LXC is actually capable of managing both VMs and containers, so it depends on what you’ve selected as to what the correct answer is here, but the most important thing is: no, it’s not best practice to disable NTP on the host. It’s best practice to make the host as accurate as possible. If you’re running chrony in a container, it can’t control the system clock unless you’ve given it explicit permissions to do so. Better to have the host do the time sync and the container just be used for serving that time to the pool.
In fact, Chrony doesn’t need the systemclock at all.
It can work out the correct time after a few minutes by comparing other servers.
But if you have a connection or container with a lot of jitter or CPU-speed changes, it can not work out the exact time. As such it doesn’t know what source to trust/select.
As you have seen in the logs, where it can’t decide.
When running Chrony in a container, give this in /etc/default/chrony:
DAEMON_OPTS="-F 1 -x"
Then it won’t use the systemclock (if absent) or tries to regulate it.
Let the container-chrony run on it’s own, it will work out the correct time and serve as such.
Chrony doesn’t need the RTC to function, it will work perfectly without.
This is mine in a container, using those parameters and serving the right time:
root@stun:~# chronyc tracking
Reference ID : 4D6D5A48 (heppen.be)
Stratum : 2
Ref time (UTC) : Sun Mar 31 14:07:11 2024
System time : 0.001944188 seconds fast of NTP time
Last offset : +0.000042983 seconds
RMS offset : 0.000043745 seconds
Frequency : 0.626 ppm fast
Residual freq : +0.010 ppm
Skew : 0.841 ppm
Root delay : 0.019564660 seconds
Root dispersion : 0.000426578 seconds
Update interval : 16.0 seconds
Leap status : Normal
As you can see the system-time isn’t very accurate, yet Chrony knows what it should be and serves perfectly.
Thanks for the info and for the posts!
I enabled chrony again on the proxmox host. On the LXC running chrony server, Im using the -x parameter, so its not touching the system clock. I agree this makes most sense.
That is bad advice. What if those “good” servers become “not good”? You need to give the NTP service the option to switch away from it if its time quality decreases.
Good advice would be: configure additional remote sources which can be used to improve the calculations and fill in for your usual stratum 1 if necessary. If your usual source is really “good”, then it will be selected as the sync peer anyway.
That is factually incorrect. It doesn’t need to write the system clock. It (and virtually every other process) absolutely needs to be able to read the system clock. Otherwise, it wouldn’t know the time on the local system and would have no way of determining how fast or slow of UTC it is.
