This update for chrony fixes the following issues:
Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
- Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
- Add source-specific configuration of trusted certificates
- Allow multiple files and directories with trusted certificates
- Allow multiple pairs of server keys and certificates
- Add copy option to server/pool directive
- Increase PPS lock limit to 40% of pulse interval
- Perform source selection immediately after loading dump files
- Reload dump files for addresses negotiated by NTS-KE server
- Update seccomp filter and add less restrictive level
- Restart ongoing name resolution on online command
- Fix dump files to not include uncorrected offset
- Fix initstepslew to accept time from own NTP clients
- Reset NTP address and port when no longer negotiated by NTS-KE
server
- Ensure the correct pool packages are installed for openSUSE
and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
over chrony-pool-empty. (bsc#1194229)
- Enable syscallfilter unconditionally [bsc#1181826].
Update to 4.0
- Enhancements
  - Add support for Network Time Security (NTS) authentication
  - Add support for AES-CMAC keys (AES128, AES256) with Nettle
  - Add authselectmode directive to control selection of
    unauthenticated sources
  - Add binddevice, bindacqdevice, bindcmddevice directives
  - Add confdir directive to better support fragmented
    configuration
  - Add sourcedir directive and 'reload sources' command to
    support dynamic NTP sources specified in files
  - Add clockprecision directive
  - Add dscp directive to set Differentiated Services Code Point
    (DSCP)
  - Add -L option to limit log messages by severity
  - Add -p option to print whole configuration with included
    files
  - Add -U option to allow start under non-root user
  - Allow maxsamples to be set to 1 for faster update with -q/-Q
    option
  - Avoid replacing NTP sources with sources that have
    unreachable address
  - Improve pools to repeat name resolution to get 'maxsources'
    sources
  - Improve source selection with trusted sources
  - Improve NTP loop test to prevent synchronisation to itself
  - Repeat iburst when NTP source is switched from offline state
    to online
  - Update clock synchronisation status and leap status more
    frequently
  - Update seccomp filter
  - Add 'add pool' command
  - Add 'reset sources' command to drop all measurements
  - Add authdata command to print details about NTP
    authentication
  - Add selectdata command to print details about source
    selection
  - Add -N option and sourcename command to print original names
    of sources
  - Add -a option to some commands to print also unresolved
    sources
  - Add -k, -p, -r options to clients command to select, limit,
    reset data
- Bug fixes
  - Don’t set interface for NTP responses to allow asymmetric
    routing
  - Handle RTCs that don’t support interrupts
  - Respond to command requests with correct address on
    multihomed hosts
- Removed features
  - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
  - Drop support for long (non-standard) MACs in NTPv4 packets
    (chrony 2.x clients using non-MD5/SHA1 keys need to use
    option 'version 3')
  - Drop support for line editing with GNU Readline
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Update to 3.5.1:
- Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
Update to 3.5:
- Add support for more accurate reading of PHC on Linux 5.0
- Add support for hardware timestamping on interfaces with read-only timestamping configuration
- Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
- Update seccomp filter to work on more architectures
- Validate refclock driver options
- Fix bindaddress directive on FreeBSD
- Fix transposition of hardware RX timestamp on Linux 4.13 and later
- Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service
(bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers to
fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
should be no executables in /usr/share.
Update to version 3.4
- Enhancements
  - Add filter option to server/pool/peer directive
  - Add minsamples and maxsamples options to hwtimestamp directive
  - Add support for faster frequency adjustments in Linux 4.19
  - Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
    without root privileges to remove it on exit
  - Disable sub-second polling intervals for distant NTP sources
  - Extend range of supported sub-second polling intervals
  - Get/set IPv4 destination/source address of NTP packets on FreeBSD
  - Make burst options and command useful with short polling intervals
  - Modify auto_offline option to activate when sending request failed
  - Respond from interface that received NTP request if possible
  - Add onoffline command to switch between online and offline state
    according to current system network configuration
  - Improve example NetworkManager dispatcher script
- Bug fixes
  - Avoid waiting in Linux getrandom system call
  - Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
- Enhancements:
  - Add burst option to server/pool directive
  - Add stratum and tai options to refclock directive
  - Add support for Nettle crypto library
  - Add workaround for missing kernel receive timestamps on Linux
  - Wait for late hardware transmit timestamps
  - Improve source selection with unreachable sources
  - Improve protection against replay attacks on symmetric mode
  - Allow PHC refclock to use socket in /var/run/chrony
  - Add shutdown command to stop chronyd
  - Simplify format of response to manual list command
  - Improve handling of unknown responses in chronyc
- Bug fixes:
  - Respond to NTPv1 client requests with zero mode
  - Fix -x option to not require CAP_SYS_TIME under non-root user
  - Fix acquisitionport directive to work with privilege separation
  - Fix handling of socket errors on Linux to avoid high CPU usage
  - Fix chronyc to not get stuck in infinite loop after clock step