doc: update NEWS

As an experimental feature it should be explicitly enabled.

NEWS

@@ -5,22 +5,26 @@ Enhancements
 ------------
 * Add support for configuration and monitoring over Unix domain socket
   (accessible by root or chrony user when root privileges are dropped)
-* Add support for system call filtering with seccomp on Linux
+* Add support for system call filtering with seccomp on Linux (experimental)
 * Add support for dropping root privileges on NetBSD
 * Control frequency of system clock on FreeBSD, NetBSD, Solaris
 * Add system leap second handling mode on FreeBSD, NetBSD, Solaris
 * Add dynamic drift removal on Mac OS X
 * Add support for setting real-time priority on Mac OS X
 * Add maxdistance directive to limit source selection by root distance
+  (3 seconds by default)
 * Add refresh command to get new addresses of NTP sources
 * Allow wildcard patterns in include directive
+* Restore time from driftfile with -s option if later than RTC time
+* Add configure option to set default hwclockfile
 * Add -d option to chronyc to enable debug messages
 * Allow multiple addresses to be specified for chronyc with -h option
   and reconnect when no valid reply is received
+* Make check interval in waitsync command configurable
 
 Bug fixes
 ---------
-* Fix building on Solaris
+* Fix building on NetBSD, Solaris
 * Restore time from driftfile with -s option if reading RTC failed
 
 Removed features

chrony.conf.5.in

@@ -34,7 +34,7 @@ useful configuration file would look something like
      server bar.example.net iburst
      server baz.example.net iburst
      driftfile @CHRONYVARDIR@/drift
-     makestep 10 3
+     makestep 1.0 3
      rtcsync
 .EE
 
@@ -46,7 +46,7 @@ case look like
 .EX
      pool pool.ntp.org iburst
      driftfile @CHRONYVARDIR@/drift
-     makestep 10 3
+     makestep 1.0 3
      rtcsync
 .EE
 

chrony.texi.in

@@ -3,7 +3,7 @@
 @afourwide
 @paragraphindent 0
 @setfilename chrony.info
-@settitle User guide for the chrony suite
+@settitle User guide for the chrony suite version @CHRONY_VERSION@
 @c @setchapternewpage off
 
 @ifinfo
@@ -49,7 +49,6 @@ Copyright @copyright{} 2009-2015 Miroslav Lichvar
 * Other time synchronisation packages::  Comparision with other software
 * Distribution and warranty::   There is no warranty
 * Bug reporting::               How to report bugs and make suggestions
-* Contributing::                Areas where contributions are particularly welcome
 @end menu
 @c }}}
 @c {{{ S:Overview
@@ -138,9 +137,9 @@ The `reference' implementation of the Network Time Protocol is the
 program @code{ntpd}, available via
 @uref{http://www.ntp.org/, The NTP home page}.
 
-One of the main differences between @code{ntpd} and @code{chronyd} is in
-the algorithms used to control the computer's clock. Things
-@code{chronyd} can do better than @code{ntpd}:
+One of the main differences between @code{ntpd} and @code{chronyd} is in how
+they control the computer's clock.  Things @code{chronyd} can do better than
+@code{ntpd}:
 
 @itemize @bullet
 @item
@@ -160,13 +159,16 @@ longer periods of time.
 @item
 @code{chronyd} in the default configuration never steps the time to not
 upset other running programs.  @code{ntpd} can be configured to never
-step the time too, but it has to use a different means of adjusting the
-clock, which has some
-disadvantages.
+step the time too, but in that case it has to use a different means of
+adjusting the clock (daemon loop instead of kernel discipline), which may
+have a negative effect on accuracy of the clock.
 @item
 @code{chronyd} can adjust the rate of the clock in a larger range, which
 allows it to operate even on machines with broken or unstable clock
 (e.g. in some virtual machines).
+@item
+@code{chronyd} is smaller, it uses less memory and it wakes up the CPU only
+when necessary, which is better for power saving.
 @end itemize
 
 Things @code{chronyd} can do that @code{ntpd} can't:
@@ -192,21 +194,36 @@ Things @code{ntpd} can do that @code{chronyd} can't:
 
 @itemize @bullet
 @item
-@code{ntpd} supports all operating modes from RFC 5905, including
-broadcast, multicast and manycast client / server.  It supports the
-orphan mode and it also supports authentication based on public-key
-cryptography described in RFC 5906.
+@code{ntpd} supports all operating modes from RFC 5905, including broadcast,
+multicast, and manycast server/client.  However, the broadcast and multicast
+modes are inherently less accurate and less secure (even with authentication)
+than the ordinary server/client mode and should generally be avoided.
 
 @item
-@code{ntpd} has been ported to more types of computer / operating
-system.
+@code{ntpd} supports the Autokey protocol (RFC 5906) to authenticate servers
+with public-key cryptography.  Note that the protocol has been shown to be
+insecure and it will be probably replaced with an implementation of the Network
+Time Security (NTS) specification.
 
