In case upstream won't accept the changes, here is the revised design of the wrapper as mentioned in comment #9:
- The amount of "-x" passed to chronyd doesn't matter, so we can just add one.
- But OTOH the X-SET check is good and can be used to silence the warnings we otherwise would
emit (no need to fall back if set this way)
- We want the capsh check only to be a warning a la "you likely can't set the time as you lack
CAP_SYS_TIME" but not "the only decision maker to set -x".
If CAP_SYS_TIME is missing, set -x and warn (that way around the logic works).
But if it is available that is no guarantee that all is fine.
- The extra decision to default to -x as well is "systemd-detect-virt --container",
along with a message that explains that (and why) we do so.
- /etc/default/chrony needs an option to override this for people that really WANT to start without -x in containers.
For Debian packaging:
- Yet untested code for the wrapper approach is available at [1].
- The code that uses the suggested change to chrony itself is available at [2].
[1]: https://code.launchpad.net/~paelzer/ubuntu/+source/chrony/+git/chrony/+ref/bionic-lp1589780-run-in-container-wrapper
[2]: https://code.launchpad.net/~paelzer/ubuntu/+source/chrony/+git/chrony/+ref/bionic-lp1589780-run-in-container
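To make the decision logic above concrete, here is an added example of such a wrapper; it is not the code from the branches at [1]/[2]. It assumes the daemon lives at /usr/sbin/chronyd, that /etc/default/chrony provides DAEMON_OPTS, and it invents the override variable name ALLOW_NO_X_IN_CONTAINER.

```shell
#!/bin/sh
# chronyd wrapper (example): decide whether to add "-x" before exec.
# Assumed paths/names: /usr/sbin/chronyd, DAEMON_OPTS from
# /etc/default/chrony, ALLOW_NO_X_IN_CONTAINER (hypothetical override).

# The capsh check: CAP_SYS_TIME in the effective set?  Newer capsh prints
# "Current: =ep" when every capability is held, older ones list each cap.
have_cap_sys_time() {
    capsh --print 2>/dev/null | grep '^Current:' \
        | grep -Eq 'cap_sys_time|^Current: =ep'
}

# systemd-detect-virt exits 0 only when running inside a container.
in_container() {
    systemd-detect-virt --container >/dev/null 2>&1
}

# Append -x to an argument string, avoiding a stray leading space.
add_x() {
    if [ -n "$1" ]; then printf '%s -x\n' "$1"; else printf -- '-x\n'; fi
}

# decide_x ARGS HAVE_CAP(0/1) IN_CONTAINER(0/1) OVERRIDE(0/1)
# Prints the final chronyd arguments; explains any added -x on stderr.
decide_x() {
    args="$1"; have_cap="$2"; container="$3"; override="$4"
    case " $args " in
        *" -x "*) printf '%s\n' "$args"; return 0 ;;  # X-SET: stay quiet
    esac
    if [ "$have_cap" -eq 0 ]; then
        echo "chrony: CAP_SYS_TIME missing, you likely can't set the time; starting with -x" >&2
        add_x "$args"; return 0
    fi
    if [ "$container" -eq 1 ] && [ "$override" -eq 0 ]; then
        echo "chrony: container detected; starting with -x (set ALLOW_NO_X_IN_CONTAINER=1 in /etc/default/chrony to override)" >&2
        add_x "$args"; return 0
    fi
    printf '%s\n' "$args"   # capability present, not a container: unchanged
}

# Only exec the real daemon when explicitly asked, so the functions above
# can be sourced and tested without chronyd/capsh installed.
if [ "${CHRONY_WRAPPER_EXEC:-0}" = 1 ]; then
    [ -r /etc/default/chrony ] && . /etc/default/chrony
    if have_cap_sys_time; then cap=1; else cap=0; fi
    if in_container; then ctr=1; else ctr=0; fi
    opts=$(decide_x "${DAEMON_OPTS:-} $*" "$cap" "$ctr" "${ALLOW_NO_X_IN_CONTAINER:-0}")
    exec /usr/sbin/chronyd $opts
fi
```

Run with CHRONY_WRAPPER_EXEC=1 in place of the direct chronyd call; without it the script only defines the functions.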