diff --git a/README.md b/README.md index f79b872..7d0ebf3 100644 --- a/README.md +++ b/README.md @@ -190,6 +190,25 @@ following during startup: > NTS-KE session with 164.67.62.194:4460 (tick.ucla.edu) timed out +## Enable control of system clock + +This option enables the control of the system clock. + +By default, chronyd will not try to make any adjustments of the clock. It will assume the clock is free running +and still track its offset and frequency relative to the estimated true time. This allows chronyd to run without +the capability to adjust or set the system clock in order to operate as an NTP server. + +Enabling the control requires granting SYS_TIME capability and a container run-time allowing that access: + +```yaml + ... + cap_add: + - SYS_TIME + environment: + - ENABLE_SYSCLK=true + ... +``` + ## Testing your NTP Container From any machine that has `ntpdate` you can query your new NTP container with the follow diff --git a/assets/startup.sh b/assets/startup.sh index bfe69d6..0a5d8d3 100755 --- a/assets/startup.sh +++ b/assets/startup.sh @@ -80,5 +80,11 @@ done echo "allow all" } >> ${CHRONY_CONF_FILE} +# enable control of system clock, disabled by default +SYSCLK="-x" +if [[ "${ENABLE_SYSCLK:-false}" = true ]]; then + SYSCLK="" +fi + ## startup chronyd in the foreground -exec /usr/sbin/chronyd -u chrony -d -x -L ${LOG_LEVEL} +exec /usr/sbin/chronyd -u chrony -d ${SYSCLK} -L ${LOG_LEVEL} diff --git a/docker-compose.yml b/docker-compose.yml index c466ec3..9f2f05e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -14,3 +14,4 @@ services: # - TZ=America/Vancouver # - NOCLIENTLOG=true # - ENABLE_NTS=true +# - ENABLE_SYSCLK=true diff --git a/run.sh b/run.sh index d5672be..9e1028b 100755 --- a/run.sh +++ b/run.sh 
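Review bot: The comment above `SYSCLK="-x"` in assets/startup.sh should say what dropping `-x` means, because that flag is the only thing keeping chronyd from adjusting the clock. The wall clock belongs to the kernel the container runs on, so with SYS_TIME granted this is normally the host's clock, not something private to the container. Something like `# -x: never touch the clock; without it chronyd needs SYS_TIME and disciplines the clock shared with the host` would cover it. The `exec` line also relies on the unquoted `${SYSCLK}` vanishing through word splitting when it is empty. An array (`CHRONYD_OPTS=(-x)` or `CHRONYD_OPTS=()`, then `"${CHRONYD_OPTS[@]}"` on the exec line) makes that explicit and survives someone quoting the expansion later.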
@@ -18,8 +18,10 @@ function start_container() { --publish=123:123/udp \ --env=NTP_SERVERS=${NTP_SERVERS} \ --env=ENABLE_NTS=${ENABLE_NTS} \ + --env=ENABLE_SYSCLK=${ENABLE_SYSCLK} \ --env=NOCLIENTLOG=${NOCLIENTLOG} \ --env=LOG_LEVEL=${LOG_LEVEL} \ + --cap-add=SYS_TIME \ --read-only=true \ --tmpfs=/etc/chrony:rw,mode=1750 \ --tmpfs=/run/chrony:rw,mode=1750 \ diff --git a/vars b/vars index 7f4dbfc..703bd14 100644 --- a/vars +++ b/vars @@ -15,6 +15,9 @@ NTP_SERVERS="0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" # (optional) enable NTS in the chronyd configuration file ENABLE_NTS=false +# (optional) enable control of system clock +ENABLE_SYSCLK=true + # (optional) turn on noclientlog option NOCLIENTLOG=false
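Review bot: `--cap-add=SYS_TIME` in run.sh is added unconditionally, so the container can set the clock even when ENABLE_SYSCLK is false and chronyd runs with `-x`. Grant the capability only when the option is on: set `SYSCLK_CAP=""`, then `[[ "${ENABLE_SYSCLK:-false}" = true ]] && SYSCLK_CAP="--cap-add=SYS_TIME"` before the command, and pass `${SYSCLK_CAP}` in place of the fixed flag. The new `--env=ENABLE_SYSCLK=${ENABLE_SYSCLK}` is unquoted like its neighbours; `--env=ENABLE_SYSCLK="${ENABLE_SYSCLK}"` avoids word splitting if vars holds an unexpected value. start_container begins and ends outside this hunk, so the command name and remaining flags are not visible here.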
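Review bot: `ENABLE_SYSCLK=true` in vars turns clock control on for everyone who starts the container through run.sh. That contradicts the README text added in this commit ("By default, chronyd will not try to make any adjustments of the clock") and the "disabled by default" comment in assets/startup.sh. Because the setting lets the container change the clock of the kernel it runs on, it should be opt-in like ENABLE_NTS: `ENABLE_SYSCLK=false`. The comment could also name the requirement, e.g. `# (optional) enable control of system clock (needs SYS_TIME; changes the host clock)`.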