Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ubuntu 24.04 now restricts user namespaces by default, which breaks some setups #2319

Closed
afbjorklund opened this issue May 5, 2024 · 1 comment · Fixed by #2320
Closed

Ubuntu 24.04 now restricts user namespaces by default, which breaks some setups #2319

afbjorklund opened this issue May 5, 2024 · 1 comment · Fixed by #2320
Labels
guest/ubuntu Guest: Ubuntu

Comments

@afbjorklund
Copy link
Member

afbjorklund commented May 5, 2024
edited
Loading

Description

The setup in the default cidata (for containerd) is now mandatory, since otherwise containers don't work:

https://github.com/lima-vm/lima/blob/v0.21.0/pkg/cidata/cidata.TEMPLATE.d/boot/40-install-containerd.sh#L80

It comes with a default allowance for rootlesskit, but only when installed in /usr/bin/rootlesskit

And it needs similar setup, for Apptainer to work... Since it doesn't support Ubuntu, it doesn't affect Podman*.

$ limactl shell apptainer apptainer run -u -B $HOME:$HOME docker://alpine
INFO:    Converting OCI blobs to SIF format
INFO:    Starting build...
Copying blob 4abcf2066143 done   | 
Copying config bc4e4f7999 done   | 
Writing manifest to image destination
2024/05/05 12:29:22  info unpack layer: sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8
INFO:    Creating SIF file...
ERROR  : Could not write info to setgroups: Permission denied

* with Fedora you already have the SELinux and the tmp-on-tmpfs breakage to take care of instead.
@afbjorklund afbjorklund added the guest/ubuntu Guest: Ubuntu label May 5, 2024
@AkihiroSuda AkihiroSuda mentioned this issue May 5, 2024
Merged
@afbjorklund
Copy link
Member Author

Workaround for apptainer (#2320):

root@lima-apptainer:~#     # Workaround for https://github.com/apptainer/apptainer/issues/2027
    echo "kernel.apparmor_restrict_unprivileged_userns = 0" >/etc/sysctl.d/99-userns.conf
    sysctl --system
$ limactl shell apptainer apptainer run -u -B $HOME:$HOME docker://alpine
INFO:    Using cached SIF image
Apptainer>

@mraron mraron mentioned this issue May 29, 2024
Open
@gdevenyi gdevenyi mentioned this issue Jul 12, 2024
Open
@zed zed mentioned this issue Jul 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
guest/ubuntu Guest: Ubuntu
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

apptainer: fix AppArmor incompatibility with Ubuntu 24.04 AkihiroSuda/lima-vm-lima
1 participant
@afbjorklund