Re: [chrony-users] Chrony and NTP hardening
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] Chrony and NTP hardening
- From: Bernd Brandstetter <kde-bbrand@xxxxxxxxxxxx>
- Date: Wed, 4 Feb 2026 17:41:09 +0100

On 2/4/26 17:25, Holger Hoffstätte wrote:
> It's not clear to me whether you want to do this only at startup or
> continuously at runtime. For the former you will have to write your own
> pre-start script where you can check for "the current offset" without
> setting the clock with:
>
>     chronyd -x -Q 2>&1 | grep "System clock" | cut -d ' ' -f 6
>
> which will give you something like:
>
>     -0.000211
>
> You can then compare this with the checkpoint time and do whatever is
> necessary. Does that help?

It's only supposed to happen at startup. I have already thought about
this approach, but the problem is that it imposes a TOCTOU
(time-of-check-time-of-use) problem. Even if the result of the pre-check
is OK, it does not guarantee that after the following start chronyd will
still get a valid time. (Even though this seems a bit far-fetched also
to me, but I haven't written the requirements.)
Thanks and best regards,
Bernd
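
The pre-start check discussed in this message, written out as an added example (not code from the thread or from the chrony project). It parses the offset from the `chronyd -x -Q` output and fails closed if the offset is missing or malformed; it is still a separate measurement from the one chronyd makes after it starts, which is the TOCTOU gap described in the reply. `MAX_OFFSET`, the function names and the 1.0 second default are assumptions.

```shell
#!/bin/sh
# Added example: pre-start gate built on the "chronyd -x -Q" query quoted above.
# MAX_OFFSET and the function names are assumptions, not part of the thread.
MAX_OFFSET="${MAX_OFFSET:-1.0}"   # largest tolerated |offset| in seconds

# Read chronyd -Q output on stdin and print the signed offset, i.e. the word
# after "by" in the "System clock wrong by ..." line. Returns 1 if absent.
parse_offset() {
    awk '/System clock wrong by/ {
             for (i = 1; i < NF; i++)
                 if ($i == "by") { print $(i + 1); found = 1; exit }
         }
         END { exit !found }'
}

# 0: |offset| <= limit, 1: offset too large, 2: offset is not a plain decimal.
offset_within() {
    awk -v o="$1" -v m="$2" 'BEGIN {
        if (o !~ /^-?[0-9]+(\.[0-9]+)?$/) exit 2
        o += 0
        if (o < 0) o = -o
        exit !(o <= m + 0)
    }'
}

# Query the sources without touching the clock, then apply the limit.
# Fails closed (status 2) when chronyd prints no usable offset.
prestart_check() {
    offset=$(chronyd -x -Q 2>&1 | parse_offset) || return 2
    offset_within "$offset" "$MAX_OFFSET"
}
```

Call `prestart_check` from the service's pre-start hook and treat any non-zero status as a reason not to start chronyd.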