Public bug reported: By default, chrony's DAEMON_OPTS is set to "-F -1" which means to enable seccomp but not in kill mode. To enable kill mode while also running in a container, one would use "-F 1 -x" but it seems to confuse getopts (from /usr/lib/systemd/scripts/chronyd-starter.sh) into thinking that no "-x" was provided and thus wrongly logs a warning about the CAP_SYS_TIME missing and also adds an extraneous "-x".
# Steps to reproduce:

1) create and enter into a test container:

    lxc launch images:ubuntu/focal foo
    lxc shell foo

2) install chrony:

    apt update
    apt install -y chrony

3) set DAEMON_OPTS="-F 1 -x" in /etc/default/chrony

4) restart chrony

    systemctl restart chrony

5) check arguments passed to chronyd

    ps aux| grep chrony

The last step should show that chronyd was invoked with 3 args: "-F 1 -x" but due to the bug, it shows 4 arguments:

    _chrony  106  0.0  0.0  13212  2072 ?  S  03:08  0:00 /usr/sbin/chronyd -F 1 -x -x
    _chrony  107  0.0  0.0   5032  1728 ?  S  03:08  0:00 /usr/sbin/chronyd -F 1 -x -x

# Workaround:

Simply setting DAEMON_OPTS to "-x -F 1" or "-F1 -x" will do.

# Simpler way to reproduce

Keep an eye on $X_SET and run:

    sh -x /usr/lib/systemd/scripts/chronyd-starter.sh -F -1 -x

or

    sh -x /usr/lib/systemd/scripts/chronyd-starter.sh -F 1 -x

I realize this is an edge case that probably really few might run into but since I've lost a good chunk of time wondering what was going on, I felt I needed to report it. I would have preferred to send a patch but it's too late for me to try to tame getopts ;)

The bug does not affect Debian as /usr/lib/systemd/scripts/chronyd-starter.sh is an Ubuntu delta (carried to Groovy). Don't get me wrong, I appreciate the delta as I can easily run chrony inside a container, so thank you ;)

# Additional information

    $ apt-cache policy chrony
    chrony:
      Installed: 3.5-6ubuntu6.2
      Candidate: 3.5-6ubuntu6.2
      Version table:
     *** 3.5-6ubuntu6.2 500
            500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
            100 /var/lib/dpkg/status
         3.5-6ubuntu6 500
            500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

    $ lsb_release -rd
    Description: Ubuntu 20.04.1 LTS
    Release: 20.04

** Affects: chrony (Ubuntu)
   Importance: Undecided
   Status: New
https://bugs.launchpad.net/bugs/1898000

Title: bogus handling of DAEMON_OPTS by chronyd-starter.sh
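The getopts behaviour that explains why "-F 1 -x" loses the -x while "-F -1 -x", "-x -F 1" and "-F1 -x" do not, as an added example that is not part of the original report or of Ubuntu's script. It assumes the starter script looks for -x with a getopts loop whose optstring declares only x (the page does not show the script); the function names x_set_naive and x_set_fixed are hypothetical.

```shell
#!/bin/sh
# Added example: models the -x detection the report describes.
# Assumption: the optstring is ":x"; chronyd-starter.sh is not shown on the page.

# Naive scan: only -x is declared, so -F is an unknown flag with no argument.
# The bare word "1" that follows is then the first non-option argument, and
# getopts stops there without ever reaching -x.
x_set_naive() {
    OPTIND=1
    X_SET=0
    while getopts ":x" opt; do
        case "$opt" in
            x) X_SET=1 ;;
        esac
    done
    echo "$X_SET"
}

# Hardened scan: -F is declared as taking an argument ("F:"), so "1" or "-1"
# is consumed as its value and parsing continues to -x. Any other option that
# takes a value would have to be declared the same way.
x_set_fixed() {
    OPTIND=1
    X_SET=0
    while getopts ":xF:" opt; do
        case "$opt" in
            x) X_SET=1 ;;
        esac
    done
    echo "$X_SET"
}

# Constructed inputs: the DAEMON_OPTS values discussed in the report.
for args in "-F -1 -x" "-F 1 -x" "-x -F 1" "-F1 -x"; do
    # Word splitting of $args is intended: it mimics how the options arrive
    # as separate positional parameters.
    echo "DAEMON_OPTS='$args' naive=$(x_set_naive $args) fixed=$(x_set_fixed $args)"
done
```

When the scan misses -x, the starter falls through to its capability check, which matches the spurious CAP_SYS_TIME warning and the duplicated -x in the ps output above.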