cturra / docker-ntp Goto Github PK

Herro.

Nice repo, want to use for my NOTnet and to keep the google IOT to spam google.ntp all the time
Got this container up and running about a week and can't get the server to synq.

I do this:
ntp:
image: cturra/ntp:latest
container_name: ntp
restart: always
ports:
- 123:123
links:
- pihole
environment:
- NTP_SERVERS=time.cloudflare.com
- LOG_LEVEL=0

And open ufw 123/udp so my whole network can use this.

Doing some commands to check if it functions according to readme
Been trying this through my ISP and ovpn with no luck.

->

$ ntpdate -q 127.0.0.1
23 Nov 18:11:18 ntpdate[17102]: no server suitable for synchronization found

$ docker exec ntp chronyc tracking
Reference ID : 00000000 ()
Stratum : 0
Ref time (UTC) : Thu Jan 01 00:00:00 1970
System time : 0.000000000 seconds fast of NTP time
Last offset : +0.000000000 seconds
RMS offset : 0.000000000 seconds
Frequency : 0.000 ppm slow
Residual freq : +0.000 ppm
Skew : 0.000 ppm
Root delay : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status : Not synchronised

$ docker exec ntp chronyc sources
MS Name/IP address Stratum Poll Reach LastRx Last sample

===============================================================================
why is this emty ? :/

$ docker logs -f ntp
2022-11-23T16:57:59Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-11-23T16:57:59Z Disabled control of system clock
2022-11-23T16:57:59Z Could not read valid frequency and skew from driftfile /var/lib/chrony/chrony.drift

inspecting my dns log i have found that there are a lot ptr requests to the ip of time.cloudflare.com.
Is this normal?

"""
version: '3.4'

services:
ntp:
build: .
image: cturra/ntp:latest
container_name: ntp
restart: always
ports:
- 123:123/udp
cap_add:
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
environment:
- NTP_SERVERS="ntp1.aliyun.com,ntp2.aliyun.com,ntp3.aliyun.com,ntp4.aliyun.com,ntp5.aliyun.com,ntp6.aliyun.com,ntp7.aliyun.com"
"""
after cmd "docker exec ntp ntpctl -s all" the result shows
"""
0/1 peers valid, clock unsynced, clock offset is -22145.517ms

peer
wt tl st next poll offset delay jitter
not resolved ntp1.aliyun.comserver ntp2.aliyun.comserver ntp3.aliyun.comserver
1 2 - 14s 15s ---- peer not valid ----
"""

Hey,

it's me again.
I have a question: Is it possible to run the server offline or more like in an (mini) intranet? I have an IPC (industrial pc) which is connected to sensor measurement systems, those systems should be synchronized in time, but neither the IPC nor the measurement systems have access to the internet or intranet they run complete autak/by there self.

Thanks for any answer

For systems without internet connectivity, it would be nice to have an option to use the system clock as a time source. I've managed (trough command injection :P) to set chrony to use the system clock with NTP_SERVERS set to --env=NTP_SERVERS="$(printf "%s\n%s\n%s" 127.127.1.0 "local stratum 10" "# ")" which resutls in the following /etc/chrony/chrony.conf file:

# https://github.com/cturra/docker-ntp

# chrony.conf file generated by startup script
# located at /opt/startup.sh

# time servers provided by NTP_SERVER environment variables.
server 127.127.1.1
local stratum 10
#  iburst

driftfile /var/lib/chrony/chrony.drift
makestep 0.1 3
rtcsync

allow all

from my testing, it looks like local stratum 10 is required for this to work, no idea why.

As the tittle say.

It would be nice to use NTS servers with the docker container.
This would improve security and most well known NTP server is capable of NTS such as Cloudflare.

RFC link: https://www.rfc-editor.org/rfc/rfc8915

My NTP server address is ntp.smirnov.tk
It has IPv4 and IPv6.

Today night container was upgraded and some clients can't get reply from my NTP server.

You can see it here: https://www.ntppool.org/a/smirnov
IPv4 is dead, but IPv6 is ok.

