fatal: unable to access error:0D0D90AD:asn1 encodi

fatal: unable to access 'https://github.com/xuedingmiaojun/wxappUnpacker': error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time

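I ran into this problem running Docker on a Raspberry Pi 3B+ (the CPU is armv7 architecture). Few people have probably hit it, because there is very little information about it online. It tormented me for several days.

The problem is caused by the alpine 3.13 image (3.12 is fine).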

docker container run --rm -it alpine:3.13 sh
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: clock_gettime(MONOTONIC) failed
/ # nslookup www.baidu.com
nslookup: clock_gettime(MONOTONIC) failed
docker container run --rm -it --privileged alpine:3.13 sh
/ # nslookup www.baidu.com
Server:     8.8.8.8
Address:    8.8.8.8:53

Non-authoritative answer:
Name:   www.baidu.com
Address: 220.181.38.148

Non-authoritative answer:
Name:   www.baidu.com
Address: 2a00:1450:4005:80b::2003

The root cause is the security feature Docker has included since version 1.10 (--security-opt seccomp=/path/to/seccomp/profile.json). I am not yet sure which system call in the alpine image is being blocked (I suspect clock_settime

Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access.
This feature is available only if Docker has been built with seccomp and the kernel is configured with CONFIG_SECCOMP enabled. To check if your kernel supports seccomp:

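Solutions:

  1. Change the version in the Dockerfile to pull alpine:3.12, then build the image and container again.
  2. Turn the seccomp configuration off entirely
    docker run -it --rm --security-opt seccomp=unconfined alpine:3.13 ping www.google.de
  3. Determine which system call is responsible, then use docker run --cap-add=SYS_PTRACE to add it explicitly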
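
Option 2 removes the whole syscall filter. A narrower route for option 3 is to pass a profile through the --security-opt seccomp=/path/to/seccomp/profile.json flag mentioned above that allows only the missing call. The sketch below is an added example, not code from the original post or from Docker: the function names, the constructed sample profile, the output file name profile.json and the syscall name clock_gettime64 are assumptions, so substitute the syscall you actually identify.

```python
import copy
import json

# Constructed sample in the layout of a Docker seccomp profile; a real one
# (for example Docker's default profile) has many more entries.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "clock_gettime"], "action": "SCMP_ACT_ALLOW"},
        # Conditional rule: only applies when the container holds CAP_SYS_TIME.
        {"names": ["clock_settime"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_TIME"]}},
    ],
}


def _unconditional(rule):
    """True if the rule has no args/includes/excludes conditions attached."""
    return not (rule.get("args") or rule.get("includes") or rule.get("excludes"))


def action_for(profile, syscall):
    """Action from the first unconditional rule naming `syscall`.

    Conditional rules are ignored, so the answer describes a container
    started without extra capabilities; otherwise defaultAction applies.
    """
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []) and _unconditional(rule):
            return rule["action"]
    return profile["defaultAction"]


def allow_syscalls(profile, names):
    """Return a copy of `profile` that also allows `names`; nothing else changes."""
    patched = copy.deepcopy(profile)
    missing = [n for n in names if action_for(patched, n) != "SCMP_ACT_ALLOW"]
    if missing:
        patched.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW"})
    return patched


if __name__ == "__main__":
    # "clock_gettime64" is an assumed candidate, not confirmed by the post.
    patched = allow_syscalls(SAMPLE_PROFILE, ["clock_gettime64"])
    with open("profile.json", "w") as fh:
        json.dump(patched, fh, indent=2)
    print("docker run --rm -it --security-opt seccomp=profile.json alpine:3.13 sh")
```

Running action_for over the profile before and after patching shows which calls the filter would still reject, which is a quick check that the change is limited to the syscall you meant to add.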

References:
alpine 3.13, armv7 network-access seems to be broken
Seccomp security profiles for Docker
Docker: fixing jmap and other JDK commands not working in an openjdk container

