From 792366d9fc8262bd53eef42410a6d5c486626582 Mon Sep 17 00:00:00 2001 From: caoqianming Date: Tue, 26 May 2026 22:16:05 +0800 Subject: [PATCH] =?UTF-8?q?deploy/sandbox:=20apt=20retry=20+=20=E6=8E=A8?= =?UTF-8?q?=20http=20mirror(=E8=85=BE=E8=AE=AF=E4=BA=91=20https=20?= =?UTF-8?q?=E5=81=B6=E5=8F=91=20SSL=20EOF)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 腾讯云内网 apt mirror (169.254.0.3) HTTPS 端偶发不发 close_notify 直接断, OpenSSL 3 严格 fail (error:0A000126: unexpected eof while reading),OpenSSL 1.1.1 容忍。python:3.11-slim 自带 OpenSSL 3,撞这条。 修两层: - Dockerfile 加 Acquire::Retries "5" + Pipeline-Depth "0" + No-Cache "true" - RUN.md 推 APT_MIRROR=http:// 而非 https://(apt 包 GPG 签名校验,无 HTTPS 安全收益,顺手绕开 SSL 兼容问题) 故障兜底加 OpenSSL EOF 一行。 Co-Authored-By: Claude Opus 4.7 (1M context) --- RUN.md | 9 +++++++-- deploy/sandbox/Dockerfile | 4 +++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/RUN.md b/RUN.md index ab8f1aa..4a47026 100644 --- a/RUN.md +++ b/RUN.md @@ -293,8 +293,12 @@ sudo -u zcbot docker build \ # --build-arg PIP_TRUSTED_HOST= # apt 源同款(chromium + nodejs + npm 体积大,deb.debian.org 境内慢): -# --build-arg APT_MIRROR=https://mirrors.cloud.tencent.com # 腾讯云内网 -# --build-arg APT_MIRROR=https://mirrors.aliyun.com # 阿里云 +# --build-arg APT_MIRROR=http://mirrors.cloud.tencent.com # 腾讯云内网(推 http,见下) +# --build-arg APT_MIRROR=http://mirrors.aliyun.com # 阿里云 +# 推荐 http 而非 https:apt 包用 GPG 签名校验,HTTPS 无额外安全收益,且腾讯云 +# 内网 mirror 走 https 偶发触发 OpenSSL 3 严格的 `unexpected eof while reading` +# (旧版 OpenSSL 1.1.1 容忍,新版 fail)。Dockerfile 已加 apt retry=5 + 关 +# pipeline + no-cache 兜底偶发抖动。 # npm 源同款(@mermaid-js/mermaid-cli + 依赖,境内访问 registry.npmjs.org 也慢): # --build-arg NPM_REGISTRY=https://mirrors.cloud.tencent.com/npm/ # 腾讯云 
@@ -453,6 +457,7 @@ sudo xfs_quota -x -c "limit -p bhard=10g zcbot_" /opt | `docker run zcbot-sandbox:latest` 报 `Unable to find image` | 镜像没 build。`sudo -u zcbot docker build -f deploy/sandbox/Dockerfile --build-arg HOST_UID=$(id -u zcbot) --build-arg HOST_GID=$(id -g zcbot) -t zcbot-sandbox:latest .` | | 镜像 build pip 报 `ReadTimeoutError: HTTPSConnectionPool(host='files.pythonhosted.org', ...)` | 境内访问 PyPI 抖动。加 `--build-arg PIP_INDEX_URL=https://mirrors.cloud.tencent.com/pypi/simple/`(腾讯云内网)或阿里云 / 清华源,详 RUN.md「镜像构建」段。Dockerfile 已把 pip timeout 拉到 60s,主因仍是源不通而非超时 | | 镜像 build npm 装 mermaid-cli 慢 / fail | npm 源境内慢。加 `--build-arg NPM_REGISTRY=https://mirrors.cloud.tencent.com/npm/`(腾讯云)或 `https://registry.npmmirror.com/`(阿里) | +| 镜像 build apt 报 `OpenSSL error: ... unexpected eof while reading` | 腾讯云 / 阿里 mirror HTTPS 端偶发 close_notify 缺失,OpenSSL 3 严格 fail。改用 http 形式:`--build-arg APT_MIRROR=http://mirrors.cloud.tencent.com`(apt 包 GPG 签名校验,无 HTTPS 安全收益)。Dockerfile 已配 apt retry=5 + 关 pipeline,重 build 一般直接过 | | 容器内 shell 写工作目录报 `Permission denied`(but `sandbox check` ⑤ HOST_UID aligned ok) | DockerExecutor 写死了 `--user 1000:1000` 不会自动跟 build 的 HOST_UID 同步(改 `--user zcbot` 后已修)。仍报错检查镜像内 `docker run --rm --entrypoint id zcbot-sandbox:latest zcbot` 输出 uid 是否 = `id -u $(whoami)` | | 模型用 run_python 跑 `render_diagrams.py` 报 `mmdc returncode=1: Failed to launch chromium` | 容器内 chromium 缺 puppeteer no-sandbox 配置。镜像已落 `/sandbox/puppeteer-config.json` + ENV `MERMAID_PUPPETEER_CONFIG`,render_diagrams.py 已读 env 自动 -p 注入;仍跪查 `docker exec ... env \| grep MERMAID` 看 env 是否在 | | Export 报 "无可导出内容" | task 没 messages(只 system 不算);先发条消息再 export | diff --git a/deploy/sandbox/Dockerfile b/deploy/sandbox/Dockerfile index d380558..ea56eb0 100644 --- a/deploy/sandbox/Dockerfile +++ b/deploy/sandbox/Dockerfile 
@@ -23,7 +23,9 @@ RUN if [ -n "${APT_MIRROR}" ]; then \ -e "s|http://security.debian.org|${APT_MIRROR}|g" \ -e "s|https://security.debian.org|${APT_MIRROR}|g" \ /etc/apt/sources.list /etc/apt/sources.list.d/*.sources 2>/dev/null || true; \ - fi + fi && \ + printf 'Acquire::Retries "5";\nAcquire::http::Pipeline-Depth "0";\nAcquire::http::No-Cache "true";\n' \ + > /etc/apt/apt.conf.d/80-zcbot-retries # - iptables / ip6tables: init.sh 配 blocklist 需要(NET_ADMIN cap 在 docker run 处加) # - iproute2: ip 命令(调试 / 排查)
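Review bot: in the RUN.md @@ -293 hunk, the justification `apt 包用 GPG 签名校验,HTTPS 无额外安全收益` is stronger than the facts support for a runbook. Signature verification gives integrity and origin authenticity, but switching to `http://` exposes which packages the build fetches to anyone on the network path and removes the transport-level guard against an on-path party replaying an older, still validly signed index (apt bounds that with the Release file's Valid-Until). Suggest narrowing the sentence to `HTTPS 对包完整性无额外收益` and adding one clause that freshness then rests on Valid-Until, so the reader picks http as a deliberate trade rather than as a free win.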
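Review bot: the new troubleshooting row in the RUN.md @@ -453 hunk widens the diagnosis to `腾讯云 / 阿里 mirror`, while the commit message only reports the failure against the Tencent internal mirror (169.254.0.3); unless it was reproduced against mirrors.aliyun.com, name only the mirror where it was seen. The symptom cell also quotes an elided `OpenSSL error: ... unexpected eof while reading`; paste the exact line from the build log (the commit message has `error:0A000126`) so an operator can grep for it, and confirm from that log which component emitted it, since the row attributes the failure to apt while the quoted code is OpenSSL's. The fix cell's `无 HTTPS 安全收益` carries the same overstatement as the 镜像构建 section; `对完整性无额外收益` is the accurate form.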
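Review bot: in the Dockerfile @@ -23 hunk, the three keys written to `/etc/apt/apt.conf.d/80-zcbot-retries` land without a comment, while the surrounding file annotates every choice (`# - iptables / ip6tables: ...`). `Acquire::Retries "5"` and `Acquire::http::Pipeline-Depth "0"` clearly follow from the flaky-mirror story, but neither the diff nor the commit message says what `Acquire::http::No-Cache "true"` contributes; it makes apt send `Cache-Control: no-cache`, so any caching proxy between the builder and the mirror is bypassed on every build. Either document that rationale in a comment above the printf or drop the key. The same comment should state that the file remains in the image and therefore also governs apt-get runs inside the sandbox at runtime, which is likely intended but should be explicit. Placing the printf after `fi &&` correctly applies the settings even when APT_MIRROR is unset, matching the 兜底 intent.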