[lxc-users] Can a container modify the host rtc?

Stewart Brodie sbrodie at espial.com
Wed Jul 27 11:13:14 UTC 2016


Marat Khalili <mkh at rqc.ru> wrote:

> On 26/07/16 19:58, Stewart Brodie wrote:
> >
> > You won't be able to call those functions from a container not in the
> > initial user namespace, even if you possess CAP_SYS_TIME, because of the
> > way the kernel does its permission checks.

> I wonder if there's really no workaround for ntpd? Special version
> talking to the host through pipe probably? It is very convenient from
> administration point of view to keep every network service in a separate
> container.

I am aware of two workarounds (apart from obviously just running ntpd in the
host itself).

As you suggest, you could try transporting the system calls through a pipe
to something running on the host.  It could work, but to me, that sounds
awkward and introduces another level of stuff that has to be secured - and
keeping things isolated and as secure as possible is presumably the reason
why you want to run ntpd in a container in the first place!

The workaround I use is to patch the kernel to permit the calls based only
on whether the caller possesses CAP_SYS_TIME.  I can only do that because I
control all the software running on our embedded devices, though.  I would
strongly disrecommend doing that on anything where you don't control the
entire machine.


-- 
Stewart Brodie
Senior Software Engineer
Espial UK
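The permission check the thread is about can be made concrete. The C program below is an added illustration, not code from the thread and not kernel source: it is a user-space model of how the kernel gates settimeofday()/adjtimex()/clock_settime(). Those paths check capable(CAP_SYS_TIME), and capable() is ns_capable() evaluated against init_user_ns, so a task whose capabilities are only valid in a child user namespace fails even though it "has" CAP_SYS_TIME there. The model walks the namespace chain the way cap_capable() does (the namespace-owner shortcut is left out), then contrasts it with a check that only looks at the caller's own namespace, which is the shape of the patch described in the reply. The struct names, task names and the CAP_SYS_TIME value copied from <linux/capability.h> are the only assumptions; the third task models a standard kernel fact, namely that a process creating a new user namespace holds a full capability set inside it, which is why the namespace-local check is unsafe on a machine you do not fully control.

```c
/* Added example: user-space model of the kernel's capability checks that gate
 * the settime system calls. Not kernel code; names are simplified stand-ins
 * for capable(), ns_capable() and init_user_ns so the logic can be run here. */
#include <stdbool.h>
#include <stdio.h>

#ifndef CAP_SYS_TIME
#define CAP_SYS_TIME 25          /* value from <linux/capability.h> */
#endif

struct user_ns {
    const char *name;
    struct user_ns *parent;      /* NULL for the initial namespace */
};

struct task {
    const char *name;
    struct user_ns *ns;          /* user namespace the task lives in */
    unsigned long long caps;     /* effective capability bits, valid in ns */
};

static struct user_ns init_user_ns = { "init_user_ns", NULL };
static struct user_ns container_ns = { "container_ns", &init_user_ns };
static struct user_ns unpriv_ns    = { "unshare(CLONE_NEWUSER) ns", &init_user_ns };

/* Constructed scenarios (assumed names, not real processes). */
static struct task host_ntpd      = { "ntpd on host",           &init_user_ns, 1ULL << CAP_SYS_TIME };
static struct task container_ntpd = { "ntpd in container",      &container_ns, 1ULL << CAP_SYS_TIME };
static struct task userns_creator = { "unprivileged userns user", &unpriv_ns,  ~0ULL }; /* full set in own ns */

static bool has_cap(const struct task *t, int cap)
{
    return (t->caps >> cap) & 1ULL;
}

/* Model of ns_capable(): walk from the target namespace up through its
 * parents; the task's bits count only if its own namespace is reached, i.e.
 * capabilities flow down to descendants, never up to ancestors. */
static bool model_ns_capable(const struct task *t, struct user_ns *target, int cap)
{
    for (struct user_ns *ns = target; ns; ns = ns->parent)
        if (ns == t->ns)
            return has_cap(t, cap);
    return false;
}

/* Model of capable(): ns_capable() against init_user_ns. This is the check on
 * the settime path, so only capabilities valid in the initial namespace pass. */
static bool model_capable(const struct task *t, int cap)
{
    return model_ns_capable(t, &init_user_ns, cap);
}

/* Stock kernel: settime allowed only if capable(CAP_SYS_TIME). */
static bool stock_may_settime(const struct task *t)
{
    return model_capable(t, CAP_SYS_TIME);
}

/* Shape of the workaround in the reply: look only at whether the caller holds
 * CAP_SYS_TIME in its own namespace. */
static bool patched_may_settime(const struct task *t)
{
    return model_ns_capable(t, t->ns, CAP_SYS_TIME);
}

int main(void)
{
    const struct task *tasks[] = { &host_ntpd, &container_ntpd, &userns_creator };

    printf("%-28s %-8s %-8s\n", "task", "stock", "patched");
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        printf("%-28s %-8s %-8s\n", tasks[i]->name,
               stock_may_settime(tasks[i])   ? "allowed" : "EPERM",
               patched_may_settime(tasks[i]) ? "allowed" : "EPERM");
    return 0;
}
```

The table shows the two sides of the trade-off in one place: the patched check is what lets a containerised ntpd set the clock, and it is also what lets any local user who can unshare a user namespace do the same.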

