On 02/19/2018 05:44 AM, Daniel Baumann wrote:
> hrm, typo.. (s/locklock/lockclock/); but the result is the same, it
> doesn't compile (neither the debian package nor the upstream git snapshot).

It compiles fine for me. What error are you getting?

Also, I'd like to revisit what you're trying to accomplish here. Why is running ntpsec in a container desirable? I've been assuming you want to do this for security reasons. Is that correct? Are you intending on serving local systems under your control, customers of yours, or the Internet at large (e.g. in the pool)?

After reviewing more documentation and giving this some more thought, I'm very concerned about approaches involving the "local" refclock (which upstream recommends against). This loses information which is important to the overall design of NTP. Specifically, the ntpd that is serving time from the container has no idea what stratum it is or where it synchronized from. Only the host ntpd knows that. In a worst case scenario, you could create a loop.

I think you'd be better off either granting CAP_SYS_TIME to your container and running ntpd normally (only in the container), or running it normally from the host. If you're able to test the former, I'm happy to lift the ConditionVirtualization=!container restriction on ntp.service and ntp-wait.service (and would probably submit that upstream too).

--
Richard
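
A check that goes with the CAP_SYS_TIME option discussed above, as an added example that is not part of the original message or of ntpsec: it reads a capability mask from a /proc/<pid>/status style file and reports whether CAP_SYS_TIME (capability number 25) is set. The function name and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does a process hold CAP_SYS_TIME?
# CAP_SYS_TIME is capability number 25 in linux/capability.h.
CAP_SYS_TIME_BIT=25

# cap_sys_time_state STATUS_FILE [SET]   (hypothetical helper name)
# Prints "granted", "missing" or "unknown" for the given capability set
# (CapEff by default; CapPrm and CapBnd also appear in /proc/<pid>/status).
cap_sys_time_state() {
    status_file=$1
    set_name=${2:-CapEff}
    mask=$(awk -v key="${set_name}:" '$1 == key { print $2 }' "$status_file" 2>/dev/null)
    case $mask in
        ''|*[!0-9a-fA-F]*) echo unknown; return 0 ;;   # unreadable or not a hex mask
    esac
    # Bit 25 lives in the low 32 bits, so only the last 8 hex digits are needed.
    low=$(printf '%s' "$mask" | tail -c 8)
    if [ $(( (0x$low >> $CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]; then
        echo granted
    else
        echo missing
    fi
}

# Constructed sample status excerpt: the effective set lacks bit 25,
# the bounding set has it.
demo=$(mktemp)
printf 'Name:\tntpd\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000aa0425fb\n' > "$demo"
echo "CapEff: $(cap_sys_time_state "$demo" CapEff)"
echo "CapBnd: $(cap_sys_time_state "$demo" CapBnd)"
rm -f "$demo"
```

Inside the container, pointing the function at `/proc/self/status` with `CapBnd` shows whether a daemon started there could ever obtain the capability; "missing" means ntpd will not be able to set or discipline the clock.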