Available patches from Ubuntu

To see the Ubuntu differences with respect to Debian, write down a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: chrony

chrony (3.5-9ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable (LP: #1878005). Remaining changes:
    - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664 1754358)
    - Set -x as default if unable to set time (e.g. in containers) (LP 1589780)
      Chrony is a single service which acts as both NTP client (i.e. syncing
      the local clock) and NTP server (i.e. providing NTP services to the
      network), and that is both desired and expected in the vast majority of
      cases. But in containers syncing the local clock is usually impossible,
      but this shall not break the providing of NTP services to the network.
      To some extent this makes chrony's default config more similar to
      'ntpd', which complained in syslog but still provided NTP server
      service in those cases.
      + debian/chrony.service: allow the service to run without CAP_SYS_TIME
      + debian/control: add new dependency libcap2-bin for capsh (usually
        installed anyway, but make them explicit to be sure).
      + debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back
        (Default off) [fixed a minor typo in the comment in this update]
      + debian/ wrapper to handle special cases in containers and if
        CAP_SYS_TIME is missing. Effectively allows to run NTP server in
        containers on a default installation and avoid failing to sync time
        (or if allowed to sync, avoid multiple containers to fight over it by
        accident).
      + debian/install: make available on install.
      + debian/docs, debian/README.container: provide documentation about the
        handling of this case.
    - d/t/control: harden time-sources-from-dhcp-servers test for systemd
      change (LP: 1873031)
  * Dropped changes [in Debian now]
    - d/t/upstream-system-tests: stop chrony/systemd-timesynd before tests
    - d/t/upstream-system-tests: fix stderr in case services do not exist
    - Stop starting systemd-timesyncd in postrm. This is no longer relevant
      since systemd-timesyncd is a standalone package declaring
      Conflicts/Replaces/Provides: time-daemon. (Closes 955773, LP: 1872183)
    - d/postrm: Reinstate the remove target (LP: 1873810)

 -- Christian Ehrhardt <> Wed, 20 May 2020 09:57:39 +0200

Modifications:
  1. Download patch debian/tests/control

    --- 3.5-9/debian/tests/control 2020-05-19 14:42:18.000000000 +0000 +++ 3.5-9ubuntu1/debian/tests/control 2020-05-20 07:57:39.000000000 +0000 @@ -4,7 +4,8 @@ Restrictions: isolation-container, build Tests: time-sources-from-dhcp-servers Depends: @, isc-dhcp-server, isc-dhcp-client, iproute2, kmod -Restrictions: isolation-machine, needs-root +# allow-stderr is needed until systemd fixed LP: 1873031 +Restrictions: isolation-machine, needs-root, allow-stderr Features: test-name=run_system_tests Test-Command: debian/tests/upstream-system-tests
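Review bot: the added allow-stderr restriction silences every stderr line of the time-sources-from-dhcp-servers test, not only the systemd message tracked in LP: 1873031, so a regression that shows up only on stderr will now pass unnoticed; keep the comment as a reminder to drop the restriction once that bug is fixed, and make it read "until systemd fixes LP: 1873031" rather than "fixed".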
  2. Download patch debian/chrony.default

    --- 3.5-9/debian/chrony.default 2020-05-19 14:42:18.000000000 +0000 +++ 3.5-9ubuntu1/debian/chrony.default 2020-05-20 07:57:02.000000000 +0000 @@ -4,3 +4,7 @@ # Options to pass to chrony. DAEMON_OPTS="-F -1" + +# Sync system clock in containers or without CAP_SYS_TIME (likely to fail) +# See /usr/share/doc/chrony/README.container for details. +SYNC_IN_CONTAINER="no"
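Review bot: the new SYNC_IN_CONTAINER option should state its accepted values, because the starter script compares the variable literally against "yes" (`if [ "${EFFECTIVE_SYNC_IN_CONTAINER}" != "yes" ]`), so "Yes", "true" or "1" silently behave like "no"; suggest `# Set to "yes" to attempt syncing anyway` in the comment. Since the starter sources /etc/default/chrony as shell at every service start, the comment could also note that only plain VAR="value" assignments belong in this file.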
  3. Download patch debian/install

    --- 3.5-9/debian/install 2020-05-19 14:42:18.000000000 +0000 +++ 3.5-9ubuntu1/debian/install 2020-05-20 07:57:02.000000000 +0000 @@ -3,3 +3,4 @@ debian/chrony-helper usr/lib/chrony debian/chrony.conf usr/share/chrony debian/ntp-units.d/50-chrony.list usr/lib/systemd/ntp-units.d debian/usr.sbin.chronyd etc/apparmor.d +debian/ usr/lib/systemd/scripts/
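Review bot: the new wrapper is installed under usr/lib/systemd/scripts/, a path that systemd itself neither defines nor owns, while the package already keeps its own executable helper in usr/lib/chrony (the chrony-helper line in the same hunk); installing the wrapper next to chrony-helper keeps package-private executables in one place and avoids claiming a generic-looking directory. Whichever location is kept must match the ExecStart= path in debian/chrony.service.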
  4. Download patch debian/control

    --- 3.5-9/debian/control 2020-05-19 14:42:18.000000000 +0000 +++ 3.5-9ubuntu1/debian/control 2020-05-20 07:57:39.000000000 +0000 @@ -1,7 +1,8 @@ Source: chrony Section: net Priority: optional -Maintainer: Vincent Blut <> +Maintainer: Ubuntu Developers <> +XSBC-Original-Maintainer: Vincent Blut <> Uploaders: Joachim Wiedorn <> Standards-Version: 4.5.0 Build-Depends: asciidoctor (>= 1.5.3-1~), @@ -26,6 +27,7 @@ Architecture: linux-any Pre-Depends: ${misc:Pre-Depends} Depends: adduser, iproute2 [linux-any], + libcap2-bin (>= 1:2.32-1), ucf, ${misc:Depends}, ${shlibs:Depends}
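Review bot: the version floor on the new `libcap2-bin (>= 1:2.32-1)` dependency is not explained in the patch or the changelog; if it exists because the starter relies on a particular capsh option, say so in the changelog so a later merge does not drop the bound. It is also worth a comment that the starter treats capsh as optional (it runs it only when /sbin/capsh is executable and otherwise assumes the capability is present), so this hard Depends is what actually makes the -x fallback reliable.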
  5. Download patch debian/README.container

    --- 3.5-9/debian/README.container 1970-01-01 00:00:00.000000000 +0000 +++ 3.5-9ubuntu1/debian/README.container 2020-05-20 07:57:39.000000000 +0000 
@@ -0,0 +1,60 @@ +Chrony in Containers +-------------------- + +Currently in 99.9+% of the cases syncing the local clock in a container +is wrong. Most of the time it will be unable to do so, because it is lacking +CAP_SYS_TIME. Or worse, if the CAP_SYS_TIME privilege is granted, multiple +containers could fight over the system's time, because the Linux kernel does +not provide time namespaces (yet). + +There are two things a user installing chrony usually wants: +1. synchronize my time (NTP client) +2. serve NTP (NTP server) + +In a container the first makes (usually) no sense, so by default we enable -x +there (as it would only crash otherwise). +This will disable the control of the system clock. +See `man chronyd` for more details on the -x option. + +Formerly, the check for Condition=CAP_SYS_TIME in the systemd service avoided +the crash of the NTP client portion, but that means the server use case will +not work by default in containers. It is still not recommended to use a +container as an NTP server, but if the host clock is synchronised via NTP, +adding the -x option to chronyd instances running in containers will allow +them to function as NTP servers which do not adjust the system clock. +The Condition=CAP_SYS_TIME check was a silent, no-log-entry stealing away +leaving users often unclear what happened - especially if they were more after +the NTP server than the NTP client. + +One could argue that someone who installs chrony expects the system time to be +synchronised, so it should fail if it is not able to do so. On the other hand +it could be argued that someone who installs chrony expects time to be served +over the network via NTP. +We can't know which expectation is applicable, so we assume that time should +be synchronised unless chronyd is running in a container (or is without +CAP_SYS_TIME in any other environment). + +To make things worse recent container implementations will offer CAP_SYS_TIME +to the container. 
Since from the container's point of view, this capability is +available for the container's user namespace. Just later on adjtimex and similar +are actually evaluated against the host kernel where they will fail. Due to +that without further precaution running chrony in Ubuntu in the future will +likely have the service start (as Condition=CAP_SYS_TIME will be true) but +then immediately fail. +This will depend on the environment e.g. versions and types of containers and +thereby feel just 'unreliable' from users point of view. +Furthermore it will affect upgrades as the service has to be restarted for a +package upgrade to be considered complete. + +Due to all of that Ubuntu decided (LP: #1589780) to default to -x (do not +set the system clock) in containers. + +If one really wants to (try to) sync time in a container or CAP_SYS_TIME-less +environment set SYNC_IN_CONTAINER="yes" in /etc/default/chrony to disable +this special handling. + +It is important to mention that as soon as upstream provides a way to provide +a default config working in those cases Ubuntu intends to use that and drop +the current workaround. + + -- Christian Ehrhardt <> Fri, 16 Mar 2018 12:25:44 +0100
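Review bot: the claim that the Linux kernel "does not provide time namespaces (yet)" is stale for a 2020 upload: time namespaces were merged in Linux 5.6, but they only virtualise the CLOCK_MONOTONIC and CLOCK_BOOTTIME offsets, not CLOCK_REALTIME, so the underlying argument (several containers holding CAP_SYS_TIME would still contend for the one host wall clock) still holds and the sentence should say that instead. Two smaller points: "Currently in 99.9+% of the cases" is an unsupported figure, "in almost all cases" reads better; and the paragraph beginning "Since from the container's point of view" is a sentence fragment that should be joined to the sentence before it. The sign-off date (Fri, 16 Mar 2018) predates the upload that ships this file and could be refreshed.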
  6. Download patch debian/chrony.service

    --- 3.5-9/debian/chrony.service 2020-05-19 14:42:18.000000000 +0000 +++ 3.5-9ubuntu1/debian/chrony.service 2020-05-20 07:57:02.000000000 +0000 @@ -5,13 +5,13 @@ Conflicts=openntpd.service ntp.service n -ConditionCapability=CAP_SYS_TIME [Service] Type=forking PIDFile=/run/ EnvironmentFile=-/etc/default/chrony -ExecStart=/usr/sbin/chronyd $DAEMON_OPTS +# Starter takes care of special cases mostly for containers +ExecStart=/usr/lib/systemd/scripts/ $DAEMON_OPTS ExecStartPost=-/usr/lib/chrony/chrony-helper update-daemon PrivateTmp=yes ProtectHome=yes
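Review bot: with ConditionCapability=CAP_SYS_TIME removed, a unit that was previously skipped without any log entry now always starts, and the decision about -x moves into the starter; the unit would benefit from a second comment line saying that the starter may append -x and pointing at README.container, so an administrator reading `systemctl cat chrony` understands why the daemon is not steering the clock. Note also that /etc/default/chrony is now read twice with two different parsers: systemd parses it via EnvironmentFile= to produce $DAEMON_OPTS, and the starter sources it again with sh for SYNC_IN_CONTAINER; the two disagree on quoting rules, so the chrony.default comment should steer users towards simple assignments, or the unit could pass only the starter the responsibility of reading the file.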
  7. Download patch debian/docs

    --- 3.5-9/debian/docs 2020-05-19 14:42:18.000000000 +0000 +++ 3.5-9ubuntu1/debian/docs 2020-05-20 07:57:03.000000000 +0000 @@ -1,3 +1,4 @@ FAQ NEWS README +debian/README.container
  8. Download patch debian/chrony.conf

    --- 3.5-9/debian/chrony.conf 2020-05-19 14:42:18.000000000 +0000 +++ 3.5-9ubuntu1/debian/chrony.conf 2020-05-20 07:56:57.000000000 +0000 @@ -1,6 +1,23 @@ # Welcome to the chrony configuration file. See chrony.conf(5) for more # information about usuable directives. -pool iburst + +# This will use (up to): +# - 4 sources from which some are ipv6 enabled +# - 2 sources from which is ipv6 enabled as well +# - 1 source from [01] each (ipv4 only atm) +# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only +# sources will be used. +# At the same time it retains some protection against one of the entries being +# down (compare to just using one of the lines). See (LP: #1754358) for the +# discussion. +# +# About using servers from the NTP Pool Project in general see (LP: #104525). +# Approved by Ubuntu Technical Board on 2011-02-08. +# See for more information. +pool iburst maxsources 4 +pool iburst maxsources 1 +pool iburst maxsources 1 +pool iburst maxsources 2 # This directive specify the location of the file containing ID/key pairs for # NTP authentication.
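Review bot: the context line "# information about usuable directives." carries a typo ("usable") that could be fixed while this file is being rewritten anyway. In the new comment block the arithmetic is consistent (4 + 2 dual-stack and 1 + 1 IPv4-only, up to 8 sources), but a one-line note on what `maxsources` does (it caps how many servers chrony resolves from that pool entry) would make the numbers self-explanatory to a reader who does not have chrony.conf(5) open.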
  9. Download patch debian/

    --- 3.5-9/debian/ 1970-01-01 00:00:00.000000000 +0000 +++ 3.5-9ubuntu1/debian/ 2020-05-20 07:57:02.000000000 +0000 @@ -0,0 +1,70 @@ +#!/bin/sh +set -ue + +CONF="/etc/default/chrony" +DOC="/usr/share/doc/chrony/README.container" +CAP="cap_sys_time" +CMD="/usr/sbin/chronyd" +# Take any args passed, use none if nothing was specified +EFFECTIVE_DAEMON_OPTS=${@:-""} + +if [ -f "${CONF}" ]; then + . "${CONF}" +else + echo "<4>Warning: ${CONF} is missing" +fi +# take from conffile if available, default to no otherwise +EFFECTIVE_SYNC_IN_CONTAINER=${SYNC_IN_CONTAINER:-"no"} + +if [ ! -x "${CMD}" ]; then + echo "<3>Error: ${CMD} not executable" + # ugly, but works around + sleep 0.1 + exit 1 +fi + +# Check if -x is already set manually, don't process further if that is the case +X_SET=0 +while getopts ":x" opt; do + case $opt in + x) + X_SET=1 + ;; + esac +done + +if [ ${X_SET} -ne 1 ]; then + # Assume it is not in a container + IS_CONTAINER=0 + if [ -x /usr/bin/systemd-detect-virt ]; then + if /usr/bin/systemd-detect-virt --quiet --container; then + IS_CONTAINER=1 + fi + fi + + + # Assume it has the cap + HAS_CAP=1 + CAPSH="/sbin/capsh" + if [ -x "${CAPSH}" ]; then + ${CAPSH} --has-p="${CAP}" || HAS_CAP=0 + fi + + if [ ${HAS_CAP} -eq 0 ]; then + echo "<4>Warning: Missing ${CAP}, syncing the system clock will fail" + fi + if [ ${IS_CONTAINER} -eq 1 ]; then + echo "<4>Warning: Running in a container, likely impossible and unintended to sync system clock" + fi + + if [ ${HAS_CAP} -eq 0 -o ${IS_CONTAINER} -eq 1 ]; then + if [ "${EFFECTIVE_SYNC_IN_CONTAINER}" != "yes" ]; then + echo "<5>Adding -x as fallback disabling control of the system clock, see ${DOC} to override this behavior" + EFFECTIVE_DAEMON_OPTS="${EFFECTIVE_DAEMON_OPTS} -x" + else + echo "<5>Not falling back to disable control of the system clock, see ${DOC} to change this behavior" + fi + fi +fi + +${CMD} ${EFFECTIVE_DAEMON_OPTS}
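Review bot: the getopts loop that sets X_SET does not do what its comment claims, because with the optstring ":x" getopts does not know which chronyd options take an argument and stops at the first non-option word; a DAEMON_OPTS such as `-f /etc/chrony/alt.conf -x` therefore ends parsing at the file name and the explicit -x is missed, so the script still prints the container warnings and appends a duplicate -x. Either list chronyd's argument-taking options in the optstring (for example `":f:u:x"`) or replace the loop with a plain scan of "$@" for the literal `-x`. Two smaller points: the last line should be `exec "${CMD}" ${EFFECTIVE_DAEMON_OPTS}` so the shell does not remain the parent of the forking daemon and the exit status reaches systemd directly; and `[ ... -o ... ]` is marked obsolescent in POSIX, `[ a ] || [ b ]` is the portable spelling. The comment on the `sleep 0.1` workaround does not say what it works around; a bug reference would help the next maintainer.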