48 lines
1.1 KiB
INI
48 lines
1.1 KiB
INI
[Unit]
|
|
Description=Wait for chrony to synchronize system clock
|
|
Documentation=man:chronyc(1)
|
|
After=chrony.service
|
|
Requires=chrony.service
|
|
Before=time-sync.target
|
|
Wants=time-sync.target
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
# Wait for chronyd to update the clock and the remaining
|
|
# correction to be less than 0.1 seconds
|
|
ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
|
|
# Wait for at most 3 minutes
|
|
TimeoutStartSec=180
|
|
RemainAfterExit=yes
|
|
StandardOutput=null
|
|
|
|
CapabilityBoundingSet=
|
|
DevicePolicy=closed
|
|
DynamicUser=yes
|
|
IPAddressAllow=localhost
|
|
IPAddressDeny=any
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
PrivateDevices=yes
|
|
PrivateUsers=yes
|
|
ProcSubset=pid
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectProc=invisible
|
|
ProtectSystem=strict
|
|
RestrictAddressFamilies=AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged @resources
|
|
UMask=0777
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|