BrutalDev

Reputation: 6301

Error: failed to create containerd container: cannot load seccomp profile, no such file or directory

Trying to set a custom seccomp profile when using kubectl apply, and despite the file being there in the container, the pod will not start with the following error:

Error: failed to create containerd container: cannot load seccomp profile "/var/lib/kubelet/seccomp/custom_profile.json": open /var/lib/kubelet/seccomp/custom_profile.json: no such file or directory

K8 deployment YAML

...
containers:
  - name: container-name
    image: container-image:version
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: custom_profile.json
...

The file is copied when the container is created, and going into the shell of the pod I can see that it does exist there (when not trying to load it and the pod starts).

Dockerfile

...
COPY custom_profile.json /var/lib/kubelet/seccomp/custom_profile.json
...

I have also tried changing the owner (chown) and running with root privileges but as long as the localhostProfile: custom_profile.json line is in the YAML then the same error appears again.

What am I missing that is preventing the file from being found? Something missing in the YAML, something missing in the container/dockerfile?

The following article is what got me this far but still not able to set the profile: https://docs.openshift.com/container-platform/4.8/security/seccomp-profiles.html

Upvotes: 2

Views: 3547

Answers (1)

P....

Reputation: 18411

If a type: Localhost seccomp profile is used, then the seccomp profile must be present on the node on which the pod is getting scheduled. Also, the path is relative to the path /var/lib/kubelet/seccomp. Here /var/lib/kubelet/ is the default path for kubelet config.

Here is the related snippet from official documentation:

localhost/<path> - Specify a profile as a file on the node located at <seccomp_root>/<path>, where <seccomp_root> is defined via the --seccomp-profile-root flag on the Kubelet. If the --seccomp-profile-root flag is not defined, the default path will be used, which is <root-dir>/seccomp where <root-dir> is specified by the --root-dir flag.

Example-1: For the following to work, a custom_profile.json file must be present at the /var/lib/kubelet/seccomp path on the node.

securityContext:
  seccompProfile:
    type: Localhost
    localhostProfile: custom_profile.json

Example-2: For the following to work, a custom_profile.json file must be present at the /var/lib/kubelet/seccomp/profiles path on the node.

securityContext:
  seccompProfile:
    type: Localhost
    localhostProfile: profiles/custom_profile.json

Here is a minimal working example:

Seccomp profiles are copied onto the worker node.

ps@worker-node:~$ sudo ls -lrt /var/lib/kubelet/seccomp/profiles
[sudo] password for ps:
total 12
-rw-r--r-- 1 root root   39 Sep 10 13:54 audit.json
-rw-r--r-- 1 root root   41 Sep 10 13:54 violation.json
-rw-r--r-- 1 root root 1657 Sep 10 13:54 fine-grained.json
ps@worker-node:~$

Create the pod with the following path, notice the path is relative to /var/lib/kubelet/seccomp.

apiVersion: v1
kind: Pod
metadata:
  name: audit-pod
  labels:
    app: audit-pod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/audit.json
  containers:
  - name: test-container
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false

Upvotes: 3
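The answer's point, as an added worked example (not code from the question or the answer): the kubelet resolves localhostProfile against the seccomp root on the node's filesystem, so a file baked into the image with COPY is never consulted. The script below installs the tutorial-style audit.json profile under the seccomp root, resolves a localhostProfile value the way the kubelet does (emitting an error in the same shape as the question's when the file is missing on the node), and prints the matching pod manifest. It assumes the default kubelet --root-dir, so the seccomp root is /var/lib/kubelet/seccomp; SECCOMP_ROOT and SECCOMP_DEMO_ROOT are names introduced here so the check can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: kubelet runs with the
# default --root-dir (/var/lib/kubelet), so the seccomp root is
# /var/lib/kubelet/seccomp. SECCOMP_ROOT is an env var introduced here so the
# same functions can be exercised against a scratch directory.

SECCOMP_ROOT="${SECCOMP_ROOT:-/var/lib/kubelet/seccomp}"

# Write a minimal audit profile: every syscall is allowed and logged.
# Same content as the audit.json used in the Kubernetes seccomp tutorial.
write_audit_profile() {
    # $1 = absolute path of the profile to create (parent dirs are created)
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
{
    "defaultAction": "SCMP_ACT_LOG"
}
EOF
}

# Resolve a localhostProfile value the way the kubelet does: relative to the
# seccomp root on the NODE, not inside the container. Prints the absolute path
# on success; on a missing file prints an error shaped like the one in the
# question and returns 1.
resolve_localhost_profile() {
    # $1 = seccomp root on the node, $2 = localhostProfile value from the pod spec
    abs="$1/$2"
    if [ ! -f "$abs" ]; then
        echo "cannot load seccomp profile \"$abs\": open $abs: no such file or directory" >&2
        return 1
    fi
    echo "$abs"
}

# Emit a pod manifest whose localhostProfile is relative to the seccomp root.
pod_manifest() {
    # $1 = pod name, $2 = localhostProfile (relative to seccomp root), $3 = image
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: $2
  containers:
  - name: $1
    image: $3
    securityContext:
      allowPrivilegeEscalation: false
EOF
}

# Demo: install the profile under the given root, show the successful and the
# failing resolution, then print the manifest that references the profile.
demo() {
    root="$1"
    write_audit_profile "$root/profiles/audit.json"

    # Works: the file exists on the node under the seccomp root.
    resolve_localhost_profile "$root" "profiles/audit.json"

    # Fails: a file copied into the image (the question's Dockerfile COPY) is
    # never present on the node, so the kubelet cannot find it.
    resolve_localhost_profile "$root" "custom_profile.json" || true

    pod_manifest audit-pod profiles/audit.json nginx
}

# Run against SECCOMP_DEMO_ROOT if set (e.g. /var/lib/kubelet/seccomp as root
# on a worker node), otherwise against a throwaway directory.
demo "${SECCOMP_DEMO_ROOT:-$(mktemp -d)}"
```

Run it as root on the worker node with SECCOMP_DEMO_ROOT=/var/lib/kubelet/seccomp to install the profile for real, then apply the printed manifest; the pod will only start on nodes where the file exists, so the profile must be distributed to every node the pod can be scheduled on (a DaemonSet or a node-provisioning step, not the application image).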
