Redeploying Docker-Based Enterprise Agents for runc Security Fixes

As noted in the ThousandEyes Changelog, some Linux Docker-based Enterprise Agents must be updated to apply a new seccomp security profile that addresses runc fixes.

If you encounter the following error when you upgrade runc or Docker, you must perform the steps outlined in this article.

    Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error closing exec fds: get handle to /proc/thread-self/fd: unsafe procfs detected: openat2 fsmount:fscontext:proc/thread-self/fd/: function not implemented: unknown

Redeployment Instructions

To avoid errors in your Docker-based Enterprise Agents, do the following for each agent.

  1. Delete any existing te-seccomp.json file.

    rm /var/docker/configs/te-seccomp.json

  2. Next, you'll extract the following values from the currently running Enterprise Agent container:

    • NAME

    • HOST_VOL_AGENT_DIR

    These are the values you entered when you originally deployed the agent in Network & App Synthetics > Agent Settings, in the Add New Enterprise Agent dialog.

    To extract these values, do the following:

    1. List the running containers.

      docker ps

    2. In the output, find and copy the container ID for the Enterprise Agent container.

    3. Get the NAME value for that container.

      In the following command, replace <container_id> with the value you retrieved in the previous step.

      NAME=$(docker inspect -f '{{ .Name | printf "%s" }}' <container_id> | sed 's|^/||')

    4. Verify that the above command captured the name correctly.

      echo "$NAME"

    5. Get the HOST_VOL_AGENT_DIR value for the container.

      In the following command, replace <container_id> with the value you retrieved in an earlier step.

      HOST_VOL_AGENT_DIR=$(docker inspect -f '{{ range .Mounts }}{{ if eq .Destination "/var/lib/te-browserbot" }}{{ .Source }}{{ end }}{{ end }}' <container_id> | awk -F'thousandeyes' '{sub(/\/$/, "", $1); print $1}')

    6. Verify that the above command captured the host volume agent directory correctly.

      echo "$HOST_VOL_AGENT_DIR"

  3. In the ThousandEyes platform UI, go to Network & App Synthetics > Agent Settings and select the Enterprise Agents tab.

  4. Click Add New Enterprise Agent and select the Docker tab.

  5. In the dialog that appears, enter the NAME value in the Name field and the HOST_VOL_AGENT_DIR value in the Host Vol. Agent Directory field.

    [Image: Redeploying your Docker-based Enterprise Agent]

  6. Copy the commands from the Add New Enterprise Agent dialog, and run them for the agent container.

    [Image: Redeployment commands]

  7. At the command line, verify the redeployment by checking the status of the Docker daemon.

    systemctl status docker
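
The value extraction from step 2 as a single script, added here as an example and not ThousandEyes code. It goes slightly beyond the one-liners above: it returns an error when the te-browserbot mount source has no thousandeyes path component, where the awk command would print the whole path unchanged. The function names and script layout are assumptions.

```shell
#!/bin/sh
# Added example, not ThousandEyes code. Helper names are hypothetical.

# True when the text on stdin contains the runc error quoted in this article.
has_runc_procfs_error() {
  grep -q 'unsafe procfs detected'
}

# docker inspect reports .Name with a leading "/"; strip it (the sed step).
agent_name() {
  printf '%s\n' "${1#/}"
}

# Derive HOST_VOL_AGENT_DIR from the host path mounted at
# /var/lib/te-browserbot: everything before the "/thousandeyes" component.
# Stricter than the awk one-liner, which prints the whole path unchanged
# when "thousandeyes" is missing; this returns 1 instead.
host_vol_agent_dir() {
  case "$1" in
    /*/thousandeyes/*) printf '%s\n' "${1%%/thousandeyes/*}" ;;
    *) echo "unexpected te-browserbot mount source: '$1'" >&2; return 1 ;;
  esac
}

# Steps 2.3 to 2.6 for one container; prints the values to re-enter in the UI.
collect_agent_values() {
  te_cid=$1
  te_raw_name=$(docker inspect -f '{{ .Name }}' "$te_cid") || return 1
  te_src=$(docker inspect -f '{{ range .Mounts }}{{ if eq .Destination "/var/lib/te-browserbot" }}{{ .Source }}{{ end }}{{ end }}' "$te_cid") || return 1
  NAME=$(agent_name "$te_raw_name")
  HOST_VOL_AGENT_DIR=$(host_vol_agent_dir "$te_src") || return 1
  [ -n "$NAME" ] || { echo "empty container name" >&2; return 1; }
  printf 'NAME=%s\nHOST_VOL_AGENT_DIR=%s\n' "$NAME" "$HOST_VOL_AGENT_DIR"
}

# Run only when a container ID is passed: sh collect.sh <container_id>
if [ -n "${1:-}" ]; then
  collect_agent_values "$1"
fi
```

Run it before replacing the container, and keep the printed values for the Add New Enterprise Agent dialog.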
