cturra / docker-ntp
Chrony NTP Server running in a Docker container (without the privileged flag)
License: Apache License 2.0
I see a new image version was deployed to Docker Hub. Any information on what has changed?
As the title says.
It would be nice to use NTS servers with the docker container.
This would improve security, and most well-known NTP servers are capable of NTS, such as Cloudflare.
RFC link: https://www.rfc-editor.org/rfc/rfc8915
Hey nice project!
It runs like a charm, but I have the problem that my server is not stable. I tried a lot of different NTP servers to sync with, but even after over an hour it is not stable.
I started the server yesterday, and even today when I checked, the server was not stable:
Just a few sudo docker exec ntp ntpctl -s status outputs within 5 minutes:
4/4 peers valid, clock unsynced, clock offset is 591.872ms
4/4 peers valid, clock unsynced, clock offset is 582.678ms
4/4 peers valid, clock unsynced, clock offset is 558.124ms
4/4 peers valid, clock unsynced, clock offset is 549.455ms
4/4 peers valid, clock unsynced, clock offset is -18161.083ms
4/4 peers valid, clock unsynced, clock offset is -18019.615ms
4/4 peers valid, clock unsynced, clock offset is -17914.237ms
4/4 peers valid, clock unsynced, clock offset is -16150.951ms
4/4 peers valid, clock unsynced, clock offset is -9582.942ms
sudo docker exec ntp ntpctl -s peers
   peer                               wt tl st  next  poll         offset        delay       jitter
94.16.113.67 0.de.pool.ntp.org         1  9  2   30s 3167s    -1710.079ms  11807.145ms  33665.677ms
78.46.253.198 1.de.pool.ntp.org        1 10  2   22s   32s      580.689ms  10336.151ms  31168.227ms
162.159.200.1 2.de.pool.ntp.org        1 10  3  730s 3287s   -16167.813ms     23.444ms      1.365ms
91.202.42.81 3.de.pool.ntp.org         1  9  2  151s 3288s    -1709.630ms  11807.984ms  33665.965ms
What I have tried as servers so far:
The unspecific pool.ntp.org worked the best so far: I got a stable server after about 2 minutes, but not for long.
I'm running the Docker container on an Ubuntu 16.04 server, Docker version 18.09.3, build 774a1f4.
Hope someone has an idea.
Wondering if there is a variable like NTP_SERVERS for NTS sources.
My Docker environment is running in an unprivileged LXC container.
When I try to run docker-ntp I receive the following error.
ntp | 2020-12-27T09:09:51Z chronyd version 3.5.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS -SECHASH +IPV6 -DEBUG)
ntp | 2020-12-27T09:09:51Z Fatal error : adjtimex(0x8001) failed : Operation not permitted
cturra/ntp:latest "/bin/sh /opt/startu…" 13 seconds ago Restarting (1) 4 seconds ago
Do you have a hint?
https://hub.docker.com/r/cturra/ntp/tags should have specific release tags to lock to a specific version.
Hello,
Apparently, the main branch has been suppressed (and renamed to main?).
This causes issues in CI systems which track the master branches.
Would it be possible to restore the master branch or at least, to create version tags?
For systems without internet connectivity, it would be nice to have an option to use the system clock as a time source. I've managed (through command injection :P) to set chrony to use the system clock with NTP_SERVERS
set to --env=NTP_SERVERS="$(printf "%s\n%s\n%s" 127.127.1.0 "local stratum 10" "# ")"
which results in the following /etc/chrony/chrony.conf file:
# https://github.com/cturra/docker-ntp
# chrony.conf file generated by startup script
# located at /opt/startup.sh
# time servers provided by NTP_SERVER environment variables.
server 127.127.1.1
local stratum 10
# iburst
driftfile /var/lib/chrony/chrony.drift
makestep 0.1 3
rtcsync
allow all
From my testing, it looks like local stratum 10 is required for this to work, no idea why.
