ntpd in systemd-nspawn
I'm playing with containerizing various parts of my server infrastructure and one of the services I would like to run in a container is the ntp daemon.
I'm using systemd-nspawn (systemd 233) as a hypervisor as well as the init process inside of the containers.
ntpd version is 4.2.8p10.
Every time I try to start ntpd inside of a container it crashes with a `cap_set_proc()` operation not permitted error:

```
21 Oct 11:10:23 ntpd[51]: ntpd 4.2.8p10@1.3728 Fri Oct 20 23:28:39 UTC 2017 (1): Starting
21 Oct 11:10:23 ntpd[51]: Command line: ntpd -g -n -u ntp:ntp
21 Oct 11:10:23 ntpd[51]: Cannot set RLIMIT_MEMLOCK: Operation not permitted
21 Oct 11:10:23 ntpd[51]: proto: precision = 0.335 usec (-21)
21 Oct 11:10:23 ntpd[51]: Listen normally on 0 v4wildcard 0.0.0.0:123
21 Oct 11:10:23 ntpd[51]: Listen normally on 1 lo 127.0.0.1:123
21 Oct 11:10:23 ntpd[51]: Listening on routing socket on fd #18 for interface updates
21 Oct 11:10:23 ntpd[51]: mlockall(): Cannot allocate memory
21 Oct 11:10:23 ntpd[51]: start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation not permitted
21 Oct 11:10:23 ntpd[51]: set_freq: ntp_loopfilter.c line 1082: ntp_adjtime: Operation not permitted
21 Oct 11:10:23 ntpd[51]: cap_set_proc() failed to drop root privs: Operation not permitted
```

What I have tried so far:

- Building ntpd without capabilities enabled: it starts properly, but still has the same `ntp_adjtime` syscall permission issues.
- Running systemd-nspawn with `--private-users=0` and without `--private-users` at all.
- Playing with capabilities for systemd-nspawn itself (mainly `CAP_SYS_TIME` and `CAP_NET_BIND_SERVICE`).
- Playing with capabilities for ntpd inside of the container.

All this gave no positive results and I wonder what I am missing.
Any ideas will be greatly appreciated.

Tags: ntpd, systemd-nspawn
you don't set capabilities on systemd-nspawn. You use the `capability` option of systemd-nspawn. – sourcejedi, Oct 21 '17 at 8:38

@sourcejedi I have tried adding both capabilities required by ntpd into the `systemd-nspawn` service itself. – GeekMagus, Oct 22 '17 at 21:08

that's also the wrong way to describe what you want to do. The systemd-nspawn command drops capabilities, according to the option you pass it. You cannot increase capabilities by setting them on systemd-nspawn.service. – sourcejedi, Oct 23 '17 at 7:21

I see what you mean, and I think I explained it wrong. What I tried is setting the capability on the service file for systemd-nspawn on the host, passing the same capability as the `--capability` argument to systemd-nspawn on the host and setting this capability on the ntpd service inside of the container. Hope that makes sense. – GeekMagus, Oct 23 '17 at 9:33
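The thread turns on whether `CAP_SYS_TIME` actually reaches ntpd inside the container, and in which user namespace. The following diagnostic is an added example, not code from the question, from systemd or from ntp: it decodes the capability masks a process reports in `/proc/<pid>/status` and checks whether the process is in the initial user namespace, because the kernel's `adjtimex()` checks `CAP_SYS_TIME` against the initial namespace, so a capability granted inside a `--private-users` namespace still yields EPERM. It assumes a Linux `/proc`; the helpers are plain POSIX sh.

```shell
#!/bin/sh
# Added example, not from the question or from systemd/ntp: decode the
# capability masks in /proc/<pid>/status and report whether CAP_SYS_TIME
# (what ntp_adjtime needs) is present, and whether the process sits in the
# initial user namespace, the only place adjtimex honours that capability.
# Assumes Linux /proc; the awk/arithmetic helpers are plain POSIX sh.

CAP_SYS_TIME=25   # capability bit number from <linux/capability.h>

# cap_in_mask HEXMASK BIT: succeed if BIT is set in the 64-bit hex mask
cap_in_mask() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_field NAME FILE: print the hex mask of e.g. CapEff: from a status file
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }' "$2"
}

# in_init_userns FILE: succeed if the uid_map is the initial namespace's
# identity map (0 0 4294967295); any other map means a nested user namespace
in_init_userns() {
    awk '$1 == 0 && $2 == 0 && $3 == 4294967295 { ok = 1 } END { exit !ok }' "$1"
}

# report [PID]: one line per finding for the given process (default: self)
report() {
    pid=${1:-self}
    for f in CapBnd CapPrm CapEff; do
        if cap_in_mask "$(cap_field "$f" "/proc/$pid/status")" "$CAP_SYS_TIME"; then
            echo "$f: CAP_SYS_TIME present"
        else
            echo "$f: CAP_SYS_TIME missing; ntp_adjtime will fail with EPERM"
        fi
    done
    if in_init_userns "/proc/$pid/uid_map"; then
        echo "user namespace: initial; CAP_SYS_TIME is honoured by adjtimex"
    else
        echo "user namespace: nested; adjtimex returns EPERM even with CAP_SYS_TIME"
    fi
}

# Run against the calling process, or against the PID given as first argument
[ -r /proc/self/status ] && report "$1"
```

Run it inside the container as the ntpd user, or point it at ntpd's PID, to see which of the three masks drops `CAP_SYS_TIME` and whether the namespace itself rules out clock adjustment.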
asked Oct 21 '17 at 1:17 by GeekMagus