From 7c0a634bedb3089d70d08fbcb4392d776a0efd9f Mon Sep 17 00:00:00 2001
From: Scott Lamb
Date: Thu, 8 Apr 2021 22:15:31 -0700
Subject: [PATCH] avoid clock problems on some Docker setups In particular, this was happening out of the box on Raspberry Pi OS Lite 20210304, as reported by ironoxidizer@gmail.com here: https://groups.google.com/g/moonfire-nvr-users/c/2j9LvfFl2u8/m/tJcNS2WfCQAJ * adjust main.rs to make the problem more obvious * mention it in the troubleshooting guide * sidestep it in the nvr docker wrapper script also just use --networking=host rather than --publish (avoiding a proxy process). I'm using Docker to simplify the build and deployment process, not as a security boundary, so just do the simpler thing.
---
 guide/install.md | 24 +++++++-----------------
 guide/troubleshooting.md | 18 ++++++++++++++++++
 server/src/main.rs | 9 +++++++++
 3 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/guide/install.md b/guide/install.md
index 384880a..95561b4 100644
--- a/guide/install.md
+++ b/guide/install.md
@@ -13,20 +13,9 @@ instead want to build Moonfire NVR yourself, see the [Build instructions](build.md). First, install [Docker](https://www.docker.com/) if you haven't already,
-and verify you can run the container.
+and verify `docker run --rm hello-world` works.
-```
-$ docker run --rm -it scottlamb/moonfire-nvr:latest
-moonfire-nvr 0.6.2
-security camera network video recorder
-
-USAGE:
- moonfire-nvr
-
-...
-```
-
-Next, you'll need to set up your filesystem and the Monfire NVR user.
+Next, you'll need to set up your filesystem and the Moonfire NVR user.
 Moonfire NVR keeps two kinds of state:
@@ -56,12 +45,13 @@ time zone.
 sudo sh -c 'cat > /usr/local/bin/nvr' <<'EOF'
 #!/bin/bash -e
-tz=America/Los_Angeles
-container_name=moonfire-nvr
-image_name=scottlamb/moonfire-nvr:latest
+tz="America/Los_Angeles"
+container_name="moonfire-nvr"
+image_name="scottlamb/moonfire-nvr:latest"
 common_docker_run_args=(
 --mount=type=bind,source=/var/lib/moonfire-nvr,destination=/var/lib/moonfire-nvr
 --user="$(id -u moonfire-nvr):$(id -g moonfire-nvr)"
+ --security-opt=seccomp:unconfined
 --env=RUST_BACKTRACE=1
 --env=TZ=":${tz}"
 )
@@ -73,7 +63,7 @@ run)
 --detach=true \
 --restart=on-failure \
 "${common_docker_run_args[@]}" \
- --publish=8080:8080 \
+ --network=host \
 --name="${container_name}" \
 "${image_name}" \
 run \
diff --git a/guide/troubleshooting.md b/guide/troubleshooting.md
index af324f9..39e56cd 100644
--- a/guide/troubleshooting.md
+++ b/guide/troubleshooting.md
@@ -11,6 +11,7 @@ need more help.
 * [Camera stream errors](#camera-stream-errors)
 * [Problems](#problems)
 * [Server errors](#server-errors)
+ * [`clock_gettime failed: EPERM: Operation not permitted`](#clock_gettime-failed-eperm-operation-not-permitted)
 * [`Error: pts not monotonically increasing; got 26615520 then 26539470`](#error-pts-not-monotonically-increasing-got-26615520-then-26539470)
 * [Out of disk space](#out-of-disk-space)
 * [Database or filesystem corruption errors](#database-or-filesystem-corruption-errors)
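Review bot: `--security-opt=seccomp:unconfined` in `common_docker_run_args` turns off Docker's default syscall filter on every host that installs this wrapper, although the commit message ties the `clock_gettime` failure to particular Docker setups. I would ship it commented out, e.g. `# --security-opt=seccomp:unconfined  # only if clock_gettime fails with EPERM (see troubleshooting guide)`, so that only affected hosts opt in. Where the cause is an outdated seccomp library on the host, which is what the linked answer appears to describe, upgrading it or supplying a custom profile that allows the clock syscalls keeps the filter in place; the new troubleshooting section could list that before `unconfined`. Combined with `--network=host` in the following hunk, the container ends up with neither a syscall filter nor its own network namespace, and the guide should say so plainly.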
@@ -213,6 +214,23 @@ W20210309 00:28:55.527 s-courtyard-sub moonfire_nvr::streamer] courtyard-sub: sl
 ### Server errors
+#### `clock_gettime failed: EPERM: Operation not permitted`
+
+If commands fail with an error like the following, you're likely running
+Docker with an overly restrictive `seccomp` setup. [This stackoverflow
+answer](https://askubuntu.com/questions/1263284/apt-update-throws-signature-error-in-ubuntu-20-04-container-on-arm/1264921#1264921) describes the
+problem in more detail. The simplest solution is to add
+`--security-opt=seccomp:unconfined` to your Docker commandline.
+If you are using the recommended `/usr/local/bin/nvr` wrapper script,
+add this option to the `common_docker_run_args` section.
+
+```
+$ docker run --rm -it moonfire-nvr:latest
+clock_gettime failed: EPERM: Operation not permitted
+
+This indicates a broken environment. See the troubleshooting guide.
+```
+
 #### `Error: pts not monotonically increasing; got 26615520 then 26539470`
 If your streams cut out and you see error messages like this one in Moonfire
diff --git a/server/src/main.rs b/server/src/main.rs
index f8fce5d..d703dfd 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -137,6 +137,15 @@ fn panic_hook(p: &std::panic::PanicInfo) {
 }
 fn main() {
+ if let Err(e) = nix::time::clock_gettime(nix::time::ClockId::CLOCK_MONOTONIC) {
+ eprintln!(
+ "clock_gettime failed: {}\n\n\
+ This indicates a broken environment. See the troubleshooting guide.",
+ e
+ );
+ std::process::exit(1);
+ }
+
 let args = Args::from_args();
 let mut h = mylog::Builder::new()
 .set_format(
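Review bot: The clock probe added at the top of `main` has no comment saying why a clock read comes before argument parsing, so a later cleanup could drop it as dead code. A line such as `// Fail fast with a readable message when the sandbox (e.g. a seccomp filter) denies clock_gettime.` above the `if let` would record the intent. Since the message is printed before the logger is built and is the only hint the user gets, it could also name where to look, e.g. `guide/troubleshooting.md` under "Server errors". `main` continues past the end of the hunk.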