From a4055b04f735c58e55e740a984a53c0ac5b8c1f5 Mon Sep 17 00:00:00 2001 From: Felix Moessbauer Date: Mon, 13 Jan 2025 10:46:08 +0100 Subject: [PATCH] kas-container: add support for Ubuntu 24.04 hosts On Ubuntu 24.04 the default apparmor profile restricts unprivileged user namespaces. This breaks the bitbake execution, as bitbake uses this mechanism for network and uid isolation, resulting in the following error message: File "/work/isar/bitbake/bin/bitbake-worker", line 268, in child bb.utils.disable_network(uid, gid) File "/work/isar/bitbake/lib/bb/utils.py", line 1653, in disable_network with open("/proc/self/uid_map", "w") as f: PermissionError: [Errno 1] Operation not permitted To fix this for docker, we start the container under the "rootlesskit" profile, which allows (unprivileged) modifications of the userns namespace. On podman, no fix is needed as podman is already executed with a suitable profile. We detect this situation based on apparmor sysfs entries and by that avoid a tight coupling with distro versions. Signed-off-by: Felix Moessbauer Signed-off-by: Jan Kiszka --- kas-container | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/kas-container b/kas-container index aea7be8b..756168d2 100755 --- a/kas-container +++ b/kas-container @@ -99,6 +99,12 @@ warning(){ echo "${KAS_CONTAINER_SELF_NAME}: Warning: $*" >&2 } +debug(){ + if [ -n "${KAS_VERBOSE}" ]; then + echo "${KAS_CONTAINER_SELF_NAME}: Debug: $*" >&2 + fi +} + trace() { [ -n "${KAS_VERBOSE}" ] && echo "+ $*" >&2 
@@ -130,6 +136,20 @@ enable_oe_mode() { fi } +enable_unpriv_userns_docker() { + if [ -f /etc/os-release ] && grep -q 'NAME="Ubuntu"' /etc/os-release && + [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] && + [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then + if [ -f /etc/apparmor.d/rootlesskit ]; then + debug "AppArmor restricts unprivileged userns, using \"rootlesskit\" profile" + KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --security-opt apparmor=rootlesskit" + else + warning "AppArmor restricts unprivileged userns but no suitable apparmor " \ + "profile found. Consider setting apparmor_restrict_unprivileged_userns=0" + fi + fi +} + run_clean() { if [ -n "${KAS_ISAR_ARGS}" ]; then # SC2086: Double quote to prevent globbing and word splitting. @@ -205,6 +225,7 @@ KAS_RUNTIME_ARGS="--log-driver=none --user=root" case "${KAS_CONTAINER_ENGINE}" in docker) KAS_CONTAINER_COMMAND="docker" + enable_unpriv_userns_docker ;; podman) KAS_CONTAINER_COMMAND="podman"
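Review bot: In `enable_unpriv_userns_docker`, appending `--security-opt apparmor=rootlesskit` replaces Docker's default AppArmor profile for the whole build container rather than granting one extra permission, and nothing in the function says so. If that profile is the stock Ubuntu one declared with `flags=(unconfined)` (not visible in this patch, please confirm), the container runs without AppArmor mediation, so a comment above the assignment should record the trade-off, e.g. `# NOTE: replaces docker-default; the rootlesskit profile may leave the container unconfined by AppArmor`. The `-f /etc/apparmor.d/rootlesskit` test only shows that the file exists on the host running kas-container, not that the profile is loaded where the Docker daemon runs, so a container start failure is still possible. The fallback warning points users at `apparmor_restrict_unprivileged_userns=0`, which turns the restriction off host-wide; it would be safer to suggest installing a profile that grants `userns` first and the sysctl only as a last resort. Separately, the two-argument `warning` call is joined through `$*`, so the printed message gets a double space after "apparmor".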