ntpd in systemd-nspawn

0 votes
1 answer
818 views
I'm playing with containerizing various parts of my server infrastructure, and one of the services I would like to run in a container is the ntp daemon. I'm using systemd-nspawn (systemd 233) as a hypervisor as well as the init process inside of the containers. The ntpd version is 4.2.8p10. Every time I try to start ntpd inside of a container it crashes with a cap_set_proc() "operation not permitted" error:

21 Oct 11:10:23 ntpd: ntpd 4.2.8p10@1.3728 Fri Oct 20 23:28:39 UTC 2017 (1): Starting
21 Oct 11:10:23 ntpd: Command line: ntpd -g -n -u ntp:ntp
21 Oct 11:10:23 ntpd: Cannot set RLIMIT_MEMLOCK: Operation not permitted
21 Oct 11:10:23 ntpd: proto: precision = 0.335 usec (-21)
21 Oct 11:10:23 ntpd: Listen normally on 0 v4wildcard 0.0.0.0:123
21 Oct 11:10:23 ntpd: Listen normally on 1 lo 127.0.0.1:123
21 Oct 11:10:23 ntpd: Listening on routing socket on fd #18 for interface updates
21 Oct 11:10:23 ntpd: mlockall(): Cannot allocate memory
21 Oct 11:10:23 ntpd: start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation not permitted
21 Oct 11:10:23 ntpd: set_freq: ntp_loopfilter.c line 1082: ntp_adjtime: Operation not permitted
21 Oct 11:10:23 ntpd: cap_set_proc() failed to drop root privs: Operation not permitted

What I have tried so far:

1. Building ntpd without capabilities enabled - it starts properly, but still has the same ntp_adjtime syscall permission issues.
2. Running systemd-nspawn with --private-users=0 and without --private-users at all.
3. Playing with capabilities for systemd-nspawn itself (mainly CAP_SYS_TIME and CAP_NET_BIND_SERVICE).
4. Playing with capabilities for ntpd inside of the container.

All this gave no positive results and I wonder what I am missing. Any ideas will be greatly appreciated.
Asked by Garry (301 rep)
Oct 21, 2017, 01:17 AM
Last activity: Oct 28, 2024, 04:26 PM
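The three "Operation not permitted" failures in the log above each map to a Linux capability, so a first diagnostic step is to decode the capability sets the container process actually holds and to check whether it sits in a child user namespace, where CAP_SYS_TIME does not authorise adjtimex() on the host clock. The script below is an added example, not part of the question or of ntpd/systemd; it reads /proc/<pid>/status and /proc/<pid>/uid_map (the capability bit numbers come from linux/capability.h).

```python
import sys

# Capability names indexed by bit number (linux/capability.h).
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
)
# Capabilities behind the three failing operations in the ntpd log.
NTPD_NEEDS = {"CAP_NET_BIND_SERVICE": "bind udp/123",
              "CAP_IPC_LOCK": "RLIMIT_MEMLOCK / mlockall()",
              "CAP_SYS_TIME": "ntp_adjtime() / adjtimex()"}

def decode_caps(mask_hex):
    """Turn a CapXxx hex mask from /proc/<pid>/status into a set of names."""
    mask = int(mask_hex, 16)
    return {CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1}

def parse_status(text):
    """Return {'CapEff': {...}, 'CapBnd': {...}, ...} from a status file body."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            sets[key] = decode_caps(value.strip())
    return sets

def in_child_userns(uid_map):
    """True unless uid_map is the identity map of the initial user namespace."""
    return uid_map.split() != ["0", "0", "4294967295"]

def report(status_text, uid_map_text):
    """Capabilities ntpd needs that are missing from CapEff or CapBnd, plus namespace info."""
    caps = parse_status(status_text)
    eff, bnd = caps.get("CapEff", set()), caps.get("CapBnd", set())
    missing = {c: why for c, why in NTPD_NEEDS.items() if c not in eff or c not in bnd}
    return {"missing": missing, "child_userns": in_child_userns(uid_map_text)}

if __name__ == "__main__":  # usage: python3 capcheck.py [pid]  (run inside the container)
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as f, open(f"/proc/{pid}/uid_map") as m:
        r = report(f.read(), m.read())
    for cap, why in r["missing"].items():
        print(f"{cap} missing from effective or bounding set: needed for {why}")
    if r["child_userns"]:
        print("child user namespace: CAP_SYS_TIME here does not permit adjtimex() on the host clock")
```

A process that shows CAP_SYS_TIME in both sets but still gets EPERM from ntp_adjtime is the user-namespace case, which is what --private-users creates.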