[lxc-users] Can a container modify the host rtc?

Stewart Brodie sbrodie at espial.com
Tue Jul 26 16:58:58 UTC 2016

Paul Giordano <paulgiordano at webpass.net> wrote:

> Running LXD 2.0.3 
> I'm trying to have a container be an ntp server, but the container gets an
> EPERM trying to set the hw clock:
> clock_settime(CLOCK_REALTIME, {1469546956, 258938000}) = -1 EPERM (Operation not permitted) 
> adjtimex(0x7ffffb0d6bf0) = -1 EPERM (Operation not permitted) 
> settimeofday({1469546956, 258938}, NULL) = -1 EPERM (Operation not permitted) 
> settimeofday({1469546956, 0}, NULL) = -1 EPERM (Operation not permitted) 
> Is there a way to configure the container to allow access to /dev/rtc0? 

You won't be able to call those functions from a container not in the
initial user namespace, even if you possess CAP_SYS_TIME, because of the way
the kernel does its permission checks.

AIUI, this is to prevent containers from being able to do system-wide things
that affect other containers.  That affects quite a few things (such as
access to netlink, ability to mount certain types of device, inserting
kernel modules, access to the kernel logger).

Stewart Brodie
Senior Software Engineer
Espial UK
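An added example (not code from this thread, and not part of LXD) that makes the point above visible from inside a container. It reads /proc/self/uid_map to tell whether the process is in the initial user namespace, reads CapEff from /proc/self/status to see whether CAP_SYS_TIME (capability number 25) is held, and then exercises the kernel's settime permission check without changing the clock: a raw settimeofday(NULL, NULL) syscall does nothing after the capable(CAP_SYS_TIME) test, so it returns 0 where setting the clock would be allowed and EPERM where it would not. The raw syscall is used because the glibc wrapper dereferences tv. Assumes Linux and the usual /proc layout.

```c
/* Pre-flight check for an NTP daemon inside a container: shows, without
 * touching the clock, whether clock_settime/settimeofday/adjtimex will work.
 * Added example for this thread, not project code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_SYS_TIME_BIT 25   /* capability number of CAP_SYS_TIME */

/* Returns 1 if a /proc/self/uid_map line is the identity map of the
 * initial user namespace ("0 0 4294967295"), else 0. */
int uid_map_is_initial_ns(const char *line)
{
    unsigned long inside, outside, count;
    if (sscanf(line, "%lu %lu %lu", &inside, &outside, &count) != 3)
        return 0;
    return inside == 0 && outside == 0 && count == 4294967295UL;
}

/* Returns 1 if a CapEff hex mask (as printed in /proc/self/status)
 * has the CAP_SYS_TIME bit set, else 0. */
int capeff_has_sys_time(const char *hex)
{
    unsigned long long mask = strtoull(hex, NULL, 16);
    return (int)((mask >> CAP_SYS_TIME_BIT) & 1ULL);
}

/* Runs the kernel's settime permission check without changing anything:
 * settimeofday with both pointers NULL does no work after the
 * capable(CAP_SYS_TIME) test, which is evaluated against the initial
 * user namespace. Raw syscall: the glibc wrapper dereferences tv.
 * Returns 0 if setting the clock would be permitted, otherwise errno. */
int probe_settime(void)
{
    if (syscall(SYS_settimeofday, NULL, NULL) == 0)
        return 0;
    return errno;
}

int main(void)
{
    char line[128] = "";
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (f) {
        if (!fgets(line, sizeof line, f))
            line[0] = '\0';
        fclose(f);
    }
    int initial_ns = uid_map_is_initial_ns(line);

    char capeff[64] = "0";
    f = fopen("/proc/self/status", "r");
    if (f) {
        while (fgets(line, sizeof line, f))
            if (sscanf(line, "CapEff: %63s", capeff) == 1)
                break;
        fclose(f);
    }
    int has_cap = capeff_has_sys_time(capeff);
    int err = probe_settime();

    printf("initial user namespace : %s\n", initial_ns ? "yes" : "no");
    printf("CAP_SYS_TIME in CapEff : %s (CapEff=%s)\n",
           has_cap ? "yes" : "no", capeff);
    printf("settime permission check: %s\n",
           err ? strerror(err) : "allowed");
    if (err == EPERM && has_cap && !initial_ns)
        puts("-> CAP_SYS_TIME is held only inside a child user namespace; "
             "the kernel checks it against the initial namespace, so an "
             "NTP server here cannot step or slew the host clock.");
    return 0;
}
```

Run it inside the container: an unprivileged LXD container reports "initial user namespace: no" and EPERM on the probe even when CapEff shows CAP_SYS_TIME, which is exactly the situation the strace excerpt above shows. The two parsing helpers are kept separate from main so they can be reused by any daemon that wants to fail early with a clear message instead of a bare EPERM.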
