[Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

Nathan Kinder nkinder at redhat.com
Thu Jan 15 16:56:29 UTC 2015



On 01/15/2015 12:01 AM, Jan Pazdziora wrote:
> On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote:
>> Hi,
>>
>> I'm running into a strange problem related to ntpd when trying to use
>> IPA in a container.  I'm using the adelton/freeipa-server:fedora-21 and
>> adelton/freeipa-client:fedora-21 docker images.  Basically, the client
>> install hangs when it runs ntpd.  This is reproducible on two different
>> docker hosts of mine, so it will probably easily reproduce for others as
> 
> [...]
> 
>> The /sbin/ipa-server-configure-first entrypoint script for the server
>> image does a 'systemctl start-enabled' to bring up all of the services,
>> which results in this output in /var/log/systemctl.log:
>>
>> --------------------------------------------------------------------
>> [start-enabled]
>> [start ntpd.service]
>> Running [export OPTIONS="-g -x"; /usr/sbin/ntpd -u ntp:ntp $OPTIONS]
>> Marked pid [15] for [ntpd.service]
>> Marked process name [/usr/sbin/ntpd] for [ntpd.service]
>> ...
>> --------------------------------------------------------------------
>>
>> This is the same log output that is generated if I manually run
>> 'systemctl start ntpd.service' from within the container, but the ntpd
>> process stays around when I start it this way.  It's hard to tell what
>> might be happening to ntpd, as there is no journal in the container.
>>
>> I'm continuing to debug this, but I thought I'd share my findings thus
>> far in case anyone else has seen this or has any ideas for tracking the
>> problem down.  Any ideas?
> 
> You need to use --cap-add=SYS_TIME when running the server container
> or ntpd will fail.

Thanks for the tip.  This works.  It would be handy to add this to the
README for your freeipa-server container.

> 
> Even if you do that, SELinux will likely prevent ntpd doing its job
> but at least it will stay around so that the client can connect to it.
> 
> What is interesting though is the fact that the client hangs
> indefinitely instead of reporting that it cannot sync the time and
> proceeding.
> 

I think this is simply a behavior difference between ntpdate and ntpd
(which we are using now during the client install on f21).  This issue
should not be specific to using IPA in a container.

Hanging indefinitely is never a good thing, so I think it would be nice
to add a timeout in ipa-client-install in case we can't reach the server
for ntp.   I have filed a ticket for this:

  https://fedorahosted.org/freeipa/ticket/4842

-NGK
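Two checks an entrypoint script could run around the problems raised in this thread, as an added example (not code from the thread, from the freeipa-server images, or from ipa-client-install): first, confirm that the container actually holds CAP_SYS_TIME (bit 25 of the CapEff mask in /proc/self/status, which is what --cap-add=SYS_TIME grants) before starting ntpd, and second, wrap the time-sync step in a watchdog so an unreachable NTP server produces a failure code instead of an indefinite hang. The function names, the 124 exit code (borrowed from coreutils' timeout convention) and the sample mask values in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# has_cap_sys_time CAPHEX  -> 0 if CAP_SYS_TIME (bit 25) is set in a
#                             CapEff value as printed in /proc/self/status
# current_cap_eff          -> CapEff hex of this shell (Linux only)
# run_with_timeout SECS CMD... -> runs CMD, kills it after SECS and
#                             returns 124 instead of hanging forever

CAP_SYS_TIME_BIT=25

has_cap_sys_time() {
    caphex="$1"
    # Prefix with 0x so leading zeros are not read as octal.
    val=$(( 0x$caphex ))
    [ $(( (val >> CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

current_cap_eff() {
    # Line looks like "CapEff:\t0000003fffffffff"; print the mask only.
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

run_with_timeout() {
    secs="$1"; shift
    "$@" &
    cmd_pid=$!
    # Watchdog: after SECS seconds, terminate the command.
    ( sleep "$secs"; kill "$cmd_pid" 2>/dev/null ) &
    watchdog=$!
    wait "$cmd_pid"
    rc=$?
    kill "$watchdog" 2>/dev/null || true
    wait "$watchdog" 2>/dev/null || true
    # Killed by the watchdog (128+signal) -> report 124, like timeout(1).
    if [ "$rc" -gt 128 ]; then
        rc=124
    fi
    return "$rc"
}

# Usage: warn before starting ntpd if the capability is missing.
# Constructed sample masks: a Docker default set such as 00000000a80425fb
# lacks bit 25, a full root set such as 0000003fffffffff has it.
if [ -r /proc/self/status ]; then
    if has_cap_sys_time "$(current_cap_eff)"; then
        echo "CAP_SYS_TIME present: ntpd may adjust the clock"
    else
        echo "CAP_SYS_TIME missing: run the container with --cap-add=SYS_TIME"
    fi
fi
```

A client-side installer would call something like `run_with_timeout 15 ntpd -q -g <server>` (assumed invocation) and treat a 124 return as "could not sync time, continuing", which is the behaviour the ticket above asks for instead of the hang.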