Resolving Deep Security kernel module (TMhook) incompatibility issue when running docker containers in Linux

Product / Version includes:

Deep Security12.0

Last updated: 2021/08/28

Solution ID: KA-0009481

Category: Troubleshoot

Summary

Deep Security performs a system hook at the Linux kernel level for real-time Anti-Malware, real-time Integrity Monitoring, and Application Control. When the Deep Security Agent has enabled one of these mentioned modules and is running docker containers, the module may not be unloaded correctly and you may encounter an incomplete uninstallation or upgrade.

The kernel module becomes incompatible because there are some syscalls used by docker container that failed to return when trying to disable features or upgrade Deep Security Agent.

Checking the Deep Security kernel module (TMhook)

When Deep Security module is enabled, verify that the kernel module version in disk and in memory are the same.
- Get the kernel module version in disk:
```
# sudo modinfo /opt/ds_agent/`uname -r`/tmhook.ko
```
- Identify the kernel module version in memory:
```
# sudo cat /proc/driver/bmhook/tmhook/version
```
When Deep Security module is disabled, make sure the kernel module status is unload.
```
# sudo lsmod | grep tmhook
```

Workarounds

There are two (2) workarounds to resolve the kernel module incompatibility issue.

Option 1. Stop all the running docker containers. Enable one of the Deep Security modules mentioned above, and then disable it.
Option 2. Reboot the agent.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Resolving Deep Security kernel module (TMhook) incompatibility issue when running docker containers in Linux

Resolving Deep Security kernel module (TMhook) incompatibility issue when running docker containers in Linux

Product / Version includes:

Summary