Hrm, I got to test this now and I can't reproduce with:
Groovy
root@g:~# grep OPT /etc/default/chrony
DAEMON_OPTS="-F -1 -x"
root@g:~# systemctl restart chrony; systemctl status chrony | grep 'sbin\/chronyd'
├─118154 /usr/sbin/chronyd -F -1 -x
└─118155 /usr/sbin/chronyd -F -1 -x
Focal
root@f:~# grep OPT /etc/default/chrony
DAEMON_OPTS="-F -1 -x"
root@f:~# systemctl restart chrony; systemctl status chrony | grep 'sbin\/chronyd'
├─80336 /usr/sbin/chronyd -F -1 -x
└─80337 /usr/sbin/chronyd -F -1 -x
Hmm, maybe my containers I currently use are "too capable"
The script does two things:
1. it checks if it is running in a container
OR
2. it checks if it misses cap_sys_time
If 1 || 2 are true the service would (by default) fail to run at all.
The wrapper automatically adds -x in that case.
So if 1 || 2 you'll see:
"Adding -x as fallback disabling control of the system clock, see
/usr/share/doc/chrony/README.container to override this behavior"
But when you add -x in the OPTs yourself it should still be ok.
It runs a getopt loop if there is a -x.
If it is set it does not go into any of the later checks and runs chrony as you told it.
Test on non privileged container
default:
├─1459 /usr/sbin/chronyd -F -1 -x
└─1460 /usr/sbin/chronyd -F -1 -x
...
Oct 05 11:27:20 g-chrony chronyd-starter.sh[1454]: Warning: Running in a container, likely impossible and unintended to sync system clock
Oct 05 11:27:20 g-chrony chronyd-starter.sh[1454]: Adding -x as fallback disabling control of the system clock, see /usr/share/doc/chrony/README.container to override this behavior
Adding -x to the options still does not break it ... hmm:
Groovy:
root@g-chrony:~# grep OPT /etc/default/chrony
DAEMON_OPTS="-F -1 -x"
root@g-chrony:~# systemctl restart chrony; systemctl status chrony | grep 'sbin\/chronyd'
├─1688 /usr/sbin/chronyd -F -1 -x
└─1689 /usr/sbin/chronyd -F -1 -x
Focal:
root@f-chrony:~# grep OPT /etc/default/chrony
DAEMON_OPTS="-F -1 -x"
root@f-chrony:~# systemctl restart chrony; systemctl status chrony | grep 'sbin\/chronyd'
├─2221 /usr/sbin/chronyd -F -1 -x
└─2222 /usr/sbin/chronyd -F -1 -x
Still ok.
Could you add set -x to /usr/lib/systemd/scripts/chronyd-starter.sh and let me know why the getopt loop might not work for you?
From /usr/lib/systemd/scripts/chronyd-starter.sh:
# Check if -x is already set manually, don't process further if that is the case
X_SET=0
while getopts ":x" opt; do
    case $opt in
        x)
            X_SET=1
            ;;
    esac
done
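
Added example, not part of the thread or of the chrony package: the getopts loop quoted above, wrapped in a hypothetical function `x_set` and run over constructed DAEMON_OPTS strings to show which of them set X_SET. It goes beyond the cases tested in the thread by including an option that takes an argument, because getopts stops parsing at the first word that is not an option.

```shell
#!/bin/sh
# Added example, not the packaged chronyd-starter.sh: only the getopts loop
# is taken from the thread; the function name and sample strings are made up.

# Print 1 if the quoted loop would see -x in the given options, else 0.
x_set() (
    OPTIND=1   # start parsing from the first argument on every call
    X_SET=0
    while getopts ":x" opt; do
        case $opt in
            x)
                X_SET=1
                ;;
        esac
    done
    echo "$X_SET"
)

# Constructed DAEMON_OPTS values, one per line.
samples='-F -1 -x
-x
-F -1
-x -f /etc/chrony/chrony.conf
-f /etc/chrony/chrony.conf -x'

printf '%s\n' "$samples" | while IFS= read -r opts; do
    # Unquoted on purpose: the string is split into words as an unquoted
    # $DAEMON_OPTS would be (an assumption about how options reach the loop).
    printf '%-32s X_SET=%s\n' "$opts" "$(x_set $opts)"
done
```

Running the real script with set -x, as requested above, shows the same decision for the options actually configured on the affected system.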