Skip to content

Commit

Permalink
Add AppArmor profile setup for rootlesskit on Ubuntu 23.10+
Browse files Browse the repository at this point in the history
Introduce automatic creation and cleanup of an AppArmor profile for rootlesskit to handle restrictions on unprivileged user namespaces in Ubuntu 23.10 and later. Ensure proper installation by checking for necessary AppArmor files and restarting the AppArmor service as needed. Update the uninstallation script to remove existing AppArmor profiles when cleaning up.

Signed-off-by: fahed dorgaa <[email protected]>
  • Loading branch information
fahedouch committed Jan 15, 2025
1 parent 1259a55 commit 2831b14
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 0 deletions.
4 changes: 4 additions & 0 deletions docs/rootless.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,10 @@ The usage of `containerd-rootless-setuptool.sh` is almost same as [`dockerd-root

Resource limitation flags such as `nerdctl run --memory` require systemd and cgroup v2: https://rootlesscontaine.rs/getting-started/common/cgroup2/

#### AppArmor Profile (Ubuntu 23.10+)

To ensure rootlesskit works on systems with restrictions on unprivileged user namespaces (e.g., Ubuntu 23.10+), the setup tool creates an AppArmor profile if it does not already exist.

## Client (nerdctl)

Just execute `nerdctl`. No need to specify the socket address manually.
Expand Down
42 changes: 42 additions & 0 deletions extras/rootless/containerd-rootless-setuptool.sh
Original file line number Diff line number Diff line change
Expand Up @@ -251,6 +251,40 @@ cmd_entrypoint_install() {
EOT
systemctl --user daemon-reload
INFO "To run \"${SYSTEMD_CONTAINERD_UNIT}\" on system startup automatically, run: \`sudo loginctl enable-linger $(id -un)\`"

if [ ! -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ]; then
if [ -e "/etc/apparmor.d/abi/4.0" ] && [ -e "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" ]; then
cat >"/etc/apparmor.d/usr.local.bin.rootlesskit" <<-EOF
# Ubuntu 23.10 introduced kernel.apparmor_restrict_unprivileged_userns
# to restrict unsharing user namespaces:
# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
#
# kernel.apparmor_restrict_unprivileged_userns is still opt-in in Ubuntu 23.10,
# but it is expected to be enabled in future releases of Ubuntu.
abi <abi/4.0>,
include <tunables/global>
/usr/local/bin/rootlesskit flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.local.bin.rootlesskit>
}
EOF
else
# shellcheck disable=SC2072
if [ "$(grep 'ID' /etc/os-release | cut -d'=' -f2 | tr -d '"')" = "ubuntu" ] && [ "$(grep 'VERSION_ID' /etc/os-release | cut -d'=' -f2 | tr -d '"')" -gt 23.10 ]; then
ERROR "The files \"/etc/apparmor.d/abi/4.0\" and \"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\" should be present. Note: AppArmor restriction for unprivileged_userns is no longer opt-in and is enabled by default."
else
INFO "The files \"/etc/apparmor.d/abi/4.0\" and \"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\" are not required for this OS version."
fi
fi
systemctl --suer restart apparmor.service
else
ERROR "AppArmor profile for rootlesskit already exists."
ERROR "Before retrying installation, you might need to uninstall the current setup: \`$0 uninstall -f ; ${BIN}/rootlesskit rm -rf ${HOME}/.local/share/containerd\`"
exit 1
fi
INFO "------------------------------------------------------------------------------------------"
INFO "Use \`nerdctl\` to connect to the rootless containerd."
INFO "You do NOT need to specify \$CONTAINERD_ADDRESS explicitly."
Expand Down Expand Up @@ -518,6 +552,14 @@ cmd_entrypoint_uninstall() {
uninstall_systemd_unit "${SYSTEMD_IPFS_UNIT}"
uninstall_systemd_unit "${SYSTEMD_BYPASS4NETNSD_UNIT}"

# Starting from Ubuntu 23.10, apparmor_restrict_unprivileged_userns is enabled by default.
# We need to clean the current installation for proper configuration of AppArmor for the next installation.
if [ -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ]; then
INFO "Removing existing AppArmor profile for rootlesskit."
systemctl stop apparmor.service
rm -f "/etc/apparmor.d/usr.local.bin.rootlesskit"
fi

INFO "This uninstallation tool does NOT remove containerd binaries and data."
INFO "To remove data, run: \`$BIN/rootlesskit rm -rf ${XDG_DATA_HOME}/containerd\`"
}
Expand Down

0 comments on commit 2831b14

Please sign in to comment.