 @item
-@code{ntpd} includes drivers for many reference clocks. @code{chronyd}
-relies on other programs (e.g. gpsd) to access the data from the
-reference clocks.
+@code{ntpd} supports the orphan mode, which allows synchronisation to a common
+timescale in isolated networks with multiple servers.  With @code{chronyd}
+there can be only one master and all other computers have to be directly or
+indirectly synchronised to it.
+
+@item
+@code{ntpd} has been ported to more operating systems.
+
+@item
+@code{ntpd} includes a large number of reference clock drivers. @code{chronyd}
+relies on other programs (e.g. @code{gpsd}) to access the timing data via the
+@code{SHM} or @code{SOCK} driver.
 @end itemize
 
+A comparison of NTP implementations that includes more features and also
+their performance is on the @uref{http://chrony.tuxfamily.org/comparison.html,
+chrony comparison} page.
+
 @node Comparison with timed
 @subsection timed
 @code{timed} is a program that is part of the BSD networking suite.  It
@@ -272,39 +289,6 @@ pin-point the problem in some cases.  Please be patient and plan for this!
 Of course, if you can debug the problem yourself and send us a source code
 patch to fix it, we will be very grateful!
 
-@c }}}
-@c {{{ S:Contributions
-@node Contributing
-@section Contributions
-
-Although chrony is now a fairly mature and established project, there are still
-areas that could be improved.  If you can program in C and have some expertise
-in these areas, you might be able to fill the gaps.
-
-Particular areas that need addressing are :
-
-@enumerate
-@item Porting to other Unices
-
-This involves creating equivalents of sys_solaris.c, sys_linux.c etc for the
-new system.
-
-@item Porting to Windows NT
-
-A small amount of work on this was done under Cygwin.  Only the sorting
-out of the include files has really been achieved so far.  The two main
-areas still to address are
-
-@enumerate
-@item The system clock driver.
-@item How to make chronyd into an NT service (i.e. what to replace fork(),
-setsid() etc with so that chronyd can be automatically started in the system
-bootstrap.
-@end enumerate
-
-@item More drivers for reference clock support
-
-@end enumerate
 @c }}}
 @c }}}
 @c {{{ Ch:Installation
@@ -419,7 +403,7 @@ minimal useful configuration file could be
 
 @example
 pool pool.ntp.org iburst
-makestep 10 3
+makestep 1.0 3
 rtcsync
 @end example
 
@@ -576,7 +560,7 @@ server foo.example.net iburst
 server bar.example.net iburst
 server baz.example.net iburst
 driftfile @CHRONYVARDIR@/drift
-makestep 10 3
+makestep 1.0 3
 rtcsync
 @end example
 
@@ -588,7 +572,7 @@ could in this case look like
 @example
 pool pool.ntp.org iburst
 driftfile @CHRONYVARDIR@/drift
-makestep 10 3
+makestep 1.0 3
 rtcsync
 @end example
 @c }}}
@@ -648,7 +632,7 @@ server foo.example.net offline
 server bar.example.net offline
 server baz.example.net offline
 driftfile @CHRONYVARDIR@/drift
-makestep 10 3
+makestep 1.0 3
 rtcsync
 @end example
 
@@ -845,7 +829,7 @@ server baz.example.net maxdelay 0.4 offline
 logdir /var/log/chrony
 log statistics measurements tracking
 driftfile @CHRONYVARDIR@/drift
-makestep 10 3
+makestep 1.0 3
 maxupdateskew 100.0
 dumponexit
 dumpdir @CHRONYVARDIR@
@@ -972,13 +956,9 @@ This option is useful when restarting @code{chronyd} and can be used
 in conjunction with the `-r' option.
 
 @item -s
-This option will set the system clock from the computer's real-time
-clock.  This is analogous to supplying the `-s' flag to the
-@file{/sbin/hwclock} program during the Linux boot sequence.
-
-Support for real-time clocks is limited at present - the criteria are
-described in the section on the @code{rtcfile} directive (@pxref{rtcfile
-directive}).
+This option will set the system clock from the computer's real-time clock or
+to the last modification time of the file specified by the @code{driftfile}
+directive.  Real-time clocks are supported only on Linux.
 
 If used in conjunction with the `-r' flag, @code{chronyd} will attempt
 to preserve the old samples after setting the system clock from the real
@@ -989,11 +969,10 @@ to work well, it relies on @code{chronyd} having been able to determine
 accurate statistics for the difference between the RTC and
 system clock last time the computer was on.
 
-If @code{chronyd} doesn't support the RTC on your computer or there is no RTC
-installed, the system clock will be set with this option forward to the time of
-the last modification of the drift file (specified by the @code{driftfile}
-directive) to restore the system time at which @code{chronyd} was previously
-stopped.
+If the last modification time of the drift file is later than the current time
+and the RTC time, the system time will be set to it to restore the time when
+@code{chronyd} was previously stopped.  This is useful on computers that have
+no RTC or the RTC is broken (e.g. it has no battery).
 @item -u <user>
 This option sets the name of the system user to which @code{chronyd} will
 switch after start in order to drop root privileges.  It overrides the
@@ -1600,9 +1579,11 @@ NTP, reference clocks or manual input.
 @node hwclockfile directive
 @subsection hwclockfile
 The @code{hwclockfile} directive sets the location of the adjtime file which is
-used by the @file{/sbin/hwclock} program.  With this directive, @code{chronyd}
-will parse the file to find out if the RTC keeps local time or UTC.  It
-overrides the @code{rtconutc} directive (@pxref{rtconutc directive}).
+used by the @file{/sbin/hwclock} program on Linux.  @code{chronyd} parses the
+file to find out if the RTC keeps local time or UTC.  It overrides the
+@code{rtconutc} directive (@pxref{rtconutc directive}).
+
+The default value is @file{@DEFAULT_HWCLOCK_FILE@}.
 
