Nesting (docker) in containers broken on Ubuntu 24.04 #791
Comments
hmm... it looks like there's a similar issue opened up with LXD
Never use security.privileged for this kind of stuff, it prevents the use of AppArmor namespaces on top of making your host system extremely vulnerable to attacks.
Thanks - that was just there for testing to see if it would make a difference. Using
As a workaround, moving this environment to mainline kernel
Sounds like some new AppArmor feature that's only in the Ubuntu kernel. I'll have to take a look. If that's the case, we'll be closing this issue as we have little interest in doing special handling for distro specific kernel experiments.
Fair enough - thanks for taking a peek. It does feel like they introduced a change into 24.04 at the last minute (I've been testing nightlies of 24.04 for a while now and everything has worked great with Incus, right up until this recent upgrade with the final release of Noble)
Tests so far:
The issue with this denial:
Is that it apparently occurs within the generated The apparmor One way to resolve the mess is to undo what Ubuntu did:
Closing as this whole thing is because of Ubuntu-specific changes causing wide ranging regressions (requirement of AppArmor for anything to use userns) and their attempted fixes for this situation (apparmor profile for runc) then further getting things to run into AppArmor bugs/issues.
Required information
Output of `incus info` (partial, as captured):

```
version: "1"
remote: false
version: 2.03.16(2) (2022-05-18) / 1.02.185 (2022-05-18) / 4.48.0
remote: false
version: 2.03.16(2) (2022-05-18) / 1.02.185 (2022-05-18) / 4.48.0
remote: true
version: 6.6.3
remote: false
```
Issue description
I'm trying to run docker inside a simple lxc container, using a config that worked on an early development release kernel of 24.04. I've rebuilt the system to 24.04 final and it appears something has broken container nesting on this latest kernel.
My incus container config has:
When I try to start any docker container from within this incus container, I get:
```
$ docker run -it alpine /bin/sh
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied: unknown.
ERRO[0000] error waiting for container:
```
And the parent host generates an audit message:
```
[ 2834.188006] audit: type=1400 audit(1714097921.411:1252): apparmor="DENIED" operation="pivotroot" class="mount" namespace="root//incus-test_<var-lib-incus>" profile="runc" name="/var/lib/docker/overlay2/38b1e498be70b0eff840bc92770eef7ebaa1c2b3caea9bf0f93bf5ff53088c28/merged/" pid=26921 comm="runc:[2:INIT]" srcname="/var/lib/docker/overlay2/38b1e498be70b0eff840bc92770eef7ebaa1c2b3caea9bf0f93bf5ff53088c28/merged/"
```
I've tried disabling the new Ubuntu-specific unprivileged user namespace restrictions by setting

```
kernel.apparmor_restrict_unprivileged_userns=0
```

but it did not help.
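An added example, not from this issue or from the Incus project: a small Python parser that pulls the `key="value"` fields out of AppArmor `type=1400` audit lines like the one quoted above and flags DENIED events raised inside a container's nested policy namespace (the `root//incus-...` prefix), so a host operator can pick nested-runc denials out of dmesg without reading each line by hand. The denial line in the sample is the one from this issue; the ALLOWED line and the kernel line are constructed, and the namespace naming scheme is assumed from that one line.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the pivotroot denial quoted in this issue, one
# constructed ALLOWED event and one unrelated kernel line.
SAMPLE_LOG = """\
[ 2834.188006] audit: type=1400 audit(1714097921.411:1252): apparmor="DENIED" operation="pivotroot" class="mount" namespace="root//incus-test_<var-lib-incus>" profile="runc" name="/var/lib/docker/overlay2/38b1e498be70b0eff840bc92770eef7ebaa1c2b3caea9bf0f93bf5ff53088c28/merged/" pid=26921 comm="runc:[2:INIT]" srcname="/var/lib/docker/overlay2/38b1e498be70b0eff840bc92770eef7ebaa1c2b3caea9bf0f93bf5ff53088c28/merged/"
[ 2835.000000] audit: type=1400 audit(1714097922.000:1253): apparmor="ALLOWED" operation="open" profile="incus-test_</var/lib/incus>" name="/etc/hosts" pid=100 comm="cat"
[ 2836.000000] kernel: eth0: link up
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one AppArmor (type=1400) audit line into a dict; None if not one."""
    if "type=1400" not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields if "apparmor" in fields else None


def container_from_namespace(ns: str) -> Optional[str]:
    """Recover the Incus container name from a namespace like
    root//incus-NAME_<var-lib-incus> (assumed naming scheme)."""
    m = re.match(r"root//incus-(.+?)_<", ns)
    return m.group(1) if m else None


def nested_denials(log_text: str) -> List[Dict[str, str]]:
    """Return DENIED events, annotating which ones come from a nested
    AppArmor policy namespace (a container running its own profiles)."""
    out: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if ev is None or ev.get("apparmor") != "DENIED":
            continue
        ns = ev.get("namespace", "root")
        ev["nested"] = "yes" if ns.startswith("root//") else "no"
        ev["container"] = container_from_namespace(ns) or ""
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in nested_denials(SAMPLE_LOG):
        print(ev["container"], ev["profile"], ev["operation"], ev["name"])
```

Run against `dmesg` or `journalctl -k` output instead of `SAMPLE_LOG` to list which container and which nested profile (here `runc`) is being denied.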