OpenVZ Forum


Time inside container [message #51042] Mon, 06 January 2014 22:26
ilou
I am new here, Hi to all.

I've got some OpenVZ VPS from some hosting provider.

The time was out by 2 hours, even though I did set the proper timezone from inside the container.

I contacted the support.

The answer was they need to run some cronjob (that they trigger twice a day) to sync the VMs to the hardware node. Indeed this is supposed to be required in case the VM has been rebooted or reinstalled, according to the support.

Is that the way it has to be done?

My understanding was rather that in any case the container time was locked to the node time that it receives from it no matter what (reboot or reinstall)?

I don't get the reason why the node would require some cron task to put things back in sync.
To me the HN would just need proper time (i.e. ntpd)

Or am I missing something?

Thanks in advance for any clarification.
Re: Time inside container [message #51049 is a reply to message #51042] Sun, 12 January 2014 10:31
dipps
The container and the HN share the same kernel. I would have thought that kernel time in the container would track kernel time in the HN. Isn't that how it works?
Re: Time inside container [message #51050 is a reply to message #51049] Sun, 12 January 2014 12:49
ilou
dipps wrote on Sun, 12 January 2014 05:31
I would have thought that kernel time in the container would track kernel time in the HN. Isn't that how it works?


Yes that is pretty much the way I understand it as well ... hence my OP: why would some kind of cron task be run in order to resync the container in case it'd lost the "master clock"?

... or would that mean that in this case it is the HN that hasn't proper time?
Maybe the provider doesn't run ntpd on the HN or runs different hosting services on the same HN, which prevents him from having things set up this way? I haven't got a clue at this point.

I am just trying to understand the proper way it should be done so that I can discuss with the provider with a better understanding of this all.
Re: Time inside container [message #51051 is a reply to message #51050] Sun, 12 January 2014 13:49
dipps
There's a section "Changing System Time from VPS" in the OpenVZ Users Guide. It recommends running ntpd in one container, then giving this container capability sys_time so it can set the time for the HN. And presumably the other containers.

Is anyone able to confirm that container time is based on HN time?
Re: Time inside container [message #51066 is a reply to message #51042] Wed, 15 January 2014 19:09
Paparaciz
Hi,
Probably the time is wrong in the HN, and the hoster has to ensure that the time in the HN is right.
In the CT you only have to set the proper timezone.

Running ntpd in a CT will not help even with the sys_time capability. A few years ago I tried, but after ~1 min the time in the CT changes back to HN time. Dunno how this works today, but anyway this is the wrong way to go.
Re: Time inside container [message #51242 is a reply to message #51066] Tue, 18 March 2014 08:38
dipps
This seems to be working for me:

HN: CentOS 6.4, 2.6.32-042stab078.28
Container: Debian 7.4

Container has --capability sys_time:on and runs openntpd - I don't need all of xntpd. It's keeping in sync and the CT updates time on the HN.

The HN time was pretty close to start with, so to tell if it was working, I manually set it a minute wrong. 2 days later it was in sync again.

Paparaciz, interested why you think this is the wrong way to go. So far it does all I need.
Re: Time inside container [message #51244 is a reply to message #51042] Tue, 18 March 2014 09:18
Paparaciz
Hi dipps,
Don't remember the exact details, but as I said:

Running ntpd in a CT will not help even with the sys_time capability. A few years ago I tried, but after ~1 min the time in the CT changes back to HN time. Dunno how this works today.

It is the wrong way because time sync should be done in the HN, not in the CT.
Re: Time inside container [message #51245 is a reply to message #51244] Tue, 18 March 2014 11:38
dipps
Paparaciz wrote on Tue, 18 March 2014 19:48
.. dunno how this works today.


Looks OK so far! (as the falling man said before he hit the ground)

Paparaciz wrote
it is wrong way because time sync should be done in HN, not in CT.


I would like to run as little in the HN as possible, for security reasons. The full xntpd seems a pretty big deal. openntpd seems more lightweight, but I still like restricting it to a CT.

[Updated on: Tue, 18 March 2014 11:39]

Re: Time inside container [message #51246 is a reply to message #51042] Fri, 21 March 2014 14:26
blahugo@yahoo.de
It is possible to run ntpd inside a container and sync the HN.
This is our standard setup.

You'll have to grant the container the capability sys_time.

# vzctl set VEID --capability sys_time:on --save

And configure your ntpd inside the container to sync the hardware clock.
On RHEL-based systems for example:
# /etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"

# Set to 'yes' to sync hw clock after successful ntpdate.
SYNC_HWCLOCK=yes

Look out for your Debian config file.

On RHEL6-based systems this is caused by the compile flag
CONFIG_SECURITY_FILE_CAPABILITIES=y.

Find this on the HN:
grep CAPABILITIES /boot/config-$(uname -r)

Hope this helps.

regards,
blahugo
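
A host-side check for the setup discussed in this thread, as an added example that is not part of any post: since a container with sys_time can change the clock the node and every other container share, it lists which containers hold that grant and flags any besides the approved time-sync container. It assumes vzctl stores the grant as a `CAPABILITY="SYS_TIME:on"` line in `/etc/vz/conf/<CTID>.conf`; the function names, CTIDs and sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list the containers that may set the
# kernel clock they share with the hardware node.
CAP_SYS_TIME_BIT=25   # CAP_SYS_TIME in <linux/capability.h>

# has_sys_time HEXMASK: succeeds if bit 25 is set in a CapEff/CapBnd value
# as shown by `grep Cap /proc/self/status` inside a container.
has_sys_time() {
    [ $(( (0x$1 >> CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# sys_time_cts DIR: print the CTID of each DIR/<CTID>.conf that grants SYS_TIME.
# Assumption: the grant is stored as CAPABILITY="... SYS_TIME:on ..." and the
# last CAPABILITY= line in the file is the effective one.
sys_time_cts() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        line=$(grep -i '^[[:space:]]*CAPABILITY=' "$conf" | tail -n 1)
        case $(printf '%s' "$line" | tr 'A-Z' 'a-z') in
            *sys_time:on*) basename "$conf" .conf ;;
        esac
    done
}

# unexpected_sys_time DIR APPROVED_CTID: grants other than the approved one.
unexpected_sys_time() {
    sys_time_cts "$1" | grep -v -x -F -- "$2" || true
}

# Constructed sample configs standing in for /etc/vz/conf on a real node.
make_sample_confs() {
    d=$(mktemp -d)
    printf 'HOSTNAME="ntp"\nCAPABILITY="SYS_TIME:on"\n' > "$d/101.conf"
    printf 'HOSTNAME="web"\n' > "$d/102.conf"
    printf 'HOSTNAME="db"\nCAPABILITY="NET_ADMIN:on SYS_TIME:on"\n' > "$d/103.conf"
    echo "$d"
}

dir=$(make_sample_confs)
echo "sys_time granted to: $(sys_time_cts "$dir" | tr '\n' ' ')"
echo "not approved (only 101 is): $(unexpected_sys_time "$dir" 101)"
rm -rf "$dir"
```

On a real node, pass `/etc/vz/conf` and the CTID of the time-sync container instead of the sample directory.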