntpsec/S49ntp b/package/ntpsec/S49ntp
> > > new file mode 100644
> > > index 0000000..f3db514
> > > --- /dev/null
> > > +++ b/package/ntpsec/S49ntp
> > > @@ -0,0 +1,58 @@
> > > +#!/bin/sh
> > > +#
> > > +# Starts Network Time Protocol daemon
> > > +#
> > > +
> > > +DAEMON="ntpd"
> > > +PIDFILE="/var/run/$DAEMON.pid"
> > > +
> > > +NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"
> > > +
> > > +# shellcheck source=/dev/null
> > > +[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
> > > +
> > > +mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp
> > > +
> > > +start() {
> > > +     printf 'Starting %s: ' "$DAEMON"
> > > +     # shellcheck disable=SC2086 # we need the word splitting
> > > +     start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
> > > +             -- $NTPD_ARGS -p "$PIDFILE"
> > > +     status=$?
> > > +     if [ "$status" -eq 0 ]; then
> > > +             echo "OK"
> > > +     else
> > > +             echo "FAIL"
> > > +     fi
> > > +     return "$status"
> > > +}
> > > +
> > > +stop() {
> > > +     printf 'Stopping %s: ' "$DAEMON"
> > > +     start-stop-daemon -K -q -p "$PIDFILE"
> > > +     status=$?
> > > +     if [ "$status" -eq 0 ]; then
> > > +             rm -f "$PIDFILE"
> > > +             echo "OK"
> > > +     else
> > > +             echo "FAIL"
> > > +     fi
> > > +     return "$status"
> > > +}
> > > +
> > > +restart() {
> > > +     stop
> > > +     sleep 1
> > > +     start
> > > +}
> > > +
> > > +case "$1" in
> > > +     start|stop|restart)
> > > +             "$1";;
> > > +     reload)
> > > +             # Restart, since there is no true "reload" feature.
> > > +             restart;;
> > > +     *)
> > > +             echo "Usage: $0 {start|stop|restart|reload}"
> > > +             exit 1
> > > +esac
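Review bot: `mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp` sits at the top level of the script, so it runs on every invocation, including `stop` and the usage path, and its result is never checked. Move it into start() ahead of the start-stop-daemon call and return early if it fails, so ntpd is not launched with `-s /var/run/ntp` pointing at a directory the ntp user cannot write.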
> > > diff --git a/package/ntpsec/ntpd.etc.conf b/package/ntpsec/ntpd.etc.conf
> > > new file mode 100644
> > > index 0000000..e0f45c1
> > > --- /dev/null
> > > +++ b/package/ntpsec/ntpd.etc.conf
> > > @@ -0,0 +1,33 @@
> > > +#
> > > +# legacy NTP configuration
> > > +#
> > > +pool 0.pool.ntp.org iburst
> > > +pool 1.pool.ntp.org iburst
> > > +pool 2.pool.ntp.org iburst
> > > +pool 3.pool.ntp.org iburst
> > > +
> > > +#
> > > +# NTS configuration
> > > +#
> > > +# Notes:
> > > +#  - uncomment the following lines to enable NTS support (but
> > > +#    make sure the initial clock is up-to-date (otherwise the
> > > +#    NTS certificate validation will fail with 'NTSc: certificate  
> > invalid:  
> > > +#    9=>certificate is not yet valid' as on boards without RTC support)
> > > +#    and/or keep at least one line from the legacy NTP lines
> > > +#  - enable BR2_PACKAGE_CA_CERTIFICATES to gain access to the  
> > certificate  
> > > +#    files
> > > +#
> > > +# server time.cloudflare.com nts  # Global, anycast
> > > +# server nts.ntp.se:4443 nts      # Sweden
> > > +# server ntpmon.dcs1.biz nts      # Singapore
> > > +# server ntp1.glypnod.com nts     # San Francisco
> > > +# server ntp2.glypnod.com nts     # London
> > > +#
> > > +# ca /usr/share/ca-certificates/mozilla
> > > +
> > > +# Allow only time queries, at a limited rate, sending KoD when in  
> > excess.  
> > > +# Allow all local queries (IPv4, IPv6)
> > > +restrict default nomodify nopeer noquery limited kod
> > > +restrict 127.0.0.1
> > > +restrict [::1]
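Review bot: The NTS notes name BR2_PACKAGE_CA_CERTIFICATES but not BR2_PACKAGE_NTPSEC_NTS, and without that option ntpsec.mk passes --disable-nts, so the commented `server ... nts` lines cannot be used on such a build. Mention both options in the comment. The parenthesis opened at "(but make sure" is also never closed, which makes the first note hard to parse.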
> > > diff --git a/package/ntpsec/ntpd.service b/package/ntpsec/ntpd.service
> > > new file mode 100644
> > > index 0000000..b7db4a2
> > > --- /dev/null
> > > +++ b/package/ntpsec/ntpd.service
> > > @@ -0,0 +1,15 @@
> > > +[Unit]
> > > +Description=Network Time Service
> > > +After=network.target
> > > +
> > > +[Service]
> > > +Type=forking
> > > +PIDFile=/run/ntpd.pid
> > > +# Turn off DNSSEC validation for hostname look-ups, since those need the
> > > +# correct time to work, but we likely won't acquire that without NTP.  
> > Let's  
> > > +# break this chicken-and-egg cycle here.
> > > +Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
> > > +ExecStart=/usr/sbin/ntpd @NTPD_EXTRA_ARGS@ -g -p /run/ntpd.pid  
> >
> > The @NTPD_EXTRA_ARGS@ handling needs the sed command instead of the
> > simple install one (see package/ntp/ntp.mk)...
> >  
> > > +
> > > +[Install]
> > > +WantedBy=multi-user.target
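Review bot: ExecStart runs `/usr/sbin/ntpd @NTPD_EXTRA_ARGS@ -g -p /run/ntpd.pid` with no `-u ntp:ntp`, so under systemd the daemon keeps root while the S49ntp script in the same patch drops to the ntp user. Add `-u ntp:ntp` here, or make sure it always arrives through the substituted extra arguments, so both init systems run ntpd with the same privileges.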
> > > diff --git a/package/ntpsec/ntpsec.hash b/package/ntpsec/ntpsec.hash
> > > new file mode 100644
> > > index 0000000..49dc4e4
> > > --- /dev/null
> > > +++ b/package/ntpsec/ntpsec.hash
> > > @@ -0,0 +1,4 @@
> > > +# Locally calculated
> > > +sha256  
> > 71c9f4bde6953bbc048bbaf278da81c451a56cc08d6772542b4ad37c67d72e89
> > ntpsec-NTPsec_1_2_1.tar.bz2  
> > > +sha256  
> > b4db4de3317c3b0554ed91eb692968800bdfd6ad2c16ffbeee8ce4895ed91da4
> > LICENSE.adoc  
> > > +sha256  
> > d3b21470adadd9abd9c6d675378f8c371ac5a4ea6dbec91859e02fadca3c0856
> > docs/copyright.adoc  
> > > diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
> > > new file mode 100644
> > > index 0000000..55b4bb0
> > > --- /dev/null
> > > +++ b/package/ntpsec/ntpsec.mk
> > > @@ -0,0 +1,85 @@
> > >  
> > +################################################################################  
> > > +#
> > > +# ntpsec
> > > +#
> > >  
> > +################################################################################  
> > > +
> > > +NTPSEC_VERSION_MAJOR = 1
> > > +NTPSEC_VERSION_MINOR = 2
> > > +NTPSEC_VERSION_POINT = 1
> > > +NTPSEC_VERSION =  
> > $(NTPSEC_VERSION_MAJOR)_$(NTPSEC_VERSION_MINOR)_$(NTPSEC_VERSION_POINT)  
> > > +NTPSEC_SOURCE = ntpsec-NTPsec_$(NTPSEC_VERSION).tar.bz2
> > > +NTPSEC_SITE =  
> > https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_$(NTPSEC_VERSION)  
> > > +NTPSEC_LICENSE = BSD-2-Clause NTP BSD-3-Clause MIT
> > > +NTPSEC_LICENSE_FILES = LICENSE.adoc docs/copyright.adoc
> > > +
> > > +NTPSEC_CPE_ID_VENDOR = ntpsec
> > > +NTPSEC_CPE_ID_VERSION = $(NTPSEC_VERSION_MAJOR).$(NTPSEC_VERSION_MINOR)
> > > +NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
> > > +
> > > +NTPSEC_DEPENDENCIES = \
> > > +     $(if $(BR2_PACKAGE_PYTHON),python,python3) \
> > > +     libbsd \
> > > +     pps-tools
> > > +
> > > +NTPSEC_PYVER = $(if  
> > $(BR2_PACKAGE_PYTHON),python$(PYTHON_VERSION_MAJOR),python$(PYTHON3_VERSION_MAJOR))  
> > > +
> > > +NTPSEC_CONF_OPTS = \
> > > +     CC=$(HOSTCC) \
> > > +     PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/$(if  
> > $(BR2_PACKAGE_PYTHON),python,python3)-config" \  
> > > +     --cross-compiler="$(TARGET_CC)" \
> > > +     --cross-cflags="$(TARGET_CFLAGS) -std=gnu99" \
> > > +     --cross-ldflags="$(TARGET_LDFLAGS)" \
> > > +     --notests \
> > > +     --disable-mdns-registration \
> > > +     --enable-pylib=ffi \
> > > +     --nopyc \
> > > +     --nopyo \
> > > +     --nopycache \
> > > +     --disable-doc \
> > > +     --disable-manpage \
> > > +     --refclock=all \
> > > +     --libdir=/usr/lib/$(NTPSEC_PYVER)/site-packages/ntp
> > > +
> > > +ifeq ($(BR2_PACKAGE_NTPSEC_CLASSIC_MODE),y)
> > > +NTPSEC_CONF_OPTS += --enable-classic-mode
> > > +endif
> > > +
> > > +ifeq ($(BR2_PACKAGE_NTPSEC_NTS),y)
> > > +NTPSEC_DEPENDENCIES += openssl
> > > +else
> > > +NTPSEC_CONF_OPTS += --disable-nts
> > > +endif
> > > +
> > > +ifeq ($(BR2_PACKAGE_NTPSEC_EARLY_DROPROOT),y)
> > > +NTPSEC_DEPENDENCIES += libcap
> > > +NTPSEC_CONF_OPTS += --enable-early-droproot
> > > +endif
> > > +
> > > +ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_SMEAR),y)
> > > +NTPSEC_CONF_OPTS += --enable-leap-smear
> > > +endif
> > > +
> > > +ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_TESTING),y)
> > > +NTPSEC_CONF_OPTS += --enable-leap-testing
> > > +endif
> > > +
> > > +define NTPSEC_INSTALL_NTPSEC_CONF
> > > +     $(INSTALL) -m 644 package/ntpsec/ntpd.etc.conf  
> > $(TARGET_DIR)/etc/ntp.conf  
> > > +endef
> > > +NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_INSTALL_NTPSEC_CONF
> > > +
> > > +define NTPSEC_INSTALL_INIT_SYSV
> > > +     $(INSTALL) -D -m 755 $(NTPSEC_PKGDIR)/S49ntp  
> > $(TARGET_DIR)/etc/init.d/S49ntp  
> > > +endef
> > > +
> > > +define NTPSEC_INSTALL_INIT_SYSTEMD
> > > +     $(INSTALL) -D -m 644 $(NTPSEC_PKGDIR)/ntpd.service \
> > > +             $(TARGET_DIR)/usr/lib/systemd/system/ntpd.service
> > > +endef
> > > +
> > > +define NTPSEC_USERS
> > > +     ntp -1 ntp -1 * - - - ntpd user
> > > +endef
> > > +
> > > +$(eval $(waf-package))  
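Review bot: `NTPSEC_DEPENDENCIES += libcap` is only reached when BR2_PACKAGE_NTPSEC_EARLY_DROPROOT is set, although Config.in selects BR2_PACKAGE_LIBCAP unconditionally and S49ntp always passes `-u ntp:ntp`. List libcap in the base NTPSEC_DEPENDENCIES so it is built before ntpsec configures, and keep only `--enable-early-droproot` inside the conditional. The `$(if $(BR2_PACKAGE_PYTHON),python,python3)` selections can collapse to python3, since Config.in depends on BR2_PACKAGE_PYTHON3 only, and NTPSEC_INSTALL_NTPSEC_CONF should use $(NTPSEC_PKGDIR) with `-D` like the two init hooks.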
> >
> > Will prepare an update of my original patch with the version update and
> > some of
> > your findings..., feel free to provide your improvements as add-on patches
> > ;-)
> >
> > Regards,
> > Peter
> >
> >  


* Re: [Buildroot] [PATCH 1/1] package/ntpsec: new package
  2021-12-15 22:15       ` Peter Seiderer
@ 2021-12-17  7:57         ` Guillaume Bres
  0 siblings, 0 replies; 11+ messages in thread
From: Guillaume Bres @ 2021-12-17  7:57 UTC (permalink / raw)
  To: Peter Seiderer, wbx; +Cc: buildroot, Yann E. MORIN, Thomas Petazzoni



Peter, all,

I'm currently testing (runtime) on your V2 and will get back to you soon.

>Maybe take a look at package/mesa3d/mesa3d.mk and the dri-drivers handling:
>-Ddri-drivers=$(subst $(space),$(comma),$(MESA3D_DRI_DRIVERS-y))
I will not increment the v2 with new features, let's have it merged and we
start from there

>With libbsd enabled I get the following failure:
I solved that issue with similar -I flags,
but did not realize libbsd was not available to staging.
What do you think is best then, should we enable libbsd and provide a mini
libbsd patch along our ntpsec patch?
If we all say so, then we will wait for your v3

Guillaume W. Bres
Software engineer
<guillaume.bressaix@gmail.com>


On Wed, 15 Dec 2021 at 23:15, Peter Seiderer <ps.report@gmx.net> wrote:

> Hello Guillaume,
>
> On Wed, 15 Dec 2021 22:21:31 +0100, Guillaume Bres <
> guillaume.bressaix@gmail.com> wrote:
>
> > Hello Peter,
> >
> > > Will prepare an update of my original patch with the version update
> and
> > some of
> > > your findings..., feel free to provide your improvements as add-on
> > patches ;-)
> > sounds good, I'll wait for your v2 and will test it on my side
> >
> > > Better done as an extra patch (easier to review)....
> > ok let's do that later
> >
> > >  libbsd is required
> > >> Are you sure?
> > >> With the original patch ntpsec builds fine without libbsd
> available...
> > it's listed in the dependencies for this pkg in debian.
> > Ran a quick grep in their sources, it's clearly in their CI basic
> > requirements too, but I can't figure where they actually use it. They
> > clearly pass -lbsd to the linker though.
>
>
> Checking for library bsd                 : not found
> [...]
>   LDFLAGS                       :  -Wl,-z,now -Wl,--strip-all -Wl,-z,relro
>   LINKFLAGS_NTPD                :  -pie
>
>
> With libbsd enabled I get the following failure:
>
> --- building host ---
> Waf: Entering directory `.../build/ntpsec-1_2_1/build/host'
> [1/2] Processing ntpd/ntp_parser.y
> [2/2] Compiling build/host/ntpd/ntp_parser.tab.c
> In file included from ../../include/ntp.h:15,
>                  from .../build/ntpsec-1_2_1/ntpd/ntp_parser.y:16:
> ../../include/ntp_stdlib.h:20:10: fatal error: bsd/string.h: No such file
> or directory
>    20 | #include <bsd/string.h>
>       |          ^~~~~~~~~~~~~~
> compilation terminated.
>
>
> Can be avoided by the following patch:
>
> diff --git a/package/libbsd/libbsd.mk b/package/libbsd/libbsd.mk
> index 256a75f15e..454cee3f37 100644
> --- a/package/libbsd/libbsd.mk
> +++ b/package/libbsd/libbsd.mk
> @@ -14,3 +14,4 @@ LIBBSD_CPE_ID_VENDOR = freedesktop
>  LIBBSD_INSTALL_STAGING = YES
>
>  $(eval $(autotools-package))
> +$(eval $(host-autotools-package))
> diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
> index 7275533d26..41013d1e99 100644
> --- a/package/ntpsec/Config.in
> +++ b/package/ntpsec/Config.in
> @@ -1,6 +1,7 @@
>  config BR2_PACKAGE_NTPSEC
>         bool "ntpsec"
>         depends on BR2_PACKAGE_PYTHON3
> +       select BR2_PACKAGE_LIBBSD
>         select BR2_PACKAGE_LIBCAP
>         select BR2_PACKAGE_OPENSSL
>         help
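Review bot: `select BR2_PACKAGE_LIBBSD` is added without the dependencies libbsd itself carries, and a `select` does not enforce them. Mirror them on BR2_PACKAGE_NTPSEC, as the other version of this file in the thread does with `depends on BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS`, `depends on !BR2_STATIC_LIBS` and `depends on BR2_TOOLCHAIN_HAS_THREADS`.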
> diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
> index 739ef0eab4..63eaf35268 100644
> --- a/package/ntpsec/ntpsec.mk
> +++ b/package/ntpsec/ntpsec.mk
> @@ -20,11 +20,12 @@ NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
>  NTPSEC_DEPENDENCIES = \
>         host-pkgconf \
>         python3 \
> +       host-libbsd libbsd \
>         libcap \
>         openssl
>
>  NTPSEC_CONF_OPTS = \
> -       CC="$(HOSTCC)" \
> +       CC="$(HOSTCC) -I$(HOST_DIR)/include" \
>         PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/python3-config" \
>         --libdir=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages/ntp
> \
>         --cross-compiler="$(TARGET_CC)" \
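Review bot: `CC="$(HOSTCC) -I$(HOST_DIR)/include"` folds a preprocessor flag into the compiler name and gives the host-side build the libbsd headers with no matching library search path. Buildroot already defines $(HOST_CPPFLAGS) and $(HOST_LDFLAGS) for the host directory; using those instead of a hand-written -I keeps the include and link paths consistent if the host tools ever need to link against host-libbsd.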
>
> >
> > >Would prefer one option per refclock to reduce dependencies...
> > I tried to do so at first, but am failing at correctly concatenating the
> > refclocks in a comma separated string.
> > Expected format is "refclocks=gpsd,nmea,shm"
> > Order does not matter. It is very important to only have valid refclocks
> in
> > the submitted string otherwise configure fails. refclocks=",nmea,shm" and
> > refclocks="shm," would fail.
> >
> > >Would prefer one option per refclock to reduce dependencies...
> > Actually there are no dependencies related to refclocks, it's up to the
> > user to provide a correct kernel config for specific hardware though.
> Only
> > "gpsd" will have unmet requirements at the moment and would get dropped
> out
> > by configure (smart detection). If you can provide a proper interface to
> > concatenate the string, that would be useful (I'm not good at shell
> > scripting). If we do so, I would recommend we stick to the list of
> actively
> > maintained refclocks (URL in my reply to v1)
>
> Maybe take a look at package/mesa3d/mesa3d.mk and the dri-drivers
> handling:
>
>         137         -Ddri-drivers=$(subst
> $(space),$(comma),$(MESA3D_DRI_DRIVERS-y))
>
> Regards,
> Peter
>
> >
> >
> > Guillaume W. Bres
> > Software engineer
> > <guillaume.bressaix@gmail.com>
> >
> >
> > On Wed, 15 Dec 2021 at 21:43, Peter Seiderer <ps.report@gmx.net> wrote:
> >
> > > Hello Guillaume,
> > >
> > > thanks for the interest, testing and improvement of the ntpsec patch, some
> > > comments below...
> > >
> > > On Sun, 12 Dec 2021 21:07:41 +0100, guillaume.bressaix@gmail.com
> wrote:
> > >
> > > > From: Peter Seiderer <ps.report@gmx.net>
> > > >
> > > > - set 'CC=gcc' to avoid cross-compile failure (see [1]):
> > > >
> > > >   /bin/sh: line 1:
> .../build/ntpsec-1_2_0/build/host/ntpd/keyword-gen:
> > > cannot execute binary file: Exec format error
> > > >
> > > >   Waf: Leaving directory `.../build/ntpsec-1_2_0/build/host'
> > > >   Build failed
> > > >    -> task in 'ntp_keyword.h' failed with exit status 126 (run with
> -v
> > > to display more information)
> > > >
> > > > - set '-std=gnu99"' to avoid compile failure with old compilers
> > > >
> > > > - explicit set PYTHON_CONFIG
> > > >
> > > > - add patch
> > > 001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch to
> > > >   fix ntptime jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
> > > >
> > > > - add SYSV init file (S49ntp)
> > > >
> > > > - add example ntpd.conf (with legacy option enabled and provide
> skeleton
> > > >   for NTS configuration)
> > > >
> > > > - add config option for NTS support
> > > >
> > > > - depend on python3 (omit python2 to reduce test effort)
> > > >
> > > > - add ntp user/group and run ntpd as restricted user
> > > >
> > > > - add libcap dependency (compile time optional but needed for
> droproot
> > > >   support)
> > > >
> > > > - submit latest ntpsec version 1.2.1
> > >
> > > Interesting, not listed as release, but tagged and downloadable...
> > >
> > > >
> > > > - lib ntpc import in python is fixed by specifying the --libdir
> flag.
> > > >   -> removed the symlink trick
> > >
> > > Fine..., will test it...
> > >
> > > >
> > > > - add --refclock=all flags to configure, see notes down below
> > > >
> > > > - add leap second management options & ntpviz
> > > >
> > > > - improved Config.in:
> > > >   libbsd is required
> > >
> > > Are you sure? With the original patch ntpsec builds fine without libbsd
> > > available...
> > >
> > > >   openssl is only needed when NTS encryption is enabled
> > >
> > > A build without NTS and without openssl gives:
> > >
> > >         Checking for OpenSSL/libcrypto (via pkg-config)
>  :
> > > not found
> > >         Checking for OpenSSL's crypto library
>  :
> > > not found
> > >         The configuration failed
> > >
> > > >   (depend on python3 only to simplify things)
> > > >   improved classic mode help description
> > > >   improved early-drop-root feature description
> > > >
> > > > - early droproot should be an option: adapt libcap accordingly
> > >
> > > This will break (the hard coded) '-u npt:npt' option from
> > > package/ntpsec/S49ntp,
> > > any reason to avoid the security feature?
> > >
> > > >
> > > > - corrected CC=gcc to CC=$(HOSTCC) in ntpsec.mk
> > >
> > > Good point...
> > >
> > > >
> > > > - provide service script for systemd infra along sysv infra
> > >
> > > Better done as an extra patch (easier to review)....
> > >
> > > >
> > > > - I don't think we need the patch if we restrict to
> !BR2_TOOLCHAIN_UCLIBC
> > > >   IMO it's better to keep the patch and allow all toolchains.
> > > >   I usually have glibc, but I just ran a sanity check on my
> zedboard
> > > with uclibc,
> > > >   it passed.
> > >
> > > Not important for the commit log...
> > >
> > > >
> > > > - used on zynq_zed_defconfig and beaglebone_defconfig
> > > >   daemon automatically started
> > > >   ntpq works fine
> > > >
> > > > [1] https://gitlab.com/NTPsec/ntpsec/-/issues/694
> > > >
> > > > Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> > > > Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
> > > >
> > > > ---
> > > > notes on refclocks: https://docs.ntpsec.org/latest/refclock.html
> > > >   "For security reasons, we will no longer support any refclock
> > > >   that requires a closed-source driver to run", see webpage.
> > > >
> > > >   --refclock=all is hardcoded at the moment
> > > >
> > > >   One must compile ntpsec with the 'refclock' option
> > > >   if they want to drive or interact with hardware.
> > > >
> > > >   In any case, refclocks are not critical for both buildtime &
> runtime:
> > > >
> > > >      [+] ./configure is smart enough to disable a refclock
> > > >      if requirements are not met. In the submitted context,
> > > >      this happens for refclock=gpsd without BR2_PACKAGE_GPSD
> > > >      selected by user
> > > >
> > > >      [+] some refclocks naturally require a specific hw support
> > > >      with related kernel driver.
> > > >      This is not buildtime critical because build does not care
> > > >      about hw support.
> > > >      This is not runtime critical either because any missing
> > > >      hw support or unfeasible hardware access ends up as a logged
> > > >      error message. It is up to the user to correct it in the
> > > >      submitted context: example: 'nmea/gps' receivers without
> kernel
> > > support
> > > >      or hardware not plugged in.
> > >
> > > Would prefer one option per refclock to reduce dependencies...
> > >
> > > >
> > > > ntpd / ntpsec should be mutually exclusive if we hardcode S49ntp as
> the
> > > service script
> > > >
> > > > ---
> > > >  DEVELOPERS                                         |  1 +
> > > >  package/Config.in                                  |  1 +
> > > >  ...-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch | 61
> ++++++++++++++++
> > > >  package/ntpsec/Config.in                           | 68
> > > +++++++++++++++++
> > > >  package/ntpsec/S49ntp                              | 58
> +++++++++++++++
> > > >  package/ntpsec/ntpd.etc.conf                       | 33 +++++++++
> > > >  package/ntpsec/ntpd.service                        | 15 ++++
> > > >  package/ntpsec/ntpsec.hash                         |  4 +
> > > >  package/ntpsec/ntpsec.mk                           | 85
> > > ++++++++++++++++++++++
> > > >  9 files changed, 326 insertions(+)
> > > >  create mode 100644
> > >
> package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
>
> > > >  create mode 100644 package/ntpsec/Config.in
> > > >  create mode 100644 package/ntpsec/S49ntp
> > > >  create mode 100644 package/ntpsec/ntpd.etc.conf
> > > >  create mode 100644 package/ntpsec/ntpd.service
> > > >  create mode 100644 package/ntpsec/ntpsec.hash
> > > >  create mode 100644 package/ntpsec/ntpsec.mk
> > > >
> > > > diff --git a/DEVELOPERS b/DEVELOPERS
> > > > index 3023526..32b5e87 100644
> > > > --- a/DEVELOPERS
> > > > +++ b/DEVELOPERS
> > > > @@ -2196,6 +2196,7 @@ F:      package/iwd/
> > > >  F:   package/libevdev/
> > > >  F:   package/libuev/
> > > >  F:   package/log4cplus/
> > > > +F:   package/ntpsec/
> > > >  F:   package/postgresql/
> > > >  F:   package/python-colorzero/
> > > >  F:   package/python-flask-wtf/
> > > > diff --git a/package/Config.in b/package/Config.in
> > > > index 5720830..544a0fd 100644
> > > > --- a/package/Config.in
> > > > +++ b/package/Config.in
> > > > @@ -2271,6 +2271,7 @@ endif
> > > >       source "package/nmap/Config.in"
> > > >       source "package/noip/Config.in"
> > > >       source "package/ntp/Config.in"
> > > > +     source "package/ntpsec/Config.in"
> > > >       source "package/nuttcp/Config.in"
> > > >       source "package/odhcp6c/Config.in"
> > > >       source "package/odhcploc/Config.in"
> > > > diff --git
> > >
> a/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
> > >
> b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
>
> > > > new file mode 100644
> > > > index 0000000..c2838fe
> > > > --- /dev/null
> > > > +++
> > >
> b/package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch
>
> > > > @@ -0,0 +1,61 @@
> > > > +From 4015a1183d2f79dad6dd675ca5e0d329825f3fa3 Mon Sep 17 00:00:00
> 2001
> > > > +From: Peter Seiderer <ps.report@gmx.net>
> > > > +Date: Mon, 4 Oct 2021 22:25:58 +0200
> > > > +Subject: [PATCH] ntptime: fix jfmt5/ofmt5 jfmt6/ofmt6 related
> compile
> > > failure
> > > > +MIME-Version: 1.0
> > > > +Content-Type: text/plain; charset=UTF-8
> > > > +Content-Transfer-Encoding: 8bit
> > > > +
> > > > +Use same define guard for definiton as for usage
> > > ('HAVE_STRUCT_NTPTIMEVAL_TAI'
> > > > +instead of 'NTP_API && NTP_API > 3').
> > > > +
> > > > +Fixes:
> > > > +
> > > > +  ../../ntptime/ntptime.c: In function ‘main’:
> > > > +  ../../ntptime/ntptime.c:349:17: error: ‘jfmt5’ undeclared (first
> use
> > > in this function); did you mean ‘jfmt6’?
> > > > +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> > > > +        |                 ^~~~~
> > > > +        |                 jfmt6
> > > > +  ../../ntptime/ntptime.c:349:17: note: each undeclared identifier
> is
> > > reported only once for each function it appears in
> > > > +  ../../ntptime/ntptime.c:349:25: error: ‘ofmt5’ undeclared (first
> use
> > > in this function); did you mean ‘ofmt6’?
> > > > +    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
> > > > +        |                         ^~~~~
> > > > +        |                         ofmt6
> > > > +  ../../ntptime/ntptime.c:321:15: warning: unused variable ‘jfmt6’
> > > [-Wunused-variable]
> > > > +    321 |   const char *jfmt6 = "";
> > > > +        |               ^~~~~
> > > > +  ../../ntptime/ntptime.c:311:15: warning: unused variable ‘ofmt6’
> > > [-Wunused-variable]
> > > > +    311 |   const char *ofmt6 = "\n";
> > > > +        |               ^~~~~
> > > > +
> > > > +[Upstream: https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1245]
> > > > +Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> > > > +---
> > > > + ntptime/ntptime.c | 4 ++--
> > > > + 1 file changed, 2 insertions(+), 2 deletions(-)
> > > > +
> > > > +diff --git a/ntptime/ntptime.c b/ntptime/ntptime.c
> > > > +index ff861cb..5d58593 100644
> > > > +--- a/ntptime/ntptime.c
> > > > ++++ b/ntptime/ntptime.c
> > > > +@@ -305,7 +305,7 @@ main(
> > > > +             const char *ofmt2 = "  time %s, (.%0*d),\n";
> > > > +             const char *ofmt3 = "  maximum error %lu us,
> estimated
> > > error %lu us";
> > > > +             const char *ofmt4 = "  ntptime=%x.%x unixtime=%x.%0*d
> %s";
> > > > +-#if defined NTP_API && NTP_API > 3
> > > > ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> > > > +             const char *ofmt5 = ", TAI offset %ld\n";
> > > > + #else
> > > > +             const char *ofmt6 = "\n";
> > > > +@@ -315,7 +315,7 @@ main(
> > > > +             const char *jfmt2 =
> > > "\"time\":\"%s\",\"fractional-time\":\".%0*d\",";
> > > > +             const char *jfmt3 =
> > > "\"maximum-error\":%lu,\"estimated-error\":%lu,";
> > > > +             const char *jfmt4 =
> > > "\"raw-ntp-time\":\"%x.%x\",\"raw-unix-time\":\"%x.%0*d %s\",";
> > > > +-#if defined NTP_API && NTP_API > 3
> > > > ++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
> > > > +             const char *jfmt5 = "\"TAI-offset\":%d,";
> > > > + #else
> > > > +             const char *jfmt6 = "";
> > > > +--
> > > > +2.33.0
> > > > +
> > > > diff --git a/package/ntpsec/Config.in b/package/ntpsec/Config.in
> > > > new file mode 100644
> > > > index 0000000..9044aa4
> > > > --- /dev/null
> > > > +++ b/package/ntpsec/Config.in
> > > > @@ -0,0 +1,68 @@
> > > > +comment "ntpsec needs a toolchain w/ wchar, thread, dynamic library"
> > > > +     depends on BR2_STATIC_LIBS
> > > > +     depends on !BR2_USE_WCHAR
> > > > +     depends on !BR2_TOOLCHAIN_HAS_THREADS # libbsd
> > > > +
> > > > +comment "ntpsec needs libbsd"
> > > > +     depends on !BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
> > > > +     depends on !BR2_STATIC_LIBS # libbsd
> > > > +
> > > > +comment "ntpsec needs python3"
> > > > +     depends on !BR2_PACKAGE_PYTHON3
> > > > +
> > > > +config BR2_PACKAGE_NTPSEC
> > > > +     bool "ntpsec"
> > > > +     depends on !BR2_STATIC_LIBS # libbsd
> > > > +     depends on BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS
> > > > +     depends on BR2_TOOLCHAIN_HAS_THREADS # libbsd
> > > > +     depends on BR2_PACKAGE_PYTHON3
> > > > +     select BR2_PACKAGE_LIBCAP
> > > > +     select BR2_PACKAGE_LIBBSD
> > > > +     select BR2_PACKAGE_PPS_TOOLS # refclock(pps)
> > > > +     help
> > > > +       NTPsec is a secure, hardened, and improved
> > > > +       implementation of Network Time Protocol derived
> > > > +       from NTP Classic, Dave Mills’s original.
> > > > +
> > > > +       Provides things like ntpd, ntpdate, ntpq, etc...
> > > > +
> > > > +       https://www.ntpsec.org/
> > > > +
> > > > +if BR2_PACKAGE_NTPSEC
> > > > +
> > > > +config BR2_PACKAGE_NTPSEC_CLASSIC_MODE
> > > > +     bool "ntpsec-classic"
> > > > +     help
> > > > +       Enable strict configuration and log-format compatibility
> > > > +       with NTP Classic.
> > > > +       This option is not recommended as it makes the module
> > > > +       less efficient.
> > > > +
> > > > +config BR2_PACKAGE_NTPSEC_NTS
> > > > +     bool "ntpsec-nts"
> > > > +     select BR2_PACKAGE_OPENSSL
> > > > +     help
> > > > +       Enable Network Time Security (NTS) support.
> > > > +
> > > > +comment "ntpsec-ntploggpsd needs gpsd"
> > > > +     depends on !BR2_PACKAGE_GPSD
> > > > +
> > > > +config BR2_PACKAGE_NTPSEC_LEAP_SMEAR
> > > > +     bool "ntpsec-leap-smear"
> > > > +     help
> > > > +       Activates leap second smearing,
> > > > +       https://docs.ntpsec.org/latest/leapsmear.html
> > > > +
> > > > +config BR2_PACKAGE_NTPSEC_LEAP_TESTING
> > > > +     bool "ntpsec-leap-testing"
> > > > +     help
> > > > +       Enables leap seconds on other than 1st day of month
> > > > +
> > > > +config BR2_PACKAGE_NTPSEC_EARLY_DROPROOT
> > > > +     bool "ntpsec-early-droproot"
> > > > +     help
> > > > +       Drops root privileges as early as possible.
> > > > +       This requires the refclock devices to be owned
> > > > +       by owner/group running 'ntpd'
> > > > +
> > > > +endif
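Review bot: the `comment "ntpsec-ntploggpsd needs gpsd"` entry has no matching option in this hunk. No ntploggpsd symbol is declared before `endif`, so menuconfig shows a hint about a feature that cannot be selected either way. Either add the option with `depends on BR2_PACKAGE_GPSD` next to the comment, or drop the comment.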
> > > > diff --git a/package/ntpsec/S49ntp b/package/ntpsec/S49ntp
> > > > new file mode 100644
> > > > index 0000000..f3db514
> > > > --- /dev/null
> > > > +++ b/package/ntpsec/S49ntp
> > > > @@ -0,0 +1,58 @@
> > > > +#!/bin/sh
> > > > +#
> > > > +# Starts Network Time Protocol daemon
> > > > +#
> > > > +
> > > > +DAEMON="ntpd"
> > > > +PIDFILE="/var/run/$DAEMON.pid"
> > > > +
> > > > +NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"
> > > > +
> > > > +# shellcheck source=/dev/null
> > > > +[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
> > > > +
> > > > +mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp
> > > > +
> > > > +start() {
> > > > +     printf 'Starting %s: ' "$DAEMON"
> > > > +     # shellcheck disable=SC2086 # we need the word splitting
> > > > +     start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
> > > > +             -- $NTPD_ARGS -p "$PIDFILE"
> > > > +     status=$?
> > > > +     if [ "$status" -eq 0 ]; then
> > > > +             echo "OK"
> > > > +     else
> > > > +             echo "FAIL"
> > > > +     fi
> > > > +     return "$status"
> > > > +}
> > > > +
> > > > +stop() {
> > > > +     printf 'Stopping %s: ' "$DAEMON"
> > > > +     start-stop-daemon -K -q -p "$PIDFILE"
> > > > +     status=$?
> > > > +     if [ "$status" -eq 0 ]; then
> > > > +             rm -f "$PIDFILE"
> > > > +             echo "OK"
> > > > +     else
> > > > +             echo "FAIL"
> > > > +     fi
> > > > +     return "$status"
> > > > +}
> > > > +
> > > > +restart() {
> > > > +     stop
> > > > +     sleep 1
> > > > +     start
> > > > +}
> > > > +
> > > > +case "$1" in
> > > > +     start|stop|restart)
> > > > +             "$1";;
> > > > +     reload)
> > > > +             # Restart, since there is no true "reload" feature.
> > > > +             restart;;
> > > > +     *)
> > > > +             echo "Usage: $0 {start|stop|restart|reload}"
> > > > +             exit 1
> > > > +esac
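Review bot: `mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp` sits at the top level of the script, so it runs as root on every invocation, including `stop` and the usage branch, and its exit status is ignored. Move it into start() ahead of start-stop-daemon and fail the start if it does not succeed, since the daemon launched with `-u ntp:ntp -s /var/run/ntp` needs that directory to exist and be owned by the ntp user. As a style point, the `*)` branch is the only one without a closing `;;`.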
> > > > diff --git a/package/ntpsec/ntpd.etc.conf
> b/package/ntpsec/ntpd.etc.conf
> > > > new file mode 100644
> > > > index 0000000..e0f45c1
> > > > --- /dev/null
> > > > +++ b/package/ntpsec/ntpd.etc.conf
> > > > @@ -0,0 +1,33 @@
> > > > +#
> > > > +# legacy NTP configuration
> > > > +#
> > > > +pool 0.pool.ntp.org iburst
> > > > +pool 1.pool.ntp.org iburst
> > > > +pool 2.pool.ntp.org iburst
> > > > +pool 3.pool.ntp.org iburst
> > > > +
> > > > +#
> > > > +# NTS configuration
> > > > +#
> > > > +# Notes:
> > > > +#  - uncomment the following lines to enable NTS support (but
> > > > +#    make sure the initial clock is up-to-date (otherwise the
> > > > +#    NTS certificate validation will fail with 'NTSc: certificate
> > > invalid:
> > > > +#    9=>certificate is not yet valid' as on boards without RTC
> support)
> > > > +#    and/or keep at least one line from the legacy NTP lines
> > > > +#  - enable BR2_PACKAGE_CA_CERTIFICATES to gain access to the
> > > certificate
> > > > +#    files
> > > > +#
> > > > +# server time.cloudflare.com nts  # Global, anycast
> > > > +# server nts.ntp.se:4443 nts      # Sweden
> > > > +# server ntpmon.dcs1.biz nts      # Singapore
> > > > +# server ntp1.glypnod.com nts     # San Francisco
> > > > +# server ntp2.glypnod.com nts     # London
> > > > +#
> > > > +# ca /usr/share/ca-certificates/mozilla
> > > > +
> > > > +# Allow only time queries, at a limited rate, sending KoD when in
> > > excess.
> > > > +# Allow all local queries (IPv4, IPv6)
> > > > +restrict default nomodify nopeer noquery limited kod
> > > > +restrict 127.0.0.1
> > > > +restrict [::1]
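Review bot: the NTS notes advise keeping "at least one line from the legacy NTP lines" but do not say what that costs. The four `pool` entries are unauthenticated, so time from them is accepted without the protection NTS gives, and they stay active next to any NTS server the user uncomments. Say in the comment that the legacy lines are a bootstrap aid for boards without an RTC, and that they should be removed once a valid clock is available if NTS-only operation is the goal.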
> > > > diff --git a/package/ntpsec/ntpd.service
> b/package/ntpsec/ntpd.service
> > > > new file mode 100644
> > > > index 0000000..b7db4a2
> > > > --- /dev/null
> > > > +++ b/package/ntpsec/ntpd.service
> > > > @@ -0,0 +1,15 @@
> > > > +[Unit]
> > > > +Description=Network Time Service
> > > > +After=network.target
> > > > +
> > > > +[Service]
> > > > +Type=forking
> > > > +PIDFile=/run/ntpd.pid
> > > > +# Turn off DNSSEC validation for hostname look-ups, since those
> need the
> > > > +# correct time to work, but we likely won't acquire that without
> NTP.
> > > Let's
> > > > +# break this chicken-and-egg cycle here.
> > > > +Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
> > > > +ExecStart=/usr/sbin/ntpd @NTPD_EXTRA_ARGS@ -g -p /run/ntpd.pid
> > >
> > > The @NTPD_EXTRA_ARGS@ handling needs the sed command instead of the
> > > simple install one (see package/ntp/ntp.mk)...
> > >
> > > > +
> > > > +[Install]
> > > > +WantedBy=multi-user.target
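Review bot: ExecStart does not pass `-u ntp:ntp`, while S49ntp starts the same daemon with `NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"`, so on systemd targets ntpd keeps running as root even though NTPSEC_USERS creates an ntp user. Add `-u ntp:ntp` to ExecStart (or supply it through the @NTPD_EXTRA_ARGS@ substitution once the sed step is in place) so both init systems drop privileges the same way.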
> > > > diff --git a/package/ntpsec/ntpsec.hash b/package/ntpsec/ntpsec.hash
> > > > new file mode 100644
> > > > index 0000000..49dc4e4
> > > > --- /dev/null
> > > > +++ b/package/ntpsec/ntpsec.hash
> > > > @@ -0,0 +1,4 @@
> > > > +# Locally calculated
> > > > +sha256
> > > 71c9f4bde6953bbc048bbaf278da81c451a56cc08d6772542b4ad37c67d72e89
> > > ntpsec-NTPsec_1_2_1.tar.bz2
> > > > +sha256
> > > b4db4de3317c3b0554ed91eb692968800bdfd6ad2c16ffbeee8ce4895ed91da4
> > > LICENSE.adoc
> > > > +sha256
> > > d3b21470adadd9abd9c6d675378f8c371ac5a4ea6dbec91859e02fadca3c0856
> > > docs/copyright.adoc
> > > > diff --git a/package/ntpsec/ntpsec.mk b/package/ntpsec/ntpsec.mk
> > > > new file mode 100644
> > > > index 0000000..55b4bb0
> > > > --- /dev/null
> > > > +++ b/package/ntpsec/ntpsec.mk
> > > > @@ -0,0 +1,85 @@
> > > >
> > >
> +################################################################################
>
> > > > +#
> > > > +# ntpsec
> > > > +#
> > > >
> > >
> +################################################################################
>
> > > > +
> > > > +NTPSEC_VERSION_MAJOR = 1
> > > > +NTPSEC_VERSION_MINOR = 2
> > > > +NTPSEC_VERSION_POINT = 1
> > > > +NTPSEC_VERSION =
> > >
> $(NTPSEC_VERSION_MAJOR)_$(NTPSEC_VERSION_MINOR)_$(NTPSEC_VERSION_POINT)
> > > > +NTPSEC_SOURCE = ntpsec-NTPsec_$(NTPSEC_VERSION).tar.bz2
> > > > +NTPSEC_SITE =
> > > https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_$(NTPSEC_VERSION)
> > > > +NTPSEC_LICENSE = BSD-2-Clause NTP BSD-3-Clause MIT
> > > > +NTPSEC_LICENSE_FILES = LICENSE.adoc docs/copyright.adoc
> > > > +
> > > > +NTPSEC_CPE_ID_VENDOR = ntpsec
> > > > +NTPSEC_CPE_ID_VERSION =
> $(NTPSEC_VERSION_MAJOR).$(NTPSEC_VERSION_MINOR)
> > > > +NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
> > > > +
> > > > +NTPSEC_DEPENDENCIES = \
> > > > +     $(if $(BR2_PACKAGE_PYTHON),python,python3) \
> > > > +     libbsd \
> > > > +     pps-tools
> > > > +
> > > > +NTPSEC_PYVER = $(if
> > >
> $(BR2_PACKAGE_PYTHON),python$(PYTHON_VERSION_MAJOR),python$(PYTHON3_VERSION_MAJOR))
>
> > > > +
> > > > +NTPSEC_CONF_OPTS = \
> > > > +     CC=$(HOSTCC) \
> > > > +     PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/$(if
> > > $(BR2_PACKAGE_PYTHON),python,python3)-config" \
> > > > +     --cross-compiler="$(TARGET_CC)" \
> > > > +     --cross-cflags="$(TARGET_CFLAGS) -std=gnu99" \
> > > > +     --cross-ldflags="$(TARGET_LDFLAGS)" \
> > > > +     --notests \
> > > > +     --disable-mdns-registration \
> > > > +     --enable-pylib=ffi \
> > > > +     --nopyc \
> > > > +     --nopyo \
> > > > +     --nopycache \
> > > > +     --disable-doc \
> > > > +     --disable-manpage \
> > > > +     --refclock=all \
> > > > +     --libdir=/usr/lib/$(NTPSEC_PYVER)/site-packages/ntp
> > > > +
> > > > +ifeq ($(BR2_PACKAGE_NTPSEC_CLASSIC_MODE),y)
> > > > +NTPSEC_CONF_OPTS += --enable-classic-mode
> > > > +endif
> > > > +
> > > > +ifeq ($(BR2_PACKAGE_NTPSEC_NTS),y)
> > > > +NTPSEC_DEPENDENCIES += openssl
> > > > +else
> > > > +NTPSEC_CONF_OPTS += --disable-nts
> > > > +endif
> > > > +
> > > > +ifeq ($(BR2_PACKAGE_NTPSEC_EARLY_DROPROOT),y)
> > > > +NTPSEC_DEPENDENCIES += libcap
> > > > +NTPSEC_CONF_OPTS += --enable-early-droproot
> > > > +endif
> > > > +
> > > > +ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_SMEAR),y)
> > > > +NTPSEC_CONF_OPTS += --enable-leap-smear
> > > > +endif
> > > > +
> > > > +ifeq ($(BR2_PACKAGE_NTPSEC_LEAP_TESTING),y)
> > > > +NTPSEC_CONF_OPTS += --enable-leap-testing
> > > > +endif
> > > > +
> > > > +define NTPSEC_INSTALL_NTPSEC_CONF
> > > > +     $(INSTALL) -m 644 package/ntpsec/ntpd.etc.conf
> > > $(TARGET_DIR)/etc/ntp.conf
> > > > +endef
> > > > +NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_INSTALL_NTPSEC_CONF
> > > > +
> > > > +define NTPSEC_INSTALL_INIT_SYSV
> > > > +     $(INSTALL) -D -m 755 $(NTPSEC_PKGDIR)/S49ntp
> > > $(TARGET_DIR)/etc/init.d/S49ntp
> > > > +endef
> > > > +
> > > > +define NTPSEC_INSTALL_INIT_SYSTEMD
> > > > +     $(INSTALL) -D -m 644 $(NTPSEC_PKGDIR)/ntpd.service \
> > > > +             $(TARGET_DIR)/usr/lib/systemd/system/ntpd.service
> > > > +endef
> > > > +
> > > > +define NTPSEC_USERS
> > > > +     ntp -1 ntp -1 * - - - ntpd user
> > > > +endef
> > > > +
> > > > +$(eval $(waf-package))
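Review bot: libcap is added to NTPSEC_DEPENDENCIES only inside the BR2_PACKAGE_NTPSEC_EARLY_DROPROOT block, but Config.in selects BR2_PACKAGE_LIBCAP unconditionally and S49ntp always starts ntpd with `-u ntp:ntp`. Without the dependency in the default case, libcap may not yet be in staging when ntpsec is configured, so droproot support can be missing from the binary depending on build order. List libcap in the base NTPSEC_DEPENDENCIES. Separately, NTPSEC_INSTALL_NTPSEC_CONF uses the literal path package/ntpsec/ntpd.etc.conf where the other install hooks use $(NTPSEC_PKGDIR), and the `$(if $(BR2_PACKAGE_PYTHON),...)` branches look redundant given `depends on BR2_PACKAGE_PYTHON3` in Config.in.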
> > >
> > > Will prepare an update of my original patch with the version update and
> > > some of your findings..., feel free to provide your improvements as
> > > add-on patches ;-)
> > >
> > > Regards,
> > > Peter
> > >
> > >
>
>

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


end of thread, other threads:[~2021-12-17  7:58 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-25 21:25 [Buildroot] [PATCH v1] package/ntpsec: new package Peter Seiderer
2021-10-28 21:01 ` Peter Seiderer
2021-10-30 22:56   ` [Buildroot] [uclibc-ng-devel] " Waldemar Brodkorb
2021-11-04 20:30     ` Peter Seiderer
2021-11-11  8:58       ` Waldemar Brodkorb
2021-11-25 20:26         ` Peter Seiderer
2021-12-12 20:07 ` [Buildroot] [PATCH 1/1] " guillaume.bressaix
2021-12-15 20:43   ` Peter Seiderer
2021-12-15 21:21     ` Guillaume Bres
2021-12-15 22:15       ` Peter Seiderer
2021-12-17  7:57         ` Guillaume Bres
