Merge pull request #1792 from flatcar/jepio/clock

NTP/PTP by default on Azure/AWS/GCP

.github/workflows/portage-stable-packages-list

@@ -430,6 +430,7 @@ net-libs/nghttp2
 net-libs/rpcsvc-proto
 
 net-misc/bridge-utils
+net-misc/chrony
 net-misc/curl
 net-misc/ethertypes
 net-misc/iperf

changelog/changes/2024-03-28-ntp-chrony.md

@@ -0,0 +1,3 @@
+- Enabled ntpd by default on AWS & GCP, enabled chronyd by default on Azure. The native time sync source is used on each cloud. ([scripts#1792](https://github.com/flatcar/scripts/pull/1792))
+- Enabled the ptp_vmw module in the kernel.
+- Switched ptp_kvm from kernel builtin to module.

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild

@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="7e30bf5baa1abc5113024f2238d9c235aedaf62e" # flatcar-master
+	CROS_WORKON_COMMIT="32982439c691b6de6446f82b8713edb09451d97b" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf

@@ -10,6 +10,14 @@
 # Common pool for random people
 #server pool.ntp.org
 
+# AWS Time Sync Service.
+server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4
+# AWS Time Sync Service IPv6:
+server fd00:ec2::123 prefer iburst minpoll 4 maxpoll 4
+
+# GCP NTP Service
+server metadata.google.internal prefer iburst
+
 # Pools for Flatcar users
 server 0.flatcar.pool.ntp.org
 server 1.flatcar.pool.ntp.org

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-ami/oem-ami-3.2.985.0-r1.ebuild

@@ -30,4 +30,5 @@ src_install() {
 	insinto "$(systemd_get_systemunitdir)/multi-user.target.d"
 	doins "${FILESDIR}/10-oem-ami.conf"
 
+	systemd_enable_service multi-user.target ntpd.service
 }

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony-hyperv.conf

@@ -0,0 +1,4 @@
+# This should only be used when chronyd is configured to use the /dev/ptp_hyperv device
+[Unit]
+Wants=dev-ptp_hyperv.device
+After=dev-ptp_hyperv.device

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/chrony.conf

@@ -0,0 +1,65 @@
+# CLOUD_IMG: This file was created/modified by the Cloud Image build process
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+# This will use (up to):
+# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well
+# - 1 source from [013].ubuntu.pool.ntp.org each (ipv4 only atm)
+# This means by default, up to 2 dual-stack and up to 3 additional IPv4-only
+# sources will be used.
+# At the same time it retains some protection against one of the entries being
+# down (compare to just using one of the lines).
+#
+# See http://www.pool.ntp.org/join.html for more information.
+#pool 0.flatcar.pool.ntp.org iburst maxsources 1
+#pool 1.flatcar.pool.ntp.org iburst maxsources 1
+#pool 2.flatcar.pool.ntp.org iburst maxsources 2
+#pool 3.flatcar.pool.ntp.org iburst maxsources 1
+
+# Use time sources from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+#keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+#logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1.0 -1
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC
+
+# Azure hosts are synchronized to internal Microsoft time servers
+# that take their time from Microsoft-owned Stratum 1 devices.
+# The Hyper-V drivers surface this time source as a PTP-based
+# time source in the guest. This configures chrony to use it.
+refclock PHC /dev/ptp_hyperv poll 3 dpoll -2 offset 0 stratum 2

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/etc-chrony.conf

@@ -0,0 +1,3 @@
+d /etc/chrony 0755 root root  - -
+d /etc/chrony/conf.d 0755 root root - -
+L /etc/chrony/chrony.conf - - - - ../../usr/share/oem-azure/chrony.conf

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/manglefs.sh

@@ -18,5 +18,5 @@ ln -sf /usr/bin/true "${rootfs}/usr/bin/eject"
 # At runtime we need the agent to write systemd.service to /etc but during
 # package creation it needs to be /usr/lib. waagent uses the same function in
 # both cases, so mangle manually.
-mkdir -p "${rootfs}"/usr/lib/systemd
+mkdir -p "${rootfs}"/usr/lib/systemd/system
-mv "${rootfs}"/{etc,usr/lib}/systemd/system
+cp -a "${rootfs}"/{etc,usr/lib}/systemd/system/.

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/files/var-chrony.conf

@@ -0,0 +1 @@
+d /var/lib/chrony 0770 ntp ntp - -

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r2.ebuild

@@ -3,6 +3,8 @@
 
 EAPI=8
 
+inherit systemd tmpfiles
+
 DESCRIPTION="OEM suite for Azure"
 HOMEPAGE="https://azure.microsoft.com/"
 SRC_URI=""
@@ -14,7 +16,20 @@ IUSE=""
 
 RDEPEND="
   ~app-emulation/wa-linux-agent-${PV}
+  net-misc/chrony
 "
 
