systemd/units/systemd-timesyncd.service.in

#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Network Time Synchronization
Documentation=man:systemd-timesyncd.service(8)
ConditionCapability=CAP_SYS_TIME
ConditionVirtualization=!container
DefaultDependencies=no
After=systemd-sysusers.service
Before=time-set.target sysinit.target shutdown.target
Conflicts=shutdown.target
Wants=time-set.target

[Service]
AmbientCapabilities=CAP_SYS_TIME
BusName=org.freedesktop.timesync1
CapabilityBoundingSet=CAP_SYS_TIME
# Turn off DNSSEC validation for hostname look-ups, since those need the
# correct time to work, but we likely won't acquire that without NTP. Let's
# break this chicken-and-egg cycle here.
Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-timesyncd
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/timesync
StateDirectory=systemd/timesync
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service @clock
Type=notify
User=systemd-timesync
{{SERVICE_WATCHDOG}}

[Install]
WantedBy=sysinit.target
Alias=dbus-org.freedesktop.timesync1.service
license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 04:23:58 +00:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
Add SPDX license headers to unit files 2017-11-18 16:35:03 +00:00			`#`
timesyncd: add unit and man page 2014-04-29 06:57:51 +00:00			`# This file is part of systemd.`
			`#`
			`# systemd is free software; you can redistribute it and/or modify it`
			`# under the terms of the GNU Lesser General Public License as published by`
			`# the Free Software Foundation; either version 2.1 of the License, or`
			`# (at your option) any later version.`

