path: root/units/systemd-timesyncd.service.in
Commit message | Author | Age | Files | Lines
* Revert "units: Add missing dependencies on initrd-switch-root.target" | Daan De Meyer | 2023-05-15 | 1 | -2/+2
| This reverts commit f0ad3e6b9652fe785245934ff8604cc897d3b8f4.
* units: Add missing dependencies on initrd-switch-root.target | Daan De Meyer | 2023-05-13 | 1 | -2/+2
| These are all services that are valid to be run in the initrd, so let's make sure they have the appropriate dependencies on initrd-switch-root.target so that they are stopped when we're about to switch root.
* meson: use jinja2 for unit templates | Zbigniew Jędrzejewski-Szmek | 2021-05-19 | 1 | -2/+2
| We don't need two (and half) templating systems anymore, yay!
|
| I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future.
|
| For handling of '## ' — see the next commit.
* units: turn off DNSSEC validation when timesyncd resolves hostnames | Lennart Poettering | 2021-02-14 | 1 | -0/+4
| We have a chicken and egg problem: validation of DNSSEC signatures doesn't work without a correct clock, but to set the correct clock we need to contact NTP servers which requires resolving a hostname, which would normally require DNSSEC validation.
|
| Let's break the cycle by excluding NTP hostname resolution from validation for now.
|
| Of course, this leaves NTP traffic unprotected. To cover that we need NTPSEC support, which we can add later.
|
| Fixes: #5873 #15607
* units: don't pull in time-sync.target from systemd-timesyncd.service | Lennart Poettering | 2020-12-17 | 1 | -1/+1
| systemd-timesyncd.service only applies the much weaker monotonic clock from file logic, i.e. should pull in and order itself before time-set.target. The strong time-sync.target unit is pulled in by systemd-time-wait-sync.service.
* license: LGPL-2.1+ -> LGPL-2.1-or-later | Yu Watanabe | 2020-11-09 | 1 | -1/+1
|
* unit: declare BusName= in all our units that are on the bus, even if they don't use Type=dbus | Lennart Poettering | 2020-09-11 | 1 | -0/+1
| This information is always useful, so let's always declare it, particularly in the light of #16976.
* units: turn on ProtectProc= wherever suitable | Lennart Poettering | 2020-08-24 | 1 | -1/+2
|
* units: drop systemd-remount-fs.service dependency from more services | Lennart Poettering | 2020-04-08 | 1 | -1/+1
| All services using StateDirectory= don't need the explicit dep anymore, let's hence drop it everywhere.
* units: set ProtectKernelLogs=yes on relevant units | Kevin Kuehler | 2019-11-15 | 1 | -0/+1
| We set ProtectKernelLogs=yes on all long running services except for udevd, since it accesses /dev/kmsg, and journald, since it calls syslog and accesses /dev/kmsg.
* meson: allow WatchdogSec= in services to be configured | Zbigniew Jędrzejewski-Szmek | 2019-10-25 | 1 | -1/+1
| As discussed on systemd-devel [1], in Fedora we get lots of abrt reports about the watchdog firing [2], but 100% of them seem to be caused by resource starvation in the machine, and never actual deadlocks in the services being monitored. Killing the services not only does not improve anything, but it makes the resource starvation worse, because the service needs cycles to restart, and coredump processing is also fairly expensive. This adds a configuration option to allow the value to be changed. If the setting is not set, there is no change.
|
| My plan is to set it to some ridiculously high value, maybe 1h, to catch cases where a service is actually hanging.
|
| [1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html
| [2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
* Revert "timesyncd: add Conflicts for ntpd and chronyd" | Lennart Poettering | 2019-07-24 | 1 | -1/+0
| This reverts commit 971a7a1526a6c1d5cb439a8a41dc65ccd4e3a66f.
|
| These unit names are typically different on distributions, let's not hardcode those. Stuff like this should probably live in the distro RPM/.deb, but not upstream, where we should be distro agnostic and agnostic to other higher level packages like this.
* timesyncd: add Conflicts for ntpd and chronyd | Zbigniew Jędrzejewski-Szmek | 2019-07-22 | 1 | -0/+1
| Users might end up with more than one of those services enabled, through admin mistake, or broken installation scriptlets, or whatever. On my machine, I had both chronyd and timesyncd happily running at the same time. If more than one is enabled, it's better to have just one running. Adding Conflicts will make the issue more visible in logs too.
