commit 011e924109e77bb5e958b2a1adf230c34d5d83ca · pyrox.dev/nixpkgs

nixos/modules/system/boot/timesyncd.nix

···

       46
       46
        
             wantedBy = [ "sysinit.target" ];

     

       47
       47
        
             aliases = [ "dbus-org.freedesktop.timesync1.service" ];

     

       48
       48
        
             restartTriggers = [ config.environment.etc."systemd/timesyncd.conf".source ];

     

       49
       49
       +
             # systemd-timesyncd disables DNSSEC validation in the nss-resolve module by setting SYSTEMD_NSS_RESOLVE_VALIDATE to 0 in the unit file.

     

       50
       50
       +
             # This is required in order to solve the chicken-and-egg problem when DNSSEC validation needs the correct time to work, but to set the

     

       51
       51
       +
             # correct time, we need to connect to an NTP server, which usually requires resolving its hostname.

     

       52
       52
       +
             # In order for nss-resolve to be able to read this environment variable we patch systemd-timesyncd to disable NSCD and use NSS modules directly.

     

       53
       53
       +
             # This means that systemd-timesyncd needs to have NSS modules path in LD_LIBRARY_PATH. When systemd-resolved is disabled we still need to set

     

       54
       54
       +
             # NSS module path so that systemd-timesyncd keeps using other NSS modules that are configured in the system.

     

       55
       55
       +
             environment.LD_LIBRARY_PATH = config.system.nssModules.path;

     

       49
       56
        
       

     

       50
       57
        
             preStart = (

     

       51
       58
        
               # Ensure that we have some stored time to prevent

nixos/tests/all-tests.nix

···

       851
       851
        
         systemd-shutdown = handleTest ./systemd-shutdown.nix {};

     

       852
       852
        
         systemd-sysupdate = runTest ./systemd-sysupdate.nix;

     

       853
       853
        
         systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};

     

       854
       854
       +
         systemd-timesyncd-nscd-dnssec = handleTest ./systemd-timesyncd-nscd-dnssec.nix {};

     

       854
       855
        
         systemd-user-tmpfiles-rules = handleTest ./systemd-user-tmpfiles-rules.nix {};

     

       855
       856
        
         systemd-misc = handleTest ./systemd-misc.nix {};

     

       856
       857
        
         systemd-userdbd = handleTest ./systemd-userdbd.nix {};

+61

nixos/tests/systemd-timesyncd-nscd-dnssec.nix

···

       1
       1
       +
       # This test verifies that systemd-timesyncd can resolve the NTP server hostname when DNSSEC validation

     

       2
       2
       +
       # fails even though it is enforced in the systemd-resolved settings. It is required in order to solve

     

       3
       3
       +
       # the chicken-and-egg problem when DNSSEC validation needs the correct time to work, but to set the

     

       4
       4
       +
       # correct time, we need to connect to an NTP server, which usually requires resolving its hostname.

     

       5
       5
       +
       #

     

       6
       6
       +
       # This test does the following:

     

       7
       7
       +
       # - Sets up a DNS server (tinydns) listening on the eth1 ip addess, serving .ntp and fake.ntp records.

     

       8
       8
       +
       # - Configures that DNS server as a resolver and enables DNSSEC in systemd-resolved settings.

     

       9
       9
       +
       # - Configures systemd-timesyncd to use fake.ntp hostname as an NTP server.

     

       10
       10
       +
       # - Performs a regular DNS lookup, to ensure it fails due to broken DNSSEC.

     

       11
       11
       +
       # - Waits until systemd-timesyncd resolves fake.ntp by checking its debug output.

     

       12
       12
       +
       #   Here, we don't expect systemd-timesyncd to connect and synchronize time because there is no NTP

     

       13
       13
       +
       #   server running. For this test to succeed, we only need to ensure that systemd-timesyncd

     

       14
       14
       +
       #   resolves the IP address of the fake.ntp host.

     

       15
       15
       +
       

     

       16
       16
       +
       import ./make-test-python.nix ({ pkgs, ... }:

     

       17
       17
       +
       

     

       18
       18
       +
       let

     

       19
       19
       +
         ntpHostname = "fake.ntp";

     

       20
       20
       +
         ntpIP = "192.0.2.1";

     

       21
       21
       +
       in

     

       22
       22
       +
       {

     

       23
       23
       +
         name = "systemd-timesyncd";

     

       24
       24
       +
         nodes.machine = { pkgs, lib, config, ... }:

     

       25
       25
       +
           let

     

       26
       26
       +
             eth1IP = (lib.head config.networking.interfaces.eth1.ipv4.addresses).address;

     

       27
       27
       +
           in

     

       28
       28
       +
           {

     

       29
       29
       +
             # Setup a local DNS server for the NTP domain on the eth1 IP address

     

       30
       30
       +
             services.tinydns = {

     

       31
       31
       +
               enable = true;

     

       32
       32
       +
               ip = eth1IP;

     

       33
       33
       +
               data = ''

     

       34
       34
       +
                 .ntp:${eth1IP}

     

       35
       35
       +
                 +.${ntpHostname}:${ntpIP}

     

       36
       36
       +
               '';

     

       37
       37
       +
             };

     

       38
       38
       +
       

     

       39
       39
       +
             # Enable systemd-resolved with DNSSEC and use the local DNS as a name server

     

       40
       40
       +
             services.resolved.enable = true;

     