 # for coreos-base/common-oem-files
 OEM_NAME="Microsoft Azure"
+
+S="${WORKDIR}"
+
+src_install() {
+	systemd_enable_service multi-user.target chronyd.service
+	insinto "$(systemd_get_systemunitdir)"/chronyd.service.d
+	doins "${FILESDIR}"/chrony-hyperv.conf
+	dotmpfiles "${FILESDIR}"/var-chrony.conf
+	dotmpfiles "${FILESDIR}"/etc-chrony.conf
+	insinto /usr/share/${PN}
+	doins "${FILESDIR}"/chrony.conf
+}

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild

@@ -30,6 +30,7 @@ src_install() {
     systemd_dounit "${FILESDIR}/units/oem-gce-enable-oslogin.service"
     systemd_dounit "${FILESDIR}/units/setup-oem.service"
     systemd_install_dropin "multi-user.target" "${FILESDIR}/units/10-oem-gce.conf"
+    systemd_enable_service "multi-user.target" "ntpd.service"
 
     dobin "${FILESDIR}/bin/enable-oslogin"
     dobin "${FILESDIR}/bin/init.sh"

sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild

@@ -34,5 +34,6 @@ RDEPEND="
 	coreos-base/coreos
 	coreos-base/coreos-dev
 	coreos-base/flatcar-eks
+	net-misc/chrony
 	sys-fs/zfs
 	"

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd

@@ -0,0 +1,13 @@
+cros_post_src_install_timesync() {
+  local dir="${D}$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
+  mkdir -p "${dir}"
+  pushd "${dir}"
+  cat <<EOF >flatcar.conf || die
+# Allow sysexts to ship timesyncd replacements which can have
+# a Conflicts=systemd-timesyncd directive that would result
+# in systemd-timesyncd not being started.
+[Unit]
+After=ensure-sysext.service
+EOF
+  popd
+}

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use

@@ -47,3 +47,6 @@ app-emulation/open-vm-tools -fuse fuse3 -icu pam -resolutionkms
 
 # no suid binaries, please
 sys-fs/fuse -suid
+
+# skip dependency for this sysext package
+net-misc/chrony -readline

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-6.6

@@ -96,6 +96,7 @@ CONFIG_PMIC_OPREGION=y
 # CONFIG_PNP_DEBUG_MESSAGES is not set
 CONFIG_POWERCAP=y
 CONFIG_PREEMPT_VOLUNTARY=y
+CONFIG_PTP_1588_CLOCK_VMW=m
 CONFIG_PVPANIC=y
 CONFIG_PVPANIC_MMIO=m
 CONFIG_SCHED_TRACER=y

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6

@@ -125,14 +125,12 @@ CONFIG_CPU_FREQ_GOV_USERSPACE=m
 CONFIG_CPU_FREQ_STAT=y
 # CONFIG_CROSS_MEMORY_ATTACH is not set
 CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_DES=m
 CONFIG_CRYPTO_FIPS=y
 CONFIG_CRYPTO_GCM=m
 CONFIG_CRYPTO_HMAC=y
-CONFIG_CRYPTO_LZO=m
-# CONFIG_RPCSEC_GSS_KRB5 requires some older crypto modules
 CONFIG_CRYPTO_LIB_DES=m
-CONFIG_CRYPTO_DES=m
+CONFIG_CRYPTO_LZO=m
-CONFIG_RPCSEC_GSS_KRB5=m
 # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
 CONFIG_CRYPTO_SHA1=y
 CONFIG_CRYPTO_USER_API_HASH=m
@@ -280,8 +278,8 @@ CONFIG_INFINIBAND_MTHCA=m
 CONFIG_INFINIBAND_OCRDMA=m
 CONFIG_INFINIBAND_SRP=m
 CONFIG_INFINIBAND_USER_MAD=m
-CONFIG_INIT_STACK_NONE=y
 CONFIG_INITRAMFS_COMPRESSION_ZSTD=y
+CONFIG_INIT_STACK_NONE=y
 CONFIG_INPUT_EVDEV=m
 CONFIG_INPUT_MISC=y
 CONFIG_INPUT_MOUSEDEV=m
@@ -751,6 +749,8 @@ CONFIG_PROC_KCORE=y
 CONFIG_PROFILING=y
 CONFIG_PSI=y
 # CONFIG_PSI_DEFAULT_DISABLED is not set
+CONFIG_PTP_1588_CLOCK=m
+CONFIG_PTP_1588_CLOCK_KVM=m
 CONFIG_QED=m
 CONFIG_QEDE=m
 CONFIG_QEDF=m
@@ -772,6 +772,8 @@ CONFIG_RDS_TCP=m
 CONFIG_REALTEK_PHY=m
 CONFIG_REGULATOR=y
 CONFIG_REGULATOR_FIXED_VOLTAGE=y
+# CONFIG_RPCSEC_GSS_KRB5 requires some older crypto modules
+CONFIG_RPCSEC_GSS_KRB5=m
 CONFIG_RTC_CLASS=y
 CONFIG_RT_GROUP_SCHED=y
 CONFIG_S2IO=m

