[ubuntu/eoan-proposed] chrony 3.4-4ubuntu1 (Accepted)
Christian Ehrhardt
christian.ehrhardt at canonical.com
Thu May 16 13:27:11 UTC 2019
chrony (3.4-4ubuntu1) eoan; urgency=medium

  * Merge with Debian unstable (LP: #1828992). Remaining changes:
    - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664 1754358)
    - Set -x as default if unable to set time (e.g. in containers) (LP 1589780)
      Chrony is a single service which acts as both NTP client (i.e. syncing the
      local clock) and NTP server (i.e. providing NTP services to the network),
      and that is both desired and expected in the vast majority of cases.
      But in containers syncing the local clock is usually impossible, but this
      shall not break the providing of NTP services to the network.
      To some extent this makes chrony's default config more similar to 'ntpd',
      which complained in syslog but still provided NTP server service in those
      cases.
      + debian/chrony.service: allow the service to run without CAP_SYS_TIME
      + debian/control: add new dependency libcap2-bin for capsh (usually
        installed anyway, but make them explicit to be sure).
      + debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back
        (Default off) [fixed a minor typo in the comment in this update]
      + debian/chronyd-starter.sh: wrapper to handle special cases in containers
        and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in
        containers on a default installation and avoid failing to sync time (or
        if allowed to sync, avoid multiple containers to fight over it by
        accident).
      + debian/install: make chrony-starter.sh available on install.
      + debian/docs, debian/README.container: provide documentation about the
        handling of this case.
    - d/postrm: re-establish systemd-timesyncd on removal (LP 1764357)
    - d/postrm: respect policy-rc.d when restoring systemd-timesyncd
      (LP 1771994)
  * Added Changes:
    - removed d/init to avoid weird interactions between sysV and systemd
  * Dropped Changes:
    - Notify chrony to update sources in response to systemd-networkd
      events (LP: 1718227)
      + d/links: link dispatcher script to networkd-dispatcher events routable
        and off
      + d/control: set Recommends to networkd-dispatcher
      [Those are in Debian, except that we agreed to have networkd-dispatcher
       to only be a Suggests]

chrony (3.4-4) unstable; urgency=medium

  * debian/patches/*:
    - Add allow-further-syscalls-in-seccomp-filter.patch. Supplementing the
      seccomp filter whitelist with those syscalls is a prerequisite, notably for
      the arm64 architecture.

  [ Leigh Brown ]
  * debian/patches/*:
    - Add allow-recv-send-in-seccomp-filter.patch. Necessary on armel and
      ppc64el. Other architectures might also be affected. (Closes: #924494)

chrony (3.4-3) unstable; urgency=medium

  * debian/.gitlab-ci.yml:
    - Check for missing hardening flags.
  * debian/patches/*:
    - Add allow-_llseek-in-seccomp-filter.patch. Needed on various 32-bit
      platforms to log the {raw}measurements and statistics information when
      the seccomp filter is enabled. Thanks a lot to Francesco Poli (wintermute)
      <invernomuto at paranoici.org> for the report. (Closes: #923137)
    - Add allow-waitpid-in-seccomp-filter.patch. Needed to correctly stop
      chronyd on some platforms when the seccomp filter is enabled.

chrony (3.4-2) unstable; urgency=medium

  * debian/.gitlab-ci.yml:
    - Replace home-made GitLab CI with the standard Salsa pipeline.
    - Allow autopkgtest job to fail. The time-sources-from-dhcp-servers test
      currently fails due to a testbed issue on salsa CI.
  * debian/chrony.default:
    - Enable the system call filter by default.
  * debian/control:
    - Bump standard-version to 4.3.0 (no changes required).
    - Use the new debhelper-compat (= 12) notation and drop d/compat.
    - Add Pre-Depends: ${misc:Pre-Depends}. Debhelper compatibility level 12
      makes use of the “--skip-systemd-native” flag from “invoke-rc.d”. Adding
      Pre-Depends: ${misc:Pre-Depends} to d/control ensures that we have a recent
      enough version of “init-system-helpers”.
    - Suggest networkd-dispatcher.
  * debian/copyright:
    - Add myself as a copyright holder for 2019.
  * debian/links:
    - Now that “networkd-dispatcher” is in the Debian archive, link
      NetworkManager dispatcher script to networkd-dispatcher routable and off
      states. Patch cherry-picked from Ubuntu; thanks to Christian Ehrhardt
      <christian.ehrhardt at canonical.com> for working on this.
  * debian/NEWS:
    - Report that a system call filter is now enabled by default and the way
      to disable it if needed.
  * debian/rules:
    - Don’t enable the system call filter on some architectures due to missing
      support in the “libseccomp” and/or the Linux kernel.
  * debian/upstream/:
    - Strip upstream key from extra signatures. Thanks lintian!
    - Remove the Miroslav-Lichvar.txt file as it serves no purpose.
  * debian/usr.sbin.chronyd:
    - Don’t include “tunables/sys”. The etc/apparmor.d/tunables/sys file has
      been deprecated in AppArmor 2.13.1! The @{sys} variable is now defined in
      “tunables/kernelvars” which is included in “tunables/global”.

Date: Tue, 14 May 2019 12:49:30 +0200
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/chrony/3.4-4ubuntu1
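
Added example, not part of the upload notice or of the package: a sketch of the fallback decision the changelog describes for the starter wrapper (serve NTP with -x when the clock cannot or should not be set). It reads the CapEff bitmask from /proc instead of calling capsh as the package does; the function names and the precedence between the checks are assumptions of this example.

```shell
#!/bin/sh
# Added illustration: not the packaged debian/chronyd-starter.sh.
# CAP_SYS_TIME is capability number 25 in <linux/capability.h>.
CAP_SYS_TIME_BIT=25

# has_cap_sys_time HEXMASK
# HEXMASK is a CapEff value from /proc/<pid>/status (hex, no 0x prefix).
# Returns 0 when the CAP_SYS_TIME bit is set, 1 otherwise or on bad input.
has_cap_sys_time() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( (0x$1 >> $CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# chronyd_extra_opts HEXMASK IN_CONTAINER SYNC_IN_CONTAINER
# Prints "-x" (chronyd: do not control the system clock) when chronyd
# should only serve NTP; prints nothing when it may sync the clock.
chronyd_extra_opts() {
    if ! has_cap_sys_time "$1"; then
        echo "-x"    # the clock cannot be set at all
    elif [ "$2" = yes ] && [ "$3" != yes ]; then
        echo "-x"    # it could be set, but the admin has not opted in
    fi
}

# current_capeff: effective capability mask inherited by child processes;
# prints nothing if /proc is unavailable.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# Stand-alone run: report the decision for the current environment.
mask=$(current_capeff) || mask=
in_container=no
if command -v systemd-detect-virt >/dev/null 2>&1 &&
   systemd-detect-virt --container --quiet; then
    in_container=yes
fi
opts=$(chronyd_extra_opts "$mask" "$in_container" "${SYNC_IN_CONTAINER:-no}")
echo "CapEff=${mask:-unknown} container=$in_container extra options: '${opts}'"
```

An unreadable or malformed mask is treated as "capability missing", so the example fails towards -x rather than towards a chronyd that tries to set the clock and exits.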
-------------- next part --------------
Format: 1.8
Date: Tue, 14 May 2019 12:49:30 +0200
Source: chrony
Binary: chrony
Architecture: source
Version: 3.4-4ubuntu1
Distribution: eoan
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Description:
chrony - Versatile implementation of the Network Time Protocol
Closes: 923137 924494
Launchpad-Bugs-Fixed: 1828992
Original-Maintainer: Vincent Blut <vincent.debian at free.fr>