diff --git a/docs/rootless.md b/docs/rootless.md
index 62709e50a27..c5db142339a 100644
--- a/docs/rootless.md
+++ b/docs/rootless.md
@@ -25,6 +25,10 @@ The usage of `containerd-rootless-setuptool.sh` is almost same as [`dockerd-root
 Resource limitation flags such as `nerdctl run --memory` require systemd and cgroup v2: https://rootlesscontaine.rs/getting-started/common/cgroup2/
+#### AppArmor Profile (Ubuntu 23.10+)
+
+To ensure rootlesskit works on systems with restrictions on unprivileged user namespaces (e.g., Ubuntu 23.10+), the setup tool creates an AppArmor profile if it does not already exist.
+
 ## Client (nerdctl)
 Just execute `nerdctl`. No need to specify the socket address manually.
diff --git a/extras/rootless/containerd-rootless-setuptool.sh b/extras/rootless/containerd-rootless-setuptool.sh
index 27627640d51..89e6884f2f4 100755
--- a/extras/rootless/containerd-rootless-setuptool.sh
+++ b/extras/rootless/containerd-rootless-setuptool.sh
@@ -251,6 +251,40 @@ cmd_entrypoint_install() {
 	EOT
 	systemctl --user daemon-reload
 	INFO "To run \"${SYSTEMD_CONTAINERD_UNIT}\" on system startup automatically, run: \`sudo loginctl enable-linger $(id -un)\`"
+
+	if [ ! -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ]; then
+		if [ -e "/etc/apparmor.d/abi/4.0" ] && [ -e "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" ]; then
+			cat >"/etc/apparmor.d/usr.local.bin.rootlesskit" <<-EOF
+			# Ubuntu 23.10 introduced kernel.apparmor_restrict_unprivileged_userns
+			# to restrict unsharing user namespaces:
+			# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+			#
+			# kernel.apparmor_restrict_unprivileged_userns is still opt-in in Ubuntu 23.10,
+			# but it is expected to be enabled in future releases of Ubuntu.
+			abi ,
+			include
+
+			/usr/local/bin/rootlesskit flags=(unconfined) {
+				userns,
+
+				# Site-specific additions and overrides. See local/README for details.
+				include if exists
+			}
+			EOF
+		else
+			# shellcheck disable=SC2072
+			if [ "$(grep 'ID' /etc/os-release | cut -d'=' -f2 | tr -d '"')" = "ubuntu" ] && [ "$(grep 'VERSION_ID' /etc/os-release | cut -d'=' -f2 | tr -d '"')" -gt 23.10 ]; then
+				ERROR "The files \"/etc/apparmor.d/abi/4.0\" and \"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\" should be present. Note: AppArmor restriction for unprivileged_userns is no longer opt-in and is enabled by default."
+			else
+				INFO "The files \"/etc/apparmor.d/abi/4.0\" and \"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\" are not required for this OS version."
+			fi
+		fi
+		systemctl --user restart apparmor.service
+	else
+		ERROR "AppArmor profile for rootlesskit already exists."
+		ERROR "Before retrying installation, you might need to uninstall the current setup: \`$0 uninstall -f ; ${BIN}/rootlesskit rm -rf ${HOME}/.local/share/containerd\`"
+		exit 1
+	fi
 	INFO "------------------------------------------------------------------------------------------"
 	INFO "Use \`nerdctl\` to connect to the rootless containerd."
 	INFO "You do NOT need to specify \$CONTAINERD_ADDRESS explicitly."
@@ -518,6 +552,14 @@ cmd_entrypoint_uninstall() {
 	uninstall_systemd_unit "${SYSTEMD_IPFS_UNIT}"
 	uninstall_systemd_unit "${SYSTEMD_BYPASS4NETNSD_UNIT}"
+	# Starting from Ubuntu 23.10, apparmor_restrict_unprivileged_userns is enabled by default.
+	# We need to clean the current installation for proper configuration of AppArmor for the next installation.
+	if [ -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ]; then
+		INFO "Removing existing AppArmor profile for rootlesskit."
+		systemctl --user stop apparmor.service
+		rm -f "/etc/apparmor.d/usr.local.bin.rootlesskit"
+	fi
+
 	INFO "This uninstallation tool does NOT remove containerd binaries and data."
 	INFO "To remove data, run: \`$BIN/rootlesskit rm -rf ${XDG_DATA_HOME}/containerd\`"
 }
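Review bot: The Ubuntu version test in the fallback `else` branch cannot work as written: `grep 'ID' /etc/os-release` also matches `ID_LIKE`, `VERSION_ID` and similar keys, so its multi-line output never equals `ubuntu`, and `[ ... -gt 23.10 ]` is an integer comparison that rejects a dotted value outright (the disabled SC2072 is the lint warning for exactly this). Read the keys in a subshell and compare with dpkg's version ordering: `os_id=$(. /etc/os-release && printf '%s' "${ID:-}")`, `os_ver=$(. /etc/os-release && printf '%s' "${VERSION_ID:-}")`, `if [ "$os_id" = "ubuntu" ] && dpkg --compare-versions "$os_ver" gt 23.10; then`. The profile is written under /etc/apparmor.d and `apparmor.service` — a system unit — is restarted via `systemctl --user`, yet this tool runs as the unprivileged user, so both steps fail (the uninstall hunk's `systemctl --user stop` and `rm -f` under /etc share this problem); these need an explicit privileged step, e.g. a documented `sudo` command, rather than being silently attempted here. The profile also hard-codes `/usr/local/bin/rootlesskit` while the rest of the script refers to `${BIN}/rootlesskit`, and AppArmor attaches a profile by executable path, so with any other BIN the profile is silently ineffective — derive both the file name and the profile path from `${BIN}`. cmd_entrypoint_install continues outside the hunk, and the angle-bracket targets of the `abi` / `include` lines in the heredoc appear stripped in this rendering, so the heredoc should be checked against the source.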
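Review bot: `systemctl --user stop apparmor.service` is the wrong tool for removing one profile: it addresses a system unit through the user manager, and even where it could take effect it would stop AppArmor as a whole, with nothing in this hunk starting it again, so every other loaded profile would stay unenforced after uninstall. Unload only this profile and leave the service running: `apparmor_parser -R /etc/apparmor.d/usr.local.bin.rootlesskit` in place of the `systemctl` line, followed by the existing `rm -f`. Note that `rm -f` only suppresses the missing-file case, so a permission-denied error under /etc still returns non-zero and, if the script runs under `set -e` (not visible here), aborts uninstall before the trailing INFO lines; both steps need the same privileged execution as the install side. cmd_entrypoint_uninstall starts outside the hunk.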