* units: add time-set.target | Peter A. Bigot | 2019-04-08 | 1 | -2/+2
| time-sync.target is supposed to indicate system clock is synchronized with a remote clock, but as used through 241 it only provided a system clock that was updated based on a locally-maintained timestamp. Systems that are powered off for extended periods would not come up with accurate time.
|
| Retain the existing behavior using a new time-set.target leaving time-sync.target for cases where accuracy is required.
|
| Closes #8861
* units: turn on RestrictSUIDSGID= in most of our long-running daemons | Lennart Poettering | 2019-04-02 | 1 | -0/+1
|
* units: enable ProtectHostname=yes | Topi Miettinen | 2019-02-20 | 1 | -0/+1
|
* units: set NoNewPrivileges= for all long-running services | Lennart Poettering | 2018-11-12 | 1 | -18/+19
| Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services.
|
| On SELinux systems this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels are permitted.
|
| And while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on.
|
| Fixes: #1219
* Revert "timesyncd: enable DynamicUser=" | Zbigniew Jędrzejewski-Szmek | 2018-09-19 | 1 | -1/+2
| This reverts commit 48d3e88c18258d423c3953372ec4a2e638ab0422.
|
| I kept the follow-symlink=false → follow-symlink=true change intact, since we're likely to have existing installations with a symlink now.
* Revert "unit: drop After=systemd-sysusers.service from timesyncd" | Zbigniew Jędrzejewski-Szmek | 2018-09-19 | 1 | -1/+1
| This reverts commit be80154827100b19b6cc79a59323791b4f1a409f.
* units: switch from system call blacklist to whitelist | Lennart Poettering | 2018-06-14 | 1 | -1/+2
| This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this means the new @system-service system call filter group will get serious real-life testing quickly.
|
| This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise.
|
| Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this should be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
* unit: drop After=systemd-sysusers.service from timesyncd | Yu Watanabe | 2018-05-22 | 1 | -1/+1
| After=systemd-sysusers.service is not necessary, as timesyncd already enables DynamicUser=.
* timesync: expose manager properties on bus | Yu Watanabe | 2018-05-03 | 1 | -0/+1
|
* time-wait-sync: use watchfile to coordinate with timesyncd | Peter A. Bigot | 2018-04-14 | 1 | -0/+1
| Systems that have an accurate real-time clock may have an initial unsynchronized time that is close enough to the synchronized time that the final adjustment doesn't trigger a waking "clock set" event. Have timesyncd touch a file in its runtime directory as a secondary signal for synchronization. Continue to support the timerfd-based trigger as a sufficient condition when the watchfile is not present.
|
| Closes issue #8683
* Add SPDX license headers to unit files | Zbigniew Jędrzejewski-Szmek | 2017-11-19 | 1 | -0/+2
|
* timesyncd: enable DynamicUser= | Yu Watanabe | 2017-10-06 | 1 | -2/+1
|
* units: set LockPersonality= for all our long-running services (#6819) | Lennart Poettering | 2017-09-14 | 1 | -0/+1
| Let's lock things down. Also, using it is the only way how to properly test this to the fullest extent.
* unit: drop redundant options | Yu Watanabe | 2017-08-31 | 1 | -1/+0
|
* timesync: move stamp file to /var/lib/systemd/timesync/clock | Yu Watanabe | 2017-08-30 | 1 | -2/+2
|
* units: make use of !! ExecStart= prefix in systemd-timesyncd.service | Yu Watanabe | 2017-08-27 | 1 | -3/+5
| Let's make use of !! to run timesyncd with ambient capabilities on systems supporting them.
* units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings | Lennart Poettering | 2017-02-09 | 1 | -1/+1
| Tighten security up a bit more.
