The title makes it sound like this article is a bug report. However, this article is a mere summary of an effect I have observed when time zones are not set correctly in a docker container. It’s not a bug, it is a misconfiguration.
My setup was as follows. I have a public-network-facing application in a docker container. Users need to authenticate by public key before they can use the service. If authentication fails, the occurrence is logged in a text file. Outside the docker container, on the host system, I use fail2ban to block random brute force attacks, in order to avoid cluttering log files and draining resources. The log file from the dockerized application lives on a mounted volume, such that fail2ban can monitor its contents from outside. So far so good.
The system worked as expected. If a user accumulated too many failed attempts in the last 10 minutes, the user's IP address was blacklisted for a certain amount of time. Due to my obsession with tests, I even went so far as to set up test jobs, executed once per day, to check that the host refuses to reply after a certain number of failed attempts.
At some point, the tests started failing. Users were not blocked anymore, regardless of the number of failed attempts. What had happened?
The issue was that the relative time zone between the container and the host had changed. One of the systems switched between daylight-saving time and standard time while the other didn't. The time label in the log file was in a human-readable format without time zone information. This means that any failed attempt was logged with the time from within the container. Fail2ban parsed these new entries in the log file assuming the time zone of the host system. Therefore, fail2ban determined that the failed authentication attempts had occurred one hour ago. Offenders are unblocked within the hour after they have been blocked. Consequently, fail2ban ignored these entries because it assumed that the offenders had been vindicated already.
The conclusion of this article is that one should pay attention to the time zone configuration inside the containers and on the host systems AND design the log file format such that the time labels are universal, i.e. in UTC, as UNIX time stamps, or in ISO format with time zone information.
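The effect described above can be reproduced with a small model. This is an added example, not code from the original setup and not fail2ban's implementation: the UTC offsets, the sample events and all function names are constructed, and the window check is a simplified stand-in for the 10-minute window.

```python
from datetime import datetime, timedelta, timezone

# Constructed offsets: container on standard time, host still on daylight-saving time.
CONTAINER_TZ = timezone(timedelta(hours=1))
HOST_TZ = timezone(timedelta(hours=2))
FINDTIME = timedelta(minutes=10)  # the 10-minute window from the article


def log_stamp(event_utc, with_offset):
    """Time label as the containerized application writes it."""
    local = event_utc.astimezone(CONTAINER_TZ)
    if with_offset:
        return local.isoformat(timespec="seconds")   # 2023-11-01T12:05:00+01:00
    return local.strftime("%Y-%m-%d %H:%M:%S")       # 2023-11-01 12:05:00


def host_parse(stamp):
    """Host-side parse: honour an explicit offset, else assume the host zone."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=HOST_TZ)
    return parsed.astimezone(timezone.utc)


def counted_failures(stamps, now_utc):
    """Entries the host still places inside the 10-minute window."""
    return sum(1 for s in stamps
               if timedelta(0) <= now_utc - host_parse(s) <= FINDTIME)


def demo():
    # Constructed sample: five failed logins, 30 s apart, ending "now".
    now = datetime(2023, 11, 1, 11, 5, 0, tzinfo=timezone.utc)
    events = [now - timedelta(seconds=30 * i) for i in range(5)]
    naive = [log_stamp(e, with_offset=False) for e in events]
    aware = [log_stamp(e, with_offset=True) for e in events]
    skew = events[0] - host_parse(naive[0])
    return skew, counted_failures(naive, now), counted_failures(aware, now)


if __name__ == "__main__":
    skew, naive_hits, aware_hits = demo()
    print(f"apparent age of a fresh entry: {skew}")
    print(f"failures counted, label without zone: {naive_hits}")
    print(f"failures counted, label with offset:  {aware_hits}")
```

With the zone-less label every fresh failure appears one hour old and none is counted; with the offset in the label all five are counted, whatever zone the host is in.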