Seems to be working, but I do see a perm issue a lot in the log. Running in Docker on an RPi4 and an Intel NUC, not with the 'higher security' option. Log is pulled from the RPi4, similar on the NUC. Volumes: /var/lib/chrony, /etc/chrony, /run/chrony
Build: cturra/docker-ntp build-date:- 2022-02-27T03:59:53+0000
Thanks! And thanks for the docker image!
2022-07-06T01:54:05Z Wrong permissions on /var/run/chrony
2022-07-06T01:54:05Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-06T01:54:05Z Disabled control of system clock
2022-07-06T01:54:11Z Selected source 69.89.207.99 (0.north-america.pool.ntp.org)
2022-07-06T01:54:58Z chronyd exiting
2022-07-06T01:55:05Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-07-06T01:55:05Z Wrong permissions on /var/run/chrony
2022-07-06T01:55:05Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-06T01:55:05Z Disabled control of system clock
2022-07-06T01:55:10Z Selected source 142.147.88.111 (2.north-america.pool.ntp.org)
2022-07-06T01:55:11Z Selected source 192.5.41.209 (ntp2.usno.navy.mil)
2022-07-06T02:45:40Z chronyd exiting
2022-07-06T02:45:56Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-07-06T02:45:56Z Wrong permissions on /var/run/chrony
2022-07-06T02:45:56Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-06T02:45:56Z Disabled control of system clock
2022-07-06T02:47:34Z Forward time jump detected!
2022-07-06T02:47:40Z Selected source 192.5.41.209 (ntp2.usno.navy.mil)
2022-07-10T07:24:52Z Source 68.171.16.4 replaced with 45.32.207.136 (0.north-america.pool.ntp.org)
2022-07-12T15:41:16Z chronyd exiting
2022-07-12T15:41:32Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-07-12T15:41:32Z Wrong permissions on /var/run/chrony
2022-07-12T15:41:32Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-12T15:41:32Z Disabled control of system clock
2022-07-12T15:43:07Z Selected source 192.5.41.209 (ntp2.usno.navy.mil)
2022-07-12T15:44:20Z Source 129.146.64.32 replaced with 72.14.183.239 (0.north-america.pool.ntp.org)
2022-07-19T14:33:34Z chronyd exiting
2022-07-19T14:33:51Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-07-19T14:33:51Z Wrong permissions on /var/run/chrony
2022-07-19T14:33:51Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-19T14:33:51Z Disabled control of system clock
2022-07-19T14:35:30Z Forward time jump detected!
2022-07-19T14:35:36Z Selected source 192.5.41.209 (ntp2.usno.navy.mil)
Hi,
I have the following docker-compose file:
version: '3.4'
services:
  ntp:
    #build: .
    image: cturra/ntp:latest
    container_name: ntp
    restart: always
    ports:
      - 123:123/udp
    cap_add:
      - SYS_NICE
      - SYS_RESOURCE
      - SYS_TIME
    environment:
      - NTP_SERVERS=time.cloudflare.com
I tried to run it on my ArchLinux Odroid C2 Server but I always get the error:
ntp | standard_init_linux.go:211: exec user process caused "exec format error"
Then I copied the same docker-compose file to my Macbook Pro and ran it there with Docker-Compose up and everything just worked out of the box.
I prefer using Docker-Compose instead of Dockerfile.
Is there any chance I can run my personal ntp server on the Odroid?
When I googled the error message I came across a post where someone had written that it is an architecture problem.
Am I just stupid and can't get it to run, or is my assumption true?
I'm new to Docker, so pardon me if I made a stupid mistake or if I don't get something right. But I think I 'understood' how docker should be running.
Kind regards,
Daniel Oberlechner
Here is my docker-compose.yml file content:
```yaml
version: '3.4'
services:
  ntp:
    image: cturra/ntp:latest
    container_name: ntp
    restart: always
    ports:
      - 123:123/udp
    cap_add:
      - SYS_NICE
      - SYS_RESOURCE
      - SYS_TIME
    environment:
      - NTP_SERVERS="time.pool.aliyun.com"
```
The clock was not synced, so I checked the NTP peers and found the server name was "time*.google.com"; clearly the var (NTP_SERVERS) was not set gracefully.
