avoid clock problems on some Docker setups

In particular, this was happening out of the box on Raspberry Pi OS Lite
20210304, as reported by ironoxidizer@gmail.com here:
https://groups.google.com/g/moonfire-nvr-users/c/2j9LvfFl2u8/m/tJcNS2WfCQAJ

*   adjust main.rs to make the problem more obvious
*   mention it in the troubleshooting guide
*   sidestep it in the nvr docker wrapper script

also just use --networking=host rather than --publish (avoiding a proxy
process). I'm using Docker to simplify the build and deployment process,
not as a security boundary, so just do the simpler thing.
Scott Lamb 2021-04-08 22:15:31 -07:00
parent 0c34ea8314
commit 7c0a634bed
3 changed files with 34 additions and 17 deletions

View File

@ -13,20 +13,9 @@ instead want to build Moonfire NVR yourself, see the [Build
instructions](build.md). instructions](build.md).
First, install [Docker](https://www.docker.com/) if you haven't already, First, install [Docker](https://www.docker.com/) if you haven't already,
and verify you can run the container. and verify `docker run --rm hello-world` works.
``` Next, you'll need to set up your filesystem and the Moonfire NVR user.
$ docker run --rm -it scottlamb/moonfire-nvr:latest
moonfire-nvr 0.6.2
security camera network video recorder
USAGE:
moonfire-nvr <SUBCOMMAND>
...
```
Next, you'll need to set up your filesystem and the Monfire NVR user.
Moonfire NVR keeps two kinds of state: Moonfire NVR keeps two kinds of state:
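Review bot: the new check `docker run --rm hello-world` only shows that Docker itself works, and the guide no longer says why the Moonfire NVR image is not run directly at this step. Since the troubleshooting guide shows that a plain `docker run` of the image is where `clock_gettime failed: EPERM: Operation not permitted` appears, suggest one sentence here pointing to that entry for readers who try the image by hand before installing the wrapper script.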
@ -56,12 +45,13 @@ time zone.
sudo sh -c 'cat > /usr/local/bin/nvr' <<'EOF' sudo sh -c 'cat > /usr/local/bin/nvr' <<'EOF'
#!/bin/bash -e #!/bin/bash -e
tz=America/Los_Angeles tz="America/Los_Angeles"
container_name=moonfire-nvr container_name="moonfire-nvr"
image_name=scottlamb/moonfire-nvr:latest image_name="scottlamb/moonfire-nvr:latest"
common_docker_run_args=( common_docker_run_args=(
--mount=type=bind,source=/var/lib/moonfire-nvr,destination=/var/lib/moonfire-nvr --mount=type=bind,source=/var/lib/moonfire-nvr,destination=/var/lib/moonfire-nvr
--user="$(id -u moonfire-nvr):$(id -g moonfire-nvr)" --user="$(id -u moonfire-nvr):$(id -g moonfire-nvr)"
--security-opt=seccomp:unconfined
--env=RUST_BACKTRACE=1 --env=RUST_BACKTRACE=1
--env=TZ=":${tz}" --env=TZ=":${tz}"
) )
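Review bot: `--security-opt=seccomp:unconfined` in `common_docker_run_args` applies to every invocation of the wrapper on every host, including hosts where Docker's default seccomp profile works, and the script carries no comment saying why it is there. Suggest a comment above that line naming the `clock_gettime` EPERM problem and the troubleshooting section, so users on unaffected systems know they can drop the option and keep the default syscall filter.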
@ -73,7 +63,7 @@ run)
--detach=true \ --detach=true \
--restart=on-failure \ --restart=on-failure \
"${common_docker_run_args[@]}" \ "${common_docker_run_args[@]}" \
--publish=8080:8080 \ --network=host \
--name="${container_name}" \ --name="${container_name}" \
"${image_name}" \ "${image_name}" \
run \ run \
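Review bot: replacing `--publish=8080:8080` with `--network=host` in the `run)` case removes the only line that told the reader which port is exposed. With host networking the container shares the host's network namespace, so whatever address and port the server binds to is reachable directly on the host's interfaces. Suggest a sentence in the install instructions saying so, and noting that restricting access is now a matter of the server's bind address or the host firewall.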

View File

@ -11,6 +11,7 @@ need more help.
* [Camera stream errors](#camera-stream-errors) * [Camera stream errors](#camera-stream-errors)
* [Problems](#problems) * [Problems](#problems)
* [Server errors](#server-errors) * [Server errors](#server-errors)
* [`clock_gettime failed: EPERM: Operation not permitted`](#clock_gettime-failed-eperm-operation-not-permitted)
* [`Error: pts not monotonically increasing; got 26615520 then 26539470`](#error-pts-not-monotonically-increasing-got-26615520-then-26539470) * [`Error: pts not monotonically increasing; got 26615520 then 26539470`](#error-pts-not-monotonically-increasing-got-26615520-then-26539470)
* [Out of disk space](#out-of-disk-space) * [Out of disk space](#out-of-disk-space)
* [Database or filesystem corruption errors](#database-or-filesystem-corruption-errors) * [Database or filesystem corruption errors](#database-or-filesystem-corruption-errors)
@ -213,6 +214,23 @@ W20210309 00:28:55.527 s-courtyard-sub moonfire_nvr::streamer] courtyard-sub: sl
### Server errors ### Server errors
#### `clock_gettime failed: EPERM: Operation not permitted`
If commands fail with an error like the following, you're likely running
Docker with an overly restrictive `seccomp` setup. [This stackoverflow
answer](https://askubuntu.com/questions/1263284/apt-update-throws-signature-error-in-ubuntu-20-04-container-on-arm/1264921#1264921) describes the
problem in more detail. The simplest solution is to add
`--security-opt=seccomp:unconfined` to your Docker commandline.
If you are using the recommended `/usr/local/bin/nvr` wrapper script,
add this option to the `common_docker_run_args` section.
```
$ docker run --rm -it moonfire-nvr:latest
clock_gettime failed: EPERM: Operation not permitted
This indicates a broken environment. See the troubleshooting guide.
```
#### `Error: pts not monotonically increasing; got 26615520 then 26539470` #### `Error: pts not monotonically increasing; got 26615520 then 26539470`
If your streams cut out and you see error messages like this one in Moonfire If your streams cut out and you see error messages like this one in Moonfire
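Review bot: the new section offers `--security-opt=seccomp:unconfined` as "the simplest solution" without saying that it turns off Docker's seccomp syscall filtering for the container altogether; a sentence stating that trade-off would let readers decide whether they want it. Two smaller points: the link text says "This stackoverflow answer" but the URL is on askubuntu.com, and the sample command runs `moonfire-nvr:latest` while the install guide's wrapper uses `scottlamb/moonfire-nvr:latest`.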

View File

@ -137,6 +137,15 @@ fn panic_hook(p: &std::panic::PanicInfo) {
} }
fn main() { fn main() {
if let Err(e) = nix::time::clock_gettime(nix::time::ClockId::CLOCK_MONOTONIC) {
eprintln!(
"clock_gettime failed: {}\n\n\
This indicates a broken environment. See the troubleshooting guide.",
e
);
std::process::exit(1);
}
let args = Args::from_args(); let args = Args::from_args();
let mut h = mylog::Builder::new() let mut h = mylog::Builder::new()
.set_format( .set_format(
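Review bot: the message printed by the `eprintln!` at the top of `main()` ends with "See the troubleshooting guide." without saying where the guide is or which entry applies. Suggest including the section title `clock_gettime failed: EPERM: Operation not permitted` or a URL in the text. Because the check runs before `Args::from_args()`, a short code comment stating that this ordering is intentional, so that every subcommand fails the same way, would also help.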