Unable to install - failed to create task for container
Not really a bug I think, but it's the only template that fits.
Existing Resources
- [x] Please search the existing issues for related problems
- [x] Consult the product documentation: Docs
- [x] Consult the FAQ: FAQ
- [x] Consult the Troubleshooting Guide: Guide
- [x] Reviewed existing training videos: YouTube
Describe the bug
Attempting to install KASM on Rocky Linux using one of the hardened security profiles (DISA)
To Reproduce
- Install Rocky Linux 9.2 using a security profile (in my case I'm trying the DISA STIG)
- Attempt to install KASM using the script from the docs
Expected behavior
The install to finish
Workspaces Version
1.14.0
Workspaces Installation Method
Single Server
Workspace Server Information (please provide the output of the following commands):
uname -a
Linux localhost.localdomain 5.14.0-284.30.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Sep 16 09:55:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
sudo docker info
Server:
Containers: 8
Running: 1
Paused: 0
Stopped: 7
Images: 8
Server Version: 24.0.6
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
runc version: v1.1.9-0-gccaecfc
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 5.14.0-284.30.1.el9_2.x86_64
Operating System: Rocky Linux 9.2 (Blue Onyx)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.888GiB
Name: localhost.localdomain
ID: e17ad641-21d8-499e-90f2-746b7d2df98e
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
sudo docker ps | grep kasm
15339cf18388 postgres:12-alpine "docker-entrypoint.s..." 4 hours ago Up 4 hours (healthy) 5432/tcp kasm_db
Additional context
SELinux is enabled, but even when disabling it I'm getting this problem. The last line in the install log is: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc creation failed: unable to start container process: can't copy bootstrap data to pipe: write init-p: broken pipe: unknown
As an update: it's something with SELinux. I just don't know what, as the audit log doesn't complain about anything being denied. Trying to install on Rocky Linux without a security profile enabled completes without error.
I had the same issue on Rocky 9.5. The root cause of the issue is that the DISA STIG applies file access rules with fapolicyd (unrelated to SELinux) which are preventing Docker and runc from loading the system libraries libseccomp and libc. The following solution worked for me:
- Create /etc/fapolicyd/rules.d/01-docker.rules with the following content:
allow perm=any auid=-1 : dir=/run/docker
allow perm=open auid=-1 : path=/usr/lib64/libseccomp.so.2.5.2
allow perm=open auid=-1 : path=/usr/lib64/libc.so.6
allow perm=open auid=-1 : path=/usr/lib64/libresolv.so.2
- Tell fapolicyd to refresh its rules:
sudo fapolicyd-cli --update
sudo systemctl restart fapolicyd
sudo systemctl restart docker containerd
I was then able to run the install script without any issues. The changes do persist after a reboot with no additional steps.
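As an added example (not part of the comment above and not Kasm project code), the following POSIX shell script turns fapolicyd deny records into allow rules of the same shape as the four rules above, so the workaround can be regenerated from what fapolicyd actually blocked instead of being hand-typed. It assumes the records have the format that `fapolicyd --debug-deny` prints to stderr (`rule=N dec=deny_audit perm=... auid=... pid=... exe=... : path=... ftype=... trust=0`); the sample records embedded in the script are constructed for illustration, not captured from the reporter's host. Two points worth knowing before applying such rules: `auid=-1` matches processes with no login uid, i.e. daemons started by systemd such as dockerd and containerd, so the rules do not open these paths to interactive users; and a rule pinned to a versioned path such as /usr/lib64/libseccomp.so.2.5.2 stops matching after a libseccomp update, so the rule file has to be regenerated when that package changes. Note also that a fapolicyd `deny` decision, unlike `deny_audit`, writes no audit record, which is why `--debug-deny` rather than the audit log is the reliable way to see what a STIG policy is blocking.

```shell
#!/bin/sh
# Added example: converts fapolicyd deny records into narrowly scoped allow
# rules. Not from the original issue or the Kasm project.
#
# Record format assumed (what `fapolicyd --debug-deny` prints to stderr):
#   rule=N dec=deny_audit perm=open auid=-1 pid=123 exe=/usr/bin/runc : path=/usr/lib64/libc.so.6 ftype=... trust=0
# On a real host you would capture such records with, for example:
#   sudo systemctl stop fapolicyd            # only one fapolicyd may run
#   sudo fapolicyd --debug-deny 2> /tmp/fapolicyd-deny.log &
#   (reproduce the failure, e.g. rerun the Kasm install, then stop the
#    debug instance and start the fapolicyd service again)

# One record -> one rule scoped to the same perm, auid and path.
# Records whose decision is not a deny produce no output.
deny_to_rule() {
    printf '%s\n' "$1" | awk '
        $0 !~ /dec=deny/ { next }
        {
            perm = ""; auid = ""; path = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                if (key == "perm") perm = val
                else if (key == "auid") auid = val
                else if (key == "path") path = val
            }
            if (perm != "" && auid != "" && path != "")
                printf "allow perm=%s auid=%s : path=%s\n", perm, auid, path
        }'
}

# Whole capture on stdin -> deduplicated rule-file body on stdout.
denies_to_rules() {
    while IFS= read -r line; do
        deny_to_rule "$line"
    done | sort -u
}

# Constructed sample capture (not real output from the reporter's host):
# two distinct denials for runc, one of them repeated, plus one allow
# decision that must be ignored.
SAMPLE_DENIES='rule=9 dec=deny_audit perm=open auid=-1 pid=4242 exe=/usr/bin/runc : path=/usr/lib64/libseccomp.so.2.5.2 ftype=application/x-sharedlib trust=0
rule=9 dec=deny_audit perm=open auid=-1 pid=4242 exe=/usr/bin/runc : path=/usr/lib64/libc.so.6 ftype=application/x-sharedlib trust=0
rule=9 dec=deny_audit perm=open auid=-1 pid=4242 exe=/usr/bin/runc : path=/usr/lib64/libseccomp.so.2.5.2 ftype=application/x-sharedlib trust=0
rule=2 dec=allow perm=execute auid=-1 pid=4242 exe=/usr/bin/dockerd : path=/usr/bin/runc ftype=application/x-executable trust=1'

# Print the generated rules. To apply them, redirect this output to
# /etc/fapolicyd/rules.d/01-docker.rules as root, then run
# `fapolicyd-cli --update` and restart fapolicyd, docker and containerd,
# exactly as in the comment above. Review the list first: every line is a
# permanent exception to the STIG policy.
printf '%s\n' "$SAMPLE_DENIES" | denies_to_rules
```

Run against the constructed sample, the script emits two rules (libc.so.6 and libseccomp.so.2.5.2), the repeated denial collapses to one line, and the allow record is dropped. Because the generated rules carry the same perm and auid as the denial, they stay as narrow as the hand-written ones in the comment rather than granting perm=any.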