overlay coreos-base/misc-files: Add net-misc/ntp customizations

These are following things:

- adding notrap to restrict option in ntp.conf
- setting Flatcar-specific NTP servers in ntp.conf
- setting Restart=always for ntpd.service
- setting up environment for sntp and ntpdate

Author: krnowak

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp-environment.conf

@@ -0,0 +1,2 @@
+[Service]
+Environment="SERVER=0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp.conf

@@ -0,0 +1,60 @@
+# NOTES:
+# DHCP clients can append or replace NTP configuration files.
+# You should consult your DHCP client documentation about its
+# default behaviour and how to change it.
+
+# Name of the servers ntpd should sync with
+# Please respect the access policy as stated by the responsible person.
+#server		ntp.example.tld		iburst
+
+# Common pool for random people
+#server pool.ntp.org
+
+# Pools for Flatcar users
+server 0.flatcar.pool.ntp.org
+server 1.flatcar.pool.ntp.org
+server 2.flatcar.pool.ntp.org
+server 3.flatcar.pool.ntp.org
+
+##
+# A list of available servers can be found here:
+# http://www.pool.ntp.org/
+# http://www.pool.ntp.org/#use
+# A good way to get servers for your machine is:
+# netselect -s 3 pool.ntp.org
+##
+
+# you should not need to modify the following paths
+driftfile	/var/lib/ntp/ntp.drift
+
+#server ntplocal.example.com prefer
+#server timeserver.example.org
+
+# Warning: Using default NTP settings will leave your NTP
+# server accessible to all hosts on the Internet.
+
+# If you want to deny all machines (including your own)
+# from accessing the NTP server, uncomment:
+#restrict default ignore
+
+
+# Default configuration:
+# - Allow only time queries, at a limited rate, sending KoD when in excess.
+# - Allow all local queries (IPv4, IPv6)
+# From commit da515112395ea7ce0da7cba7103de65d53fc93c9:
+#
+# net-misc/ntp: add notrap to default restrict config
+#
+# It's a common security hardening option and doesn't seem likely to
+# affect any actual usage.
+restrict default nomodify nopeer noquery notrap limited kod
+restrict 127.0.0.1
+restrict [::1]
+
+
+# To allow machines within your network to synchronize
+# their clocks with your server, but ensure they are
+# not allowed to configure the server or used as peers
+# to synchronize against, uncomment this line.
+#
+#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntpd-always-restart.conf

@@ -0,0 +1,14 @@
+[Service]
+# From commit 5e5abb4d7ea48a9238b9baa22941fda6a6bbda8c:
+#
+# ntpd: always restart, required to handle large time jumps.
+#
+# Some VM platforms suspend machines by simply stopping them instead of
+# gracefully suspending them like real hardware would. This means that
+# when the system is resumed the kernel's time will be completely wrong
+# and it doesn't have a way to fix it. Additionally ntp will abort if the
+# clock offset is greater than 1000 seconds (conveniently without logging
+# any error messages). We can tune that in ntp.conf but ntpd has so many
+# knobs related to how it skews the clock and other update strategies that
+# the easiest option is to just restart.
+Restart=always

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild renamed to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild

@@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
-IUSE="openssh"
+IUSE="openssh ntp"
 
 # No source directory.
 S="${WORKDIR}"
@@ -31,6 +31,7 @@ DEPEND="
 RDEPEND="
 	${DEPEND}
 	>=app-shells/bash-5.2_p15-r2
+	ntp? ( >=net-misc/ntp-4.2.8_p17 )
 "
 
 declare -A CORE_BASH_SYMLINKS
@@ -57,6 +58,24 @@ src_compile() {
     LC_ALL=C sort "${config_tmp}" >"${config}"
 }
 
+misc_files_install_dropin() {
+    local unit conf
+    unit=${1}; shift
+    conf=${1}; shift
+
+    [[ -n ${unit} ]] || die "No unit specified"
+    [[ -n ${conf} ]] || die "No conf file specified"
+    [[ ${conf} = *.conf ]] || die "Conf file must have .conf suffix"
+
+    local override_dir
+    override_dir="$(systemd_get_systemunitdir)/${unit}.d"
+    (
+        insopts -m 0644
+        insinto "${override_dir}"
+        doins "${conf}"
+    )
+}
+
 src_install() {
     # Use absolute paths to be clear about what locations are used. The
     # dosym below will make relative paths out of them.
@@ -85,6 +104,11 @@ src_install() {
             ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
         )
     fi
+    if use ntp; then
+        compat_symlinks+=(
+            ['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf'
+        )
+    fi
 
     local link target
     for link in "${!compat_symlinks[@]}"; do
@@ -133,16 +157,20 @@ src_install() {
 
         # Install our socket drop-in file that disables the rate
         # limiting on the sshd socket.
-        local override_dir
-        override_dir="$(systemd_get_systemunitdir)/sshd.socket.d"
-        dodir "${override_dir}"
-        insinto "${override_dir}"
-        doins "${FILESDIR}/no-trigger-limit-burst.conf"
+        misc_files_install_dropin sshd.socket "${FILESDIR}/no-trigger-limit-burst.conf"
 
         # Enable some sockets that aren't enabled by their own ebuilds.
         systemd_enable_service sockets.target sshd.socket
     fi
 
+    if use ntp; then
+        insinto /etc
+        doins "${FILESDIR}/ntp.conf"
+        misc_files_install_dropin ntpd.service "${FILESDIR}/ntpd-always-restart.conf"
+        misc_files_install_dropin ntpdate.service "${FILESDIR}/ntp-environment.conf"
+        misc_files_install_dropin sntp.service "${FILESDIR}/ntp-environment.conf"
+    fi
+
     # Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/...
     # (The below keepdir will result in a tmpfiles entry in base_image_var.conf)
     keepdir /var/kubernetes/kubelet-plugins/volume/exec