sdk_container/src/third_party/portage-stable/net-misc/chrony/Manifest

@@ -0,0 +1,10 @@
+AUX chrony-2.4-r1.logrotate 131 BLAKE2B 4e649ce1c126639ea73c4e03d42175d1715b1c321544376ff2e48d67ee13bebcf04a8fea56326bf5efe66f568913dc92ff7f16a641ffb39a456e9cdac6004a6c SHA512 e6febb744476be6c83ac086f2054dc2c190b6e1abd2cf20d4187f222b2485817f06c4ad62b8d40fcea3e18a771cf21899fe0a1dafbfb31f5c99da9092d24d79b
+AUX chrony-3.5-pool-vendor-gentoo.patch 544 BLAKE2B 5ef7fcea43c59d1da8f3b3a735f1e70565a8437f142f317abe81531c31e934af05eda5e3043f7874bc9b4592d44579ae1827ddba06c514b4b8124c899931ed0f SHA512 0a109e1b8367def620f5089b3fcb92d84e592eb1a2fced2b60f6c9295159a605d9605e837a06e118c8ba8095208da68592fb9cd537937a153d6eecfa0eb35eb4
+AUX chrony-4.2-systemd-gentoo.patch 538 BLAKE2B 70d3bb2a190aa2401ff566dd88d1cace1d3573261819d082863fe310bb16507fcc1497fd31ec24033cb9dbe8356aef416d91b36df6067fd37f4273e59bc4e330 SHA512 62e54e1c16380812b3cf11a84091e134401341a4a64dda806af1a52dfa4158912adc4c2524388956f67a44e095e893ed714a2eee15650080c38ce44d2bc279ec
+AUX chronyd.conf-r3 390 BLAKE2B aa193e6bcf62cc305620139b7c198d39358feea7106356083cf1a20bdb8fd4b85bd8cce8cf20ce6839e8788fedc1f94e912ec512193988f83283ceef86d6cfc7 SHA512 ab0bbd07c17e391d068c5a37d5f8d9c8fc2c42add2700869217a95784666bd3f23bebd70942cf11b42c124e0947f68c101153998e89bc61ccb71b30a0187cf0c
+AUX chronyd.init-r2 1694 BLAKE2B 5ee55954c8afc2df09291dd7df4c3f1b3a01f97079ae19799a87c0217118c02b24ace0422b1f355fb67d1a0224eacf2104f3b984035f4ac9fa6b41624187d009 SHA512 63d9816017bb13b57c28de4a9d5b8061139d4aea1db5800ec7a4d9e8b2a8f5c5109b556ae5bec5c6d1cc7c4839bd49f12a0046c74fe4d1d11049ead00f1407da
+DIST chrony-4.5.tar.gz 620287 BLAKE2B e89665e6ff700805b41f89e9349d280579aebab31a30817512a165da939c8f39dc55ef9a17a50e3d7e298015620667638ab119901a71868a9188093606a95d32 SHA512 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5
+DIST chrony-4.5.tar.gz.asc 833 BLAKE2B 7d680a4f5d86335b067b95cb900761615180701cabae5978d6f924063f7a43748534bb2e4f23cd9cd2e6919ed005014db6d396330fbfb5aa6d5f1c46f3c0c3a0 SHA512 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb
+EBUILD chrony-4.5.ebuild 6814 BLAKE2B 392707d5e5dd672eb18159911ad19645ff132cb25ca6ddd102eb17974e492c6370d87b6994ce40dc0191c74b184feba3ac5fe52dd28fe1fd545320841eb02a77 SHA512 699d6e4a24f6b5f0f7c1bcfdce728c3db694ae17684a91ad45d6360c71257db012d24d12bcd83ae3eb0df09c0cfbc23cbf113074894937cef3730baa2c935f43
+EBUILD chrony-9999.ebuild 6822 BLAKE2B 38c6b067e7f07b2045865b83c5064c9b26b02357d1718a8b1e67cb7cbafafac4b1f7425fb957d439c9793b34af4135c5d7d7fe6875394e06ed4c6f9e2f62df35 SHA512 2a2c83c5520ed3d38e9535898aeb6134a9ecda752c8ba5d7a71bea014403b7af758a35f546fd192b3b09b6d5769e9e1fd2eef1d8be9c6b44d34a966a75732e98
+MISC metadata.xml 2353 BLAKE2B c5a7458f2aabf443f01e670cf1e1a578c6d1095b607df07a6a979610f8446ad8fbbbc2b86ca79f8f06b49cfeba1a31cd05b2748c46e2d283863fd43d0b8e7a3a SHA512 1ec4023f55368e03158535d45239572e6bd160d94c85126d3c7d1ddd02fd5743d65ee9ea2bf2e6fbde5b010483928432b5d5848bed03bcc78e9f6924ee189b42

sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-4.5.ebuild

@@ -0,0 +1,261 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit edo systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="NTP client and server programs"
+HOMEPAGE="https://chrony-project.org/"
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://gitlab.com/chrony/chrony.git"
+	inherit git-r3
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/mlichvar.asc
+	inherit verify-sig
+
+	SRC_URI="https://chrony-project.org/releases/${P/_/-}.tar.gz"
+	SRC_URI+=" verify-sig? ( https://chrony-project.org/releases/${P/_/-}-tar-gz-asc.txt -> ${P/_/-}.tar.gz.asc )"
+
+	if [[ ${PV} != *_pre* ]] ; then
+		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv sparc x86"
+	fi
+fi
+
+S="${WORKDIR}/${P/_/-}"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="+caps +cmdmon debug html libtomcrypt +nettle nss +ntp +nts +phc pps +readline +refclock +rtc samba +seccomp +sechash selinux"
+# nettle > nss > libtomcrypt in configure
+REQUIRED_USE="
+	sechash? ( || ( nettle nss libtomcrypt ) )
+	nettle? ( !nss )
+	nss? ( !nettle )
+	libtomcrypt? ( !nettle !nss )
+	!sechash? ( !nss )
+	!sechash? ( !nts? ( !nettle ) )
+"
+
+DEPEND="
+	caps? (
+		acct-group/ntp
+		acct-user/ntp
+		sys-libs/libcap
+	)
+	libtomcrypt? ( dev-libs/libtomcrypt:= )
+	nettle? ( dev-libs/nettle:= )
+	nss? ( dev-libs/nss:= )
+	nts? ( net-libs/gnutls:= )
+	pps? ( net-misc/pps-tools )
+	readline? ( dev-libs/libedit )
+	seccomp? ( sys-libs/libseccomp )
+"
+RDEPEND="
+	${DEPEND}
+	selinux? ( sec-policy/selinux-chronyd )
+"
+BDEPEND="
+	html? ( dev-ruby/asciidoctor )
+	nts? ( virtual/pkgconfig )
+	sechash? (
+		nettle? ( virtual/pkgconfig )
+		nss? ( virtual/pkgconfig )
+	)
+"
+
+if [[ ${PV} == 9999 ]] ; then
+	# Needed for doc generation in 9999
+	REQUIRED_USE+=" html"
+	BDEPEND+="
+		app-alternatives/yacc
+		virtual/w3m
+	"
+else
+	BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-mlichvar-20210513 )"
+fi
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
+	"${FILESDIR}"/${PN}-4.2-systemd-gentoo.patch
+)
+
+src_prepare() {
+	default
+
+	sed -i \
+		-e 's:/etc/chrony\.conf:/etc/chrony/chrony.conf:g' \
+		doc/* examples/* || die
+
+	cp "${FILESDIR}"/chronyd.conf-r3 "${T}"/chronyd.conf || die
+}
+
+src_configure() {
+	if ! use caps ; then
+		sed -i \
+			-e 's/ -u ntp//' \
+			"${T}"/chronyd.conf examples/chronyd.service || die
+	fi
+
+	if ! use seccomp ; then
+		sed -i \
+			-e 's/ -F 2//' \
+			"${T}"/chronyd.conf examples/chronyd.service || die
+	fi
+
+	tc-export CC PKG_CONFIG
+
+	# Update from time to time with output from "date +%s"
+	# on a system that is time-synced.
+	export SOURCE_DATE_EPOCH=1607976314
+
+	# Not an autotools generated script
+	local myconf=(
+		$(use_enable seccomp scfilter)
+
+		$(usev !caps '--disable-linuxcaps')
+		$(usev !cmdmon '--disable-cmdmon')
+		$(usev debug '--enable-debug')
+
+		# USE=readline here means "readline-like functionality"
+		# chrony only supports libedit in terms of the library providing
+		# it.
+		$(usev !readline '--without-editline --disable-readline')
+
+		$(usev !libtomcrypt '--without-tomcrypt')
+		$(usev !nettle '--without-nettle')
+		$(usev !nss '--without-nss')
+		$(usev !ntp '--disable-ntp')
+		$(usev !nts '--disable-nts')
+		$(usev !nts '--without-gnutls')
+		$(usev !phc '--disable-phc')
+		$(usev !pps '--disable-pps')
+		$(usev !refclock '--disable-refclock')
+		$(usev !rtc '--disable-rtc')
+		$(usev samba '--enable-ntp-signd')
+		$(usev !sechash '--disable-sechash')
+
+		--chronysockdir="${EPREFIX}/run/chrony"
+		--docdir="${EPREFIX}/usr/share/doc/${PF}"
+		--mandir="${EPREFIX}/usr/share/man"
+		--prefix="${EPREFIX}/usr"
+		--sysconfdir="${EPREFIX}/etc/chrony"
+		--with-hwclockfile="${EPREFIX}/etc/adjtime"
+		--with-pidfile="${EPREFIX}/run/chrony/chronyd.pid"
+
+		${EXTRA_ECONF}
+	)
+
+	# Print the ./configure call
+	edo ./configure "${myconf[@]}" || die
+}
+
+src_compile() {
+	if [[ ${PV} == 9999 ]] ; then
+		# Uses w3m
+		emake -C doc man txt
+	fi
+
+	emake all docs $(usev !html 'ADOC=true')
+}
+
+src_install() {
+	default
+
+	# Compatibility with other distributions who install to /etc/chrony.conf (bug #835461)
+	dosym -r /etc/chrony/chrony.conf /etc/chrony.conf
+
+	newinitd "${FILESDIR}"/chronyd.init-r2 chronyd
+	newconfd "${T}"/chronyd.conf chronyd
+
+	insinto /etc/${PN}
+	newins examples/chrony.conf.example1 chrony.conf
+
+	docinto examples
+	dodoc examples/*.example*
+
+	newtmpfiles - chronyd.conf <<<"d /run/chrony 0750 $(usex caps 'ntp ntp' 'root root')"
+
+	if use html ; then
+		docinto html
+		dodoc doc/*.html
+	fi
+
+	keepdir /var/{lib,log}/chrony
+
+	if use caps ; then
+		# Prepare a directory for the chrony.drift file (a la ntpsec)
+		# Ensures the environment is sane on new installs
+		# bug #711058
+		fowners -R ntp:ntp /var/{lib,log}/chrony
+		fperms -R 770 /var/lib/chrony
+	fi
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
+
+	systemd_dounit examples/chronyd.service
+	systemd_dounit examples/chrony-wait.service
+	systemd_enable_ntpunit 50-chrony chronyd.service
+}
+
+pkg_preinst() {
+	HAD_CAPS=0
+	HAD_SECCOMP=0
+	HAD_PRE_NEW_SECCOMP_LEVEL=0
+
+	# See https://dev.gentoo.org/~zmedico/portage/doc/portage.html#package-ebuild-phases-after-2.1.5
+	# in "Ebuild Phases" for an explanation of why we need to save the variable beforehand
+	if has_version 'net-misc/chrony[caps]' ; then
+		HAD_CAPS=1
+	fi
+
+	if has_version 'net-misc/chrony[seccomp]' ; then
+		HAD_SECCOMP=1
+	fi
+
+	if has_version '>=net-misc/chrony-4.1[seccomp]' ; then
+		# This version introduced a new filter level: -F 2
+		# It's a limited set of seccomp filters designed to be 'bare minimum'
+		HAD_PRE_NEW_SECCOMP_LEVEL=1
+	fi
+}
+
+pkg_postinst() {
+	tmpfiles_process chronyd.conf
+
+	if [[ -n "${REPLACING_VERSIONS}" ]] ; then
+		if use caps && ! [[ ${HAD_CAPS} -eq 1 ]] ; then
+			# bug #719876
+			ewarn "Please adjust permissions on ${EROOT}/var/{lib,log}/chrony to be owned by ntp:ntp"
+			ewarn "e.g. chown -R ntp:ntp ${EROOT}/var/{lib,log}/chrony"
+			ewarn "This is necessary for chrony to drop privileges"
+		elif ! use caps && [[ ${HAD_CAPS} -eq 0 ]] ; then
+			ewarn "Please adjust permissions on ${EROOT}/var/{lib,log}/chrony to be owned by root:root"
+		fi
+	fi
+
+	# See bug #783915 for general discussion on enabling seccomp filtering
+	# by default.
+	local show_seccomp_enable_msg=0
+
+	# Was seccomp disabled before and now enabled?
+	if [[ ${HAD_SECCOMP} -eq 0 ]] && use seccomp ; then
+		show_seccomp_enable_msg=1
+	fi
+
+	# Are we coming from an old version without the new 'minimal' filter?
+	# (-F 2)
+	if [[ ${HAD_PRE_NEW_SECCOMP_LEVEL} -eq 0 ]] ; then
+		show_seccomp_enable_msg=1
+	fi
+
+	if [[ ${show_seccomp_enable_msg} -eq 1 ]] ; then
+		elog "To enable seccomp in a stricter mode, please modify:"
+		elog "- ${EROOT}/etc/conf.d/chronyd for OpenRC"
+		elog "- systemctl edit chronyd for systemd"
+		elog "to use -F 1 or -F -1 instead of -F 2 (see man chronyd)"
+		elog "By default, we now use -F 2 which is a baseline/minimal filter."
+	fi
+}

