Merge pull request rootless-containers#463 from sbrivio-rh/master

Update comment and network guide to reflect current status of pasta's AppArmor issue on Ubuntu
Mirantis · Aug 23, 2024 · 264f23e · 264f23e
2 parents b160eea + 3bb2efa
commit 264f23e
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/docs/network.md b/docs/network.md
@@ -148,8 +148,17 @@ If `--disable-host-loopback` is not specified, ports listening on 127.0.0.1 in t
 > `--net=pasta` needs [pasta (passt)](https://passt.top/passt/) `2023_06_25.32660ce` or later.
 > Using `2023_12_04.b86afe3` or later is highly recommended.
 >
-> Depending on the version of pasta and the host operating system,
-> running `sudo apparmor_parser -R /etc/apparmor.d/usr.bin.passt` might be needed too.
+> Currently, this doesn't work with some Ubuntu versions of the passt
+> package:
+> - `passt-0.0~git20230627.289301b-1` (Ubuntu 23.10)
+> - `passt-0.0~git20240220.1e6f92b-1` (Ubuntu 24.04)
+> due to a missing `usr.bin.pasta` AppArmor profile, see:
+> https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2077158
+>
+> Workaround: set the `kernel.apparmor_restrict_unprivileged_userns`
+> sysctl to `0`, or (preferred) add the AppArmor profile from
+> upstream, or from Debian packages, or from Ubuntu > 24.10.
+
 
 Pros:
 * Possible to perform network-namespaced operations, e.g. creating iptables rules, running `tcpdump`

diff --git a/pkg/network/pasta/pasta.go b/pkg/network/pasta/pasta.go
@@ -137,9 +137,14 @@ func (d *parentDriver) ConfigureNetwork(childPID int, stateDir, detachedNetNSPat
 			"--netns="+detachedNetNSPath)
 	}
 
-	// FIXME: Doesn't work with passt_0.0~git20230216.4663ccc-1_amd64.deb (Ubuntu 23.04)
-	// `Couldn't open user namespace /proc/51813/ns/user: Permission denied`
-	// Possibly related to AppArmor.
+	// FIXME: Doesn't work with:
+	// - passt-0.0~git20230627.289301b-1 (Ubuntu 23.10)
+	// - passt-0.0~git20240220.1e6f92b-1 (Ubuntu 24.04)
+	// see https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2077158
+	//
+	// Workaround: set the kernel.apparmor_restrict_unprivileged_userns
+	// sysctl to 0, or (preferred) add the AppArmor profile from upstream,
+	// or from Debian packages, or from Ubuntu > 24.10.
 	cmd := exec.Command(d.binary, opts...)
 	logrus.Debugf("Executing %v", cmd.Args)
 	out, err := cmd.CombinedOutput()