  1. Cloud Infrastructure Security & Compliance
  2. CMP-3666

The workload fails to be created due to “unable to load local profile” when trying to do a ProfileRecording


    • Important

      Description of problem:

       

      When trying to do a profile recording, the workload fails to be created due to `Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json: no such file or directory`
      % oc get profilerecordings                                     
      NAME
      spo-recording
      % oc get daemonsets.apps 
      NAME              DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                     AGE
      hello-daemonset   3         3         0       3            0           node-role.kubernetes.io/worker=   5m18s
      % oc get pod
      NAME                    READY   STATUS                      RESTARTS   AGE
      hello-daemonset-2t6wt   0/2     Init:CreateContainerError   0          5m22s
      hello-daemonset-5mbrz   0/2     Init:CreateContainerError   0          5m22s
      hello-daemonset-w6lt2   0/2     Init:CreateContainerError   0          5m22s
      % oc get event | grep Failed
      23s         Warning   Failed             pod/hello-daemonset-2t6wt   Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json: no such file or directory
      16s         Warning   Failed             pod/hello-daemonset-5mbrz   Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json: no such file or directory
      19s         Warning   Failed             pod/hello-daemonset-w6lt2   Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json: no such file or directory
       
      Actually, the local file should be /var/lib/kubelet/seccomp/operator/log-enricher-trace.json
      % oc get sp log-enricher-trace  -o=jsonpath={.status.localhostProfile}
      operator/log-enricher-trace.json
      % oc debug node/ip-10-0-29-211.us-east-2.compute.internal -- chroot /host cat /var/lib/kubelet/seccomp/operator/log-enricher-trace.json
      …
      Starting pod/ip-10-0-29-211us-east-2computeinternal-debug-78qlc ...
      To use host binaries, run `chroot /host`. Instead, if you need to access host namespaces, run `nsenter -a -t 1`.
      {"defaultAction":"SCMP_ACT_LOG"}
      Removing debug pod ...    
      

      Version-Release number of selected component (if applicable):

      security-profiles-operator.v0.9.0    

      How reproducible:

      Always    

      Steps to Reproduce:

       

      1. Install SPO security-profiles-operator.v0.9.0 
      2. Set enableLogEnricher to true
      $ oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"enableLogEnricher":true}}'
      
      3. Create a ns and set the right labels
      $ oc new-project mytest
      $ oc label ns mytest spo.x-k8s.io/enable-recording="true"
      $ oc label ns mytest security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged  --overwrite=true
      
      4. Create a profilerecording in the namespace
      5. Create a workload to be recorded 
          

      Actual results:

       

      The workload is stuck in “Init:CreateContainerError” status due to “unable to load local profile /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json”.
      Actually, the local file should be /var/lib/kubelet/seccomp/operator/log-enricher-trace.json
      % oc get sp log-enricher-trace  -o=jsonpath={.status.localhostProfile}
      operator/log-enricher-trace.json
      % oc debug node/ip-10-0-29-211.us-east-2.compute.internal -- chroot /host cat /var/lib/kubelet/seccomp/operator/log-enricher-trace.json    
      

      Expected results:

      The profilerecording should succeed    
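
The path comparison done by hand in this report can be scripted for triage. The following is an added example, not part of the original report or of the operator's code. The function names and the abridged sample event lines are assumptions; the seccomp root is the one shown in the error messages above.

```shell
#!/bin/sh
# Added example: compare the profile paths quoted in "unable to load local
# profile" events with the path implied by the SeccompProfile status.
# Real use (commands as shown in the report):
#   oc get event | check_events "$(oc get sp log-enricher-trace -o=jsonpath={.status.localhostProfile})"

SECCOMP_ROOT="/var/lib/kubelet/seccomp"   # root seen in the report's errors

# expected_path LOCALHOST_PROFILE -> absolute on-node path of the profile
expected_path() {
  printf '%s/%s\n' "$SECCOMP_ROOT" "${1#/}"
}

# failed_paths: event text on stdin -> unique paths the runtime could not load
failed_paths() {
  sed -n 's/.*unable to load local profile "\([^"]*\)".*/\1/p' | sort -u
}

# check_events LOCALHOST_PROFILE: event text on stdin. Prints one MISMATCH
# line per requested path that differs from the expected one; returns 1 if any.
check_events() {
  want=$(expected_path "$1")
  paths=$(failed_paths)
  rc=0
  while IFS= read -r got; do
    [ -n "$got" ] || continue
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH requested=%s expected=%s\n' "$got" "$want"
      rc=1
    fi
  done <<EOF
$paths
EOF
  return $rc
}

# Sample input: two event lines abridged from the report (constructed sample).
SAMPLE_EVENTS='23s Warning Failed pod/hello-daemonset-2t6wt Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": no such file or directory
16s Warning Failed pod/hello-daemonset-5mbrz Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": no such file or directory'

# Demo run; "|| true" keeps the script's exit status clean when a mismatch is found.
printf '%s\n' "$SAMPLE_EVENTS" | check_events "operator/log-enricher-trace.json" || true
```

A MISMATCH line means the pod's seccomp profile reference points somewhere other than where the profile was written on the node, which is the condition this report describes.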

      Additional info:

          

              wenshen@redhat.com Vincent Shen
              xiyuan@redhat.com Xiaojie Yuan
              Xiaojie Yuan Xiaojie Yuan
              Maria Simon Marcos Maria Simon Marcos