Re: [chrony-users] rootless chronyd
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] rootless chronyd
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Tue, 29 Jul 2025 15:11:37 +0200
On Tue, Jul 29, 2025 at 04:02:15PM +0300, Remush wrote:
> I attempted to create a Docker image with chronyd installed, yet the
> container is rootless, meaning my uid is not root; however, my gid is 0
> (root).
>
> Now it seems that when running the container I receive many permission
> denied errors on /run/chrony and more.
>
> My question is: is there any way to make the service run not as root?

Yes, chronyd can be started without root in some configurations where
it doesn't need to access any RTC, PPS, PHC devices, but it may need
some capabilities like CAP_SYS_TIME and CAP_NET_BIND_SERVICE (if it
should run as a server).

The check for root can be disabled by the -U option. The /run/chrony
directory needs to exist before starting chronyd (only root can
normally write in /run).

There is an example systemd service that starts chronyd without root:
https://gitlab.com/chrony/chrony/-/blob/master/examples/chronyd-restricted.service

--
Miroslav Lichvar
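
A preflight check for the conditions named in the reply above, as an added example that is not part of the original message or of the chrony project. The function names and the `check` argument are hypothetical; it assumes chronyd is meant to adjust the system clock (so CAP_SYS_TIME is treated as required) and uses the capability bit numbers from `<linux/capability.h>`.

```shell
#!/bin/sh
# Added example (not chrony project code): preflight for a non-root chronyd start.
CAP_NET_BIND_SERVICE=10   # bit numbers from <linux/capability.h>
CAP_SYS_TIME=25

# has_cap HEXMASK BIT: succeeds if BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# current_capeff: effective capability mask as seen by a child process (awk),
# i.e. what a program without file capabilities inherits from this shell.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# preflight RUNDIR CAPEFF SERVER(yes|no): prints one line per problem and
# returns the number of problems found.
preflight() {
    rundir=$1; capeff=$2; server=$3; problems=0
    if [ ! -d "$rundir" ]; then
        echo "missing: $rundir must exist before chronyd starts"
        problems=$((problems + 1))
    elif [ ! -w "$rundir" ]; then
        echo "not writable: $rundir (uid $(id -u), gid $(id -g))"
        problems=$((problems + 1))
    fi
    if ! has_cap "$capeff" "$CAP_SYS_TIME"; then
        echo "missing capability: CAP_SYS_TIME"
        problems=$((problems + 1))
    fi
    if [ "$server" = yes ] && ! has_cap "$capeff" "$CAP_NET_BIND_SERVICE"; then
        echo "missing capability: CAP_NET_BIND_SERVICE (server mode)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: ./preflight.sh check [yes|no]   (second argument: run as a server?)
if [ "${1:-}" = check ]; then
    if preflight /run/chrony "$(current_capeff)" "${2:-no}"; then
        echo "ok: preconditions met for starting chronyd with -U"
    else
        exit 1
    fi
fi
```

If the chronyd binary carries file capabilities, it can hold capabilities that this inherited mask does not show.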