
❌ Action fails on ubuntu-24.04 #401

Open
AJGranowski opened this issue Oct 16, 2024 · 1 comment · May be fixed by #402

Comments


AJGranowski commented Oct 16, 2024

Updating GitHub runners from ubuntu-22.04 to ubuntu-24.04 causes ScribeMD/rootless-docker to fail. This appears related to the AppArmor updates on Ubuntu 24.

Reproduction steps

  1. Create the following workflow in a GitHub repo:
    name: Test ScribeMD/rootless-docker
    
    on:
      push:
        branches:
         - "**"
      workflow_dispatch:
    
    jobs:
      test-22_04:
        name: Test ubuntu-22.04
        runs-on: ubuntu-22.04
        steps:
          - name: ScribeMD/rootless-docker
            uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2
    
      test-24_04:
        name: Test ubuntu-24.04
        runs-on: ubuntu-24.04
        steps:
          - name: ScribeMD/rootless-docker
            uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2
  2. Run the workflow.
    • Observe that Test ubuntu-22.04 succeeds, and Test ubuntu-24.04 fails.

Expected behavior
ScribeMD/rootless-docker works with ubuntu-24.04.

Logs:
From Test ubuntu-24.04:

Run ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886
Run in_use='false'
Run sudo systemctl stop docker.service
Stopping 'docker.service', but its triggering units are still active:
docker.socket
Run echo ~/bin >>"$GITHUB_PATH"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 71.8M  100 71.8M    0     0   211M      0 --:--:-- --:--:-- --:--:--  211M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 20.0M  100 20.0M    0     0   177M      0 --:--:-- --:--:-- --:--:--  177M
+ PATH=/home/runner/bin:/snap/bin:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin /home/runner/bin/dockerd-rootless-setuptool.sh install --force
time="2024-10-16T01:44:31Z" level=warning msg="[rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1" error="fork/exec /proc/self/exe: permission denied"
time="2024-10-16T01:44:31Z" level=warning msg="[rootlesskit:parent] Hint: try running the following commands:\n\n\n########## BEGIN ##########\ncat <<EOT | sudo tee \"/etc/apparmor.d/home.runner.bin.rootlesskit\"\n# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces\nabi <abi/4.0>,\ninclude <tunables/global>\n\n/home/runner/bin/rootlesskit flags=(unconfined) {\n  userns,\n\n  # Site-specific additions and overrides. See local/README for details.\n  include if exists <local/home.runner.bin.rootlesskit>\n}\nEOT\nsudo systemctl restart apparmor.service\n########## END ##########\n\n"
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied
Error: [ERROR] RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ .
Error: Process completed with exit code 1.

Formatted error message from Test ubuntu-24.04:

[Error] fork/exec /proc/self/exe: permission denied
    This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1
    Hint: try running the following commands:
        ########## BEGIN ##########
        cat <<EOT | sudo tee \"/etc/apparmor.d/home.runner.bin.rootlesskit\"
        # ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
        abi <abi/4.0>,
        include <tunables/global>

        /home/runner/bin/rootlesskit flags=(unconfined) {
          userns,

          # Site-specific additions and overrides. See local/README for details.
          include if exists <local/home.runner.bin.rootlesskit>
        }
        EOT
        sudo systemctl restart apparmor.service
        ########## END ##########

Additional context

AJGranowski (Author) commented

It looks like this action installs rootless extras from get.docker.com/rootless. [1] In that case, the Docker docs suggest adding an AppArmor profile for rootlesskit manually. [2]

  1. Create and install the currently logged-in user's AppArmor profile:
    # Profile file name derived from the binary path: leading "/" dropped, each "/" turned into "."
    filename=$(echo $HOME/bin/rootlesskit | sed -e s@^/@@ -e s@/@.@g)
    cat <<EOF > ~/${filename}
    abi <abi/4.0>,
    include <tunables/global>
    
    "$HOME/bin/rootlesskit" flags=(unconfined) {
      userns,
    
      include if exists <local/${filename}>
    }
    EOF
    sudo mv ~/${filename} /etc/apparmor.d/${filename}
  2. Restart AppArmor.
    sudo systemctl restart apparmor.service

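As an added example, not code from the ScribeMD/rootless-docker action or the Docker docs, here is a shell script that reads the sysctl named in the log and installs the rootlesskit profile only when the runner actually restricts unprivileged user namespaces; the function names are assumptions, and the profile-name derivation is the same sed transformation used in the steps above.

```shell
#!/usr/bin/env bash
# Added example, not code from the ScribeMD/rootless-docker action or the Docker
# docs. Function names are assumptions; the sysctl path is the one from the log.

# Map a binary path to the AppArmor profile file name used in the hint:
# drop the leading "/" and turn each remaining "/" into ".".
# e.g. /home/runner/bin/rootlesskit -> home.runner.bin.rootlesskit
profile_name_for() {
  printf '%s' "$1" | sed -e 's@^/@@' -e 's@/@.@g'
}

# True (exit 0) when unprivileged user namespaces are restricted: the sysctl
# file exists and holds 1. $1 lets a test point at a constructed file instead.
userns_restricted() {
  f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
  [ -r "$f" ] && [ "$(tr -d '[:space:]' <"$f")" = "1" ]
}

# Render a profile that lets $1 create user namespaces while staying otherwise
# unconfined, mirroring the snippet rootlesskit prints in its hint.
render_profile() {
  bin="$1"
  name=$(profile_name_for "$bin")
  cat <<EOF
abi <abi/4.0>,
include <tunables/global>

"$bin" flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Install the profile only on hosts that need it (ubuntu-24.04 runners do,
# ubuntu-22.04 runners do not), then reload AppArmor.
install_if_needed() {
  bin="${1:-$HOME/bin/rootlesskit}"
  name=$(profile_name_for "$bin")
  if ! userns_restricted; then
    echo "unprivileged userns not restricted; no profile needed"
    return 0
  fi
  render_profile "$bin" | sudo tee "/etc/apparmor.d/$name" >/dev/null
  sudo systemctl restart apparmor.service
  echo "installed /etc/apparmor.d/$name"
}
```

Running `install_if_needed` as an early workflow step before the action makes the job behave the same on both runner images.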
AJGranowski added a commit to AJGranowski/reddit-expanded-community-filter-userscript that referenced this issue Oct 16, 2024
ScribeMD/rootless-docker is broken on `ubuntu-24.04`
ScribeMD/rootless-docker#401
@AJGranowski AJGranowski changed the title ❌ Action fails on ubuntu-24.04 (ubuntu-latest) ❌ Action fails on ubuntu-24.04 Oct 26, 2024
@AJGranowski AJGranowski linked a pull request Oct 26, 2024 that will close this issue