Prisma Cloud Compute: API error (500): invalid character 'i' in literal true (expecting 'r'): unknown

Prisma Cloud Compute: API error (500): invalid character 'i' in literal true (expecting 'r'): unknown

8023
Created On 11/20/22 19:52 PM - Last Modified 04/21/23 02:08 AM


Symptom


  • The Defender installs correctly however, scanning errors out with an error similar to the following:
ERRO 2022-10-14T15:10:27.685 scanner.go:601 Failed to list containers. Error failed to query the processes of container 57bf765f4fba8f85bd0fd5ae38d.....: API error (500): invalid character 'i' in literal true (expecting 'r'): unknown
  • The output of the following command on the Defender host:​​​​
 cat /etc/containers/storage.conf | grep -i "override_kernel_check" is
 override_kernel_check = "true"
  • The results of the Defender scans do not show up on the Prisma Console User Interface (UI) due to the incomplete nature of scan

Environment


  • Red Hat Enterprise Linux 7 (RHEL7)
  • Container Defender
  • Red Hat Enterprise Linux Atomic Host
  • Prisma Cloud Compute (v22.06.179)
  • Docker 20.10.18-3.el7

Cause


  • The cause of the mentioned error is the interaction between a RHEL7 host having an old kernel and the container Defender
  • A RHEL7 host runs an old kernel versioned: 3.10.0-1160.76.1.el7.x86_6 which consists of the deprecated setting: override_kernel_check = "true"
  • The API error (500) is caused by the error similar to the following error: 
time="2022-10-13T12:03:57-04:00" level=warning msg="Failed to decode the keys [\"storage.options.override_kernel_check\"] from \"/etc/containers/storage.conf\"."”
Where the Defender is expecting in the stdout for "true" in the scanning process, but instead of that the "time=..." warning pops up, because it expects 'r' but got 'i'. The word starts with 't' as expected but then comes the 'i' and Defender expects 'r' to be true​​​​​​

Resolution


  • The current workaround for this issue would be an immediate removal of the override_kernel_check from the storage.conf file present at /etc/containers on the concerned host
  • The upgrade of the HostOS to RHEL8 would resolve the issue as well

Additional Information


  • This issue has been addressed by the internal team with its fix expected to go live by the Maxwell release of Prisma Compute
  • Useful and relevant links:
  1. RHEL systems question
  2. Allow overlay2 on 7.4 kernel 3.10..
  3. storage.conf: remove obsolete option override_kernel_check
  4. storage.conf: remove obsolete option override_kernel_check
  5. sandbox creation fails due to obsolete option in /etc/containers/storage.conf
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZvUCAU&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language