Bug 1778133
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Chrony in container started to fail with Operation not permitted even with SYS_TIME capability | | |
| Product | [Fedora] Fedora | Reporter | Jan Pazdziora <jpazdziora> |
| Component | podman | Assignee | Lokesh Mandvekar <lsm5> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 32 | CC | adimania, admiller, amurdaca, bbaude, debarshir, dwalsh, fweimer, ichavero, jcajka, jnovy, John_Sauter, jpazdziora, lsm5, mheon, mlichvar, nalin, rh.container.bot, santiago |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-09-14 17:51:22 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Jan Pazdziora
2019-11-29 11:21:13 UTC
I see the same result on Fedora 31 with podman-1.6.2-2.fc31.x86_64 instead of docker.

This looks like a docker bug. It doesn't seem to allow the clock_adjtime system call with the SYS_TIME capability. In a quick search on github I found this list which might need to be updated: https://github.com/docker/docker-ce/blob/9867d9fdde40205541d5f204c1038fc03939fea2/components/engine/profiles/seccomp/seccomp_default.go

The reason why it shows only with the Fedora rawhide packages is that glibc switched its adjtimex() implementation to the clock_adjtime() system call. When I try to use clock_adjtime() in a Fedora 31 container, it fails with EPERM too.

FWIW, the glibc change broke also chronyd's own seccomp filter (the -F 1 option).

Docker is likely dead in Fedora. Let's move this to podman component. I believe this works with Podman in F31 and Rawhide?

```json
{
  "names": [
    "settimeofday",
    "stime",
    "clock_settime",
    "clock_adjtime",
    "adjtimex"
  ],
  "action": "SCMP_ACT_ALLOW",
  "args": [],
  "comment": "",
  "includes": {
    "caps": [
      "CAP_SYS_TIME"
    ]
  },
  "excludes": {}
},
```

If you add CAP_SYS_TIME, then seccomp adds all of those syscalls. Are we missing any?

adjtimex() and clock_adjtime() can be used as read-only operations, so maybe they should be enabled even without CAP_SYS_TIME? Docker seems to do that for adjtimex().

This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.

This should be fixed in the current release. podman 2.0.* along with latest containers-common.
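As an added check (not code from this bug report, nor from podman or Docker): a small audit script that applies the includes/excludes capability logic of the quoted profile entry to a constructed profile and reports which time-related syscalls a container can reach with and without CAP_SYS_TIME, which is exactly the path a glibc adjtimex() now takes via clock_adjtime. The unconditional "adjtimex" entry and the first-matching-entry rule are assumptions made for this example.

```python
"""Audit a Docker/podman-style seccomp profile: which time syscalls can a
container reach for a given capability set?  Constructed example."""
import json

# Constructed profile fragment. The CAP_SYS_TIME entry is the one quoted in
# this bug; the unconditional "adjtimex" entry mirrors what the comment says
# Docker does and is an assumption about the rest of the profile.
PROFILE_JSON = r'''
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["adjtimex"], "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {}, "excludes": {}},
    {"names": ["settimeofday", "stime", "clock_settime",
               "clock_adjtime", "adjtimex"],
     "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_TIME"]}, "excludes": {}}
  ]
}
'''

def load_profile():
    return json.loads(PROFILE_JSON)

def entry_applies(entry, caps):
    """Mirror the profile loader's capability gating: every 'includes' cap
    must be granted to the container, and no 'excludes' cap may be."""
    inc = set(entry.get("includes", {}).get("caps", []))
    exc = set(entry.get("excludes", {}).get("caps", []))
    return inc <= caps and not (exc & caps)

def syscall_action(profile, name, caps):
    """Action a syscall receives for a container holding `caps`.
    Assumption: the first applicable entry naming the syscall wins; if none
    applies, the profile's defaultAction (here SCMP_ACT_ERRNO -> EPERM)."""
    caps = set(caps)
    for entry in profile["syscalls"]:
        if name in entry.get("names", []) and entry_applies(entry, caps):
            return entry["action"]
    return profile["defaultAction"]

def audit_time_syscalls(profile, caps):
    """glibc's adjtimex() wrapper may issue either adjtimex or clock_adjtime,
    so both must be permitted for chronyd to work; report all four."""
    names = ("adjtimex", "clock_adjtime", "clock_settime", "settimeofday")
    return {n: syscall_action(profile, n, caps) for n in names}

if __name__ == "__main__":
    for caps in ((), ("CAP_SYS_TIME",)):
        print(list(caps) or "no extra caps", audit_time_syscalls(load_profile(), caps))
```

Without CAP_SYS_TIME the script shows adjtimex allowed but clock_adjtime denied, which is the read-only EPERM described in the report; adding the capability allows all four.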