Re: [chrony-users] Impact of multiple NTP implementations in containers on host chronyd
On Fri, 2026-01-16 at 13:04 +0000, Valera Requena, Juan wrote:
>
> Hi everyone,
> I have a setup where the host runs chronyd natively to discipline the system clock. However, we have several applications running in containers, and for various legacy reasons, some of these containers include their own NTP implementations (like ntpd, sntp, or even other chronyd instances).
> My main concerns are:
> 1. Will these containerized NTP clients interfere with the host's chronyd ability to maintain a stable clock?
> 2. Since they share the same kernel, is there a risk of "clock fighting" if a container has enough privileges to call adjtimex or settimeofday?
> 3. What is the recommended way to handle this? Should we strictly disable time-setting capabilities in all containers?
> Any insights or best practices would be greatly appreciated.
On Linux, setting the system clock is protected by CAP_SYS_TIME, see
capabilities(7). So just don't give your containers this capability.
podman/docker drop it by default.
Jan
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
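
One way to verify the point made in the reply above, as an added example that is not part of the original thread: read the capability masks in a process's `/proc/<pid>/status` and test bit 25, which is CAP_SYS_TIME in capabilities(7). The function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a process can set the shared kernel clock.
# CAP_SYS_TIME is capability number 25 in capabilities(7).
CAP_SYS_TIME_BIT=25

# has_cap_sys_time HEXMASK: succeed if bit 25 is set in a /proc capability mask.
has_cap_sys_time() {
    case $1 in ''|*[!0-9a-fA-F]*) return 1 ;; esac   # missing or malformed mask
    [ $(( (0x$1 >> CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# cap_field FIELD FILE: print one mask (CapEff, CapPrm, CapBnd) from a status file.
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# classify_status FILE: print can-set, can-acquire or blocked.
classify_status() {
    eff=$(cap_field CapEff "$1"); prm=$(cap_field CapPrm "$1")
    bnd=$(cap_field CapBnd "$1")
    if has_cap_sys_time "$eff" || has_cap_sys_time "$prm"; then
        echo can-set        # may call adjtimex/settimeofday now (or after raising it)
    elif has_cap_sys_time "$bnd"; then
        echo can-acquire    # still in the bounding set; an exec could gain it
    else
        echo blocked        # dropped from the bounding set, cannot be regained
    fi
}

# audit_pids PID...: classify live processes, e.g. the init PID of each container.
audit_pids() {
    for pid in "$@"; do
        [ -r "/proc/$pid/status" ] || continue
        printf '%s\t%s\n' "$pid" "$(classify_status "/proc/$pid/status")"
    done
}

# sample_status EFF PRM BND: constructed status excerpt for offline testing.
sample_status() {
    printf 'Name:\tntpd\nCapInh:\t0000000000000000\n'
    printf 'CapPrm:\t%s\nCapEff:\t%s\nCapBnd:\t%s\n' "$2" "$1" "$3"
}
```

A containerized ntpd or chronyd that reports `blocked` cannot step or slew the host clock; `can-acquire` means the capability is not active but was not removed from the bounding set either.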