Also this service shows IPv4 dead: https://servertest.online/ntp

But this service shows IPv4 alive: https://keetweej.vanheusden.com/query_ntp.php

UPD: I used docker tag cturra/ntp:strip-quotes and now IPv4 connectivity is OK. So, I think, it's some kind of problem in chrony update.

Hello,
Apparently, the main branch has been suppressed (and renamed to main?).
This causes issues in CI systems which track the master branches.
Would it be possible to restore the master branch or at least, to create version tags?

https://hub.docker.com/r/cturra/ntp/tags

should have specific release tags to lock to a specific version

Hello, can I ask whether the project can obtain time from multiple upstream servers and provide a more accurate time to the service based on it

here is my docker-compose.yml file content
`
version: '3.4'

services:
ntp:
image: cturra/ntp:latest
container_name: ntp
restart: always
ports:
- 123:123/udp
cap_add:
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
environment:
- NTP_SERVERS="time.pool.aliyun.com"
`
the clock was not synced. so i checked the ntp peers and found the server name was "time*.google.com", clearly the var(NTP_SERVERS) was not setted gracefully.

Hey nice project!
it runs like a charm but i have the problem, that my server is not stable. I tried a lot of different ntp servers to sync with but even over an hour it is not stable.
I started the server yesterday and even today when i checked the server was not stable:
just a few sudo docker exec ntp ntpctl -s status outputs within 5 minutes:

4/4 peers valid, clock unsynced, clock offset is 591.872ms
4/4 peers valid, clock unsynced, clock offset is 582.678ms
4/4 peers valid, clock unsynced, clock offset is 558.124ms
4/4 peers valid, clock unsynced, clock offset is 549.455ms
4/4 peers valid, clock unsynced, clock offset is -18161.083ms
4/4 peers valid, clock unsynced, clock offset is -18019.615ms
4/4 peers valid, clock unsynced, clock offset is -17914.237ms
4/4 peers valid, clock unsynced, clock offset is -16150.951ms
4/4 peers valid, clock unsynced, clock offset is -9582.942ms

sudo docker exec ntp ntpctl -s peers

peer
   wt tl st  next  poll          offset       delay      jitter
94.16.113.67 0.de.pool.ntp.org
    1  9  2   30s 3167s     -1710.079ms 11807.145ms  33665.677ms
78.46.253.198 1.de.pool.ntp.org
    1 10  2   22s   32s       580.689ms 10336.151ms  31168.227ms
162.159.200.1 2.de.pool.ntp.org
    1 10  3  730s 3287s    -16167.813ms    23.444ms     1.365ms
91.202.42.81 3.de.pool.ntp.org
    1  9  2  151s 3288s     -1709.630ms 11807.984ms  33665.965ms

what i have tried as servers so far:

• default (time.cloudflare.com)
• google (time1.google.com,time2.google.com,time3.google.com,time4.google.com)
• unspecific pool.ntp.org (pool.ntp.org)
• specific pool.ntp.org (0.de.pool.ntp.org,1.de.pool.ntp.org,2.de.pool.ntp.org,3.de.pool.ntp.org)

the unspecific pool.ntp.org worked the best so far - got a stable server after like 2 minutes but not for long.

Im running the docker container on an ubuntu 16.04 server - Docker version 18.09.3, build 774a1f4

hope someone got an idea.

The server accesses IP address 162.159.200.1 (time.cloudflare.com) every 64.5 seconds.
How can I increase the time synchronization interval? So that the time is synchronized (with the remote Cloudflare server) every 10 minutes.

My docker environment is running in an unprivilged lxc container.
When I try to run docker-ntp I receive following error.
ntp | 2020-12-27T09:09:51Z chronyd version 3.5.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS -SECHASH +IPV6 -DEBUG)
ntp | 2020-12-27T09:09:51Z Fatal error : adjtimex(0x8001) failed : Operation not permitted

cturra/ntp:latest "/bin/sh /opt/startu…" 13 seconds ago Restarting (1) 4 seconds ago

Do you have a hint?