Hi,
I'm running your ntp Docker container on a Raspberry Pi, and the last update seems to have broken it.
Here are my logs:
ntp | +588592596-05-04T01:24:56Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6 -DEBUG)
ntp | +588384768-06-10T08:00:24Z Fatal error : clock_gettime() failed : Operation not permitted
ntp | +624270944-01-21T11:54:16Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6 -DEBUG)
ntp | +624063116-02-27T18:29:44Z Fatal error : clock_gettime() failed : Operation not permitted
ntp | +695627639-07-24T16:14:32Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6 -DEBUG)
ntp | +695419811-08-30T22:50:00Z Fatal error : clock_gettime() failed : Operation not permitted
... and it goes on and on.
Here's my docker-compose.yml setup:
ntp:
  image: cturra/ntp:latest
  container_name: ntp
  restart: always
  ports:
    - 123:123/udp
  cap_add:
    - SYS_TIME
  read_only: true
  tmpfs:
    - /etc/chrony:rw,mode=1750
    - /run/chrony:rw,mode=1750
    - /var/lib/chrony:rw,mode=1750
  environment:
    - NTP_SERVERS=time.cloudflare.com
I tried both with and without the SYS_TIME privilege, no difference.
Any help would be appreciated!
Clicking on the "Build status" or "Number of pulls" at the top of the Readme are pointing to
https://hub.docker.com/r/cturra/dropbox/
which is obviously something else....
Is there an easy way to "poke" your container (once running) with a new set of NTP servers, without having to restart it?
I don't think Docker allows modifying environment variables once a container is running, besides I think your startup.sh script would have to re-run.
Could I modify the /etc/chrony/chrony.conf file instead? Does chrony cache the servers once it runs, or does it always parse the file?
Hi
Has this been rebuilt?
Docker advises a new push 6 days ago but I can't see any changes here?
https://hub.docker.com/r/cturra/ntp shows an update 6 days ago (6th Dec) but no changes in src?
--env=NTP_SERVERS="127.127.1.1"

# if [[ "${N_CLEANED}" == "127\."* ]] is false
# if [[ "${N_CLEANED}" == "127."* ]] is true
if [[ "${N_CLEANED}" == "127\."* ]]; then
    echo "server "${N_CLEANED} >> ${CHRONY_CONF_FILE}
    echo "local stratum 10" >> ${CHRONY_CONF_FILE}
# found external time servers
else
    echo "server "${N_CLEANED}" iburst" >> ${CHRONY_CONF_FILE}
fi

Is it a bug?
The server accesses IP address 162.159.200.1 (time.cloudflare.com) every 64.5 seconds.
How can I increase the time synchronization interval? So that the time is synchronized (with the remote Cloudflare server) every 10 minutes.
Hey,
it's me again.
I have a question: is it possible to run the server offline, or more like in a (mini) intranet? I have an IPC (industrial PC) which is connected to sensor measurement systems; those systems should be synchronized in time, but neither the IPC nor the measurement systems have access to the internet or an intranet. They run completely autarkic/by themselves.
Thanks for any answer
Hello, can I ask whether the project can obtain time from multiple upstream servers and provide a more accurate time to the service based on it?
Hi!
Just wanted to know if it would be possible to add an environment variable to be able to sync the system clock from the Docker container?
I know it was taken off to have it as a non-privileged container. But it would be great to have the option if we want.
My reason: I run chrony as both my client and server on my server, so I kinda don't want to have 2 chrony processes if possible ^^'
Secondly, I wanted to know, if I set a volume (read-only) to the chrony.conf with my own conf file, whether it would be overwritten with the default NTP server?
Correct me if I'm wrong, but it shouldn't be able to modify it if it is mounted as read-only, right?