       41
       41
       +
             services.resolved.dnssec = "true";

     

       42
       42
       +
             networking.nameservers = [ eth1IP ];

     

       43
       43
       +
       

     

       44
       44
       +
             # Configure systemd-timesyncd to use our NTP hostname

     

       45
       45
       +
             services.timesyncd.enable = lib.mkForce true;

     

       46
       46
       +
             services.timesyncd.servers = [ ntpHostname ];

     

       47
       47
       +
             services.timesyncd.extraConfig = ''

     

       48
       48
       +
               FallbackNTP=${ntpHostname}

     

       49
       49
       +
             '';

     

       50
       50
       +
       

     

       51
       51
       +
             # The debug output is necessary to determine whether systemd-timesyncd successfully resolves our NTP hostname or not

     

       52
       52
       +
             systemd.services.systemd-timesyncd.environment.SYSTEMD_LOG_LEVEL = "debug";

     

       53
       53
       +
           };

     

       54
       54
       +
       

     

       55
       55
       +
         testScript = ''

     

       56
       56
       +
           machine.wait_for_unit("tinydns.service")

     

       57
       57
       +
           machine.wait_for_unit("systemd-timesyncd.service")

     

       58
       58
       +
           machine.fail("resolvectl query ${ntpHostname}")

     

       59
       59
       +
           machine.wait_until_succeeds("journalctl -u systemd-timesyncd.service --grep='Resolved address ${ntpIP}:123 for ${ntpHostname}'")

     

       60
       60
       +
         '';

     

       61
       61
       +
       })

+46

pkgs/os-specific/linux/systemd/0020-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch

···

       1
       1
       +
       From 7a27556920fe1feefd17096841c8f3ca1294a1b3 Mon Sep 17 00:00:00 2001

     

       2
       2
       +
       From: Yuri Nesterov <yuriy.nesterov@unikie.com>

     

       3
       3
       +
       Date: Wed, 21 Jun 2023 17:17:38 +0300

     

       4
       4
       +
       Subject: [PATCH] timesyncd: disable NSCD when DNSSEC validation is disabled

     

       5
       5
       +
       

     

       6
       6
       +
       Systemd-timesyncd sets SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file

     

       7
       7
       +
       to disable DNSSEC validation but it doesn't work when NSCD is used in

     

       8
       8
       +
       the system. This patch disabes NSCD in systemd-timesyncd when

     

       9
       9
       +
       SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries

     

       10
       10
       +
       directly.

     

       11
       11
       +
       ---

     

       12
       12
       +
        src/timesync/timesyncd.c | 11 +++++++++++

     

       13
       13
       +
        1 file changed, 11 insertions(+)

     

       14
       14
       +
       

     

       15
       15
       +
       diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c

     

       16
       16
       +
       index 1d8ebecc91..2b0ae361ff 100644

     

       17
       17
       +
       --- a/src/timesync/timesyncd.c

     

       18
       18
       +
       +++ b/src/timesync/timesyncd.c

     

       19
       19
       +
       @@ -21,6 +21,11 @@

     

       20
       20
       +
        #include "timesyncd-conf.h"

     

       21
       21
       +
        #include "timesyncd-manager.h"

     

       22
       22
       +
        #include "user-util.h"

     

       23
       23
       +
       +#include "env-util.h"

     

       24
       24
       +
       +

     

       25
       25
       +
       +struct traced_file;

     

       26
       26
       +
       +extern void __nss_disable_nscd(void (*)(size_t, struct traced_file *));

     

       27
       27
       +
       +static void register_traced_file(size_t dbidx, struct traced_file *finfo) {}

     

       28
       28
       +
        

     

       29
       29
       +
        static int advance_tstamp(int fd, const struct stat *st) {

     

       30
       30
       +
                assert_se(fd >= 0);

     

       31
       31
       +
       @@ -198,6 +203,12 @@ static int run(int argc, char *argv[]) {

     

       32
       32
       +
                if (r < 0)

     

       33
       33
       +
                        return log_error_errno(r, "Failed to parse fallback server strings: %m");

     

       34
       34
       +
        

     

       35
       35
       +
       +        r = getenv_bool_secure("SYSTEMD_NSS_RESOLVE_VALIDATE");

     

       36
       36
       +
       +        if (r == 0) {

     

       37
       37
       +
       +                log_info("Disabling NSCD because DNSSEC validation is turned off");

     

       38
       38
       +
       +                __nss_disable_nscd(register_traced_file);

     

       39
       39
       +
       +        }

     

       40
       40
       +
       +

     

       41
       41
       +
                log_debug("systemd-timesyncd running as pid " PID_FMT, getpid_cached());

     

       42
       42
       +
        

     

       43
       43
       +
                notify_message = notify_start("READY=1\n"

     

       44
       44
       +
       -- 

     

       45
       45
       +
       2.34.1

     

       46
       46
       +

pkgs/os-specific/linux/systemd/default.nix

···

       208
       208
        
           ./0017-core-don-t-taint-on-unmerged-usr.patch

     

       209
       209
        
           ./0018-tpm2_context_init-fix-driver-name-checking.patch

     

       210
       210
        
           ./0019-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch

     

       211
       211
       +
           ./0020-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch

     

       211
       212
        
         ] ++ lib.optional stdenv.hostPlatform.isMusl (

     

       212
       213
        
           let

     

       213
       214
        
             oe-core = fetchzip {