docker: unknown syscalls return invalid `EPERM`
This is exposed due to the upgrade to musl-1.2. When trying to execute the syscall `clock_gettime64`, docker returns `EPERM` instead of the expected `ENOSYS`. Because of this unexpected return code, musl does not fall back to `clock_gettime`.
This results, for example, in all kinds of errors when trying to connect via TLS:
- git: `error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time`
- curl: `Operation timed out`
- openssl: `Verify return code: 14 (format error in certificate's notAfter field)`
When running the container unprivileged:
clock_gettime64(CLOCK_REALTIME, 0xffb8f9d8) = -1 EPERM (Operation not permitted)
When running the container privileged (and thus no issues):
clock_gettime64(CLOCK_REALTIME, 0xfff6bbe0) = -1 ENOSYS (Function not implemented)
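
The fallback behaviour described above, as an added example that is not musl's source and not part of the original report: a simplified model in which only `ENOSYS` leads to the legacy call, plus a probe that reports what the running environment answers for `clock_gettime64`. The names `model_clock_gettime`, `probe_time64` and the stub backends are hypothetical, the stub values are constructed, and a Linux libc is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Backends return 0 or a negative errno, like a raw syscall. */
typedef long (*sys_fn)(int clk, int64_t *sec);

/* Constructed stand-ins for what the kernel or container runtime answers. */
static long time64_enosys(int clk, int64_t *sec) { (void)clk; (void)sec; return -ENOSYS; }
static long time64_eperm(int clk, int64_t *sec)  { (void)clk; (void)sec; return -EPERM; }
static long legacy_ok(int clk, int64_t *sec)     { (void)clk; *sec = 1600000000; return 0; }

/* Simplified model of the fallback: only ENOSYS leads to the legacy call. */
long model_clock_gettime(sys_fn time64, sys_fn legacy, int clk,
                         int64_t *sec, int *used_legacy)
{
    long r = time64(clk, sec);
    *used_legacy = 0;
    if (r != -ENOSYS)
        return r;            /* success or any other error (EPERM) is final */
    *used_legacy = 1;
    return legacy(clk, sec);
}

/* Probe: 0 on success, errno on failure, -1 if this arch has no clock_gettime64. */
int probe_time64(void)
{
#ifdef SYS_clock_gettime64
    int64_t ts[2];           /* layout of the kernel's 64-bit timespec */
    return syscall(SYS_clock_gettime64, CLOCK_REALTIME, ts) == 0 ? 0 : errno;
#else
    return -1;
#endif
}

int main(void)
{
    int64_t sec = 0; int legacy = 0;
    long r = model_clock_gettime(time64_enosys, legacy_ok, 0, &sec, &legacy);
    printf("ENOSYS: r=%ld legacy=%d sec=%lld\n", r, legacy, (long long)sec);
    r = model_clock_gettime(time64_eperm, legacy_ok, 0, &sec, &legacy);
    printf("EPERM:  r=%ld legacy=%d\n", r, legacy);
    printf("probe_time64() = %d\n", probe_time64());
    return 0;
}
```

Built for a 32-bit target and run inside the container, `probe_time64()` returning `EPERM` rather than `ENOSYS` or 0 reproduces the condition shown in the traces above.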