Solución de problemas comunes con contenedores confidenciales
En este artículo se proporcionan soluciones a problemas comunes con contenedores confidenciales en Azure Container Instances.
Problemas comunes
Es posible que experimente los siguientes problemas y errores al implementar contenedores confidenciales:
Errores de directiva:
Deployment Failed. ErrorMessage=failed to create containerd task: failed to create shim task: uvm::Policy: failed to modify utility VM configuration: guest modify: guest RPC failure: error creating Rego policy: rego compilation failed: rego compilation failed: 4 errors occurred:
Deployment Failed. ErrorMessage=failed to create containerd task: failed to create shim task: uvm::Policy: failed to modify utility VM configuration: guest modify:guest RPC failure: error creating Rego policy: rego compilation failed: rego compilation failed: 1 error occurred: policy.rego:48 rego_parse_error: non-terminated string;
Container creation denied due to policy: create_container not allowed by policy. Errors: [invalid command].
Denied by policy: rule for mount_device is missing from policy: unknown.
Failed to create containerd task: failed to create shim task: failed to mount container storage: failed to add LCOW layer: failed to add SCSI layer: failed to modify UVM with new SCSI mount: guest modify: guest RPC failure: mounting scsi device controller 3 lun 2 onto /run/mounts/m4 denied by policy: mount_device not allowed by policy. Errors: [deviceHash not found].
Container creation denied due to policy: create_container not allowed by policy.
Una directiva aplica un nuevo marco:
Failed to create containerd task: failed to create shim task: failed to mount container storage: guest modify: guest RPC failure: overlay creation denied by policy: mount_overlay not allowed by policy. Errors: [framework_svn is ahead of the current svn: 1.1.0 > 0.1.0].
Directiva de cumplimiento de computación confidencial (CCE) base64 no válida:
The CCE Policy is not valid Base64.
Limitación: límite de 120 kilobytes (KB) en la directiva de CCE:
Failed to create containerd task: failed to create shim task: error while creating the compute system: hcs::CreateComputeSystem <compute system id>@vm: The requested operation failed.: unknown.\r\n; The container group provisioning has failed. Refer to 'DeploymentFailedReason' event for more details.;
Failed to create containerd task: failed to create shim task: task with id: '<task id>' cannot be created in pod: '<pod>' which is not running: failed precondition.\r\n;The container group provisioning has failed. Refer to 'DeploymentFailedReason' event for more details.
No se encuentra el hash del dispositivo:
Denied by policy: rule for mount_device is missing from policy: unknown.
Failed to create containerd task: failed to create shim task: failed to mount container storage: failed to add LCOW layer: failed to add SCSI layer: failed to modify UVM with new SCSI mount: guest modify: guest RPC failure: mounting scsi device controller 3 lun 2 onto /run/mounts/m4 denied by policy: mount_device not allowed by policy. Errors: [deviceHash not found]
Otros problemas:
- Los registros no aparecen.
- La funcionalidad exec no funciona.
- La implementación de la suscripción agota el tiempo de espera después de 30 minutos.
- Sondeo de ejecución con directiva no permitida.
- Código de salida 139.
Causa
En la mayoría de los casos, estos problemas se producen debido a la directiva de CCE.
Solución
Si experimenta errores de directiva, vuelva a generar la directiva de CCE y vuelva a intentar la implementación.
Si la directiva de CCE aplica un marco, revierta a un marco anterior svn.
Si no se encuentra el hash del dispositivo o hay un problema con una imagen, borre la memoria caché y vuelva a generar la directiva de CCE.
Para limpiar la memoria caché, ejecute el
docker rmi <image_name>:<tag>
comando . Para limpiar todas las imágenes de la memoria caché, ejecute eldocker rmi $(docker images -a -q)
comando . Para inspeccionar el hash que falta, ejecute eldocker inspect <image_name>:<tag>
comando .
Ponte en contacto con nosotros para obtener ayuda
Si tiene preguntas o necesita ayuda, cree una solicitud de soporte o busque consejo en la comunidad de Azure. También puede enviar comentarios sobre el producto con los comentarios de la comunidad de Azure.