chainguard-dev / melange

build APKs from source code
Apache License 2.0

Problems running on Ubuntu with apparmor / restricted unprivileged userns #1508

Open smoser opened 1 day ago

smoser commented 1 day ago

Running melange for the first time on an Ubuntu system will often fail. There are a couple of hangups.

  1. need to install bubblewrap (apt-get install bubblewrap). This actually gives a pretty good error:

    2024/09/19 10:33:22 WARN SOURCE_DATE_EPOCH is specified but empty, setting it to 1969-12-31 19:00:00 -0500 EST
    2024/09/19 10:33:22 WARN cannot use bubblewrap for containers: bwrap not found on $PATH arch=x86_64
    2024/09/19 10:33:22 ERRO unable to run containers using bubblewrap, specify --runner and one of [bubblewrap docker qemu]
  2. Current Ubuntu systems require application-specific configs in order to use unprivileged user namespaces.

    The failure path in wolfi-dev/os looks like this:

    $ make package/mypkg
    @SOURCE_DATE_EPOCH= /home/smoser/go/bin/melange build mypkg.yaml \
       --repository-append /home/smoser/src/wolfi/os/packages --keyring-append local-melange.rsa.pub\
       --signing-key local-melange.rsa --arch x86_64 --env-file build-x86_64.env \
      --namespace wolfi --generate-index false  --pipeline-dir ./pipelines/ \
      -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \
      -r https://packages.wolfi.dev/os
    ...
    2024/09/19 10:33:58 INFO built image layer tarball as /tmp/apko-temp-1864610170/apko-x86_64.tar.gz
    2024/09/19 10:33:58 INFO using /tmp/apko-temp-1864610170/apko-x86_64.tar.gz for image layer
    2024/09/19 10:33:58 INFO ImgRef = /tmp/melange-guest-2642779980
    2024/09/19 10:33:58 WARN bwrap: setting up uid map: Permission denied
    2024/09/19 10:33:58 ERRO ERROR: failed to build package. the build environment has been preserved:
    2024/09/19 10:33:58 INFO   workspace dir: /tmp/melange-workspace-4104388352
    2024/09/19 10:33:58 INFO   guest dir: /tmp/melange-guest-1722197694
    2024/09/19 10:33:58 ERRO failed to build package: unable to start pod: exit status 1

The unprivileged user namespace path is a bit of a rathole. Here is some reading if you're interested:

There are at least the following options to fix this:

  1. Disable the apparmor userns restrictions. Add kernel.apparmor_restrict_unprivileged_userns = 0 to a file in /etc/sysctl.d/60-apparmor-namespace.conf (per apparmor doc).

  2. Allow bubblewrap to use unprivileged user namespaces independent of who calls it.

    Create the file /etc/apparmor.d/local-bwrap with content like below:

    abi <abi/4.0>,
    include <tunables/global>
    
    profile local-bwrap /usr/bin/bwrap flags=(unconfined) {
      userns,
    
      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/bwrap>
    }

    Then run sudo systemctl reload apparmor

  3. Allow melange to use unprivileged user namespaces.

    Create the file /etc/apparmor.d/local-melange with content like below (update '/path/to/your/home/...')

    abi <abi/4.0>,
    include <tunables/global>
    
    profile local-melange /path/to/your/home/go/bin/melange flags=(unconfined) {
      userns,
    
      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/melange>
    }

    Then run sudo systemctl reload apparmor
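The two profile variants above differ only in the profile name and the binary path, so the following is an added helper script (example code, not part of melange or the issue) that reports whether the kernel is enforcing the AppArmor userns restriction and generates a profile of that shape for any binary. It assumes the sysctl is exposed at /proc/sys/kernel/apparmor_restrict_unprivileged_userns (as on recent Ubuntu) and that /etc/apparmor.d is the profile directory; the function names are the script's own.

```shell
#!/bin/sh
# Added example, not melange's own tooling: diagnose the unprivileged
# userns restriction and generate a per-binary AppArmor profile.

# Print the current value of the apparmor userns sysctl (1 = restricted,
# 0 = not restricted), or "absent" when the kernel does not expose it
# (older kernels, non-Ubuntu distributions).
userns_restriction() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Emit an AppArmor profile that grants unprivileged userns to one binary,
# in the same form as the local-bwrap / local-melange profiles above.
#   $1: profile name (e.g. local-melange)
#   $2: absolute path to the binary (e.g. /usr/bin/bwrap)
# The site-local include is named after the binary, matching the
# <local/bwrap> and <local/melange> includes in the profiles above.
gen_userns_profile() {
    name=$1
    bin=$2
    case "$bin" in
        /*) ;;
        *) echo "gen_userns_profile: path must be absolute: $bin" >&2; return 1 ;;
    esac
    printf '%s\n' \
        'abi <abi/4.0>,' \
        'include <tunables/global>' \
        '' \
        "profile $name $bin flags=(unconfined) {" \
        '  userns,' \
        '' \
        '  # Site-specific additions and overrides. See local/README for details.' \
        "  include if exists <local/$(basename "$bin")>" \
        '}'
}

# Write the profile into /etc/apparmor.d and reload apparmor.
# Must run as root; does nothing when the kernel is not restricting userns.
install_userns_profile() {
    name=$1
    bin=$2
    if [ "$(userns_restriction)" != "1" ]; then
        echo "userns is not restricted on this kernel; no profile needed" >&2
        return 0
    fi
    gen_userns_profile "$name" "$bin" > "/etc/apparmor.d/$name" || return 1
    systemctl reload apparmor
}

# Usage, as root, for the melange binary on PATH:
#   install_userns_profile local-melange "$(command -v melange)"
# or for bubblewrap itself:
#   install_userns_profile local-bwrap /usr/bin/bwrap
```

Run userns_restriction first: a value of 1 is the condition that produces the "bwrap: setting up uid map: Permission denied" failure, and 0 or "absent" means a missing profile is not the cause.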

smoser commented 1 day ago

I wanted to dump the above from my head, and would have put a PR up with the content, but didn't know where it should go. Let me know where it should go and I will do so.

Thanks @murraybd for pushing on this a bit.

murraybd commented 1 day ago

I never restarted apparmor rather I used sudo service apparmor reload.

smoser commented 1 day ago

> I never restarted apparmor rather I used sudo service apparmor reload.

Updated. Thank you.