Subject: [bug#29483] [PATCH] services: Add openntpd service.
Date: Fri, 2 Mar 2018 16:02:11 +0200
From: Efraim Flashner
To: Ludovic Courtès
Cc: 29483@debbugs.gnu.org
Message-ID: <20180302140211.GA3213@macbook41>
In-Reply-To: <871shzbgoz.fsf@gnu.org>

On Mon, Feb 05, 2018 at 04:26:52PM +0100, Ludovic Courtès wrote:
> Heya Efraim,
> 
> > +(define openntpd-shepherd-service
> > +  (match-lambda
> > +    (($ openntpd openntpd-listen-on
> > +        openntpd-query-from openntpd-sensor openntpd-server
> > +        openntpd-servers openntpd-constraint-from
> > +        openntpd-constraints-from allow-large-adjustment?)
> 
> This is error prone (you could be matching the wrong fields), could you
> change that to ‘match-record’?
> 

I think this is the only thing left over. I compared my fields to murmur,
and for murmur we're looking at true/false or a single value. Other than
'openntpd' and 'allow-large-adjustment?' each is a list, because they can
all be lists, and I didn't want to make the logic phase of generating the
config file immensely long. Currently:

  (match-lambda
    (($ openntpd openntpd-listen-on
        openntpd-query-from openntpd-sensor openntpd-server
        openntpd-servers openntpd-constraint-from
        openntpd-constraints-from allow-large-adjustment?)
     (let ()
       (define config
         (string-join
          (filter-map (lambda (field value)
                        (string-join
                         (map (cut string-append field <> "\n")
                              value)))
                      '("listen on " "query from " "sensor " "server " "servers "
                        "constraint from ")
                      (list openntpd-listen-on openntpd-query-from openntpd-sensor
                            openntpd-server openntpd-servers openntpd-constraint-from))
          ;; The 'constraints from' field needs to be enclosed in double quotes.
          (string-join
           (map (cut string-append "constraints from \"" <> "\"\n")
                openntpd-constraints-from))))

Otherwise I suppose I'd be looking more at the following for most fields:

  (match-record
    ...
    (if (not (null-list? openntpd-listen-on))
        (lambda (value) (string-append "listen on " value "\n") value)
        '())
    ...

Currently, to use the defaults I have

  (service openntpd-service-type
           (openntpd-configuration))

which obviously isn't ideal.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Content-Disposition: attachment; filename="0001-services-Add-openntpd-service.patch"

From 7db57baceadf509407068cd969d24f107ee8a027 Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Tue, 28 Nov 2017 10:19:11 +0200
Subject: [PATCH] services: Add openntpd service.

* gnu/packages/ntp.scm (openntpd)[arguments]: Add 'configure-flags to set
openntpd daemon's user and localstatedir. Add a custom phase to not try to
create said directory at install time.
* gnu/services/networking.scm (): New record type.
(openntpd-shepherd-service, openntpd-service-activation): New procedures.
(openntpd-service-type): New variable.
* doc/guix.texi (Networking Services): Add openntpd documentation.
--- doc/guix.texi | 55 ++++++++++++++++++++++++- gnu/packages/ntp.scm | 13 +++++- gnu/services/networking.scm | 98 +++++++++++++++++++++++++++++++++++++++++= +++- 3 files changed, 163 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index f9d7e13e2..100b23215 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -24,7 +24,7 @@ Copyright @copyright{} 2015, 2016, 2017 Leo Famulari@* Copyright @copyright{} 2015, 2016, 2017, 2018 Ricardo Wurmus@* Copyright @copyright{} 2016 Ben Woodcroft@* Copyright @copyright{} 2016, 2017 Chris Marusich@* -Copyright @copyright{} 2016, 2017 Efraim Flashner@* +Copyright @copyright{} 2016, 2017, 2018 Efraim Flashner@* Copyright @copyright{} 2016 John Darrington@* Copyright @copyright{} 2016, 2017 ng0@* Copyright @copyright{} 2016, 2017 Jan Nieuwenhuizen@* 
@@ -10718,6 +10718,59 @@ make an initial adjustment of more than 1,000 seco= nds. List of host names used as the default NTP servers. @end defvr =20 +@cindex OpenNTPD +@deffn {Scheme Procedure} openntpd-service-type +Run the @command{ntpd}, the Network Time Protocol (NTP) daemon, as impleme= nted +by @uref{http://www.openntpd.org, OpenNTPD}. The daemon will keep the sys= tem +clock synchronized with that of the given servers. + +@example +(service + openntpd-service-type + (openntpd-configuration + (listen-on '("127.0.0.1" "::1")) + (sensor '("udcf0 correction 70000")) + (constraint-from '("www.gnu.org")) + (constraints-from '("https://www.google.com/")) + (allow-large-adjustment? #t))) + +@end example +@end deffn + +@deftp {Data Type} openntpd-configuration +@table @asis +@item @code{openntpd} (default: @code{(file-append openntpd "/sbin/ntpd")}) +The openntpd executable to use. +@item @code{listen-on} (default: @code{'("127.0.0.1" "::1")}) +A list of local IP addresses or hostnames the ntpd daemon should listen on. +@item @code{query-from} (default: @code{'()}) +A list of local IP address the ntpd daemon should use for outgoing queries. +@item @code{sensor} (default: @code{'()}) +Specify a list of timedelta sensor devices ntpd should use. @code{ntpd} +will listen to each sensor that acutally exists and ignore non-existant on= es. +See @uref{https://man.openbsd.org/ntpd.conf, upstream documentation} for m= ore +information. +@item @code{server} (default: @var{%ntp-servers}) +Specify a list of IP addresses or hostnames of NTP servers to synchronize = to. +@item @code{servers} (default: @code{'()}) +Specify a list of IP addresses or hostnames of NTP pools to synchronize to. +@item @code{constraint-from} (default: @code{'()}) +@code{ntpd} can be configured to query the =E2=80=98Date=E2=80=99 from tru= sted HTTPS servers via TLS. 
+This time information is not used for precision but acts as an authenticat= ed +constraint, thereby reducing the impact of unauthenticated NTP +man-in-the-middle attacks. +Specify a list of URLs, IP addresses or hostnames of HTTPS servers to prov= ide +a constraint. +@item @code{constraints-from} (default: @code{'()}) +As with constraint from, specify a list of URLs, IP addresses or hostnames= of +HTTPS servers to provide a constraint. Should the hostname resolve to mul= tiple +IP addresses, @code{ntpd} will calculate a median constraint from all of t= hem. +@item @code{allow-large-adjustment?} (default: @code{#f}) +Determines if @code{ntpd} is allowed to make an initial adjustment of more +than 180 seconds. +@end table +@end deftp + @cindex inetd @deffn {Scheme variable} inetd-service-type This service runs the @command{inetd} (@pxref{inetd invocation,,, diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm index d270f513d..1c3b8cd31 100644 --- a/gnu/packages/ntp.scm +++ b/gnu/packages/ntp.scm @@ -3,7 +3,7 @@ ;;; Copyright =C2=A9 2014, 2015 Mark H Weaver ;;; Copyright =C2=A9 2015 Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer ;;; Copyright =C2=A9 2015 Ludovic Court=C3=A8s -;;; Copyright =C2=A9 2016, 2017 Efraim Flashner +;;; Copyright =C2=A9 2016, 2017, 2018 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -107,6 +107,17 @@ computers over a network.") (base32 "0fn12i4kzsi0zkr4qp3dp9bycmirnfapajqvdfx02zhr4hanj0kv")))) (build-system gnu-build-system) + (arguments + '(#:configure-flags '("--with-privsep-user=3Dntpd" + "--localstatedir=3D/var") + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'modify-install-locations + (lambda _ + ;; Don't try to create /var/run or /var/db + (substitute* "src/Makefile.in" + (("DESTDIR\\)\\$\\(localstatedir") "TMPDIR")) + #t))))) (inputs `(("libressl" ,libressl))) ; enable TLS time constraints. See ntpd.co= nf(5). (home-page "http://www.openntpd.org/") 
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 5ba3c5eed..c59ff85bc 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2015 Mark H Weaver -;;; Copyright =C2=A9 2016 Efraim Flashner +;;; Copyright =C2=A9 2016, 2018 Efraim Flashner ;;; Copyright =C2=A9 2016 John Darrington ;;; Copyright =C2=A9 2017 Cl=C3=A9ment Lassieur ;;; Copyright =C2=A9 2017 Thomas Danckaert @@ -64,6 +64,10 @@ ntp-service ntp-service-type =20 + openntpd-configuration + openntpd-configuration? + openntpd-service-type + inetd-configuration inetd-entry inetd-service-type 
@@ -446,6 +450,98 @@ make an initial adjustment of more than 1,000 seconds." (allow-large-adjustment? allow-large-adjustment?)))) =20 +(define-record-type* + openntpd-configuration make-openntpd-configuration + openntpd-configuration? + (openntpd openntpd-configuration-openntpd + (default openntpd)) + (listen-on openntpd-listen-on + (default '("127.0.0.1" + "::1"))) + (query-from openntpd-query-from + (default '())) + (sensor openntpd-sensor + (default '())) + (server openntpd-server + (default %ntp-servers)) + (servers openntpd-servers + (default '())) + (constraint-from openntpd-constraint-from + (default '())) + (constraints-from openntpd-constriants-from + (default '())) + (allow-large-adjustment? openntpd-allow-large-adjustment? + (default #f))) ; upstream default + +(define openntpd-shepherd-service + (match-lambda + (($ openntpd openntpd-listen-on + openntpd-query-from openntpd-sensor openntpd-server + openntpd-servers openntpd-constraint-from + openntpd-constraints-from allow-large-adjustment?) + (let () + (define config + (string-join + (filter-map (lambda (field value) + (string-join + (map (cut string-append field <> "\n") + value))) + '("listen on " "query from " "sensor " "server " "servers " + "constraint from ") + (list openntpd-listen-on openntpd-query-from openntpd-sens= or + openntpd-server openntpd-servers openntpd-constraint= -from)) + ;; The 'constraints from' field needs to be enclosed in double = quotes. + (string-join + (map (cut string-append "constraints from \"" <> "\"\n") + openntpd-constraints-from)))) + + (define ntpd.conf + (plain-file "ntpd.conf" config)) + + (list (shepherd-service + (provision '(ntpd)) + (documentation "Run the Network Time Protocol (NTP) daemon.") + (requirement '(user-processes networking)) + (start #~(make-forkexec-constructor + (list (string-append #$openntpd "/sbin/ntpd") + "-f" #$ntpd.conf + "-d" ;; don't daemonize + #$@(if allow-large-adjustment? 
+ '("-s") + '())) + ;; When ntpd is daemonized it repeatedly tries to = respawn + ;; while running, leading shepherd to disable it. = To + ;; prevent spamming stderr, redirect output to log= file. + #:log-file "/var/log/ntpd")) + (stop #~(make-kill-destructor)))))))) + +(define (openntpd-service-activation config) + "Return the activation gexp for CONFIG." + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + + (mkdir-p "/var/db") + (mkdir-p "/var/run") + (unless (file-exists? "/var/db/ntpd.drift") + (with-output-to-file "/var/db/ntpd.drift" + (lambda _ + (format #t "0.0"))))))) + +(define openntpd-service-type + (service-type (name 'openntpd) + (extensions + (list (service-extension shepherd-root-service-type + openntpd-shepherd-service) + (service-extension account-service-type + (const %ntp-accounts)) + (service-extension activation-service-type + openntpd-service-activation))) + (description + "Run the @command{ntpd}, the Network Time Protocol (NTP) +daemon, as implemented by @uref{http://www.openntpd.org, OpenNTPD}. The +daemon will keep the system clock synchronized with that of the given serv= ers."))) + =0C ;;; ;;; Inetd. 
-- 
2.16.2
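Review bot: in the doc/guix.texi hunk at @@ -10718, `@deffn {Scheme Procedure} openntpd-service-type` documents a service-type variable as a procedure; the neighbouring `inetd-service-type` entry uses `@deffn {Scheme variable}` and `%ntp-servers` uses `@defvr`, so one of those forms should be used here. The documented default for `openntpd`, `(file-append openntpd "/sbin/ntpd")`, does not match the record definition in the networking.scm hunk, where the default is the bare `openntpd` package and `/sbin/ntpd` is appended in the start gexp; the manual and the code should agree on which value the field holds. Also in this hunk: 'acutally' should be 'actually', 'non-existant' should be 'non-existent', 'A list of local IP address' should be 'addresses', and 'Run the @command{ntpd}, the Network Time Protocol (NTP) daemon' reads better as 'Run @command{ntpd}, the Network Time Protocol (NTP) daemon'.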
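Review bot: in the gnu/packages/ntp.scm hunk at @@ -107, the `substitute*` in 'modify-install-locations turns `$(DESTDIR)$(localstatedir)` into `$(TMPDIR)`, so the install rules for the `run` and `db` directories still execute, just under whatever TMPDIR is set to in the build environment; removing those rules from src/Makefile.in outright would match the comment "Don't try to create /var/run or /var/db" more directly and would not depend on TMPDIR being set. The `--with-privsep-user=ntpd` flag also has to name the same account that `%ntp-accounts` creates, since the service in the networking.scm hunk reuses that account list and ntpd exits at startup if its privilege-separation user does not exist; worth a one-line comment next to the flag.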
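Review bot: in the gnu/services/networking.scm hunk at @@ -446, `define config` in `openntpd-shepherd-service` passes the `constraints from` block as the second argument of the outer `string-join`, i.e. as the delimiter, so it is emitted between every pair of field groups (up to five times) instead of once; the inner `string-join` calls also use the default single-space delimiter, which puts a leading space on every line after the first within a group. Build each group with `string-concatenate` (or `string-join ... ""`) and `append` the constraints lines onto the list rather than passing them as a delimiter. `filter-map` filters nothing here because `string-join` always returns a string and never #f, so plain `map` states the intent. The accessor `openntpd-constriants-from` in the record definition is misspelled. The `($ openntpd openntpd-listen-on ...)` pattern binds the record fields by position, so a later reordering of the `define-record-type*` (for example swapping `server` and `servers`) would silently swap the generated `server` and `servers` lines; `match-record`, as already requested in the thread, names the fields and removes that risk. The `description` string, like the manual text, should read 'Run @command{ntpd}, the Network Time Protocol (NTP) daemon'.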