bogus handling of DAEMON_OPTS by chronyd-starter.sh
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
chrony (Ubuntu) | Fix Released | Low | Christian Ehrhardt | |
Bug Description
By default, chrony's DAEMON_OPTS is set to "-F -1" which means to enable seccomp but not in kill mode. To enable kill mode while also running in a container, one would use "-F 1 -x" but it seems to confuse getopts (from /usr/lib/
# Steps to reproduce:
1) create and enter into a test container:
lxc launch images:ubuntu/focal foo
lxc shell foo
2) install chrony:
apt update
apt install -y chrony
3) set DAEMON_OPTS="-F 1 -x" in /etc/default/chrony
4) restart chrony
systemctl restart chrony
5) check arguments passed to chronyd
ps aux| grep chrony
The last step should show that chronyd was invoked with 3 args: "-F 1 -x" but due to the bug, it shows 4 arguments:
_chrony 106 0.0 0.0 13212 2072 ? S 03:08 0:00 /usr/sbin/chronyd -F 1 -x -x
_chrony 107 0.0 0.0 5032 1728 ? S 03:08 0:00 /usr/sbin/chronyd -F 1 -x -x
# Workaround:
Simply setting DAEMON_OPTS to "-x -F 1" or "-F1 -x" will do.
# Simpler way to reproduce
Keep an eye on $X_SET and run:
sh -x /usr/lib/
or
sh -x /usr/lib/
I realize this is an edge case that probably really few might run into but since I've lost a good chunk of time wondering what was going on, I felt I needed to report it. I would have preferred to send a patch but it's too late for me to try to tame getopts ;)
The bug does not affect Debian as /usr/lib/
# Additional information
$ apt-cache policy chrony
chrony:
Installed: 3.5-6ubuntu6.2
Candidate: 3.5-6ubuntu6.2
Version table:
*** 3.5-6ubuntu6.2 500
500 http://
500 http://
100 /var/lib/
3.5-6ubuntu6 500
500 http://
$ lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
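
An added example, not the packaged chronyd-starter.sh (its code is not shown on this page): it assumes the script looks for -x with a getopts loop that does not declare -F as taking an argument, and shows why getopts then stops at the operand "1" and never reaches -x. The helpers has_x and scan and both option strings are hypothetical.

```shell
#!/bin/sh
# Constructed reproduction. has_x and scan are hypothetical helpers, not code
# from chronyd-starter.sh; the option strings are assumptions for illustration.

NAIVE=":x"       # assumed failing shape: -F is not declared at all
DECLARED=":F:x"  # -F declared as taking an argument (only the two options
                 # named in this report; a real string must list them all)

# has_x OPTSTRING WORD...: return 0 if getopts reports -x, 1 otherwise.
has_x() {
    optstring=$1
    shift
    OPTIND=1     # restart parsing for every call
    found=1
    while getopts "$optstring" opt "$@"; do
        case "$opt" in
            x) found=0 ;;
            *) : ;;  # unknown option or -F: ignore and keep going
        esac
    done
    # getopts ends the loop at the first operand (a word that is neither an
    # option nor a declared option argument), so later options are never seen.
    return "$found"
}

# scan OPTSTRING "DAEMON_OPTS value": print "found" or "missed".
scan() {
    # $2 is unquoted on purpose: DAEMON_OPTS is word-split the same way.
    if has_x "$1" $2; then echo found; else echo missed; fi
}

for opts in "-F 1 -x" "-x -F 1" "-F1 -x"; do
    printf '%-8s  undeclared -F: %-6s  declared -F: %s\n' "$opts" \
        "$(scan "$NAIVE" "$opts")" "$(scan "$DECLARED" "$opts")"
done
```

Only "-F 1 -x" with the undeclared option string reports "missed", which matches the two workarounds listed above.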
Related branches
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 35 lines (+10/-6), 2 files modified: debian/changelog (+6/-0), debian/chronyd-starter.sh (+4/-6)
Changed in chrony (Ubuntu):
status: Confirmed → In Progress
Hi Simon,
you are right and this is a valid bug for sure.
Yet I have a very busy week ahead - it might take some time ... :-/