Public bug reported:

By default, chrony's DAEMON_OPTS is set to "-F -1" which means to enable
seccomp but not in kill mode. To enable kill mode while also running in
a container, one would use "-F 1 -x" but it seems to confuse getopts
(from /usr/lib/systemd/scripts/chronyd-starter.sh) into thinking that no
"-x" was provided and thus wrongly logs a warning about the CAP_SYS_TIME
missing and also adds an extraneous "-x".

# Steps to reproduce:

1) create and enter into a test container:
lxc launch images:ubuntu/focal foo
lxc shell foo
2) install chrony:
apt update
apt install -y chrony
3) set DAEMON_OPTS="-F 1 -x" in /etc/default/chrony
4) restart chrony
systemctl restart chrony
5) check arguments passed to chronyd
ps aux| grep chrony


The last step should show that chronyd was invoked with 3 args: "-F 1 -x" but
due to the bug, it shows 4 arguments:
_chrony    106  0.0  0.0  13212  2072 ?        S    03:08   0:00 /usr/sbin/chronyd -F 1 -x -x
_chrony    107  0.0  0.0   5032  1728 ?        S    03:08   0:00 /usr/sbin/chronyd -F 1 -x -x


# Workaround:

Simply setting DAEMON_OPTS to "-x -F 1" or "-F1 -x" will do.


# Simpler way to reproduce

Keep an eye on $X_SET and run:

sh -x /usr/lib/systemd/scripts/chronyd-starter.sh -F -1 -x
 or
sh -x /usr/lib/systemd/scripts/chronyd-starter.sh -F 1 -x


I realize this is an edge case that probably very few might run into,
but since I've lost a good chunk of time wondering what was going on, I
felt I needed to report it. I would have preferred to send a patch but
it's too late for me to try to tame getopts ;)

The bug does not affect Debian as /usr/lib/systemd/scripts/chronyd-starter.sh
is an Ubuntu delta (carried to Groovy). Don't get me wrong, I
appreciate the delta as I can easily run chrony inside a container, so
thank you ;)

# Additional information

$ apt-cache policy chrony
chrony:
  Installed: 3.5-6ubuntu6.2
  Candidate: 3.5-6ubuntu6.2
  Version table:
 *** 3.5-6ubuntu6.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5-6ubuntu6 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
$ lsb_release -rd
Description:    Ubuntu 20.04.1 LTS
Release:        20.04

** Affects: chrony (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1898000

Title:
  bogus handling of DAEMON_OPTS by chronyd-starter.sh
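
The behaviour described in the report, as an added example that is not part of the original report and not the Ubuntu script's own code. It assumes the wrapper detects "-x" with a getopts optstring that declares only "x"; that optstring and the function names x_set_getopts and x_set_declared are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. The optstring ":x" is an assumption about the wrapper,
# not a copy of chronyd-starter.sh; function names are hypothetical.

# Flawed detection: only "x" is declared, so "-F" is an unknown flag with no
# value. In "-F 1 -x" the bare "1" is the first non-option word and getopts
# stops there, before it ever sees "-x".
x_set_getopts() {
    OPTIND=1
    X_SET=0
    while getopts ":x" opt "$@"; do
        case "$opt" in
            x) X_SET=1 ;;
        esac
    done
    echo "$X_SET"
}

# Corrected detection: "F:" tells getopts that -F consumes a value, so "1"
# (or "-1") is taken as its argument and the scan continues to "-x".
# A real wrapper would have to declare every chronyd option that takes a
# value in the same way; only the two options from the report are listed.
x_set_declared() {
    OPTIND=1
    X_SET=0
    while getopts ":xF:" opt "$@"; do
        case "$opt" in
            x) X_SET=1 ;;
        esac
    done
    echo "$X_SET"
}

# DAEMON_OPTS values taken from the report; $opts is left unquoted on
# purpose so it splits into words the way the wrapper receives them.
for opts in "-F 1 -x" "-x -F 1" "-F1 -x"; do
    printf '%-10s flawed X_SET=%s  corrected X_SET=%s\n' "$opts" \
        "$(x_set_getopts $opts)" "$(x_set_declared $opts)"
done
```

Under that assumption the flawed function reports X_SET=0 only for "-F 1 -x", which matches the extra "-x" seen in the ps output and explains why both workarounds avoid it.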