Bringing up the docker with the following docker compose service:
local-ntp:
  image: cturra/ntp:latest
  container_name: local-ntp
  restart: always
  privileged: true
  ports:
    - 123:123/udp
  environment:
    - NTP_SERVERS=time.google.com
    - LOG_LEVEL=0
    - TZ=Etc/GMT-4
When I try to query the NTP from my host (mac) with sntp -d 192.168.176.2
I get
sntp: Exchange failed: Timeout
sntp_exchange {
  result:     6 (Timeout)
  header:     00 (li:0 vn:0 mode:0)
  stratum:    00 (0)
  poll:       00 (1)
  precision:  00 (1.000000e+00)
  delay:      0000.0000 (0.000000000)
  dispersion: 0000.0000 (0.000000000)
  ref:        00000000 (" ")
  t_ref:      00000000.00000000 (0.000000000)
  t1:         E8D89171.D7E4CD74 (3906507121.843334999)
  t2:         00000000.00000000 (0.000000000)
  t3:         00000000.00000000 (0.000000000)
  t4:         00000000.00000000 (0.000000000)
  offset:     FFFFFFFF8B93B747.140D994600000000 (-1953253560.921667576)
  delay:      FFFFFFFF17276E8E.281B328C00000000 (-3906507121.843335152)
  mean:       0000000000000000.0000000000000000 (0.000000000)
  error:      0000000000000000.0000000000000000 (0.000000000)
  addr:       192.168.176.2
}
sntp: Clock select failed
Hello,
I've got cturra deployed on my Raspberry Pi server
My docker-compose file:
services:
  ntp:
    build: .
    image: cturra/ntp:latest
    container_name: ntp
    restart: always
    ports:
      - 123:123/udp
    cap_add:
      - SYS_TIME
    read_only: true
    tmpfs:
      - /etc/chrony:rw,mode=1750
      - /run/chrony:rw,mode=1750
      - /var/lib/chrony:rw,mode=1750
    environment:
      - NTP_SERVERS="time1.google.com,time2.google.com,time3.google.com,time4.google.com"
      - LOG_LEVEL=0
In logs I can see only this:
2022-11-22T12:17:22Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-11-22T12:17:22Z Disabled control of system clock
And NTP is not working. I've found in one of the issues that the problem can be with "libseccomp2", I've checked and found that "libseccomp2" is installed on my system.
Any suggestion?
How can I set the container so that it does not use any external internet NTP servers (like, I don't want to use servers like time.cloudflare.com)? What I want is that I will manually set the time of my host and then all NTP clients of my host should synchronise with that time.
For example, I want my time to be 10 days behind UTC.
Without Docker I was able to do this by setting the server directive for ntp to 127.127.1.0 instead of ntp.ubuntu.com. So the NTP server does not sync time with ntp.ubuntu.com; it only sends to clients whatever time is available on the server itself.
"""
version: '3.4'
services:
ntp:
build: .
image: cturra/ntp:latest
container_name: ntp
restart: always
ports:
- 123:123/udp
cap_add:
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
environment:
- NTP_SERVERS="ntp1.aliyun.com,ntp2.aliyun.com,ntp3.aliyun.com,ntp4.aliyun.com,ntp5.aliyun.com,ntp6.aliyun.com,ntp7.aliyun.com"
"""
after cmd "docker exec ntp ntpctl -s all" the result shows
"""
0/1 peers valid, clock unsynced, clock offset is -22145.517ms
peer
wt tl st next poll offset delay jitter
not resolved ntp1.aliyun.comserver ntp2.aliyun.comserver ntp3.aliyun.comserver
1 2 - 14s 15s ---- peer not valid ----
"""
So typically you run ntp to set the time of the computer. So does running this in a container affect the time of the docker host, or the other containers?
If not what is the use case for this, as a ntp relay?
I see a new version on docker hub but no file changes since 2 months on the repo. Could you validate that there is an update and what is in it?
Have you changed something in particular, or why won't the docker compose image start anymore?