sdk_container/src/third_party/portage-stable/net-misc/chrony/chrony-9999.ebuild

@@ -0,0 +1,261 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit edo systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="NTP client and server programs"
+HOMEPAGE="https://chrony-project.org/"
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://gitlab.com/chrony/chrony.git"
+	inherit git-r3
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/mlichvar.asc
+	inherit verify-sig
+
+	SRC_URI="https://chrony-project.org/releases/${P/_/-}.tar.gz"
+	SRC_URI+=" verify-sig? ( https://chrony-project.org/releases/${P/_/-}-tar-gz-asc.txt -> ${P/_/-}.tar.gz.asc )"
+
+	if [[ ${PV} != *_pre* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	fi
+fi
+
+S="${WORKDIR}/${P/_/-}"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="+caps +cmdmon debug html libtomcrypt +nettle nss +ntp +nts +phc pps +readline +refclock +rtc samba +seccomp +sechash selinux"
+# nettle > nss > libtomcrypt in configure
+REQUIRED_USE="
+	sechash? ( || ( nettle nss libtomcrypt ) )
+	nettle? ( !nss )
+	nss? ( !nettle )
+	libtomcrypt? ( !nettle !nss )
+	!sechash? ( !nss )
+	!sechash? ( !nts? ( !nettle ) )
+"
+
+DEPEND="
+	caps? (
+		acct-group/ntp
+		acct-user/ntp
+		sys-libs/libcap
+	)
+	libtomcrypt? ( dev-libs/libtomcrypt:= )
+	nettle? ( dev-libs/nettle:= )
+	nss? ( dev-libs/nss:= )
+	nts? ( net-libs/gnutls:= )
+	pps? ( net-misc/pps-tools )
+	readline? ( dev-libs/libedit )
+	seccomp? ( sys-libs/libseccomp )
+"
+RDEPEND="
+	${DEPEND}
+	selinux? ( sec-policy/selinux-chronyd )
+"
+BDEPEND="
+	html? ( dev-ruby/asciidoctor )
+	nts? ( virtual/pkgconfig )
+	sechash? (
+		nettle? ( virtual/pkgconfig )
+		nss? ( virtual/pkgconfig )
+	)
+"
+
+if [[ ${PV} == 9999 ]] ; then
+	# Needed for doc generation in 9999
+	REQUIRED_USE+=" html"
+	BDEPEND+="
+		app-alternatives/yacc
+		virtual/w3m
+	"
+else
+	BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-mlichvar-20210513 )"
+fi
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
+	"${FILESDIR}"/${PN}-4.2-systemd-gentoo.patch
+)
+
+src_prepare() {
+	default
+
+	sed -i \
+		-e 's:/etc/chrony\.conf:/etc/chrony/chrony.conf:g' \
+		doc/* examples/* || die
+
+	cp "${FILESDIR}"/chronyd.conf-r3 "${T}"/chronyd.conf || die
+}
+
+src_configure() {
+	if ! use caps ; then
+		sed -i \
+			-e 's/ -u ntp//' \
+			"${T}"/chronyd.conf examples/chronyd.service || die
+	fi
+
+	if ! use seccomp ; then
+		sed -i \
+			-e 's/ -F 2//' \
+			"${T}"/chronyd.conf examples/chronyd.service || die
+	fi
+
+	tc-export CC PKG_CONFIG
+
+	# Update from time to time with output from "date +%s"
+	# on a system that is time-synced.
+	export SOURCE_DATE_EPOCH=1607976314
+
+	# Not an autotools generated script
+	local myconf=(
+		$(use_enable seccomp scfilter)
+
+		$(usev !caps '--disable-linuxcaps')
+		$(usev !cmdmon '--disable-cmdmon')
+		$(usev debug '--enable-debug')
+
+		# USE=readline here means "readline-like functionality"
+		# chrony only supports libedit in terms of the library providing
+		# it.
+		$(usev !readline '--without-editline --disable-readline')
+
+		$(usev !libtomcrypt '--without-tomcrypt')
+		$(usev !nettle '--without-nettle')
+		$(usev !nss '--without-nss')
+		$(usev !ntp '--disable-ntp')
+		$(usev !nts '--disable-nts')
+		$(usev !nts '--without-gnutls')
+		$(usev !phc '--disable-phc')
+		$(usev !pps '--disable-pps')
+		$(usev !refclock '--disable-refclock')
+		$(usev !rtc '--disable-rtc')
+		$(usev samba '--enable-ntp-signd')
+		$(usev !sechash '--disable-sechash')
+
