Updating GitHub runners from ubuntu-22.04 to ubuntu-24.04 causes ScribeMD/rootless-docker to fail. This appears related to the AppArmor updates on Ubuntu 24.
Reproduction steps
- Create the following workflow in a GitHub repo:
name: Test ScribeMD/rootless-docker
on:
  push:
    branches:
      - "**"
  workflow_dispatch:
jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        runner: [ubuntu-20.04, ubuntu-22.04, ubuntu-24.04]
    name: Test ${{ matrix.runner }}
    runs-on: ${{ matrix.runner }}
    steps:
      - name: ScribeMD/rootless-docker
        uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2
- Run the workflow.
- Observe that only Test ubuntu-22.04 succeeds.
Expected behavior
ScribeMD/rootless-docker works with ubuntu-24.04.
Logs:
From Test ubuntu-24.04:
Run ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886
Run in_use='false'
Run sudo systemctl stop docker.service
Stopping 'docker.service', but its triggering units are still active:
docker.socket
Run echo ~/bin >>"$GITHUB_PATH"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 71.8M 100 71.8M 0 0 211M 0 --:--:-- --:--:-- --:--:-- 211M
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 20.0M 100 20.0M 0 0 177M 0 --:--:-- --:--:-- --:--:-- 177M
+ PATH=/home/runner/bin:/snap/bin:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin /home/runner/bin/dockerd-rootless-setuptool.sh install --force
time="2024-10-16T01:44:31Z" level=warning msg="[rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1" error="fork/exec /proc/self/exe: permission denied"
time="2024-10-16T01:44:31Z" level=warning msg="[rootlesskit:parent] Hint: try running the following commands:\n\n\n########## BEGIN ##########\ncat <<EOT | sudo tee \"/etc/apparmor.d/home.runner.bin.rootlesskit\"\n# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces\nabi <abi/4.0>,\ninclude <tunables/global>\n\n/home/runner/bin/rootlesskit flags=(unconfined) {\n userns,\n\n # Site-specific additions and overrides. See local/README for details.\n include if exists <local/home.runner.bin.rootlesskit>\n}\nEOT\nsudo systemctl restart apparmor.service\n########## END ##########\n\n"
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied
Error: [97m[ERROR] RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ .
Error: Process completed with exit code 1.
Formatted error message from Test ubuntu-24.04:
[Error] fork/exec /proc/self/exe: permission denied
This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1
Hint: try running the following commands:

########## BEGIN ##########
cat <<EOT | sudo tee "/etc/apparmor.d/home.runner.bin.rootlesskit"
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

/home/runner/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/home.runner.bin.rootlesskit>
}
EOT
sudo systemctl restart apparmor.service
########## END ##########
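The hint above hardcodes the runner's path to rootlesskit and applies unconditionally. As an added example (not part of this issue or of the ScribeMD/rootless-docker action), the following POSIX shell pre-flight step reads the sysctl named in the error and, only when it is set to 1, renders and installs the same per-binary AppArmor profile for whatever path the binary actually lives at, deriving the profile file name the way AppArmor does (leading slash dropped, remaining slashes replaced by dots). The function names and the optional path parameters are assumptions introduced for illustration and testing.

```shell
#!/bin/sh
# Added example, not code from the ScribeMD/rootless-docker action.
# Pre-flight step for the AppArmor unprivileged-userns restriction that breaks
# rootlesskit on ubuntu-24.04 runners (see the error text in the issue).
set -eu

# Returns 0 when the kernel restricts unprivileged user namespaces via AppArmor
# (the sysctl file exists and contains 1), 1 otherwise.
# The file path is a parameter (assumption for testability); the default is the
# real sysctl path from the error message.
userns_restricted() {
    sysctl_file="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    [ -r "$sysctl_file" ] && [ "$(cat "$sysctl_file")" = "1" ]
}

# AppArmor names the profile file after the binary path with the leading '/'
# dropped and every other '/' replaced by '.':
#   /home/runner/bin/rootlesskit -> home.runner.bin.rootlesskit
profile_name() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Print the profile from the rootlesskit hint, parameterised by binary path.
# The profile confines nothing (flags=(unconfined)); it exists only to grant
# the 'userns' permission to this one binary rather than to every user.
render_profile() {
    bin="$1"
    name="$(profile_name "$bin")"
    cat <<EOT
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

$bin flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOT
}

# Install the profile only when the restriction is actually active.
# $1 = absolute path to rootlesskit, $2 = profile directory (default /etc/apparmor.d).
install_profile_if_needed() {
    bin="$1"
    dest_dir="${2:-/etc/apparmor.d}"
    if ! userns_restricted; then
        echo "apparmor_restrict_unprivileged_userns is not 1; no profile needed"
        return 0
    fi
    render_profile "$bin" | sudo tee "$dest_dir/$(profile_name "$bin")" >/dev/null
    sudo systemctl restart apparmor.service
}

# Usage on a runner, with the binary location shown in the issue's log:
#   install_profile_if_needed /home/runner/bin/rootlesskit
```

Run this as a workflow step before the rootless-docker action so the profile is loaded by the time rootlesskit forks. Granting `userns` to one named binary is narrower than switching the restriction off for every process with `sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0`, which is why the profile route from the hint is the better fix on a shared runner image.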
Additional context