Setup Chrony seccomp filter

Signed-off-by: Thien Tran <contact@tommytran.io>

Docker-Compose.ign

@@ -115,6 +115,14 @@
           "source": "data:;base64,H4sIAAAAAAAC/4yQsU78MAyHdz9Fpf/cyxNkuL8OIVaO6oaqQ0hMz2pqB8cB+vYM1QmBGNh+0vf5GzwOTDbBCWtUKkbC/thM1mAUu6GkYKhwfDFUnyQuqIeK+kYR4RFfGylWz2jvoksvnInxYEFntC/84wzG874mGCqqVxGDe5VW9nkRXYjnEylGE928K8GuzsTtoT7KWqSiSzcD/t19YDxbUPOuVXXPxG4m60rLGX5h30N/1Vrp+gRPW0EvjPUqBjA+cLWQ8wSXwIbp/+bXlo36VlFvn/gMAAD//9CerLZjAQAA"
         }
       },
+      {
+        "overwrite": true,
+        "path": "/etc/sysconfig/chronyd",
+        "contents": {
+          "compression": "",
+          "source": "data:,%23%20Command-line%20options%20for%20chronyd%0AOPTIONS%3D%22-F%201%22%0A"
+        }
+      },
       {
         "overwrite": true,
         "path": "/etc/unbound/unbound.conf",

Docker-Compose.yml

@@ -173,6 +173,12 @@ storage:
 
           [Install]
           WantedBy=multi-user.target
+    - path: /etc/sysconfig/chronyd
+      overwrite: true
+      contents:
+        inline: |
+          # Command-line options for chronyd
+          OPTIONS="-F 1"
     - path: /etc/unbound/unbound.conf
       overwrite: true
       contents:

Generic.ign

@@ -108,12 +108,20 @@
           "source": "data:,GSSAPIAuthentication%20no%0AVerifyHostKeyDNS%20yes%0A"
         }
       },
+      {
+        "overwrite": true,
+        "path": "/etc/sysconfig/chronyd",
+        "contents": {
+          "compression": "",
+          "source": "data:,%23%20Command-line%20options%20for%20chronyd%0AOPTIONS%3D%22-F%201%22%0A"
+        }
+      },
       {
         "overwrite": true,
         "path": "/etc/unbound/unbound.conf",
         "contents": {
           "compression": "gzip",
-          "source": "data:;base64,H4sIAAAAAAAC/6xSQWvcPBC9768Q/s5jezfZ5MNQ6CWFQktL00uPE2lsD5ElZzTa1Pn1RbtdlyyFQqkNxp4373ne0ySSA0m3McaOEqN2pqo2G2MwawSVnBQw2DEK9OypM1VzQGk8PzQ5PMQcXFNY9SMt1caYV4TEQ0DPYejMQmljTOmER1ogUVAO5E9A4fkElkThIQdXftOQ2iYl35RqaiweYe7ZolKqreiZxfNIkjpTff7y6d37D3dv7r/df737eDQxsiMYVWfIiQRwoKDnYY4YuzKJLq+KRxMnD6/qB5LEMaxDOwoLYPhFRnEUAP0QwcXnMAg6ugA9ykDwlEmY0gUm1JMIephRxwssjfGYTp/4ZdXkIUQhsA56j2vKE36H7GY4dV61t7tSjC57AhtDz0NnqgN6dqhRDCtJeSnH9xRwIpg48MQJlWOApMJ2DS2HZwxKDoRmv4COQmmM3nVm256u0pQILM4J+ijAbs0rZh0ihwHm4mUmmVgLcXcNN/v91b70zCUEtav983dZm59CfZRnFAcvMVDZ2zJzZ6q6GDhjZTPynFQIp7PUGUPnpDPbuty7t//vr/5LZLOwLrX1MbveoxC4kGobp9/w2rr9C97upr3prm/b9vTottvtPxBp2z+L/AgAAP//qRxiA+IDAAA="
+          "source": "data:;base64,H4sIAAAAAAAC/6xSQWvcPBC9768Q/s5jezfZ5MNQ6CWFQktL00uPE2lsD5ElZzTa1Pn1RbtdlyyFQqkNxp4373ne0ySSA0m3McaOEqN2pqo2G2MwawSVnBQw2DEK9OypM1VzQGk8PzQ5PMQcXFNY9SMt1caYV4TEQ0DPYejMQmljTOmER1ogUVAO5E9A4fkElkThIQdXftOQ2iYl35RqaiweYe7ZolKqreiZxfNIkjpTff7y6d37D3dv7r/df737eDQxsiMYVWfIiQRwoKDnYY4YuzKJLq+KRxMnD6/qB5LEMaxDOwoLYPhFRnEUAP0QwcXnMAg6ugA9ykDwlEmY0gUm1JMIephRxwssjfGYTp/4ZdXkIUQhsA56j2vKE36H7GY4dV61t7tSjC57AhtDz0NnqgN6dqhRDCtJeSnH9xRwIpg48MQJlWOApMJ2DS2HZwxKDoRmv4COQmmM3nVm256u0pQILM4J+ijAbs0rZh0ihwHm4mUmmVgLcXcNN/v91b70zCUEtav983dZm59CfZRnFAcvMVDZ2zJzZ6q6GDhjZTPynFQIp7PUGUPnpDPbuty7t//vr/5LZLOwLrX1MbveoxC4kGobp9/w2rr9C97upr3prm/b9vTottvtPxBp2z+K9P3mRwAAAP//CV2iuOQDAAA="
         }
       },
       {

Generic.yml

@@ -171,6 +171,12 @@ storage:
         inline: |
           GSSAPIAuthentication no
           VerifyHostKeyDNS yes
+    - path: /etc/sysconfig/chronyd
+      overwrite: true
+      contents:
+        inline: |
+          # Command-line options for chronyd
+          OPTIONS="-F 1"
     - path: /etc/unbound/unbound.conf
       overwrite: true
       contents:
@@ -213,7 +219,7 @@ storage:
             forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
             forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
             forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
-            forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
+            forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.comff
     - path: /etc/systemd/system/unbound.service.d/override.conf
       contents:
         inline: |