meta-ibm: Add an override for chrony daemon
The huygens machine is based on the new pstbmc machine family from IBM.
It will be our first redundant BMC system [1]. This new system expects
to have chrony daemon to run along with the existing systemd-
timesyncd deamon.
The purpose of installing chrony in rootfs is to run chrony only in
time server mode so that it can allow other BMC to obtain time
from it.
This commit adds an override to the chrony configuration and allows
us to run both the daemons as per our use case.
[1]: https://gerrit.openbmc.org/c/openbmc/docs/+/70233
Tested: Both the daemons run parallely without any conflict.
Change-Id: I9de73ab135977847121daabefaf81265000e371e
Signed-off-by: Pavithra Barithaya <pavithrabarithaya07@gmail.com>
diff --git a/meta-ibm/recipes-support/chrony/chrony/huygens/chronyd.service b/meta-ibm/recipes-support/chrony/chrony/huygens/chronyd.service
new file mode 100644
index 0000000..1dd23d4
--- /dev/null
+++ b/meta-ibm/recipes-support/chrony/chrony/huygens/chronyd.service
@@ -0,0 +1,48 @@
+[Unit]
+Description=NTP client/server
+Documentation=man:chronyd(8) man:chrony.conf(5)
+After=ntpdate.service sntp.service ntpd.service
+Conflicts=ntpd.service
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/default/chronyd
+ExecStart=/usr/sbin/chronyd $OPTIONS
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run /var/lib/chrony -/var/log
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
+
+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+NoNewPrivileges=no
+ReadWritePaths=-/var/spool
+RestrictAddressFamilies=AF_NETLINK
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-ibm/recipes-support/chrony/chrony_%.bbappend b/meta-ibm/recipes-support/chrony/chrony_%.bbappend
new file mode 100644
index 0000000..d32a79d
--- /dev/null
+++ b/meta-ibm/recipes-support/chrony/chrony_%.bbappend
@@ -0,0 +1,10 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/chrony:"
+
+install_chrony_configuration() {
+ install -D -m 0644 ${WORKDIR}/chronyd.service ${D}${systemd_system_unitdir}/chronyd.service
+}
+
+SRC_URI:append:df-chrony = " file://chronyd.service"
+do_install:append:huygens() {
+ install_chrony_configuration
+}