[Bug 1190926] New: Systemd hardening effort breaks chrony
http://bugzilla.opensuse.org/show_bug.cgi?id=1190926

Bug ID: 1190926
Summary: Systemd hardening effort breaks chrony
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: screening-team-bugs@suse.de
Reporter: suse+build@de-korte.org
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

The patches in https://build.opensuse.org/request/show/915264 have broken chrony. At least PrivateDevices=true, ProtectClock=true, ProtectControlGroups=true and DeviceAllow=char-rtc should *not* be set.

--
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190926#c1

Martin Pluskal <mpluskal@suse.com> changed:
  CC: added mpluskal@suse.com

--- Comment #1 from Martin Pluskal <mpluskal@suse.com> ---

As commented in https://build.opensuse.org/request/show/921889

Please elaborate on what breaks and how.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190926#c2

--- Comment #2 from Arjen de Korte <suse+build@de-korte.org> ---

With default hardening enabled:

# systemctl status chronyd.service
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Fri 2021-10-01 21:45:08 CEST; 43s ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
        CPU: 37ms

Oct 01 21:45:08 mail systemd[1]: Starting NTP client/server...
Oct 01 21:45:08 mail chronyd[38831]: chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
Oct 01 21:45:08 mail chronyd[38831]: Could not open /dev/ptp0 : No such file or directory
Oct 01 21:45:08 mail chronyd[38831]: Fatal error : Could not enable HW timestamping on eth0
Oct 01 21:45:08 mail chronyd[38829]: Could not enable HW timestamping on eth0
Oct 01 21:45:08 mail systemd[1]: chronyd.service: Control process exited, code=exited, status=1/FAILURE
Oct 01 21:45:08 mail systemd[1]: chronyd.service: Failed with result 'exit-code'.
Oct 01 21:45:08 mail systemd[1]: Failed to start NTP client/server.

With `PrivateDevices=true`, `ProtectControlGroups=true` and `DeviceAllow=char-rtc` commented out:

# systemctl status chronyd.service
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2021-10-01 21:49:35 CEST; 13ms ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
    Process: 40010 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
    Process: 40014 ExecStartPost=/usr/libexec/chrony/helper update-daemon (code=exited, status=0/SUCCESS)
   Main PID: 40012 (chronyd)
      Tasks: 1 (limit: 9374)
        CPU: 59ms
     CGroup: /system.slice/chronyd.service
             └─40012 /usr/sbin/chronyd

Oct 01 21:49:35 mail systemd[1]: Starting NTP client/server...
Oct 01 21:49:35 mail chronyd[40012]: chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
Oct 01 21:49:35 mail chronyd[40012]: Enabled HW timestamping on eth0
Oct 01 21:49:35 mail chronyd[40012]: Frequency 77.294 +/- 240.772 ppm read from /var/lib/chrony/drift
Oct 01 21:49:35 mail systemd[1]: Started NTP client/server.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190926#c3

--- Comment #3 from Arjen de Korte <suse+build@de-korte.org> ---

It seems that this is caused by the following directive I have in a /etc/chrony.d/local.conf file:

hwtimestamp eth0

Commenting this out will work with the default hardening enabled. I'll override the relevant directives in the systemd configuration, so feel free to close this report as invalid if this is intended behaviour.

Note that only the following two directives need an override:

[Service]
PrivateDevices=false
DeviceAllow=
http://bugzilla.opensuse.org/show_bug.cgi?id=1190926#c5

--- Comment #5 from Arjen de Korte <suse+build@de-korte.org> ---

(In reply to Reinhard Max from comment #4)

With an override containing the following, hwtimestamp works:

[Service]
PrivateDevices=false
DeviceAllow=char-ptp

Commenting out either line breaks it again, so this seems to be the minimum required change.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190926#c6

Reinhard Max <max@suse.com> changed:
  Flags: removed needinfo?(suse+build@de-korte.org)

--- Comment #6 from Reinhard Max <max@suse.com> ---

Thanks for the confirmation. When fixing it in the package itself, I modify the original service file instead of adding an override. With that I can just remove the "PrivateDevices=true" line, which will have the same effect as overriding it with false.
http://bugzilla.opensuse.org/show_bug.cgi?id=1190926#c7

Reinhard Max <max@suse.com> changed:
  Status: NEW -> IN_PROGRESS
  CC: added jsegitz@suse.com

--- Comment #7 from Reinhard Max <max@suse.com> ---

After talking to the systemd maintainers it looks like using PrivateDevices=true was completely wrong in this case. Its purpose is to disallow access to all physical devices, so it cannot be used if access to any physical device is needed. But DeviceAllow should be good enough to allow the process to only access the devices it needs.
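The override semantics from comments #3 and #5 and the reasoning in comment #7, as an added example that is not part of the bug thread, chrony or systemd: a small Python checker that merges a unit's [Service] section with drop-ins the way systemd does (last value wins for PrivateDevices=, DeviceAllow= appends and an empty DeviceAllow= resets the list) and reports the two conditions this bug identified. The function names and the sample unit text are constructed for the example from the directives quoted in the thread.

```python
# Added example, not code from the bug report, chrony or systemd: merge a unit's
# [Service] section with drop-in overrides as systemd does and flag the settings
# that this bug found to break "hwtimestamp eth0". Assumed rules: single-value
# keys such as PrivateDevices= take the last value; DeviceAllow= appends and an
# empty DeviceAllow= resets the list.

def parse_service(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from the [Service] section, in file order."""
    pairs, in_service = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_service = line == "[Service]"
        elif in_service and "=" in line:
            key, _, val = line.partition("=")
            pairs.append((key.strip(), val.strip()))
    return pairs

def effective_service(unit: str, drop_ins: list[str]) -> dict[str, object]:
    """Apply drop-ins in order on top of the unit and return the merged view."""
    merged: dict[str, object] = {}
    for text in [unit, *drop_ins]:
        for key, val in parse_service(text):
            if key != "DeviceAllow":
                merged[key] = val                       # last assignment wins
            elif val == "":
                merged[key] = []                        # DeviceAllow= clears the list
            else:
                merged[key] = list(merged.get(key, [])) + val.split()
    return merged

def ptp_findings(cfg: dict[str, object]) -> list[str]:
    """Settings that stop chronyd from opening /dev/ptp0, per this bug."""
    findings = []
    if str(cfg.get("PrivateDevices", "no")).lower() in {"1", "yes", "true", "on"}:
        findings.append("PrivateDevices=true hides physical devices such as /dev/ptp0")
    allowed = cfg.get("DeviceAllow", [])
    if allowed and "char-ptp" not in allowed:
        findings.append("DeviceAllow= is set but lacks char-ptp, so /dev/ptp0 is denied")
    return findings

# Constructed from the directives quoted in the bug, not the shipped unit file.
HARDENED_UNIT = "[Service]\nPrivateDevices=true\nProtectClock=true\nProtectControlGroups=true\nDeviceAllow=char-rtc\n"
OVERRIDE_C3 = "[Service]\nPrivateDevices=false\nDeviceAllow=\n"
OVERRIDE_C5 = "[Service]\nPrivateDevices=false\nDeviceAllow=char-ptp\n"
```

Running `ptp_findings(effective_service(HARDENED_UNIT, [OVERRIDE_C5]))` returns an empty list, while dropping either line of the override brings one finding back, matching what comment #5 observed.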
http://bugzilla.opensuse.org/show_bug.cgi?id=1190926#c8

Reinhard Max <max@suse.com> changed:
  Status: IN_PROGRESS -> RESOLVED
  Resolution: --- -> FIXED

--- Comment #8 from Reinhard Max <max@suse.com> ---

done.