Docker容器中与主机同步的时间 [英] Time in Docker container our of sync with host machine
问题描述
我正试图通过我的 SpringBoot 应用程序连接到 CosmosDB 。如果我使用 Spring 或通过 Intellij 运行应用程序,则所有这些工作都可以进行。但是,当我在 Docker 中运行应用程序时,出现以下错误消息:
I'm trying to connect to CosmosDB through my SpringBoot app. I have all of this working if I run the app with Spring or via Intellij. But, when I run the app in Docker I get the following error message:
com.azure.data.cosmos.CosmosClientException: The authorization token is not valid at the current time.
Please create another token and retry
(token start time: Thu, 26 Mar 2020 04:32:10 GMT,
token expiry time: Thu, 26 Mar 2020 04:47:10 GMT, current server time: Tue, 31 Mar 2020 20:12:42 GMT).
请注意,在上述错误消息中,当前服务器时间是正确的,但其他时间落后了5天。
Note that in the above error message the current server time is correct but the other times are 5 days behind.
我发现有趣的是,我只在docker容器中收到过此消息。
What I find interesting is that I only ever receive this in the docker container.
FROM {copy of zulu-jdk11}
ARG JAR_FILE
#.crt file in the same folder as your Dockerfile
ARG CERT="cosmos.cer"
ARG ALIAS="cosmos2"
#import cert into java
COPY $CERT /
RUN chmod +x /$CERT
WORKDIR $JAVA_HOME/lib/security
RUN keytool -importcert -file /$CERT -alias $ALIAS -cacerts -storepass changeit -noprompt
WORKDIR /
COPY /target/${JAR_FILE} app.jar
COPY run-java.sh /
RUN chmod +x /run-java.sh
ENV JAVA_OPTIONS "-Duser.timezone=UTC"
ENV JAVA_APP_JAR "/app.jar"
# run as non-root to mitigate some security risks
RUN addgroup -S pcc && adduser -S nonroot -G nonroot
USER nonroot:nonroot
ENTRYPOINT ["/run-java.sh"]
要注意的一件事是 ENV JAVA_OPTIONS -Duser.timezone = UTC ,但是删除它并没有帮助我全部
One thing to note is ENV JAVA_OPTIONS "-Duser.timezone=UTC" but removing this didn't help me at all
我基本上从IntelliJ运行相同的步骤,但没有问题,但在docker中,到期日期似乎要晚5天。
I basically run the same step from IntelliJ and I have no issues with it but in docker the expiry date seems to be 5 days behind.
version: "3.7"
services:
orchestration-agent:
image: {image-name}
ports:
- "8080:8080"
network_mode: host
environment:
- COSMOSDB_URI=https://host.docker.internal:8081/
- COSMOSDB_KEY={key}
- COSMOSDB_DATABASE={database}
- COSMOSDB_POPULATEQUERYMETRICS=true
- COSMOSDB_ITEMLEVELTTL=60
我想也应该提到我将 network_mode 更改为 host 。而且我还将CosmosDB URI从 https:// localhost:8081 更改为 https://host.docker.internal:8081 /
I think it should also be mentioned that I changed the network_mode to host. And I also changed the CosmosDB URI from https://localhost:8081 to https://host.docker.internal:8081/
我还要提及的是,我在以下帮助下构建了 dockerfile :
I would also like to mention that I built my dockerfile with the help of:
服务无法识别将自签名证书导入Docker的JRE cacert中
推荐答案
Docker容器不维护单独的时钟,这与Dockerfile中的Jenkins签署了证书吗?由于时间不是命名空间值,因此连接到Linux主机。这也是Docker删除更改容器内时间的权限的原因,因为这会影响主机和其他容器,从而破坏隔离模型。
Docker containers don't maintain a separate clock, it's identical to the Linux host since time is not a namespaced value. This is also why Docker removes the permission to change the time inside the container, since that would impact the host and other containers, breaking the isolation model.
但是,在Docker上泊坞窗在台式机上运行在VM内部(允许您在非Linux台式机上运行Linux容器),并且在笔记本电脑挂起时,VM的时间可能不同步。当前正在github上的一个问题中对此进行跟踪,您可以按照该问题查看进度: https://github.com/docker/for-win/issues/4526
However, on Docker Desktop, docker runs inside of a VM (allowing you to run Linux containers on non-Linux desktops), and that VM's time can get out of sync when the laptop is suspended. This is currently being tracked in an issue over on github which you can follow to see the progress: https://github.com/docker/for-win/issues/4526
可能的解决方案包括重启计算机,重启docker的VM,以特权容器,或使用以下PowerShell在Windows VM中重置时间同步:
Potential solutions include restarting your computer, restarting docker's VM, running NTP as a privileged container, or resetting the time sync in the windows VM with the following PowerShell:
Get-VMIntegrationService -VMName DockerDesktopVM -Name "Time Synchronization" | Disable-VMIntegrationService
Get-VMIntegrationService -VMName DockerDesktopVM -Name "Time Synchronization" | Enable-VMIntegrationService
使用WSL 2,重新启动VM涉及:
With WSL 2, restarting the VM involves:
wsl --shutdown
wsl
这篇关于Docker容器中与主机同步的时间的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
