fatal: unable to access error:0D0D90AD:asn1 encodi

fatal: unable to access 'https://github.com/xuedingmiaojun/wxappUnpacker': error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time

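I ran into this problem running Docker on a Raspberry Pi 3B+ (the CPU is armv7 architecture). Few people have probably hit it, because searching online turns up very little information. It tormented me for several days.

The problem is caused by the alpine 3.13 image (3.12 has no problem).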

docker container run --rm -it alpine:3.13 sh
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: clock_gettime(MONOTONIC) failed
/ # nslookup www.baidu.com
nslookup: clock_gettime(MONOTONIC) failed

docker container run --rm -it --privileged alpine:3.13 sh
/ # nslookup www.baidu.com
Server:     8.8.8.8
Address:    8.8.8.8:53

Non-authoritative answer:
Name:   www.baidu.com
Address: 220.181.38.148

Non-authoritative answer:
Name:   www.baidu.com
Address: 2a00:1450:4005:80b::2003

The root cause is a security feature that Docker added starting with version 1.10 (--security-opt seccomp=/path/to/seccomp/profile.json). I am still not sure which system call in the alpine image is being blocked (I suspect clock_settime

Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access.
This feature is available only if Docker has been built with seccomp and the kernel is configured with CONFIG_SECCOMP enabled. To check if your kernel supports seccomp:

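Solutions:

  1. Change the version in the Dockerfile to pull alpine:3.12 explicitly, then build the image and container again.
  2. Turn off the seccomp configuration entirely
    docker run -it --rm --security-opt seccomp=unconfined alpine:3.13 ping www.google.de
  3. Determine which system call is causing it, then add it explicitly using docker run --cap-add=SYS_PTRACE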
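
A narrower alternative to seccomp=unconfined (which removes syscall filtering altogether) is to audit the profile for the suspected syscalls and allow only the ones it blocks. The sketch below is an added example, not code from the original post or from Docker. Assumptions: the profile is a constructed sample in Docker's profile JSON format, the function names are hypothetical, and clock_gettime64 (the 64-bit-time variant a time64 libc calls on 32-bit ARM) is an assumed candidate next to the two names that appear on this page.

```python
import copy
import json

# Constructed sample in Docker's seccomp profile format (not Docker's real default).
SAMPLE_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_ARM"],
  "syscalls": [
    {"names": ["read", "write", "clock_gettime"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clock_settime"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_TIME"]}},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]}
  ]
}""")

def verdict(profile, syscall):
    """Classify one syscall as 'allow', 'conditional' or 'blocked'.
    Assumes an allow-list profile (defaultAction denies), like the sample."""
    result = "blocked"
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule.get("name")]  # older profiles use "name"
        if syscall not in names or rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # Argument filters and capability/arch conditions make a rule apply only sometimes.
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            result = "conditional"
        else:
            return "allow"
    return result

def audit(profile, candidates):
    """Map each candidate syscall name to its verdict."""
    return {name: verdict(profile, name) for name in candidates}

def allow_extra(profile, names):
    """Return a copy of the profile with one unconditional allow rule appended."""
    patched = copy.deepcopy(profile)
    patched.setdefault("syscalls", []).append(
        {"names": sorted(names), "action": "SCMP_ACT_ALLOW"})
    return patched

if __name__ == "__main__":
    candidates = ["clock_gettime", "clock_settime", "clock_gettime64"]
    report = audit(SAMPLE_PROFILE, candidates)
    print(report)
    # Only fully blocked names are added; capability-gated ones keep their condition.
    blocked = [name for name, v in report.items() if v == "blocked"]
    print(json.dumps(allow_extra(SAMPLE_PROFILE, blocked), indent=2))
```

Save the printed profile to a file and pass it with --security-opt seccomp=/path/to/seccomp/profile.json in place of seccomp=unconfined.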

References:
alpine 3.13, armv7 network-access seems to be broken
Seccomp security profiles for Docker
Docker: solving the problem that jmap and other JDK commands cannot be used inside an openjdk container

