

Troubleshoot common issues with confidential containers

This article provides solutions to common issues with confidential containers on Azure Container Instances.

Common issues

When you deploy confidential containers, you might encounter the following issues and errors:

  • Policy failures:

    Deployment Failed.
    ErrorMessage=failed to create containerd task: failed to create shim task:
    uvm::Policy: failed to modify utility VM configuration: guest modify: guest RPC failure:
    error creating Rego policy: rego compilation failed: rego compilation failed: 4 errors occurred:
    
    Deployment Failed.
    ErrorMessage=failed to create containerd task: failed to create shim task:
    uvm::Policy: failed to modify utility VM configuration: guest modify:guest RPC failure:
    error creating Rego policy: rego compilation failed: rego compilation failed: 1 error occurred:
    policy.rego:48 rego_parse_error: non-terminated string;
    
    Container creation denied due to policy: create_container not allowed by policy. 
    Errors: [invalid command].
    
    Denied by policy: rule for mount_device is missing from policy: unknown.
    
    Failed to create containerd task: failed to create shim task: failed to mount container storage:
    failed to add LCOW layer: failed to add SCSI layer: failed to modify UVM with new SCSI mount:
    guest modify: guest RPC failure: mounting scsi device controller 3 lun 2 onto /run/mounts/m4
    denied by policy: mount_device not allowed by policy. Errors: [deviceHash not found].
    
    Container creation denied due to policy: create_container not allowed by policy. 
    
  • The policy enforces a newer framework than the runtime supports:

    Failed to create containerd task: failed to create shim task: failed to mount container storage:
    guest modify: guest RPC failure: overlay creation denied by policy: mount_overlay not allowed by policy.
    Errors: [framework_svn is ahead of the current svn: 1.1.0 > 0.1.0].
    
  • Invalid base64 confidential computing enforcement (CCE) policy:

    The CCE Policy is not valid Base64.
    
  • Limit: the 120 KB size limit on the CCE policy:

    Failed to create containerd task: failed to create shim task: error while creating the compute system:
    hcs::CreateComputeSystem <compute system id>@vm: The requested operation failed.: unknown.\r\n;
    The container group provisioning has failed. Refer to 'DeploymentFailedReason' event for more details.;
    
    Failed to create containerd task: failed to create shim task: task with id: '<task id>' cannot be created in pod: '<pod>'
    which is not running: failed precondition.\r\n;The container group provisioning has failed.
    Refer to 'DeploymentFailedReason' event for more details.
    
  • Device hash not found:

    Denied by policy: rule for mount_device is missing from policy: unknown.
    
    Failed to create containerd task: failed to create shim task: failed to mount container storage:
    failed to add LCOW layer: failed to add SCSI layer: failed to modify UVM with new SCSI mount:
    guest modify: guest RPC failure: mounting scsi device controller 3 lun 2 onto /run/mounts/m4
    denied by policy: mount_device not allowed by policy. Errors: [deviceHash not found]
    
  • Other issues:

    • Logs aren't displayed.
    • The exec feature doesn't work.
    • The subscription deployment times out after 30 minutes.
    • Liveness probes that the policy doesn't allow.
    • Exit code 139.

Cause

In most cases, these issues occur because of the CCE policy.

Resolution

  • If you encounter any policy failure, regenerate the CCE policy and retry the deployment.

  • If the CCE policy enforces a newer framework than the runtime supports (framework_svn is ahead of the current svn), revert to an older framework svn and regenerate the policy.

  • If a device hash can't be found, or there's an issue with the image, clear the cache and regenerate the CCE policy.

    To clear a cached image, run the docker rmi <image_name>:<tag> command. To clear all images from the cache, run the docker rmi $(docker images -a -q) command. To check for a missing hash, run the docker inspect <image_name>:<tag> command.
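The following script is an added example, not part of this article or of the Azure tooling. It performs the pre-flight checks that correspond to the failures listed above (a policy that isn't valid base64, a policy over the 120 KB limit, and a framework_svn ahead of the runtime's svn) against a base64-encoded CCE policy string before you deploy it, and wraps the clear-cache-and-regenerate step from the resolution. Assumptions: the 120 KB limit is applied here to the base64-encoded string; the Rego fragment is constructed to resemble a generated policy and is not a real policy; regeneration is done with az confcom acipolicygen and its -a (template file) flag; the runtime's current svn is passed in by the caller. The base64 decode uses the GNU coreutils -d flag.

```shell
#!/bin/sh
# Added example: pre-flight checks for a base64-encoded CCE policy.
# Not Azure's own tooling; see the assumptions in the lead-in.

CCE_POLICY_MAX_BYTES=122880   # 120 KB, applied to the base64 string (assumption)

# Return 0 if the argument decodes as base64, nonzero otherwise.
cce_is_base64() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Return 0 if the encoded policy is within the 120 KB limit.
cce_within_limit() {
    [ "${#1}" -le "$CCE_POLICY_MAX_BYTES" ]
}

# Print the framework_svn declared in the decoded Rego (empty if absent).
cce_framework_svn() {
    printf '%s' "$1" | base64 -d 2>/dev/null \
        | sed -n 's/^framework_svn *:= *"\([^"]*\)".*/\1/p' | head -n 1
}

# Compare dotted versions: prints -1, 0 or 1 for $1 <, =, > $2.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) { print -1; exit }
            if (x[i] + 0 > y[i] + 0) { print 1; exit }
        }
        print 0
    }'
}

# Run every check. Returns 0 if the policy looks deployable, otherwise a
# distinct nonzero code per failure with the reason on stderr:
#   1 = not valid base64, 2 = over 120 KB, 3 = no framework_svn, 4 = svn ahead
cce_preflight() {
    policy="$1"; runtime_svn="$2"
    if ! cce_is_base64 "$policy"; then
        echo "The CCE Policy is not valid Base64." >&2; return 1
    fi
    if ! cce_within_limit "$policy"; then
        echo "CCE policy is ${#policy} bytes, over the 120 KB limit" >&2; return 2
    fi
    svn=$(cce_framework_svn "$policy")
    if [ -z "$svn" ]; then
        echo "framework_svn not found in decoded policy" >&2; return 3
    fi
    if [ "$(vercmp "$svn" "$runtime_svn")" -gt 0 ]; then
        echo "framework_svn is ahead of the current svn: $svn > $runtime_svn" >&2; return 4
    fi
    return 0
}

# Resolution step from the article: drop the cached image so its layer hashes
# are recomputed, then regenerate the policy from the ARM template.
# (az confcom acipolicygen and its -a flag are assumptions; needs docker and az.)
cce_regenerate_policy() {
    image="$1"; template="$2"
    docker rmi "$image" >/dev/null 2>&1 || true   # ignore "no such image"
    az confcom acipolicygen -a "$template"
}

# Constructed sample: a minimal Rego fragment shaped like a generated policy.
SAMPLE_REGO='package policy

framework_svn := "1.1.0"

containers := []
'
SAMPLE_POLICY=$(printf '%s' "$SAMPLE_REGO" | base64 | tr -d '\n')

# Usage: a runtime at svn 0.1.0 rejects this policy; one at 1.1.0 accepts it.
if cce_preflight "$SAMPLE_POLICY" "0.1.0"; then
    echo "policy accepted"
else
    echo "policy rejected, code $?"
fi
```

Run the checks against the ccePolicy value you are about to put in the template; a nonzero code tells you which of the listed failures you would have hit, so you can regenerate or trim the policy before spending a deployment attempt on it.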

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to the Azure feedback community.