On 02/19/2018 05:44 AM, Daniel Baumann wrote:
> hrm, typo.. (s/locklock/lockclock/); but the result is the same, it
> doesn't compile (neither the debian package nor the upstream git snapshot).

It compiles fine for me. What error are you getting?

Also, I'd like to revisit what you're trying to accomplish here. Why is
running ntpsec in a container desirable? I've been assuming you want to
do this for security reasons. Is that correct?

Are you intending on serving local systems under your control, customers
of yours, or the Internet at large (e.g. in the pool)?

After reviewing more documentation and giving this some more thought,
I'm very concerned that approaches involving the "local" refclock (which
upstream recommends against). This loses information which is important
to the overall design of NTP. Specifically, the ntpd that is serving
time from the container has no idea what stratum it is or where it
synchronized from. Only the host ntpd knows that. In a worst case
scenario, you could create a loop.

I think you'd be better off either granting CAP_SYS_TIME to your
container and running ntpd normally (only in the container), or running
it normally from the host. If you're able to test the former, I'm happy
to lift the ConditionVirtualization=!container restriction on
ntp.service and ntp-wait.service (and would probably submit that
upstream too).


Reply via email to