Failed to Install an Agent in a CCE Cluster
You can install the agent and enable protection for a cluster on the HSS or CCE console. This section describes how to handle the agent installation failure.
Symptoms
- Log in to the HSS console. In the navigation pane on the left, choose . On the Clusters tab, when you install the container security agent for a cluster, the cluster is in the abnormal access or abnormal running state.
- On the CCE console, when you enable the security service, protection exception or partial protection is displayed.
Possible Cause 1: The hostguard DaemonSet Is Not Ready
In the navigation pane on the left, choose Workloads > DaemonSets. Select the hss namespace. The hostguard DaemonSet is in the Not Ready state. Click Recovery Suggestion to view the detailed suggestions.
The following provides a solution to a typical issue:
Possible cause: The cluster is configured with a special PSP policy, which prevents privileged containers from being started. For example, when a CCE cluster is being created, psp-global and psp-system are configured by default.
Solution: Check whether the cluster is configured with a special PSP policy, which prevents privileged containers from being started. Allow the hostguard to be started with the privileged permission.
Possible Cause 2: The hostguard DaemonSet Is Running Properly, but HSS Cannot Obtain the Agent Status
In the navigation pane on the left, choose Workloads > DaemonSets. Select the hss namespace. The hostguard DaemonSet is in the Running state. However, on the HSS console or the container management page, the agent status of the cluster node is displayed as not installed.
1. Check the hostguard processes and connections.
   a. Check whether the hostguard process is started.
      ps -ef | grep hostguard
      If hostguard and hostwatch are displayed in the command output, the process is started. If no process is displayed, go to 2.
   b. Check whether the cluster is connected to hostguard.
      ss -antp | grep hostguard
      If hostguard is displayed in the command output, the connection is established. If no related command output is displayed, go to 2.
   c. Check whether the default protection policy is delivered.
      ll /usr/local/hostguard/policy
      If policies such as assetmanage_collect.policy are displayed in the command output, the policy has been delivered. If no related policy is displayed, go to 2.
2. Log in to any node and run the following command to view the hostguard.log file:
   /var/log/hostguard/hostguard.log
   - If the error shown in Figure 1 is displayed, the metadata cannot be accessed.
     Rectify the fault by referring to Why Can't My Linux ECS Obtain Metadata?
   - If the error shown in Figure 2 is displayed, the domain name cannot be resolved.
     Configure Huawei intranet DNS address by referring to Modifying DNS.
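The three checks from step 1 can be combined into one script. This is an added example, not part of the original HSS documentation. Its process check ignores the grep process itself, which ps -ef | grep hostguard always lists. The sample line and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: the three step-1 checks in one pass (run as root on the node).
POLICY_DIR="${POLICY_DIR:-/usr/local/hostguard/policy}"   # path from the page

# stdin: `ps -ef` output. Succeeds only if hostguard AND hostwatch are running.
# Compares the command's basename (column 8), so the `grep hostguard` process
# that a plain `ps -ef | grep hostguard` always lists is not counted.
procs_running() {
    awk '{ n = split($8, p, "/"); seen[p[n]] = 1 }
         END { exit !(("hostguard" in seen) && ("hostwatch" in seen)) }'
}

# stdin: `ss -antp` output. Succeeds if hostguard owns a socket in ESTAB state
# (stricter than the page's grep, which also matches listening sockets).
conn_established() {
    grep '^ESTAB' | grep -q '"hostguard"'
}

# $1: policy directory. Succeeds if at least one *.policy file is present.
policy_delivered() {
    ls "${1:-$POLICY_DIR}"/*.policy >/dev/null 2>&1
}

# Constructed sample of `ps -ef` output in which only the grep itself matches;
# it is illustrative and not taken from the page.
SAMPLE_PS_GREP_ONLY='root 3990 3120 0 10:02 pts/0 00:00:00 grep hostguard'

triage() {
    _rc=0
    ps -ef | procs_running ||
        { echo "FAIL: hostguard/hostwatch process not found"; _rc=1; }
    ss -antp 2>/dev/null | conn_established ||
        { echo "FAIL: no established hostguard connection"; _rc=1; }
    policy_delivered ||
        { echo "FAIL: no policy files in $POLICY_DIR"; _rc=1; }
    if [ "$_rc" -eq 0 ]; then
        echo "OK: process, connection and policy checks passed"
    else
        echo "Go to step 2: /var/log/hostguard/hostguard.log"
    fi
    return "$_rc"
}

# Live checks run only on request: sh hostguard_triage.sh --run
case "${1:-}" in --run) triage ;; esac
```

A non-zero exit status means at least one check failed and the hostguard.log inspection in step 2 is the next action.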