Description of problem:
Chrony in a container traditionally needs the SYS_TIME capability and is then able to manage time on the host. On Fedora rawhide, that seems no longer possible.

Version-Release number of selected component (if applicable):
chrony-3.5-6.fc32.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. Have Dockerfile:
```
FROM registry.fedoraproject.org/fedora:rawhide
RUN dnf install -y chrony && dnf -y clean all
CMD ["/usr/sbin/chronyd", "-d"]
```
2. Build container image: docker build -t chrony-rawhide .
3. Run the container with SYS_TIME: docker run --cap-add SYS_TIME chrony-rawhide

Actual results:
```
2019-11-29T11:12:01Z chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
2019-11-29T11:12:01Z Fatal error : adjtimex(0x8001) failed : Operation not permitted
```

Expected results:
```
2019-11-29T11:20:03Z chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
2019-11-29T11:20:03Z Initial frequency -14.694 ppm
2019-11-29T11:20:03Z Using right/UTC timezone to obtain leap second data
```
This is the output I get from a Fedora 31-based container with chrony-3.5-4.fc31.x86_64 built from Dockerfile
```
FROM registry.fedoraproject.org/fedora:31
RUN dnf install -y chrony && dnf -y clean all
CMD ["/usr/sbin/chronyd", "-d"]
```

Additional info:
Observed on Fedora 30 host with docker-1.13.1-68.git47e2230.fc30.x86_64.
I see the same result on Fedora 31 with podman-1.6.2-2.fc31.x86_64 instead of docker.
This looks like a docker bug. It doesn't seem to allow the clock_adjtime system call with the SYS_TIME capability. In a quick search on github I found this list which might need to be updated: https://github.com/docker/docker-ce/blob/9867d9fdde40205541d5f204c1038fc03939fea2/components/engine/profiles/seccomp/seccomp_default.go The reason why it shows only with the Fedora rawhide packages is that glibc switched its adjtimex() implementation to the clock_adjtime() system call. When I try to use clock_adjtime() in a Fedora 31 container, it fails with EPERM too.
FWIW, the glibc change broke also chronyd's own seccomp filter (the -F 1 option).
Docker is likely dead in Fedora. Let's move this to podman component.
I believe this works with Podman in F31 and Rawhide?
```
{
  "names": [
    "settimeofday",
    "stime",
    "clock_settime",
    "clock_adjtime",
    "adjtimex"
  ],
  "action": "SCMP_ACT_ALLOW",
  "args": [],
  "comment": "",
  "includes": {
    "caps": [
      "CAP_SYS_TIME"
    ]
  },
  "excludes": {}
},
```
If you add CAP_SYS_TIME, then seccomp adds all of those syscalls. Are we missing any?
adjtimex() and clock_adjtime() can be used as read-only operations, so maybe they should be enabled even without CAP_SYS_TIME? Docker seems to do that for adjtimex().
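The comments above distinguish two things that both surface as "Operation not permitted": the kernel refusing a clock *modification* without CAP_SYS_TIME, and the container runtime's seccomp profile refusing the clock_adjtime syscall outright. The probe below, an added example that is not code from this thread, from chrony or from Docker/Podman, separates the two by issuing only read-only queries (modes == 0), which the kernel permits without any capability; if the raw clock_adjtime() call still fails with EPERM while adjtimex() succeeds, the seccomp profile is what is in the way. It assumes a Linux host where SYS_clock_adjtime is defined (x86_64 in the reports above) and uses the raw syscall number rather than a glibc wrapper so that the result does not depend on which syscall glibc chose to implement adjtimex():

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/timex.h>
#include <time.h>
#include <unistd.h>

/* Read-only adjtimex(): with modes == 0 the kernel only reports the clock
 * state and does not check CAP_SYS_TIME. Returns 0 on success, else errno. */
int probe_adjtimex_readonly(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = 0;
    if (adjtimex(&tx) == -1)
        return errno;
    return 0;
}

/* Same read-only query, but issued as the raw clock_adjtime syscall on
 * CLOCK_REALTIME. This is the call newer glibc uses behind adjtimex(),
 * and the one the container seccomp profile may block. Returns 0 or errno. */
int probe_clock_adjtime_readonly(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = 0;
#ifdef SYS_clock_adjtime
    if (syscall(SYS_clock_adjtime, CLOCK_REALTIME, &tx) == -1)
        return errno;
    return 0;
#else
    /* Assumption: treat a missing syscall number as "not available". */
    return ENOSYS;
#endif
}

/* Map an errno from the probes to a short diagnosis. For a read-only query,
 * EPERM cannot come from the capability check, so it points at seccomp. */
const char *diagnose(int err)
{
    switch (err) {
    case 0:
        return "allowed";
    case EPERM:
        return "EPERM on a read-only query: blocked by the seccomp profile";
    case ENOSYS:
        return "ENOSYS: syscall not available on this kernel/arch";
    default:
        return "unexpected error";
    }
}

int main(void)
{
    int a = probe_adjtimex_readonly();
    int c = probe_clock_adjtime_readonly();
    printf("adjtimex(modes=0):      %s (%s)\n", diagnose(a), a ? strerror(a) : "ok");
    printf("clock_adjtime(modes=0): %s (%s)\n", diagnose(c), c ? strerror(c) : "ok");
    return 0;
}
```

Run it once on the host and once inside the container, with and without `--cap-add SYS_TIME`: on the host both queries succeed; in a container whose seccomp profile lists adjtimex but not clock_adjtime, the first succeeds and the second reports EPERM regardless of the capability, which is exactly the pattern the glibc change exposed.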
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
This should be fixed in the current release. podman 2.0.* along with latest containers-common.