[lxc-users] Can a container modify the host rtc?
Stewart Brodie
sbrodie at espial.com
Tue Jul 26 16:58:58 UTC 2016
Paul Giordano <paulgiordano at webpass.net> wrote:
> Running LXD 2.0.3
>
> I'm trying to have a container be an ntp server, but the container gets an
> EPERM trying to set the hw clock:
>
> clock_settime(CLOCK_REALTIME, {1469546956, 258938000}) = -1 EPERM (Operation not permitted)
> adjtimex(0x7ffffb0d6bf0) = -1 EPERM (Operation not permitted)
> settimeofday({1469546956, 258938}, NULL) = -1 EPERM (Operation not permitted)
> settimeofday({1469546956, 0}, NULL) = -1 EPERM (Operation not permitted)
>
> Is there a way to configure the container to allow access to /dev/rtc0?
You won't be able to call those functions from a container not in the
initial user namespace, even if you possess CAP_SYS_TIME, because of the way
the kernel does its permission checks.
AIUI, this is to prevent containers from being able to do system-wide things
that affect other containers. That affects quite a few things (such as
access to netlink, ability to mount certain types of device, inserting
kernel modules, access to the kernel logger).
--
Stewart Brodie
Senior Software Engineer
Espial UK
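Added example (not from this thread or from LXD): a small Linux diagnostic that shows the two conditions the reply describes, whether the process sits in the initial user namespace (read from /proc/self/uid_map, which is the identity map "0 0 4294967295" only there) and whether CAP_SYS_TIME is in its effective set (via a raw capget(2) call, so no libcap is needed). The verdict strings and function names are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* The initial user namespace maps "0 0 4294967295". Any other map means a
 * child user namespace, where the kernel refuses settime calls regardless
 * of CAP_SYS_TIME. Unparseable input is treated as the restrictive case. */
bool uid_map_is_initial_ns(const char *uid_map)
{
    unsigned long inside, outside, count;
    if (sscanf(uid_map, "%lu %lu %lu", &inside, &outside, &count) != 3)
        return false;
    return inside == 0 && outside == 0 && count == 4294967295UL;
}

/* Read the live /proc/self/uid_map; on failure assume a child namespace. */
bool in_initial_user_ns(void)
{
    char buf[128] = {0};
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (!f) return false;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n > 0 && uid_map_is_initial_ns(buf);
}

/* Check CAP_SYS_TIME in the effective set with capget(2) via syscall(2). */
bool has_cap_sys_time(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0) return false;
    return (data[CAP_TO_INDEX(CAP_SYS_TIME)].effective & CAP_TO_MASK(CAP_SYS_TIME)) != 0;
}

/* Namespace membership is checked first: outside the initial user
 * namespace the capability alone never unlocks clock_settime/adjtimex. */
const char *settime_verdict(bool initial_ns, bool cap_sys_time)
{
    if (!initial_ns)   return "EPERM: not in the initial user namespace (CAP_SYS_TIME does not help)";
    if (!cap_sys_time) return "EPERM: initial user namespace but CAP_SYS_TIME missing";
    return "allowed: initial user namespace with CAP_SYS_TIME";
}

int main(void)
{
    bool ns = in_initial_user_ns(), cap = has_cap_sys_time();
    printf("initial userns: %d, CAP_SYS_TIME: %d -> %s\n", ns, cap, settime_verdict(ns, cap));
    return 0;
}
```

Run it inside the container to confirm the namespace check is what produces the EPERM, and on the host to see the allowed verdict when run as root.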