 An example of the command is
 
@@ -2328,10 +2309,10 @@ only with NTP sources.
 An example of the use of this directive is
 
 @example
-makestep 1000 10
+makestep 0.1 10
 @end example
 
-This would step system clock if the adjustment is larger than 1000
+This would step system clock if the adjustment is larger than 0.1
 seconds, but only in the first ten clock updates.
 @c }}}
 @c {{{ manual
@@ -2397,7 +2378,11 @@ includes the accumulated dispersion, which may be large when the source is no
 longer synchronised, and half of the total round-trip delay to the primary
 source.
 
-By default, the maximum distance is 3 seconds.
+By default, the maximum root distance is 3 seconds.
+
+Setting @code{maxdistance} to a larger value can be useful to allow
+synchronisation with a server that only has a very infrequent connection to its
+sources and can accumulate a large dispersion between updates of its clock.
 
 The syntax is
 
@@ -4692,10 +4677,10 @@ with the @code{rtcautotrim} directive (@pxref{rtcautotrim directive}).
 @subsubsection waitsync
 The @code{waitsync} command waits for @code{chronyd} to synchronise.
 
-Up to three optional arguments can be specified, the first is the maximum
-number of tries in 10 second intervals before giving up and returning a
-non-zero error code.  When 0 is specified, or there are no arguments, the
-number of tries will not be limited.
+Up to four optional arguments can be specified, the first is the maximum
+number of tries before giving up and returning a non-zero error code.  When 0
+is specified, or there are no arguments, the number of tries will not be
+limited.
 
 The second and third arguments are the maximum allowed remaining correction of
 the system clock and the maximum allowed skew (in ppm) as reported by the
@@ -4703,14 +4688,18 @@ the system clock and the maximum allowed skew (in ppm) as reported by the
 and @code{Skew} fields.  If not specified or zero, the value will not be
 checked.
 
+The fourth argument is the interval in which the check is repeated.  The
+interval is 10 seconds by default.
+
 An example is
 
 @example
 waitsync 60 0.01
 @end example
 
-which will wait up to about 10 minutes for @code{chronyd} to synchronise to a
-source and the remaining correction to be less than 10 milliseconds.
+which will wait up to about 10 minutes (60 times 10 seconds) for @code{chronyd}
+to synchronise to a source and the remaining correction to be less than 10
+milliseconds.
 @c }}}
 @c {{{ writertc
 @node writertc command

chronyd.8.in

@@ -80,13 +80,9 @@ option is useful when restarting \fBchronyd\fR and can be used in conjunction
 with the \fB-r\fR option.
 .TP
 .B \-s
-This option will set the system clock from the computer's real-time
-clock.  This is analogous to supplying the \fI-s\fR flag to the
-\fI/sbin/hwclock\fR program during the Linux boot sequence.
-
-Support for real-time clocks is limited at present - the criteria
-are described in the section on the \fIrtcfile\fR directive in the
-documentation supplied with the distribution.
+This option will set the system clock from the computer's real-time clock or
+to the last modification time of the file specified by the \fIdriftfile\fR
+directive.  Real-time clocks are supported only on Linux.
 
 If used in conjunction with the \fB-r\fR flag, \fBchronyd\fR will attempt
 to preserve the old samples after setting the system clock from
@@ -97,11 +93,10 @@ not in use.  For this to work well, it relies on \fBchronyd\fR having
 been able to determine accurate statistics for the difference
 between the RTC and system clock last time the computer was on.
 
-If \fBchronyd\fR doesn't support the RTC on your computer or there is no RTC
-installed, the system clock will be set with this option forward to the time of
-the last modification of the drift file (specified by the \fIdriftfile\fR
-directive) to restore the system time at which \fBchronyd\fR was previously
-stopped.
+If the last modification time of the drift file is later than the current time
+and the RTC time, the system time will be set to it to restore the time when
+\fBchronyd\fR was previously stopped.  This is useful on computers that have no
+RTC or the RTC is broken (e.g. it has no battery).
 .TP
 \fB\-u\fR \fIuser\fR
 This option sets the name of the system user to which \fBchronyd\fR will switch

client.c

@@ -1191,7 +1191,7 @@ give_help(void)
     "makestep\0Correct clock by stepping immediately\0"
     "makestep <threshold> <updates>\0Configure automatic clock stepping\0"
     "maxupdateskew <skew>\0Modify maximum valid skew to update frequency\0"
-    "waitsync [max-tries [max-correction [max-skew]]]\0"
+    "waitsync [max-tries [max-correction [max-skew [interval]]]]\0"
                           "Wait until synchronised in specified limits\0"
     "\0\0"
     "Time sources:\0\0"
@@ -1366,6 +1366,7 @@ submit_request(CMD_Request *request, CMD_Reply *reply)
       if (recv_status < 0) {
         /* If we get connrefused here, it suggests the sendto is
            going to a dead port */
+        DEBUG_LOG(LOGF_Client, "Could not receive : %s", strerror(errno));
 
         n_attempts++;
         if (n_attempts > max_retries) {
@@ -2313,14 +2314,20 @@ process_cmd_waitsync(char *line)
   CMD_Request request;
   CMD_Reply reply;
   uint32_t ref_id, a, b, c, d;
-  double correction, skew_ppm, max_correction, max_skew_ppm;
+  double correction, skew_ppm, max_correction, max_skew_ppm, interval;
   int ret = 0, max_tries, i;
+  struct timeval timeout;
 
   max_tries = 0;
   max_correction = 0.0;
   max_skew_ppm = 0.0;
+  interval = 10.0;
 
