avoid clock problems on some Docker setups

In particular, this was happening out of the box on Raspberry Pi OS Lite 20210304, as reported by ironoxidizer@gmail.com here: https://groups.google.com/g/moonfire-nvr-users/c/2j9LvfFl2u8/m/tJcNS2WfCQAJ * adjust main.rs to make the problem more obvious * mention it in the troubleshooting guide * sidestep it in the nvr docker wrapper script also just use --networking=host rather than --publish (avoiding a proxy process). I'm using Docker to simplify the build and deployment process, not as a security boundary, so just do the simpler thing.
2025-10-30 00:05:03 -04:00 · 2021-04-08 22:15:31 -07:00 · 2021-04-08 22:15:31 -07:00 · 7c0a634bed
commit 7c0a634bed
parent 0c34ea8314
3 changed files with 34 additions and 17 deletions
--- a/guide/install.md
+++ b/guide/install.md
@ -13,20 +13,9 @@ instead want to build Moonfire NVR yourself, see the [Build
 instructions](build.md).

 First, install [Docker](https://www.docker.com/) if you haven't already,
-and verify you can run the container.
+and verify `docker run --rm hello-world` works.

-```
-$ docker run --rm -it scottlamb/moonfire-nvr:latest
-moonfire-nvr 0.6.2
-security camera network video recorder
-
-USAGE:
-    moonfire-nvr <SUBCOMMAND>
-
-...
-```
-
-Next, you'll need to set up your filesystem and the Monfire NVR user.
+Next, you'll need to set up your filesystem and the Moonfire NVR user.

 Moonfire NVR keeps two kinds of state:

@ -56,12 +45,13 @@ time zone.
 sudo sh -c 'cat > /usr/local/bin/nvr' <<'EOF'
 #!/bin/bash -e

-tz=America/Los_Angeles
-container_name=moonfire-nvr
-image_name=scottlamb/moonfire-nvr:latest
+tz="America/Los_Angeles"
+container_name="moonfire-nvr"
+image_name="scottlamb/moonfire-nvr:latest"
 common_docker_run_args=(
        --mount=type=bind,source=/var/lib/moonfire-nvr,destination=/var/lib/moonfire-nvr
        --user="$(id -u moonfire-nvr):$(id -g moonfire-nvr)"
+        --security-opt=seccomp:unconfined
        --env=RUST_BACKTRACE=1
        --env=TZ=":${tz}"
 )
@ -73,7 +63,7 @@ run)
                --detach=true \
                --restart=on-failure \
                "${common_docker_run_args[@]}" \
-                --publish=8080:8080 \
+                --network=host \
                --name="${container_name}" \
                "${image_name}" \
                run \
--- a/guide/troubleshooting.md
+++ b/guide/troubleshooting.md
@ -11,6 +11,7 @@ need more help.
    * [Camera stream errors](#camera-stream-errors)
 * [Problems](#problems)
    * [Server errors](#server-errors)
+        * [`clock_gettime failed: EPERM: Operation not permitted`](#clock_gettime-failed-eperm-operation-not-permitted)
        * [`Error: pts not monotonically increasing; got 26615520 then 26539470`](#error-pts-not-monotonically-increasing-got-26615520-then-26539470)
        * [Out of disk space](#out-of-disk-space)
        * [Database or filesystem corruption errors](#database-or-filesystem-corruption-errors)
@ -213,6 +214,23 @@ W20210309 00:28:55.527 s-courtyard-sub moonfire_nvr::streamer] courtyard-sub: sl

 ### Server errors

+#### `clock_gettime failed: EPERM: Operation not permitted`
+
+If commands fail with an error like the following, you're likely running
+Docker with an overly restrictive `seccomp` setup. [This stackoverflow
+answer](https://askubuntu.com/questions/1263284/apt-update-throws-signature-error-in-ubuntu-20-04-container-on-arm/1264921#1264921) describes the
+problem in more detail. The simplest solution is to add
+`--security-opt=seccomp:unconfined` to your Docker commandline.
+If you are using the recommended `/usr/local/bin/nvr` wrapper script,
+add this option to the `common_docker_run_args` section.
+
+```
+$ docker run --rm -it moonfire-nvr:latest
+clock_gettime failed: EPERM: Operation not permitted
+
+This indicates a broken environment. See the troubleshooting guide.
+```
+
 #### `Error: pts not monotonically increasing; got 26615520 then 26539470`

 If your streams cut out and you see error messages like this one in Moonfire
--- a/server/src/main.rs
+++ b/server/src/main.rs
@ -137,6 +137,15 @@ fn panic_hook(p: &std::panic::PanicInfo) {
 }

 fn main() {
+    if let Err(e) = nix::time::clock_gettime(nix::time::ClockId::CLOCK_MONOTONIC) {
+        eprintln!(
+            "clock_gettime failed: {}\n\n\
+                   This indicates a broken environment. See the troubleshooting guide.",
+            e
+        );
+        std::process::exit(1);
+    }
+
    let args = Args::from_args();
    let mut h = mylog::Builder::new()
        .set_format(