Needing NTP in unprivileged Container

For security reasons there is only 1 container allowed to speak to the outside world, even the host system has no access other than this one container.

This container, called net, is unprivileged, but it needs to have NTP running on it. Because it is unprivileged it is not allowed to adjust the clock; I'm getting the error "ntp_adjtime: Operation not permitted".

Is there any way that I can have the container have permission to adjust the clock while staying unprivileged?

Or, to put it another way, is there a way to have an unprivileged container run a fully functional NTP service?

Unfortunately, no: unprivileged users, which includes root inside an unprivileged container, are not allowed to mess with system time.

This isn't a constraint that LXD itself applies, so it's not something which can be relaxed from userspace; it's a hard kernel restriction.
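To see that kernel restriction directly from inside a container, here is a small added C probe (not code from this thread or from LXD; it assumes a Linux host with the libc `adjtimex` wrapper). It never changes the clock: the kernel checks CAP_SYS_TIME before it validates the requested values, so an impossible tick length is answered with EPERM where adjustment is denied and EINVAL where it would have been allowed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/* Ask the kernel to set an impossible tick length. Linux rejects the
 * request with EPERM when the caller lacks CAP_SYS_TIME in the initial
 * user namespace (root in an unprivileged container) and with EINVAL
 * otherwise, so nothing is ever applied. Returns errno, or 0 if the
 * request was unexpectedly accepted. */
int probe_clock_adjust(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = ADJ_TICK;
    tx.tick = 0;            /* valid range is roughly 9000..11000 us */
    if (adjtimex(&tx) == -1)
        return errno;
    return 0;
}

/* 1 = adjustment allowed, 0 = denied (the ntp_adjtime EPERM case),
 * -1 = undetermined (e.g. adjtimex filtered out by a sandbox). */
int clock_adjust_permitted(void)
{
    int err = probe_clock_adjust();
    if (err == EINVAL)
        return 1;
    if (err == EPERM)
        return 0;
    return -1;
}

/* A read-only query (modes == 0) needs no privilege, which is why an NTP
 * client can still observe the clock inside the container; only steering
 * it fails. */
int clock_status_readable(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    return adjtimex(&tx) != -1;
}

int main(void)
{
    switch (clock_adjust_permitted()) {
    case 1:  puts("clock adjustment permitted (CAP_SYS_TIME held)"); break;
    case 0:  puts("clock adjustment denied: ntp_adjtime would get EPERM"); break;
    default: printf("undetermined: adjtimex errno %d\n", probe_clock_adjust());
    }
    printf("read-only clock status: %s\n",
           clock_status_readable() ? "readable" : "unavailable");
    return 0;
}
```

Run it as root inside the net container and on the host to compare the verdicts.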
