Merge pull request #1392 from flatcar/krnowak/dev-libs-automation

Put dev-libs packages under automation, move net-misc/ntp to portage-stable

Author: krnowak

.github/workflows/portage-stable-packages-list

@@ -115,8 +115,8 @@ app-misc/mime-types
 app-misc/pax-utils
 
 app-portage/elt-patches
-app-portage/portage-utils
 app-portage/gentoolkit
+app-portage/portage-utils
 
 app-shells/bash
 app-shells/bash-completion
@@ -129,8 +129,6 @@ app-text/docbook-xsl-stylesheets
 app-text/manpager
 app-text/sgml-common
 
-sec-keys/openpgp-keys-gentoo-release
-
 dev-cpp/gtest
 
 dev-db/sqlite
@@ -146,33 +144,49 @@ dev-lang/yasm
 
 dev-libs/cJSON
 dev-libs/cyrus-sasl
+dev-libs/ding-libs
 dev-libs/elfutils
 dev-libs/expat
 dev-libs/glib
 dev-libs/gmp
 dev-libs/gobject-introspection
 dev-libs/gobject-introspection-common
 dev-libs/inih
+dev-libs/jansson
+dev-libs/json-c
 dev-libs/jsoncpp
 dev-libs/libaio
 dev-libs/libassuan
 dev-libs/libbsd
 dev-libs/libdnet
+dev-libs/libev
+dev-libs/libevent
+dev-libs/libffi
 dev-libs/libgcrypt
 dev-libs/libgpg-error
 dev-libs/libksba
+dev-libs/liblinear
 dev-libs/libltdl
 dev-libs/libmspack
 dev-libs/libnl
 dev-libs/libpcre
 dev-libs/libpcre2
 dev-libs/libpipeline
+dev-libs/libsodium
 dev-libs/libtasn1
+dev-libs/libunistring
 dev-libs/libusb
 dev-libs/libuv
+dev-libs/libverto
 dev-libs/libxml2
 dev-libs/libxslt
+dev-libs/libyaml
+dev-libs/lzo
+dev-libs/mpc
+dev-libs/mpfr
 dev-libs/nettle
+dev-libs/npth
+dev-libs/nspr
 dev-libs/oniguruma
 dev-libs/popt
 dev-libs/protobuf
@@ -355,6 +369,7 @@ net-misc/curl
 net-misc/ethertypes
 net-misc/iperf
 net-misc/iputils
+net-misc/ntp
 net-misc/rsync
 net-misc/socat
 net-misc/wget
@@ -373,14 +388,15 @@ profiles
 #
 # scripts
 
+sec-keys/openpgp-keys-gentoo-release
+
 sec-policy/selinux-base
 sec-policy/selinux-base-policy
 sec-policy/selinux-container
 sec-policy/selinux-dbus
 sec-policy/selinux-sssd
 sec-policy/selinux-unconfined
 
-
 sys-apps/acl
 sys-apps/attr
 sys-apps/bubblewrap

changelog/updates/2023-11-14-dev-libs-automation.md

@@ -0,0 +1,10 @@
+- ding-libs ([0.6.2](https://github.com/SSSD/ding-libs/releases/tag/0.6.2))
+- json-c ([0.17](https://github.com/json-c/json-c/blob/json-c-0.17-20230812/ChangeLog))
+- libffi ([3.4.4](https://github.com/libffi/libffi/releases/tag/v3.4.4) (includes [3.4.2](https://github.com/libffi/libffi/releases/tag/v3.4.2) and [3.4.3](https://github.com/libffi/libffi/releases/tag/v3.4.3)))
+- liblinear (246)
+- libsodium ([1.0.19](https://github.com/jedisct1/libsodium/releases/tag/1.0.19-RELEASE))
+- libunistring ([1.1](https://git.savannah.gnu.org/gitweb/?p=libunistring.git;a=blob;f=NEWS;h=5a43ddd7011d62a952733f6c0b7ad52aa4f385c7;hb=8006860b710aae2e8442088c3ddc7d819dfa8ac7))
+- mpc ([1.3.1](https://sympa.inria.fr/sympa/arc/mpc-discuss/2022-12/msg00049.html) (includes [1.3.0](https://sympa.inria.fr/sympa/arc/mpc-discuss/2022-12/msg00028.html))
+- mpfr ([4.2.1](https://gitlab.inria.fr/mpfr/mpfr/-/blob/4.2.1/NEWS))
+- nspr ([4.35](https://hg.mozilla.org/projects/nspr/log/b563bfc16c887c48b038b7b441fcc4e40a126d3b))
+- ntp ([4.2.8p17](https://www.ntp.org/support/securitynotice/4_2_8p17-release-announcement/))

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp-environment.conf

@@ -0,0 +1,2 @@
+[Service]
+Environment="SERVER=0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp.conf

