Comment 7 for bug 1589780

Christian Ehrhardt (paelzer) wrote:

Thanks to Vincent Blut I was pointed to [1]

That pretty much looks like the patch I was going to write, thanks a lot Vincent!

There are some extra needs, to actually start in a container, but maybe those are upstream as well - I'll check that.

Otherwise my plan would be to somehow match on !cap_sys_time to add -x as parameter.
Maybe a second systemd file chronyd-container.service or such would do (a bit annoying to be a different name, but alias won't work as there is the real "chrony" service). Maybe I can do that in one service file and make the arguments depend on the capability.
Since !cap / cap is mutually exclusive, only one of each would run at any time.

But as I said, maybe such a change was made upstream already and could also be backported.

[1]: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=e8096330be1eb4db25b14152b14550c6c0bbaa63
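
The capability check the comment proposes, sketched as a start wrapper. This is an added example, not part of the original comment and not chrony's or Ubuntu's packaging code. The function names are hypothetical, the capability masks in the comments are constructed samples, and the only facts assumed are that CAP_SYS_TIME is bit 25 in linux/capability.h and that /proc/<pid>/status carries a `CapEff:` line.

```shell
#!/bin/sh
# Decide whether chronyd must be started with -x (do not control the system
# clock) from the effective capability mask of the starting process.
CAP_SYS_TIME_BIT=25   # CAP_SYS_TIME in linux/capability.h

# read_capeff [FILE]: print the hex CapEff mask from a /proc/<pid>/status
# style file (default: the calling process).
read_capeff() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# has_cap_sys_time HEXMASK: 0 if the bit is set, 1 if clear, 2 if the
# mask is empty or not hexadecimal.
has_cap_sys_time() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    mask=$(( 0x$1 ))
    [ $(( (mask >> CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# chronyd_extra_args HEXMASK: print "-x" when CAP_SYS_TIME is missing and
# nothing when it is present; fail instead of guessing on a bad mask.
chronyd_extra_args() {
    has_cap_sys_time "$1" && rc=0 || rc=$?
    case "$rc" in
        0) ;;                          # may set the clock: no extra flag
        1) printf '%s\n' '-x' ;;       # container without CAP_SYS_TIME
        *) echo "cannot parse CapEff mask: '$1'" >&2; return 2 ;;
    esac
}

# Constructed sample masks:
#   0000003fffffffff  full capability set   -> no extra argument
#   00000000a80425fb  CAP_SYS_TIME dropped  -> -x
# A wrapper script would end with something like (left commented out here):
#   exec chronyd $(chronyd_extra_args "$(read_capeff)") "$@"
```

Because the two outcomes are mutually exclusive, a single unit can call such a wrapper instead of shipping a second, differently named service file.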