-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
systemd-time-wait-sync.service
seems to be failing to start inside user namespace containers
#8535
Comments
Hmm, I figure adjitemex() will fail in various container setups. Let's handle that gracefully, and simply assume that if we get EPERM or EACCES on adjtimex() we run inside a container, and the clock is set correctly anyway. @pabigot any chance you can hack up a quick patch for this? Maybe add a brief log_debug() message explaining the assumption when we exit early if adjtimex() fails like this. |
Would disabling it in a container as is done with timesyncd be the right solution? I'll take a look... |
@pabigot we generally want that our images likely boot as well on are metal as in VMs or containers. And that means for auxiliary stuff like this we should handle things gracefully. Of course if some major part of a system can't work in a container, by all means it should fail, but this isn't like that. It's more auxiliary. |
From memory, it is in fact EPERM that shows up in this case. I'm very naive in system.unit configuration, but I'm looking at the various extra stuff that timesyncd has in its unit, and should be able to make something work. |
That said, maybe we should not solve this in code but simply via a condition:
The same two conditions we already have in timesyncd. I think we should add this here too. It would mean the service is skipped silently if CAP_SYS_TIME is missing or we run in a container, which really is the behaviour we want here. Fixing the unit file like this should be trivial. |
Great; that's exactly what I was looking at. |
Well, container managers might block adjtimes via various different ways, for example via seccomp. If they do, then all bets are off, they might as well use EACCES… But yes you are right the caps/userns based blocking would mean we'd get EPERM. but anyway, this is moot, I am pretty sure we should go the condition way. |
FWIW, I don't believe |
It's not necessary. However, given that the ConditionCapability checks PID1's caps, and given that timesyncd has the same condition, we know that there's no point in waiting for an NTP sync if the NTP sync can't happen anyway. Hence, even though this service won't need CAP_SYS_TIME itself, it's still a good check |
This should make it much easier to catch regressions like systemd#9914 and systemd#8535.
This should make it much easier to catch regressions like systemd/systemd#9914 and systemd/systemd#8535. (cherry picked from commit 746fbd9)
This should make it much easier to catch regressions like systemd/systemd#9914 and systemd/systemd#8535. (cherry picked from commit 746fbd9)
This should make it much easier to catch regressions like systemd/systemd#9914 and systemd/systemd#8535. (cherry picked from commit 746fbd9) (cherry picked from commit 91bd0b9)
This should make it much easier to catch regressions like systemd/systemd#9914 and systemd/systemd#8535. Related: #1794787 (cherry picked from commit 746fbd9) (cherry picked from commit 91bd0b9)
This should make it much easier to catch regressions like systemd/systemd#9914 and systemd/systemd#8535. Related: #1794787 (cherry picked from commit 746fbd9) (cherry picked from commit 91bd0b9)
I haven't read #8494 where
systemd-time-wait-sync.service
was introduced yet, so I'm not sure whether it is a bug or not:The text was updated successfully, but these errors were encountered: