sourcecd
diff --git a/‎en/_assets/dns/security/service-roles-hierarchy.svg
Lines changed: 31 additions & 4 deletions b/‎en/_assets/dns/security/service-roles-hierarchy.svg
Lines changed: 31 additions & 4 deletions
diff --git a/‎en/_includes/container-registry/lifecycle-rules.md
Lines changed: 4 additions & 7 deletions b/‎en/_includes/container-registry/lifecycle-rules.md
Lines changed: 4 additions & 7 deletions
diff --git a/‎en/_includes/cos/previous-releases.md
Lines changed: 2 additions & 5 deletions b/‎en/_includes/cos/previous-releases.md
Lines changed: 2 additions & 5 deletions
diff --git a/‎en/container-registry/concepts/vulnerability-scanner.md
Lines changed: 8 additions & 1 deletion b/‎en/container-registry/concepts/vulnerability-scanner.md
Lines changed: 8 additions & 1 deletion
diff --git a/‎en/container-registry/operations/lifecycle-policy/lifecycle-policy-create.md
Lines changed: 30 additions & 16 deletions b/‎en/container-registry/operations/lifecycle-policy/lifecycle-policy-create.md
Lines changed: 30 additions & 16 deletions
diff --git a/‎en/cos/error/index.md
Lines changed: 77 additions & 0 deletions b/‎en/cos/error/index.md
Lines changed: 77 additions & 0 deletions
diff --git a/‎en/cos/index.yaml
Lines changed: 12 additions & 8 deletions b/‎en/cos/index.yaml
Lines changed: 12 additions & 8 deletions
@@ -1,10 +1,8 @@
 Example of the contents of a file with rules, where:
-
 * `description`: Description of the policy rule.
-* `tag_regexp`: Docker image tag for filtering.
+* `tag_regexp`: Docker image tag for filtering. A `test.*` regular expression for `tag_regexp` lets you get all images with tags starting with `test`.
 * `untagged`: Flag indicating that the rule applies to Docker images without tags.
-* `expire_period`: Time after which the lifecycle policy may apply to the Docker image.
-    Parameter format: Number and unit of measurement `s`, `m`, `h`, or `d` (seconds, minutes, hours, or days). `expire_period` must be a multiple of 24 hours.
+* `expire_period`: Time after which the lifecycle policy may apply to the Docker image. Parameter format: Number and unit of measurement `s`, `m`, `h`, or `d` (seconds, minutes, hours, or days). `expire_period` must be a multiple of 24 hours.
 * `retained_top`: Number of Docker images that are not deleted even if they match the rule.
 
 ```json
@@ -25,6 +23,5 @@ Example of the contents of a file with rules, where:
     "untagged": true,
     "expire_period": "48h"
   }
-]    
-```
-
+]
+```
@@ -7,7 +7,7 @@
 
 ### Version 2.0.4 {#version2.0.4}
 
-* Added a Container Optimized Image with GPU support.`yc compute image get-latest-from-family coi-base-gpu --folder-id standard-images`
+* Added a Container Optimized Image with GPU support: `yc compute image get-latest-from-family coi-base-gpu --folder-id standard-images`.
 
 ### Version 2.0.3 {#version2.0.3}
 
@@ -46,7 +46,7 @@
 
 ### Version 1.1.2 {#version1.1.2}
 
-* Fixes in automatic launch of Docker containers:
+* Fixes in automatic launch of Docker containers.
 
 ### Version 1.1.1 {#version1.1.1}
 
@@ -59,21 +59,18 @@
 ### Version 1.0.3 {#version1.0.3}
 
 Fixes in automatic launch of Docker containers:
-
 * When a VM is restarted and its metadata is updated, an outdated Docker container is no longer started.
 * Reduced the number of logs in `yc-container-daemon`.
 * Added retries to update a Docker container if the previous update attempt fails.
 
 ### Version 1.0.2 {#version1.0.2}
 
 Fix in automatic launch of Docker containers:
-
 * Added a detailed error message when using `docker login` for a domain with Docker Credential Helper configured.
