From e3f840aae9eb7e387727a5b84a085269429fc30a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 26 Mar 2018 13:21:54 +0200 Subject: [PATCH] doc: update installation document --- doc/installation.adoc | 64 +++++++++++++++++++++++++++++++------------ 1 file changed, 46 insertions(+), 18 deletions(-) diff --git a/doc/installation.adoc b/doc/installation.adoc index 151674a..eea9088 100644 --- a/doc/installation.adoc +++ b/doc/installation.adoc @@ -29,8 +29,8 @@ After unpacking the source code, change directory into it, and type ---- This is a shell script that automatically determines the system type. There is -a single optional parameter, `--prefix` which indicates the directory tree -where the software should be installed. For example, +an optional parameter `--prefix`, which indicates the directory tree where the +software should be installed. For example, ---- ./configure --prefix=/opt/free @@ -40,11 +40,11 @@ will install the `chronyd` daemon into `/opt/free/sbin` and the `chronyc` control program into `/opt/free/bin`. The default value for the prefix is `/usr/local`. -The configure script assumes you want to use gcc as your compiler. If you want -to use a different compiler, you can configure this way: +The `configure` script assumes you want to use `gcc` as your compiler. If you +want to use a different compiler, you can configure this way: ---- -CC=cc CFLAGS=-O ./configure --prefix=/opt/free +CC=cc ./configure --prefix=/opt/free ---- for Bourne-family shells, or 
@@ -63,11 +63,26 @@ shown. Otherwise, `Makefile` will be generated. On Linux, if development files for the libcap library are available, `chronyd` will be built with support for dropping root privileges. On other systems no extra library is needed. The default user which `chronyd` should run as can be -specified with the `--with-user` option of the configure script. +specified with the `--with-user` option of the `configure` script. + +If development files for the POSIX threads library are available, `chronyd` +will be built with support for asynchronous resolving of hostnames specified in +the `server`, `peer`, and `pool` directives. This allows `chronyd` operating as +a server to respond to client requests when resolving a hostname. If you don't +want to enable the support, specify the `--disable-asyncdns` flag to +`configure`. + +If development files for the https://www.lysator.liu.se/~nisse/nettle/[Nettle], +https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS], or +http://www.libtom.net/LibTomCrypt/[libtomcrypt] library are available, +`chronyd` will be built with support for other cryptographic hash functions +than MD5, which can be used for NTP authentication with a symmetric key. If you +don't want to enable the support, specify the `--disable-sechash` flag to +`configure`. If development files for the editline or readline library are available, `chronyc` will be built with line editing support. If you don't want this, -specify the `--disable-readline` flag to configure. +specify the `--disable-readline` flag to `configure`. If a `timepps.h` header is available (e.g. from the http://linuxpps.org[LinuxPPS project]), `chronyd` will be built with PPS API 
@@ -75,6 +90,9 @@ reference clock driver. If the header is installed in a location that isn't normally searched by the compiler, you can add it to the searched locations by setting the `CPPFLAGS` variable to `-I/path/to/timepps`. +The `--help` option can be specified to `configure` to print all options +supported by the script. + Now type ---- @@ -122,6 +140,16 @@ unprivileged user for `chronyd` and specify it with the `-u` command-line option or the `user` directive in the configuration file, or set the default user with the `--with-user` configure option before building. +== Support for system call filtering + +`chronyd` can be built with support for the Linux secure computing (seccomp) +facility. This requires development files for the +https://github.com/seccomp/libseccomp[libseccomp] library and the +`--enable-scfilter` option specified to `configure`. The `-F` option of +`chronyd` will enable a system call filter, which should significantly reduce +the kernel attack surface and possibly prevent kernel exploits from `chronyd` +if it is compromised. + == Support for line editing libraries `chronyc` can be built with support for line editing, this allows you to use 
@@ -132,12 +160,12 @@ Please note that readline since version 6.0 is licensed under GPLv3+ which is incompatible with chrony's license GPLv2. You should use editline instead if you don't want to use older readline versions. -The configure script will automatically enable the line editing support if one -of the supported libraries is available. If they are both available, the +The `configure` script will automatically enable the line editing support if +one of the supported libraries is available. If they are both available, the editline library will be used. -If you don't want to use it (in which case chronyc will use a minimal command -line interface), invoke configure like this: +If you don't want to use it (in which case `chronyc` will use a minimal command +line interface), invoke `configure` like this: ---- ./configure --disable-readline other-options... @@ -161,12 +189,12 @@ normally searched by the compiler and linker, you need to use extra options: == Extra options for package builders -The configure and make procedures have some extra options that may be useful if -you are building a distribution package for chrony. +The `configure` and `make` procedures have some extra options that may be +useful if you are building a distribution package for `chrony`. -The `--mandir=DIR` option to configure specifies an install directory for the -man pages. This overrides the `man` subdirectory of the argument to the ---prefix option. +The `--mandir=DIR` option to `configure` specifies an installation directory +for the man pages. This overrides the `man` subdirectory of the argument to the +`--prefix` option. ---- ./configure --prefix=/usr --mandir=/usr/share/man 
@@ -174,8 +202,8 @@ man pages. This overrides the `man` subdirectory of the argument to the to set both options together. -The final option is the `DESTDIR` option to the make command. For example, you -could use the commands +The final option is the `DESTDIR` option to the `make` command. For example, +you could use the commands ---- ./configure --prefix=/usr --mandir=/usr/share/man
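Review bot: in the hunk at @@ -40,11 +40,11 @@, dropping `CFLAGS=-O` from the example leaves `CC=cc ./configure --prefix=/opt/free`, which fits the sentence "If you want to use a different compiler" better, but the document then shows no example of overriding compiler flags at all; if `configure` still honours `CFLAGS`, a short sentence noting that it can be set the same way (e.g. `CC=cc CFLAGS=-O2 ./configure --prefix=/opt/free`) would keep that information from being lost.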
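Review bot: in the hunk at @@ -63,11 +63,26 @@, the new sechash paragraph lists Nettle, NSS and libtomcrypt as alternatives but, unlike the line editing paragraph later in the same file ("If they are both available, the editline library will be used"), does not say which one `configure` picks when more than one is installed; a sentence giving the order of preference would let packagers predict which library `chronyd` links against. Two wording nits in the same hunk: "support for other cryptographic hash functions than MD5" reads better as "support for cryptographic hash functions other than MD5", and "to respond to client requests when resolving a hostname" is clearer as "to keep responding to client requests while a hostname is being resolved".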
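Review bot: in the new "Support for system call filtering" section (hunk at @@ -122,6 +140,16 @@), the closing phrase "possibly prevent kernel exploits from `chronyd` if it is compromised" is hard to parse; suggest "and limit what an attacker who has compromised `chronyd` can do to the kernel". The section should also say how `-F` is used (whether it takes an argument, and where its accepted values are documented, e.g. the `chronyd` man page), and since a filter that does not allow a system call the daemon needs will normally kill the process, it would help to advise testing the filtered daemon in the target environment before enabling `-F` in production.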
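Review bot: in the hunk at @@ -161,12 +189,12 @@, "distribution package for `chrony`" puts the project name in backticks, while the rest of the document writes the project as plain "chrony" ("incompatible with chrony's license GPLv2" in the hunk at @@ -132,12 +160,12 @@) and reserves backticks for commands and files such as `chronyd`, `chronyc` and `configure`; drop the backticks here to keep that convention consistent.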