# Redeploying Docker-Based Enterprise Agents for runc Security Fixes

As noted [in the ThousandEyes Changelog](https://docs.thousandeyes.com/whats-new/changelog#id-2025-11-21), some Linux Docker-based Enterprise Agents must be updated to apply a new seccomp security profile that addresses runc fixes.

If you encounter the following error when you upgrade **runc** or **docker**, you must perform the steps outlined in this article.

```
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error closing exec fds: get handle to /proc/thread-self/fd: unsafe procfs detected: openat2 fsmount:fscontext:proc/thread-self/fd/: function not implemented: unknown
```

## Redeployment Instructions

To avoid errors in your Docker-based Enterprise Agents, do the following for each agent.

1. Delete any existing **te-seccomp.json** file.

   `rm /var/docker/configs/te-seccomp.json`
2. Next, you'll extract the following values from the currently running Enterprise Agent container:

   * **NAME**
   * **HOST\_VOL\_AGENT\_DIR**

   These are the values you entered when you originally deployed the agent in **Network & App Synthetics > Agent Settings**, in the **Add New Enterprise Agent** dialog.

   To extract these values, do the following:

   1. List the running containers.

      `docker ps`
   2. In the output, find and copy the **containerID** for the Enterprise Agent container.
   3. Get the **NAME** value for that container.

      In the following command, replace **\<container\_id>** with the value you retrieved in the previous step.

      `NAME=$(docker inspect -f '{{ .Name | printf "%s" }}' <container_id> | sed 's|^/||')`
   4. Verify that the above command captured the name correctly.

      `echo $NAME`
   5. Get the **HOST\_VOL\_AGENT\_DIR** value for the container.

      In the following command, replace **\<container\_id>** with the value you retrieved in an earlier step.

      `HOST_VOL_AGENT_DIR=$(docker inspect -f '{{ range .Mounts }}{{ if eq .Destination "/var/lib/te-browserbot" }}{{ .Source }}{{ end }}{{ end }}' <container_id> | awk -F'thousandeyes' '{sub(/\/$/, "", $1); print $1}')`
   6. Verify that the above command captured the host volume agent directory correctly.

      `echo $HOST_VOL_AGENT_DIR`
3. In the ThousandEyes platform UI, go to **Network & App Synthetics > Agent Settings** and select the **Enterprise Agents** tab.
4. Click **Add New Enterprise Agent** and select the **Docker** tab.
5. In the dialog that appears, enter the **NAME** value in the **Name** field and the **HOST\_VOL\_AGENT\_DIR** value in the **Host Vol. Agent Directory** field.

   ![Redeploying your Docker-based Enterprise Agent](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-224de033abc6b5b380d8963529f13c3618e7b341%2Frunc-update-1.png?alt=media)
6. Copy the commands from the **Add New Enterprise Agent** dialog, and run them for the agent container.

   ![Redeployment commands](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-38f09cf55f04648dbc06951c1956c92fb3adfbe7%2Frunc-update-2.png?alt=media)
7. At the command line, verify that the Enterprise Agent's container is running.

   `docker ps`