On 01/15/2015 12:01 AM, Jan Pazdziora wrote:
> On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote:
>> Hi,
>>
>> I'm running into a strange problem related to ntpd when trying to use
>> IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and
>> adelton/freeipa-client:fedora-21 docker images. Basically, the client
>> install hangs when it runs ntpd. This is reproducible on two different
>> docker hosts of mine, so it will probably easily reproduce for others as
>
> [...]
>
>> The /sbin/ipa-server-configure-first entrypoint script for the server
>> image does a 'systemctl start-enabled' to bring up all of the services,
>> which results in this output in /var/log/systemctl.log:
>>
>> --------------------------------------------------------------------
>> [start-enabled]
>> [start ntpd.service]
>> Running [export OPTIONS="-g -x"; /usr/sbin/ntpd -u ntp:ntp $OPTIONS]
>> Marked pid [15] for [ntpd.service]
>> Marked process name [/usr/sbin/ntpd] for [ntpd.service]
>> ...
>> --------------------------------------------------------------------
>>
>> This is the same log output that is generated if I manually run
>> 'systemctl start ntpd.service' from within the container, but the ntpd
>> process stays around when I start it this way. It's hard to tell what
>> might be happening to ntpd, as there is no journal in the container.
>>
>> I'm continuing to debug this, but I thought I'd share my findings thus
>> far in case anyone else has seen this or has any ideas for tracking the
>> problem down. Any ideas?
>
> You need to use --cap-add=SYS_TIME when running the server container
> or ntpd will fail.

Thanks for the tip. This works. It would be handy to add this to the
README for your freeipa-server container.

> Even if you do that, SELinux will likely prevent ntpd doing its job
> but at least it will stay around so that the client can connect to it.
>
> What is interesting though is the fact that the client hangs
> indefinitely instead of reporting that it cannot sync the time and
> proceeding.

I think this is simply a behavior difference between ntpdate and ntpd
(which we are using now during the client install on f21). This issue
should not be specific to using IPA in a container. Hanging indefinitely
is never a good thing, so I think it would be nice to add a timeout in
ipa-client-install in case we can't reach the server for ntp. I have
filed a ticket for this:

https://fedorahosted.org/freeipa/ticket/4842

-NGK
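A diagnostic added here as an example (not code from the thread or from the FreeIPA project): it checks the effective capability set for CAP_SYS_TIME, which is what --cap-add=SYS_TIME grants and what ntpd needs to adjust the clock, and bounds the wait on a one-shot sync so a client that cannot reach its server fails instead of hanging. It assumes the capability number 25 for CAP_SYS_TIME from linux/capability.h, GNU coreutils timeout, and servers configured in /etc/ntp.conf; the sync wrapper is illustrative and is not what ipa-client-install runs.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# ntpd needs CAP_SYS_TIME to step or slew the clock; without it the daemon
# exits shortly after start, which is what the thread diagnoses. Check the
# effective capability set before starting it, and bound the wait on a
# one-shot sync so a client that cannot reach its server fails instead of
# hanging indefinitely.

CAP_SYS_TIME_BIT=25   # capability number of CAP_SYS_TIME (linux/capability.h)

# cap_in_mask BIT HEXMASK: succeed if bit BIT is set in a CapEff-style hex
# mask (the value shown in /proc/<pid>/status, e.g. 00000000a80425fb).
cap_in_mask() {
    [ "$(( (0x$2 >> $1) & 1 ))" -eq 1 ]
}

# current_cap_eff: print the effective capability mask of this process.
current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# has_cap_sys_time: succeed if this process may set the system clock.
has_cap_sys_time() {
    mask=$(current_cap_eff)
    [ -n "$mask" ] || return 1            # no CapEff line: treat as absent
    cap_in_mask "$CAP_SYS_TIME_BIT" "$mask"
}

# ntp_sync_bounded [SECONDS]: one-shot sync (ntpd -q -g, servers taken from
# /etc/ntp.conf) limited by GNU coreutils 'timeout'. Returns 2 when the
# capability is missing, 124 when the limit is hit (timeout's own code).
# Assumes ntpd and timeout are installed; illustrative only.
ntp_sync_bounded() {
    limit="${1:-30}"
    if ! has_cap_sys_time; then
        echo "CAP_SYS_TIME missing: start the container with --cap-add=SYS_TIME" >&2
        return 2
    fi
    timeout "$limit" ntpd -q -g
}

# Report the state of this container or host (only where /proc is available).
if [ -r /proc/self/status ]; then
    if has_cap_sys_time; then
        echo "CAP_SYS_TIME present: ntpd can adjust the clock"
    else
        echo "CAP_SYS_TIME absent: ntpd will fail; use --cap-add=SYS_TIME" >&2
    fi
fi
```

The masks 00000000a80425fb and 00000000aa0425fb are the constructed CapEff values of a default Docker container without and with --cap-add=SYS_TIME; the second differs from the first only in bit 25.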