Re: [chrony-users] rootless chronyd



The only thing I need is the `chronyc sources` command.

`The check for root can be disabled by the -U option`
I know wanting to do it as a container has nothing to do with this mailing list, but can you elaborate on what you mean?


On Tue, 29 Jul 2025 at 16:11, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Tue, Jul 29, 2025 at 04:02:15PM +0300, Remush wrote:
> I attempted to create a Docker image with chronyd installed, yet the
> container is rootless, meaning my uid is not root, however my gid is 0
> (root).
>
> Now it seems that when running the container I receive many permission
> denied errors on /run/chrony and more.
>
> My question is: is there any way to make the service run without root?

Yes, chronyd can be started without root in some configurations where
it doesn't need to access any RTC, PPS, PHC devices, but it may need
some capabilities like CAP_SYS_TIME and CAP_NET_BIND_SERVICE (if it
should run as a server).

The check for root can be disabled by the -U option. The /run/chrony
directory needs to exist before starting chronyd (only root can
normally write in /run).

There is an example systemd service that starts chronyd without root:
https://gitlab.com/chrony/chrony/-/blob/master/examples/chronyd-restricted.service

--
Miroslav Lichvar
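
The requirements named in the reply above (an existing, writable /run/chrony, CAP_SYS_TIME, and CAP_NET_BIND_SERVICE when serving), checked before `chronyd -U` is started. This is an added example, not part of the original thread or the chrony project; the function names and the `start` argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run before `chronyd -U`.
# Assumption: the capabilities are already in this process's effective set
# (e.g. ambient capabilities); file capabilities on the binary are not seen.
CAP_NET_BIND_SERVICE=10   # bit numbers from <linux/capability.h>
CAP_SYS_TIME=25

# has_cap HEXMASK BIT: true if BIT is set in a CapEff-style hex mask.
has_cap() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# preflight RUNDIR HEXMASK SERVER(yes|no): print one line per problem and
# return non-zero if any was found.
preflight() {
    rundir=$1; mask=$2; server=$3; rc=0
    if [ ! -d "$rundir" ]; then
        echo "missing: $rundir must exist before chronyd starts"; rc=1
    elif [ ! -w "$rundir" ]; then
        echo "denied: $rundir is not writable by uid $(id -u)"; rc=1
    fi
    has_cap "$mask" "$CAP_SYS_TIME" ||
        { echo "nocap: CAP_SYS_TIME (adjusting the system clock)"; rc=1; }
    if [ "$server" = yes ]; then
        has_cap "$mask" "$CAP_NET_BIND_SERVICE" ||
            { echo "nocap: CAP_NET_BIND_SERVICE (serving NTP)"; rc=1; }
    fi
    return "$rc"
}

# Check this shell's own environment and start chronyd only when asked to.
if [ "${1:-}" = "start" ]; then
    capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$$/status")
    preflight /run/chrony "$capeff" no || exit 1
    exec chronyd -U -d   # -d: stay in the foreground, log to the terminal
fi
```

In a container the directory check is the one that explains the reported "permission denied" on /run/chrony: the directory has to be created and made writable for the runtime uid when the image is built, since only root can normally write in /run.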