Bringing up the docker with the following docker compose service:

  local-ntp:
    image: cturra/ntp:latest
    container_name: local-ntp
    restart: always
    privileged: true
    ports:
      - 123:123/udp
    environment:
      - NTP_SERVERS=time.google.com
      - LOG_LEVEL=0
      - TZ=Etc/GMT-4

When I try to query the NTP from my host (mac) with sntp -d 192.168.176.2 I get

sntp: Exchange failed: Timeout
sntp_exchange {
        result: 6 (Timeout)
        header: 00 (li:0 vn:0 mode:0)
       stratum: 00 (0)
          poll: 00 (1)
     precision: 00 (1.000000e+00)
         delay: 0000.0000 (0.000000000)
    dispersion: 0000.0000 (0.000000000)
           ref: 00000000 ("    ")
         t_ref: 00000000.00000000 (0.000000000)
            t1: E8D89171.D7E4CD74 (3906507121.843334999)
            t2: 00000000.00000000 (0.000000000)
            t3: 00000000.00000000 (0.000000000)
            t4: 00000000.00000000 (0.000000000)
        offset: FFFFFFFF8B93B747.140D994600000000 (-1953253560.921667576)
         delay: FFFFFFFF17276E8E.281B328C00000000 (-3906507121.843335152)
          mean: 0000000000000000.0000000000000000 (0.000000000)
         error: 0000000000000000.0000000000000000 (0.000000000)
          addr: 192.168.176.2
}
sntp: Clock select failed

So typically you run ntp to set the time of the computer. So does running this in a container affect the time of the docker host, or the other containers?

If not what is the use case for this, as a ntp relay?

Wondering if there is a variable like NTP_SERVERS for NTS sources.

I am trying to spin up this ntp server in a docker swarm. The container is never able to spin up even though it works locally.

Hi,
I have the following docker-compose file:
version: '3.4'
services:
ntp:
#build: .
image: cturra/ntp:latest
container_name: ntp
restart: always
ports:
- 123:123/udp
cap_add:
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
environment:
- NTP_SERVERS=time.cloudflare.com

I tried to run it on my ArchLinux Odroid C2 Server but I always get the error:
ntp | standard_init_linux.go:211: exec user process caused "exec format error"

Then I copied the same docker-compose file to my Macbook Pro and ran it there with Docker-Compose up and everything just worked out of the box.

I prefer using Docker-Compose instead of Dockerfile.
Is there any chance I can run my personal ntp server on the Odroid?
When I googled the error message I came across a post where someone has written that it is a architecture problem.

Am I only stupid and don't get it to run, or is my assumption true?
I'm new to Docker, so pardon me if I made a stupid mistake or if I don't get something right. But I think I 'understood' how docker should be running.

Kind regards,
Daniel Oberlechner

Hi,
I'm running your ntp Docker container on a Raspberry Pi, and the last update seems to have broken it.

Here are my logs:

ntp              | +588592596-05-04T01:24:56Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6 -DEBUG)
ntp              | +588384768-06-10T08:00:24Z Fatal error : clock_gettime() failed : Operation not permitted
ntp              | +624270944-01-21T11:54:16Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6 -DEBUG)
ntp              | +624063116-02-27T18:29:44Z Fatal error : clock_gettime() failed : Operation not permitted
ntp              | +695627639-07-24T16:14:32Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6 -DEBUG)
ntp              | +695419811-08-30T22:50:00Z Fatal error : clock_gettime() failed : Operation not permitted

... and it goes on and on.

Here's my docker-compose.yml setup:

ntp:
    image: cturra/ntp:latest
    container_name: ntp
    restart: always
    ports:
      - 123:123/udp
    cap_add:
      - SYS_TIME
    read_only: true
    tmpfs:
      - /etc/chrony:rw,mode=1750
      - /run/chrony:rw,mode=1750
      - /var/lib/chrony:rw,mode=1750
    environment:
      - NTP_SERVERS=time.cloudflare.com

I tried both with and without the SYS_TIME privilege, no difference.

Any help would be appreciated!