-  sscanf(line, "%d %lf %lf", &max_tries, &max_correction, &max_skew_ppm);
+  sscanf(line, "%d %lf %lf %lf", &max_tries, &max_correction, &max_skew_ppm, &interval);
+
+  /* Don't allow shorter interval than 0.1 seconds */
+  if (interval < 0.1)
+    interval = 0.1;
 
   request.command = htons(REQ_TRACKING);
 
@@ -2347,7 +2354,9 @@ process_cmd_waitsync(char *line)
     }
 
     if (!ret && (!max_tries || i < max_tries) && !quit) {
-      sleep(10);
+      UTI_DoubleToTimeval(interval, &timeout);
+      if (select(0, NULL, NULL, NULL, &timeout))
+        break;
     } else {
       break;
     }

conf.c

@@ -124,7 +124,7 @@ static int enable_manual=0;
 static int rtc_on_utc = 0;
 
 /* Filename used to read the hwclock(8) LOCAL/UTC setting */
-static char *hwclock_file = NULL;
+static char *hwclock_file;
 
 /* Flag set if the RTC should be automatically synchronised by kernel */
 static int rtc_sync = 0;
@@ -324,6 +324,7 @@ CNF_Initialise(int r)
   bind_cmd_path = Strdup(DEFAULT_COMMAND_SOCKET);
   pidfile = Strdup("/var/run/chronyd.pid");
   rtc_device = Strdup("/dev/rtc");
+  hwclock_file = Strdup(DEFAULT_HWCLOCK_FILE);
   user = Strdup(DEFAULT_USER);
 }
 

configure

@@ -95,13 +95,14 @@ For better control, use the options below.
   --disable-rtc          Don't include RTC even on Linux
   --disable-privdrop     Disable support for dropping root privileges
   --without-libcap       Don't use libcap even if it is available
-  --disable-scfilter     Disable support for system call filtering
+  --enable-scfilter      Enable support for system call filtering
   --without-seccomp      Don't use seccomp even if it is available
   --disable-asyncdns     Disable asynchronous name resolving
   --disable-forcednsretry Don't retry on permanent DNS error
   --with-ntp-era=SECONDS Specify earliest assumed NTP time in seconds
                          since 1970-01-01 [50*365 days ago]
   --with-user=USER       Specify default chronyd user [root]
+  --with-hwclockfile=PATH Specify default path to hwclock(8) adjtime file
   --with-sendmail=PATH   Path to sendmail binary [/usr/lib/sendmail]
   --enable-debug         Enable debugging support
 
@@ -199,7 +200,7 @@ try_rtc=0
 feat_droproot=1
 try_libcap=-1
 try_clockctl=0
-feat_scfilter=1
+feat_scfilter=0
 try_seccomp=-1
 readline_lib=""
 readline_inc=""
@@ -214,6 +215,7 @@ feat_asyncdns=1
 feat_forcednsretry=1
 ntp_era_split=""
 default_user="root"
+default_hwclockfile=""
 mail_program="/usr/lib/sendmail"
 
 for option
@@ -303,6 +305,9 @@ do
     --without-libcap|--disable-linuxcaps)
       try_libcap=0
     ;;
+    --enable-scfilter)
+      feat_scfilter=1
+    ;;
     --disable-scfilter)
       feat_scfilter=0
     ;;
@@ -321,6 +326,9 @@ do
     --with-user=* )
       default_user=`echo $option | sed -e 's/^.*=//;'`
     ;;
+    --with-hwclockfile=* )
+      default_hwclockfile=`echo $option | sed -e 's/^.*=//;'`
+    ;;
     --with-sendmail=* )
       mail_program=`echo $option | sed -e 's/^.*=//;'`
     ;;
@@ -514,6 +522,13 @@ if test_code '<inttypes.h>' 'inttypes.h' '' '' ''; then
   add_def HAVE_INTTYPES_H
 fi
 
+if test_code 'struct in_pktinfo' 'sys/socket.h netinet/in.h' '' '' '
+  struct in_pktinfo ipi;
+  return sizeof (ipi.ipi_spec_dst.s_addr) + IP_PKTINFO;'
+then
+  add_def HAVE_IN_PKTINFO
+fi
+
 if [ $feat_ipv6 = "1" ] && \
   test_code 'IPv6 support' 'arpa/inet.h sys/socket.h netinet/in.h' '' "$EXTRA_LIBS" '
     struct sockaddr_in6 n;
@@ -522,13 +537,13 @@ if [ $feat_ipv6 = "1" ] && \
     return !inet_ntop(AF_INET6, &n.sin6_addr.s6_addr, p, sizeof(p));'
 then
   add_def FEAT_IPV6
-  if test_code 'in6_pktinfo' 'sys/socket.h netinet/in.h' '' '' '
-    return sizeof(struct in6_pktinfo);'
+  if test_code 'struct in6_pktinfo' 'sys/socket.h netinet/in.h' '' '' '
+    return sizeof (struct in6_pktinfo) + IPV6_PKTINFO;'
   then
     add_def HAVE_IN6_PKTINFO
   else
-    if test_code 'in6_pktinfo with _GNU_SOURCE' 'sys/socket.h netinet/in.h' \
-      '-D_GNU_SOURCE' '' 'return sizeof(struct in6_pktinfo);'
+    if test_code 'struct in6_pktinfo with _GNU_SOURCE' 'sys/socket.h netinet/in.h' \
+      '-D_GNU_SOURCE' '' 'return sizeof (struct in6_pktinfo) + IPV6_PKTINFO;'
     then
       add_def _GNU_SOURCE
       add_def HAVE_IN6_PKTINFO
@@ -784,6 +799,7 @@ if [ "x$SETCHRONYVARDIR" != "x" ]; then
 fi
 