 
 ### Version 1.0.1 {#version1.0.1}
 
 Fix in automatic launch of Docker containers:
-
 * Now Docker containers with `-` in their name are not deleted.
 
 ### Version 1.0 {#version1.0}
 
@@ -7,8 +7,15 @@ Vulnerability scanner only works with Docker images from {{ container-registry-n
 For scanning, a Docker image is unpacked, and a search is performed for installed package versions (deb). The package versions identified are then checked against a database of known vulnerabilities.
 
 Currently, Docker images are available and built for the following supported operating systems:
+* Debian 7
+* Debian 8
+* Debian 9
+* Debian 10
+* Debian 11
 * Ubuntu 14.04
 * Ubuntu 16.04
 * Ubuntu 18.04
 * Ubuntu 20.04
-* Ubuntu 20.10
+* Ubuntu 20.10
+* Ubuntu 21.04
+* Ubuntu 21.10
@@ -1,65 +1,73 @@
 # Creating a lifecycle policy
 
-To create a lifecycle policy, specify the [repository ID](../repository/repository-list.md#repository-get).
+To create a lifecycle policy, specify the [repository name](../repository/repository-list.md#repository-get).
 
 {% list tabs %}
 
 - CLI
 
   {% include [cli-install](../../../_includes/cli-install.md) %}
 
-  {% include [lifecycle restrictions](../../../_includes/container-registry/lifecycle-restrictions.md) %}
-
   1. Set [policy rules](../../concepts/lifecycle-policy.md#lifecycle-rules) and save them to a file named `rules.json`.
 
      {% include [lifecycle-rules](../../../_includes/container-registry/lifecycle-rules.md) %}
 
   1. Create a lifecycle policy by running the command with the following parameters:
-     * `repository-id`: ID of the repository.
+     * `repository-name`: Repository name.
+     * `rules`: Path to the file with the policy description.
+     * `description`: Description of the lifecycle policy (optional).
      * `name`: Policy name (optional).
 
        {% include [name-format](../../../_includes/name-format.md) %}
 
-     * `description`: Description of the lifecycle policy (optional).
-
-     * `rules`: Path to the file with the policy description.
-
      {% note info %}
 
-     The default policy is created with the `DISABLED` status. It is possible (but not recommended) to create an active policy directly by setting the `--active` flag, or [to enable a policy](../../operations/lifecycle-policy/lifecycle-policy-update.md#update-status) after it is created.
+     The default policy is created with the `DISABLED` status. We do not recommend creating an active policy with the `--active` flag right away.
 
      {% endnote %}
 
      ```bash
      yc container repository lifecycle-policy create \
-       --repository-id crp3cpm16edqql0t30s2 \
+       --repository-name crp3cpm16edqql0t30s2/ubuntu \
        --name test-policy \
        --description "disabled lifecycle-policy for tests" \
        --rules ./rules.json
+     ```
+
+     Command execution result:
+
+     ```bash
      id: crp6lg1868p3i0emkv1b
      name: test-policy
      repository_id: crp3cpm16edqql0t30s2
      description: disabled lifecycle-policy for tests
      status: DISABLED
-     created_at: "2020-05-28T15:05:58.143719Z"
+     created_at: "2021-03-08T16:58:32.984940Z"
      rules:
-     - description: remove prod images older than 60 days except 20 last ones
+     - description: delete prod Docker images older than 60 days but retain 20 last ones
        expire_period: 5184000s
        tag_regexp: prod
        retained_top: "20"
-     - description: remove all test and untagged images older than 48 hours
-       expire_period: 172800s
+     - description: delete all test Docker images except 10 last ones
        tag_regexp: test.*
+       retained_top: "10"
+     - description: delete all untagged Docker images older than 48 hours
+       expire_period: 172800s
        untagged: true
      ```
 
      The `expired_period` parameter value in the response is displayed in seconds. This is a technical constraint, the format will be changed.
 
   1. Make sure that the policy is created by running the command with the following parameter:
-     * `repository-id`: ID of the repository.
+     * `repository-name`: Repository name.
+
+     ```bash
+     yc container repository lifecycle-policy list --repository-name crp3cpm16edqql0t30s2/ubuntu
+     ```
+
+     Command execution result:
 
      ```bash
-     yc container repository lifecycle-policy list --repository-id crp3cpm16edqql0t30s2
      +----------------------+-------------+----------------------+----------+---------------------+--------------------------------+
      |          ID          |    NAME     |    REPOSITORY ID     |  STATUS  |       CREATED       |          DESCRIPTION           |
      +----------------------+-------------+----------------------+----------+---------------------+--------------------------------+
@@ -68,4 +76,10 @@ To create a lifecycle policy, specify the [repository ID](../repository/reposito
      +----------------------+-------------+----------------------+----------+---------------------+--------------------------------+
      ```
 
+     {% note tip %}
+
+     You can [test the lifecycle policy](lifecycle-policy-dry-run.md) to check what Docker images comply with the policy rules. Docker images are not actually deleted during dry runs.
+
+     {% endnote %}
+
 {% endlist %}
@@ -0,0 +1,77 @@
+# Troubleshooting
+
+To view Docker image startup logs, use the command:
+
+```bash
+sudo journalctl -u yc-container-daemon
+```
+
+Below are common errors and ways to fix them.
+
+## The service account has no permission to download the specified Docker image {#permission-denied}
+
+**Example:**
+
+```
+Mar 25 12:07:39 instance-name yc-container-daemon[516]:
+{"level":"DEBUG","ts":"2021-03-25T12:07:39.785Z","caller":"container/image.go:75","msg":"trying to pull image (0/3)"}
+Mar 25 12:07:39 instance-name yc-container-daemon[516]:
+{"level":"DEBUG","ts":"2021-03-25T12:07:39.786Z","caller":"container/image.go:47","msg":"pulling image: 'cr.yandex/crpgrueprnc1сgt1la/nginx:1.16.0'"}
+Mar 25 12:07:41 instance-name yc-container-daemon[516]:
+{"level":"ERROR","ts":"2021-03-25T12:07:41.005Z","caller":"container/image.go:78","msg":"error pulling image: Error response from daemon: pull access denied for cr.yandex/crpgruernc1bgt1la/ngin>
+```
+
+**How to fix it:** [Assign to the service account](../../iam/operations/sa/set-access-bindings.md) the `viewer` or `container-registry.images.puller` role for a repository, registry, or folder. For more information about the roles available in the service, see the [documentation](../../container-registry/security/index.md).
+
+## No network access to {{ container-registry-name }} {#connection-to-cr}
+
+**Example:**
+
+```
+Sep 28 08:00:18 cl17bn514eluq62dj8jo-unar yc-container-daemon[952]:
+{"level":"DEBUG","ts":"2019-09-28T08:00:18.842Z ","caller":"container/container.go:121","msg":"trying to pull image (0/3)"}
+Sep 28 08:00:18 cl17bn514eluq62dj8jo-unar yc-container-daemon[952]:
+{"level":"DEBUG","ts":"2019-09-28T08:00:18.842Z","caller":"container/container.go:162","msg":"pulling image: 'cr.yandex/crpgrueprnhc1сgt1lab/nginx:1.16.0'"}
+Sep 28 08:00:33 cl17bn514eluq62dj8jo-unar yc-container-daemon[952]:
+{"level":"ERROR","ts":"2019-09-28T08:00:33.843Z","caller":"container/container.go:124","msg":"error pulling image: Error response from daemon: Get https://cr.yandex/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"}
+```
+
+**How to fix it:** Check if there is access to {{ container-registry-name }} by running the command: `nc -vz cr.yandex 443`. If not, [configure a NAT instance](../../solutions/routing/nat-instance.md) or assign a public IP address to the VM with the {{ coi }}. You can also enable egress NAT for the subnet where the VMs are created.
+
+{% note warning %}
+
+Egress NAT can only be enabled for subnets if the alpha flag is selected for egress NAT on {{ yandex-cloud }}. To request it, [contact support](https://console.cloud.yandex.com/support/create-ticket).
