Migrated workload fails on 1.20 and later with Ubuntu nodes
AppArmor lets a system administrator
restrict capabilities of a deployed container. To deploy a migrated container workload,
Migrate to Containers requires the AppArmor profile provided by the Linux LXC package.
However, as part of the update to Google Kubernetes Engine (GKE) 1.20, Ubuntu node images
no longer include the LXC package by default. That means new deployment clusters that
use Ubuntu nodes, or Ubuntu nodes for existing deployment clusters
that are upgraded to GKE 1.20 and later, cannot run your migrated workloads.
When deploying container workloads on Ubuntu nodes for GKE
versions 1.20 and later, the workload can enter a crash-loop and the logs contain
error messages in the form:
D0806 01:59:15.000000 8 hcutil.py:136] SHELL CMD: aa-exec -p lxc-container-default echo 123
D0806 01:59:15.000000 8 hcutil.py:168] SHELL STDERR: b"aa-exec: ERROR: profile 'lxc-container-default' does not exist\n"
D0806 01:59:15.000000 8 hcutil.py:168] SHELL STDERR: b'\n'
D0806 01:59:15.000000 8 hcutil.py:210] SHELL COMPLETED: 1 (aa-exec -p lxc-container-default echo 123)
required AppArmor profile 'lxc-container-default' does not exist, if this pod runs on a
GKE node of type 'Container Optimized OS' (COS) please run
`migctl setup install --cos-runtime` to install it
E0806 01:59:15.000000 8 hcmain.py:22] Traceback (most recent call last):
  File "./hcmain.py", line 19, in safe_action
  File "./hcmain.py", line 74, in run_action
  File "./hcrunner.py", line 392, in validateSystem
Exception: Invalid system or AppArmor profile
E0806 01:59:15.000000 8 hcmain.py:23] Invalid system or AppArmor profile
I0806 01:59:15.000000 8 termination_log.py:4] writing error to termination log at /dev/termination-log
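The errors above come from aa-exec failing to find the lxc-container-default profile. As an added example (not part of the original page or of Migrate to Containers), this shell check reads the kernel's list of loaded AppArmor profiles and reports whether that exact profile is loaded in enforce mode; the function names and the sample listing are assumptions made for illustration.

```shell
# Added example. Loaded AppArmor profiles are listed one per line as
# "<name> (<mode>)" in /sys/kernel/security/apparmor/profiles, which
# typically requires root to read on a node.

# apparmor_profile_mode PROFILE [LISTING]
# Prints PROFILE's mode and returns 0 if it is loaded, 1 if it is absent,
# 2 if the listing cannot be read. The name is compared exactly, so
# lxc-container-default-cgns does not count as lxc-container-default.
apparmor_profile_mode() {
    profile=$1
    listing=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$listing" ] || return 2
    awk -v want="$profile" '
        match($0, / \([a-z]+\)$/) {
            name = substr($0, 1, RSTART - 1)
            if (name == want) {
                print substr($0, RSTART + 2, RLENGTH - 3)
                found = 1
                exit
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$listing"
}

# require_enforced PROFILE [LISTING]
# Succeeds only when PROFILE is loaded in enforce mode; a profile in
# complain mode logs violations but does not restrict the container.
require_enforced() {
    if mode=$(apparmor_profile_mode "$@"); then
        [ "$mode" = enforce ] && return 0
        echo "profile '$1' is loaded in $mode mode, not enforce" >&2
    else
        echo "profile '$1' is not loaded (or the listing is unreadable)" >&2
    fi
    return 1
}

# Constructed sample listing (not captured from a real node): the exact
# profile from the error message is missing, only a similarly named one exists.
sample=$(mktemp)
cat > "$sample" <<'EOF'
docker-default (enforce)
lxc-container-default-cgns (enforce)
/usr/sbin/chronyd (enforce)
EOF
require_enforced lxc-container-default "$sample" ||
    echo "node would fail the aa-exec health check shown above"
rm -f "$sample"
```

On a node, call require_enforced lxc-container-default with no second argument to read the live listing.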
To resolve this issue:
1. Connect to the deployment cluster using a command in the form:
   gcloud container clusters get-credentials CLUSTER --zone ZONE --project PROJECT
2. Manually install the Linux LXC package on the deployment cluster by using the command:
   migctl setup install --cos-runtime
Last updated 2025-09-04 UTC.