 add_def DEFAULT_CONF_FILE "\"$SYSCONFDIR/chrony.conf\""
+add_def DEFAULT_HWCLOCK_FILE "\"$default_hwclockfile\""
 add_def DEFAULT_USER "\"$default_user\""
 add_def DEFAULT_COMMAND_SOCKET "\"$CHRONYSOCKDIR/chronyd.sock\""
 add_def MAIL_PROGRAM "\"$mail_program\""
@@ -796,11 +812,13 @@ add_def CHRONYD_FEATURES "\"$chronyd_features $common_features\""
 echo "Features : $chronyd_features $chronyc_features $common_features"
 
 if [ -f version.txt ]; then
-  add_def CHRONY_VERSION "\"`cat version.txt`\""
+  CHRONY_VERSION="`cat version.txt`"
 else
-  add_def CHRONY_VERSION "\"DEVELOPMENT\""
+  CHRONY_VERSION="DEVELOPMENT"
 fi
 
+add_def CHRONY_VERSION "\"${CHRONY_VERSION}\""
+
 for f in Makefile chrony.conf.5 chrony.texi chronyc.1 chronyd.8
 do
   echo Creating $f
@@ -824,7 +842,9 @@ do
           s%@LOCALSTATEDIR@%${LOCALSTATEDIR}%;\
           s%@CHRONYSOCKDIR@%${CHRONYSOCKDIR}%;\
           s%@CHRONYVARDIR@%${CHRONYVARDIR}%;\
-          s%@DEFAULT_USER@%${default_user}%;"\
+          s%@DEFAULT_HWCLOCK_FILE@%${default_hwclockfile}%;\
+          s%@DEFAULT_USER@%${default_user}%;\
+          s%@CHRONY_VERSION@%${CHRONY_VERSION}%;" \
           < ${f}.in > $f
 done
 

doc/faq.adoc

@@ -49,6 +49,44 @@ added to +chrony+ to deal with this.
 
 == Configuration issues
 
+=== What is the minimum recommended configuration for an NTP client?
+
+First, the client needs to know which NTP servers it should ask for the current
+time.  They are specified by the +server+ or +pool+ directive.  The +pool+
+directive can be used for names that resolve to multiple addresses.  For good
+reliability the client should have at least three servers.  The +iburst+ option
+speeds up the initial synchronisation.
+
+To stabilize the initial synchronisation on the next start, the estimated drift
+of the system clock is saved by adding the +driftfile+ directive.
+
+If the system clock can be far from the true time after boot for any reason,
++chronyd+ should be allowed to correct it quickly by stepping instead of
+slewing, which would take a very long time.  The +makestep+ directive does
+that.
+
+In order to keep the real-time clock (RTC) close to the true time on Linux, so
+the system time is reasonably close to the true time when it's initialized on
+the next boot from the RTC, the +rtcsync+ directive enables a kernel mode in
+which the system time is copied to the RTC every 11 minutes.
+
+If you want to use public NTP servers from the
+http://www.pool.ntp.org/[pool.ntp.org] project, the minimal 'chrony.conf' file
+could be:
+
+----
+pool pool.ntp.org iburst
+driftfile /var/lib/chrony/drift
+makestep 1 3
+rtcsync
+----
+
+=== How do I make an NTP server from an NTP client?
+
+You need to add an +allow+ directive to the 'chrony.conf' file in order to open
+the NTP port and allow +chronyd+ to reply to client requests.  +allow+ with no
+specified subnet allows all IPv4 and IPv6 addresses.
+
 === I have several computers on a LAN. Should be all clients of an external server?
 
 The best configuration is usually to make one computer the master, with

examples/chrony-wait.service

@@ -9,7 +9,7 @@ Wants=time-sync.target
 Type=oneshot
 # Wait up to ~10 minutes for chronyd to synchronize and the remaining
 # clock correction to be less than 0.1 seconds
-ExecStart=/usr/bin/chronyc waitsync 60 0.1
+ExecStart=/usr/bin/chronyc waitsync 600 0.1 0.0 1
 RemainAfterExit=yes
 StandardOutput=null
 

examples/chrony.conf.example1

@@ -5,8 +5,8 @@ pool pool.ntp.org iburst
 driftfile /var/lib/chrony/drift
 
 # In first three updates step the system clock instead of slew
-# if the adjustment is larger than 10 seconds.
-makestep 10 3
+# if the adjustment is larger than 1 second.
+makestep 1.0 3
 
 # Enable kernel synchronization of the real-time clock (RTC).
 rtcsync

examples/chrony.conf.example2

@@ -6,8 +6,8 @@ pool pool.ntp.org iburst
 driftfile /var/lib/chrony/drift
 
 # In first three updates step the system clock instead of slew
-# if the adjustment is larger than 10 seconds.
-makestep 10 3
+# if the adjustment is larger than 1 second.
+makestep 1.0 3
 
 # Enable kernel synchronization of the real-time clock (RTC).
 rtcsync

examples/chrony.conf.example3

@@ -128,15 +128,15 @@ driftfile /var/lib/chrony/drift
 #######################################################################
 ### INITIAL CLOCK CORRECTION
 # This option is useful to quickly correct the clock on start if it's
-# off by a large amount.  The value '10' means that if the error is less
-# than 10 seconds, it will be gradually removed by speeding up or
-# slowing down your computer's clock until it is correct.  If the error
-# is above 10 seconds, an immediate time jump will be applied to correct
-# it.  The value '1' means the step is allowed only on the first update
-# of the clock.  Some software can get upset if the system clock jumps
+# off by a large amount.  The value '1.0' means that if the error is less
+# than 1 second, it will be gradually removed by speeding up or slowing
+# down your computer's clock until it is correct.  If the error is above
+# 1 second, an immediate time jump will be applied to correct it.  The
+# value '3' means the step is allowed only in the first three updates of
+# the clock.  Some software can get upset if the system clock jumps
 # (especially backwards), so be careful!
 
