[PVE-User] PVE 5.2, time sync, container...
Marco Gaiarin
2018-05-21 10:49:05 UTC
I'm setting up a set of PVE hosts, all with a Samba AD DC container
that also comes with an NTP server (ntpd).

Most of those servers get installed in places where there's just an NTP
''network'' (based on physical or P2V machines), and I'm using mostly
PVE 4.4, so probably I've never hit that trouble.

Now I've added a new node/site, where I've put a single PVE 5.2 node,
and my Samba AD DC container that acts as NTP server for that site.

I've found that the container takes its time from the host (which is
reasonable), but it seems that an NTP server running in a container cannot
modify the local time, and sooner or later will crash.

Apart from the ''bootstrap'' problem (a host that syncs time to a container
that has the same time as the host; I need to revise my NTP network...
;-), looking on Google I've found this, relating to old containers:

https://forum.proxmox.com/threads/ntp-and-containers.10258/

How can I enable NTP ''safely'' on a container? Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marco Baldini - H.S. Amiata
2018-05-22 06:17:21 UTC
Hi.

Just install a little VM with an NTP server (I use chrony) and sync hosts
with that. I went this route about two years ago and have had no problems
since then.

Have a nice day
--
*Marco Baldini*
*H.S. Amiata Srl*
Office: 0577-779396
Mobile: 335-8765169
WEB: www.hsamiata.it <https://www.hsamiata.it>
EMAIL: ***@hsamiata.it <mailto:***@hsamiata.it>
Marco Gaiarin
2018-05-22 14:49:26 UTC
Hello! Marco Baldini - H.S. Amiata
On that day it was said...
Post by Marco Baldini - H.S. Amiata
Just install a little VM with an NTP server (I use chrony) and sync hosts
with that. I went this route about two years ago and had no problem since
then
After googling a bit better than yesterday, I've done:

***@clerk:~# lxc-info -n 100 -c lxc.cap.drop
lxc.cap.drop = mac_admin
mac_override
sys_time
sys_module
sys_rawio

and so I've added to /etc/pve/lxc/100.conf:

lxc.cap.drop:
lxc.cap.drop: mac_admin mac_override sys_module sys_rawio

and now:

***@clerk:~# lxc-info -n 100 -c lxc.cap.drop
lxc.cap.drop = mac_admin
mac_override
sys_module
sys_rawio

So now I can run NTP on my container, provided, probably, that it is the
only container with cap 'sys_time' enabled.


Clearly I can run NTP on the host, or in a VM, but an AD DC mandates
the presence of an NTP server, and probably having an NTP server that,
if needed, cannot write to the HW clock, could be a source of trouble...
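The last post relies on container 100 being the only one that keeps 'sys_time'. The script below is an added example (not code from the thread or from Proxmox) that checks this by replaying the lxc.cap.drop lines of each file in /etc/pve/lxc. It assumes the default drop list is the one lxc-info printed in the post, that an empty "lxc.cap.drop:" line clears the list as the post's result shows, and that "[name]" lines start snapshot sections that are not part of the live config.

```python
#!/usr/bin/env python3
"""List Proxmox LXC containers whose config leaves CAP_SYS_TIME available."""
import glob
import os

# Default drop list as printed by lxc-info in the post above (assumed to be
# the baseline for every container before its own .conf is applied).
DEFAULT_DROP = ["mac_admin", "mac_override", "sys_time", "sys_module", "sys_rawio"]


def effective_cap_drop(conf_text, defaults=DEFAULT_DROP):
    """Apply lxc.cap.drop lines in order: empty value clears, others append."""
    dropped = list(defaults)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):        # assumed snapshot section: stop here
            break
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or key.strip() != "lxc.cap.drop":
            continue
        caps = value.lower().split()
        if not caps:
            dropped = []                # "lxc.cap.drop:" resets the list
        for cap in caps:
            if cap not in dropped:
                dropped.append(cap)
    return dropped


def keeps_sys_time(conf_text):
    """True when sys_time is absent from the effective drop list."""
    return "sys_time" not in effective_cap_drop(conf_text)


def audit(conf_dir="/etc/pve/lxc"):
    """Return the sorted IDs of containers that keep sys_time."""
    hits = []
    for path in glob.glob(os.path.join(conf_dir, "*.conf")):
        with open(path, encoding="utf-8") as fh:
            if keeps_sys_time(fh.read()):
                hits.append(os.path.splitext(os.path.basename(path))[0])
    return sorted(hits)


if __name__ == "__main__":
    for vmid in audit():
        print(f"CT {vmid}: sys_time is not dropped")
```

Run on the PVE host, it should list only the container that is meant to serve NTP; any other ID in the output is a container that can also change the clock it shares with the host.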