meta-ibm: Add an override for chrony daemon
The huygens machine is based on the new pstbmc machine family from IBM.
It will be our first redundant BMC system [1]. This new system expects
to have chrony daemon to run along with the existing systemd-
timesyncd daemon.
The purpose of installing chrony in rootfs is to run chrony only in
time server mode so that it can allow other BMC to obtain time
from it.
This commit adds an override to the chrony configuration and allows
us to run both the daemons as per our use case.
[1]: https://gerrit.openbmc.org/c/openbmc/docs/+/70233
Tested: Both the daemons run in parallel without any conflict.
Change-Id: I9de73ab135977847121daabefaf81265000e371e
Signed-off-by: Pavithra Barithaya <pavithrabarithaya07@gmail.com>
diff --git a/meta-ibm/conf/machine/huygens.conf b/meta-ibm/conf/machine/huygens.conf
index a5f6cd0..c59d29f 100644
--- a/meta-ibm/conf/machine/huygens.conf
+++ b/meta-ibm/conf/machine/huygens.conf
@@ -1,5 +1,6 @@
MACHINEOVERRIDES =. "pstbmc:"
require conf/machine/pstbmc.conf
+require conf/distro/include/chrony.inc
# Focus Huygens initially on a multi-BMC setup for integrating
# BMC to BMC redundancy logic. Remove anything host or chassis
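Review bot: `require conf/distro/include/chrony.inc` pulls distro-level state into a machine configuration: per the new include it appends to DISTRO_FEATURES and DISTROOVERRIDES, so selecting this machine changes the distro feature set rather than declaring a machine feature. If that layering is intentional it deserves a comment next to the require, e.g. `# Pull in the chrony distro feature: huygens runs chronyd as a time server for the peer BMC alongside systemd-timesyncd`. This is the only place in the series that explains why chrony is wanted on this machine, and the commit message will not be visible to someone reading the conf file.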
diff --git a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
index 0029ee7..cc4a20d 100644
--- a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
+++ b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
@@ -3,6 +3,7 @@
OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd"
# No host firmware related features for huygens wanted yet
OBMC_IMAGE_EXTRA_INSTALL:remove:huygens = " mboxd"
+OBMC_IMAGE_EXTRA_INSTALL:append:df-chrony = " chrony"
IMAGE_FEATURES:append = " obmc-dbus-monitor"
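Review bot: The `df-chrony` override that keys this install line is defined in meta-phosphor's `conf/distro/include/chrony.inc`, but the package install itself lives in meta-ibm's image bbappend. Any other layer that requires the same include would get the distro feature and override without chrony landing in its image, which seems unintended for a feature defined at the distro layer. Consider adding the install next to the feature definition in meta-phosphor's image recipe instead, or add a comment here, e.g. `# chrony package install for the df-chrony feature is IBM-specific for now`, so the split is deliberate rather than accidental.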
diff --git a/meta-ibm/recipes-support/chrony/chrony/huygens/chronyd.service b/meta-ibm/recipes-support/chrony/chrony/huygens/chronyd.service
new file mode 100644
index 0000000..1dd23d4
--- /dev/null
+++ b/meta-ibm/recipes-support/chrony/chrony/huygens/chronyd.service
@@ -0,0 +1,48 @@
+[Unit]
+Description=NTP client/server
+Documentation=man:chronyd(8) man:chrony.conf(5)
+After=ntpdate.service sntp.service ntpd.service
+Conflicts=ntpd.service
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/default/chronyd
+ExecStart=/usr/sbin/chronyd $OPTIONS
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run /var/lib/chrony -/var/log
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
+
+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+NoNewPrivileges=no
+ReadWritePaths=-/var/spool
+RestrictAddressFamilies=AF_NETLINK
+
+[Install]
+WantedBy=multi-user.target
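Review bot: The block under `# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)` undoes part of the sandbox configured just above it: `NoNewPrivileges=no` overrides the earlier `NoNewPrivileges=yes`, `RestrictAddressFamilies=AF_NETLINK` widens the permitted socket families, and `ReadWritePaths=-/var/spool` opens another writable path under `ProtectSystem=strict`, all in support of mail notifications that nothing in this commit configures. Unless `mailonchange` is actually used on the BMC, leave those three directives commented out (`#NoNewPrivileges=no`, `#ReadWritePaths=-/var/spool`, `#RestrictAddressFamilies=AF_NETLINK`) so the hardening stays in force. Separately, the unit conflicts only with `ntpd.service`, so peaceful coexistence with systemd-timesyncd relies on chrony being configured for server-only operation through chrony.conf or `$OPTIONS`, neither of which is part of this change; a short comment in the unit pointing at where that configuration lives would make the dependency visible to whoever maintains it.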
diff --git a/meta-ibm/recipes-support/chrony/chrony_%.bbappend b/meta-ibm/recipes-support/chrony/chrony_%.bbappend
new file mode 100644
index 0000000..d32a79d
--- /dev/null
+++ b/meta-ibm/recipes-support/chrony/chrony_%.bbappend
@@ -0,0 +1,10 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/chrony:"
+
+install_chrony_configuration() {
+ install -D -m 0644 ${WORKDIR}/chronyd.service ${D}${systemd_system_unitdir}/chronyd.service
+}
+
+SRC_URI:append:df-chrony = " file://chronyd.service"
+do_install:append:huygens() {
+ install_chrony_configuration
+}
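Review bot: The overrides do not line up: `SRC_URI:append:df-chrony` adds `file://chronyd.service` for every machine with the chrony distro feature, but the file is shipped only under `chrony/huygens/` and is installed only by `do_install:append:huygens`, so a second machine enabling df-chrony would presumably fail the fetch or pick up a huygens-specific unit unless a generic copy exists. Key both on the same override, e.g. `SRC_URI:append:huygens = " file://chronyd.service"`, or provide a non-machine-specific unit and key the install on df-chrony as well. The name `install_chrony_configuration` also promises more than the single systemd unit it installs; a one-line comment above it, `# Replace the recipe's chronyd.service with the huygens variant that coexists with systemd-timesyncd`, would say what the override is for.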
diff --git a/meta-phosphor/conf/distro/include/chrony.inc b/meta-phosphor/conf/distro/include/chrony.inc
new file mode 100644
index 0000000..a3d7ed9
--- /dev/null
+++ b/meta-phosphor/conf/distro/include/chrony.inc
@@ -0,0 +1,2 @@
+DISTRO_FEATURES += "chrony"
+DISTROOVERRIDES .= ":df-chrony"
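Review bot: The new include defines a distro feature and an override without saying what either means or who is expected to require it. A header comment would help, e.g. `# Requiring this file adds the "chrony" distro feature and the df-chrony override, which recipes and image appends use to install and configure chronyd.` With the file being pulled in from a machine conf elsewhere in this change, that one line is the only place a reader can learn the intended entry point.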