Skip to content
/ chrony Public

A minimal, configurable, secure container image for running chrony NTP server/client

chrisshort.net/tags/ntp/

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

chris-short/chrony

BranchesTags

Repository files navigation

Chrony Container

A minimal, configurable, secure container image for running chrony NTP server/client, optimized for systems without a Real-Time Clock (RTC) such as Raspberry Pi.

Image

ghcr.io/chris-short/chrony:latest

Tested Platforms

This container has been tested and verified on:

  • macOS (Docker Desktop / Podman)
  • Raspberry Pi 5 (arm64, no RTC)
  • x86_64 Linux

Features

  • RTC-free operation: Optimized configuration for devices without hardware clocks
  • Fast sync on boot: Uses makestep to quickly correct time after restart
  • Drift tracking: Maintains accuracy across reboots via persistent drift file
  • Host networking: Binds directly to host interfaces for reliable IPv4/IPv6 NTP service
  • Custom NTP servers: Includes local and public time sources for redundancy

Quick Start

Using Docker Compose

docker compose up -d

Using Docker/Podman CLI

# Build the image
docker build -t chrony:latest .

# Run with minimal configuration
docker run -d --name chrony \
  --network host \
  --cap-add SYS_TIME \
  chrony:latest

# Run with persistent drift/logs
docker run -d --name chrony \
  --network host \
  --cap-add SYS_TIME \
  -v chrony-data:/var/lib/chrony \
  -v chrony-logs:/var/log/chrony \
  chrony:latest

Podman with systemd

# Generate systemd service
podman generate systemd --new --name chrony > ~/.config/systemd/user/chrony.service
systemctl --user enable --now chrony

Docker with systemd

Create /etc/systemd/system/chrony-container.service:

[Unit]
Description=Chrony NTP Container
After=docker.service
Requires=docker.service

[Service]
Restart=always
ExecStartPre=-/usr/bin/docker rm -f chrony
ExecStart=/usr/bin/docker run --rm --name chrony \
  --network host \
  --cap-drop ALL \
  --cap-add SYS_TIME \
  -v chrony-data:/var/lib/chrony \
  ghcr.io/chris-short/chrony:latest
ExecStop=/usr/bin/docker stop chrony

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable --now chrony-container

Configuration

Custom NTP Servers

Edit chrony.conf to add your preferred NTP servers:

server your.ntp.server iburst

Serving Time to Local Network

Uncomment in chrony.conf:

allow 10.0.5.0/24

Monitoring

# Check sync status
docker exec chrony chronyc tracking

# View sources
docker exec chrony chronyc sources -v

# Check server stats
docker exec chrony chronyc serverstats

Security

Container Hardening

  • ~5MB image: Alpine Linux with only chrony package installed
  • Non-root runtime: Drops to chrony user immediately after binding port 123
  • Weekly rebuilds: Automated builds every Sunday pull the latest Alpine base image with security patches
  • Multi-architecture: Native builds for linux/amd64 and linux/arm64

Recommended Runtime Settings

Setting Purpose
cap_drop: ALL Drop all Linux capabilities
cap_add: SYS_TIME Add back only what chrony needs
read_only: true Immutable root filesystem
no-new-privileges: true Prevent privilege escalation

Reporting Security Issues

Report security vulnerabilities to: security@chrisshort.net

Tags

Tag Description
latest Most recent build from main branch
YYYYMMDD Date-stamped builds
<sha> Git commit SHA

License

MIT

About

A minimal, configurable, secure container image for running chrony NTP server/client

chrisshort.net/tags/ntp/

Topics

time clock ntp chrony clock-synchronization chronyd

Resources

Readme

License

MIT license

Security policy

Security policy
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Packages

 
 
 

Contributors 2

  •  
  •  

Languages