Subject: [bug#37295] [PATCH] services: ntp: Support different NTP server types and options.
From: maxim.cournoyer@gmail.com
Date: Tue, 03 Sep 2019 21:21:44 +0900
Message-ID: <8736hd1sfb.fsf@x200.i-did-not-set--mail-host-address--so-tickle-me>
To: 37295@debbugs.gnu.org

Hello!

This patch series aims at improving our NTP service. While traveling, my date wouldn't be synchronized correctly, due to my hardware clock (the one configurable through the BIOS) being more than 1000 s off the time queried from the NTP servers, and 'ntpd' was not configured by default to allow an initial correction larger than 1000 s.

This patch series fixes this use case (travelling across timezones) and extends the ntp-configuration record to allow specifying different types of NTP servers as well as their options.

Attachment: 0001-services-ntp-Allow-large-adjustment-by-default.patch

From 7b86b4c80077690d2bfeed6211d2b52a596d080d Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer
Date: Tue, 3 Sep 2019 00:42:24 +0900
Subject: [PATCH 1/4] services: ntp: Allow large adjustment by default.

This is documented as best practice in `man ntpd', and is required to allow the date to be set correctly when traveling (without having to manually update the hardware clock in the BIOS/UEFI).

* gnu/services/networking.scm ()[allow-large-adjustment?]: Set the default value to #t.
* doc/guix.texi (Networking Services): Update documentation.
---
 doc/guix.texi               | 2 +-
 gnu/services/networking.scm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi index 031ee53295..50f800ef61 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -12990,7 +12990,7 @@ This is the data type for the NTP service configura= tion. This is the list of servers (host names) with which @command{ntpd} will be synchronized. =20 =2D@item @code{allow-large-adjustment?} (default: @code{#f}) +@item @code{allow-large-adjustment?} (default: @code{#t}) This determines whether @command{ntpd} is allowed to make an initial adjustment of more than 1,000 seconds. =20 diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 376b4ccc4e..e149fe0b69 100644 =2D-- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -315,7 +315,7 @@ Protocol (DHCP) client, on all the non-loopback network= interfaces." (servers ntp-configuration-servers (default %ntp-servers)) (allow-large-adjustment? ntp-allow-large-adjustment? =2D (default #f))) + (default #t))) ;as recommended in the ntpd manu= al =20 (define ntp-shepherd-service (match-lambda =2D-=20 2.23.0 --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0002-services-ntp-Fix-KOD-warning.patch Content-Transfer-Encoding: quoted-printable From=20bc2fe08fd6556a50af5a4209c77938d975f62f8f Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Tue, 3 Sep 2019 10:05:06 +0900 Subject: [PATCH 2/4] services: ntp: Fix KOD warning. Otherwise the following messages would be printed by ntpd: Sep 2 05:18:21 localhost ntpd[15849]: restrict default: KOD does nothing w= ithout LIMITE. Sep 2 05:18:21 localhost ntpd[15849]: restrict ::: KOD does nothing withou= t LIMITED. Debian uses the same set of "restrict" keywords (see: https://sources.debian.org/src/ntp/1:4.2.8p13+dfsg-2/debian/ntp.conf). * gnu/services/networking.scm (ntp-shepherd-service): Add the 'limited' keyword to both the IPv4 and IPv6 'restrict' directives. =2D-- gnu/services/networking.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
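Review bot: on [PATCH 1/4], the doc/guix.texi hunk only flips the default shown for `allow-large-adjustment?` to `#t`; the text should also say what is traded away, because the generated ntpd.conf still carries no authentication (`;; TODO: Add authentication support.` remains in the service definition) and with this default the first response from any configured server may step the clock by an arbitrary amount at startup. A sentence such as "This is convenient when the hardware clock is far off, but it also lets an unauthenticated first response set an arbitrary initial time" would let users who depend on a sane clock for certificate or token validation decide to keep `#f`. The doc text already limits this to the "initial adjustment"; the trailing `;as recommended in the ntpd manual` comment in the networking.scm hunk could repeat that so nobody reads it as permitting repeated >1,000 s steps.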
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index e149fe0b69..13a5c6c98d 100644 =2D-- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -330,8 +330,8 @@ Protocol (DHCP) client, on all the non-loopback network= interfaces." " # Disable status queries as a workaround for CVE-2013-5211: # . =2Drestrict default kod nomodify notrap nopeer noquery =2Drestrict -6 default kod nomodify notrap nopeer noquery +restrict default kod nomodify notrap nopeer noquery limited +restrict -6 default kod nomodify notrap nopeer noquery limited =20 # Yet, allow use of the local 'ntpq'. restrict 127.0.0.1 =2D-=20 2.23.0 --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0003-doc-Add-index-to-find-ntpd.patch Content-Transfer-Encoding: quoted-printable From=2009f98715e4e7795d88c5b02f24c23f6128120a05 Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Tue, 3 Sep 2019 10:13:26 +0900 Subject: [PATCH 3/4] doc: Add index to find 'ntpd'. * doc/guix.texi (Networking Services): Add @cindex to find 'ntpd' =2D-- doc/guix.texi | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/guix.texi b/doc/guix.texi index 50f800ef61..9de0957d14 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -12972,6 +12972,7 @@ objects}). @end deftp =20 @cindex NTP (Network Time Protocol), service +@cindex ntpd, service for the Network Time Protocol daemon @cindex real time clock @defvr {Scheme Variable} ntp-service-type This is the type of the service running the @uref{http://www.ntp.org, =2D-=20 2.23.0 --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: attachment; filename=0004-services-ntp-Support-different-NTP-server-types-and-.patch Content-Transfer-Encoding: quoted-printable From=2026e74f556c121f24241c3b7b7df5ae1a93d22b2d Mon Sep 17 00:00:00 2001 
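Review bot: on [PATCH 2/4], adding `limited` to both `restrict default` lines without a `discard` directive means the rate limits come from ntpd's built-in defaults, which neither the hunk nor the commit message makes visible; either add an explicit `discard` line next to the two restrictions or extend the comment above them to say the defaults are relied upon. That comment (`# Disable status queries as a workaround for CVE-2013-5211:`) also still describes only `noquery`; since `kod limited` is what now rate-limits abusive clients, mentioning it there keeps the two lines self-explaining.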
From: Maxim Cournoyer
Date: Tue, 3 Sep 2019 10:14:59 +0900
Subject: [PATCH 4/4] services: ntp: Support different NTP server types and options.

* gnu/services/networking.scm (ntp-server-types): New enum.
(): New record type.
(ntp-server->string): New procedure.
(%ntp-servers): Define in terms of records. Use the first entrypoint server as a pool instead of a list of static servers. This is more resilient since a new server of the pool can be interrogated on every request. Add the 'iburst' option.
(ntp-configuration-servers): Define a custom accessor that warns about but honors the now deprecated server format.
(): Use it.
* tests/networking.scm: Test it.
* doc/guix.texi: Document it.
---
 doc/guix.texi               |  31 ++++++++++-
 gnu/services/networking.scm | 100 ++++++++++++++++++++++++++++++------
 tests/networking.scm        |  50 ++++++++++++++++++
 3 files changed, 163 insertions(+), 18 deletions(-)
 create mode 100644 tests/networking.scm
diff --git a/doc/guix.texi b/doc/guix.texi index 9de0957d14..e76c9322d8 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -12988,8 +12988,9 @@ This is the data type for the NTP service configura= tion. =20 @table @asis @item @code{servers} (default: @code{%ntp-servers}) =2DThis is the list of servers (host names) with which @command{ntpd} will = be =2Dsynchronized. +This is the list of servers (@code{} records) with which +@command{ntpd} will be synchronized. See the @code{ntp-server} data type +definition below. =20 @item @code{allow-large-adjustment?} (default: @code{#t}) This determines whether @command{ntpd} is allowed to make an initial 
@@ -13005,6 +13006,32 @@ List of host names used as the default NTP servers= . These are servers of the @uref{https://www.ntppool.org/en/, NTP Pool Project}. @end defvr =20 +@deftp {Data Type} ntp-server +The data type representing the configuration of a NTP server. + +@table @asis +@item @code{type} (default: @code{'server}) +The type of the NTP server, given as a symbol. One of @code{'pool}, +@code{'server}, @code{'peer}, @code{'broadcast} or @code{'manycastclient}. + +@item @code{address} +The address of the server, as a string. + +@item @code{options} +NTPD options to use with that specific server, given as a list of option n= ames +and/or of option names and values tuples. The following example define a s= erver +to use with the options @option{iburst} and @option{prefer}, as well as +@option{version} 3 and a @option{maxpoll} time of 16 seconds. + +@example +(ntp-server + (type 'server) + (address "some.ntp.server.org") + (options `(iburst (version 3) (maxpoll 16) prefer)))) +@end example +@end table +@end deftp + @cindex OpenNTPD @deffn {Scheme Procedure} openntpd-service-type Run the @command{ntpd}, the Network Time Protocol (NTP) daemon, as impleme= nted diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 13a5c6c98d..752a165941 100644 =2D-- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -51,6 +51,7 @@ #:use-module (guix records) #:use-module (guix modules) #:use-module (guix deprecation) + #:use-module (rnrs enums) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-26) @@ -72,10 +73,18 @@ dhcpd-configuration-pid-file dhcpd-configuration-interfaces =20 =2D %ntp-servers =2D ntp-configuration ntp-configuration? + ntp-configuration-ntp + ntp-configuration-servers + ntp-allow-large-adjustment? + + %ntp-servers + ntp-server + ntp-server-type + ntp-server-address + ntp-server-options + ntp-service ntp-service-type =20 
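Review bot: the `@example` in the new `ntp-server` `@deftp` has one closing parenthesis too many: `(options `(iburst (version 3) (maxpoll 16) prefer))))` needs three closers (the quasiquoted list, `options`, `ntp-server`) but has four, so the snippet will not read back if pasted into a configuration. In the same hunk, "a NTP server" should be "an NTP server", "The following example define a server" should be "defines", and "a list of option names and/or of option names and values tuples" reads better as "a list of option names and/or (name value) pairs". The `type` entry could also say that the symbol is checked only when the configuration is serialized, since an unknown type is rejected with `Invalid NTP server type` at that point rather than when the record is built.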
@@ -292,31 +301,87 @@ Protocol (DHCP) client, on all the non-loopback netwo= rk interfaces." (list (service-extension shepherd-root-service-type dhcpd-shepherd-ser= vice) (service-extension activation-service-type dhcpd-activation))))) =20 =2D(define %ntp-servers =2D ;; Default set of NTP servers. These URLs are managed by the NTP Pool = project. =2D ;; Within Guix, Leo Famulari is the administrative= contact =2D ;; for this NTP pool "zone". =2D '("0.guix.pool.ntp.org" =2D "1.guix.pool.ntp.org" =2D "2.guix.pool.ntp.org" =2D "3.guix.pool.ntp.org")) =2D ;;; ;;; NTP. ;;; =20 =2D;; TODO: Export. +(define ntp-server-types (make-enumeration + '(pool + server + peer + broadcast + manycastclient))) + +(define-record-type* + ntp-server make-ntp-server + ntp-server? + ;; The type can be one of the symbols of the NTP-SERVER-TYPE? enumeratio= n. + (type ntp-server-type + (default 'server)) + (address ntp-server-address) ; a string + ;; The list of options can contain single option names or tuples in the = form + ;; '(name value). + (options ntp-server-options + (default '()))) + +(define (ntp-server->string ntp-server) + ;; Serialize the NTP server object as a string, ready to use in the NTP + ;; configuration file. + (define (flatten lst) + (reverse + (let loop ((x lst) + (res '())) + (if (list? x) + (fold loop res x) + (cons (format #f "~s" x) res))))) + + (match ntp-server + (($ type address options) + ;; XXX: It'd be neater if fields were validated at the syntax level (= for + ;; static ones at least). Perhaps the Guix record type could support= a + ;; predicate property on a field? + (unless (enum-set-member? type ntp-server-types) + (error "Invalid NTP server type" type)) + (string-join (cons* (symbol->string type) + address + (flatten options)))))) + +(define %ntp-servers + ;; Default set of NTP servers. These URLs are managed by the NTP Pool pr= oject. + ;; Within Guix, Leo Famulari is the administrative c= ontact + ;; for this NTP pool "zone". 
+ (list + (ntp-server + (type 'pool) + (address "0.guix.pool.ntp.org") + (options '("iburst"))))) ;as recommended in the ntpd man= ual + (define-record-type* ntp-configuration make-ntp-configuration ntp-configuration? (ntp ntp-configuration-ntp (default ntp)) =2D (servers ntp-configuration-servers + (servers %ntp-configuration-servers ;list of objects (default %ntp-servers)) (allow-large-adjustment? ntp-allow-large-adjustment? (default #t))) ;as recommended in the ntpd manu= al =20 +(define (ntp-configuration-servers ntp-configuration) + ;; A wrapper to support the deprecated form of this field. + (let ((ntp-servers (%ntp-configuration-servers ntp-configuration))) + (match ntp-servers + (((? string?) (? string?) ...) + (format (current-error-port) "warning: Defining NTP servers as stri= ngs is \ +deprecated. Please use records instead.\n") + (map (lambda (addr) + (ntp-server + (type 'server) + (address addr) + (options '()))) ntp-servers)) + ((($ ) ($ ) ...) + ntp-servers)))) + (define ntp-shepherd-service (match-lambda (($ ntp servers allow-large-adjustment?) @@ -324,8 +389,7 @@ Protocol (DHCP) client, on all the non-loopback network= interfaces." ;; TODO: Add authentication support. (define config (string-append "driftfile /var/run/ntpd/ntp.drift\n" =2D (string-join (map (cut string-append "server " <= >) =2D servers) + (string-join (map ntp-server->string servers) "\n") " # Disable status queries as a workaround for CVE-2013-5211: @@ -335,7 +399,11 @@ restrict -6 default kod nomodify notrap nopeer noquery= limited =20 # Yet, allow use of the local 'ntpq'. restrict 127.0.0.1 =2Drestrict -6 ::1\n")) +restrict -6 ::1 + +# This is required to use servers from a pool directive when using the 'no= peer' +# option by default, as documented in the 'ntp.conf' manual. +restrict source notrap nomodify noquery\n")) =20 (define ntpd.conf (plain-file "ntpd.conf" config)) 
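Review bot: in the `@@ -292,31 +301,87 @@` hunk, `ntp-server->string` serializes every flattened option with `(format #f "~s" x)`, which writes strings with their quotes; the new `%ntp-servers` in the same hunk passes `(options '("iburst"))`, so the generated line is `pool 0.guix.pool.ntp.org "iburst"` and not the bare `iburst` keyword ntpd expects. Use `~a` there, or make the default `'(iburst)` to match the doc example, and add a test that serializes `(car %ntp-servers)`. The procedure also joins `address` and the options into the config file verbatim, so a value containing whitespace or a newline becomes additional directives; the `enum-set-member?` check is already a validation point, so reject non-single-token addresses there too, or better, move both checks into a `sanitize` on the record fields so the error surfaces where the user wrote the configuration (the field comment also refers to an `NTP-SERVER-TYPE?` enumeration while the binding is `ntp-server-types`). Finally, the deprecation path in `ntp-configuration-servers` writes to `(current-error-port)` directly even though `(guix deprecation)` is imported, and its two `match` clauses only accept a non-empty list of all strings or all records: `'()` or a mixed list falls through to a bare match error instead of a message naming the field.

Review bot: in the `@@ -324,8 +389,7 @@` hunk, `ntp-shepherd-service` still destructures the record positionally with `($ ntp servers allow-large-adjustment?)`, so `servers` is the raw field and the new `ntp-configuration-servers` wrapper that converts the deprecated list of strings is never consulted; a configuration in the old form reaches `(map ntp-server->string servers)` as plain strings and fails inside `match` instead of being converted with a warning. Bind `servers` via `(ntp-configuration-servers config)` here rather than through the `$` pattern.

Review bot: in the `@@ -335,7 +399,11 @@` hunk, the added `restrict source notrap nomodify noquery` applies to every server ntpd learns of, pool members included, and unlike the `restrict default` lines above it carries neither `kod` nor `limited`. That matches the template the hunk's comment attributes to the ntp.conf manual, but the comment should state the asymmetry on purpose ("intentionally without kod/limited so pool members are not rate-limited") so the missing keywords are not later "fixed" by copying them down from the default lines.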
diff --git a/tests/networking.scm b/tests/networking.scm new file mode 100644 index 0000000000..001d7df74d =2D-- /dev/null +++ b/tests/networking.scm 
@@ -0,0 +1,50 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright =C2=A9 2019 Maxim Cournoyer +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (tests networking) + #:use-module (gnu services networking) + #:use-module (srfi srfi-64)) + +;;; Tests for the (gnu services networking) module. + +(define ntp-server->string (@@ (gnu services networking) ntp-server->strin= g)) + +(define %ntp-server-sample + (ntp-server + (type 'server) + (address "some.ntp.server.org") + (options `(iburst (version 3) (maxpoll 16) prefer)))) + +(test-begin "networking") + +(test-equal "ntp-server->string" + (ntp-server->string %ntp-server-sample) + "server some.ntp.server.org iburst version 3 maxpoll 16 prefer") + +(test-equal "ntp configuration servers deprecated form" + (ntp-configuration-servers + (ntp-configuration + (servers (list (ntp-server + (type 'server) + (address "example.pool.ntp.org") + (options '())))))) + (ntp-configuration-servers + (ntp-configuration + (servers (list "example.pool.ntp.org"))))) + +(test-end "networking") =2D-=20 2.23.0
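Review bot: the tests in tests/networking.scm only exercise symbol and number options; a case for the shipped default, e.g. `(test-equal "ntp-server->string default pool" "pool 0.guix.pool.ntp.org iburst" (ntp-server->string (car %ntp-servers)))`, would fail today because the default uses the string `"iburst"` and the serializer writes it with `~s`, and it would pin the exact text that lands in ntpd.conf. The deprecated-form test also prints the deprecation warning on stderr on every run, which is expected, but a third case for an empty `servers` list would document whether `'()` is meant to be accepted (it currently raises a match error in `ntp-configuration-servers`).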