I added the key to the Ubuntu keyserver (for some reason, they didn't have the key for the Kitware apt repository, which was updated in 2022)
Running this should solve your problem now:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 6AF7F09730B3F0A4
The above is the fix for the non-container case.
https://askubuntu.com/questions/1389758/apt-get-update-fails-due-to-no-pubkey-6af7f09730b3f0a4
Problem
Running apt update inside an Ubuntu 22.04 container produced the following errors:
[[email protected] docker-kubuntu]# docker run --rm -it ubuntu:22.04 bash
[email protected]:/# apt update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Err:1 http://security.ubuntu.com/ubuntu jammy-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Err:2 http://archive.ubuntu.com/ubuntu jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [109 kB]
Err:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Err:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Reading package lists... Done
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://security.ubuntu.com/ubuntu jammy-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://security.ubuntu.com/ubuntu jammy-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
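Cause
After some research, it turns out that Ubuntu 21.10 and Fedora 35 started using glibc 2.34 or later. Starting with glibc 2.34, a system call named clone3 is used. Normally, every system call made inside a container is intercepted by Docker, which then decides how to handle it. If Docker has no policy specified for a particular system call, the default policy tells the container "Permission Denied". However, when glibc receives this error, it does not fall back. It only falls back when it receives the response "this system call is not available".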
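How that policy lookup decides the fate of clone3, as an added example (not from the original post or from Docker's code): a simplified evaluator run over two constructed, trimmed profiles in Docker's seccomp JSON format, one without and one with an explicit clone3 rule. The function names are hypothetical, and per-argument, architecture and kernel-version conditions are ignored.

```python
import json

# Linux errno numbers used by seccomp "errnoRet" values.
LINUX_ERRNO = {1: "EPERM", 38: "ENOSYS"}

# Constructed sample profiles (trimmed to a few syscalls for illustration).
OLD_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["clone", "read", "write"], "action": "SCMP_ACT_ALLOW"}
  ]
}""")
NEW_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["clone", "read", "write"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38,
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}""")


def rule_applies(rule, caps):
    """A rule is active if all 'includes' caps are held and no 'excludes' cap is."""
    inc = rule.get("includes", {}).get("caps", [])
    exc = rule.get("excludes", {}).get("caps", [])
    return all(c in caps for c in inc) and not any(c in caps for c in exc)


def seccomp_result(profile, syscall, caps=frozenset()):
    """Return 'ALLOW' or the errno name the filter hands back for `syscall`."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []) and rule_applies(rule, caps):
            action, ret = rule["action"], rule.get("errnoRet", 1)
            break
    else:  # no rule names the syscall, so the default policy decides
        action = profile["defaultAction"]
        ret = profile.get("defaultErrnoRet", 1)  # EPERM unless overridden
    if action == "SCMP_ACT_ALLOW":
        return "ALLOW"
    if action == "SCMP_ACT_ERRNO":
        return LINUX_ERRNO.get(ret, "errno %d" % ret)
    return action


def glibc_clone_works(profile, caps=frozenset()):
    """glibc >= 2.34 tries clone3 and falls back to clone only on ENOSYS."""
    result = seccomp_result(profile, "clone3", caps)
    if result == "ALLOW":
        return True
    return result == "ENOSYS" and seccomp_result(profile, "clone", caps) == "ALLOW"
```

With the first profile clone3 falls through to the default action and gets EPERM, so glibc never retries with clone; with the second it gets ENOSYS and the fallback succeeds.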
Solution
Option 1
When running the container, add this parameter to bypass Docker's system call restrictions:
--security-opt seccomp=unconfined
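However, this has serious problems: first, your container becomes insecure; second, these parameters are not available when building an image. So see Option 2.
Option 2
Upgrade Docker to a version above 20.10.8 (> 20.10.8).
Because changing the Docker version in a production environment is not easy, production image builds should avoid the Ubuntu 21.10 and Fedora 35 images and later versions, as well as any other images that use them as a base image. Most official images are currently based on Debian; whether the Debian family of images is affected still needs to be confirmed.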
Reference: https://stackoverflow.com/questions/71941032/why-i-cannot-run-apt-update-inside-a-fresh-ubuntu22-04
Reference: https://pascalroeleven.nl/2021/09/09/ubuntu-21-10-and-fedora-35-in-docker/