rootless-docker
❌ Action fails on `ubuntu-24.04`
Updating GitHub runners from ubuntu-22.04 to ubuntu-24.04 causes ScribeMD/rootless-docker to fail. This appears related to the AppArmor updates on Ubuntu 24.
Reproduction steps
- Create the following workflow in a GitHub repo:

  ```yaml
  name: Test ScribeMD/rootless-docker
  on:
    push:
      branches:
        - "**"
    workflow_dispatch:
  jobs:
    test:
      strategy:
        fail-fast: false
        matrix:
          runner: [ubuntu-20.04, ubuntu-22.04, ubuntu-24.04]
      name: Test ${{ matrix.runner }}
      runs-on: ${{ matrix.runner }}
      steps:
        - name: ScribeMD/rootless-docker
          uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2
  ```

- Run the workflow.
- Observe that only `Test ubuntu-22.04` succeeds.
Expected behavior
ScribeMD/rootless-docker works with ubuntu-24.04.
Logs:

From `Test ubuntu-24.04`:

```text
Run ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886
Run in_use='false'
Run sudo systemctl stop docker.service
Stopping 'docker.service', but its triggering units are still active:
docker.socket
Run echo ~/bin >>"$GITHUB_PATH"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 71.8M  100 71.8M    0     0   211M      0 --:--:-- --:--:-- --:--:--  211M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 20.0M  100 20.0M    0     0   177M      0 --:--:-- --:--:-- --:--:--  177M
+ PATH=/home/runner/bin:/snap/bin:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin /home/runner/bin/dockerd-rootless-setuptool.sh install --force
time="2024-10-16T01:44:31Z" level=warning msg="[rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1" error="fork/exec /proc/self/exe: permission denied"
time="2024-10-16T01:44:31Z" level=warning msg="[rootlesskit:parent] Hint: try running the following commands:\n\n\n########## BEGIN ##########\ncat <<EOT | sudo tee \"/etc/apparmor.d/home.runner.bin.rootlesskit\"\n# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces\nabi <abi/4.0>,\ninclude <tunables/global>\n\n/home/runner/bin/rootlesskit flags=(unconfined) {\n userns,\n\n # Site-specific additions and overrides. See local/README for details.\n include if exists <local/home.runner.bin.rootlesskit>\n}\nEOT\nsudo systemctl restart apparmor.service\n########## END ##########\n\n"
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied
Error: [ERROR] RootlessKit failed, see the error messages and https://rootlesscontaine.rs/getting-started/common/ .
Error: Process completed with exit code 1.
```
Formatted error message from `Test ubuntu-24.04`:

```text
[Error] fork/exec /proc/self/exe: permission denied
This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1
Hint: try running the following commands:

########## BEGIN ##########
cat <<EOT | sudo tee "/etc/apparmor.d/home.runner.bin.rootlesskit"
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

/home/runner/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/home.runner.bin.rootlesskit>
}
EOT
sudo systemctl restart apparmor.service
########## END ##########
```
Additional context

- > Ubuntu 24.04 and later enables restricted unprivileged user namespaces by default, which prevents unprivileged processes from creating user namespaces unless an AppArmor profile is configured to allow programs to use unprivileged user namespaces.
  >
  > If you install `docker-ce-rootless-extras` using the deb package (`apt-get install docker-ce-rootless-extras`), then the AppArmor profile for `rootlesskit` is already bundled with the `apparmor` deb package. With this installation method, you don't need to add any manual AppArmor configuration. If you install the rootless extras using the installation script, however, you must add an AppArmor profile for `rootlesskit` manually: ...
  >
  > — Rootless mode (docs.docker.com)
- [Optional] AppArmor (rootlesscontaine.rs)
- What's new in security for Ubuntu 24.04 LTS? (ubuntu.com)
- [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted (github.com/rootless-containers/rootlesskit)
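The check and the profile described above, turned into one repeatable pre-step for a runner. This is an added example, not code from ScribeMD/rootless-docker, Docker, or rootlesskit: it reads the same sysctl the log names, reproduces the profile text from the rootlesskit hint, and assumes the binary lives at `~/bin/rootlesskit` as in the log. The function names (`userns_restricted`, `profile_name_for`, `render_profile`, `install_profile`) and the `--install` flag are this example's own.

```shell
#!/bin/sh
# Added example; not code from ScribeMD/rootless-docker, Docker, or rootlesskit.
# Detects whether Ubuntu's restriction on unprivileged user namespaces is active,
# then renders (and, only on request, installs) the AppArmor profile that grants
# rootlesskit the `userns` permission the restriction withholds.
# Assumption: rootlesskit is at ~/bin/rootlesskit, as in the failing log.
set -eu

# The sysctl Ubuntu 24.04 sets to 1. Overridable so the check can be exercised
# against a constructed file instead of /proc.
USERNS_SYSCTL="${USERNS_SYSCTL:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"

# Returns 0 when the restriction is active (the sysctl reads 1); returns 1 when
# it reads anything else or does not exist (kernels without the AppArmor feature).
userns_restricted() {
  [ -r "$USERNS_SYSCTL" ] || return 1
  [ "$(cat "$USERNS_SYSCTL")" = "1" ]
}

# AppArmor's conventional file name for a profile: the binary's absolute path
# with the leading slash dropped and the remaining slashes turned into dots,
# e.g. /home/runner/bin/rootlesskit -> home.runner.bin.rootlesskit (as in the hint).
profile_name_for() {
  printf '%s\n' "${1#/}" | tr '/' '.'
}

# Render the profile body from the rootlesskit hint for the given binary.
# flags=(unconfined) leaves rootlesskit otherwise unconfined; the profile's
# only effect is to permit user-namespace creation for this one binary.
render_profile() {
  rp_bin="$1"
  rp_name="$(profile_name_for "$rp_bin")"
  cat <<EOT
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

${rp_bin} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/${rp_name}>
}
EOT
}

# Write the profile under /etc/apparmor.d (or a given directory) and reload
# AppArmor. This is the only function that needs sudo.
install_profile() {
  ip_bin="$1"
  ip_dir="${2:-/etc/apparmor.d}"
  render_profile "$ip_bin" | sudo tee "${ip_dir}/$(profile_name_for "$ip_bin")" >/dev/null
  sudo systemctl restart apparmor.service
}

# Usage: sh rootlesskit-apparmor.sh [--install] [/path/to/rootlesskit]
# Without --install the profile is only printed, so a dry run is safe anywhere;
# with --install it is written and AppArmor is restarted.
main() {
  m_mode=dry-run
  if [ "${1:-}" = "--install" ]; then
    m_mode=install
    shift
  fi
  m_bin="${1:-${HOME:-/home/runner}/bin/rootlesskit}"
  if userns_restricted; then
    echo "# ${USERNS_SYSCTL} is 1: rootlesskit needs an AppArmor profile" >&2
  else
    echo "# ${USERNS_SYSCTL} is not 1 (or absent): no profile is needed" >&2
  fi
  if [ "$m_mode" = install ]; then
    install_profile "$m_bin"
  else
    render_profile "$m_bin"
  fi
}

main "$@"
```

On an `ubuntu-24.04` runner this belongs in a step before the action, run with `--install`; a dry run (no flag) prints the profile and reports on stderr whether the sysctl is 1, which is a quick way to confirm the diagnosis on a new runner image before changing anything. Because the profile is keyed to one absolute path, it has to be regenerated if rootlesskit is installed somewhere other than `~/bin`.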