-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add error fix & details for AppArmor /proc/self/exe denied #64
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
--- | ||
title: "Operation not permitted fork/exec /proc/self/exe" | ||
weight: 40 | ||
--- | ||
|
||
AppArmor is a Linux security module that restricts programs' capabilities by enforcing access controls defined in profiles. | ||
It provides an additional layer of security by limiting what resources applications can access. | ||
|
||
Based on <https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces> | ||
|
||
After running `containerd-rootless-setuptool.sh check` or `containerd-rootless-setuptool.sh install` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The docs under https://rootlesscontaine.rs/getting-started/common/ should not assume containerd/nerdctl |
||
|
||
If you get the error below | ||
|
||
``` | ||
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted | ||
``` | ||
|
||
Try to run `rootlesskit bash`, it will generate a script, based on hint from | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This applies only if the rootlesskit path is not |
||
<https://github.com/rootless-containers/rootlesskit/blob/master/pkg/parent/warn.go> | ||
|
||
``` | ||
ubuntu@energetic-anemone:~$ rootlesskit bash | ||
WARN[0000] [rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1 error="fork/exec /proc/self/exe: permission denied" | ||
WARN[0000] [rootlesskit:parent] Hint: try running the following commands: | ||
|
||
|
||
########## BEGIN ########## | ||
cat <<EOT | sudo tee "/etc/apparmor.d/home.ubuntu.bin.rootlesskit" | ||
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces | ||
abi <abi/4.0>, | ||
include <tunables/global> | ||
|
||
/home/ubuntu/bin/rootlesskit flags=(unconfined) { | ||
userns, | ||
|
||
# Site-specific additions and overrides. See local/README for details. | ||
include if exists <local/home.ubuntu.bin.rootlesskit> | ||
} | ||
EOT | ||
sudo systemctl restart apparmor.service | ||
########## END ########## | ||
|
||
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied | ||
|
||
``` | ||
|
||
more context: <https://github.com/rootless-containers/rootlesskit/issues/434> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably this should be like
[Optional] Adjust AppArmor profile
.I also wonder if this should be moved to the
Tips
section in https://rootlesscontaine.rs/getting-started/containerd/ , as this step is only needed if the rootlesskit path is not/usr/bin/rootlesskit
, and the host is Ubuntu >= 23.10