kas-container: add support for Ubuntu 24.04 hosts
On Ubuntu 24.04 the default apparmor profile restricts unprivileged user
namespaces. This breaks the bitbake execution, as bitbake uses this
mechanism for network and uid isolation, resulting in the following
error message:

 File "/work/isar/bitbake/bin/bitbake-worker", line 268, in child
     bb.utils.disable_network(uid, gid)
   File "/work/isar/bitbake/lib/bb/utils.py", line 1653, in disable_network
     with open("/proc/self/uid_map", "w") as f:
 PermissionError: [Errno 1] Operation not permitted

To fix this for docker, we start the container under the "rootlesskit"
profile, which allows (unprivileged) modifications of the userns
namespace. On podman, no fix is needed as podman is already executed
with a suitable profile. We detect this situation based on apparmor sysfs
entries and by that avoid a tight coupling with distro versions.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
fmoessbauer authored and jan-kiszka committed Jan 13, 2025
1 parent 00a0ffa commit a4055b0
Showing 1 changed file with 21 additions and 0 deletions.
21 changes: 21 additions & 0 deletions kas-container
Expand Up @@ -99,6 +99,12 @@ warning(){
echo "${KAS_CONTAINER_SELF_NAME}: Warning: $*" >&2
}

debug(){
if [ -n "${KAS_VERBOSE}" ]; then
echo "${KAS_CONTAINER_SELF_NAME}: Debug: $*" >&2
fi
}

trace()
{
[ -n "${KAS_VERBOSE}" ] && echo "+ $*" >&2
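Review bot: debug() is gated on the same KAS_VERBOSE switch as trace() just below it, so the new AppArmor message can only be seen with full command tracing turned on as well; if that coupling is intended, a one-line comment above debug() saying so would help. The if/fi form is the right choice here, since it returns 0 when KAS_VERBOSE is unset, unlike the `[ -n ... ] && echo` form used in trace().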
Expand Down Expand Up @@ -130,6 +136,20 @@ enable_oe_mode() {
fi
}

enable_unpriv_userns_docker() {
if [ -f /etc/os-release ] && grep -q 'NAME="Ubuntu"' /etc/os-release &&
[ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] &&
[ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then
if [ -f /etc/apparmor.d/rootlesskit ]; then
debug "AppArmor restricts unprivileged userns, using \"rootlesskit\" profile"
KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --security-opt apparmor=rootlesskit"
else
warning "AppArmor restricts unprivileged userns but no suitable apparmor " \
"profile found. Consider setting apparmor_restrict_unprivileged_userns=0"
fi
fi
}

run_clean() {
if [ -n "${KAS_ISAR_ARGS}" ]; then
# SC2086: Double quote to prevent globbing and word splitting.
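Review bot: the `[ -f /etc/apparmor.d/rootlesskit ]` test in enable_unpriv_userns_docker only proves that a profile file exists on disk, not that the profile is loaded, so on a host where the file is present but AppArmor has not loaded it the script still appends `--security-opt apparmor=rootlesskit` and leaves the failure to docker. Please either check the loaded state or say in a comment that file presence is taken as a proxy. Two related points in the same function: the `grep -q 'NAME="Ubuntu"' /etc/os-release` guard ties the fix to one distro name even though the commit message wants to avoid distro coupling, and the `apparmor_restrict_unprivileged_userns` sysctl test alone already describes the condition, so consider dropping the grep. Also, `--security-opt apparmor=` replaces the profile docker would otherwise apply to the container rather than adding to it, which is a confinement trade-off worth a sentence in the function comment or the docs. Minor: the two-part warning string ends in "apparmor " and is joined through `$*`, so the message prints with a double space.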
Expand Down Expand Up @@ -205,6 +225,7 @@ KAS_RUNTIME_ARGS="--log-driver=none --user=root"
case "${KAS_CONTAINER_ENGINE}" in
docker)
KAS_CONTAINER_COMMAND="docker"
enable_unpriv_userns_docker
;;
podman)
KAS_CONTAINER_COMMAND="podman"
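Review bot: the `enable_unpriv_userns_docker` call in the docker branch is unconditional, so every docker invocation on an affected host either gets its AppArmor profile switched or prints the warning, with no way for the user to opt out or to pick a different profile. Consider skipping the call when the user has already supplied their own `--security-opt apparmor=...`, or documenting that the override is automatic. Leaving the podman branch untouched matches the commit message.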