ntpd in systemd-nspawn

I'm playing with containerizing various parts of my server infrastructure, and one of the services I would like to run in a container is the ntp daemon.

I'm using systemd-nspawn (systemd 233) as a hypervisor as well as the init process inside of the containers.

The ntpd version is 4.2.8p10.

Every time I try to start ntpd inside of a container it crashes with a cap_set_proc() "Operation not permitted" error:

21 Oct 11:10:23 ntpd[51]: ntpd 4.2.8p10@1.3728 Fri Oct 20 23:28:39 UTC 2017 (1): Starting
21 Oct 11:10:23 ntpd[51]: Command line: ntpd -g -n -u ntp:ntp
21 Oct 11:10:23 ntpd[51]: Cannot set RLIMIT_MEMLOCK: Operation not permitted
21 Oct 11:10:23 ntpd[51]: proto: precision = 0.335 usec (-21)
21 Oct 11:10:23 ntpd[51]: Listen normally on 0 v4wildcard 0.0.0.0:123
21 Oct 11:10:23 ntpd[51]: Listen normally on 1 lo 127.0.0.1:123
21 Oct 11:10:23 ntpd[51]: Listening on routing socket on fd #18 for interface updates
21 Oct 11:10:23 ntpd[51]: mlockall(): Cannot allocate memory
21 Oct 11:10:23 ntpd[51]: start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation not permitted
21 Oct 11:10:23 ntpd[51]: set_freq: ntp_loopfilter.c line 1082: ntp_adjtime: Operation not permitted
21 Oct 11:10:23 ntpd[51]: cap_set_proc() failed to drop root privs: Operation not permitted

What I have tried so far:

  1. Building ntpd without capabilities enabled: it starts properly, but still has the same ntp_adjtime syscall permission issues.

  2. Running systemd-nspawn with --private-users=0 and without --private-users at all.

  3. Playing with capabilities for systemd-nspawn itself (mainly CAP_SYS_TIME and CAP_NET_BIND_SERVICE).

  4. Playing with capabilities for ntpd inside of the container.

All this gave no positive results and I wonder what I am missing.
Any ideas will be greatly appreciated.

  • You don't set capabilities on systemd-nspawn. You use the capability option of systemd-nspawn.
    – sourcejedi
    Oct 21 '17 at 8:38

  • @sourcejedi I have tried adding both capabilities required by ntpd into the systemd-nspawn service itself.
    – GeekMagus
    Oct 22 '17 at 21:08

  • That's also the wrong way to describe what you want to do. The systemd-nspawn command drops capabilities, according to the option you pass it. You cannot increase capabilities by setting them on systemd-nspawn.service.
    – sourcejedi
    Oct 23 '17 at 7:21

  • I see what you mean, and I think I explained it wrong. What I tried is setting the capability on the service file for systemd-nspawn on the host, passing the same capability as the --capability argument to systemd-nspawn on the host, and setting this capability on the ntpd service inside of the container. Hope that makes sense.
    – GeekMagus
    Oct 23 '17 at 9:33

asked Oct 21 '17 at 1:17 by GeekMagus
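
The comments turn on whether the capabilities ntpd needs ever reached the container's bounding set, which is what systemd-nspawn's --capability option controls; the following added check (not code from the question, from systemd or from ntpd) decodes the Cap* masks of /proc/<pid>/status to answer that from inside the container, using a constructed sample status excerpt in which only CAP_SYS_TIME is missing.

```python
"""Decode the Cap* masks in /proc/<pid>/status to see which capabilities ntpd
needs are missing inside the container (added example, not from the page)."""
import os

# Bit numbers from <linux/capability.h>; ntpd needs them for, respectively,
# binding UDP/123, mlockall(), and ntp_adjtime()/adjtimex().
NEEDED = {"CAP_NET_BIND_SERVICE": 10, "CAP_IPC_LOCK": 14, "CAP_SYS_TIME": 25}

# Constructed sample: a bounding set holding bits 0..37 except CAP_SYS_TIME,
# the capability that the host's --capability= option would have to add.
SAMPLE_STATUS = """Name:\tntpd
CapInh:\t0000000000000000
CapPrm:\t0000003ffdffffff
CapEff:\t0000003ffdffffff
CapBnd:\t0000003ffdffffff
CapAmb:\t0000000000000000
"""

def parse_cap_masks(status_text):
    """Return {'CapBnd': int, ...} from the hex masks in a status file."""
    masks = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks

def missing_caps(masks, cap_set="CapBnd"):
    """Names from NEEDED whose bit is clear in the chosen set. CapBnd is the
    one to check: nothing inside the container can regain a bit that
    systemd-nspawn dropped from the bounding set, and cap_set_proc() fails
    with EPERM when asked to keep a capability that is not permitted."""
    return [n for n, bit in NEEDED.items() if not masks[cap_set] & (1 << bit)]

def check_self():
    """Run inside the container: report what the current process lacks."""
    with open("/proc/self/status") as fh:
        return missing_caps(parse_cap_masks(fh.read()))

if __name__ == "__main__":
    # The wall clock is not namespaced, so CAP_SYS_TIME lets the container
    # adjust the host's clock: grant it only to an image you trust.
    src = "/proc/self/status" if os.path.exists("/proc/self/status") else None
    lacking = check_self() if src else missing_caps(parse_cap_masks(SAMPLE_STATUS))
    print("missing from CapBnd:", ", ".join(lacking) or "none")
    if lacking:
        print("host side: systemd-nspawn --capability=" + ",".join(lacking))
```

Run it as the ntpd service's user inside the container: if CAP_SYS_TIME is reported missing from CapBnd, no setting inside the container can restore it, and the fix has to be on the host's systemd-nspawn invocation.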