❌ Action fails on `ubuntu-24.04`

Updating GitHub runners from `ubuntu-22.04` to `ubuntu-24.04` causes `ScribeMD/rootless-docker` to fail. This appears related to the AppArmor updates on Ubuntu 24.

**Reproduction steps**
1. Create the following workflow in a GitHub repo:
    ```yaml
    name: Test ScribeMD/rootless-docker

    on:
      push:
        branches:
        - "**"
      workflow_dispatch:

    jobs:
      test:
        strategy:
          fail-fast: false
          matrix:
            runner: [ubuntu-20.04, ubuntu-22.04, ubuntu-24.04]

        name: Test ${{ matrix.runner }}
        runs-on: ${{ matrix.runner }}
        steps:
          - name: ScribeMD/rootless-docker
            uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2
    ```
2. Run the workflow.
   * Observe that only `Test ubuntu-22.04` succeeds.

**Expected behavior**
`ScribeMD/rootless-docker` works with `ubuntu-24.04`.

**Logs:**
From `Test ubuntu-24.04`:
```
Run ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886
Run in_use='false'
Run sudo systemctl stop docker.service
Stopping 'docker.service', but its triggering units are still active:
docker.socket
Run echo ~/bin >>"$GITHUB_PATH"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 71.8M  100 71.8M    0     0   211M      0 --:--:-- --:--:-- --:--:--  211M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 20.0M  100 20.0M    0     0   177M      0 --:--:-- --:--:-- --:--:--  177M
+ PATH=/home/runner/bin:/snap/bin:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin /home/runner/bin/dockerd-rootless-setuptool.sh install --force
time="2024-10-16T01:44:31Z" level=warning msg="[rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1" error="fork/exec /proc/self/exe: permission denied"
time="2024-10-16T01:44:31Z" level=warning msg="[rootlesskit:parent] Hint: try running the following commands:\n\n\n########## BEGIN ##########\ncat <<EOT | sudo tee \"/etc/apparmor.d/home.runner.bin.rootlesskit\"\n# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces\nabi <abi/4.0>,\ninclude <tunables/global>\n\n/home/runner/bin/rootlesskit flags=(unconfined) {\n  userns,\n\n  # Site-specific additions and overrides. See local/README for details.\n  include if exists <local/home.runner.bin.rootlesskit>\n}\nEOT\nsudo systemctl restart apparmor.service\n########## END ##########\n\n"
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied
Error: [97m[ERROR] RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ .
Error: Process completed with exit code 1.
```

Formatted error message from `Test ubuntu-24.04`:
```
[Error] fork/exec /proc/self/exe: permission denied
    This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1
    Hint: try running the following commands:
        ########## BEGIN ##########
        cat <<EOT | sudo tee \"/etc/apparmor.d/home.runner.bin.rootlesskit\"
        # ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
        abi <abi/4.0>,
        include <tunables/global>

        /home/runner/bin/rootlesskit flags=(unconfined) {
          userns,

          # Site-specific additions and overrides. See local/README for details.
          include if exists <local/home.runner.bin.rootlesskit>
        }
        EOT
        sudo systemctl restart apparmor.service
        ########## END ##########
```


**Additional context**
* >Ubuntu 24.04 and later enables restricted unprivileged user namespaces by default, which prevents unprivileged processes in creating user namespaces unless an AppArmor profile is configured to allow programs to use unprivileged user namespaces.
  >
  >If you install `docker-ce-rootless-extras` using the deb package (`apt-get install docker-ce-rootless-extras`), then the AppArmor profile for `rootlesskit` is already bundled with the `apparmor` deb package. With this installation method, you don't need to add any manual the AppArmor configuration. If you install the rootless extras using the [installation script](https://get.docker.com/rootless), however, you must add an AppArmor profile for `rootlesskit` manually: ...
  >—[Rootless mode (docs.docker.com)](https://docs.docker.com/engine/security/rootless/#distribution-specific-hint)
* [[Optional] AppArmor (rootlesscontaine.rs)](https://rootlesscontaine.rs/getting-started/common/apparmor/)
* [What’s new in security for Ubuntu 24.04 LTS? (ubuntu.com)](https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts)
* [[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted (github.com/rootless-containers/rootlesskit)](https://github.com/rootless-containers/rootlesskit/issues/172#issuecomment-2122189550)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

❌ Action fails on `ubuntu-24.04` #401

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

❌ Action fails on ubuntu-24.04 #401

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

❌ Action fails on `ubuntu-24.04` #401