[lxc-users] Can a container modify the host rtc?
Stewart Brodie
sbrodie at espial.com
Wed Jul 27 11:13:14 UTC 2016
Marat Khalili <mkh at rqc.ru> wrote:
> On 26/07/16 19:58, Stewart Brodie wrote:
> >
> > You won't be able to call those functions from a container not in the
> > initial user namespace, even if you possess CAP_SYS_TIME, because of the
> > way the kernel does its permission checks.
> I wonder if there's there really no workaround for ntpd? Special version
> talking to the host through pipe probably? It is very convenient from
> administration point of view to keep every network service in a separate
> container.
I am aware of two workarounds (apart from obviously just running ntpd in the
host itself)
As you suggest, you could try transporting the system calls through a pipe
to something running on the host. It could work, but to me, that sounds
awkward and introduces another level of stuff that has to be secured - and
keeping things isolated and as secure as possible is presumably the reason
why you want to run ntpd in a container in the first place!
The workaround I use is to patch the kernel to permit the calls based only
on whether the caller possesses CAP_SYS_TIME. I can only do that because I
control all the software running on our embedded devices, though. I would
strongly disrecommend doing that on anything where you don't control the
entire machine.
--
Stewart Brodie
Senior Software Engineer
Espial UK
More information about the lxc-users
mailing list