+		--chronysockdir="${EPREFIX}/run/chrony"
+		--docdir="${EPREFIX}/usr/share/doc/${PF}"
+		--mandir="${EPREFIX}/usr/share/man"
+		--prefix="${EPREFIX}/usr"
+		--sysconfdir="${EPREFIX}/etc/chrony"
+		--with-hwclockfile="${EPREFIX}/etc/adjtime"
+		--with-pidfile="${EPREFIX}/run/chrony/chronyd.pid"
+
+		${EXTRA_ECONF}
+	)
+
+	# Print the ./configure call
+	edo ./configure "${myconf[@]}" || die
+}
+
+src_compile() {
+	if [[ ${PV} == 9999 ]] ; then
+		# Uses w3m
+		emake -C doc man txt
+	fi
+
+	emake all docs $(usev !html 'ADOC=true')
+}
+
+src_install() {
+	default
+
+	# Compatibility with other distributions who install to /etc/chrony.conf (bug #835461)
+	dosym -r /etc/chrony/chrony.conf /etc/chrony.conf
+
+	newinitd "${FILESDIR}"/chronyd.init-r2 chronyd
+	newconfd "${T}"/chronyd.conf chronyd
+
+	insinto /etc/${PN}
+	newins examples/chrony.conf.example1 chrony.conf
+
+	docinto examples
+	dodoc examples/*.example*
+
+	newtmpfiles - chronyd.conf <<<"d /run/chrony 0750 $(usex caps 'ntp ntp' 'root root')"
+
+	if use html ; then
+		docinto html
+		dodoc doc/*.html
+	fi
+
+	keepdir /var/{lib,log}/chrony
+
+	if use caps ; then
+		# Prepare a directory for the chrony.drift file (a la ntpsec)
+		# Ensures the environment is sane on new installs
+		# bug #711058
+		fowners -R ntp:ntp /var/{lib,log}/chrony
+		fperms -R 770 /var/lib/chrony
+	fi
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
+
+	systemd_dounit examples/chronyd.service
+	systemd_dounit examples/chrony-wait.service
+	systemd_enable_ntpunit 50-chrony chronyd.service
+}
+
+pkg_preinst() {
+	HAD_CAPS=0
+	HAD_SECCOMP=0
+	HAD_PRE_NEW_SECCOMP_LEVEL=0
+
+	# See https://dev.gentoo.org/~zmedico/portage/doc/portage.html#package-ebuild-phases-after-2.1.5
+	# in "Ebuild Phases" for an explanation of why we need to save the variable beforehand
+	if has_version 'net-misc/chrony[caps]' ; then
+		HAD_CAPS=1
+	fi
+
+	if has_version 'net-misc/chrony[seccomp]' ; then
+		HAD_SECCOMP=1
+	fi
+
+	if has_version '>=net-misc/chrony-4.1[seccomp]' ; then
+		# This version introduced a new filter level: -F 2
+		# It's a limited set of seccomp filters designed to be 'bare minimum'
+		HAD_PRE_NEW_SECCOMP_LEVEL=1
+	fi
+}
+
+pkg_postinst() {
+	tmpfiles_process chronyd.conf
+
+	if [[ -n "${REPLACING_VERSIONS}" ]] ; then
+		if use caps && ! [[ ${HAD_CAPS} -eq 1 ]] ; then
+			# bug #719876
+			ewarn "Please adjust permissions on ${EROOT}/var/{lib,log}/chrony to be owned by ntp:ntp"
+			ewarn "e.g. chown -R ntp:ntp ${EROOT}/var/{lib,log}/chrony"
+			ewarn "This is necessary for chrony to drop privileges"
+		elif ! use caps && [[ ${HAD_CAPS} -eq 0 ]] ; then
+			ewarn "Please adjust permissions on ${EROOT}/var/{lib,log}/chrony to be owned by root:root"
+		fi
+	fi
+
+	# See bug #783915 for general discussion on enabling seccomp filtering
+	# by default.
+	local show_seccomp_enable_msg=0
+
+	# Was seccomp disabled before and now enabled?
+	if [[ ${HAD_SECCOMP} -eq 0 ]] && use seccomp ; then
+		show_seccomp_enable_msg=1
+	fi
+
+	# Are we coming from an old version without the new 'minimal' filter?
+	# (-F 2)
+	if [[ ${HAD_PRE_NEW_SECCOMP_LEVEL} -eq 0 ]] ; then
+		show_seccomp_enable_msg=1
+	fi
+
+	if [[ ${show_seccomp_enable_msg} -eq 1 ]] ; then
+		elog "To enable seccomp in a stricter mode, please modify:"
+		elog "- ${EROOT}/etc/conf.d/chronyd for OpenRC"
+		elog "- systemctl edit chronyd for systemd"
+		elog "to use -F 1 or -F -1 instead of -F 2 (see man chronyd)"
+		elog "By default, we now use -F 2 which is a baseline/minimal filter."
+	fi
+}

sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-2.4-r1.logrotate

@@ -0,0 +1,7 @@
+/var/log/chrony/*.log {
+	missingok
+	sharedscripts
+	postrotate
+		/usr/bin/chronyc cyclelogs |grep -v '^200 OK'; exit 0
+	endscript
+}

sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-3.5-pool-vendor-gentoo.patch

@@ -0,0 +1,16 @@
+- Use the Gentoo pool
+- Use the server directive instead of the pool directive so we get four time
+  sources and not twelve.
+
+--- a/examples/chrony.conf.example1
++++ b/examples/chrony.conf.example1
+@@ -1,5 +1,8 @@
+ # Use public NTP servers from the pool.ntp.org project.
+-pool pool.ntp.org iburst
++server 0.gentoo.pool.ntp.org iburst
++server 1.gentoo.pool.ntp.org iburst
++server 2.gentoo.pool.ntp.org iburst
++server 3.gentoo.pool.ntp.org iburst
+ 
+ # Record the rate at which the system clock gains/losses time.
+ driftfile /var/lib/chrony/drift

sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chrony-4.2-systemd-gentoo.patch

@@ -0,0 +1,13 @@
+diff --git a/examples/chronyd.service b/examples/chronyd.service
+index 4fb930e..8df627a 100644
+--- a/examples/chronyd.service
++++ b/examples/chronyd.service
+@@ -9,7 +9,7 @@ ConditionCapability=CAP_SYS_TIME
+ Type=forking
+ PIDFile=/run/chrony/chronyd.pid
+ EnvironmentFile=-/etc/sysconfig/chronyd
+-ExecStart=/usr/sbin/chronyd $OPTIONS
++ExecStart=/usr/sbin/chronyd $OPTIONS -u ntp -F 2
+ 
+ CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE

sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.conf-r3

@@ -0,0 +1,12 @@
+# /etc/conf.d/chronyd
+
+CFGFILE="/etc/chrony/chrony.conf"
+
+# Configuration dependant options :
+#      -s - Set system time from RTC if rtcfile directive present
+#      -r - Reload sample histories if dumponexit directive present
+#
+# The combination of "-s -r" allows chronyd to perform long term averaging of
+# the gain or loss rate across system reboots and shutdowns.
+
+ARGS=" -u ntp -F 2"

sdk_container/src/third_party/portage-stable/net-misc/chrony/files/chronyd.init-r2

