Open ricardo-trustle opened 2 months ago
The drata-agent appears to work if I run this before:

```
❯ sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
❯ drata-agent
Checking for beta autoupdate feature for deb/rpm distributions
Found package-type: deb
```
I have the same issue with Ubuntu 24.04. The drata-agent does not start unless I run the command cited above.
We are facing the same issue with Ubuntu 24.04. It's quite problematic with our tech team because it doesn't ease the adoption of Drata. I've tried to create an AppArmor profile but without success so far, and deactivating AppArmor is not a solution (it would be quite ironic to deactivate a security measure to be able to run software that checks the security configuration...).
I would not disable AppArmor, but --no-sandbox is the appropriate solution for Chromium apps with AppArmor. The Drata Agent does need to be able to run under user context, execute unprivileged shell commands, use network connectivity, launch Chromium, and write to local storage and log files. It should not be sudo'd / run as root.
Do the users launching drata-agent have root privileges to their devices?
This is likely related to Chromium with unprivileged user namespace restrictions via AppArmor in Ubuntu. Our customer success team can help you work through these restrictions; please submit a support ticket for the quickest remediation of your specific issue.
First identified in Ubuntu 23.10 (non-LTS), and carried into Ubuntu 24.04 LTS. Bug reports for this issue are available at: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
NOTE: As of 3.6 there is also now an AppImage release available for use https://github.com/drata/agent-releases/releases/tag/v3.6.1
For those having issues with completing the registration process, I've had success with modifying the Exec portion of /usr/share/applications/drata-agent.desktop to include --no-sandbox:

```
Exec="/opt/Drata Agent/drata-agent" --no-sandbox %U
```
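A third option besides the sysctl change and --no-sandbox, added here as an example and not part of this thread or of Drata's packaging: on Ubuntu 24.04 an AppArmor profile with flags=(unconfined) can grant just the `userns` permission to one executable, so the Chromium sandbox stays on and kernel.apparmor_restrict_unprivileged_userns stays at 1 for everything else. It assumes the deb install path from the .desktop file above and a profile name chosen for this example (drata-agent).

```shell
#!/bin/sh
# Added example: grant only user-namespace creation to the Drata Agent binary
# through an AppArmor profile, instead of setting
# kernel.apparmor_restrict_unprivileged_userns=0 or passing --no-sandbox.
AGENT_BIN='/opt/Drata Agent/drata-agent'   # path from the .desktop Exec line
PROFILE_NAME='drata-agent'                 # name chosen for this example
PROFILE_PATH="/etc/apparmor.d/$PROFILE_NAME"

# Print the profile text. The space in the path is escaped because AppArmor
# treats whitespace as a separator; flags=(unconfined) leaves the app
# otherwise unrestricted, and 'userns,' is the single permission granted.
generate_profile() {
    escaped=$(printf '%s' "$AGENT_BIN" | sed 's/ /\\ /g')
    printf 'abi <abi/4.0>,\ninclude <tunables/global>\n\n'
    printf 'profile %s %s flags=(unconfined) {\n' "$PROFILE_NAME" "$escaped"
    printf '  userns,\n\n'
    printf '  # Site-specific additions and overrides.\n'
    printf '  include if exists <local/%s>\n}\n' "$PROFILE_NAME"
}

# Report the sysctl state: 1 means unprivileged userns creation is allowed
# only to programs whose profile grants it (the 24.04 default); "unknown"
# when the kernel does not expose the knob at all.
userns_restriction() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Write and load the profile (needs root). Only runs when 'install' is given,
# so sourcing or dry-running the script changes nothing on the system.
install_profile() {
    generate_profile > "$PROFILE_PATH"
    apparmor_parser -r "$PROFILE_PATH"
}

if [ "${1:-}" = install ]; then
    install_profile
fi
```

Run it as root with `install` to write and load the profile; the AppImage release extracts to a temporary directory, so a path-matched profile like this one only covers the deb/rpm install.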
More details: the only way I have found to launch it is with the option --no-sandbox: