Troubleshooting Clara

 

Symptom

Docker login returns: "Error response from daemon: login attempt to https://854793243809.dkr.ecr.us-east-1.amazonaws.com/v2/ failed with status: 403 Forbidden"

Cause and solution

Your credentials are not valid. Request new credentials from your vendor.

 

 

 

Symptom

Docker or docker-compose commands return: "Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.38/containers/json: dial unix /var/run/docker.sock: connect: permission denied"

Cause and solution

You don't have the right permissions for Docker. Use commands with root permissions ("sudo" or "sudo su") or refer to Docker documentation.

 

 

 

Symptom

The Nginx container doesn't start and returns the following error: "ERROR: for nginx  Cannot start service nginx: driver failed programming external connectivity on endpoint nginx".

Cause and solution

Stop and start docker-compose by running the following commands:

  1. docker-compose stop

  2. docker-compose up

If the problem persists, run the following steps:

  1. Restart Docker with the docker restart command. See Docker command usage.

  2. docker-compose up

 

 

 

Symptom

When you access the Clara website, you get a security warning: "Your connection is not private".

Cause and solution

Add an exception to trust the website.

 

 

 

Symptom

OpenSearch does not start, and the log shows the following error:

"2018-09-21T14:11:16,039][INFO ][o.e.b.BootstrapChecks ] [qVAFkOU] bound or publishing to a non-loopback address, enforcing bootstrap checks

ERROR: [2] bootstrap checks failed

[1]: max file descriptors [4096] for OpenSearch process is too low, increase to at least [65536]

[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]"

Cause and solution

To solve this problem, run the following procedure.

How to verify and set ulimit parameter

  1. Check the maximum number of open files for the current user (the user that started the Docker daemon) by running the command ulimit -n

  2. Verify that the number of allowed open files for the current user is at least 65536

  3. Check the Hard limit for the current user, by running the command ulimit -n -H

  4. Check the Soft limit for the current user, by running the command ulimit -n -S

  5. In case the value of Hard or Soft limit is lower than 65536, increase its value permanently, by editing the file:

/etc/security/limits.conf

[domain] [type] [item] [value]

where:

[domain] can be a username, a group name, or a wildcard entry

[type] is the type of the limit and can have the following values:

soft: a soft limit which can be changed by user

hard: a cap on soft limit set by super user and enforced by kernel

[item] is the resource for which you are setting the limit

 

For example, for a user with id hmuser run the following steps:

  1. Add or modify soft and hard limits as follows:

    • hmuser soft nofile 65536

    • hmuser hard nofile 65536

  2. Activate the new values by running the following command: sysctl -p

  3. Update the following files:

/etc/systemd/user.conf

/etc/systemd/system.conf

by adding the following line:

DefaultLimitNOFILE=65536

  4. Log in again with user hmuser and verify the new limits before starting any process

 

 

 

Symptom

The log shows the following error: "[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]".

Cause and solution

On Linux, run the following procedure.

How to verify and set the available virtual memory

  1. To verify the available virtual memory, run the following command as the user that started the Docker daemon:

sysctl vm.max_map_count

  2. If the command output shows a value lower than 262144, run the command:

sysctl -w vm.max_map_count=262144

  3. To set this value permanently, edit the vm.max_map_count setting in /etc/sysctl.conf.

  4. Add the following as last row, or edit the row if present:

vm.max_map_count=262144

  5. Verify the new value after reboot.
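
The following added example (not part of the original Clara documentation) serves both procedures above, the ulimit one and the vm.max_map_count one: it extracts the required values from the bootstrap-check lines of the log and compares them with the current host values. The function names and the embedded log are constructed for illustration; run it as the user that started the Docker daemon.

```shell
#!/bin/sh
# Constructed sample: the bootstrap-check lines quoted in the symptom above.
sample_log() {
cat <<'EOF'
ERROR: [2] bootstrap checks failed
[1]: max file descriptors [4096] for OpenSearch process is too low, increase to at least [65536]
[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
EOF
}

# Read a log on stdin and print "<setting> <required value>" per failed check.
required_from_log() {
    sed -n \
        -e 's/.*max file descriptors \[[0-9]*\].*at least \[\([0-9]*\)\].*/nofile \1/p' \
        -e 's/.*vm\.max_map_count \[[0-9]*\].*at least \[\([0-9]*\)\].*/vm.max_map_count \1/p'
}

# Current host value for a setting. For nofile the soft limit is reported,
# because it is the effective one and can never exceed the hard limit.
current_value() {
    case $1 in
        nofile)           ulimit -S -n ;;
        vm.max_map_count) sysctl -n vm.max_map_count 2>/dev/null || echo 0 ;;
    esac
}

# meets CURRENT REQUIRED: succeeds when the current value satisfies the check.
meets() {
    [ "$1" = unlimited ] || [ "$1" -ge "$2" ]
}

# Demo: report every setting named in the log against this host.
sample_log | required_from_log | while read -r setting required; do
    current=$(current_value "$setting")
    if meets "$current" "$required"; then state="ok"; else state="too low"; fi
    printf '%-18s required=%s current=%s %s\n' "$setting" "$required" "$current" "$state"
done
```
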

 

 

 

Symptom

Keycloak container restarts, or the log shows the following error:

"Oops...I understand that you are trying to access the intent .. But I am not trained/configured to take any action on this yet. Please contact administrator to get this added.

Security-Enhanced Linux (SELinux) on the hypervisor must be disabled or the permissions must be set up correctly".

Cause and solution

To set SELinux to permissive, run the following procedure.

How to set SELinux to permissive

  1. Run the following commands:

sed -i 's/^SELINUX=.*$/SELINUX=permissive/' /etc/selinux/config

setenforce 0

sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config

  2. Restart the system to save the changes permanently.

  3. After you restart the system, you can use the getenforce command to check the SELinux status.

 

 

 

Symptom

On first installation, Clara returns "Server internal error".

Cause and solution

Run the following commands:

./clara.sh --down --vol

./clara.sh --up

 

 

 

Symptom

On first installation, the installation script returns the following error message:

"The image for the service you're trying to recreate has been removed. If you continue, volume data could be lost. Consider backing up your data before continuing.

Continue with the new image Y|N?"

Cause and solution

You must first load Clara images from HCL_CLARA_IMAGES.tar.gz file. This file is in the same path as the installation script.

To load Clara images, run the installation script with the appropriate options:

./install.sh --load-images

 

 

 

Symptom

After upgrading Clara from a previous version, one or more of the following messages appear when logging into Clara:

Cause and solution

You might have missed a step of the Clara upgrade procedure.

 

 

 

Symptom

Selecting Change Language from the menu in the upper right corner of Clara's interface, Clara replies with the following message:

"You cannot change language, translation is not available".

Cause and solution

 

 

 

Symptom

When asking Clara to manage workload from the Self-Service Catalog, Clara replies with the following message:

"I can't find any services assigned to your role".

Cause and solution

 

 

Symptom

After configuring a WAz type environment in Clara, when asking Clara a question, she replies with the following message: 

"An error occurred while performing the operation: SCLSLB001E (Solr: connection error):
Solr responded with an error (HTTP 404): [Reason: Error 404 Not Found]"

Cause and solution

After adding a new WAz environment, run the following commands: 

  1. docker exec -it clara-actions sed -i '197s/HWAZ/HWAz/' /app/utils/models.py
  2. docker exec -it clara-actions sed -i '205s/HWAZ/HWAz/' /app/utils/models.py
  3. docker exec -it clara-actions sed -i '82s/Z/z/' /app/utils/settings.py
  4. docker restart clara-actions

 

 

Symptom

After Clara installation, when you start chatting with Clara, you receive the following message:

"Clara license is not valid or expired, or the license server is temporarily unavailable. Contact Clara administrator."

Cause and solution

Run the following steps:

  1. Verify that your license id is valid.
  2. Verify that the Clara machine can reach the license server: https://hclsoftware.compliance.flexnetoperations.com.
  3. Run: docker restart clara-manager

If the problem still exists, contact the Clara administrator.

 

 

Symptom

Clara refuses to connect to Workload Automation DWC or Engine.

Cause and solution

If Workload Automation DWC or Engine uses a certificate with an insecure algorithm (SHA1, MD5, etc.), Clara refuses to connect to Workload Automation DWC or Engine unless the security policies inside clara-manager are relaxed. 

To use insecure certificates in Clara, run the following steps on the machine where Clara is installed:

  1. docker cp clara-manager:/etc/crypto-policies/back-ends/java.config .
  2. Open the java.config file with a text editor and remove the algorithm of your certificate from jdk.certpath.disabledAlgorithms.
  3. docker cp java.config clara-manager:/etc/crypto-policies/back-ends/.
  4. docker restart clara-manager
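
One way to perform step 2 so that only the certificate's algorithm is removed and every other entry stays disabled, as an added example that is not part of the original Clara documentation. The helper name relax_certpath and the java.config contents are constructed for illustration, and each property is assumed to sit on a single line.

```shell
#!/bin/sh
# Constructed sample of a crypto-policies java.config (not copied from clara-manager).
sample_config() {
cat <<'EOF'
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SHA1, MD5
jdk.tls.legacyAlgorithms=
EOF
}

# relax_certpath ALG FILE (hypothetical helper): print FILE with ALG removed
# from jdk.certpath.disabledAlgorithms only. Exit status 3 if ALG was not listed.
relax_certpath() {
    awk -v alg="$1" '
        BEGIN { key = "jdk.certpath.disabledAlgorithms="; found = 0 }
        index($0, key) == 1 {
            n = split(substr($0, length(key) + 1), entries, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                entry = entries[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)
                split(entry, words, " ")      # words[1] is the algorithm name
                if (words[1] == alg) { found = 1; continue }
                if (entry != "") out = out (out == "" ? "" : ", ") entry
            }
            print key out
            next
        }
        { print }                             # every other property is untouched
        END { exit (found ? 0 : 3) }
    ' "$2"
}

# Demo on the constructed sample: the diff shows exactly one changed line.
tmp=$(mktemp)
sample_config > "$tmp"
relax_certpath SHA1 "$tmp" | diff "$tmp" - || true
rm -f "$tmp"
```

Write the output to a new file and review the diff against the copy taken in step 1 before copying it back in step 3.
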

 

Symptom

Unable to Start clara-nginx Container.

When attempting to run the clara-nginx container, the following error message may appear:

Error: unable to start container ‘0030590443eacc98fa49a14c19ec5fe1bdc5aeedaa584ff4c67b82c3d0ac2859’: rootlessport cannot expose privileged port 443, you can add ‘net.ipv4.ip_unprivileged_port_start=443' to /etc/sysctl.conf (currently 1024), or choose a higher port number (>= 1024): listen tcp 0.0.0:443: bind: permission denied  

Cause and solution

This issue occurs because the container is attempting to bind to port 443, which is a privileged port by default. Privileged ports (those below 1024) require privileged access, and the net.ipv4.ip_unprivileged_port_start parameter is set to 1024 in the system configuration.

  1. Modify the system configuration:
    - Open the /etc/sysctl.conf file in a text editor with privileged access:
      sudo nano /etc/sysctl.conf
    - Add the following line to allow unprivileged access to port 443:
      net.ipv4.ip_unprivileged_port_start=443
  2. Reload the system parameters by running the following command:
      sudo sysctl -p
  3. Restart all Clara containers.
     

 

Alternatively, you can configure the container to use a non-privileged port (>= 1024) to avoid modifying the system configuration.
Ensure that the system's security policies and requirements align with this configuration change.

 

 

 

 

 
