Discussion went back and forth upstream as well as with people on the bug. Trying to summarize:
For upstream it is not reasonable to "silently" do not work as expected - and that is correct. There was a discussion on a "Fallback if unable to set it" option as an alternative. But even that you would not want to set everywhere to avoid silent fallback on many places it is supposed to work. This is mostly about user expectation especially of the client portion "I install chrony to sync my time" vs silently not doing so. On the server side the also the degradation of that time serving is considered requiring an explicit opt in. In the downstream discussion as a Distribution we are in a different spot. Moving the decision point from "CAP_SYS_TIME" to "in-container" there are several benefits. This is important, chrony will go on to drop all but a few CAPs as it did so far. And the code we are considering now to improve behavior to be better and more consistent is not on CAP_SYS_TIME but instead "if in container". 1. if you are in a container you very likely can't set the time. so installing chrony there would silently not start the chrony service for lacking CAP_SYS_TIME Not only did you now install chrony and got no error, but it does nothing. If there are services depending on chrony service they are down as well. 2. if you are in busted Host that grants no CAP_SYS_TIME the same as above will silently happen. And on a host you'd really want to know it is failing. 3. If you are in a container with special privileges to set the time (rare) it is very dangerous to do so. As multiple containers on that system doing fighting time adjustments is the worst. 4. If run in a container a log message should make it clear that expectations should not be to sync the local time as it is impossible (in 99.9+% of the cases) For #1 you want to default to -x if you are in a container For #2 you want to drop the condition on CAP_SYS_TIME For #3 you want to default to -x if you are in a container For #4 you want to log a message if the case is detected This are defaults, admins can override to get the other behavior. This could either be done: - in a Chrony patch to provide this behavior and a cmdline option to override. - in a wrapper script to the ExecStart doing the checks/messaging and adding the -x chrony already provides The former would be nicer, but require to re-implement a lot of systemd- detect-virt in chrony which feels wrong a bit, so I'll go with a wrapper for now (a bit like comment #9, but evolved). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1589780 Title: chrony.service doesn't start on LXD container To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1589780/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
