Enable RootlessKit on Ubuntu 24.04 with AppArmor.

Addressing msg="[rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1" error="fork/exec /proc/self/exe: permission denied" msg="[rootlesskit:parent] Hint: try running the following commands:\n\n\n########## BEGIN ##########\ncat <<EOT | sudo tee \"/etc/apparmor.d/home.runner.bin.rootlesskit\"\n# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces\nabi <abi/4.0>,\ninclude <tunables/global>\n\n/home/runner/bin/rootlesskit flags=(unconfined) {\n userns,\n\n # Site-specific additions and overrides. See local/README for details.\n include if exists <local/home.runner.bin.rootlesskit>\n}\nEOT\nsudo systemctl restart apparmor.service\n########## END ##########\n\n" [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied
freeipa · Feb 15, 2025 · 33183d3 · 33183d3
1 parent c6d28b7
commit 33183d3
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -129,6 +129,18 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - run: sudo systemctl disable --now docker.service docker.socket
+      - run: |
+          cat <<EOT | sudo tee "/etc/apparmor.d/home.runner.bin.rootlesskit"
+          # ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+          abi <abi/4.0>,
+          include <tunables/global>
+          /home/runner/bin/rootlesskit flags=(unconfined) {
+            userns,
+            # Site-specific additions and overrides. See local/README for details.
+            include if exists <local/home.runner.bin.rootlesskit>
+          }
+          EOT
+          sudo systemctl restart apparmor.service
       - run: curl -fsSL https://get.docker.com/rootless | FORCE_ROOTLESS_INSTALL=1 sh
       - uses: actions/download-artifact@v4
         with: