[lxc-users] Can a container modify the host rtc?

jjs - mainphrame jjs at mainphrame.com
Tue Jul 26 20:08:50 UTC 2016


Interesting - we've had OVZ containers running as ntp servers, being
granted the ability to set the RTC via the CAP_SYS_TIME capability. (never
more than one per physical host though)

Jake

On Tue, Jul 26, 2016 at 9:58 AM, Stewart Brodie <sbrodie at espial.com> wrote:

> Paul Giordano <paulgiordano at webpass.net> wrote:
>
> > Running LXD 2.0.3
> >
> > I'm trying to have a container be an ntp server, but the container gets
> > an EPERM trying to set the hw clock:
> >
> > clock_settime(CLOCK_REALTIME, {1469546956, 258938000}) = -1 EPERM (Operation not permitted)
> > adjtimex(0x7ffffb0d6bf0) = -1 EPERM (Operation not permitted)
> > settimeofday({1469546956, 258938}, NULL) = -1 EPERM (Operation not permitted)
> > settimeofday({1469546956, 0}, NULL) = -1 EPERM (Operation not permitted)
> >
> > Is there a way to configure the container to allow access to /dev/rtc0?
>
>
> You won't be able to call those functions from a container not in the
> initial user namespace, even if you possess CAP_SYS_TIME, because of the
> way the kernel does its permission checks.
>
> AIUI, this is to prevent containers from being able to do system-wide
> things that affect other containers.  That affects quite a few things
> (such as access to netlink, ability to mount certain types of device,
> inserting kernel modules, access to the kernel logger)
>
>
> --
> Stewart Brodie
> Senior Software Engineer
> Espial UK