six demon bag
Wind, fire, all that kind of thing!
Running a network time server in an LXC container normally doesn't work, even if you run the container in privileged mode. The reason is that LXC drops certain capabilities, among them sys_time, when the container starts, for security reasons.
To run an NTP server in a container, remove sys_time from the list of dropped capabilities by adding the following settings to the config section of your container config (lxc config edit CONTAINER_NAME):
    config:
      raw.lxc: |-
        # first clear the default drop list, then set it again without sys_time
        lxc.cap.drop =
        lxc.cap.drop = sys_module mac_admin mac_override
      security.privileged: "true"
    ...
Also make sure that the host system (as well as other containers on that host) will NOT modify the system time. This can be achieved by configuring the NTP service on those systems to use the undisciplined local clock driver, so it serves time without ever adjusting the shared kernel clock:
    # /etc/ntpd.conf
    restrict default ignore
    restrict 127.0.0.1
    server 127.127.1.0 prefer      # local clock
    fudge 127.127.1.0 stratum 10
    driftfile /var/lib/ntp/drift
Alternatively, remove the NTP service entirely. The latter isn't always an option, though. Cloudera's Hadoop distribution, for instance, requires that an NTP service is running on all nodes.
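As an added check (not part of the original post), the following POSIX sh script decodes the CapEff bitmask from /proc/self/status to confirm that CAP_SYS_TIME actually survived the drop list, and audits an ntp.conf read from stdin for any server, peer or pool line that is not the local clock driver. The two sample masks are constructed for the demonstration, not real captures.

```shell
#!/bin/sh
# Added example, not code from the original post. Uses only /proc, sh, awk and sed.

CAP_SYS_TIME_BIT=25   # kernel capability number of CAP_SYS_TIME

# has_cap_sys_time HEXMASK: succeed if bit 25 is set in a CapEff bitmask
# (the 16 hex digits shown by `grep CapEff /proc/self/status`).
has_cap_sys_time() {
    mask=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ $(( (0x$mask >> CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# self_cap_sys_time: the same check against the running process,
# i.e. run this inside the container to verify the raw.lxc override took effect.
self_cap_sys_time() {
    has_cap_sys_time "$(awk '/^CapEff:/ { print $2 }' /proc/self/status)"
}

# ntp_conf_local_only < FILE: succeed if every server/peer/pool line refers to
# the undisciplined local clock driver (127.127.1.x), so ntpd on the host or a
# neighbour container will never be steered by an external source.
ntp_conf_local_only() {
    sed 's/#.*//' | awk '
        $1 ~ /^(server|peer|pool)$/ && $2 !~ /^127\.127\.1\./ { bad = 1 }
        END { exit bad + 0 }'
}

# Demonstration on constructed values (NOT real captures):
# privileged container with the default drop list, sys_time (bit 25) cleared.
DROPPED_MASK=0000003cfdfeffff
# the same container after the raw.lxc override put sys_time back.
RESTORED_MASK=0000003cfffeffff

for m in $DROPPED_MASK $RESTORED_MASK; do
    if has_cap_sys_time "$m"; then
        echo "CapEff $m: CAP_SYS_TIME present, ntpd may set the clock"
    else
        echo "CapEff $m: CAP_SYS_TIME missing, ntpd cannot set the clock"
    fi
done
```

Run `self_cap_sys_time && echo ok` inside the container and `ntp_conf_local_only < /etc/ntp.conf && echo local-only` on the host.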
Posted 21:38