Hello,
I've got cturra deployed on my Raspberry Pi server
My docker -compose file:

 services:
                  ntp:
                    build: .
                    image: cturra/ntp:latest
                    container_name: ntp
                    restart: always
                    ports:
                      - 123:123/udp
                    cap_add:
                      - SYS_TIME
                    read_only: true
                    tmpfs:
                      - /etc/chrony:rw,mode=1750
                      - /run/chrony:rw,mode=1750
                      - /var/lib/chrony:rw,mode=1750
                    environment:
                      - NTP_SERVERS="time1.google.com,time2.google.com,time3.google.com,time4.google.com"
                      - LOG_LEVEL=0

In logs I can see only this:

          2022-11-22T12:17:22Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
            2022-11-22T12:17:22Z Disabled control of system clock

And NTP is not working. I've found in one of the issues that the problem can be with "libseccomp2", I've checked and found that "libseccomp2" is installed on my system.
Any suggestion?

Hi

Has this been rebuilt?
Docker advises a new push 6 days ago but I can't see any changes here?

https://hub.docker.com/r/cturra/ntp shows an update 6 days ago (6th Dec) but no changes in src?

I see a new version on docker hub but no file changes since 2 months on the repo. Could you validate that there is an update and what is in it?

Have you changed something in partikular or why won't the docker compose image not start anymore?

version: '3.4'

services:
ntp:
image: cturra/ntp-multiarch:latest
container_name: ntp
ports:
- 123:123/udp
cap_add:
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
environment:
- NTP_SERVERS=time.cloudflare.com,it.pool.ntp.org,time.google.com
restart: always
`

• local NTP_SERVERS :

--env=NTP_SERVERS="127.127.1.1"

// if [[ "${N_CLEANED}" == "127\."* ]]  is false 
// if [[ "${N_CLEANED}" == "127."* ]]   is true 

if [[ "${N_CLEANED}" == "127\."* ]]; then 
    echo "server "${N_CLEANED} >> ${CHRONY_CONF_FILE}
    echo "local stratum 10"    >> ${CHRONY_CONF_FILE}

  # found external time servers
  else
    echo "server "${N_CLEANED}" iburst" >> ${CHRONY_CONF_FILE}
  fi

is it a bug ?

Clicking on the "Build status" or "Number of pulls" at the top of the Readme are pointing to

https://hub.docker.com/r/cturra/dropbox/

which is obviously something else....

Hello,
We are using the docker-ntp projects for month but recently we got this issue:

With the command:

docker run --name=ntp
--restart=always
--detach
--publish=123:123/udp
cturra/ntp

We got the following error message :
docker: Error response from daemon: driver failed programming external connectivity on endpoint ntp (4a4b3c16599cea9cee1802fffc845b7bdb0517e656e05fa1ad2e7ff5e021c63a): Error starting userland proxy: listen udp4 0.0.0.0:123: bind: address already in use.

this happens only on docker Mac version >= v3.2.0 (tested on all the version >= 3.2.0. Up to now, the docker-ntp was working with no problem on Mac and Linux. If I downgrade to 3.1.0 on Mac it works. Of course, i'v checked that I have
I suppose that this problem is related only to the docker engine on Mac and has nothing to do with the docker-ntp project, but before opening an issue in the docker Mac project, is there anything is miss ? I there additional rights or flags to start this container ?

Thank you for your help.
++

Is there an easy way to "poke" your container (once running) with a new set of NTP servers, without having to restart it?

I don't think Docker allows modifying environment variables once a container is running, besides I think your startup.sh script would have to re-run.

Could I modify the /etc/chrony/chrony.conf file instead? Does chrony cache the servers once it runs, or does it always parse the file?

Hi!
Just wanted to know if it would be possible to add an environment variable to be able to sync the system clock from the docker container?
I know it was taken off to have it as not a privilege container. But it would be great to have the option if we want.
My reason, i run chrony as both my client and server on my server, so i kinda don't want to have 2 chrony process if possible ^^'

Secondly i wanted to know if by setting a volume (read-only) to the chrony.conf, with my own conf file, if it would be overwritten with the default ntp server?
Correct me if i'm wrong but it shouldn't be able to modify it, if it is mounted as read-only right?

