NTP server on LXC container with read only for system clock

I have set up a GNSS-steered PTP Grandmaster on my network and have my Proxmox host synced via hardware timestamping. It seems you cannot have both hardware and software at the same time, so I was figuring on setting chrony in an LXC container to serve the rest of the clients in my homelab. So far, I have yet to find a configuration that will not complain about permissions to adjust the system clock and just accept the host clock as it is in read-only. Any suggestions on this setup?

Welcome to the forum!

According to the documentation, if you start chronyd with the -x option then it does not attempt to control the system clock. The docs explicitly mention containers as a possible use case.

Does that work for you? What else have you already tried?

Just a follow-up: if one was running their server, say at Digital Ocean in a droplet, would you also use the -x option?

I tried the -x option and it still complained and would not start. I could try to make it a privileged container, but before I do that was hoping someone already had a solution.

Well, I run it in a container that is not allowed to access the RTC.
My service / systemd looks like this:

● chrony.service - chrony, an NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chrony.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-11-07 15:06:17 CET; 3 months 12 days ago
 Invocation: 0272d52e89ce4cf681751524e5755344
       Docs: man:chronyd(8)
             man:chronyc(1)
             man:chrony.conf(5)
   Main PID: 12667 (chronyd)
      Tasks: 2 (limit: 38221)
     Memory: 34.1M
     CGroup: /system.slice/chrony.service
             ├─12667 /usr/sbin/chronyd -n -F 1 -x
             └─12668 /usr/sbin/chronyd -n -F 1 -x

Options are set in /etc/default/chrony, and in chrony.conf I unmarked these:

# Stop bad estimates upsetting machine clock.
# maxupdateskew 100.0

# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
# rtcsync

In systemd you need to alter the chrony.service file to this:

[Unit]
Description=chrony, an NTP client/server
Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
Conflicts=openntpd.service ntp.service ntpsec.service
ConditionVirtualization=|!container
ConditionVirtualization=|wsl
#ConditionCapability=CAP_SYS_TIME
ConditionCapability=

This is to stop it trying to mess with the host clock of the container. Then it should run; it does for me.
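An added example, not part of the thread: systemd evaluates ConditionCapability= against the capability bounding set of the service manager, so this script reads CapBnd for PID 1 and reports whether CAP_SYS_TIME (capability number 25) is there or whether chronyd has to run serve-only with -x. The function names and the two sample status texts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does the service manager's capability
# bounding set allow clock steering, or must chronyd run serve-only with -x?
CAP_SYS_TIME_BIT=25   # CAP_SYS_TIME in <linux/capability.h>

# has_cap_sys_time MASK -> 0 if bit 25 is set, 1 if clear, 2 if MASK is not hex.
has_cap_sys_time() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# Read /proc/<pid>/status text on stdin and print the CapBnd hex mask.
capbnd_from_status() {
    awk '$1 == "CapBnd:" { print $2; exit }'
}

# clock_mode STATUS_TEXT -> prints steer | serve-only | unknown
clock_mode() {
    mask=$(printf '%s\n' "$1" | capbnd_from_status)
    rc=0
    has_cap_sys_time "$mask" || rc=$?
    case $rc in
        0) echo steer ;;
        1) echo serve-only ;;
        *) echo unknown ;;
    esac
}

# Constructed samples: a full bounding set, and one with bit 25 cleared.
SAMPLE_FULL='Name: systemd
CapBnd: 000001ffffffffff'
SAMPLE_DROPPED='Name: systemd
CapBnd: 000001fffdffffff'

# Report for the running system when /proc is available.
if [ -r /proc/1/status ]; then
    case $(clock_mode "$(cat /proc/1/status)") in
        steer) echo "CAP_SYS_TIME present: chronyd can discipline the clock" ;;
        serve-only) echo "CAP_SYS_TIME absent: use chronyd -x; ConditionCapability=CAP_SYS_TIME skips the unit" ;;
        *) echo "could not read CapBnd for PID 1" ;;
    esac
fi
```

Run it inside the container; a serve-only result matches the setup in the post above, where chronyd is started with -x and the capability condition is cleared.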

I did finally figure it out. I had to add user= and group= to the systemd service, leaving the user and group name blank. After that the service was able to start. Hopefully this helps someone else.

I run it as root, so it’s not a problem of user-rights.