New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
units: disable systemd-time-sync-wait inside containers #8537
Conversation
I think this is trivial, so it's submitted, but in honesty I'm still testing it. |
This passes the testing I know how to do (container boots, no failures, systemd-time-wait-sync inactive from start condition failed). |
lgtm |
I wouldn't say I'm familiar with what is happening here because I'm still reading #8494 (and the pace of my reading appears to be too slow to keep up with you all :-)). Would it make sense to add a comment about why |
I don't think time-sync-wait has to be in sync with timesyncd; either can be enabled independently and do what they're documented to do. The only intended relation is that time-sync-wait happens to be able to detect an event that's caused by timesyncd, but it detects that event from other (non-systemd) services as well (e.g. connman). Re |
Indeed, it seems to have to be in sync with whatever is used to advance the system time, so people who will use anything different from |
The CI failure has nothing to do with this PR. I opened #8543. |
@evverx what do you mean by "in sync"? Or, what concerns you about the time-sync-wait will "work" only with something that uses the NTP standard protocol for adjusting the system realtime clock (i.e. adjtimex(2)), but that's noted in the man page. |
I'm sorry for being vague. I'll get back as soon as I've read moby/moby#33126. It seems to me that |
Having read moby/moby#33126, I can imagine scenarios where containers are able to call |
I think that it would be better to ignore |
I can imagine those scenarios exist too, but can't create one to test behavior. adjtimex(2) is not an incidental system call here that can be ignored: it defines the behavior of the service. Unless somebody mocks adjtimex(2) the benefit of allowing systemd-time-sync-wait to run in a container isn't clear: it would have to either run forever (pretend it failed to get a sync) or exit immediately (pretend it got a sync). The former path doesn't seem useful, and the latter is indistinguishable from either failure or blocking the service by condition in its effect on I know nothing about seccomp. I'd be willing to remove |
If moby/moby#33403 has been released, any docker container could be used to test this. A more There are people who put everything in containers, so it is possible that containers are being started before or in parallel with |
That's true. Maybe it would be better to add something like |
I may be missing the idea behind |
Anyway, this PR fixes #8535 in the sense that |
I don't use containers and in fact it never crossed my mind to consider them: I need In such a case, as in any other case where the environment does not support indication that the realtime clock is synchronized the service should be disabled. Hacking the unit file to do this automatically based on Adding the following might be worthwhile:
|
On second thought, it seems that Thank you! |
Hmm, is it really a realistic usecase to run some NTP server in one docker container, and this new tool in a second one, and expect it to work? I am not sure this is likely to ever happen... |
…SYS_TIME As requested by @evverx in systemd#8537 (comment)
I doubt anyone would run an |
…SYS_TIME (#8555) As requested by @evverx in #8537 (comment)
What I don't understand is why the CI didn't run |
Fixes #8535