Host: Raspberry Pi 4
OS: Ubuntu Server 20.04.1 LTS (aarch64)

This morning I tried to update my cturra/ntp container from image ID 7d5219fcd338 to 6deea110137f. The previous image launched a container just fine and was happily providing NTP services to my network.

The new image won't launch a container. It throws the error message "standard_init_linux.go:219: exec user process caused: exec format error"

Googling that message suggests that this error is likely caused by trying to run an image intended for a different architecture. But I'm not doing anything different than I did with the previous image.

The page at https://hub.docker.com/r/cturra/ntp indicates that "linux/arm64" is among the supported architectures for this image.

I'm still finding my feet with Docker, so I'm open to the possibility that I'm doing something daft without realising, but I can't work out what. The previous image worked; the current image doesn't. And I'm stumped.

Any suggestions, or clue-by-fours?

Seems to be working, but I do see perm issue a lot in the log. Running in Docker on a RPi4 and an Intel Nuc not with the 'higher security option. Log is pulled from the rpi4, similar on the nuc. Volumes: /var/lib/chrony /etc/chrony /run/chrony Build: cturra/docker-ntp build-date:- 2022-02-27T03:59:53+0000

Thanks! And thanks for the docker image!

2022-07-06T01:54:05Z Wrong permissions on /var/run/chrony
2022-07-06T01:54:05Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-06T01:54:05Z Disabled control of system clock
2022-07-06T01:54:11Z Selected source 69.89.207.99 (0.north-america.pool.ntp.org)
2022-07-06T01:54:58Z chronyd exiting
2022-07-06T01:55:05Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-07-06T01:55:05Z Wrong permissions on /var/run/chrony
2022-07-06T01:55:05Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-06T01:55:05Z Disabled control of system clock
2022-07-06T01:55:10Z Selected source 142.147.88.111 (2.north-america.pool.ntp.org)
2022-07-06T01:55:11Z Selected source 192.5.41.209 (ntp2.usno.navy.mil)
2022-07-06T02:45:40Z chronyd exiting
2022-07-06T02:45:56Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-07-06T02:45:56Z Wrong permissions on /var/run/chrony
2022-07-06T02:45:56Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-06T02:45:56Z Disabled control of system clock
2022-07-06T02:47:34Z Forward time jump detected!
2022-07-06T02:47:40Z Selected source 192.5.41.209 (ntp2.usno.navy.mil)
2022-07-10T07:24:52Z Source 68.171.16.4 replaced with 45.32.207.136 (0.north-america.pool.ntp.org)
2022-07-12T15:41:16Z chronyd exiting
2022-07-12T15:41:32Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-07-12T15:41:32Z Wrong permissions on /var/run/chrony
2022-07-12T15:41:32Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-12T15:41:32Z Disabled control of system clock
2022-07-12T15:43:07Z Selected source 192.5.41.209 (ntp2.usno.navy.mil)
2022-07-12T15:44:20Z Source 129.146.64.32 replaced with 72.14.183.239 (0.north-america.pool.ntp.org)
2022-07-19T14:33:34Z chronyd exiting
2022-07-19T14:33:51Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2022-07-19T14:33:51Z Wrong permissions on /var/run/chrony
2022-07-19T14:33:51Z Disabled command socket /var/run/chrony/chronyd.sock
2022-07-19T14:33:51Z Disabled control of system clock
2022-07-19T14:35:30Z Forward time jump detected!
2022-07-19T14:35:36Z Selected source 192.5.41.209 (ntp2.usno.navy.mil)

how can i set container so that it does not uses any exteranl internet ntp servers(like I dont want to use servers like time.cloudfare.com). What I want is that I will manually set time of my host and then all ntp clients of my host should synchronise with that time.
For example I want my time to 10 days behind utc.

Without docker I was able to do this by setting the server directive for ntp as (127.127.1.0),intead of ntp.ubuntu.com. So the ntp server do not syncs time with ntp.ubuntu.com, it only sends to client what time is available on server itself.