Unable to run apt update on an ubuntu 22 docker image on a CentOS host


Updated with solution

I must have installed docker-engine from the CentOS extras repository. The steps are as follows:

First, remove docker:

sudo yum remove docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-engine

Then add the docker-ce repo:

sudo yum install -y yum-utils
sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo

Then install docker-ce:

sudo yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Finally, start docker-ce:

sudo systemctl start docker

First, let me state that the question about updating the PUBKEY (How do I fix the GPG error "NO_PUBKEY"?) does not resolve this issue, as I mention below.

Here is my process:

docker run --rm -it ubuntu:22.04 bash -l

This downloads the ubuntu 22.04 image, starts the container and drops me into a root shell. This process is the same on every host OS I have tried (MacOS, CentOS, Amazon Linux).

The next command, run in the root shell, works on MacOS and Amazon Linux hosts but not on a CentOS host:

apt update

On the CentOS host, I get the following:

root@b40f3c9766e7:/# apt update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Err:1 http://security.ubuntu.com/ubuntu jammy-security InRelease   
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [109 kB]
Err:2 http://archive.ubuntu.com/ubuntu jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Err:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Err:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Reading package lists... Done
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://security.ubuntu.com/ubuntu jammy-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://security.ubuntu.com/ubuntu jammy-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code

I tried adding the PUBKEY using the instructions in How do I fix the GPG error "NO_PUBKEY"?, but I get this error:

E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation

Since I can't use apt, I can't install any of them, so how do I resolve this situation?

Does anyone know why this works fine on MacOS and Amazon Linux but not on CentOS?

Also, this works with Ubuntu 18.04 and Ubuntu 20.04. It only fails with 22.04.

Answer 1

Edit: After looking into this more closely, I realized that all I was doing here was using the default docker version that yum provides from @extras.

I removed these:

Removing:
 docker                          x86_64                   2:1.13.1-209.git7d71120.el7.centos                    @extras                    64 M
 docker-client                   x86_64                   2:1.13.1-209.git7d71120.el7.centos                    @extras                    13 M
 docker-common                   x86_64                   2:1.13.1-209.git7d71120.el7.centos                    @extras                   4.4 k

Then I installed Docker the proper way, from https://docs.docker.com/engine/install/centos/

This issue is now completely resolved. Below is my original dive into it, so you can see how I worked through the problem.


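For whatever reason, I am seeing the same thing on CentOS 7 based Docker containers running virtually every public Ubuntu image. I just went through the versions, and this suggests there is some lower-level issue/bug between Docker and CentOS 7 when executing this routine. I really don't know what it is. Still digging.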

W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key

This is the problematic line. _apt exists on every system I have looked at, although the user ID tends to differ.

Broken system:

root@69a789b8893e:/# grep _apt /etc/passwd /etc/shadow /etc/group
/etc/passwd:_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Working native system:

_apt:x:105:65534::/nonexistent:/usr/sbin/nologin

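The GID is always the common 65534, so that makes sense. What is not right here is that the permissions and ownership are in fact correct for every file and directory. 0755 is always the default in /etc/apt.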

root@69a789b8893e:/# find /etc/apt -type d -ls
  1464065      0 drwxr-xr-x   8 root     root          143 Apr 28 12:01 /etc/apt
 68555287      0 drwxr-xr-x   2 root     root          213 Apr 28 12:04 /etc/apt/apt.conf.d
135370920      0 drwxr-xr-x   2 root     root            6 Apr  8 10:22 /etc/apt/auth.conf.d
202835524      0 drwxr-xr-x   2 root     root            6 Apr  8 10:22 /etc/apt/keyrings
  1467146      0 drwxr-xr-x   2 root     root            6 Apr  8 10:22 /etc/apt/preferences.d
 68562845      0 drwxr-xr-x   2 root     root            6 Apr  8 10:22 /etc/apt/sources.list.d
135370943      0 drwxr-xr-x   2 root     root           84 Apr 28 12:04 /etc/apt/trusted.gpg.d

I will keep looking.
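
A triage helper for the symptom discussed above, added here as an example and not part of the original posts: it separates the case in the question (NO_PUBKEY together with the "not readable by user '_apt'" warning, where the keyring files are present) from a key that is really absent. The function names and the second sample are hypothetical and constructed; the first sample is an excerpt of the question's own output.

```shell
#!/usr/bin/env bash
# Added example (not from the original posts): triage of apt signature errors.

# Reads `apt update` output on stdin and prints exactly one verdict:
#   keyring-unreadable  NO_PUBKEY plus "not readable by user '_apt'": the key
#                       files exist but apt's unprivileged helper could not
#                       open them, so importing keys will not help
#   key-missing         NO_PUBKEY only: the signing key is really absent
#   ok                  no signature error in the output
classify_apt_failure() {
    local out no_pubkey unreadable
    out=$(cat)
    no_pubkey=$(printf '%s\n' "$out" | grep -c 'NO_PUBKEY' || true)
    unreadable=$(printf '%s\n' "$out" |
        grep -c "ignored as the file is not readable by user '_apt'" || true)
    if [ "$no_pubkey" -gt 0 ] && [ "$unreadable" -gt 0 ]; then
        echo keyring-unreadable
    elif [ "$no_pubkey" -gt 0 ]; then
        echo key-missing
    else
        echo ok
    fi
}

# Prints the distinct key IDs that apt reported as NO_PUBKEY, one per line.
reported_key_ids() {
    grep -o 'NO_PUBKEY [0-9A-F]\{16\}' | awk '{print $2}' | sort -u
}

# Excerpt of the output shown in the question.
SAMPLE_CENTOS_HOST="W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy InRelease' is not signed."

# Constructed sample: a third-party repository whose key was never installed.
SAMPLE_MISSING_KEY="W: GPG error: http://repo.example.test/apt stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF"

printf '%s\n' "$SAMPLE_CENTOS_HOST" | classify_apt_failure
printf '%s\n' "$SAMPLE_MISSING_KEY" | classify_apt_failure
```

A `keyring-unreadable` verdict points at the environment the container runs in rather than at the image's keys, so signature verification should stay enabled while the host side is investigated.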

Answer 2

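I did run into this problem too, but noticed that apt-get works properly when the container is started with the --privileged option. It looks like the problem is caused by a keyring failure. apt-key list also does not work when run without the --privileged option. However, docker build does not support this option, so I also had to switch to the suggested approach: https://docs.docker.com/engine/install/centos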
