Chrony - Install Chrony on Docker


A Docker image contains the code used to create a Docker container, such as an Nginx web server, a MySQL server, or a home grown app, and the list goes on. In this way, an image is like a template used to create a container. An image is kind of like a virtual machine, but much more lightweight, using significantly less storage and memory (containers are usually megabytes in size).

 

The docker pull command can be used to pull down the latest chrony image.

~]# docker pull geoffh1977/chrony
Using default tag: latest
latest: Pulling from geoffh1977/chrony
8fb306bb3fa9: Pull complete
42a99ae5175a: Pull complete
6956051b6142: Pull complete
Digest: sha256:d878c9cb30fda0ad5655499558d105a62dfe2e616c1737a35961cf4b30296a6f
Status: Downloaded newer image for geoffh1977/chrony:latest
docker.io/geoffh1977/chrony:latest

 

Or you could create a Dockerfile that contains something like this.

FROM geoffh1977/chrony:latest

 

Then use the docker build command to create the image, running this command in the same directory as the Dockerfile.

docker build . --tag chrony:latest

 

The docker images command can be used to display the chrony image.

~]# docker images
REPOSITORY          TAG       IMAGE ID       CREATED        SIZE
geoffh1977/chrony   latest    3bc8ac7cc043   4 years ago    186MB

 

The following command can then be used to create and start the Chrony container. Let's break down this command.

  • The docker run command is used to create and start the Chrony container.
  • The --detach flag is used to run the container in the background.
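  • The --cap-add SYS_TIME option is used to grant the container the SYS_TIME capability, which allows chrony in the container to set the system clock that the container shares with the Docker system.
  • The --env option is used to set the ALLOW_CIDR variable to contain a value of <ip address>/<prefix> so that systems with an IP address in the subnet are allowed to use the chrony container as their NTP server.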
  • The --publish option is used to configure both the Docker server and Chrony container to listen on UDP port 123, which adds a rule to iptables to allow connections between the Docker system and container on port 123.
  • The --volume option is used to mount the /etc/localtime file on the Docker system to the /etc/localtime in the container so that the container has the same localtime settings as the Docker system.
  • The --name option is used to name the container chrony.
  • The --restart unless-stopped option is used so that the container is started if the Docker server is restarted.
  • The geoffh1977/chrony image is used.

docker run \
--detach \
--cap-add SYS_TIME \
--env ALLOW_CIDR=192.168.0.0/24 \
--publish 123:123/udp \
--volume /etc/localtime:/etc/localtime:ro \
--name chrony \
--restart unless-stopped \
geoffh1977/chrony

 

Use the docker container ls command to ensure the container is running.

~]# docker container ls -a
CONTAINER ID   IMAGE               COMMAND                  CREATED       STATUS       PORTS                              NAMES
ba2fff144f7f   geoffh1977/chrony   "tini -- /usr/local/…"   3 hours ago   Up 3 hours   0.0.0.0:123->123/udp               chrony

 

The docker exec command can be used to view the contents of the /etc/chrony.conf file in the container.

~]# docker exec chrony cat /etc/chrony.conf
cmdallow 127/8
pool pool.ntp.org iburst
initstepslew 10 pool.ntp.org
driftfile /var/lib/chrony/chrony.drift
local stratum 10
makestep 1.0 3
rtcsync
allow 192.168.0.0/24

 

The chronyc sources command can be used to verify that chrony is able to connect to external NTP servers.

~]# docker exec chrony chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ time.cloudflare.com           3   6   377    34   -588us[ -567us] +/-   48ms
^* ftp8.ofertadasorte.com.br     2   6   377    34   +945us[ +966us] +/-   33ms
^- tick.srs1.ntfo.org            3   6   377    36  -3144us[-3123us] +/-  130ms
^+ ntp.xtom.com                  2   6   377    36  -1612us[-1591us] +/-   75ms

 

Use the chronyc tracking command to get the leap status. If Leap status is “normal”, the machine is synchronized with one of the external NTP servers. On the other hand, if leap status is “not synchronized”, the machine is not synchronized.

~]# docker exec chrony chronyc tracking
Reference ID    : 68C2F2ED (ftp8.ofertadasorte.com.br)
Stratum         : 3
Ref time (UTC)  : Sat Aug 14 04:15:22 2021
System time     : 0.000004047 seconds fast of NTP time
Last offset     : +0.000098503 seconds
RMS offset      : 0.000122952 seconds
Frequency       : 13.058 ppm slow
Residual freq   : +0.058 ppm
Skew            : 1.090 ppm
Root delay      : 0.064625211 seconds
Root dispersion : 0.000936881 seconds
Update interval : 64.3 seconds
Leap status     : Normal
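
The two manual checks above (chronyc sources and chronyc tracking) can be turned into pass/fail checks for monitoring. This is an added example, not part of the original article or the image: the function names, the MAX_OFFSET and MIN_SOURCES thresholds and the sample host names are assumptions, and the sample input is constructed.

```sh
#!/bin/sh
# Added example: pass/fail checks over `chronyc tracking` and `chronyc sources`.
# MAX_OFFSET and MIN_SOURCES are assumed thresholds, not values from the article.
MAX_OFFSET="${MAX_OFFSET:-0.1}"   # largest tolerated clock error, in seconds
MIN_SOURCES="${MIN_SOURCES:-2}"   # fewest sources that must be answering

# stdin: `chronyc tracking`. Passes only if Leap status is Normal and the
# "System time" error is present and within MAX_OFFSET.
check_tracking() {
    awk -v max="$MAX_OFFSET" '
        /^Leap status/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); leap = $0 }
        /^System time/ { split($0, a, ":"); split(a[2], f, " "); off = f[1] + 0; seen = 1 }
        END {
            if (leap != "Normal") { print "FAIL leap status: " leap; exit 1 }
            if (!seen)            { print "FAIL no System time line"; exit 1 }
            if (off > max + 0)    { print "FAIL offset " off "s > " max "s"; exit 1 }
            print "OK leap=" leap " offset=" off "s"
        }'
}

# stdin: `chronyc sources`. Passes only if one source is selected (state "*")
# and at least MIN_SOURCES sources have a non-zero Reach register.
check_sources() {
    awk -v min="$MIN_SOURCES" '
        /^[#=^][*+?x~-]/ {                      # mode char, then state char
            if ($5 != "0") reachable++
            if (substr($1, 2, 1) == "*") selected = $2
        }
        END {
            if (selected == "")      { print "FAIL no selected source"; exit 1 }
            if (reachable < min + 0) { print "FAIL reachable=" (reachable + 0); exit 1 }
            print "OK selected=" selected " reachable=" reachable
        }'
}

# Constructed sample input (same layout as the output shown above).
SAMPLE_TRACKING='System time     : 0.000004047 seconds fast of NTP time
Leap status     : Normal'
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp1.example.net              3   6   377    34   -588us[ -567us] +/-   48ms
^* ntp2.example.net              2   6   377    34   +945us[ +966us] +/-   33ms'

printf '%s\n' "$SAMPLE_TRACKING" | check_tracking
printf '%s\n' "$SAMPLE_SOURCES"  | check_sources
# Live use: docker exec chrony chronyc tracking | check_tracking
```

Each function exits non-zero on failure, so it can be used directly from cron or a monitoring agent.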



