DISCLAIMER FOR REDDIT USERS ⚠️
- You’ll find the source code for the image on my github repo: 11notes/chrony or at the end of this post
- You can debug distroless containers. Check my RTFM/distroless for an example on how easily this can be done
- If you prefer the original image or any other image provider, that is fine, it is your choice and as long as you are happy, I am happy
- No, I don’t plan to make a PR to the original image, because that PR would be huge and require a lot of effort and I have other stuff to attend to than to fix everyone’s Docker images
- No AI was used to write this post or to write the code for my images! The README.md is generated by my own github action based on the project.md template, there is no LLM involved, even if you hate emojis
INTRODUCTION 📢
chrony is a versatile implementation of the Network Time Protocol (NTP). It can synchronise the system clock with NTP servers, reference clocks (e.g. a GPS receiver), and manual input using wristwatch and keyboard.
SYNOPSIS 📖
What can I do with this? Run chrony as an NTP server for your network, pure and simple, maximized for performance and security. If you plan to run this in production, make sure you stand up multiple NTP instances, put them behind a load balancer and use virtual IPs. Pair this image with a GPS USB antenna and you can run your own Stratum 1 NTP server for your entire network.
UNIQUE VALUE PROPOSITION 💶
Why should I run this image and not the other image(s) that already exist? Good question! Because …
- … this image runs rootless as 1000:1000
- … this image has no shell since it is distroless
- … this image is auto updated to the latest version via CI/CD
- … this image has a health check
- … this image runs read-only
- … this image is automatically scanned for CVEs before and after publishing
- … this image is created via a secure and pinned CI/CD process
- … this image is very small
If you value security, simplicity and optimizations to the extreme, then this image might be for you.
COMPARISON 🏁
Below you find a comparison between this image and the most used or original one.
| image | 11notes/chrony:4.7 | dockurr/chrony |
| --- | --- | --- |
| image size on disk | 1.18MB | 15.4MB |
| process UID/GID | 1000/1000 | 0/0 |
| distroless? | ✅ | ❌ |
| rootless? | ✅ | ❌ |
VOLUMES 📁
/chrony/etc - Directory of your config
DEFAULT CONFIG 📑
```conf
pool ch.pool.ntp.org iburst maxsources 5
pool ntp.ubuntu.com iburst maxsources 5
maxupdateskew 10.0
makestep 1 -1
clientloglimit 268435456
driftfile /run/chrony/drift
allow all
```
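Once a container running with this config is reachable on 123/udp, the quickest end-to-end check is a raw NTP query rather than trusting the health check alone. The script below is an added example, not code from the original post or from the 11notes/chrony image; it uses only the Python standard library. It builds the 48-byte NTPv4 client packet, parses the mode-4 reply, rejects any reply whose Origin Timestamp does not echo our own Transmit Timestamp (so a stray or forged datagram is not accepted as an answer), recognises a Kiss-o'-Death reply (stratum 0 with an ASCII kiss code such as RATE in the refid), and computes clock offset and round-trip delay from the four timestamps. The host `127.0.0.1` and all function names are assumptions of this example; `build_server_reply` only fabricates a reply so the logic can be exercised offline and is not something a real server does for you.

```python
# Added example: minimal NTPv4 client to verify a chrony instance from the network.
# Not part of the 11notes/chrony image. Standard library only.
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET_LEN = 48             # header only, no extension fields


def to_ntp_timestamp(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    fraction = min(int((unix_seconds - whole) * (1 << 32)), 0xFFFFFFFF)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | fraction


def from_ntp_timestamp(ts):
    """64-bit NTP timestamp -> Unix time (float)."""
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(t1):
    """48-byte NTPv4 client packet (LI=0, VN=4, Mode=3) carrying our transmit time t1."""
    pkt = bytearray(NTP_PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 3                        # 0x23
    struct.pack_into("!Q", pkt, 40, to_ntp_timestamp(t1))   # Transmit Timestamp field
    return bytes(pkt)


def parse_packet(data):
    """Decode the NTPv4 header (RFC 5905, section 7.3) into a dict of raw fields."""
    if len(data) < NTP_PACKET_LEN:
        raise ValueError("NTP packet too short: %d bytes" % len(data))
    li_vn_mode, stratum, poll, precision = struct.unpack_from("!BBbb", data, 0)
    root_delay, root_disp = struct.unpack_from("!II", data, 4)
    ref_ts, orig_ts, recv_ts, xmit_ts = struct.unpack_from("!QQQQ", data, 16)
    return {
        "leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay / 65536.0,          # 16.16 fixed-point seconds
        "root_dispersion": root_disp / 65536.0,
        "ref_id": data[12:16],
        "ref_ts": ref_ts, "orig_ts": orig_ts, "recv_ts": recv_ts, "xmit_ts": xmit_ts,
    }


def evaluate_reply(data, t1, t4):
    """Validate a reply against our request (t1 = sent, t4 = received, Unix floats)
    and return stratum, reference id, offset and delay."""
    r = parse_packet(data)
    if r["mode"] != 4:
        raise ValueError("not a server reply (mode %d)" % r["mode"])
    # The server must echo our Transmit Timestamp as Origin Timestamp; anything
    # else was not an answer to this request and is discarded.
    if r["orig_ts"] != to_ntp_timestamp(t1):
        raise ValueError("origin timestamp mismatch: reply does not belong to our request")
    if r["stratum"] == 0:
        # Kiss-o'-Death: the refid carries an ASCII kiss code (e.g. RATE = back off)
        return {"stratum": 0, "kiss_code": r["ref_id"].decode("ascii", "replace")}
    t2 = from_ntp_timestamp(r["recv_ts"])
    t3 = from_ntp_timestamp(r["xmit_ts"])
    offset = ((t2 - t1) + (t3 - t4)) / 2          # how far our clock is from the server
    delay = (t4 - t1) - (t3 - t2)                 # round trip minus server processing time
    # Stratum 1 puts an ASCII source name (e.g. GPS) in refid; higher strata put
    # the IPv4 address (or an IPv6 hash) of the upstream source.
    if r["stratum"] == 1:
        ref = r["ref_id"].rstrip(b"\0").decode("ascii", "replace")
    else:
        ref = ".".join(str(b) for b in r["ref_id"])
    return {"stratum": r["stratum"], "ref_id": ref, "leap": r["leap"],
            "offset": offset, "delay": delay, "root_dispersion": r["root_dispersion"]}


def build_server_reply(stratum, ref_id, orig_ts, t2, t3):
    """Constructed mode-4 reply for offline testing only (NOT from a real server)."""
    pkt = bytearray(NTP_PACKET_LEN)
    pkt[0] = (4 << 3) | 4                         # LI=0, VN=4, Mode=4 -> 0x24
    pkt[1] = stratum
    pkt[12:16] = ref_id.ljust(4, b"\0")[:4]
    struct.pack_into("!QQQ", pkt, 24, orig_ts, to_ntp_timestamp(t2), to_ntp_timestamp(t3))
    return bytes(pkt)


def query(host, port=123, timeout=2.0):
    """Send one request to host:port and evaluate the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_client_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return evaluate_reply(data, t1, t4)


if __name__ == "__main__":
    try:
        # assumption: the container's 123/udp is published on localhost
        print(query("127.0.0.1"))
    except (OSError, ValueError) as exc:
        print("query failed:", exc)
```

A healthy answer from the image above shows stratum 2 or 3 with the pool server it synced to as `ref_id`, an offset of a few milliseconds and `leap` equal to 0; with a GPS reference clock attached you should see stratum 1 and `ref_id` `GPS`. A `kiss_code` of `RATE` means the server is asking this client to poll less often.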
COMPOSE ✂️
```yaml
name: "chrony"
services:
  app:
    image: "11notes/chrony:4.7"
    read_only: true
    environment:
      TZ: "Europe/Zurich"
    volumes:
      - "etc:/chrony/etc"
    ports:
      - "123:123/udp"
    tmpfs:
      # tmpfs volume because of read_only: true
      - "/run/chrony:mode=0770,uid=1000,gid=1000"
    sysctls:
      # allow rootless container to access ports < 1024
      net.ipv4.ip_unprivileged_port_start: 123
    restart: "always"
volumes:
  etc:
```
SOURCE 💾
💬 Discussion r/selfhosted (146 points, 52 comments)