@@ -0,0 +1,70 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	use dns
+}
+
+checkconfig() {
+	# Note that /etc/chrony/chrony.keys is *NOT* checked. This
+	# is because the user may have specified another key
+	# file, and we don't want to force the user to use that
+	# exact name for the key file.
+	if [ ! -f "${CFGFILE}" ] ; then
+		eerror "Please create ${CFGFILE} and the"
+		eerror "chrony key file (usually /etc/chrony/chrony.keys)"
+		eerror "by using the"
+		eerror ""
+		eerror "        chrony.conf.example"
+		eerror "        chrony.keys.example"
+		eerror ""
+		eerror "files (from the documentation directory)"
+		eerror "as templates."
+		return 1
+	else
+		# Actually, I tried it, and chrony seems to ignore the pidfile
+		# option. I'm going to leave it here anyway, since you never
+		# know if it might be handy
+		PIDFILE=`awk '/^ *pidfile/{print $2}' "${CFGFILE}"`
+		[ -z "${PIDFILE}" ] && PIDFILE=/run/chrony/chronyd.pid
+	fi
+	return 0
+}
+
+setxtrarg() {
+	if [ -c /dev/rtc ]; then
+		grep -q '^rtcfile' "${CFGFILE}" && ARGS="${ARGS} -s"
+	fi
+	grep -q '^dumponexit$' "${CFGFILE}" && ARGS="${ARGS} -r"
+	return 0
+}
+
+start() {
+	checkconfig || return $?
+	setxtrarg
+
+	[ -n "${PIDFILE}" ] || PIDFILE=/run/chronyd.pid
+
+	ebegin "Starting chronyd"
+	start-stop-daemon \
+		--start \
+		--quiet \
+		--exec /usr/sbin/chronyd \
+		--pidfile "${PIDFILE}" \
+		-- -f "${CFGFILE}" ${ARGS}
+	eend $? "Failed to start chronyd"
+}
+
+stop() {
+	checkconfig || return $?
+
+	[ -n "${PIDFILE}" ] || PIDFILE=/run/chronyd.pid
+
+	ebegin "Stopping chronyd"
+	start-stop-daemon \
+		--stop \
+		--quiet \
+		--pidfile "${PIDFILE}"
+	eend $? "Failed to stop chronyd"
+}

sdk_container/src/third_party/portage-stable/net-misc/chrony/metadata.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>sam@gentoo.org</email>
+		<name>Sam James</name>
+	</maintainer>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+		<name>Gentoo Base System</name>
+	</maintainer>
+	<longdescription>
+		Chrony is a pair of programs (chronyd and chronyc) which are used to maintain
+		the accuracy of the system clock on a computer. chronyd has been specifically
+		written to work well for systems which have only an intermittent (e.g. dial-up)
+		connection to the network where the NTP servers are. It still works well
+		in a "permanently connected" mode.
+	</longdescription>
+	<longdescription lang="ja">
+		Chrony はコンピュータのシステム・クロックの精度を保つために使われるプログラムの
+		ペア(chronyd と chronyc)です。chronyd は NTP サーバがあるネットワークと断続的な
+		接続(e.g. dial-up)しか持たないシステムで機能するよう書かれています。ですが永続的
+		な接続でも機能します。
+	</longdescription>
+	<use>
+		<flag name="cmdmon">Support for command and monitoring</flag>
+		<flag name="debug">Get DEBUG_LOG output from chronyd when passing -dd parameter</flag>
+		<flag name="html">Install HTML documentation</flag>
+		<flag name="nettle">Use <pkg>dev-libs/nettle</pkg> for hash functions or nts</flag>
+		<flag name="nss">Use <pkg>dev-libs/nss</pkg> for hash functions</flag>
+		<flag name="ntp">Support for the Network Time Protocol (NTP)</flag>
+		<flag name="nts">Support for Network Time Security (NTS). Uses <pkg>net-libs/gnutls</pkg></flag>
+		<flag name="phc">Support for the PTP (Precision Time Protocol) Hardware Clock (PHC) interface</flag>
+		<flag name="pps">Support for the Linux Pulse Per Second (PPS) interface</flag>
+		<flag name="refclock">Support for reference clocks</flag>
+		<flag name="rtc">Support for the Linux Real Time Clock interface</flag>
+		<flag name="sechash">Enable support for hashes other than MD5</flag>
+		<flag name="libtomcrypt">Support different hashes via <pkg>dev-libs/libtomcrypt</pkg></flag>
+	</use>
+	<upstream>
+		<remote-id type="cpe">cpe:/a:chrony_project:chrony</remote-id>
+		<remote-id type="gitlab">chrony/chrony</remote-id>
+	</upstream>
+</pkgmetadata>