VM time server on proxmox4 step-systime problem

libes

Jun 13, 2016
hello
on proxmox3 I had a VM acting as an NTP time server with CAPABILITY="SYS_TIME:on" in the configuration file

Now on ProxMox4/LXC , I don't find where to put the same capability allowing a VM to modify its own Time
I remember that I want a VM acting as a real NTP time server (not taking its time on the HN node)

when I launch my NTP server (LXC VM)... It fails with "step-systime: Operation not permitted"

thanks for your help

ML

Jun 13 13:02:39 dhcp ntpd[1094]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jun 13 13:02:39 dhcp ntp[1078]: Starting NTP server: ntpd.
Jun 13 13:02:39 dhcp ntpd[1094]: Listen and drop on 1 v6wildcard :: UDP 123
Jun 13 13:02:39 dhcp ntpd[1094]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jun 13 13:02:39 dhcp ntpd[1094]: Listen normally on 3 eth0 139.124.2.103 UDP 123
Jun 13 13:02:39 dhcp ntpd[1094]: Listen normally on 4 lo ::1 UDP 123
Jun 13 13:02:39 dhcp ntpd[1094]: Listen normally on 5 eth0 fe80::3433:31ff:...23
Jun 13 13:02:39 dhcp ntpd[1094]: peers refreshed
Jun 13 13:02:39 dhcp ntpd[1094]: Listening on routing socket on fd #22 for ...es
Jun 13 13:02:39 dhcp systemd[1]: Started LSB: Start NTP daemon.
Jun 13 13:05:58 dhcp ntpd[1094]: step-systime: Operation not permitted
 
you can specify which capabilities to drop or keep for this container by manually editing the config file in "/etc/pve/local/lxc/" and setting "lxc.cap.keep" (see "man lxc.container.conf").

note that you need to reset the default "lxc.cap.drop" by setting it to an empty value ("lxc.cap.drop: "), and that lxc.cap.keep will drop all capabilities which are not explicitly included (whereas the default config only drops some capabilities which are potentially dangerous, including "sys_time").
 
according to what I have understood
In the config file of my VM /etc/pve/local/lxc/2100.conf , I have added
lxc.cap.drop:
lxc.cap.keep: sys_time

and then I have lost all the network... So I suppose I have dropped some network capabilities?
I have understood that lxc.cap.keep will drop all capabilities which are not explicitly included...
So now my question is where are and which are the other capabilities that I need to preserve, in order for the VM to work correctly?

the question may be summed up as how to add
lxc.cap.keep: sys_time
without breaking all the rest

thank you for more information on this capabilities management

Maurice
 
you can check "man capabilities" for a list of possible capabilities.

afaik, there are only four (exclusive) possibilities to specify capabilities for lxc containers using lxc.cap.drop and lxc.cap.keep:
  • keep all capabilities (by blanking drop and not setting keep)
  • dropping all capabilities (by blanking drop and setting keep to 'none')
  • specify a whitelist of capabilities which are kept (by blanking drop and setting keep to the whitelist) - everything else is dropped
  • specify a blacklist of capabilities which are dropped (by blanking keep and setting drop to the blacklist) - everything else is kept
you cannot set both drop and keep unless either or both are blank.
the last option is used by default in lxc, dropping these four: mac_admin mac_override sys_time sys_module

to change this behaviour for one container, you can include two additional lines in the configuration file in /etc/pve/local/lxc/XXX.conf:
Code:
lxc.cap.drop:
lxc.cap.drop: mac_admin mac_override sys_module

the first line resets the default blacklist (otherwise you would add to the existing blacklist), the second defines the new blacklist (which is the default except sys_time).

note that this is a custom configuration that is not well tested/supported by proxmox, and that you are responsible for keeping that blacklist current (e.g., when proxmox or LXC decide to extend the default blacklist for security reasons, you will need to manually update this container's configuration). another approach that is erring on the secure side would be to test which capabilities your container actually needs, blank the blacklist and include a whitelist with lxc.cap.keep - but this whitelist might also need to be tweaked in case future upgrades require capabilities that are not on it.
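
Added example, not part of the original posts: a small resolver for the lxc.cap.drop / lxc.cap.keep rules described in the reply above, run against constructed config snippets for the variants discussed in this thread. DEFAULT_DROP is the default blacklist as stated in the thread; the function names and sample strings are assumptions made for illustration.

```python
# Added example (not from the thread): resolve lxc.cap.* lines as the post describes.
# DEFAULT_DROP is the default blacklist as stated in the thread.
DEFAULT_DROP = ("mac_admin", "mac_override", "sys_time", "sys_module")

def resolve_caps(conf_text, default_drop=DEFAULT_DROP):
    """Return (mode, caps) for a Proxmox-style 'key: value' container config."""
    drop, keep, keep_seen = list(default_drop), [], False
    for raw in conf_text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or key.strip() not in ("lxc.cap.drop", "lxc.cap.keep"):
            continue
        caps = value.lower().split()
        if key.strip() == "lxc.cap.drop":
            if not caps:
                drop = []                      # blank value resets the blacklist
            drop += [c for c in caps if c not in drop]
        else:
            keep_seen = bool(caps)             # blank value clears the whitelist
            keep = keep if caps else []
            for cap in caps:
                if cap == "none":
                    keep = []                  # 'none' clears the whitelist so far
                elif cap not in keep:
                    keep.append(cap)
    if keep_seen and drop:
        return "invalid", []                   # keep and drop both non-blank
    if keep_seen:
        return ("whitelist", sorted(keep)) if keep else ("drop-all", [])
    return ("blacklist", sorted(drop)) if drop else ("keep-all", [])

def retains(conf_text, cap):
    """True if the container still holds `cap` under the resolved policy."""
    mode, caps = resolve_caps(conf_text)
    if mode == "invalid":
        raise ValueError("lxc.cap.keep set while lxc.cap.drop is not blank")
    if mode == "whitelist":
        return cap in caps
    if mode == "blacklist":
        return cap not in caps
    return mode == "keep-all"

# Constructed sample configs mirroring the variants discussed in the thread.
THREAD_FIX = "lxc.cap.drop:\nlxc.cap.drop: mac_admin mac_override sys_module\n"
NO_RESET = "lxc.cap.drop: mac_admin mac_override sys_module\n"
KEEP_ONLY = "lxc.cap.drop:\nlxc.cap.keep: sys_time\n"

if __name__ == "__main__":
    for name, conf in [("fix", THREAD_FIX), ("no reset", NO_RESET), ("keep only", KEEP_ONLY)]:
        print(name, resolve_caps(conf), "sys_time:", retains(conf, "sys_time"),
              "net_admin:", retains(conf, "net_admin"))
```

Without the blank reset line the new blacklist is appended to the default, so sys_time stays dropped; with a whitelist of only sys_time, every other capability listed in "man capabilities" (net_admin is used here as one example) is gone.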
 
Greaaaat it works
thank you
I was trying the opposite, I mean trying to make a white list with lxc.cap.keep but it didn't work correctly

I find these lxc capabilities rather complicated, based on white and black capabilities lists! Indeed, rare are those who know (except you)
the exact use and impact of these kernel capabilities... I have to work on this

bye
M
 