```yaml
version: '3.4'
services:
  ntp:
    image: cturra/ntp-multiarch:latest
    container_name: ntp
    ports:
      - 123:123/udp
    cap_add:
      - SYS_NICE
      - SYS_RESOURCE
      - SYS_TIME
    environment:
      - NTP_SERVERS=time.cloudflare.com,it.pool.ntp.org,time.google.com
    restart: always
```
Hello,
We have been using the docker-ntp project for months, but recently we got this issue:
With the command:
docker run --name=ntp \
    --restart=always \
    --detach \
    --publish=123:123/udp \
    cturra/ntp
We got the following error message:
docker: Error response from daemon: driver failed programming external connectivity on endpoint ntp (4a4b3c16599cea9cee1802fffc845b7bdb0517e656e05fa1ad2e7ff5e021c63a): Error starting userland proxy: listen udp4 0.0.0.0:123: bind: address already in use.
This happens only on Docker for Mac version >= v3.2.0 (tested on all versions >= 3.2.0). Up to now, docker-ntp was working with no problem on Mac and Linux. If I downgrade to 3.1.0 on Mac it works. Of course, I've checked that I have
I suppose that this problem is related only to the Docker engine on Mac and has nothing to do with the docker-ntp project, but before opening an issue in the Docker for Mac project, is there anything I miss? Are there additional rights or flags needed to start this container?
Thank you for your help.
++
Herro.
Nice repo, want to use it for my NOTnet and to keep the Google IoT from spamming google.ntp all the time.
Got this container up and running about a week ago and can't get the server to sync.
I do this:
ntp:
  image: cturra/ntp:latest
  container_name: ntp
  restart: always
  ports:
    - 123:123
  links:
    - pihole
  environment:
    - NTP_SERVERS=time.cloudflare.com
    - LOG_LEVEL=0
And opened ufw 123/udp so my whole network can use this.
Doing some commands to check if it functions according to the readme.
Been trying this through my ISP and OVPN with no luck.
->
$ ntpdate -q 127.0.0.1
23 Nov 18:11:18 ntpdate[17102]: no server suitable for synchronization found
$ docker exec ntp chronyc tracking
Reference ID : 00000000 ()
Stratum : 0
Ref time (UTC) : Thu Jan 01 00:00:00 1970
System time : 0.000000000 seconds fast of NTP time
Last offset : +0.000000000 seconds
RMS offset : 0.000000000 seconds
Frequency : 0.000 ppm slow
Residual freq : +0.000 ppm
Skew : 0.000 ppm
Root delay : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status : Not synchronised
$ docker exec ntp chronyc sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
Why is this empty? :/
$ docker logs -f ntp
2022-11-23T16:57:59Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-11-23T16:57:59Z Disabled control of system clock
2022-11-23T16:57:59Z Could not read valid frequency and skew from driftfile /var/lib/chrony/chrony.drift
My NTP server address is ntp.smirnov.tk
It has IPv4 and IPv6.
Tonight the container was upgraded and some clients can't get a reply from my NTP server.
You can see it here: https://www.ntppool.org/a/smirnov
IPv4 is dead, but IPv6 is ok.
Also this service shows IPv4 dead: https://servertest.online/ntp
But this service shows IPv4 alive: https://keetweej.vanheusden.com/query_ntp.php
UPD: I used docker tag cturra/ntp:strip-quotes and now IPv4 connectivity is OK. So, I think, it's some kind of problem in chrony update.
Host: Raspberry Pi 4
OS: Ubuntu Server 20.04.1 LTS (aarch64)
This morning I tried to update my cturra/ntp container from image ID 7d5219fcd338 to 6deea110137f. The previous image launched a container just fine and was happily providing NTP services to my network.
The new image won't launch a container. It throws the error message "standard_init_linux.go:219: exec user process caused: exec format error"
Googling that message suggests that this error is likely caused by trying to run an image intended for a different architecture. But I'm not doing anything different than I did with the previous image.
The page at https://hub.docker.com/r/cturra/ntp indicates that "linux/arm64" is among the supported architectures for this image.
I'm still finding my feet with Docker, so I'm open to the possibility that I'm doing something daft without realising, but I can't work out what. The previous image worked; the current image doesn't. And I'm stumped.
Any suggestions, or clue-by-fours?