Comment 3 for bug 1898000

Simon Déziel (sdeziel) wrote : Re: [Bug 1898000] Re: bogus handling of DAEMON_OPTS by chronyd-starter.sh

Hello Christian,

One needs to use "-F 1 -x" in order to reproduce. The "1" instead of "-1"
is what causes the bug to happen. Thanks!

Regards,
Simon

On 2020-10-05 7:33 a.m., Christian Ehrhardt wrote:
> Hrm I got to test this now and I can't reproduce with:
>
> Groovy
> root@g:~# grep OPT /etc/default/chrony
> DAEMON_OPTS="-F -1 -x"
> root@g:~# systemctl restart chrony; systemctl status chrony | grep 'sbin\/chronyd'
> ├─118154 /usr/sbin/chronyd -F -1 -x
> └─118155 /usr/sbin/chronyd -F -1 -x
>
> Focal
> root@f:~# grep OPT /etc/default/chrony
> DAEMON_OPTS="-F -1 -x"
> root@f:~# systemctl restart chrony; systemctl status chrony | grep 'sbin\/chronyd'
> ├─80336 /usr/sbin/chronyd -F -1 -x
> └─80337 /usr/sbin/chronyd -F -1 -x
>
> Hmm, maybe my containers I currently use are "too capable"
>
> The script does two things:
> 1. it checks if it is running in a container
> OR
> 2. it checks if it misses cap_sys_time
>
> If 1 || 2 are true the service would (by default) fail to run at all.
> The wrapper automatically adds -x in that case.
>
> So if 1 || 2 you'll see:
> "Adding -x as fallback disabling control of the system clock, see
> /usr/share/doc/chrony/README.container to override this behavior"
>
>
> But when you add -x in the OPTs yourself it should still be ok.
> It runs a getopt loop if there is a -x.
> If it is set it does not go into any of the later checks and runs chrony as you told it.
>
> Test on non privileged container
> default:
> ├─1459 /usr/sbin/chronyd -F -1 -x
> └─1460 /usr/sbin/chronyd -F -1 -x
> ...
> Oct 05 11:27:20 g-chrony chronyd-starter.sh[1454]: Warning: Running in a container, likely impossible and unintended to sync system clock
> Oct 05 11:27:20 g-chrony chronyd-starter.sh[1454]: Adding -x as fallback disabling control of the system clock, see /usr/share/doc/chrony/README.container to override this behavior
>
>
> Adding -x to the options still does not break it ... hmm:
>
> Groovy:
> root@g-chrony:~# grep OPT /etc/default/chrony
> DAEMON_OPTS="-F -1 -x"
> root@g-chrony:~# systemctl restart chrony; systemctl status chrony | grep 'sbin\/chronyd'
> ├─1688 /usr/sbin/chronyd -F -1 -x
> └─1689 /usr/sbin/chronyd -F -1 -x
>
> Focal:
> root@f-chrony:~# grep OPT /etc/default/chrony
> DAEMON_OPTS="-F -1 -x"
> root@f-chrony:~# systemctl restart chrony; systemctl status chrony | grep 'sbin\/chronyd'
> ├─2221 /usr/sbin/chronyd -F -1 -x
> └─2222 /usr/sbin/chronyd -F -1 -x
>
>
> Still ok.
> Could you add set -x to /usr/lib/systemd/scripts/chronyd-starter.sh and let me know why the getopt loop might not work for you?
>
>
> From /usr/lib/systemd/scripts/chronyd-starter.sh:
> # Check if -x is already set manually, don't process further if that is the case
> X_SET=0
> while getopts ":x" opt; do
> case $opt in
> x)
> X_SET=1
> ;;
> esac
> done
>
>
> ** Changed in: chrony (Ubuntu)
> Status: New => Incomplete
>
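
Added example, not part of this comment or of the packaged chronyd-starter.sh: it runs a getopts loop of the same shape as the quoted excerpt over the two option strings from this thread and reports where POSIX getopts stops parsing, next to a plain word scan. The function names and the word scan are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: NOT the packaged chronyd-starter.sh. Function names are
# hypothetical; the option strings are the two quoted in this thread.

# Same loop shape as the quoted excerpt: the optstring ":x" knows only -x.
# Prints "<X_SET> <OPTIND>", i.e. whether -x was seen and where parsing ended.
x_set_getopts() {
    OPTIND=1                      # reset so repeated calls start from $1
    X_SET=0
    while getopts ":x" opt; do
        case $opt in
            x) X_SET=1 ;;
        esac                      # unknown options (-F, -1) arrive as "?"
    done
    echo "$X_SET $OPTIND"
}

# Assumed alternative: compare every word, so an operand such as "1" cannot
# end the search early. Only a standalone "-x" word is recognised.
x_set_scan() {
    for arg in "$@"; do
        if [ "$arg" = "-x" ]; then
            echo 1
            return 0
        fi
    done
    echo 0
}

for opts in "-F -1 -x" "-F 1 -x"; do
    # Unquoted on purpose: split the string into separate arguments.
    # shellcheck disable=SC2086
    echo "[$opts] getopts: $(x_set_getopts $opts)  scan: $(x_set_scan $opts)"
done
```

getopts ends option parsing at the first argument that does not begin with "-", so with "-F 1 -x" the loop stops at the operand "1" and never examines the trailing -x, while "-F -1 -x" is read to the end.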