six demon bag

Wind, fire, all that kind of thing!

2019-05-06

Run a time server in an LXC container

Running a network time server in an LXC container normally doesn't work, even if you run the container in privileged mode. The reason is that containers drop certain capabilities upon startup for security reasons (sys_module, mac_admin, mac_override, sys_time), and without sys_time a process cannot set or slew the system clock.

To run an NTP server in a container, remove sys_time from the list of dropped capabilities by adding the following settings to the config section of your container config (lxc config edit CONTAINER_NAME):

config:
  raw.lxc: |-
    lxc.cap.drop =
    lxc.cap.drop = sys_module mac_admin mac_override
  security.privileged: "true"
  ...

Also make sure that the host system (as well as other containers on that host) does NOT modify the system time: the kernel clock is shared, so a second NTP daemon disciplining it would fight the one in the container. This can be achieved by configuring the NTP service to use the undisciplined local clock driver.

# /etc/ntp.conf (ntpd reference implementation)
restrict default ignore        # refuse all remote clients and peers
restrict 127.0.0.1             # allow local queries (ntpq) only
server 127.127.1.0 prefer      # undisciplined local clock driver
fudge  127.127.1.0 stratum 10  # advertise it as a low-quality (stratum 10) source
driftfile /var/lib/ntp/drift

Alternatively remove the NTP service entirely. The latter isn't always an option, though. Cloudera's Hadoop distribution for instance demands that you are running an NTP service on all nodes.
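Two checks for the setup above, added here as an example and not part of the original post: one confirms from inside the container that CAP_SYS_TIME (kernel capability number 25) is actually in the effective set, the other confirms that an ntpd config on the host (or another container) only references the local clock driver. The function names and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are assumptions.
set -eu

# CAP_SYS_TIME is capability number 25, i.e. bit 25 of the CapEff bitmask
# that the kernel reports in /proc/<pid>/status.
CAP_SYS_TIME_BIT=25

# has_cap_sys_time HEXMASK -> exit 0 if bit 25 is set in HEXMASK (a CapEff
# value as printed in /proc/self/status), 1 otherwise.  Inside the container:
#   has_cap_sys_time "$(awk '/^CapEff:/ {print $2}' /proc/self/status)"
has_cap_sys_time() {
    mask=$1
    [ $(( (0x$mask >> CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# ntp_conf_is_local_only < ntp.conf -> exit 0 if every server/peer/pool
# directive refers to the undisciplined local clock (127.127.1.x), so this
# daemon can never pull the shared kernel clock towards an external source.
ntp_conf_is_local_only() {
    # strip comments, keep time-source directives, drop local-clock ones;
    # anything left over is an external source
    bad=$(sed 's/#.*//' \
          | awk '$1 ~ /^(server|peer|pool)$/ && $2 !~ /^127\.127\.1\./')
    [ -z "$bad" ]
}

# Constructed sample: CapEff of root in a privileged container with all
# 38 capabilities (0x3fffffffff) versus the same mask with bit 25 cleared.
demo() {
    has_cap_sys_time 0000003fffffffff   && echo "full mask: sys_time present"
    has_cap_sys_time 0000003ffdffffff   || echo "dropped mask: sys_time missing"
    printf 'server 127.127.1.0 prefer # local clock\nfudge 127.127.1.0 stratum 10\n' \
        | ntp_conf_is_local_only && echo "host config: local clock only"
}
```

Run `demo` to see the constructed cases; on a real host feed `/etc/ntp.conf` to `ntp_conf_is_local_only` on stdin.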

Posted 21:38