path: root/INSTALL
blob: 9ca6e229260c046d8dcda9ff76f53719609971c9 (plain)
Installation

The software is distributed as source code which has to be compiled. The source
code is supplied in the form of a gzipped tar file, which unpacks to a
subdirectory identifying the name and version of the program.

A C compiler (e.g. gcc or clang) and GNU Make are needed to build chrony. The
following libraries with their development files, and programs, are needed to
enable optional features:

  o pkg-config: detection of development libraries

  o Nettle, GnuTLS, NSS, or LibTomCrypt: secure hash functions (SECHASH)

  o libcap: dropping root privileges on Linux (DROPROOT)

  o libseccomp: system call filter on Linux (SCFILTER)

  o GnuTLS and Nettle: Network Time Security (NTS)

  o Editline: line editing in chronyc (READLINE)

  o timepps.h header: PPS reference clock

  o Asciidoctor: documentation in HTML format

  o Bash: test suite

The following programs are needed when building chrony from the git repository
instead of a released tar file:

  o Asciidoctor: manual pages

  o Bison: parser for chronyc settime command

After unpacking the source code, change directory into it, and type

./configure

This is a shell script that automatically determines the system type. There is
an optional parameter --prefix, which indicates the directory tree where the
software should be installed. For example,

./configure --prefix=/opt/free

will install the chronyd daemon into /opt/free/sbin and the chronyc control
program into /opt/free/bin. The default value for the prefix is /usr/local.

The configure script assumes you want to use gcc as your compiler. If you want
to use a different compiler, you can configure this way:

CC=cc ./configure --prefix=/opt/free

for Bourne-family shells, or

setenv CC cc
setenv CFLAGS -O
./configure --prefix=/opt/free

for C-family shells.

If the software cannot (yet) be built on your system, an error message will be
shown. Otherwise, a Makefile will be generated.

On Linux, if development files for the libcap library are available, chronyd
will be built with support for dropping root privileges. On other systems no
extra library is needed. The default user which chronyd should run as can be
specified with the --with-user option of the configure script.

If development files for the POSIX threads library are available, chronyd will
be built with support for asynchronous resolving of hostnames specified in the
server, peer, and pool directives. This allows chronyd operating as a server to
respond to client requests while a hostname is being resolved. If you don't
want to enable the support, specify the --disable-asyncdns flag to configure.

If development files for the Nettle, NSS, or libtomcrypt library are available,
chronyd will be built with support for other cryptographic hash functions than
MD5, which can be used for NTP authentication with a symmetric key. If you
don't want to enable the support, specify the --disable-sechash flag to
configure.

If development files for the editline library are available, chronyc will be
built with line editing support. If you don't want this, specify the
--disable-readline flag to configure.

If a timepps.h header is available (e.g. from the LinuxPPS project), chronyd
will be built with the PPS API reference clock driver. If the header is
installed in a location that isn't normally searched by the compiler, you can
add it to the searched locations by setting the CPPFLAGS variable to
-I/path/to/timepps.

The --help option can be specified to configure to print all options supported
by the script.

Now type

make

to build the programs.

If you want to build the manual in HTML, type

make docs

Once the programs have been successfully compiled, they need to be installed in
their target locations. This step normally needs to be performed by the
superuser, and requires the following command to be entered.

make install

This will install the binaries and man pages.

To install the HTML version of the manual, enter the command

make install-docs

Now that the software is successfully installed, the next step is to set up a
configuration file. The default location of the file is /etc/chrony.conf.
Several examples of configuration with comments are included in the examples
directory. Suppose you want to use public NTP servers from the pool.ntp.org
project as your time reference. A minimal useful configuration file could be

pool pool.ntp.org iburst
makestep 1.0 3
rtcsync

Then, chronyd can be run. For security reasons, it's recommended to create an
unprivileged user for chronyd and specify it with the -u command-line option or
the user directive in the configuration file, or set the default user with the
--with-user configure option before building.

Support for system call filtering

chronyd can be built with support for the Linux secure computing (seccomp)
facility. This requires development files for the libseccomp library and the
--enable-scfilter option specified to configure. The -F option of chronyd will
enable a system call filter, which should significantly reduce the kernel
attack surface and possibly prevent kernel exploits from chronyd if it is
compromised.
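
A check for the two hardening measures described above (running chronyd as an
unprivileged user and enabling the system call filter), as an added example
that is not part of the chrony distribution. It reads the Uid and Seccomp
fields of a Linux /proc/<pid>/status file; the function names, the UID 995 and
the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Linux /proc/<pid>/status file for dropped root
# privileges and an active seccomp filter. Sample data below is constructed.

# audit_status FILE: returns 0 only if no UID is 0 and seccomp is in filter mode.
audit_status() {
    status_file=$1
    rc=0
    # The "Uid:" line holds the real, effective, saved and filesystem UIDs.
    uids=$(awk '$1 == "Uid:" { print $2, $3, $4, $5 }' "$status_file")
    if [ -z "$uids" ]; then
        echo "FAIL: no Uid line in $status_file"
        return 1
    fi
    for uid in $uids; do
        if [ "$uid" -eq 0 ]; then
            echo "FAIL: process still holds UID 0 (Uid: $uids)"
            rc=1
            break
        fi
    done
    # "Seccomp:" is 0 (disabled), 1 (strict mode) or 2 (filter mode).
    mode=$(awk '$1 == "Seccomp:" { print $2 }' "$status_file")
    if [ "$mode" != "2" ]; then
        echo "FAIL: seccomp filter not active (Seccomp: ${mode:-missing})"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: non-root (Uid: $uids), seccomp filter active"
    return "$rc"
}

# write_sample FILE UID MODE: write a constructed status file for the demo.
write_sample() {
    printf 'Name:\tchronyd\nUid:\t%s\t%s\t%s\t%s\nSeccomp:\t%s\n' \
        "$2" "$2" "$2" "$2" "$3" > "$1"
}

# Demo on constructed input: a root process without a filter, then a hardened one.
demo=$(mktemp -d)
write_sample "$demo/root_nofilter" 0 0
write_sample "$demo/hardened" 995 2
audit_status "$demo/root_nofilter" || true
audit_status "$demo/hardened" || true
rm -rf "$demo"
```

On a live system, pass the status file of the running chronyd process
(/proc/<pid>/status) to audit_status instead of the constructed samples.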

Extra options for package builders

The configure and make procedures have some extra options that may be useful if
you are building a distribution package for chrony.

The --mandir=DIR option to configure specifies an installation directory for
the man pages. This overrides the man subdirectory of the argument to the
--prefix option. For example, use

./configure --prefix=/usr --mandir=/usr/share/man

to set both options together.

The final option is the DESTDIR option to the make command. For example, you
could use the commands

./configure --prefix=/usr --mandir=/usr/share/man
make all docs
make install DESTDIR=./tmp
cd tmp
tar cvf - . | gzip -9 > chrony.tar.gz

to build a package. When untarred within the root directory, this will install
the files to the intended final locations.

Last updated 2023-12-05 14:22:10 +0100