+
+{% endnote %}
+
+## No service account is linked to the VM to enable access to {{ container-registry-name }} {#sa-for-registry}
+
+**Example:**
+
+```
+Mar 25 12:13:23 instance-name yc-container-daemon[518]:
+{"level":"WARN","ts":"2021-03-25T12:13:23.466Z","caller":"container/container.go:240","msg":"Attempting to pull Container Registry image with empty credentials. It will only work if public registr>
+Mar 25 12:13:23 instance-name yc-container-daemon[518]:
+{"level":"DEBUG","ts":"2021-03-25T12:13:23.466Z","caller":"container/image.go:75","msg":"trying to pull image (0/3)"}
+Mar 25 12:13:23 instance-name yc-container-daemon[518]:
+{"level":"DEBUG","ts":"2021-03-25T12:13:23.467Z","caller":"container/image.go:47","msg":"pulling image: 'cr.yandex/crpgruehrnhc0bgt1lab/nginx:1.16.0'"}
+Mar 25 12:13:24 instance-name yc-container-daemon[518]:
+{"level":"ERROR","ts":"2021-03-25T12:13:24.706Z","caller":"container/image.go:78","msg":"error pulling image: Error response from daemon: unauthorized: Authentication problem ; requestId = b2f6f07>
+```
+
+**How to fix it:** For private registries, [link a service account](../../compute/operations/vm-connect/auth-inside-vm.md#link-sa-with-instance) to access Docker images.
+
+## Not enough disk space {#disk-full}
+
+**Example:**
+
+```
+Mar 25 12:34:22 intr13-vm yc-container-daemon[518]:
+{"level":"DEBUG","ts":"2021-03-25T12:34:22.043Z","caller":"container/image.go:75","msg":"trying to pull image (0/3)"}
+Mar 25 12:34:22 intr13-vm yc-container-daemon[518]:
+{"level":"DEBUG","ts":"2021-03-25T12:34:22.043Z","caller":"container/image.go:47","msg":"pulling image: 'openjdk:7' (normalized: 'docker.io/library/openjdk:7')"}
+Mar 25 12:34:46 intr13-vm yc-container-daemon[518]:
+{"level":"DEBUG","ts":"2021-03-25T12:34:46.276Z","caller":"container/image.go:59","msg":"received ImagePull response: ... {\"message\":\"failed to register layer: Error processing tar file(exit status 1): write /usr/bin/hostnamectl: no space left on device\"},\"error\":\"failed to register layer: Error processing tar file(exit status 1): write /usr/bin/hostnamectl: no space left on device\"}\r\n)."}
+```
+
+**How to fix it:** Stop the VM and [increase the disk size](../../compute/operations/disk-control/update.md#change-disk-size).
@@ -1,25 +1,29 @@
-title: Yandex Container Optimized Solutions
+title: Yandex Container Solution
 description:
   - >-
-    Yandex Container Optimized Solutions are use cases based on VMs with a
-    Container Optimized Image for running Docker containers. The Container
-    Optimized Image is also available on the <a
-    href="https://cloud.yandex.com/marketplace/products/f2ea2mtumfqb17k9eso7">marketplace</a>.
+    Yandex Container Solution provides use cases based on VMs with a Container
+    Optimized Image for running Docker containers. The Container Optimized Image
+    is also available in the <a
+    href="https://cloud.yandex.com/marketplace/products/f2ea2mtumfqb17k9eso7">Cloud
+    Marketplace</a>.
 meta:
-  title: Yandex Container Optimized Solutions
+  title: Yandex Container Solution
 links:
   - title: Getting started
     description: Create your first VM from a Container Optimized Image
     href: quickstart
   - title: Concepts
     description: Learn more about the Container Optimized Image
     href: concepts/
-  - title: Solutions
-    description: Container Optimized Image solutions
+  - title: Use cases
+    description: Container Optimized Image use cases
     href: solutions/
   - title: Quotas and limits
     description: Technical and organizational limitations
     href: concepts/limits
   - title: Pricing policy
     description: Pricing and cost calculations
     href: pricing
+  - title: Troubleshooting
+    description: Common errors and how to fix them
+    href: error/