[doc] Add AppArmor profile setup for rootlesskit on Ubuntu 24.04+ #3820

Open. fahedouch wants to merge 1 commit into main from reflect-apparmor-restrict-unprivileged-userns.
Conversation

fahedouch (Member)
@fahedouch fahedouch commented Jan 15, 2025

This PR fixes #2847:

  • Add documentation for AppArmor profile setup for rootlesskit on Ubuntu 24.04+

@fahedouch fahedouch force-pushed the reflect-apparmor-restrict-unprivileged-userns branch 3 times, most recently from 2831b14 to d9e3658 on January 15, 2025 17:33
@fahedouch fahedouch added this to the v2.0.3 milestone Jan 15, 2025
@fahedouch fahedouch marked this pull request as draft January 15, 2025 18:01
@fahedouch fahedouch force-pushed the reflect-apparmor-restrict-unprivileged-userns branch from 2f127d6 to 6045750 on January 15, 2025 21:57
@AkihiroSuda (Member)

I don't think that the rootless set up tool should invoke sudo.

rootlesskit already prints the hint when the AppArmor condition is not satisfied.
https://github.com/rootless-containers/rootlesskit/blob/v2.3.1/pkg/parent/warn.go#L84

@AkihiroSuda AkihiroSuda removed this from the v2.0.3 milestone Jan 16, 2025
@fahedouch (Member, Author)

Ah, my bad! I didn't know it was supported by rootlesskit; I will reflect this in the documentation.

@fahedouch fahedouch force-pushed the reflect-apparmor-restrict-unprivileged-userns branch from 6045750 to 7363094 on January 16, 2025 13:03
@fahedouch (Member, Author)

The AppArmor warning message is already handled by `./containerd-rootless-setuptool.sh check`:

```console
faheddorgaa@lima-default:/Users/faheddorgaa/go/src/github.com/nerdctl/extras/rootless$ ./containerd-rootless-setuptool.sh check
[INFO] Checking RootlessKit AppArmor profile
[INFO] Checking RootlessKit functionality
WARN[0000] [rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1  error="fork/exec /proc/self/exe: permission denied"
WARN[0000] [rootlesskit:parent] Hint: try running the following commands:


########## BEGIN ##########
cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.local.bin.rootlesskit>
}
EOT
sudo systemctl restart apparmor.service
########## END ##########

[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied
[ERROR] RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ .
```

Documentation updated.
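As an added example, not code from nerdctl or rootlesskit, the following POSIX shell script performs the same diagnosis as the `check` output above without invoking sudo (the point raised in review): it reads `/proc/sys/kernel/apparmor_restrict_unprivileged_userns`, resolves the real path of the `rootlesskit` binary (AppArmor matches on the resolved path, so a symlinked install would otherwise get a profile for the wrong file), checks whether a profile for that path already exists under `/etc/apparmor.d`, and if not prints the exact profile text from the hint for an administrator to install. The script name `check-rootlesskit-apparmor.sh` and the optional override arguments to `userns_restricted` and `advise` are assumptions for illustration and testing.

```shell
#!/bin/sh
# Added example (not part of nerdctl or rootlesskit). Reports whether the
# AppArmor unprivileged-userns restriction applies to rootlesskit and, if so,
# prints the profile an administrator should install. Never calls sudo.

# Profile file name for a binary path, following the naming used in the hint:
#   /usr/local/bin/rootlesskit -> usr.local.bin.rootlesskit
profile_name_for() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

# Returns 0 when the kernel only allows user namespace creation from
# AppArmor-profiled binaries (sysctl value 1). The optional argument
# overrides the procfs path so the function can be tested on a constructed file.
userns_restricted() {
    f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Emit the profile text from rootlesskit's hint for the given binary path.
render_profile() {
    bin="$1"
    cat <<EOT
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

$bin flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$(profile_name_for "$bin")>
}
EOT
}

# Report the state for one binary. Returns 0 when a profile file already
# exists, 2 when one is missing. The optional second argument overrides
# /etc/apparmor.d (assumed default) for testing.
advise() {
    bin="$1"
    dir="${2:-/etc/apparmor.d}"
    name="$(profile_name_for "$bin")"
    if [ -e "$dir/$name" ]; then
        echo "profile $dir/$name already present"
        return 0
    fi
    echo "no profile for $bin; as root, write the following to $dir/$name and restart apparmor.service:"
    render_profile "$bin"
    return 2
}

main() {
    bin="$(command -v rootlesskit 2>/dev/null || echo /usr/local/bin/rootlesskit)"
    # AppArmor attaches profiles to the resolved path, so follow symlinks.
    [ -e "$bin" ] && bin="$(readlink -f "$bin")"
    if userns_restricted; then
        advise "$bin"
    else
        echo "apparmor_restrict_unprivileged_userns is not 1; no profile needed for $bin"
    fi
}

# Run the check only when executed as a script, not when the functions are sourced.
if [ "${0##*/}" = "check-rootlesskit-apparmor.sh" ]; then
    main "$@"
fi
```

The exit status of `advise` (2 when a profile is missing) lets the script be used as a preflight step in provisioning, while the actual write to `/etc/apparmor.d` and the `apparmor.service` restart stay with the administrator, matching the hint rootlesskit itself prints.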

@fahedouch fahedouch marked this pull request as ready for review January 16, 2025 13:03
Introduce documentation to set up the AppArmor profile for rootlesskit.

Signed-off-by: fahed dorgaa <[email protected]>
@fahedouch fahedouch force-pushed the reflect-apparmor-restrict-unprivileged-userns branch from 7363094 to 37904a0 on January 16, 2025 13:05
@fahedouch fahedouch requested a review from AkihiroSuda January 16, 2025 13:06
@fahedouch fahedouch changed the title Add AppArmor profile setup for rootlesskit on Ubuntu 23.10+ [doc] Add AppArmor profile setup for rootlesskit on Ubuntu 24.04+ Jan 16, 2025
sudo systemctl restart apparmor.service
```

```console
AkihiroSuda (Member) commented on these lines:

remove

@@ -25,6 +25,31 @@ The usage of `containerd-rootless-setuptool.sh` is almost same as [`dockerd-root

Resource limitation flags such as `nerdctl run --memory` require systemd and cgroup v2: https://rootlesscontaine.rs/getting-started/common/cgroup2/

#### AppArmor Profile (Ubuntu 24.04+)

To ensure `rootlesskit` works on systems with restrictions on unprivileged user namespaces (e.g., Ubuntu 24.04+), you need to set up an AppArmor profile for `rootlesskit`:
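Review bot: the added sentence "you need to set up an AppArmor profile for `rootlesskit`" is stated unconditionally, but the review comment below notes it does not hold when rootlesskit is installed via apt-get, and the `check` output earlier in this thread shows the real trigger. Qualify it: the profile is needed only when `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` is set to 1 and the installed rootlesskit binary (for example `/usr/local/bin/rootlesskit`) has no AppArmor profile, and point readers at `containerd-rootless-setuptool.sh check`, which prints the exact profile and the `sudo` commands to install it when that condition is not satisfied.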
AkihiroSuda (Member) commented on this line:

This is not true when rootlesskit is installed via apt-get


@AkihiroSuda AkihiroSuda added this to the v2.0.3 milestone Jan 17, 2025