

add apparmor profiles for ubuntu 24.04 or higher distros
Signed-off-by: jason yang <jasonyangshadow@gmail.com>
JasonYangShadow committed Jun 7, 2024
1 parent d5d5427 commit c21f0df
Showing 9 changed files with 118 additions and 3 deletions.
17 changes: 16 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -115,7 +115,7 @@ jobs:
run: git diff --exit-code -- LICENSE_DEPENDENCIES.md

debian:
name: debian
name: debbuild-debian11
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v2
Expand All @@ -130,6 +130,21 @@ jobs:
GO_ARCH: linux-amd64
run: ./scripts/ci-docker-run

ubuntu-2404:
name: debbuild-ubuntu24
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v2
# fetch tags as checkout@v2 doesn't do that by default
- run: git fetch --prune --unshallow --tags --force

- name: Build and test deb under docker
env:
OS_TYPE: ubuntu
OS_VERSION: 24.04
GO_ARCH: linux-amd64
run: ./scripts/ci-docker-run

rpmbuild-centos7:
runs-on: ubuntu-22.04
name: rpmbuild-centos7
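Review bot: The new `ubuntu-2404` job checks out with `uses: actions/checkout@v2`, a mutable major tag (the existing jobs do the same), so what the build runs depends on whoever can move that tag; pinning to a full commit SHA with the version in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v2`, is the usual hardening. The job is otherwise a copy of the `debian` job differing only in `runs-on`, `OS_TYPE` and `OS_VERSION`, so a `strategy.matrix` over those three values would keep the two definitions in step. The enclosing `jobs:` mapping starts outside the hunk.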
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,10 @@ For older changes see the [archived Singularity change log](https://github.com/a
- Label process for starter binary of interactive containers with image filename,
for example: `Apptainer runtime parent: example.sif`.

## Changes for v1.3.x

- Add apparmor profiles for ubuntu 24.04 or higher distros.

## v1.3.2 - \[2024-05-28\]

### Security fix
38 changes: 38 additions & 0 deletions INSTALL.md
Expand Up @@ -198,6 +198,44 @@ Then to compile and install do this:
sudo ./scripts/install-dependencies
```

## Apparmor Profile (Ubuntu 24.04+)

Beginning with the 24.04 LTS release, Ubuntu does not permit applications to
create unprivileged user namespaces by default.

If you install Apptainer from a GitHub release `.deb` package then an
apparmor profile will be installed that permits Apptainer to create
unprivileged user namespaces.

If you install Apptainer from source you must configure apparmor.
Create an apparmor profile file at `/etc/apparmor.d/apptainer`:

```sh
sudo tee /etc/apparmor.d/apptainer << 'EOF'
# Permit unprivileged user namespace creation for apptainer starter
abi <abi/4.0>,
include <tunables/global>
profile apptainer /usr/local/libexec/apptainer/bin/starter{,-suid}
flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/apptainer>
}
EOF
```

Modify the path beginning `/usr/local` if you specified a non-default `--prefix`
when configuring and installing Apptainer.

Reload the system apparmor profiles after you have created the file:

```sh
sudo systemctl reload apparmor
```

Apptainer will now be able to create unprivileged user namespaces on your
system.

## Building & Installing from RPM

On a RHEL / CentOS / Fedora machine you can build an Apptainer into rpm
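--- a/dist/debian/apparmor-placeholder
+++ b/dist/debian/apparmor-placeholder
@@ -0,0 +1,8 @@
+# Permit unprivileged user namespace creation for apptainer starter, placeholder
+abi <abi/4.0>,
+include <tunables/global>
+
+profile apptainer /usr/lib/@{multiarch}/apptainer/bin/starter{,-suid} flags=(unconfined) {
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/apptainer>
+}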
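Review bot: The placeholder keeps `abi <abi/4.0>,` although `dist/debian/rules` installs it only on releases older than 24.04; if the target's apparmor ships no `abi/4.0` file the parser may reject the profile when the `dh_apparmor` postinst loads it, which is presumably reported as a warning rather than a hard failure, so it is worth verifying on the oldest Debian/Ubuntu release the package is built for. Because the profile is `flags=(unconfined)` with no rules, a header comment stating its purpose would help the next maintainer, e.g. `# No-op profile: keeps the package layout identical on releases that predate userns restrictions`.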
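--- a/dist/debian/apparmor-userns
+++ b/dist/debian/apparmor-userns
@@ -0,0 +1,10 @@
+# Permit unprivileged user namespace creation for apptainer starter
+abi <abi/4.0>,
+include <tunables/global>
+
+profile apptainer /usr/lib/@{multiarch}/apptainer/bin/starter{,-suid} flags=(unconfined) {
+userns,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/apptainer>
+}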
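Review bot: The profile's attachment path `/usr/lib/@{multiarch}/apptainer/bin/starter{,-suid}` does not match where this packaging puts the starter: `dist/debian/rules` installs dependencies under `$(pkgdir)/usr/libexec` and `override_dh_install` installs `usr/libexec/apptainer/bin/starter-suid`, and `INSTALL.md` documents `/usr/local/libexec/apptainer/bin/starter{,-suid}` for source builds. Unless the deb build configures `libexecdir` under `/usr/lib/<multiarch>`, the profile never attaches to the installed binary, the `userns,` permission has no effect, and the 24.04 package is still unable to create unprivileged user namespaces. The same path appears in `dist/debian/apparmor-placeholder`. The line to change is `profile apptainer /usr/libexec/apptainer/bin/starter{,-suid} flags=(unconfined) {`, and checking `aa-status` in the 24.04 CI container after installing the package would catch a mismatch automatically.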
1 change: 1 addition & 0 deletions dist/debian/apptainer.install
Expand Up @@ -3,3 +3,4 @@ usr/bin
usr/libexec
usr/share
var/lib/apptainer
etc/apparmor.d/apptainer
3 changes: 2 additions & 1 deletion dist/debian/control
Expand Up @@ -20,7 +20,8 @@ Build-Depends:
libtool,
pkg-config,
libfuse3-dev,
zlib1g-dev
zlib1g-dev,
dh-apparmor
Standards-Version: 3.9.8
Homepage: http://apptainer.org
Vcs-Git: https://github.com/apptainer/apptainer.git
11 changes: 11 additions & 0 deletions dist/debian/rules
Expand Up @@ -3,6 +3,8 @@
pkgsrc = $(shell LC_ALL=C dpkg-parsechangelog --show-field Source )
pkgver = $(shell LC_ALL=C dpkg-parsechangelog --show-field Version )

OS_MAJOR := $(shell grep ^VERSION_ID /etc/os-release | cut -d'=' -f2 | sed 's/\"//gI' | cut -d'.' -f1)

# Needed by debchange to set Name and EMAIL in changelog
# DEBFULLNAME is filtered out by debuild
# use DEB_FULLNAME instead, which will set DEBFULLNAME
Expand Down Expand Up @@ -93,6 +95,15 @@ override_dh_auto_build:
override_dh_auto_install:
@dh_auto_install -Smakefile -D$(DEB_SC_BUILDDIR)
@./scripts/install-dependencies $(pkgdir)/usr/libexec
# Apparmor userns profile needed on Ubuntu 24.04, or unconfined placeholder for older versions.
if [ $(OS_MAJOR) -gt 23 ] ; then \
echo "Ubuntu 24.04 or newer - installing apparmor userns profile"; \
install -D -m 644 dist/debian/apparmor-userns $(pkgdir)/etc/apparmor.d/apptainer; \
else \
echo "Ubuntu 23.10 or older - installing apparmor placeholder profile"; \
install -D -m 644 dist/debian/apparmor-placeholder $(pkgdir)/etc/apparmor.d/apptainer; \
fi;
dh_apparmor --profile-name=apptainer

override_dh_install:
@dh_install -papptainer-suid usr/libexec/apptainer/bin/starter-suid
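Review bot: `if [ $(OS_MAJOR) -gt 23 ] ; then \` in `override_dh_auto_install` is unquoted and assumes an Ubuntu-style numeric `VERSION_ID`; `OS_MAJOR` comes from the `$(shell grep ^VERSION_ID /etc/os-release ...)` assignment in the first hunk, so on a build host whose `/etc/os-release` has no `VERSION_ID` the test collapses to `[ -gt 23 ]`, `test` fails with a diagnostic and the `else` branch runs, while on Debian (the existing `debian` CI job) the value is the Debian major and the "Ubuntu 23.10 or older" message is misleading. Quoting with a default, `if [ "$(or $(OS_MAJOR),0)" -gt 23 ] ; then \`, keeps the test well-formed, and keying the choice on `ID=ubuntu` as well would make the intent explicit; a comment on the `OS_MAJOR :=` line such as `# major VERSION_ID of the build host; empty on distros without one` would document the assumption. The same unquoted test appears twice in `scripts/ci-deb-build-test`. `override_dh_auto_install` ends inside the hunk.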
29 changes: 28 additions & 1 deletion scripts/ci-deb-build-test
Expand Up @@ -6,6 +6,8 @@

# this script runs as root under docker --privileged

OS_MAJOR=$(grep ^VERSION_ID /etc/os-release | cut -d'=' -f2 | sed 's/\"//gI' | cut -d'.' -f1)

# install dependencies
apt-get update
export DEBIAN_FRONTEND=noninteractive
Expand All @@ -19,6 +21,21 @@ apt-get install -y \
cryptsetup \
tzdata \
curl wget git

if [ $OS_MAJOR -gt 23 ]; then
# install dependencies for 24.04 (ubuntu 24.04 does not have python2)
apt-get install -y \
devscripts \
debhelper \
dh-autoreconf \
help2man \
libarchive-dev \
libssl-dev \
python3 \
uuid-dev \
golang-go \
dh-apparmor
else
apt-get install -y \
devscripts \
debhelper \
Expand All @@ -28,7 +45,10 @@ apt-get install -y \
libssl-dev \
python2 \
uuid-dev \
golang-go
golang-go \
dh-apparmor
fi

# for squashfuse_ll build
apt-get install -y autoconf automake libtool pkg-config libfuse3-dev zlib1g-dev

Expand All @@ -39,7 +59,14 @@ mv .??* !(src) src

# switch to an unprivileged user with sudo privileges
apt-get install -y sudo

if [ $OS_MAJOR -gt 23 ]; then
# uid 1000 is occupied by user 'ubuntu' in ubuntu 24.04, here using a different uid = 1001
useradd -u 1001 --create-home -s /bin/bash testuser
else
useradd -u 1000 --create-home -s /bin/bash testuser
fi

echo "Defaults:testuser env_keep=DOCKER_HOST" >>/etc/sudoers
echo "testuser ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
mkdir -p /local
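Review bot: The two `apt-get install -y` branches under `if [ $OS_MAJOR -gt 23 ]` duplicate the whole package list for a single `python2`/`python3` difference, so future additions such as `dh-apparmor` must be made twice and can drift. Selecting the package once, `if [ "${OS_MAJOR:-0}" -gt 23 ]; then PYTHON_PKG=python3; else PYTHON_PKG=python2; fi`, and then running one `apt-get install -y ... "$PYTHON_PKG" ... dh-apparmor` keeps a single list; the `${OS_MAJOR:-0}` form also keeps the test well-formed when the `grep` finds no `VERSION_ID`. The second `if` before `useradd` would benefit from the same quoting. The script's prologue is outside the hunk.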
