Merge pull request #421 from AkihiroSuda/warn-apparmor

Print hints if `kernel.apparmor_restrict_unprivileged_userns` is set
rootless-containers · Mar 3, 2024 · 227bf59 · 227bf59
2 parents efee459 + 33c3e7c
commit 227bf59
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/pkg/parent/parent.go b/pkg/parent/parent.go
@@ -190,6 +190,7 @@ func Parent(opt Opt) error {
 		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%d", opt.ParentEGIDEnvKey, os.Getegid()))
 	}
 	if err := cmd.Start(); err != nil {
+		warnOnChildStartFailure(err)
 		return fmt.Errorf("failed to start the child: %w", err)
 	}
 

diff --git a/pkg/parent/warn.go b/pkg/parent/warn.go
@@ -1,12 +1,14 @@
 package parent
 
 import (
+	"errors"
 	"os"
 	"strconv"
 	"strings"
 
 	"github.com/moby/sys/mountinfo"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 )
 
 func warnPropagation(propagation string) {
@@ -57,3 +59,46 @@ func warnSysctl() {
 		}
 	}
 }
+
+func warnOnChildStartFailure(childStartErr error) {
+	if errors.Is(childStartErr, unix.EACCES) {
+		// apparmor_restrict_unprivileged_userns is available since Ubuntu 23.10.
+		// Enabled by default since Ubuntu 24.04.
+		// https://github.com/containerd/nerdctl/issues/2847
+		b, err := os.ReadFile("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
+		if err == nil {
+			s := strings.TrimSpace(string(b))
+			i, err := strconv.ParseInt(s, 10, 64)
+			if err != nil {
+				logrus.WithError(err).Warnf("Failed to parse /proc/sys/kernel/apparmor_restrict_unprivileged_userns (%q)", s)
+			} else if i == 1 {
+				logrus.WithError(childStartErr).Warnf("This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1")
+				selfExe, err := os.Executable()
+				if err != nil {
+					selfExe = "/usr/local/bin/rootlesskit"
+					logrus.WithError(err).Warnf("Failed to detect the path of the rootlesskit binary, assuming it to be %q", selfExe)
+				}
+				profileName := strings.ReplaceAll(strings.TrimPrefix(selfExe, "/"), "/", ".")
+				const tmpl = `
+
+########## BEGIN ##########
+cat <<EOT | sudo tee "/etc/apparmor.d/%s"
+# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+abi <abi/4.0>,
+include <tunables/global>
+
+%s flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/%s>
+}
+EOT
+sudo systemctl restart apparmor.service
+########## END ##########
+`
+				logrus.Warnf("Hint: try running the following commands:\n"+tmpl+"\n", profileName, selfExe, profileName)
+			}
+		}
+	}
+}