Diffstat (limited to 'examples')
-rw-r--r-- | examples/chrony.keys.example | 2 | ||||
-rw-r--r-- | examples/chrony.nm-dispatcher.onoffline | 6 | ||||
-rw-r--r-- | examples/chronyd-restricted.service | 59 |
3 files changed, 65 insertions, 2 deletions
diff --git a/examples/chrony.keys.example b/examples/chrony.keys.example
index 65b6be2..05e720c 100644
--- a/examples/chrony.keys.example
+++ b/examples/chrony.keys.example
@@ -11,3 +11,5 @@
 #1 MD5 AVeryLongAndRandomPassword
 #2 MD5 HEX:12114855C7931009B4049EF3EFC48A139C3F989F
 #3 SHA1 HEX:B2159C05D6A219673A3B7E896B6DE07F6A440995
+#4 AES128 HEX:2DA837C4B6573748CA692B8C828E4891
+#5 AES256 HEX:2666B8099BFF2D5BA20876121788ED24D2BE59111B8FFB562F0F56AE6EC7246E
diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline
index 01e6fdb..18f5c3f 100644
--- a/examples/chrony.nm-dispatcher.onoffline
+++ b/examples/chrony.nm-dispatcher.onoffline
@@ -12,8 +12,10 @@
 if [ $# -ge 2 ]; then
 case "$2" in
 up|down|connectivity-change)
 ;;
- dhcp6-change)
- # No other action is reported for routable IPv6
+ dhcp4-change|dhcp6-change)
+ # Actions "up" and "connectivity-change" in some cases do not
+ # guarantee that the interface has a route (e.g. a bond).
+ # dhcp(x)-change handles at least cases that use DHCP.
 ;;
 *) exit 0;;
diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service
new file mode 100644
index 0000000..5099833
--- /dev/null
+++ b/examples/chronyd-restricted.service
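Review bot: The added `#4`/`#5` lines put realistic-looking AES key values into an example file that users tend to copy verbatim, and a key that also appears in a published example provides no authentication at all. Unless the file header above (outside the hunk) already says so, a comment next to the new lines would help, e.g. `# Example values only: generate real keys with "chronyc keygen"`. The lengths shown (32 and 64 hex digits) match 128- and 256-bit keys, so the examples themselves are consistent.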
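Review bot: The new `dhcp4-change` arm will, as far as I can tell, also match routine DHCPv4 lease renewals (NetworkManager reports the same action when a lease is renewed), so whatever the script runs after the `case` is now executed periodically on every DHCP-configured interface, not only on link changes. That is harmless if the downstream action is idempotent, but it is worth recording in the new comment, e.g. `# Note: dhcp4-change is also reported on lease renewals.` The enclosing `if`/`case` closes outside the hunk.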
@@ -0,0 +1,59 @@
+# This is a more restricted version of the chronyd service intended for
+# minimal NTP/NTS client configurations. The daemon is started without root
+# privileges and is allowed to write only to its own runtime, state, and log
+# directories. It cannot bind to privileged ports in order to operate as an
+# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use
+# reference clocks, HW timestamping, RTC tracking, and other features.
+[Unit]
+Description=NTP client (restricted)
+Documentation=man:chronyd(8) man:chrony.conf(5)
+After=chronyd.service ntpdate.service sntp.service ntpd.service
+Conflicts=chronyd.service ntpd.service systemd-timesyncd.service
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/sysconfig/chronyd
+ExecStart=/usr/sbin/chronyd -U $OPTIONS
+
+User=chrony
+LogsDirectory=chrony
+LogsDirectoryMode=0750
+RuntimeDirectory=chrony
+RuntimeDirectoryMode=0750
+RuntimeDirectoryPreserve=restart
+StateDirectory=chrony
+StateDirectoryMode=0750
+
+AmbientCapabilities=CAP_SYS_TIME
+CapabilityBoundingSet=CAP_SYS_TIME
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+# This breaks adjtimex()
+#PrivateUsers=yes
+ProcSubset=pid
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io
+SystemCallFilter=~@reboot @resources @swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
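Review bot: The two `SystemCallFilter=` denylist lines deliberately leave `@privileged` (and with it `@clock`) permitted and `ProtectClock=` unset, which is necessary because chronyd steers the clock through adjtimex(), as the `#PrivateUsers=yes` comment already records; but that reason is not written down next to the filter, so a later hardening pass could add `@privileged` or `ProtectClock=yes` and silently break time adjustment. A comment above the first filter line would guard against that, e.g. `# @privileged/@clock and ProtectClock= would block adjtimex(); CAP_SYS_TIME is the only capability kept`. Separately, the header says the daemon can write only to its runtime, state and log directories, but with `PrivateTmp=yes` it presumably also gets a writable private /tmp, which the header could mention for accuracy.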