-! makestep 10 1
+! makestep 1.0 3
 
 #######################################################################
 ### LOGGING

logging.h

@@ -47,7 +47,7 @@ extern int log_debug_enabled;
 
 #if DEBUG > 0
 #define LOG_MESSAGE(severity, facility, ...) \
-  LOG_Message(LOGS_DEBUG, facility, __LINE__, __FILE__, FUNCTION_NAME, __VA_ARGS__);
+  LOG_Message(severity, facility, __LINE__, __FILE__, FUNCTION_NAME, __VA_ARGS__);
 #else
 #define LOG_MESSAGE(severity, facility, ...) \
   LOG_Message(severity, __VA_ARGS__);

ntp_io.c

@@ -189,7 +189,7 @@ prepare_socket(int family, int port_number, int client_only)
 #endif
 
   if (family == AF_INET) {
-#ifdef IP_PKTINFO
+#ifdef HAVE_IN_PKTINFO
     /* We want the local IP info on server sockets */
     if (setsockopt(sock_fd, IPPROTO_IP, IP_PKTINFO, (char *)&on_off, sizeof(on_off)) < 0) {
       LOG(LOGS_ERR, LOGF_NtpIO, "Could not set packet info socket option");
@@ -206,14 +206,16 @@ prepare_socket(int family, int port_number, int client_only)
     }
 #endif
 
+#ifdef HAVE_IN6_PKTINFO
 #ifdef IPV6_RECVPKTINFO
     if (setsockopt(sock_fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, (char *)&on_off, sizeof(on_off)) < 0) {
       LOG(LOGS_ERR, LOGF_NtpIO, "Could not set IPv6 packet info socket option");
     }
-#elif defined(IPV6_PKTINFO)
+#else
     if (setsockopt(sock_fd, IPPROTO_IPV6, IPV6_PKTINFO, (char *)&on_off, sizeof(on_off)) < 0) {
       LOG(LOGS_ERR, LOGF_NtpIO, "Could not set IPv6 packet info socket option");
     }
+#endif
 #endif
   }
 #endif
@@ -531,7 +533,7 @@ read_from_socket(void *anything)
     local_addr.sock_fd = sock_fd;
 
     for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
-#ifdef IP_PKTINFO
+#ifdef HAVE_IN_PKTINFO
       if (cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_PKTINFO) {
         struct in_pktinfo ipi;
 
@@ -541,7 +543,7 @@ read_from_socket(void *anything)
       }
 #endif
 
-#if defined(IPV6_PKTINFO) && defined(HAVE_IN6_PKTINFO)
+#ifdef HAVE_IN6_PKTINFO
       if (cmsg->cmsg_level == IPPROTO_IPV6 && cmsg->cmsg_type == IPV6_PKTINFO) {
         struct in6_pktinfo ipi;
 
@@ -629,7 +631,7 @@ send_packet(void *packet, int packetlen, NTP_Remote_Address *remote_addr, NTP_Lo
   msg.msg_flags = 0;
   cmsglen = 0;
 
-#ifdef IP_PKTINFO
+#ifdef HAVE_IN_PKTINFO
   if (local_addr->ip_addr.family == IPADDR_INET4) {
     struct cmsghdr *cmsg;
     struct in_pktinfo *ipi;
@@ -647,7 +649,7 @@ send_packet(void *packet, int packetlen, NTP_Remote_Address *remote_addr, NTP_Lo
   }
 #endif
 
-#if defined(IPV6_PKTINFO) && defined(HAVE_IN6_PKTINFO)
+#ifdef HAVE_IN6_PKTINFO
   if (local_addr->ip_addr.family == IPADDR_INET6) {
     struct cmsghdr *cmsg;
     struct in6_pktinfo *ipi;

rtc.c

@@ -39,11 +39,12 @@
 /* ================================================== */
 
 static int driver_initialised = 0;
+static int driver_preinit_ok = 0;
 
 static struct {
   int  (*init)(void);
   void (*fini)(void);
-  int  (*time_pre_init)(void);
+  int  (*time_pre_init)(time_t driftfile_time);
   void (*time_init)(void (*after_hook)(void*), void *anything);
   void (*start_measurements)(void);
   int  (*write_parameters)(void);
@@ -73,29 +74,37 @@ static struct {
 };
      
 /* ================================================== */
-/* Set the system clock to the time of last modification of driftfile
-   if it's in the future */
+/* Get the last modification time of the driftfile */
 
-static void
-fallback_time_init(void)
+static time_t
+get_driftfile_time(void)
 {
-  struct timeval now;
   struct stat buf;
   char *drift_file;
 
   drift_file = CNF_GetDriftFile();
   if (!drift_file)
-    return;
+    return 0;
 
   if (stat(drift_file, &buf))
-    return;
+    return 0;
+
+  return buf.st_mtime;
+}
+
+/* ================================================== */
+/* Set the system time to the driftfile time if it's in the future */
+
+static void
+apply_driftfile_time(time_t t)
+{
+  struct timeval now;
 
