fatal: unable to access error:0D0D90AD:asn1 encodi

Reader submission 296 2022-10-26

Problem

fatal: unable to access 'error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time

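I hit this problem running Docker on a Raspberry Pi 3B+ (the CPU is armv7 architecture). Probably very few people have run into it, because searching online turns up very little information about it. It tormented me for several days.

The problem is caused by the alpine 3.13 image (3.12 is fine).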

    docker container run --rm -it alpine:3.13 sh
    / # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    ping: clock_gettime(MONOTONIC) failed
    / # nslookup baidu.com
    nslookup: clock_gettime(MONOTONIC) failed

    docker container run --rm -it --privileged alpine:3.13 sh
    / # nslookup baidu.com
    Server: 8.8.8.8
    Address: 8.8.8.8:53
    Non-authoritative answer:
    Name: baidu.com
    Address: 220.181.38.148
    Non-authoritative answer:
    Name: baidu.com
    Address: 2a00:1450:4005:80b::2003

The root cause is the security feature Docker has included since version 1.10 (--security-opt seccomp=/path/to/seccomp/profile.json). It is still not certain which system call in the alpine image is being blocked (I suspect clock_settime).

Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access. This feature is available only if Docker has been built with seccomp and the kernel is configured with CONFIG_SECCOMP enabled. To check if your kernel supports seccomp:

Solutions:

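1. Change the version in the Dockerfile so that it pulls alpine:3.12, then build the image and container again.
2. Turn off the seccomp configuration directly:
       docker run -it --rm --security-opt seccomp=unconfined alpine:3.13 ping google.de
3. Determine which system call is responsible, then add it explicitly with docker run --cap-add=SYS_PTRACE.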
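For option 3, a narrower alternative to seccomp=unconfined is to check what a profile does with the suspected system call and allow only that one. The following is an added example, not code from the original post: the profile is a constructed, trimmed sample in Docker's seccomp JSON format, the function names are hypothetical, and clock_gettime64 is an assumed candidate system call that the post does not confirm.

```python
import json

# Constructed, heavily trimmed profile in Docker's seccomp JSON format.
# It is NOT Docker's real default profile; load yours with json.load().
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "clock_gettime", "clock_nanosleep"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["clock_settime", "settimeofday"],
     "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_TIME"]}}
  ]
}
""")


def verdict(profile, syscall):
    """Return 'allowed', 'conditional' or 'default:<action>' for a syscall."""
    conditional = False
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule.get("name")]  # older profiles use "name"
        if syscall not in names or rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            conditional = True  # allowed only for some arguments or capabilities
        else:
            return "allowed"
    return "conditional" if conditional else "default:" + profile["defaultAction"]


def with_allowed(profile, names):
    """Copy the profile and allow only the listed syscalls it does not already allow."""
    missing = [n for n in names if verdict(profile, n) != "allowed"]
    patched = json.loads(json.dumps(profile))  # deep copy, input stays untouched
    if missing:
        patched["syscalls"].append(
            {"names": missing, "action": "SCMP_ACT_ALLOW", "args": []})
    return patched


if __name__ == "__main__":
    # clock_gettime64 is an assumed candidate, not confirmed by the post.
    for name in ("clock_gettime", "clock_settime", "clock_gettime64"):
        print(f"{name:16} {verdict(SAMPLE_PROFILE, name)}")
    print(json.dumps(with_allowed(SAMPLE_PROFILE, ["clock_gettime64"]), indent=2))
```

Save the printed profile to a file and pass its path with --security-opt seccomp=/path/to/seccomp/profile.json in place of seccomp=unconfined, so every other system call stays filtered.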

References:
alpine 3.13, armv7 network-access seems to be broken
Seccomp security profiles for Docker
Docker: fixing jmap and other JDK commands not working inside an openjdk container
