Add error fix & details for AppArmor /proc/self/exe denied #64

Closed
wants to merge 2 commits into from
1 change: 1 addition & 0 deletions content/getting-started/common/_index.md
Expand Up @@ -8,5 +8,6 @@ may need the root for the initial set-up.

- [Logging in](./login)
- [/etc/subuid and /etc/subgid](./subuid)
- [fork/exec /proc/self/exe: operation not permitted](./fork-exec-self-exe)
@AkihiroSuda AkihiroSuda May 14, 2024

Probably this should be like [Optional] Adjust AppArmor profile.

I also wonder if this should be moved to the Tips section in https://rootlesscontaine.rs/getting-started/containerd/ , as this step is only needed if the rootlesskit path is not /usr/bin/rootlesskit, and the host is Ubuntu >= 23.10

- [[Optional] cgroup v2](./cgroup2)
- [[Optional] Configuring sysctl values](./sysctl)
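Review bot: the new `fork-exec-self-exe` entry sits among the unconditional steps, ahead of the `[Optional]` items, but the fix it links to only applies on hosts where AppArmor restricts unprivileged user namespaces (the comment above limits it to Ubuntu >= 23.10 with rootlesskit outside /usr/bin), so it should carry the same `[Optional]` prefix as the cgroup v2 and sysctl entries. The link text is also the raw error string rather than a step name like the neighbouring items; a title such as `[Optional] Adjust AppArmor profile` keeps the list parallel and still lets the page itself quote the full error for searchability.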
48 changes: 48 additions & 0 deletions content/getting-started/common/fork-exec-self-exe.md
@@ -0,0 +1,48 @@
---
title: "Operation not permitted fork/exec /proc/self/exe"
weight: 40
---

AppArmor is a Linux security module that restricts programs' capabilities by enforcing access controls defined in profiles.
It provides an additional layer of security by limiting what resources applications can access.

Based on <https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces>

After running `containerd-rootless-setuptool.sh check` or `containerd-rootless-setuptool.sh install`

The docs under https://rootlesscontaine.rs/getting-started/common/ should not assume containerd/nerdctl


If you get the error below

```
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted
```

Try to run `rootlesskit bash`, it will generate a script, based on hint from

This applies only if the rootlesskit path is not /usr/bin/rootlesskit, and the host is Ubuntu >= 23.10

<https://github.com/rootless-containers/rootlesskit/blob/master/pkg/parent/warn.go>

```
ubuntu@energetic-anemone:~$ rootlesskit bash
WARN[0000] [rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1 error="fork/exec /proc/self/exe: permission denied"
WARN[0000] [rootlesskit:parent] Hint: try running the following commands:


########## BEGIN ##########
cat <<EOT | sudo tee "/etc/apparmor.d/home.ubuntu.bin.rootlesskit"
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

/home/ubuntu/bin/rootlesskit flags=(unconfined) {
userns,

# Site-specific additions and overrides. See local/README for details.
include if exists <local/home.ubuntu.bin.rootlesskit>
}
EOT
sudo systemctl restart apparmor.service
########## END ##########

[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied

```

more context: <https://github.com/rootless-containers/rootlesskit/issues/434>
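Review bot: the page names the error two different ways and never reconciles them: the title and the first code block say `fork/exec /proc/self/exe: operation not permitted`, while the `rootlesskit bash` transcript at the bottom shows `fork/exec /proc/self/exe: permission denied`; state up front that both messages point at the same cause (`/proc/sys/kernel/apparmor_restrict_unprivileged_userns` set to 1, as the WARN line says) so a reader searching for either string lands here. The sentence "Try to run `rootlesskit bash`, it will generate a script, based on hint from" reads as cut off before the warn.go link; something like "Run `rootlesskit bash`; on an affected host it prints a hint (generated by warn.go, linked below) with the commands needed" is clearer. The transcript should also be labelled as sample output: the profile name `home.ubuntu.bin.rootlesskit` and the path `/home/ubuntu/bin/rootlesskit` are derived from where that particular host installed the binary, so readers must take the block their own rootlesskit prints rather than copying this one. Finally, a one-line explanation of what the profile does would help people decide whether to install it: it grants only the `userns` permission to that single executable path, with `flags=(unconfined)` leaving the binary otherwise unrestricted, rather than relaxing the kernel-wide `apparmor_restrict_unprivileged_userns` setting.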