Bug 1778133

Summary: Chrony in container started to fail with Operation not permitted even with SYS_TIME capability
Product: Fedora
Reporter: Jan Pazdziora <jpazdziora>
Component: podman
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 32
CC: adimania, admiller, amurdaca, bbaude, debarshir, dwalsh, fweimer, ichavero, jcajka, jnovy, John_Sauter, jpazdziora, lsm5, mheon, mlichvar, nalin, rh.container.bot, santiago
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-09-14 17:51:22 UTC
Type: Bug

Description Jan Pazdziora 2019-11-29 11:21:13 UTC
Description of problem:

Chrony in a container traditionally needs the SYS_TIME capability and is then able to manage time on the host. On Fedora rawhide, that seems no longer possible.

Version-Release number of selected component (if applicable):

chrony-3.5-6.fc32.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have this Dockerfile:

```
FROM registry.fedoraproject.org/fedora:rawhide
RUN dnf install -y chrony && dnf -y clean all
CMD ["/usr/sbin/chronyd", "-d"]
```

2. Build container image: docker build -t chrony-rawhide .
3. Run the container with SYS_TIME: docker run --cap-add SYS_TIME chrony-rawhide

Actual results:

```
2019-11-29T11:12:01Z chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
2019-11-29T11:12:01Z Fatal error : adjtimex(0x8001) failed : Operation not permitted
```

Expected results:

```
2019-11-29T11:20:03Z chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
2019-11-29T11:20:03Z Initial frequency -14.694 ppm
2019-11-29T11:20:03Z Using right/UTC timezone to obtain leap second data
```

This is the output I get from a Fedora 31-based container with chrony-3.5-4.fc31.x86_64, built from this Dockerfile:

```
FROM registry.fedoraproject.org/fedora:31
RUN dnf install -y chrony && dnf -y clean all
CMD ["/usr/sbin/chronyd", "-d"]
```

Additional info:

Observed on Fedora 30 host with docker-1.13.1-68.git47e2230.fc30.x86_64.

Comment 1 Jan Pazdziora 2019-11-29 11:54:42 UTC
I see the same result on Fedora 31 with podman-1.6.2-2.fc31.x86_64 instead of docker.

Comment 2 Miroslav Lichvar 2019-12-02 11:28:48 UTC
This looks like a docker bug. It doesn't seem to allow the clock_adjtime system call with the SYS_TIME capability. In a quick search on github I found this list which might need to be updated:

https://github.com/docker/docker-ce/blob/9867d9fdde40205541d5f204c1038fc03939fea2/components/engine/profiles/seccomp/seccomp_default.go

The reason why it shows only with the Fedora rawhide packages is that glibc switched its adjtimex() implementation to the clock_adjtime() system call. When I try to use clock_adjtime() in a Fedora 31 container, it fails with EPERM too.

Comment 3 Miroslav Lichvar 2019-12-02 11:38:09 UTC
FWIW, the glibc change also broke chronyd's own seccomp filter (the -F 1 option).

Comment 4 Jan Pazdziora 2019-12-02 11:58:11 UTC
Docker is likely dead in Fedora. Let's move this to podman component.

Comment 5 Daniel Walsh 2019-12-02 15:59:10 UTC
I believe this works with Podman in F31 and Rawhide?

```
		{
			"names": [
				"settimeofday",
				"stime",
				"clock_settime",
				"clock_adjtime",
				"adjtimex"
			],
			"action": "SCMP_ACT_ALLOW",
			"args": [],
			"comment": "",
			"includes": {
				"caps": [
					"CAP_SYS_TIME"
				]
			},
			"excludes": {}
		},
```

If you add CAP_SYS_TIME, then seccomp adds all of those syscalls.  Are we missing any?

Comment 6 Miroslav Lichvar 2019-12-02 16:14:29 UTC
adjtimex() and clock_adjtime() can be used as read-only operations, so maybe they should be enabled even without CAP_SYS_TIME? Docker seems to do that for adjtimex().
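The read-only use of adjtimex() and clock_adjtime() that Comment 2 and Comment 6 discuss, as an added C diagnostic (not code from the bug report, chrony, glibc or podman): it invokes both raw syscalls with modes = 0, which the kernel permits without CAP_SYS_TIME, so an EPERM from either one inside a container points at the seccomp profile rather than at a missing capability. Calling the syscalls directly also sidesteps whichever of the two the installed glibc's adjtimex() wrapper happens to use. The enum and function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/timex.h>
#include <time.h>
#include <unistd.h>

/* Outcome of a read-only (modes = 0) clock query; names are this example's own. */
enum probe_result { PROBE_ALLOWED, PROBE_FILTERED, PROBE_UNSUPPORTED, PROBE_OTHER };

/* Map the raw syscall result to an outcome. A modes = 0 query never needs
 * CAP_SYS_TIME, so EPERM on it can only come from a seccomp (or LSM) filter. */
enum probe_result classify(long rc, int err)
{
    if (rc >= 0)       return PROBE_ALLOWED;     /* kernel returned clock state, e.g. TIME_OK */
    if (err == EPERM)  return PROBE_FILTERED;    /* blocked by the container's syscall filter */
    if (err == ENOSYS) return PROBE_UNSUPPORTED; /* filter answering ENOSYS, or no such syscall */
    return PROBE_OTHER;
}

/* Legacy adjtimex(2), issued as a raw syscall so the libc wrapper cannot
 * silently route it to clock_adjtime(2) the way newer glibc does. */
enum probe_result probe_adjtimex_syscall(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);            /* modes = 0: query only, change nothing */
    errno = 0;
    long rc = syscall(SYS_adjtimex, &tx);
    return classify(rc, errno);
}

/* clock_adjtime(2) on CLOCK_REALTIME: the syscall behind adjtimex() in newer glibc. */
enum probe_result probe_clock_adjtime_syscall(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    errno = 0;
    long rc = syscall(SYS_clock_adjtime, CLOCK_REALTIME, &tx);
    return classify(rc, errno);
}

int main(void)
{
    /* Run inside the image under test, with and without --cap-add SYS_TIME.
     * Legend: 0 = allowed, 1 = EPERM (filtered), 2 = ENOSYS, 3 = other error. */
    printf("adjtimex      : %d\n", (int)probe_adjtimex_syscall());
    printf("clock_adjtime : %d\n", (int)probe_clock_adjtime_syscall());
    return 0;
}
```

If adjtimex reports 0 while clock_adjtime reports 1, the profile is the one described in Comment 2: the legacy syscall is open but clock_adjtime is gated behind CAP_SYS_TIME, which is exactly what a glibc that routes adjtimex() through clock_adjtime() trips over.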

Comment 7 Ben Cotton 2020-02-11 17:37:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 8 Daniel Walsh 2020-09-14 17:51:22 UTC
This should be fixed in the current release.

podman 2.0.* along with latest containers-common.