Open
Description
Package name and purpose
- Package upstream repo: https://gitlab.com/chrony/chrony
- Gentoo ebuild: https://packages.gentoo.org/packages/net-misc/chrony
Impact of adding this package to the Flatcar OS image
The package improves on the following core values:
- Secure by default
- Always up to date
- Improve container experience
- Operate at scale / automation / telemetry
The package will increase the image size by: ~1–2 MBytes.
How might this package increase the attack surface:
- Chrony communicates over the standard NTP port UDP 123 when acting as a client or server.
- It does not open any additional ports.
- In default (client-only) mode, `chronyd` does not listen for incoming connections at all.
- New service: Installing Chrony adds the `chronyd` daemon, which runs as a low-privilege background service (systemd unit `chronyd.service`).
Benefits of adding this package
- Fast and accurate time sync: Crucial for distributed container systems (e.g., Kubernetes), TLS verification, logs, CI/CD pipelines, and security audits.
- More secure and reliable than systemd-timesyncd: Supports Network Time Security (NTS), reduces drift faster, and handles network disruptions better.
- Scales well in ephemeral/cloud-native environments: Synchronizes quickly on boot – ideal for autoscaling, edge devices, and rapid deployments.
- Actively maintained and widely used: Part of all major Linux distributions (RHEL, Ubuntu, SUSE, Gentoo, Arch), with active development and security updates.
- Minimal footprint: Small, efficient daemon with low resource usage and flexible configuration.
Additional information
RHEL 8 dropped support for ntp and uses chrony only for NTP.
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/considerations_in_adopting_rhel_8/infrastructure-services_considerations-in-adopting-rhel-8?utm_source=chatgpt.com#implementation-of-ntp_time-synchronization