ERROR : Failed to create container process: Operation not permitted

Simhelp commented 6 months ago

Hi, by running the ./Allrun command in the /ml-cfd-lecture/exercises/cylinder2D folder I get the following output:

Running blockMesh on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif Running setExprBoundaryFields on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif Running decomposePar on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif INFO: squashfuse not found, will not be able to mount SIF or other squashfs files INFO: fuse2fs not found, will not be able to mount EXT3 filesystems INFO: gocryptfs not found, will not be able to use gocryptfs INFO: Converting SIF file to temporary sandbox... FATAL: while extracting /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif: root filesystem extraction failed: extract command failed: ERROR : Failed to create container process: Operation not permitted : exit status 1 Error getting 'numberOfSubdomains' from 'system/decomposeParDict' Running renumberMesh (1 processes) on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif INFO: squashfuse not found, will not be able to mount SIF or other squashfs files INFO: fuse2fs not found, will not be able to mount EXT3 filesystems INFO: gocryptfs not found, will not be able to use gocryptfs INFO: Converting SIF file to temporary sandbox... FATAL: while extracting /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif: root filesystem extraction failed: extract command failed: ERROR : Failed to create container process: Operation not permitted : exit status 1 Error getting 'application' from system/controlDict INFO: squashfuse not found, will not be able to mount SIF or other squashfs files INFO: fuse2fs not found, will not be able to mount EXT3 filesystems INFO: gocryptfs not found, will not be able to use gocryptfs INFO: Converting SIF file to temporary sandbox... FATAL: while extracting /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif: root filesystem extraction failed: extract command failed: ERROR : Failed to create container process: Operation not permitted : exit status 1 Error getting 'numberOfSubdomains' from 'system/decomposeParDict' Running false (1 processes) on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif

p.s. when running "apptainer shell of2206-py1.12.1-cpu.sif" during the setup of my system I got the same "Operation not permitted" and solved it by running "sudo apptainer shell of2206-py1.12.1-cpu.sif" instead.

thank you in advance

AndreWeiner commented 6 months ago

Hi @Simhelp,

thanks for reporting this issue. The exercise setup expects to run apptainer without root privileges. For some reason, your setup requires root access to run the image (via sudo). The following information would be helpful:

Ubuntu version (installation via WSL?)
apptainer version (compiled from scratch or package installation?)
is the image located on an external hard drive?

Best regards, Andre

Simhelp commented 6 months ago

Hi @AndreWeiner,

my Ubuntu version is the 24.04, native installation.
the apptainer version is the 1.3.1 and I installed it as reported in your tutorial ("system_setup")
the image is located in the "ml-cfd-lecture" folder (where I also stored the apptainer repository cloned from github), on the internal memory.

thank you so much for answering so quickly and for making your lectures public. Regards, Simone

AndreWeiner commented 6 months ago

Alright, thanks for the clarification. Regarding the installation:

could you check again that all dependencies are installed correctly, i.e., when running

# Ensure repositories are up-to-date
sudo apt-get update
# Install debian packages for dependencies
sudo apt-get install -y \
build-essential \
libseccomp-dev \
pkg-config \
uidmap \
squashfs-tools \
fakeroot \
cryptsetup \
tzdata \
curl wget git

you should see a message that all packages are installed and up to date

in which folder did you clone the apptainer repository?
did you also install the FUSE-based dependencies?

Best, Andre

Simhelp commented 6 months ago

Hi Andrew, so I checked again that all packages are installed and up to date. I have also installed the FUSE-based dependencies. Now the error I get when running the cylinder2D exercise is:

Running blockMesh on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif Running setExprBoundaryFields on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif Running decomposePar on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif ERROR : Could not write info to setgroups: Permission denied ERROR : Error while waiting event for user namespace mappings: no event received Error getting 'numberOfSubdomains' from 'system/decomposeParDict' Running renumberMesh (1 processes) on /home/simon/ml-cfd-lecture/exercises/cylinder2D with image /home/simon/ml-cfd-lecture/of2206-py1.12.1-cpu.sif ERROR : Could not write info to setgroups: Permission denied ERROR : Error while waiting event for user namespace mappings: no event received Error getting 'application' from system/controlDict ERROR : Could not write info to setgroups: Permission denied ERROR : Error while waiting event for user namespace mappings: no event received

The folder in which I cloned the apptainer repository is the ml-cfd-lecture

AndreWeiner commented 6 months ago

Can you confirm that the output of the following command is 1?

sysctl -n kernel.unprivileged_userns_clone

If the value is not 1, run (source and explanation):

sudo sh -c 'echo kernel.unprivileged_userns_clone=1 \
    >/etc/sysctl.d/90-unprivileged_userns.conf'
sudo sysctl -p /etc/sysctl.d /etc/sysctl.d/90-unprivileged_userns.conf

Simhelp commented 6 months ago

Yes the output is 1

AndreWeiner commented 6 months ago

Ok, the issue is relatively recent and related to appAmor in Ubuntu 24.04 (see here). Two options: 1) disable some parts of appAmor (this should be fine for a local installation on your personal computer)

sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

2) create an appAmor profile like this one but for Apptainer (I could not test the code snippet)

sudo tee /etc/apparmor.d/apptainer << 'EOF'
# Permit unprivileged user namespace creation for Apptainer
abi <abi/4.0>,
include <tunables/global>

profile apptainer /usr/local/bin/apptainer{,-suid} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/apptainer>
}
EOF

enable changes:

sudo systemctl reload apparmor

Simhelp commented 6 months ago

I decided to go with the second option and it worked perfectly! Thank you so much for your time @AndreWeiner

AndreWeiner / ml-cfd-lecture

ERROR : Failed to create container process: Operation not permitted #36