[Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

Jan Pazdziora jpazdziora at redhat.com
Thu Jan 15 08:01:43 UTC 2015


On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote:
> Hi,
> 
> I'm running into a strange problem related to ntpd when trying to use
> IPA in a container.  I'm using the adelton/freeipa-server:fedora-21 and
> adelton/freeipa-client:fedora-21 docker images.  Basically, the client
> install hangs when it runs ntpd.  This is reproducible on two different
> docker hosts of mine, so it will probably easily reproduce for others as

[...]

> The /sbin/ipa-server-configure-first entrypoint script for the server
> image does a 'systemctl start-enabled' to bring up all of the services,
> which results in this output in /var/log/systemctl.log:
> 
> --------------------------------------------------------------------
> [start-enabled]
> [start ntpd.service]
> Running [export OPTIONS="-g -x"; /usr/sbin/ntpd -u ntp:ntp $OPTIONS]
> Marked pid [15] for [ntpd.service]
> Marked process name [/usr/sbin/ntpd] for [ntpd.service]
> ...
> --------------------------------------------------------------------
> 
> This is the same log output that is generated if I manually run
> 'systemctl start ntpd.service' from within the container, but the ntpd
> process stays around when I start it this way.  It's hard to tell what
> might be happening to ntpd, as there is no journal in the container.
> 
> I'm continuing to debug this, but I thought I'd share my findings thus
> far in case anyone else has seen this or has any ideas for tracking the
> problem down.  Any ideas?

You need to use --cap-add=SYS_TIME when running the server container
or ntpd will fail.

Even if you do that, SELinux will likely prevent ntpd doing its job
but at least it will stay around so that the client can connect to it.

What is interesting though is the fact that the client hangs
indefinitely instead of reporting that it cannot sync the time and
proceeding.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
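
Added example, not part of the original message or of the FreeIPA container images: a shell check, meant to be run as root inside the server container before ntpd starts, for the capability that `--cap-add=SYS_TIME` grants. The function names and the two sample masks are assumptions constructed for illustration; CAP_SYS_TIME is capability number 25 in the kernel headers.

```shell
#!/bin/sh
# Added example: check for CAP_SYS_TIME (capability number 25 in
# <linux/capability.h>), which ntpd needs in order to adjust the clock.
CAP_SYS_TIME_BIT=25

# cap_mask FIELD [FILE]: print the hex mask stored under FIELD (CapEff,
# CapBnd, ...) in a /proc/<pid>/status-style file; default is this process.
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# mask_has_sys_time HEXMASK: succeed only if bit 25 is set in the mask.
mask_has_sys_time() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # empty or not hex: cannot decide
    esac
    [ $(( (0x$1 >> CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# ntpd_can_set_clock [FILE]: check both the effective and bounding sets.
# Hypothetical helper; run it as root inside the container.
ntpd_can_set_clock() {
    for field in CapEff CapBnd; do
        mask=$(cap_mask "$field" "$1")
        if ! mask_has_sys_time "$mask"; then
            echo "$field=${mask:-unknown}: CAP_SYS_TIME missing," \
                 "start the container with --cap-add=SYS_TIME" >&2
            return 1
        fi
    done
    echo "CAP_SYS_TIME present"
}

# Constructed sample masks (not taken from the thread): a capability set
# typical of a default Docker container, and the same set with bit 25 added.
DEFAULT_MASK=00000000a80425fb
WITH_SYS_TIME_MASK=00000000aa0425fb
for m in "$DEFAULT_MASK" "$WITH_SYS_TIME_MASK"; do
    if mask_has_sys_time "$m"; then
        echo "$m: ntpd may adjust the clock"
    else
        echo "$m: ntpd cannot adjust the clock"
    fi
done
```

Calling `ntpd_can_set_clock` with no argument reads `/proc/self/status`; a passing result only covers the capability, not the SELinux denial mentioned in the reply.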



