Add error fix & details for AppArmor /proc/self/exe denied #64

Closed
wants to merge 2 commits into from

DenisBalan

tldr: To have more error-resolution use cases in the docs.

Addresses rootless-containers/rootlesskit#439

Based on rootless-containers/rootlesskit#434

@@ -8,5 +8,6 @@ may need the root for the initial set-up.

- [Logging in](./login)
- [/etc/subuid and /etc/subgid](./subuid)
- [fork/exec /proc/self/exe: operation not permitted](./fork-exec-self-exe)
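
Review bot: The entry added on the last line of this hunk is titled with the raw error string `fork/exec /proc/self/exe: operation not permitted` and never mentions AppArmor, although the PR title names AppArmor as the cause. The sibling entries (`Logging in`, `/etc/subuid and /etc/subgid`) are named after the set-up step they describe. Consider titling the entry after the step and keeping the error text inside the linked page, so readers who search for the message still find it.
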
Member

@AkihiroSuda AkihiroSuda May 14, 2024

Probably this should be like [Optional] Adjust AppArmor profile.

I also wonder if this should be moved to the Tips section in https://rootlesscontaine.rs/getting-started/containerd/, as this step is only needed if the rootlesskit path is not /usr/bin/rootlesskit, and the host is Ubuntu >= 23.10


Based on <https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces>

After running `containerd-rootless-setuptool.sh check` or `containerd-rootless-setuptool.sh install`
Member

The docs under https://rootlesscontaine.rs/getting-started/common/ should not assume containerd/nerdctl

[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted
```

Try to run `rootlesskit bash`, it will generate a script, based on hint from
Member

This applies only if the rootlesskit path is not /usr/bin/rootlesskit, and the host is Ubuntu >= 23.10

@AkihiroSuda
Member

@DenisBalan ping

@AkihiroSuda
Member

This is now documented in https://rootlesscontaine.rs/getting-started/common/apparmor/

@AkihiroSuda
Member

I assume we can close this

@AkihiroSuda AkihiroSuda closed this Aug 9, 2024
2 participants