[Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container
Nathan Kinder
nkinder at redhat.com
Thu Jan 15 16:56:29 UTC 2015
On 01/15/2015 12:01 AM, Jan Pazdziora wrote:
> On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote:
>> Hi,
>>
>> I'm running into a strange problem related to ntpd when trying to use
>> IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and
>> adelton/freeipa-client:fedora-21 docker images. Basically, the client
>> install hangs when it runs ntpd. This is reproducible on two different
>> docker hosts of mine, so it will probably easily reproduce for others as
>
> [...]
>
>> The /sbin/ipa-server-configure-first entrypoint script for the server
>> image does a 'systemctl start-enabled' to bring up all of the services,
>> which results in this output in /var/log/systemctl.log:
>>
>> --------------------------------------------------------------------
>> [start-enabled]
>> [start ntpd.service]
>> Running [export OPTIONS="-g -x"; /usr/sbin/ntpd -u ntp:ntp $OPTIONS]
>> Marked pid [15] for [ntpd.service]
>> Marked process name [/usr/sbin/ntpd] for [ntpd.service]
>> ...
>> --------------------------------------------------------------------
>>
>> This is the same log output that is generated if I manually run
>> 'systemctl start ntpd.service' from within the container, but the ntpd
>> process stays around when I start it this way. It's hard to tell what
>> might be happening to ntpd, as there is no journal in the container.
>>
>> I'm continuing to debug this, but I thought I'd share my findings thus
>> far in case anyone else has seen this or has any ideas for tracking the
>> problem down. Any ideas?
>
> You need to use --cap-add=SYS_TIME when running the server container
> or ntpd will fail.
Thanks for the tip. This works. It would be handy to add this to the
README for your freeipa-server container.
>
> Even if you do that, SELinux will likely prevent ntpd doing its job
> but at least it will stay around so that the client can connect to it.
>
> What is interesting though is the fact that the client hangs
> indefinitely instead of reporting that it cannot sync the time and
> proceeding.
>
I think this is simply a behavior difference between ntpdate and ntpd
(which we are using now during the client install on f21). This issue
should not be specific to using IPA in a container.
Hanging indefinitely is never a good thing, so I think it would be nice
to add a timeout in ipa-client-install in case we can't reach the server
for ntp. I have filed a ticket for this:
https://fedorahosted.org/freeipa/ticket/4842
-NGK
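An added check (not part of this thread or of the adelton/freeipa-server image) for the capability issue Jan points out: ntpd needs CAP_SYS_TIME, bit 25 of the kernel capability mask, and a container started without --cap-add=SYS_TIME does not hold it, so ntpd exits and the client keeps waiting for a time server that is no longer there. The script decodes CapEff from /proc/self/status; the sample masks are constructed from Docker's default capability set and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: test whether a process (e.g. a shell inside the
# freeipa-server container) holds CAP_SYS_TIME, which ntpd needs to
# adjust the clock. CAP_SYS_TIME is bit 25 of the kernel capability mask.
CAP_SYS_TIME_BIT=25

# cap_has MASK BIT: MASK is the hex mask as printed in /proc/PID/status
# (e.g. "00000000a80425fb"); prints yes/no and returns 0/1.
cap_has() {
    mask="$1"; bit="$2"
    if [ $(( 0x$mask >> $bit & 1 )) -eq 1 ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# effective_cap_mask [STATUS_FILE]: CapEff field of a /proc status file
# (defaults to the current process).
effective_cap_mask() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# check_sys_time [STATUS_FILE]: does that process hold CAP_SYS_TIME?
check_sys_time() {
    cap_has "$(effective_cap_mask "$1")" "$CAP_SYS_TIME_BIT"
}

# Constructed sample masks (assumption, not from the thread): Docker's
# default capability set, and the same set after --cap-add=SYS_TIME.
DOCKER_DEFAULT_CAPS=00000000a80425fb
DOCKER_WITH_SYS_TIME=00000000aa0425fb

printf 'default caps:            '; cap_has "$DOCKER_DEFAULT_CAPS"  "$CAP_SYS_TIME_BIT"
printf 'with --cap-add=SYS_TIME: '; cap_has "$DOCKER_WITH_SYS_TIME" "$CAP_SYS_TIME_BIT"
if [ -r /proc/self/status ]; then
    printf 'this process:            '; check_sys_time || true
fi
```

Run it inside the container before starting ipa-server-configure-first: "no" for this process means ntpd will not be able to do its job regardless of what systemctl reports.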