How to Fix “date: cannot set date: Operation not permitted” in OpenVZ Containers


6 views

When working with OpenVZ containers, you might encounter the frustrating "Operation not permitted" error when trying to adjust system time. This occurs because OpenVZ containers share the host's kernel and don't have direct access to hardware clock functions.

Both ntpdate and manual date commands attempt to modify the system clock directly, which isn't allowed in containerized environments:

# These will fail in OpenVZ:
ntpdate pool.ntp.org
date MMDDhhmmYYYY

Here are the proper approaches to handle time in OpenVZ:

1. Using the Host System's Time

The simplest solution is to sync with the host's time:

vzctl set CTID --capability sys_time:on --save
vzctl exec CTID "ln -sf /usr/share/zoneinfo/Region/City /etc/localtime"

2. Alternative NTP Implementation

Use ntpd with the -x flag for gradual adjustment:

yum install ntp
service ntpd start
chkconfig ntpd on

Then configure /etc/ntp.conf with:

server pool.ntp.org iburst
tinker step 0.1

3. Manual Time Adjustment via Host

If you must set time manually, do it from the host:

vzctl set CTID --capability sys_time:on --save
vzctl exec CTID "date -s 'YYYY-MM-DD hh:mm:ss'"
  • Always keep the host system time accurate
  • Regularly check for time drift in containers
  • Consider using chrony as an alternative to ntpd
  • For production systems, implement monitoring for time synchronization

If time still won't sync properly:

# Check current capabilities:
vzctl exec CTID cat /proc/self/status | grep Cap

# Verify NTP service status:
vzctl exec CTID service ntpd status

# Check timezone configuration:
vzctl exec CTID ls -l /etc/localtime

When working with OpenVZ containers, you'll frequently encounter permission issues when trying to modify system time. This is fundamentally different from physical servers or full virtualization solutions like KVM. The error manifests in two common scenarios:

# When using ntpdate:
ntpdate pool.ntp.org
18 May 15:29:21 ntpdate[15477]: step-systime: Operation not permitted

# When setting manually:
date 051822172013
date: cannot set date: Operation not permitted

OpenVZ uses a shared kernel architecture where all containers on a physical host share the same kernel. This means:

  • Time synchronization must be handled at the host (hardware node) level
  • Containers inherit the host's time settings
  • Direct time modification commands are intentionally restricted

Solution 1: Sync Through the Host
The correct approach is to configure NTP on the hardware node:

# On the host server (NOT container):
yum install ntp
chkconfig ntpd on
service ntpd start

Solution 2: Alternative Container Methods
For containers, you can use these workarounds:

# 1. Using OpenVZ's time management:
vzctl set CTID --capability sys_time:on --save

# 2. Alternative time sync method:
yum install rdate
rdate -s time.nist.gov

While you can't change system time, timezone configuration is permitted:

rm -f /etc/localtime
ln -s /usr/share/zoneinfo/America/New_York /etc/localtime
  • Always verify time settings from the host: vzctl exec CTID date
  • Check capability settings: vzctl exec CTID cat /proc/self/status | grep Cap
  • For critical time-sensitive applications, consider migrating to KVM