# Migrated workload fails on 1.20 and later with Ubuntu nodes

[AppArmor](https://apparmor.net/) lets a system administrator restrict capabilities of a deployed container. To deploy a migrated container workload, Migrate to Containers requires the AppArmor profile provided by the Linux LXC package.

However, as part of the update to Google Kubernetes Engine (GKE) 1.20, Ubuntu node images no longer include the LXC package by default. That means new deployment clusters that use Ubuntu nodes, or Ubuntu nodes for existing deployment clusters that are upgraded to GKE 1.20 and later, cannot run your migrated workloads.

When deploying container workloads on Ubuntu nodes for GKE versions 1.20 and later, the workload can enter a crash-loop and the logs contain error messages in the form:

```
D0806 01:59:15.000000 8 hcutil.py:136] SHELL CMD: aa-exec -p lxc-container-default echo 123
D0806 01:59:15.000000 8 hcutil.py:168] SHELL STDERR: b"aa-exec: ERROR: profile 'lxc-container-default' does not exist\n"
D0806 01:59:15.000000 8 hcutil.py:168] SHELL STDERR: b'\n'
D0806 01:59:15.000000 8 hcutil.py:210] SHELL COMPLETED: 1 (aa-exec -p lxc-container-default echo 123)
required AppArmor profile 'lxc-container-default' does not exist, if this pod runs on a
GKE node of type 'Container Optimized OS' (COS) please run
`migctl setup install --cos-runtime` to install it
E0806 01:59:15.000000 8 hcmain.py:22] Traceback (most recent call last):
 File "./hcmain.py", line 19, in safe_action
 File "./hcmain.py", line 74, in run_action
 File "./hcrunner.py", line 392, in validateSystem
Exception: Invalid system or AppArmor profile

E0806 01:59:15.000000 8 hcmain.py:23] Invalid system or AppArmor profile
I0806 01:59:15.000000 8 termination_log.py:4] writing error to termination log at /dev/termination-log
```

To resolve this issue:

1. Connect to the deployment cluster using a command in the form:

   ```
   gcloud container clusters get-credentials CLUSTER --zone ZONE --project PROJECT
   ```
2. Manually install the Linux LXC package on the deployment cluster by using the command:

   ```
   migctl setup install --cos-runtime
   ```

Last updated (UTC): 2025-09-04.
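To confirm that a crash-looping pod is failing for this reason and not another, the health-check lines quoted on this page can be matched mechanically. The following is an added example, not code from Migrate to Containers: the function name `missing_apparmor_profiles` is hypothetical, the log layout is assumed to be exactly as shown in the sample on this page, and the sample input is constructed from those lines.

```python
import re

# Constructed sample input: health-check lines in the format shown on this page.
SAMPLE_LOG = r'''D0806 01:59:15.000000 8 hcutil.py:136] SHELL CMD: aa-exec -p lxc-container-default echo 123
D0806 01:59:15.000000 8 hcutil.py:168] SHELL STDERR: b"aa-exec: ERROR: profile 'lxc-container-default' does not exist\n"
D0806 01:59:15.000000 8 hcutil.py:168] SHELL STDERR: b'\n'
D0806 01:59:15.000000 8 hcutil.py:210] SHELL COMPLETED: 1 (aa-exec -p lxc-container-default echo 123)
E0806 01:59:15.000000 8 hcmain.py:23] Invalid system or AppArmor profile
'''

# Assumed layout: severity letter + MMDD, time, thread id, file:line], message.
LINE_RE = re.compile(r"^[DIWEF]\d{4} \S+ +\d+ [\w.]+:\d+\] (.*)$")
CMD_RE = re.compile(r"^SHELL CMD: ?(aa-exec\s+-p\s+(\S+).*)$")
MISSING_RE = re.compile(r"SHELL STDERR:.*profile '([^']+)' does not exist")
DONE_RE = re.compile(r"^SHELL COMPLETED: ?(\d+) \((.*)\)$")


def missing_apparmor_profiles(log_text):
    """Return profiles that aa-exec was asked for, reported missing, and failed on."""
    requested = {}    # command string -> profile passed to aa-exec -p
    reported = set()  # profiles named in a "does not exist" stderr line
    failed = set()    # profiles whose aa-exec command exited non-zero
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # traceback lines and free text carry no log prefix
        msg = m.group(1)
        if (c := CMD_RE.match(msg)):
            requested[c.group(1).strip()] = c.group(2)
        elif (e := MISSING_RE.search(msg)):
            reported.add(e.group(1))
        elif (d := DONE_RE.match(msg)):
            rc, cmd = int(d.group(1)), d.group(2).strip()
            if rc != 0 and cmd in requested:
                failed.add(requested[cmd])
    # Require both signals so an unrelated non-zero exit is not misattributed.
    return sorted(reported & failed)


if __name__ == "__main__":
    for name in missing_apparmor_profiles(SAMPLE_LOG):
        print(f"AppArmor profile not loaded on node: {name}")
```

A non-empty result means the node lacks the named profile, which is the condition the two steps above address.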