@@ -0,0 +1,60 @@
+# NOTES:
+# DHCP clients can append or replace NTP configuration files.
+# You should consult your DHCP client documentation about its
+# default behaviour and how to change it.
+
+# Name of the servers ntpd should sync with
+# Please respect the access policy as stated by the responsible person.
+#server		ntp.example.tld		iburst
+
+# Common pool for random people
+#server pool.ntp.org
+
+# Pools for Flatcar users
+server 0.flatcar.pool.ntp.org
+server 1.flatcar.pool.ntp.org
+server 2.flatcar.pool.ntp.org
+server 3.flatcar.pool.ntp.org
+
+##
+# A list of available servers can be found here:
+# http://www.pool.ntp.org/
+# http://www.pool.ntp.org/#use
+# A good way to get servers for your machine is:
+# netselect -s 3 pool.ntp.org
+##
+
+# you should not need to modify the following paths
+driftfile	/var/lib/ntp/ntp.drift
+
+#server ntplocal.example.com prefer
+#server timeserver.example.org
+
+# Warning: Using default NTP settings will leave your NTP
+# server accessible to all hosts on the Internet.
+
+# If you want to deny all machines (including your own)
+# from accessing the NTP server, uncomment:
+#restrict default ignore
+
+
+# Default configuration:
+# - Allow only time queries, at a limited rate, sending KoD when in excess.
+# - Allow all local queries (IPv4, IPv6)
+# From commit da515112395ea7ce0da7cba7103de65d53fc93c9:
+#
+# net-misc/ntp: add notrap to default restrict config
+#
+# It's a common security hardening option and doesn't seem likely to
+# affect any actual usage.
+restrict default nomodify nopeer noquery notrap limited kod
+restrict 127.0.0.1
+restrict [::1]
+
+
+# To allow machines within your network to synchronize
+# their clocks with your server, but ensure they are
+# not allowed to configure the server or used as peers
+# to synchronize against, uncomment this line.
+#
+#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntpd-always-restart.conf

@@ -0,0 +1,14 @@
+[Service]
+# From commit 5e5abb4d7ea48a9238b9baa22941fda6a6bbda8c:
+#
+# ntpd: always restart, required to handle large time jumps.
+#
+# Some VM platforms suspend machines by simply stopping them instead of
+# gracefully suspending them like real hardware would. This means that
+# when the system is resumed the kernel's time will be completely wrong
+# and it doesn't have a way to fix it. Additionally ntp will abort if the
+# clock offset is greater than 1000 seconds (conveniently without logging
+# any error messages). We can tune that in ntp.conf but ntpd has so many
+# knobs related to how it skews the clock and other update strategies that
+# the easiest option is to just restart.
+Restart=always

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild renamed to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild

@@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
-IUSE="openssh"
+IUSE="openssh ntp"
 
 # No source directory.
 S="${WORKDIR}"
@@ -31,6 +31,7 @@ DEPEND="
 RDEPEND="
 	${DEPEND}
 	>=app-shells/bash-5.2_p15-r2
+	ntp? ( >=net-misc/ntp-4.2.8_p17 )
 "
 
 declare -A CORE_BASH_SYMLINKS
@@ -57,6 +58,24 @@ src_compile() {
     LC_ALL=C sort "${config_tmp}" >"${config}"
 }
 
+misc_files_install_dropin() {
+    local unit conf
+    unit=${1}; shift
+    conf=${1}; shift
+
+    [[ -n ${unit} ]] || die "No unit specified"
+    [[ -n ${conf} ]] || die "No conf file specified"
+    [[ ${conf} = *.conf ]] || die "Conf file must have .conf suffix"
+
+    local override_dir
+    override_dir="$(systemd_get_systemunitdir)/${unit}.d"
+    (
+        insopts -m 0644
+        insinto "${override_dir}"
+        doins "${conf}"
+    )
+}
+
 src_install() {
     # Use absolute paths to be clear about what locations are used. The
     # dosym below will make relative paths out of them.
@@ -85,6 +104,11 @@ src_install() {
             ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
         )
     fi
+    if use ntp; then
+        compat_symlinks+=(
+            ['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf'
+        )
+    fi
 
     local link target
     for link in "${!compat_symlinks[@]}"; do
@@ -133,16 +157,20 @@ src_install() {
 
         # Install our socket drop-in file that disables the rate
         # limiting on the sshd socket.
-        local override_dir
-        override_dir="$(systemd_get_systemunitdir)/sshd.socket.d"
-        dodir "${override_dir}"
-        insinto "${override_dir}"
-        doins "${FILESDIR}/no-trigger-limit-burst.conf"
+        misc_files_install_dropin sshd.socket "${FILESDIR}/no-trigger-limit-burst.conf"
 
         # Enable some sockets that aren't enabled by their own ebuilds.
         systemd_enable_service sockets.target sshd.socket
     fi
 
+    if use ntp; then
+        insinto /etc
+        doins "${FILESDIR}/ntp.conf"
+        misc_files_install_dropin ntpd.service "${FILESDIR}/ntpd-always-restart.conf"
+        misc_files_install_dropin ntpdate.service "${FILESDIR}/ntp-environment.conf"
+        misc_files_install_dropin sntp.service "${FILESDIR}/ntp-environment.conf"
+    fi
+
     # Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/...
     # (The below keepdir will result in a tmpfiles entry in base_image_var.conf)
     keepdir /var/kubernetes/kubelet-plugins/volume/exec

sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/ntp

@@ -0,0 +1,9 @@
+# Do not install ntpdate or sntp systemd files in /etc.
+INSTALL_MASK+=" /etc/systemd"
+# Do not install the default ntp.conf, we provide our own in
+# coreos-base/misc-files.
+INSTALL_MASK+=" /etc/ntp.conf"
+# Do not install perl scripts to /usr/bin.
+INSTALL_MASK+=" /usr/bin/calc_tickadj /usr/bin/ntp-wait /usr/bin/ntptrace /usr/bin/update-leap"
+# Do not install perl package to /usr/share/ntp.
+INSTALL_MASK+=" /usr/share/ntp"