Hello,

The attached patches fix this issue as well as the openntpd package not
being able to load the CA cert used to authenticate constraint servers.

It depends on the NTP patches posted here: bugs.gnu.org/37295.

From 8a1d7720fd37206c33a6887e6d3ba354349ca0fa Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.courno...@gmail.com>
Date: Fri, 6 Sep 2019 18:52:51 +0900
Subject: [PATCH 1/4] gnu: openntpd: Fix error CA errors when using
 constraints.

The error printed by ntpd was "constraint: failed to load constraint ca" when
libressl tried loading the file /etc/ssl/cert.pem.  The problem was
investigated as part of fixing issue 37318 (see:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37318).

* gnu/packages/ntp.scm (openntpd)[configure-flags]: Use the '--with-cacert'
flag to specify the location of the certificate authority file of libressl.
---
 gnu/packages/ntp.scm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm
index 419b6d7321..363496817f 100644
--- a/gnu/packages/ntp.scm
+++ b/gnu/packages/ntp.scm
@@ -108,8 +108,11 @@ computers over a network.")
                 "0fn12i4kzsi0zkr4qp3dp9bycmirnfapajqvdfx02zhr4hanj0kv"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags '("--with-privsep-user=ntpd"
-                           "--localstatedir=/var")
+     '(#:configure-flags `( "--with-privsep-user=ntpd"
+                            "--localstatedir=/var"
+                            ,(string-append "--with-cacert="
+                                            (assoc-ref %build-inputs "libressl")
+                                            "/etc/ssl/cert.pem"))
        #:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'modify-install-locations
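Review bot: The new `--with-cacert` flag pins the trust anchors for constraint servers to the `cert.pem` inside the libressl store item, and nothing on the added lines says so. That file is fixed at build time, so it presumably does not follow the system's certificate configuration and only changes when libressl is updated. A comment above the `string-append` would make this explicit, for example `;; Constraint servers are verified against libressl's bundled CA file, not the system trust store.` The flag also assumes the libressl output installs `etc/ssl/cert.pem`, which is not visible in this hunk. The `arguments` form continues outside the hunk.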
-- 
2.23.0

From bd4124cb0eb85210df296c412b87276a0e2fba4b Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.courno...@gmail.com>
Date: Fri, 6 Sep 2019 21:12:26 +0900
Subject: [PATCH 2/4] services: openntpd: Remove useless let.

* gnu/services/networking.scm (openntpd-shepherd-service): Remove useless let.
---
 gnu/services/networking.scm | 68 ++++++++++++++++++-------------------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index c45bfcdad9..dd2f9e29e2 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -508,41 +508,41 @@ make an initial adjustment of more than 1,000 seconds."
   (match-record config <openntpd-configuration>
     (openntpd listen-on query-from sensor server servers constraint-from
               constraints-from allow-large-adjustment?)
-    (let ()
-      (define config
-        (string-join
-          (filter-map
-            (lambda (field value)
-              (string-join
-                (map (cut string-append field <> "\n")
-                     value)))
-            '("listen on " "query from " "sensor " "server " "servers "
-              "constraint from ")
-            (list listen-on query-from sensor server servers constraint-from))
-          ;; The 'constraints from' field needs to be enclosed in double quotes.
-          (string-join
-            (map (cut string-append "constraints from \"" <> "\"\n")
-                 constraints-from))))
-
-      (define ntpd.conf
-        (plain-file "ntpd.conf" config))
 
-      (list (shepherd-service
-              (provision '(ntpd))
-              (documentation "Run the Network Time Protocol (NTP) daemon.")
-              (requirement '(user-processes networking))
-              (start #~(make-forkexec-constructor
-                         (list (string-append #$openntpd "/sbin/ntpd")
-                               "-f" #$ntpd.conf
-                               "-d" ;; don't daemonize
-                               #$@(if allow-large-adjustment?
-                                    '("-s")
-                                    '()))
-                         ;; When ntpd is daemonized it repeatedly tries to respawn
-                         ;; while running, leading shepherd to disable it.  To
-                         ;; prevent spamming stderr, redirect output to logfile.
-                         #:log-file "/var/log/ntpd"))
-              (stop #~(make-kill-destructor)))))))
+    (define config
+      (string-join
+       (filter-map
+        (lambda (field value)
+          (string-join
+           (map (cut string-append field <> "\n")
+                value)))
+        '("listen on " "query from " "sensor " "server " "servers "
+          "constraint from ")
+        (list listen-on query-from sensor server servers constraint-from))
+       ;; The 'constraints from' field needs to be enclosed in double quotes.
+       (string-join
+        (map (cut string-append "constraints from \"" <> "\"\n")
+             constraints-from))))
+
+    (define ntpd.conf
+      (plain-file "ntpd.conf" config))
+
+    (list (shepherd-service
+           (provision '(ntpd))
+           (documentation "Run the Network Time Protocol (NTP) daemon.")
+           (requirement '(user-processes networking))
+           (start #~(make-forkexec-constructor
+                     (list (string-append #$openntpd "/sbin/ntpd")
+                           "-f" #$ntpd.conf
+                           "-d" ;; don't daemonize
+                           #$@(if allow-large-adjustment?
+                                  '("-s")
+                                  '()))
+                     ;; When ntpd is daemonized it repeatedly tries to respawn
+                     ;; while running, leading shepherd to disable it.  To
+                     ;; prevent spamming stderr, redirect output to logfile.
+                     #:log-file "/var/log/ntpd"))
+           (stop #~(make-kill-destructor))))))
 
 (define (openntpd-service-activation config)
   "Return the activation gexp for CONFIG."
-- 
2.23.0

From c88b2a75ba9325979143458b2de024bb309563fd Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.courno...@gmail.com>
Date: Sat, 7 Sep 2019 09:24:43 +0900
Subject: [PATCH 3/4] services: openntpd: Add test for issue #3731.

See http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37318.

* gnu/services/networking.scm (openntpd-configuration->string): New procedure,
extracted from top of the `openntpd-shepherd-service' to make it testable.
(openntpd-shepherd-service): Adapt following the move of the code to the above
procedure.
* tests/networking.scm: Add a test for the `openntpd-configuration->string'
procedure.
---
 gnu/services/networking.scm | 40 ++++++++++++------------
 tests/networking.scm        | 62 +++++++++++++++++++++++++++++++++++--
 2 files changed, 81 insertions(+), 21 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index dd2f9e29e2..432f3a80ee 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -504,28 +504,30 @@ make an initial adjustment of more than 1,000 seconds."
   (allow-large-adjustment? openntpd-allow-large-adjustment?
                            (default #f))) ; upstream default
 
-(define (openntpd-shepherd-service config)
+(define (openntpd-configuration->string config)
   (match-record config <openntpd-configuration>
-    (openntpd listen-on query-from sensor server servers constraint-from
-              constraints-from allow-large-adjustment?)
-
-    (define config
-      (string-join
-       (filter-map
-        (lambda (field value)
-          (string-join
-           (map (cut string-append field <> "\n")
-                value)))
-        '("listen on " "query from " "sensor " "server " "servers "
-          "constraint from ")
-        (list listen-on query-from sensor server servers constraint-from))
-       ;; The 'constraints from' field needs to be enclosed in double quotes.
-       (string-join
-        (map (cut string-append "constraints from \"" <> "\"\n")
-             constraints-from))))
+    (listen-on query-from sensor server servers constraint-from
+               constraints-from)
+    (string-join
+     (filter-map
+      (lambda (field value)
+        (string-join
+         (map (cut string-append field <> "\n")
+              value)))
+      '("listen on " "query from " "sensor " "server " "servers "
+        "constraint from ")
+      (list listen-on query-from sensor server servers constraint-from))
+     ;; The 'constraints from' field needs to be enclosed in double quotes.
+     (string-join
+      (map (cut string-append "constraints from \"" <> "\"\n")
+           constraints-from)))))
+
+(define (openntpd-shepherd-service config)
+  (let ((openntpd (openntpd-configuration-openntpd config))
+        (allow-large-adjustment? (openntpd-allow-large-adjustment? config)))
 
     (define ntpd.conf
-      (plain-file "ntpd.conf" config))
+      (plain-file "ntpd.conf" (openntpd-configuration->string config)))
 
     (list (shepherd-service
            (provision '(ntpd))
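Review bot: The extracted `openntpd-configuration->string` has no docstring, although `openntpd-service-activation` in the same file carries one. Since the procedure now exists to be called from the test suite, a line such as `"Return the contents of ntpd.conf for CONFIG, an <openntpd-configuration> record, as a string."` directly after the `define` would state its contract. It would also help to note there that the field values are written into the file as given. The body of `openntpd-shepherd-service` continues outside the hunk.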
diff --git a/tests/networking.scm b/tests/networking.scm
index 001d7df74d..d56760fa4d 100644
--- a/tests/networking.scm
+++ b/tests/networking.scm
@@ -17,11 +17,19 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (tests networking)
+  #:use-module (ice-9 regex)
   #:use-module (gnu services networking)
   #:use-module (srfi srfi-64))
 
 ;;; Tests for the (gnu services networking) module.
 
+(test-begin "networking")
+
+
+;;;
+;;; NTP.
+;;;
+
 (define ntp-server->string (@@ (gnu services networking) ntp-server->string))
 
 (define %ntp-server-sample
@@ -30,8 +38,6 @@
    (address "some.ntp.server.org")
    (options `(iburst (version 3) (maxpoll 16) prefer))))
 
-(test-begin "networking")
-
 (test-equal "ntp-server->string"
   (ntp-server->string %ntp-server-sample)
   "server some.ntp.server.org iburst version 3 maxpoll 16 prefer")
@@ -47,4 +53,56 @@
    (ntp-configuration
     (servers (list "example.pool.ntp.org")))))
 
+
+;;;
+;;; OpenNTPD
+;;;
+
+(define openntpd-configuration->string (@@ (gnu services networking)
+                                           openntpd-configuration->string))
+
+(define %openntpd-conf-sample
+  (openntpd-configuration
+   (server '("0.guix.pool.ntp.org" "1.guix.pool.ntp.org"))
+   (listen-on '("127.0.0.1" "::1"))
+   (sensor '("udcf0 correction 70000"))
+   (constraint-from '("www.gnu.org"))
+   (constraints-from '("https://www.google.com/";))
+   (allow-large-adjustment? #t)))
+
+(test-assert "openntpd configuration generation sanity check"
+
+  (begin
+    (define (string-match/newline pattern text)
+      (regexp-exec (make-regexp pattern regexp/newline) text))
+
+    (define (match-count pattern text)
+      (fold-matches (make-regexp pattern regexp/newline) text 0
+                    (lambda (match count)
+                      (1+ count))))
+
+    (let ((config (openntpd-configuration->string %openntpd-conf-sample)))
+      (if (not
+           (and (string-match/newline "^listen on 127.0.0.1$" config)
+                (string-match/newline "^listen on ::1$" config)
+                (string-match/newline "^sensor udcf0 correction 70000$" config)
+                (string-match/newline "^constraint from www.gnu.org$" config)
+                (string-match/newline "^server 0.guix.pool.ntp.org$" config)
+                (string-match/newline
+                 "^constraints from \"https://www.google.com/\"$";
+                 config)
+
+                ;; Check for issue #3731 (see:
+                ;; http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37318).
+                (= (match-count "^listen on " config) 2)
+                (= (match-count "^sensor " config) 1)
+                (= (match-count "^constraint from " config) 1)
+                (= (match-count "^server " config) 2)
+                (= (match-count "^constraints from " config) 1)))
+          (begin
+            (format #t "The configuration below failed \
+the sanity check:\n~a~%" config)
+            #f)
+          #t))))
+
 (test-end "networking")
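Review bot: The sanity-check patterns leave `.` unescaped, so `"^listen on 127.0.0.1$"` and the host-name patterns accept any character in those positions and are looser than the literal lines they are meant to pin. Escaping the dots (`127\\.0\\.0\\.1`) or comparing against the expected lines with `string=?` would make the check exact. The second server, `1.guix.pool.ntp.org`, is covered only by the count of two and never by content. The comment cites issue #3731 while the URL beside it is bug 37318, so the number looks truncated. The `;` after the two URL strings on this page appears to be a mail-archive artifact; taken literally it would comment out the rest of those lines.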
-- 
2.23.0

From e4a982cd4c356052a06990e05e3070650919caa3 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.courno...@gmail.com>
Date: Sat, 7 Sep 2019 12:37:37 +0900
Subject: [PATCH 4/4] services: openntpd: Fix the config generation code.

This fixes issue #37318 (see: http://bugs.gnu.org/37318).

* gnu/services/networking.scm (openntpd-configuration->string): Rewrite in
order to make the "openntpd configuration generation sanity check" test pass.
---
 gnu/services/networking.scm | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 432f3a80ee..fce82f3042 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -505,22 +505,31 @@ make an initial adjustment of more than 1,000 seconds."
                            (default #f))) ; upstream default
 
 (define (openntpd-configuration->string config)
+
+  (define (quote-field? name)
+    (member name '("constraints from")))
+
   (match-record config <openntpd-configuration>
     (listen-on query-from sensor server servers constraint-from
                constraints-from)
     (string-join
-     (filter-map
-      (lambda (field value)
-        (string-join
-         (map (cut string-append field <> "\n")
-              value)))
-      '("listen on " "query from " "sensor " "server " "servers "
-        "constraint from ")
-      (list listen-on query-from sensor server servers constraint-from))
-     ;; The 'constraints from' field needs to be enclosed in double quotes.
-     (string-join
-      (map (cut string-append "constraints from \"" <> "\"\n")
-           constraints-from)))))
+     (concatenate
+      (filter-map (lambda (field values)
+                    (match values
+                      (() #f)           ;discard entry with filter-map
+                      ((val ...)        ;validate value type
+                       (map (lambda (value)
+                              (if (quote-field? field)
+                                  (format #f "~a \"~a\"" field value)
+                                  (format #f "~a ~a" field value)))
+                            values))))
+                  ;; The entry names.
+                  '("listen on" "query from" "sensor" "server" "servers"
+                    "constraint from" "constraints from")
+                  ;; The corresponding entry values.
+                  (list listen-on query-from sensor server servers
+                        constraint-from constraints-from)))
+     "\n")))
 
 (define (openntpd-shepherd-service config)
   (let ((openntpd (openntpd-configuration-openntpd config))
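Review bot: Joining the entries with `"\n"` as a separator leaves the generated ntpd.conf without a final newline, whereas the removed code ended every entry with `"\n"`. If ntpd's parser needs each directive terminated, the last line may be rejected or dropped, and in this ordering that line is `constraints from`, the TLS constraint. Wrapping the join as `(string-append (string-join … "\n") "\n")` restores the old ending. Separately, values are interpolated with `~a` unchanged, so a value containing `"` or a newline would break the quoted `constraints from` entry or add extra lines; rejecting such characters before formatting would keep one value to one directive. `openntpd-shepherd-service` continues outside the hunk.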
-- 
2.23.0
