On 02/20/2018 01:42 AM, Richard Laager wrote:
> I think you'd be better off either granting CAP_SYS_TIME to your
> container and running ntpd normally (only in the container), or running
> it normally from the host. If you're able to test the former, I'm happy
> to lift the ConditionVirtualization=!container restriction on
> ntp.service and ntp-wait.service (and would probably submit that
> upstream too).
I was able to test removing ConditionVirtualization=!container, which allows ntpd to work in a *privileged* container with CAP_SYS_TIME. This leaves ConditionCapability=CAP_SYS_TIME, which is also the approach used by chrony.service. Thus, running in an *unprivileged* container is still blocked.

--
Richard
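As an added illustration (not part of the thread above, and not the packaged unit file), here is a local systemd drop-in that reproduces the tested change without editing the shipped ntp.service: it drops the !container restriction while keeping the CAP_SYS_TIME condition. The path /etc/systemd/system/ntp.service.d/ is the standard drop-in location assumed here; note that assigning the empty string to any Condition*= setting resets all conditions on the unit, so the capability condition has to be restated.

```ini
# /etc/systemd/system/ntp.service.d/container.conf  (assumed path; drop-in
# override, applied with: systemctl daemon-reload && systemctl restart ntp)
[Unit]
# Empty assignment clears every Condition*= inherited from the shipped unit,
# including ConditionVirtualization=!container.
ConditionVirtualization=
# Restate the capability gate so ntpd still refuses to start where it cannot
# set the clock (e.g. an unprivileged container without CAP_SYS_TIME).
ConditionCapability=CAP_SYS_TIME
```

Verify the effective conditions with `systemctl show -p ConditionVirtualization -p ConditionCapability ntp.service`; a unit whose condition fails shows as inactive with "Condition check resulted in ... being skipped" rather than failed.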

