
Steps for troubleshooting the error "failed to create containerd task, failed to create shim task OCI runtime create failed, unable to start container process"

This document (000021691) is provided subject to the disclaimer at the end of this document.

Environment

Rancher

RKE2

Situation

If you encounter these errors while creating an RKE2 custom cluster, adding new nodes to an existing cluster, or running a pod on the new nodes, work through the checklist below.

From containerd logs

failed, error" error="failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: can't copy bootstrap data to pipe: write init-p: broken

From Rancher pod logs

{"Code":"Forbidden","Status":403},"Message":"clusters.management.cattle.io \"c-m-f5lgdss6\" is forbidden: User \"u-z72j43l5aq\" cannot get resource \"clusters\" in API group \"management.cattle.io\" at the cluster scope","Cause":null,"FieldName":""} (get nodes)

Resolution

Troubleshooting Steps:

  1. Verify whether SELinux is enabled on the nodes (getenforce). If it is, RKE2 must be configured for SELinux as the documentation describes, including installation of the rke2-selinux package. With SELinux in enforcing mode and no policy installed, runc is denied access to files it needs to start the container. Reference: https://docs.rke2.io/install/methods#rpm https://ranchermanager.docs.rancher.com/reference-guides/rancher-security/selinux-rpm/about-rke2-selinux
  2. Verify whether firewalld or another host firewall is enabled or present in the environment. If a firewall is configured, make sure the rules required by RKE2 are applied.
  3. Verify whether NetworkManager is enabled on the operating system. If so, make sure it is configured as described in the RKE2 known issues. Reference: https://docs.rke2.io/known_issues
  4. Check whether proxy settings have been added to the environment. If so, make sure the correct proxy and NO_PROXY values are set.
  5. Check whether antivirus software is installed or running on the nodes; it is advisable to disable it while the cluster is being created. Antivirus software can leave the container user without the permissions needed to access the files or directories runc requires. Reference: https://www.suse.com/support/kb/doc/?id=000020477
  6. Check whether other security-related software is running that may block container creation at runtime.
  7. Verify whether Kubernetes Pod Security Admission (PSA) is enabled. If so, make sure the correct policies are set.
  8. Review the registry settings and make sure the nodes can reach the registry. If registry mirrors are enabled, make sure the correct endpoints are set. The same error can occur when the container user lacks the necessary permissions on files or directories within the container image.
  9. Verify whether CIS profiles are enabled. If so, make sure the correct security contexts are set. Reference: https://docs.rke2.io/security/hardening_guide
  10. Review the host's resource limits. If a container attempts to use more memory or CPU than the host can provide, it fails to start.
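The checklist above as a node-side script, added here as an example; it is not SUSE or Rancher tooling. It covers steps 1, 3, 4, 8 and 10: the helper functions take their input as arguments or on stdin so they can be exercised without a cluster, and running the script with --run executes the live checks on a node. The file paths (/etc/rancher/rke2/config.yaml, /etc/NetworkManager/conf.d/rke2-canal.conf, /etc/default/rke2-server, /etc/sysconfig/rke2-server), the required NO_PROXY entries and the NODE_CIDR variable are assumptions drawn from the RKE2 documentation the article links, not from the article itself, and the audit lines in SAMPLE_AUDIT are constructed.

```sh
#!/bin/sh
# rke2-node-precheck.sh: walk the checklist above on an RKE2 node.
# Added example, not SUSE/Rancher tooling. Helper functions take input as
# arguments or stdin so they run offline; "--run" executes the live checks.
# Assumptions (not from the article): paths follow the RKE2 docs it links,
# and NODE_CIDR is an environment variable naming your node network.

# Step 1: classify SELinux state. $1 = getenforce output, $2 = yes/no for the
# rke2-selinux package, $3 = true/false for "selinux: true" in config.yaml.
selinux_verdict() {
    case "$1" in
        Disabled) echo "ok: SELinux disabled" ;;
        Enforcing|Permissive)
            if [ "$2" != yes ]; then
                echo "problem: SELinux $1 but the rke2-selinux package is not installed"
            elif [ "$3" != true ]; then
                echo "problem: SELinux $1 but selinux: true is not set in config.yaml"
            else
                echo "ok: SELinux $1 with rke2-selinux installed and selinux: true"
            fi ;;
        *) echo "unknown: getenforce returned '$1'" ;;
    esac
}

# Step 1 (check): count AVC denials on stdin whose comm is a runc process.
# Denials here while Enforcing match the "runc init" failure quoted above.
count_runc_avc() {
    grep 'avc:  denied' | grep -c 'comm="runc' || true
}

# Constructed sample audit lines (not from a real node) for exercising count_runc_avc.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:301): avc:  denied  { write } for  pid=4242 comm="runc:[2:INIT]" name="init-p"
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read } for  pid=4243 comm="runc:[1:CHILD]" name="bundle"
type=AVC msg=audit(1700000000.103:303): avc:  denied  { read } for  pid=99 comm="sshd" name="authorized_keys"'

# Step 3: does the NetworkManager drop-in ($1) leave Canal's interfaces unmanaged,
# as shown at https://docs.rke2.io/known_issues ?
nm_unmanaged_ok() {
    [ -f "$1" ] &&
    grep -q '^\[keyfile\]' "$1" &&
    grep -q 'unmanaged-devices=.*interface-name:cali\*' "$1" &&
    grep -q 'unmanaged-devices=.*interface-name:flannel\*' "$1"
}

# Step 4: print the entries among $2.. that are missing from the comma-separated
# NO_PROXY value in $1. Returns 0 when nothing is missing, 1 otherwise.
no_proxy_missing() {
    value=",$1,"; shift; missing=""
    for want in "$@"; do
        case "$value" in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"; return 1
}

run_all() {
    mode=$(getenforce 2>/dev/null || echo unknown)
    pkg=no; rpm -q rke2-selinux >/dev/null 2>&1 && pkg=yes
    cfg=false; grep -qE '^selinux: *true' /etc/rancher/rke2/config.yaml 2>/dev/null && cfg=true
    selinux_verdict "$mode" "$pkg" "$cfg"
    [ "$mode" = Enforcing ] &&
        echo "runc AVC denials (ausearch -ts recent): $(ausearch -m avc -ts recent 2>/dev/null | count_runc_avc)"

    echo "firewalld: $(systemctl is-active firewalld 2>/dev/null || echo inactive)"

    if [ "$(systemctl is-active NetworkManager 2>/dev/null)" = active ]; then
        nm_unmanaged_ok /etc/NetworkManager/conf.d/rke2-canal.conf &&
            echo "NetworkManager: cali*/flannel* unmanaged" ||
            echo "problem: NetworkManager active without the rke2-canal.conf drop-in"
    fi

    # Proxy variables live in /etc/default/rke2-* or /etc/sysconfig/rke2-* per the RKE2 docs.
    np=$(grep -h '^NO_PROXY=' /etc/default/rke2-server /etc/sysconfig/rke2-server \
         /etc/default/rke2-agent /etc/sysconfig/rke2-agent 2>/dev/null | head -1 | cut -d= -f2- | tr -d '"')
    if [ -n "$np" ]; then
        miss=$(no_proxy_missing "$np" localhost 127.0.0.1 "${NODE_CIDR:-10.0.0.0/8}") &&
            echo "NO_PROXY: ok" || echo "problem: NO_PROXY is missing $miss"
    fi

    # Step 8: list configured mirror endpoints so each can be curl'ed from this node.
    [ -f /etc/rancher/rke2/registries.yaml ] &&
        echo "registry endpoints:" && grep -E 'https?://' /etc/rancher/rke2/registries.yaml

    # Step 10: memory and disk headroom on the host.
    free -m | awk 'NR==2{print "memory MiB total/available:", $2, $7}'
    df -h /var/lib/rancher 2>/dev/null | awk 'NR==2{print "disk /var/lib/rancher used:", $5}'
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it as root on the affected node with --run before opening a case. When step 1 reports runc denials with SELinux enforcing, the AVC records name the path runc was refused, which is the quickest way to confirm that the failure is SELinux rather than a proxy, firewall or antivirus problem.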

Cause

This 'runc' (OCI runtime) error typically occurs when runc cannot access a resource it needs to create or start the container, or hits a permission error caused by the container image configuration, the host system configuration, or incorrect permissions on container files.

Status

Top Issue

Additional Information

Please feel free to contact SUSE support if the issue persists.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.