Raspberry Pi 3: summary of docker build alpine problems

The following is quoted from https://blog.51cto.com/laok8/2618697, which provided the method:

fatal: unable to access error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time

Docker is running on a Raspberry Pi 3B+ (the CPU is armv7 architecture).

The problem is caused by the alpine 3.13 image (3.12 has no problem).

>docker container run --rm -it alpine:3.13 sh
>/ # ping 8.8.8.8
>PING 8.8.8.8 (8.8.8.8): 56 data bytes
>ping: clock_gettime(MONOTONIC) failed
>/ # nslookup www.baidu.com
>nslookup: clock_gettime(MONOTONIC) failed

>docker container run --rm -it --privileged alpine:3.13 sh
>/ # nslookup www.baidu.com
>Server: 8.8.8.8
>Address: 8.8.8.8:53

>Non-authoritative answer:
>Name: www.baidu.com
>Address: 220.181.38.148

>Non-authoritative answer:
>Name: www.baidu.com
>Address: 2a00:1450:4005:80b::2003

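The root cause is a security feature that Docker added starting with version 1.10 (--security-opt seccomp=/path/to/seccomp/profile.json). It is not yet certain which system call in the alpine image is being blocked (clock_settime is suspected).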

Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access.
This feature is available only if Docker has been built with seccomp and the kernel is configured with CONFIG_SECCOMP enabled. To check if your kernel supports seccomp:

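Proposed solutions:

  • Change the version in the Dockerfile to pull alpine:3.12, then build the image and container again.
  • Turn off the seccomp configuration entirely.
  • Determine which system call is causing the problem, then add it explicitly with docker run --cap-add=SYS_PTRACE.
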
docker run -it --rm --security-opt seccomp=unconfined alpine:3.13 ping www.google.de
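
For the third option, a narrower alternative to seccomp=unconfined is a custom profile passed through --security-opt seccomp=/path/to/seccomp/profile.json that allows only the syscall that was blocked. The sketch below is an added example, not code from the quoted post: SAMPLE_PROFILE is a constructed, trimmed stand-in for Docker's default profile, the output file name is hypothetical, and clock_gettime64 is an assumed candidate because the page has not confirmed which call is blocked.

```python
import copy
import json

# Constructed, heavily trimmed stand-in for Docker's default seccomp profile.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "clock_gettime"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clock_settime"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_TIME"]}},
    ],
}


def unconditionally_allowed(profile):
    """Syscall names allowed with no argument, capability or arch condition."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            continue  # conditional rule: does not count as a plain allow
        allowed.update(rule.get("names", []))
    return allowed


def allow_syscalls(profile, names):
    """Return (patched_copy, added): one extra ALLOW rule for the missing names."""
    added = sorted(set(names) - unconditionally_allowed(profile))
    patched = copy.deepcopy(profile)
    if added:
        patched["syscalls"].append({"names": added, "action": "SCMP_ACT_ALLOW"})
    return patched, added


if __name__ == "__main__":
    # Assumed candidate: the page has not confirmed which call is blocked.
    patched, added = allow_syscalls(SAMPLE_PROFILE, ["clock_gettime", "clock_gettime64"])
    with open("alpine-3.13-seccomp.json", "w") as fh:  # hypothetical file name
        json.dump(patched, fh, indent=2)
    print("added:", added)
    print("docker run -it --rm --security-opt seccomp=alpine-3.13-seccomp.json "
          "alpine:3.13 ping www.google.de")
```

For real use, load the default profile JSON that matches the installed Docker version in place of SAMPLE_PROFILE, so every other restriction stays in force.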