Runj runs abnormally on Ubuntu 24.04 & Linux 6.8 #16

Open
GZTimeWalker opened this issue Jun 17, 2024 · 0 comments

Comments

@GZTimeWalker (Collaborator)

While testing #15, I found that runj does not run as expected.

System and kernel version: Ubuntu 24.04 LTS (GNU/Linux 6.8.0-35-generic x86_64)

Some of the permission problems are caused by the new AppArmor profile in 24.04 (before upgrading this machine in place there was no such problem, and this profile file did not exist before the upgrade):

# file: /etc/apparmor.d/unprivileged_userns
# 
# Special profile transitioned to by unconfined when creating an unprivileged
# user namespace.
#
abi <abi/4.0>,
include <tunables/global>

profile unprivileged_userns {
     audit deny capability,
     audit deny change_profile,

     # allow block to be replaced by allow when x dominance test is fixed
     # allow all,
     allow network,
     allow signal,
     allow dbus,
     allow file rwlkm /**,
     allow unix,
     allow mqueue,
     allow ptrace,
     allow userns,

     # stack children to strip capabilities
     allow pix /** -> &unprivileged_userns ,

     # Site-specific additions and overrides. See local/README for details.
     include if exists <local/unprivileged_userns>
}

Corresponding log:

ERR: Runj failed with code 1: time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec[310183]: => nsexec container setup"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-0[310183]: ~> nsexec stage-0"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-0[310183]: spawn stage-1"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-0[310183]: -> stage-1 synchronisation loop"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-1[310184]: ~> nsexec stage-1"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-1[310184]: unshare user namespace"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-1[310184]: request stage-0 to map user namespace"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-1[310184]: waiting stage-0 to complete the mapping of user namespace"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-0[310183]: stage-1 requested userns mappings"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-0[310183]: update /proc/310184/uid_map to '0 1000 1\n1 100000 65536\n'"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-0[310183]: update /proc/310184/uid_map got -EPERM (trying /usr/bin/newuidmap)"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-0[310183]: update /proc/310184/gid_map to '0 1000 1\n1 100000 65536\n'"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-0[310183]: update /proc/310184/gid_map got -EPERM (trying /usr/bin/newgidmap)"
time="2024-06-18T04:29:10+08:00" level=debug msg="nsexec-1[310184]: unshare remaining namespaces (except cgroupns)"
time="2024-06-18T04:29:10+08:00" level=fatal msg="nsexec-1[310184]: failed to unshare remaining namespaces (except cgroupns): Operation not permitted"
time="2024-06-18T04:29:10+08:00" level=fatal msg="nsexec-0[310183]: failed to sync with stage-1: next state: Operation not permitted"
time="2024-06-18T04:29:10+08:00" level=fatal msg="Error executing the container" error="Error initializing the container process: unable to start container process: can't get final child's PID from pipe: EOF"

Kernel log:

Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.549:967): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=310184 comm="runc:[1:CHILD]" capability=21  capname="sys_admin"
Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.539:966): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=310184 comm="runc:[1:CHILD]" requested="userns_create" target="unprivileged_userns"
Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.419:965): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=310170 comm="runc:[1:CHILD]" capability=21  capname="sys_admin"
Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.408:964): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=310170 comm="runc:[1:CHILD]" requested="userns_create" target="unprivileged_userns"
Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.319:963): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=310156 comm="runc:[1:CHILD]" capability=21  capname="sys_admin"
Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.307:962): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=310156 comm="runc:[1:CHILD]" requested="userns_create" target="unprivileged_userns"
Jun 18 04:29:06 nc kernel: audit: type=1400 audit(1718656146.786:961): apparmor="STATUS" operation="profile_load" profile="unconfined" name="unprivileged_userns" pid=310084 comm="apparmor_parser"
Jun 18 04:29:03 nc kernel: audit: type=1400 audit(1718656143.517:960): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="unprivileged_userns" pid=310044 comm="apparmor_parser"

I tried to disable this rule set with the following commands:

sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns # remove them
sudo apparmor_parser -C /etc/apparmor.d/unprivileged_userns # force into complain mode

Afterwards:

ERR: Runj failed with code 1: time="2024-06-18T04:33:58+08:00" level=debug msg="nsexec[311571]: => nsexec container setup"
// ignore the normal outputs...
time="2024-06-18T04:33:58+08:00" level=debug msg="nsexec-0[311571]: <~ nsexec stage-0"
time="2024-06-18T04:33:58+08:00" level=fatal msg="Error executing the container" error="Error initializing the container process: unable to start container process: error during container init: error jailing process inside rootfs: open /mnt/data/projects/seele/runj/tests/runj-test/merged/113377828: permission denied"

Kernel log at the same time:

Jun 18 04:33:58 nc kernel: apparmor mqueue disconnected TODO
Jun 18 04:33:58 nc kernel: apparmor mqueue disconnected TODO
Jun 18 04:33:58 nc kernel: overlayfs: upper fs does not support tmpfile.

^ The output above left me speechless (
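To confirm from the kernel audit trail that the AppArmor transition is what breaks the container setup, here is an added Go example (not runj's own code) that correlates, per PID, the userns_create transition into unprivileged_userns with the capability denial recorded right after it; sampleAudit, Finding and Diagnose are names assumed for this example, and the input is a constructed copy of the audit lines quoted above.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample: four kernel audit lines copied from the issue (two runc child PIDs).
const sampleAudit = `Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.549:967): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=310184 comm="runc:[1:CHILD]" capability=21  capname="sys_admin"
Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.539:966): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=310184 comm="runc:[1:CHILD]" requested="userns_create" target="unprivileged_userns"
Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.419:965): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=310170 comm="runc:[1:CHILD]" capability=21  capname="sys_admin"
Jun 18 04:29:10 nc kernel: audit: type=1400 audit(1718656150.408:964): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=310170 comm="runc:[1:CHILD]" requested="userns_create" target="unprivileged_userns"`

// Finding summarises one task's AppArmor history (hypothetical type, added for this example).
type Finding struct {
	Transitioned bool     // unconfined -> unprivileged_userns on userns_create
	DeniedCaps   []string // capabilities denied while under that profile (e.g. sys_admin)
}

// kvRe matches key="quoted value" or key=bare, so comm="runc:[1:CHILD]" and pid=310184 both parse.
var kvRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// Diagnose correlates, per PID, the userns_create transition into unprivileged_userns with any
// capability denial recorded under that profile. A task showing both is exactly the state in
// which nsexec's later unshare() of the remaining namespaces returns EPERM.
func Diagnose(log string) map[string]*Finding {
	byPID := map[string]*Finding{}
	for _, line := range strings.Split(log, "\n") {
		f := map[string]string{}
		for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
			f[m[1]] = m[2] + m[3] // exactly one of the two capture groups is non-empty
		}
		userns := f["operation"] == "userns_create" && f["target"] == "unprivileged_userns"
		denied := f["apparmor"] == "DENIED" && f["operation"] == "capable" && f["profile"] == "unprivileged_userns"
		if !userns && !denied {
			continue // unrelated record, e.g. profile_load by apparmor_parser
		}
		fd := byPID[f["pid"]]
		if fd == nil {
			fd = &Finding{}
			byPID[f["pid"]] = fd
		}
		if userns {
			fd.Transitioned = true
		} else {
			fd.DeniedCaps = append(fd.DeniedCaps, f["capname"])
		}
	}
	return byPID
}
```

On the lines above both child PIDs come back with Transitioned set and sys_admin denied, which is the condition behind the "failed to unshare remaining namespaces: Operation not permitted" message; on 24.04 the transition itself is governed by the kernel.apparmor_restrict_unprivileged_userns sysctl.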
