Built from a Fedora 36 image with only the chrony service, acting as a time server. The goal is to reduce the attack surface by onboarding only a few binaries, launching the service as the chrony user and keeping the image size as small as possible.
You need to build the image on a machine with podman 3.3.1 installed. The build proceeds as follows:
- Pull a fedora 36 container as helper
- Mount a directory to build the chrony image
- use the Fedora container to build the chrony service inside the mounted directory
- archive the mounted directory as layer.tar.xz
- use the new layer as the sysroot directory to build the final image
- create two tmpfs volumes to secure the chrony service
- launch a test container, using the local chrony.conf as time source, in the most secure way
- remove the sysroot content
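The image-building steps above (helper container, mounted sysroot, layer archive, final image, sysroot cleanup) as shell functions. This is an added example, not the repository's install_chronyd.sh; it assumes podman is installed, that $SYSROOT is a writable directory, that the helper image is registry.fedoraproject.org/fedora:36 and that the final image is tagged f36:chrony.

```shell
#!/bin/sh
# Added example, not the repository's install_chronyd.sh. Assumes podman,
# a writable $SYSROOT directory, and the helper image named below.
set -eu

SYSROOT="${SYSROOT:-$PWD/sysroot}"
HELPER="${HELPER:-registry.fedoraproject.org/fedora:36}"   # assumed helper image

# Pull the helper, mount the build directory and install chrony into it with
# dnf --installroot. Weak dependencies and docs are skipped so that only the
# binaries chrony actually needs land in the layer.
build_sysroot() {
    mkdir -p "$SYSROOT"
    podman run --rm --volume "$SYSROOT:/sysroot:Z" "$HELPER" \
        dnf -y --installroot=/sysroot --releasever=36 \
            --setopt=install_weak_deps=False --nodocs install chrony
    # package-manager state is dead weight in the final image
    rm -rf "$SYSROOT/var/cache/dnf" "$SYSROOT/var/lib/dnf"
}

# Archive the sysroot as one xz-compressed layer.
pack_layer() {
    tar -C "$SYSROOT" -cJf layer.tar.xz .
}

# Containerfile for the final image: the layer is the whole root filesystem,
# only the NTP port is declared, -d keeps chronyd in the foreground and -u
# makes it drop to the chrony user after start (assumed launch options).
write_containerfile() {
    cat > "$1" <<'EOF'
FROM scratch
ADD layer.tar.xz /
EXPOSE 123/udp
ENTRYPOINT ["/usr/sbin/chronyd", "-d", "-u", "chrony"]
EOF
}

# Build the final image from the layer.
build_image() {
    write_containerfile Containerfile
    podman build --tag f36:chrony .
}

# Drop the sysroot once the layer exists.
cleanup_sysroot() {
    rm -rf "$SYSROOT"
}

# Full pipeline (needs podman and network access for the helper image):
#   build_sysroot && pack_layer && build_image && cleanup_sysroot
```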
You can clone the repository or download the files:
git clone https://github.com/vpolaris/container_chrony_f36.git
cd container_chrony_f36 && chmod u+x install_chronyd.sh
sudo ./install_chronyd.sh
To run the default service, use the following command:
podman run -d --read-only \
--name chrony \
--publish 123:123/udp \
--health-cmd 'CMD-SHELL chronyc tracking || exit 1' \
--health-interval 15m \
--health-start-period 2m \
--restart on-failure \
--volume /etc/chrony.conf:/etc/chrony.conf:ro \
--volume run_chrony:/run/chrony:Z \
--volume var_chrony:/var/lib/chrony:rw \
-t f36:chony
Run the health check:
podman healthcheck run chrony
These are the sites where I found the materials: