[chrony-users] Chrony launched with -x in Kubernetes

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

Hi,


I have a question about a specific chrony setup which I suspect is a not functioning one.

I have a Kubernetes cluster consisting of 3 baremetal nodes.
There is one Chrony pod running in this Kubernetes that get its reference clock from 5 NTP servers accessible via the Internet.

This chrony is launched with the parameters "-U -d -x".

The goal is that this chrony pod is launched with the least privileges:

- run as unprivileged user

- drop all caps except NET_BIND_SERVICE, SYS_NICE, SYS_TIME


By doing so, we expect the chrony in the pod to get its reference time from the remote NTP servers, maintain its own local clock without touching the system and rtc clock (thanks to the -x option) and serve time to clients.


Then, on each node of this Kubernetes cluster, we have a chrony instance installed in the OS via Debian packages that takes its time reference from the chrony running in the Kubernetes cluster.


But I suspect that, on the K8s node running the chrony pod, the chrony in the OS messes up with the chrony running in the pod.
The chrony pod always have flapping offset with 200+ms with its internet timesources (as reported by the chronyc sourcestats command)
The chrony pod also reports regularly that it detects falseticker on its internet timesources (from chrony logs)

The chrony in the OS do not manage to make the system clock converge after 48h.


It seems that if I stop the chrony in the OS on the node running the chrony pod, the chrony in the pod ends up reporting a few microseconds of offset from its internet timesources.

If I switch the chrony in the OS back the offset jumps back to 80+ms.


Am I in a situation where "the snake bites its own tail" ?
That somehow there is a loop between the chrony pod and the chrony in the OS running on the node that runs the chrony pod ?


Is there something that I am missing ?

Is it a fundamentally broken setup or do I need to adjust something to make it work ?
What would be the best way to achieve it ?

Thanks for your help



Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/