* units: turn on ProtectKernelModules= for most long-running services | Lennart Poettering | 2017-02-09 | 1 | -0/+1
|
* units: switch on ProtectSystem=strict for our long running services | Lennart Poettering | 2017-02-09 | 1 | -1/+2
| Let's step up the protection a notch
* units: restrict namespace for a good number of our own services | Lennart Poettering | 2017-02-09 | 1 | -0/+1
| Basically, we turn it on for most long-running services, with the exception of machined (whose child processes need to join containers here and there), and importd (which sandboxes tar in a CLONE_NEWNET namespace). machined is left unrestricted, and importd is restricted to use only "net"
* units: set SystemCallArchitectures=native on all our long-running services | Lennart Poettering | 2017-02-09 | 1 | -0/+1
|
* units: further lock down our long-running services | Lennart Poettering | 2016-09-25 | 1 | -1/+5
| Let's make this an exercise in dogfooding: let's turn on more security features for all our long-running services.
|
| Specifically:
|
| - Turn on RestrictRealtime=yes for all of them
| - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them
| - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each
|
| Also, always order settings in the unit files, that the various sandboxing features are close together.
|
| Add a couple of missing, older settings for a number of unit files.
|
| Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning off networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
* units: tighten system call filters a bit | Lennart Poettering | 2016-06-13 | 1 | -1/+1
| Take away kernel keyring access, CPU emulation system calls and various debug system calls from the various daemons we have.
* units: add a basic SystemCallFilter (#3471) | Topi Miettinen | 2016-06-09 | 1 | -0/+1
| Add a line SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace for daemons shipped by systemd. As an exception, systemd-timesyncd needs @clock system calls and systemd-localed is not privileged. ptrace(2) is blocked to prevent seccomp escapes.
* units: enable MemoryDenyWriteExecute (#3459) | Topi Miettinen | 2016-06-08 | 1 | -0/+1
| Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.
|
| Closes: #3459
* units: increase watchdog timeout to 3min for all our services | Lennart Poettering | 2015-09-29 | 1 | -1/+1
| Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services.
|
| See #1353 for an example where this triggers.
* timesyncd: enable timesyncd in virtual machines | Kay Sievers | 2015-03-15 | 1 | -1/+1
| On Fri, Mar 13, 2015 at 8:25 PM, Michael Marineau <michael.marineau@coreos.com> wrote:
| > Currently systemd-timesyncd.service includes
| > ConditionVirtualization=no, disabling it in both containers and
| > virtual machines. Each VM platform tends to deal with or ignore the
| > time problem in their own special ways, KVM/QEMU has the kernel time
| > source kvm-clock, Xen has had different schemes over the years, VMware
| > expects a userspace daemon sync the clock, and other platforms are
| > content to drift with the wind as far as I can tell.
| >
| > I don't know of a robust way to know if a platform needs a little
| > extra help from userspace to keep the clock sane or not but it seems
| > generally safer to try than to risk drifting. Does anyone know of a
| > reason to leave timesyncd off by default? Otherwise switching to
| > ConditionVirtualization=!container should be reasonable.
* Revert "units: add SecureBits" | Lennart Poettering | 2015-02-11 | 1 | -1/+0
| This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47.
|
| Apparently this doesn't work.
|
| http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
* units: add SecureBits | Topi Miettinen | 2015-02-11 | 1 | -0/+1
| No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
* timesyncd: do not start in virtualized environments | Kay Sievers | 2014-06-17 | 1 | -0/+1
|
* units: minor cleanups | Lennart Poettering | 2014-06-17 | 1 | -3/+2
|
* units: rebuild /etc/passwd, the udev hwdb and the journal catalog files on boot | Lennart Poettering | 2014-06-13 | 1 | -1/+1
| Only when necessary of course, nicely guarded with the new ConditionNeedsUpdate= condition we added.
* units: pull in time-sync.target from systemd-timedated.service | Lennart Poettering | 2014-06-06 | 1 | -0/+2
| After all, that's what we document for time-sync.target in systemd.special(5), hence let's follow our own suggestion.
* core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only | Lennart Poettering | 2014-06-04 | 1 | -2/+2
| Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.
|
| With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
* core: add new ReadOnlySystem= and ProtectedHome= settings for service units | Lennart Poettering | 2014-06-03 | 1 | -0/+2
| ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service.
|
| ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service.
|
| This patch also enables these settings for all our long-running services.
|
| Together they should be a good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
* timesyncd: only update stamp file when we are synchronized | Kay Sievers | 2014-05-24 | 1 | -1/+1
| Create initial stamp file with compiled-in time to prevent bootups with clocks in the future from storing invalid timestamps.
|
| At shutdown, only update the timestamp if we got an authoritative time to store.
* timesyncd: order after tmpfiles to get a working network monitor | Kay Sievers | 2014-05-22 | 1 | -1/+1
|