RKE errors connecting to the Docker socket whilst updating clusters with the Aqua Enforcer deployed

This document (000020210) is provided subject to the disclaimer at the end of this document.

Situation

Issue

When running rke up via the RKE CLI, or when modifying Rancher-provisioned Kubernetes clusters, the process fails while attempting to create a Kubernetes component container, with an error of the following format:

2019-04-30T15:19:17.9826528Z time="2019-04-30T15:19:17Z" level=fatal msg="[etcd] Failed to bring up Etcd Plane: Failed to create [etcd] container on host [rancher.example.com]: Failed to create [etcd] container on host [rancher.example.com]: error during connect: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create?name=etcd: EOF

Pre-requisites

  • A Kubernetes cluster provisioned via the RKE CLI or Rancher
  • The Aqua Enforcer workload deployed in the cluster, with AQUA_RUNC_INTERCEPTION environment variable set to 0

Root cause

The issue is caused by the Aqua Enforcer's use of the Docker socket to perform runtime enforcement operations, which prevents RKE from successfully connecting to the Docker socket on some requests.

Resolution

To resolve this issue, set the AQUA_RUNC_INTERCEPTION environment variable on the Aqua Enforcer daemonset to 1. With this setting, the Aqua Enforcer interacts directly with runC to perform runtime enforcement operations, and not with the Docker daemon via the Docker socket. This is the default behaviour in new versions of the Aqua Enforcer, as it brings stability and performance benefits. More information on this setting can be found at https://docs.aquasec.com/docs/40-ga#section-new-aqua-enforcer-architecture-for-enhanced-stability-and-performance
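
One way to check and apply this setting with kubectl, as an added example that is not part of the original article. The namespace and daemonset name are placeholders (assumptions); substitute the names used in your cluster.

```shell
#!/bin/sh
# Added example, not SUSE or Aqua code. NS and DS are placeholders (assumed names).
NS="${NS:-aqua}"            # assumed namespace of the Aqua Enforcer
DS="${DS:-aqua-enforcer}"   # assumed daemonset name

# Classify the enforcer mode from `kubectl set env --list` output on stdin.
# Comment lines ("# DaemonSet ..., container ...") never match and are ignored.
# Prints one of: runc | docker-socket | unset | unknown
interception_mode() {
  awk -F= '
    $1 == "AQUA_RUNC_INTERCEPTION" { v = $2; found = 1 }
    END {
      if (!found)        print "unset"
      else if (v == "1") print "runc"
      else if (v == "0") print "docker-socket"
      else               print "unknown"
    }'
}

# Report the current mode and switch to runC interception when it is set to 0.
fix_interception() {
  out=$(kubectl -n "$NS" set env "daemonset/$DS" --list) || return 1
  mode=$(printf '%s\n' "$out" | interception_mode)
  echo "AQUA_RUNC_INTERCEPTION mode on $NS/$DS: $mode"
  if [ "$mode" = "docker-socket" ]; then
    kubectl -n "$NS" set env "daemonset/$DS" AQUA_RUNC_INTERCEPTION=1
    # Wait for the enforcer pods to restart (assumes a RollingUpdate strategy).
    kubectl -n "$NS" rollout status "daemonset/$DS" --timeout=300s
  fi
}

# Only touch the cluster when invoked as: ./script.sh apply
if [ "${1:-}" = "apply" ]; then
  fix_interception
fi
```

Once the enforcer pods have restarted with the new value, re-run rke up or the Rancher cluster update.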

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020210
  • Creation Date: 06-May-2021
  • Modified Date: 06-May-2021
    • SUSE Rancher