			`[Unit]`
			`Description=Network Time Synchronization`
			`Documentation=man:systemd-timesyncd.service(8)`
			`ConditionCapability=CAP_SYS_TIME`
timesyncd: enable timesyncd in virtual machines On Fri, Mar 13, 2015 at 8:25 PM, Michael Marineau <michael.marineau@coreos.com> wrote: > Currently systemd-timesyncd.service includes > ConditionVirtualization=no, disabling it in both containers and > virtual machines. Each VM platform tends to deal with or ignore the > time problem in their own special ways, KVM/QEMU has the kernel time > source kvm-clock, Xen has had different schemes over the years, VMware > expects a userspace daemon sync the clock, and other platforms are > content to drift with the wind as far as I can tell. > > I don't know of a robust way to know if a platform needs a little > extra help from userspace to keep the clock sane or not but it seems > generally safer to try than to risk drifting. Does anyone know of a > reason to leave timesyncd off by default? Otherwise switching to > ConditionVirtualization=!container should be reasonable. 2015-03-15 18:44:59 +00:00			`ConditionVirtualization=!container`
units: minor cleanups 2014-06-17 00:18:33 +00:00			`DefaultDependencies=no`
units: drop systemd-remount-fs.service dependency from more services All services using StateDirectory= don't need the explicit dep anymore, let's hence drop it everywhere. 2020-04-08 14:24:23 +00:00			`After=systemd-sysusers.service`
units: add time-set.target time-sync.target is supposed to indicate system clock is synchronized with a remote clock, but as used through 241 it only provided a system clock that was updated based on a locally-maintained timestamp. Systems that are powered off for extended periods would not come up with accurate time. Retain the existing behavior using a new time-set.target leaving time-sync.target for cases where accuracy is required. Closes #8861 2018-04-30 12:05:29 +00:00			`Before=time-set.target sysinit.target shutdown.target`
timesyncd: save clock to disk everytime we get an NTP fix, and bump clock at boot using this This is useful to make sure the system clock stays monotonic even on systems that lack an RTC. Also, why we are at it, also use the systemd release time for bumping the clock, since it's a slightly less bad than starting with jan 1st, 1970. This also moves timesyncd into the early bootphase, in order to make sure this initial bump is guaranteed to have finished by the time we start real daemons which might write to the file systemd and thus shouldn't leave 1970's timestamps all over the place... 2014-05-20 15:04:11 +00:00			`Conflicts=shutdown.target`
units: don't pull in time-sync.target from systemd-timesyncd.service systemd-timesyncd.service only applies the much weaker monotonic clock from file logic, i.e should pull in and order itself before time-set.target. The strong time-sync.target unit is pulled in by systemd-time-wait-sync.service. 2020-12-17 19:19:44 +00:00			`Wants=time-set.target`
timesyncd: add unit and man page 2014-04-29 06:57:51 +00:00
			`[Service]`
units: make use of !! ExecStart= prefix in systemd-timesyncd.service Let's make use of !! to run timesyncd with ambient capabilities on systems supporting them. 2017-08-10 07:07:08 +00:00			`AmbientCapabilities=CAP_SYS_TIME`
unit: declare BusName= in all our units that are on the bus, event if they don't use Type=dbus This information is always useful, so let's always declare it, particular in the light of #16976. 2020-09-11 08:56:06 +00:00			`BusName=org.freedesktop.timesync1`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 16:19:48 +00:00			`CapabilityBoundingSet=CAP_SYS_TIME`
units: turn off DNSSEC validation when timesyncd resolves hostnames We have a chicken and egg problem: validation of DNSSEC signatures doesn't work without a correct clock, but to set the correct clock we need to contact NTP servers which requires resolving a hostname, which would normally require DNSSEC validation. Let's break the cycle by excluding NTP hostname resolution from validation for now. Of course, this leaves NTP traffic unprotected. To cover that we need NTPSEC support, which we can add later. Fixes: #5873 #15607 2020-11-05 10:20:32 +00:00			`# Turn off DNSSEC validation for hostname look-ups, since those need the`
			`# correct time to work, but we likely won't acquire that without NTP. Let's`
			`# break this chicken-and-egg cycle here.`
			`Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0`
meson: use jinja2 for unit templates We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit. 2021-05-16 09:55:36 +00:00			`ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-timesyncd`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 16:19:48 +00:00			`LockPersonality=yes`
			`MemoryDenyWriteExecute=yes`
			`NoNewPrivileges=yes`
timesyncd: run timesyncd as unpriviliged user "systemd-timesync" (but still with CAP_SYS_TIME) 2014-05-17 18:33:47 +00:00			`PrivateDevices=yes`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 16:19:48 +00:00			`PrivateTmp=yes`
units: turn on ProtectProc= wherever suitable 2020-08-06 12:50:38 +00:00			`ProtectProc=invisible`
units: further lock down our long-running services Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS. 2016-08-26 11:23:27 +00:00			`ProtectControlGroups=yes`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 16:19:48 +00:00			`ProtectHome=yes`
units: enable ProtectHostname=yes 2019-02-18 22:30:12 +00:00			`ProtectHostname=yes`
units: turn on ProtectProc= wherever suitable 2020-08-06 12:50:38 +00:00			`ProtectKernelLogs=yes`
units: turn on ProtectKernelModules= for most long-running services 2017-02-09 10:09:50 +00:00			`ProtectKernelModules=yes`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 16:19:48 +00:00			`ProtectKernelTunables=yes`
			`ProtectSystem=strict`
			`Restart=always`
			`RestartSec=0`
units: further lock down our long-running services Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS. 2016-08-26 11:23:27 +00:00			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 16:19:48 +00:00			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-03-20 18:52:20 +00:00			`RestrictSUIDSGID=yes`
time-wait-sync: use watchfile to coordinate with timesyncd Systems that have an accurate real-time clock may have an initial unsynchronized time that is close enough to the synchronized time that the final adjustment doesn't trigger a waking "clock set" event. Have timesyncd touch a file in its runtime directory as a secondary signal for synchronization. Continue to support the timerfd-based trigger as a sufficient condition when the watchfile is not present. Closes issue #8683 2018-04-09 18:39:16 +00:00			`RuntimeDirectory=systemd/timesync`
timesync: move stamp file to /var/lib/systemd/timesync/clock 2017-08-30 06:59:57 +00:00			`StateDirectory=systemd/timesync`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 16:19:48 +00:00			`SystemCallArchitectures=native`
			`SystemCallErrorNumber=EPERM`
			`SystemCallFilter=@system-service @clock`
			`Type=notify`
			`User=systemd-timesync`
meson: use jinja2 for unit templates We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit. 2021-05-16 09:55:36 +00:00			`{{SERVICE_WATCHDOG}}`
timesyncd: add unit and man page 2014-04-29 06:57:51 +00:00
			`[Install]`
timesyncd: save clock to disk everytime we get an NTP fix, and bump clock at boot using this This is useful to make sure the system clock stays monotonic even on systems that lack an RTC. Also, why we are at it, also use the systemd release time for bumping the clock, since it's a slightly less bad than starting with jan 1st, 1970. This also moves timesyncd into the early bootphase, in order to make sure this initial bump is guaranteed to have finished by the time we start real daemons which might write to the file systemd and thus shouldn't leave 1970's timestamps all over the place... 2014-05-20 15:04:11 +00:00			`WantedBy=sysinit.target`
timesync: expose manager properties on bus 2018-04-30 14:02:09 +00:00			`Alias=dbus-org.freedesktop.timesync1.service`