Troubleshoot common issues with confidential containers

This article provides solutions to common issues with confidential containers on Azure Container Instances.

Common issues

You might encounter the following issues and errors when you deploy confidential containers:

  • Policy failures:

    Deployment Failed.
    ErrorMessage=failed to create containerd task: failed to create shim task:
    uvm::Policy: failed to modify utility VM configuration: guest modify: guest RPC failure:
    error creating Rego policy: rego compilation failed: rego compilation failed: 4 errors occurred:
    
    Deployment Failed.
    ErrorMessage=failed to create containerd task: failed to create shim task:
    uvm::Policy: failed to modify utility VM configuration: guest modify:guest RPC failure:
    error creating Rego policy: rego compilation failed: rego compilation failed: 1 error occurred:
    policy.rego:48 rego_parse_error: non-terminated string;
    
    Container creation denied due to policy: create_container not allowed by policy. 
    Errors: [invalid command].
    
    Denied by policy: rule for mount_device is missing from policy: unknown.
    
    Failed to create containerd task: failed to create shim task: failed to mount container storage:
    failed to add LCOW layer: failed to add SCSI layer: failed to modify UVM with new SCSI mount:
    guest modify: guest RPC failure: mounting scsi device controller 3 lun 2 onto /run/mounts/m4
    denied by policy: mount_device not allowed by policy. Errors: [deviceHash not found].
    
    Container creation denied due to policy: create_container not allowed by policy. 
    
  • Policy generated for a newer policy-enforcement framework than the runtime supports:

    Failed to create containerd task: failed to create shim task: failed to mount container storage:
    guest modify: guest RPC failure: overlay creation denied by policy: mount_overlay not allowed by policy.
    Errors: [framework_svn is ahead of the current svn: 1.1.0 > 0.1.0].
    
  • Invalid base64 confidential computing enforcement (CCE) policy:

    The CCE Policy is not valid Base64.
    
  • Limits: the CCE policy exceeds the 120 kilobyte (KB) size limit:

    Failed to create containerd task: failed to create shim task: error while creating the compute system:
    hcs::CreateComputeSystem <compute system id>@vm: The requested operation failed.: unknown.\r\n;
    The container group provisioning has failed. Refer to 'DeploymentFailedReason' event for more details.;
    
    Failed to create containerd task: failed to create shim task: task with id: '<task id>' cannot be created in pod: '<pod>'
    which is not running: failed precondition.\r\n;The container group provisioning has failed.
    Refer to 'DeploymentFailedReason' event for more details.
    
  • Device hash not found:

    Denied by policy: rule for mount_device is missing from policy: unknown.
    
    Failed to create containerd task: failed to create shim task: failed to mount container storage:
    failed to add LCOW layer: failed to add SCSI layer: failed to modify UVM with new SCSI mount:
    guest modify: guest RPC failure: mounting scsi device controller 3 lun 2 onto /run/mounts/m4
    denied by policy: mount_device not allowed by policy. Errors: [deviceHash not found]
    
  • Other issues:

    • Logs don't appear.
    • The exec feature doesn't work.
    • The subscription deployment times out after 30 minutes.
    • A liveness probe that the policy doesn't allow.
    • Exit code 139.

Cause

In most cases, these issues are caused by the CCE policy: it no longer matches the images and configuration being deployed (for example, a missing device hash or a command the policy doesn't allow), it doesn't parse, or it was generated for a policy framework version the runtime doesn't support.

Resolution

  • If you encounter any policy failure, regenerate the CCE policy and retry the deployment. Don't hand-edit the base64 policy string; an edited string is what typically produces the "not valid Base64" and rego_parse_error failures listed above.

  • If the deployment fails with a framework_svn error (the policy was generated for a newer policy-enforcement framework than the runtime's current svn, for example 1.1.0 > 0.1.0), regenerate the CCE policy targeting an older framework svn.

  • If a device hash can't be found or there's a problem with an image, clear the local image cache and regenerate the CCE policy, so that the policy is generated from the same image layers that will be deployed.

    To clear the cache for one image, run docker rmi <image_name>:<tag>. To remove every image from the cache, run docker rmi $(docker images -a -q) (note that this deletes all local images, not just the one that failed). To check for the missing hash, run docker inspect <image_name>:<tag>.
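The checks a practitioner would run before retrying a deployment, as an added shell example that is not part of this article or of the Azure tooling: it validates that the policy string is base64, that the decoded policy is under the 120 KB limit and that its declared framework_svn is not ahead of the runtime's, then wraps the cache-clearing and regeneration steps above. The helper names, the assumed runtime svn of 0.1.0 (taken from the error text above), the `framework_svn := "..."` line format in the decoded Rego and the `az confcom acipolicygen -a <template>` invocation are assumptions; the sample policies are constructed, not real generated policies.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs): pre-flight checks on a base64 CCE
# policy before deploying, plus a helper that clears the local image cache and
# regenerates the policy. Assumptions: the policy is the base64 string placed in
# the ARM template's ccePolicy property, the decoded Rego declares its framework
# version as `framework_svn := "x.y.z"` (the name the error on this page uses),
# and `az confcom acipolicygen` is available (Azure CLI confcom extension).
set -u

CCE_POLICY_MAX_BYTES=$((120 * 1024))   # the 120 KB limit described on this page
RUNTIME_FRAMEWORK_SVN="0.1.0"          # assumed: the svn the runtime reported in the error

# Exit 0 when $1 decodes as base64, non-zero otherwise ("not valid Base64").
cce_policy_is_base64() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Print the size in bytes of the decoded policy $1.
cce_policy_decoded_size() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Exit 0 when the decoded policy $1 is within CCE_POLICY_MAX_BYTES.
cce_policy_within_limit() {
    [ "$(cce_policy_decoded_size "$1")" -le "$CCE_POLICY_MAX_BYTES" ]
}

# Print the framework_svn declared in the decoded policy $1 (empty if absent).
cce_policy_framework_svn() {
    printf '%s' "$1" | base64 -d 2>/dev/null \
        | sed -n 's/^framework_svn *:= *"\([^"]*\)".*/\1/p' | head -n 1
}

# Exit 0 when dotted version $1 is strictly greater than $2 (1.1.0 > 0.1.0).
version_gt() {
    local a="$1" b="$2" i x y
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 1
}

# Run the static checks on policy $1; print a finding and exit non-zero on the first problem.
cce_policy_preflight() {
    local policy="$1" svn
    if ! cce_policy_is_base64 "$policy"; then
        echo "FAIL: CCE policy is not valid base64; regenerate it instead of hand-editing"; return 1
    fi
    if ! cce_policy_within_limit "$policy"; then
        echo "FAIL: decoded policy is $(cce_policy_decoded_size "$policy") bytes, over $CCE_POLICY_MAX_BYTES"; return 2
    fi
    svn=$(cce_policy_framework_svn "$policy")
    if [ -n "$svn" ] && version_gt "$svn" "$RUNTIME_FRAMEWORK_SVN"; then
        echo "FAIL: framework_svn $svn is ahead of runtime svn $RUNTIME_FRAMEWORK_SVN; regenerate with the older svn"; return 3
    fi
    echo "OK: base64 decodes, $(cce_policy_decoded_size "$policy") bytes, framework_svn ${svn:-unknown}"
}

# Clear the local cache for one image and regenerate the policy from the ARM
# template, as the Resolution section describes. Needs docker and the az CLI;
# acipolicygen is assumed to write the new ccePolicy back into the template.
regenerate_cce_policy() {
    local image="$1" template="$2"
    docker rmi "$image" 2>/dev/null || true          # drop the possibly stale cached image
    docker pull "$image"
    docker inspect "$image" --format '{{.Id}} {{.RepoDigests}}'
    az confcom acipolicygen -a "$template"
}

# Constructed sample policies (minimal Rego bodies, not real generated policies).
SAMPLE_POLICY=$(printf 'package policy\n\nframework_svn := "0.1.0"\n' | base64 | tr -d '\n')
NEW_FRAMEWORK_POLICY=$(printf 'package policy\n\nframework_svn := "1.1.0"\n' | base64 | tr -d '\n')

# Usage: cce_policy_preflight "$SAMPLE_POLICY" && regenerate_cce_policy myregistry.azurecr.io/app:1.0 template.json
```

Run the preflight against the ccePolicy value copied from your template before you retry the deployment; a failing check tells you which of the three causes above to fix, and only then is it worth spending the deployment round-trip.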

Contact us for help

If you have questions or need help, create a support request or ask Azure community support. You can also submit product feedback to the Azure feedback community.