   LCL_ReadCookedTime(&now, NULL);
 
-  if (now.tv_sec < buf.st_mtime) {
-    if (LCL_ApplyStepOffset(now.tv_sec - buf.st_mtime))
-      LOG(LOGS_INFO, LOGF_Rtc, "System clock set from driftfile %s",
-          drift_file);
+  if (now.tv_sec < t) {
+    if (LCL_ApplyStepOffset(now.tv_sec - t))
+      LOG(LOGS_INFO, LOGF_Rtc, "System time restored from driftfile");
   }
 }
 
@@ -104,15 +113,24 @@ fallback_time_init(void)
 void
 RTC_Initialise(int initial_set)
 {
+  time_t driftfile_time;
   char *file_name;
 
-  /* Do an initial read of the RTC and set the system time to it.  This
-     is analogous to what /sbin/hwclock -s would do on Linux.  If that fails
-     or RTC is not supported, set the clock to the time of the last
-     modification of driftfile, so we at least get closer to the truth. */
+  /* If the -s option was specified, try to do an initial read of the RTC and
+     set the system time to it.  Also, read the last modification time of the
+     driftfile (i.e. system time when chronyd was previously stopped) and set
+     the system time to it if it's in the future to bring the clock closer to
+     the true time when the RTC is broken (e.g. it has no battery), is missing,
+     or there is no RTC driver. */
   if (initial_set) {
-    if (!driver.time_pre_init || !driver.time_pre_init()) {
-      fallback_time_init();
+    driftfile_time = get_driftfile_time();
+
+    if (driver.time_pre_init && driver.time_pre_init(driftfile_time)) {
+      driver_preinit_ok = 1;
+    } else {
+      driver_preinit_ok = 0;
+      if (driftfile_time)
+        apply_driftfile_time(driftfile_time);
     }
   }
 
@@ -150,9 +168,9 @@ RTC_Finalise(void)
 /* ================================================== */
 /* Start the processing to get a single measurement from the real time
    clock, and use it to trim the system time, based on knowing the
-   drift rate of the RTC and the error the last time we set it.  The
-   TimePreInit routine has already run, so we can be sure that the
-   trim required is not *too* large.
+   drift rate of the RTC and the error the last time we set it.  If the
+   TimePreInit routine has succeeded, we can be sure that the trim required
+   is not *too* large.
 
    We are called with a hook to a function to be called after the
    initialisation is complete.  We also call this if we cannot do the
@@ -161,7 +179,7 @@ RTC_Finalise(void)
 void
 RTC_TimeInit(void (*after_hook)(void *), void *anything)
 {
-  if (driver_initialised) {
+  if (driver_initialised && driver_preinit_ok) {
     (driver.time_init)(after_hook, anything);
   } else {
     (after_hook)(anything);

rtc_linux.c

@@ -367,6 +367,9 @@ t_from_rtc(struct tm *stm) {
   t2 = mktime(&temp2);
   diff = t2 - t1;
 
+  if (t1 - diff == -1)
+    DEBUG_LOG(LOGF_RtcLinux, "Could not convert RTC time");
+
   return t1 - diff;
 }
 
@@ -379,13 +382,13 @@ read_hwclock_file(const char *hwclock_file)
   char line[256];
   int i;
 
-  if (!hwclock_file)
+  if (!hwclock_file || !hwclock_file[0])
     return;
 
   in = fopen(hwclock_file, "r");
   if (!in) {
-    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not open hwclockfile %s",
-        hwclock_file);
+    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not open %s : %s",
+        hwclock_file, strerror(errno));
     return;
   }
 
@@ -402,7 +405,7 @@ read_hwclock_file(const char *hwclock_file)
   } else if (i == 3 && !strncmp(line, "UTC", 3)) {
     rtc_on_utc = 1;
   } else {
-    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not read LOCAL/UTC setting from hwclockfile %s",
+    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not read RTC LOCAL/UTC setting from %s",
         hwclock_file);
   }
 }
@@ -445,7 +448,7 @@ read_coefs_from_file(void)
                  &file_ref_offset,
                  &file_rate_ppm) == 4) {
       } else {
-        LOG(LOGS_WARN, LOGF_RtcLinux, "Could not read coefficients from RTC file %s",
+        LOG(LOGS_WARN, LOGF_RtcLinux, "Could not read coefficients from %s",
             coefs_file_name);
       }
       fclose(in);
@@ -607,14 +610,16 @@ switch_interrupts(int onoff)
   if (onoff) {
     status = ioctl(fd, RTC_UIE_ON, 0);
     if (status < 0) {
-      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not start measurement : %s", strerror(errno));
+      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not %s RTC interrupt : %s",
+          "enable", strerror(errno));
       return;
     }
     skip_interrupts = 1;
   } else {
     status = ioctl(fd, RTC_UIE_OFF, 0);
     if (status < 0) {
-      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not stop measurement : %s", strerror(errno));
+      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not %s RTC interrupt : %s",
+          "disable", strerror(errno));
       return;
     }
   }
@@ -694,10 +699,11 @@ handle_initial_trim(void)
     /* sys_error_now is positive if the system clock is fast */
     sys_error_now = rtc_error_now - coef_seconds_fast;
           
-    LOG(LOGS_INFO, LOGF_RtcLinux, "System trim from RTC = %f", sys_error_now);
     LCL_AccumulateOffset(sys_error_now, 0.0);
+    LOG(LOGS_INFO, LOGF_RtcLinux, "System clock off from RTC by %f seconds (slew)",
+        sys_error_now);
   } else {
-    LOG(LOGS_WARN, LOGF_RtcLinux, "No valid file coefficients, cannot trim system time");
+    LOG(LOGS_WARN, LOGF_RtcLinux, "No valid rtcfile coefficients");
   }
   
   coefs_valid = 0;
@@ -722,7 +728,7 @@ handle_relock_after_trim(void)
   if (valid) {
     write_coefs_to_file(1,ref,fast,saved_coef_gain_rate);
   } else {
-    LOG(LOGS_WARN, LOGF_RtcLinux, "Could not do regression after trim");
+    DEBUG_LOG(LOGF_RtcLinux, "Could not do regression after trim");
   }
 
   coefs_valid = 0;
@@ -857,7 +863,6 @@ read_from_device(void *any)
     rtc_t = t_from_rtc(&rtc_tm);
 
     if (rtc_t == (time_t)(-1)) {
-      LOG(LOGS_ERR, LOGF_RtcLinux, "Could not convert RTC time to timeval");
       error = 1;
       goto turn_off_interrupt;
     }      
@@ -883,7 +888,7 @@ turn_off_interrupt:
   switch (operating_mode) {
     case OM_INITIAL:
       if (error) {
-        LOG(LOGS_WARN, LOGF_RtcLinux, "Could not complete initial step due to errors");
+        DEBUG_LOG(LOGF_RtcLinux, "Could not complete initial step due to errors");
         operating_mode = OM_NORMAL;
         (after_init_hook)(after_init_hook_arg);
 
@@ -897,7 +902,7 @@ turn_off_interrupt:
 
     case OM_AFTERTRIM:
       if (error) {
-        LOG(LOGS_WARN, LOGF_RtcLinux, "Could not complete after trim relock due to errors");
+        DEBUG_LOG(LOGF_RtcLinux, "Could not complete after trim relock due to errors");
         operating_mode = OM_NORMAL;
 
         switch_interrupts(0);
@@ -974,7 +979,7 @@ RTC_Linux_WriteParameters(void)
    RTC behaviour than we do for the rest of the module. */
 
 int
-RTC_Linux_TimePreInit(void)
+RTC_Linux_TimePreInit(time_t driftfile_time)
 {
   int fd, status;
   struct rtc_time rtc_raw, rtc_raw_retry;
@@ -1039,16 +1044,19 @@ RTC_Linux_TimePreInit(void)
 
       UTI_AddDoubleToTimeval(&new_sys_time, -accumulated_error, &new_sys_time);
 
+      if (new_sys_time.tv_sec < driftfile_time) {
+        LOG(LOGS_WARN, LOGF_RtcLinux, "RTC time before last driftfile modification (ignored)");
+        return 0;
+      }
+
       UTI_DiffTimevalsToDouble(&sys_offset, &old_sys_time, &new_sys_time);
 
       /* Set system time only if the step is larger than 1 second */
       if (fabs(sys_offset) >= 1.0) {
         if (LCL_ApplyStepOffset(sys_offset))
-          LOG(LOGS_INFO, LOGF_RtcLinux, "Set system time, error in RTC = %f",
-              accumulated_error);
+          LOG(LOGS_INFO, LOGF_RtcLinux, "System time set from RTC");
       }
     } else {
-      LOG(LOGS_WARN, LOGF_RtcLinux, "Could not convert RTC reading to seconds since 1/1/1970");
       return 0;
     }
   } else {
@@ -1092,7 +1100,8 @@ RTC_Linux_Trim(void)
 
   if (fabs(coef_seconds_fast) > 1.0) {
 
-    LOG(LOGS_INFO, LOGF_RtcLinux, "Trimming RTC, error = %.3f seconds", coef_seconds_fast);
+    LOG(LOGS_INFO, LOGF_RtcLinux, "RTC wrong by %.3f seconds (step)",
+        coef_seconds_fast);
 
     /* Do processing to set clock.  Let R be the value we set the
        RTC to, then in 500ms the RTC ticks (R+1) (see comments in

rtc_linux.h

@@ -30,7 +30,7 @@
 
 extern int RTC_Linux_Initialise(void);
 extern void RTC_Linux_Finalise(void);
-extern int RTC_Linux_TimePreInit(void);
+extern int RTC_Linux_TimePreInit(time_t driftile_time);
 extern void RTC_Linux_TimeInit(void (*after_hook)(void *), void *anything);
 extern void RTC_Linux_StartMeasurements(void);
 

sys_linux.c

@@ -563,7 +563,7 @@ SYS_Linux_EnableSystemCallFilter(int level)
   }
 
   if (seccomp_load(ctx) < 0)
-      LOG(LOGS_INFO, LOGF_SysLinux, "Failed to load seccomp rules");
+    LOG_FATAL(LOGF_SysLinux, "Failed to load seccomp rules");
 
   LOG(LOGS_INFO, LOGF_SysLinux, "Loaded seccomp filter");
   seccomp_release(ctx);

test/compilation/001-features

@@ -6,12 +6,12 @@ cd ../..
 
 for opts in \
 	"--enable-debug" \
+	"--enable-scfilter" \
 	"--disable-asyncdns" \
 	"--disable-ipv6" \
 	"--disable-privdrop" \
 	"--disable-readline" \
 	"--disable-rtc" \
-	"--disable-scfilter" \
 	"--disable-sechash" \
 	"--disable-cmdmon" \
 	"--disable-ntp" \